Five Reasons Why CEO Succession Fails, and How to Get It Right

The road to CEO success is rocky. The average tenure of CEOs has plummeted, from 8.5 years in 2003 to 3.7 years as of 2020. The Corporate Executive Board finds that in the first year and a half in a new role, 50 percent to 70 percent of executive leaders recruited both internally and externally fail. This lack of success comes at a huge cost. Companies that have to remove a CEO forfeit almost $1.8 billion in shareholder value compared to companies with successful placements. Add to that internal disruption and lost opportunity and the cost mushrooms for companies of all types and sizes. It’s a board’s nightmare.

Despite these odds, there are some lessons to be learned about how to avoid a CEO transition failure and how to get it right in the first place. As consultants to boards and CEOs on leadership and succession, our front-row view of the missteps that create costly mistakes in CEO placement decisions offers a cautionary tale for all leaders considering their own successors and those of their colleagues.

Take the example of the first-time CEO of a growing technology company who, not long after her internal succession, brought BTS Boston in to help focus her team on their strategy. She was frustrated by the mistrust and finger-pointing on the executive team, and as we worked with her to rebuild the team and culture, the challenge of her position became clear. About 18 months previously, the board had by-passed internal candidates to recruit an external industry leader from a marquee brand to follow their long-time, retiring CEO. The high-profile search took a year, and though fully supported by the board, within the first 12 months the new CEO’s divisive leadership style had created an “in crowd” and an “out crowd,” leading to siloed arms of the organization that could not collaborate. When that chief executive abruptly departed, the board scrambled to circle back to internal candidates, and our client got the nod. She would enter her first year with strong headwinds, tasked with rebuilding the team, the culture, and the strategy.

This scenario highlights the blind spots companies have when taking on the high-stakes, high-risk task of CEO succession. One big misstep is often followed by years of recovery. Before going any further with succession planning, boards should pressure test their own processes against these five common mistakes.

1. Overlooking the Question of Character

The CEO of the tech company above went on to see tremendous success, building a top-performing company with a strong team, culture, and trust with the board and shareholders. Her board chair told us two years after her initial ascent to the position that promoting her into the CEO seat was the best decision they had made. But what was that “off-the-paper” difference that made her so successful? And what had they missed about the external candidate who failed?

Character. When evaluating candidates or internal successors, search committees too often rely on hard skills as the concrete metrics to decide on CEO placement. They miss out on the opportunity to ask critical questions about the candidate’s personal values and how they build relationships, instill trust and confidence, grow company value, build credibility with analysts, promote a strong corporate culture, and inspire a shared vision.

Board members must get to know candidates and internal successors personally through conversations over time to learn how the leader thinks, what they find important, how they listen and engage, and how they share their own life lessons and values.

2. Further Dependence on the Wrong Criteria

The profile of a successor is the foundation upon which the future of the company and strategy are based. One of the biggest derailers of success is relying on the wrong profile and the wrong set of criteria for your next CEO. Avoid the following common missteps when setting candidate criteria:

as noted above, overemphasizing industry expertise, while missing the wider range of leadership capabilities and skills that make a high-performing CEO,
trying to simply replace the current CEO rather than taking a fresh look at what will be needed to deliver on the future strategy or market opportunities, and
tasking an external search firm with the development of success criteria based on their models, rather than building the company’s own profile tailored to its business, culture, and strategic requirements.

In the case study of our tech client, the board’s belief that an external change agent would advance the existing strategy led to a cultural mismatch, and ultimately failed.

3. Failure to Develop Internal Candidates

Many boards and CEOs put active succession planning on the back burner until they are at the precipice of a transition because, quite frankly, it’s hard to do. They perceive too much risk in signaling advancement to internal successor candidates, fearing they’ll create a horse race that distracts from execution and potentially leads to the loss of key talent. The consequence is a readiness gap with possible successors, weakening the organization’s ability to weather the storm of an unexpected departure. Additionally, putting off succession planning reduces the strength and breadth of the candidate pool that comes with a deep leadership bench, and those in line lose out on the opportunity to gain exposure to critical audiences, issues, and experiences that would make them more ready and effective to step into the role.

4. Believing Placement Is the End Zone

Making the right selection is the starting point—but setting the new CEO up to succeed is the difference-maker. It can be easy to forget that there is a steep learning curve involved with entering a new CEO seat, even for experienced executives. Particularly for an internal successor, time allocation, building board relationships, executive team management, navigating external visibility, and other new routines need to be established and can make for a bumpy first year. For any candidate, developing trust, building a successful executive team, stabilizing client relationships, setting and selling the strategy, and creating a CEO narrative requires a high level of focus that should be core to the onboarding process.

5. Ignoring the Importance of Transparency in the Process

So often the CEO succession process happens behind closed doors, far away from even those who will work most closely with the new CEO. Beyond the search committee, few have insight into how the CEO will be selected, what the criteria are, and how the decision will be made. This vacuum of information gives rise to rampant speculation, skepticism, and cynicism, and, in more extreme cases, suspicion and concern. The void is sometimes filled with a fear of hidden agendas, such as those involving insider relationships and favoritism, diversity goals, potential unannounced mergers or acquisitions, or the influence of activist investors. If those concerns take root, at best it will make it hard for the team to trust their new leader. At worst, this can create destructive infighting and even cause key players to leave when you can least afford their departures. Make sure to set your next CEO up for success by communicating the how and why of the selection process early and often.

In addition to reviewing company processes and the common missteps above, boards can take the following steps now:

Start early. If it’s not already on the agenda, bring C-suite succession to the front of the deck at your upcoming board meeting. Engage the full board and current CEO in a discussion about succession-planning for each member of the executive team and set expectations of a formal process.

Engage external expertise. Have these experts develop a profile for the CEO of the future state of the company and keep the profile current annually by reevaluating criteria based on material shifts to the company, strategy, or environment.

Develop the bench. Learn about company leaders before they become successors. Have them present at board meetings, learn about their business areas, and hear how they think and what they see as future opportunities for the business. Invest in preparedness with a formal development plan for each leader.

Take the risk out of transitions. Provide the new CEO with a strong third-party coach. The chair can act as a valuable mentor and can help onboard a CEO but is no substitute for an experienced, trusted advisor who creates a safe zone for even the most seasoned leaders.

CEO turnover is a perennial issue, one that will continue to plague companies who fail to plan and prepare for the future. The failures will become more and more costly as the pace and competitive environment of global business continue to accelerate at warp speed. Going forward, it will be even more important for boards to put this issue front and center, plan carefully, and consider actions to take now to develop potential internal candidates to deliver future success.

Sarah Woods is a partner at BTS Boston, formerly Bates Communications, a global management consultancy that improves performance through communicative leadership. Joe Andrews was formerly chief human resources officer for Progress Software Corp. and is currently a consultant, coach, and CEO succession expert with BTS.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

ESG and Human Capital Management Are the Keys to Resilience and Transformation

The COVID-19 pandemic materially altered how corporate boards should be thinking about enterprise sustainability through the lens of environmental, social, and governance (ESG) initiatives. The concept of stakeholder capitalism—and its link to enterprise sustainability—has taken firm root in corporate governance and workforce management. Consistent with the Business Roundtable’s 2019 articulation of the new corporate purpose, 2021 begs for a more expansive view of organizational success—one that puts all stakeholder (employee, customer, shareholder, and community) interests at the heart of the transformation agenda.

It is clear that ESG and stakeholder capitalism will and should have a growing presence in the boardroom and on the board agenda. For example, 67 percent of nearly 2,000 global director respondents in the Global Network of Director Institutes (GNDI) 2020-2021 Survey Report indicate that COVID-19 will increase board focus on ESG, sustainability, and stakeholder value issues. In addition, 39 percent identify meeting the challenges of stakeholder capitalism as one of their top three challenges in responding to the pandemic.

Mercer’s 2020-2021 Global Talent Trends Study reveals similar concerns within an organization. Sixty percent of US human resources (HR) leaders say that they have maintained or stepped up their pace in moving toward an ESG and multi-stakeholder approach to business over the last year. Over half (53 percent) of these HR leaders are now tying ESG objectives to their corporate purpose, and 26 percent are linking these objectives to executive scorecards. In addition, more than one-third of surveyed employees indicate that their choice of future employer would be influenced by the employer’s articulated corporate purpose.

Meanwhile, two-thirds of organizations report that ESG will be a crucial focus for 2021 (71 percent said the same in Europe; 67 percent in the Asia-Pacific region; and 61 percent in North America). The United States clearly has room to grow on this agenda item.

Managing people risk effectively will be critical to future success and sustainability in an uncertain economic and social environment. Stakeholder empathy, particularly in relation to employees, emerged as a top leadership concern in 2020, and is likely to persist as an important component of sustainability, with two in five HR leaders at US companies saying that managing employees inclusively and with empathy will be a key to enterprise resilience going forward.

Indeed, the study finds that organizations that integrate ESG metrics into the CEO’s agenda are more likely to report high revenue growth. Also, investment funds that focus on organizations that prioritize ESG often generate returns superior to those of other funds.

Given the rising emphasis on people and ESG, with a particular focus on the diversity, equity, and inclusion (DE&I) aspects of social corporate objectives, boards must turn to the old adage that you cannot manage what you do not measure and ask their management teams to map out how their organizations will track, monitor, and drive forward their ESG and DE&I program goals. In fact, the GNDI survey reveals that 63 percent of directors see an increased need to incorporate data analytics into the board decision-making process. Boards may wish to ask management, for example, what DE&I analytics and metrics will be tracked and how and when these will be reported. Is the organization considering an internal labor market analysis to assess representation deficits across the company’s hierarchy and to identify specific pain points (e.g., hiring shortcomings, career “ceilings,” and points of retention risk)? The board or committees can also consider links between DE&I goals and incentive plans. Increasingly, investors evaluate companies based on their human capital management and DE&I metrics, such as those pertaining to representation, equity in pay and benefits, and attrition rates by demographic group.

However, only 23 percent of organizations say they will be investing in DE&I analytics and insights in 2021. This is disappointing, given that Mercer’s talent research attests to the impact of analytics in making DE&I progress and the disproportionate toll COVID-19 has taken, for example, on women in the workplace.

Nonetheless, a recent Mercer executive rewards pulse survey of around 1,000 North American organizations finds that nearly half (44 percent) are currently using or considering the use of ESG and DE&I metrics in their incentive plans to promote a focus on related objectives. That said, practices vary significantly, ranging from the majority of companies having no linkage between executive pay and human capital management and DE&I goals, to Hyatt Hotels, which made increasing minority representation across various levels of management in the United States and globally the sole metric in its most recent long-term incentive awards. For most companies, the right answer will fall somewhere in between.

On the bright side, last year saw a fivefold increase in the number of companies measuring pay inequity against 2019 levels, helping to boost the business community’s understanding of large gaps in health and wealth across numerous constituencies. In 2021, 45 percent of HR leaders in the United States (and 35 percent of HR leaders globally) plan to improve pay equity analytics to drive transparency and action.

The bottom line is that decision-quality data is at the heart of charting an enterprise’s course toward people sustainability and organizational performance. Companies that fail to invest appropriately will inevitably find themselves struggling to attract, retain, and engage the diverse talent needed to succeed in today’s marketplace.

Eric Larré is a partner in Mercer’s executive rewards business in Atlanta. He works with corporate boards to develop incentive programs that align with financial and strategic objectives and investor expectations.

Improve Cyber-Risk Measurement Through Scenario-Scoping

Many boards are struggling with the question of what cybersecurity risk means to their organizational objectives and how to manage this risk. There is a strong desire to find some way to look at cyber risk from a quantitative point of view, owing to the late Peter Drucker’s principle of “what gets measured gets managed.” But what is cyber-risk quantification and how can measuring cyber risk help your organization?

Underpinning all measurement activities is something known as “measurement science” or metrology. This scientific approach to measurement has given rise to such basics as temperature reading and distance scales. For things that are a little more abstract, there are scientific principles that can be applied to help improve measurement and, by extension, decision-making.

As enterprise-risk management (ERM) organizations established themselves over the last two decades, they needed a way to help businesses manage loss exposure from risks that were difficult to quantify and that were largely unable to be underwritten by insurers. They also needed a way to prioritize risks based on the potential each risk had to cause harm to organizational objectives. The easiest solution was to directly apply priority labels to show how important the risk was (e.g., high, medium, or low). These labels have also been used by cybersecurity organizations as they lead or assist in managing enterprise cyber risk.

However, there are some problems with this approach. While the labels are a useful decision-making shortcut (a company does not want to take on high-risk activities, but it will tolerate low-risk ones), reams of academic research discuss the failure of this approach to account for biases and basic measurement errors. Too many people subconsciously neglect to account for organizational risk when applying these labels and instead use their own risk tolerances to calibrate risk for the entirety of the organization. The use of these scales actually adds error to the risk evaluation process instead of reducing it. Further basic errors include the assumption that the distance between values is equal (i.e., the assumption that risks rise in severity at a consistent rate), which compresses risks at the top into a single category, effectively treating a $50 billion risk as equivalent to a $5 million risk, for example. This approach therefore has the effect of keeping an organization from taking reasonable risks at best and misallocating capital to unnecessarily mitigate risk at worst.

True cyber-risk quantification requires the use of values that measure frequency of loss and impact of loss in attaining organizational missions and goals. In this way, quantifying cyber risk comes down to articulating the scenarios that could cause an organization to fail to deliver the products and services for which it is chartered. Expressing cyber risk this way has been thwarted by a dearth of available data and methodologies at individual companies. However, many third parties have been established to provide such data and methodologies and today, cyber-risk quantification is not only possible but employed by companies all over the world.

Applying this data to your organization requires the development of cyber-risk scenarios. This approach begins with defining top-level cyber-risk categories (such as data disclosure, fraud, and business interruption) and breaks those down into progressively more detailed sets of scenarios. Ultimately, at the lower branches of such a decomposition exercise, an organization will arrive at a series of risk triggers familiar to cybersecurity professionals that can be mapped to a control framework, such as the National Institute of Standards and Technology Cybersecurity Framework. In this way, an organization can connect low-level cybersecurity attacks, such as those involving ransomware and code exploits, to the controls that prevent them and ultimately to organizational objectives (as expressed through a company’s products and services). The good news for enterprise risk teams is that financially oriented frameworks, including the Basel II regulations, also support this approach.

Here is an example of a risk decomposition that connects high-level strategic objectives to lower-level cybersecurity issues.

Strategic Objective 1: Increase the number of customers that use more than one company product by 40 percent.

Cyber Risks to Objective 1:

Layer 1—External fraud
Layer 2—Systems security
Layer 3—Hacking
Layer 4—Credential stuffing, privilege escalation, lateral movement, etc.

Strategic Objective 2: Increase sales in the North American market by 15 percent.

Cyber Risks to Objective 2:

Layer 1—Business disruption
Layer 2—Systems security
Layer 3—Software
Layer 4—Ransomware

Once such a top-down and bottom-up approach has been made, the exercise of building quantified values to express loss as a result of risk becomes clearer. In addition to traditional revenue metrics such as those weighing the value of delayed or forgone customer transactions, organizations can also leverage public peer data to index losses and project legal and regulatory outcomes.
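As an added illustration (not part of the original article), the sketch below attaches a loss frequency and a per-event loss range to each Layer 4 trigger in the decomposition above and rolls the result up to the strategic objective, next to a three-bucket label scale of the kind criticized earlier. Every frequency, dollar figure, and label threshold is a constructed assumption, as is the choice of a Poisson event count with lognormal losses.

```python
import math
import random

# Layer 1 -> Layer 4 paths are the article's; every frequency and loss figure
# below is a constructed sample value, not data from the article.
# Fields: objective, layer 1, layer 2, layer 3, layer 4 trigger,
#         expected events per year, 5th and 95th percentile loss per event (USD).
SCENARIOS = [
    ("Objective 1", "External fraud", "Systems security", "Hacking",
     "Credential stuffing", 2.0, 50_000, 500_000),
    ("Objective 1", "External fraud", "Systems security", "Hacking",
     "Privilege escalation", 0.5, 200_000, 2_000_000),
    ("Objective 1", "External fraud", "Systems security", "Hacking",
     "Lateral movement", 0.3, 300_000, 3_000_000),
    ("Objective 2", "Business disruption", "Systems security", "Software",
     "Ransomware", 0.2, 1_000_000, 20_000_000),
]

Z95 = 1.6449  # 95th percentile of the standard normal distribution


def ordinal_label(loss_usd):
    """Three-bucket priority scale; the thresholds are assumed for illustration."""
    if loss_usd < 100_000:
        return "low"
    if loss_usd < 1_000_000:
        return "medium"
    return "high"


def lognormal_params(p5, p95):
    """Fit a lognormal so that 90% of per-event losses fall between p5 and p95."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z95)
    return mu, sigma


def expected_annual_loss(objective):
    """Closed-form mean: sum over scenarios of frequency * mean loss per event."""
    total = 0.0
    for obj, *_path, freq, p5, p95 in SCENARIOS:
        if obj == objective:
            mu, sigma = lognormal_params(p5, p95)
            total += freq * math.exp(mu + sigma ** 2 / 2)
    return total


def events_in_year(rng, rate):
    """Poisson event count, drawn via exponential inter-arrival times in one year."""
    count, t = 0, rng.expovariate(rate)
    while t < 1.0:
        count += 1
        t += rng.expovariate(rate)
    return count


def simulate(objective, years=20_000, seed=1):
    """Return sorted simulated annual losses for every scenario under one objective."""
    rng = random.Random(seed)
    rows = [s for s in SCENARIOS if s[0] == objective]
    losses = []
    for _year in range(years):
        annual = 0.0
        for *_path, freq, p5, p95 in rows:
            mu, sigma = lognormal_params(p5, p95)
            for _event in range(events_in_year(rng, freq)):
                annual += rng.lognormvariate(mu, sigma)
        losses.append(annual)
    losses.sort()
    return losses


def summarize(objective, years=20_000, seed=1):
    """Mean and 95th-percentile (1-in-20-year) annual loss for one objective."""
    losses = simulate(objective, years, seed)
    return {
        "mean": sum(losses) / len(losses),
        "p95": losses[int(0.95 * len(losses))],
        "analytic_mean": expected_annual_loss(objective),
    }


if __name__ == "__main__":
    # The label scale cannot tell these two apart; the dollar figures can.
    print(ordinal_label(5_000_000), ordinal_label(50_000_000_000))
    for objective in ("Objective 1", "Objective 2"):
        s = summarize(objective)
        print(f"{objective}: mean ${s['mean']:,.0f}/yr, "
              f"1-in-20-year loss ${s['p95']:,.0f}")
```

With these sample inputs the two objectives have similar average annual losses, but the ransomware scenario under Objective 2 carries a far larger 1-in-20-year loss, a difference a single "high" label would hide.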

It is useful to start operationalizing these foundations of cyber-risk quantification as global credit agencies and cyber insurance underwriters are beginning to use similar processes in assessing organizations’ credit worthiness. Indeed, in much the same way that credit rating agencies began talking about environmental, social, and governance risk years ago, so too will cyber ratings become a constituent component in investors’ evaluations over the coming years. This is especially true as the world becomes more aware of the sizable financial impact of mega breaches and supply-chain interruptions on business. Organizations that don’t address cyber risk as a quantifiable, financial risk to their strategic plans will find themselves at a disadvantage in the marketplace. As a board, consider asking the security and enterprise risk leaders in your organization how they are considering the above approaches, including how to use scenario-planning and cyber-risk quantification to inform the company about cyber risks and how ERM leaders and the chief information security officer are bringing their teams together to tackle this problem.

As head of cyber-risk methodology for VisibleRisk, Jack Freund has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk.

Board Leaders Rethink Strategy, Risk, and Stakeholder Focus

The year ahead will be about refining—if not fundamentally rethinking—strategic planning and risk management. While not surprising, this overarching takeaway from discussions and polling at the KPMG Board Leadership Conference in January is no doubt eye-opening in its scope and implications for board oversight and leadership. As our conference conversations highlighted, robust scenario planning—thinking deeply and continually about a company’s future—will be essential as a result of the unprecedented disruption and uncertainty caused by the COVID-19 pandemic and resulting accelerating megatrends.

Further results from conference polling highlight critical issues for lead directors to consider in the context of strategy and risk as they help ensure that the board’s agenda and meeting time are focused on the issues that are most critical to the business. Below are some of the takeaways from our polling.

The shift toward stakeholders and long-term value creation is clear and dramatic. Nearly 90 percent of directors say that, in light of the events of the past year, their companies are reassessing how they address the interests of key stakeholders (in addition to investors); more than two-thirds say that a focus on environmental, social, and governance (ESG) issues is important to long-term performance and value creation; and nearly 90 percent of respondents believe that companies can meet the needs of stakeholders in a socially responsible manner while generating superior financial results. At the same time, 81 percent respond that their companies’ incentive structures encourage management, to some degree, to maximize short-term returns at the expense of long-term returns. Some of the key questions for the CEO and lead director to consider include: How do our incentive structures and culture drive ESG performance? How effectively are we assessing and disclosing the company’s ESG performance?

The focus on climate risk by companies and boards appears to be falling short of investor expectations. Only one-third of directors express confidence that their management teams understand the implications of climate change for their businesses, and only 29 percent say that “addressing climate change” will be of strategic importance to their companies in 2021. This is in contrast to investors’ expectations for companies. In his 2021 letter to CEOs, BlackRock chair and CEO Laurence D. Fink wrote, “No issue ranks higher than climate change on our clients’ lists of priorities.” Fink asked companies to disclose plans explaining “how their business model will be compatible with a net-zero economy,” and how these plans are incorporated into long-term strategy and reviewed by boards of directors. Lead directors should help ensure that management teams are factoring climate issues into their risk analyses and strategies.

Cybersecurity and data privacy and governance are the top global governance risks for companies in 2021. This comes as little surprise given shifts to remote work, online customer engagement, and the growing sophistication of cyber attackers, including nation-states. In light of the recent SolarWinds cyberattack, directors express increasing concern about cyber risks posed by third-party vendors. Lead directors should work with committee chairs to reassess the board’s oversight of cyber risk, including clarifying committee roles.

The pressure—and spotlight—on CEO and corporate leadership is intensifying. Nearly two-thirds of directors say that corporate America is best positioned to help tackle societal problems through leadership by example and innovation, and the vast majority of directors believe that CEOs have a responsibility to take a stand on diversity, equity, and inclusion (DE&I) and other societal issues. But there’s an important caveat: only 8 percent of respondents say that corporate America has had a “strong follow-through” thus far on DE&I and societal commitments. Boards play an important role in turning this around. Is the company using its resources, influence, and capabilities to not only talk the talk, but to walk the walk? Does the board receive regular reporting on DE&I metrics and milestones? Eighty percent of directors report that, given the events of the past year, their boards have intensified their focus on leadership and succession plans for the CEO and senior leaders.

The Biden administration’s policy initiatives will be a key area of focus in the near term. In addition to an economic stimulus package, near-term policy initiatives that directors say should be the focus of board attention include tax reform (which may be part of the stimulus package); the US Securities and Exchange Commission’s regulatory agenda (in particular, new disclosure rules regarding ESG issues, sustainability, and corporate governance); and trade policy and climate-related regulation. Beyond the regulatory and compliance issues that may lie ahead, is the company assessing the potential opportunities presented by the emerging policy agenda?

Given the challenges to come, the role of the lead director and other boardroom leaders in helping to ensure effective board engagement in strategy and risk oversight, a strong CEO-board relationship, and a culture of crisis prevention and readiness has never been more important. The year ahead will clearly put boardroom leadership to the test.

John H. Rodi is leader of the KPMG Board Leadership Center.

Global Governance Lessons From Europe’s Enron

Editor’s note: This excerpt is pulled from the January/February 2021 issue of Directorship magazine.

Last June, members of the Wirecard supervisory board dialing into a hastily convened emergency call could hardly believe what they were hearing. The fast-growing German financial services provider that they were charged with overseeing only recently had been rumored to be in takeover talks with Deutsche Bank. Now, Wirecard board members were being told that €1.9 billion ($2.2 billion) in cash was missing and the company was €3.2 billion ($3.7 billion) in debt. Could Wirecard’s vast international business empire really have been based on lies and obfuscation?

Indeed, it appears so.

On June 25, 2020, Wirecard filed for insolvency. Then, on Aug. 25, a court-appointed administrator issued a press release stating that it had been able “to stabilize the ongoing business and create a basis for [Wirecard’s] continuation.” As part of the stabilization efforts, all members of Wirecard’s management board—at least those who had not already resigned or fled Germany—and some 730 employees were let go.

As of mid-December, senior Wirecard executives including ex-CEO Markus Braun and former chief financial officer Burkhard Ley have been criminally charged and are awaiting trial in Germany. Another executive was released from jail as a cooperating witness for the prosecution. Former chief operating officer Jan Marsalek, who also served on the management board, is a fugitive from the country.

Wirecard leadership is accused of having conspired with others to inflate revenues and its balance sheet by faking business with third-party partners, said Anne Leiding, a spokesperson for the Munich State Prosecutor’s Office, during a press conference in which she announced the charges. The creation of a false impression of financial strength enabled Wirecard executives to borrow €3.2 billion from banks and investors.

“In reality, it was clear, at the latest by the end of 2015, that Wirecard’s real business was losing money,” Leiding told reporters in Munich. Wirecard executives are also suspected of harming investors by overpaying for acquisitions and for creating and perpetuating a culture “characterized by an esprit de corps and oaths of loyalty” to Braun as their leader.

Braun resigned after Wirecard auditor EY said it could not verify the €1.9 billion supposedly held in escrow on behalf of the third-party partners.

Altogether, the formal charges made against Wirecard’s leadership team include organized commercial criminal fraud, breach of trust, false accounting, and market manipulation. All of the former Wirecard executives now awaiting trial have declared their innocence.

Ominous Questions

Wirecard, like Enron until its own spectacular demise in 2001, had been on a wild and aggressive trajectory of growth. When the dot-com bust threatened Wirecard’s existence in 2002, Braun was recruited as CEO. With the benefit of hindsight and courageous reporting—notably by the Financial Times (FT)—it is clear that the company’s lifespan was fueled by hubris and a win-at-all-costs corporate culture. Braun provided Wirecard with a cash infusion, and under his leadership proceeded to allegedly perpetrate an intentional accounting fraud over a period of years that escaped the notice of key stakeholders including regulators, auditors, and Wirecard’s own supervisory board.

Now, in the aftermath of Wirecard’s insolvency, and as lawsuits add up, regulators and stock exchanges are reevaluating their checks and balances, looking to repair fault lines, and taking aim mostly at the corporate audit function—both internal and external. Many corporate governance observers expect to see regulatory reform in the European Union and in Germany on a scale akin to the Sarbanes-Oxley Act, the US federal law that was passed in 2002 after corporate accounting scandals—including at Enron Corp., Tyco International, and WorldCom—came to light. Sarbanes-Oxley essentially gave board audit committees greater authority and thus increased both the responsibilities and oversight of the committee.

Given the sheer scope, daring, and size of Wirecard’s fraud, comparisons to Enron are both inevitable and predictable. The business community and the public began asking two ominous questions: Where was the board? And where were the regulators? After all, the Wirecard fraud was not discovered by these governance stakeholders but instead by a cadre of short sellers and FT journalists, ultimately aided by lower-level whistleblowers who were paying much closer attention than those lawfully entrusted and compensated to do so.

Keep One Eye on Pandemic Fallout, One on the Longer Term, Says Global Risks Report 2021

Last year will forever be defined by COVID-19’s devastating impact across societies and economies. However, the global pandemic also intersected with a range of other threats to accelerate and exacerbate preexisting global challenges and drive unexpected outcomes. Organizations will now need to appreciate how these issues might develop if their strategies and business models are to stand the test of time.

Trends and Reverberations

The Global Risks Report 2021, prepared by the World Economic Forum in collaboration with Marsh & McLennan and other partners, reflects on disparities in the socioeconomic fallout from the COVID-19 pandemic and the implications for the next decade. Strengthened by the insights of more than 650 global risk experts and leaders, the report contains four broad messages, detailed below.

1. Societies will likely continue to grapple with the long-term impacts of the pandemic on their economies. The global economy, already sluggish at the end of 2019, is expected to have seen growth drop by 4.4 percent in 2020, while governments collectively expended almost USD 12 trillion in fiscal measures to support their citizens through the crisis. The road to recovery remains arduous and vulnerable to setbacks from new surges of the virus in the foreseeable future, while pressures on household purchasing power, business reluctance to invest in fixed assets, and government debt crises may also hold back growth.

Downside scenarios set out a global gross domestic product that may be, by the end of 2022, 8.5 percent smaller than pre-pandemic projections—a total loss to economic output in the order of USD 23 trillion. While recently announced large-scale stimulus measures are welcome for many, the challenge ahead is how to transition successfully from providing “life support” in the form of unemployment aid, rental assistance, and tax reliefs to the transformational agenda of revitalizing and restructuring economic ecosystems, sectors, and businesses with an eye toward a sustainable future.

2. Inequality, already on the rise pre-pandemic, was significantly exacerbated by the crisis along multiple dimensions. Massive waves of employment loss globally have endangered the livelihoods of millions of people and may be consolidated in the recovery. Small businesses, youths (aged 15-24), unskilled workers, working parents, and minorities—overrepresented in sectors hardest hit by the pandemic—saw retrenchments and closures at multiples of national averages. Female-owned businesses in North America closed last year at nearly twice the rate of their male-owned counterparts, and Black-owned businesses in the United States suffered closures 2.4 times more than those that were white-owned.

At the same time, lockdowns across the world have interrupted important pathways to socioeconomic mobility, with the education of billions significantly disrupted and workplace constraints throwing a new spotlight on digital divides. Livelihood impacts and disparities have amplified mental health challenges, which will reverberate for many years. Forty percent of adults in the United States have experienced increased anxiety and depressive disorders over the past year, disproportionately so among the young (18-24 years old), racial and ethnic minorities, essential workers, and caregivers.

3. Escalating fractures in domestic politics threaten democracy and the rule of law. Trust in governments, public institutions, and businesses across the world has greatly diminished, often catalyzed by widespread misinformation, mounting social polarization, and hyper-partisanship. Trends suggest that mobility rights have become more constrained, Internet freedom has declined, and surveillance has increased. Pro-democracy and anti-government protests against injustice, authoritarian behaviors, and shortcomings in national pandemic responses have been intense. In some countries this sets a new tone for the future; elsewhere, achieving unity and restoring confidence in public institutions will be hard work.

4. Geopolitical schisms may grow as the pandemic accelerated the existing global trend toward a more protectionist stance. The US-China rivalry continues to intensify; foreign direct investment restrictions across advanced economies have expanded markedly on national security grounds; and challenges stemming from state-on-state cyberattacks have become more acute. While the pandemic may have created turmoil for the cross-border supply of critical goods, moratoria on trade disputes provide hope for the ability of global trade to underpin the recovery and the 40 million US jobs in export sectors, of which 98 percent are with small businesses.

Pressures on several fronts introduce the prospect of a disorderly shakeout for different sectors, which it will be vital for businesses to anticipate at a time of inherent fragility. With governments in all economies holding center stage and keen to seize opportunities for a fundamental reset, it is likely that the implementation of industrial strategy and thematic priorities will generate not only winners and losers, but also disruptive discontinuities in business ecosystems. Regarding the digital agenda, technology giants came out of 2020 with stronger, more diverse revenue streams, with enhanced investment power, and better positioned to compete on more strategic agendas—but also facing a plethora of government-led lawsuits, investigations, regulatory proposals, and legislation across the world. How this plays out will have ramifications for companies in other sectors, whose technology agendas have become more ambitious and more accelerated because of the crisis.

Finally, stakeholder scrutiny has significantly increased. The focus on environmental performance has risen and corporate ethics are on radars, with workforce diversity, supply chains, and employee exploitation among top issues considered. Meeting employee expectations that companies take stances—and quickly—on key issues may take leaders out of their comfort zones and present commercial dilemmas.

Oversight Imperatives

As they take stock of this turbulent risk landscape and guide management teams, boards might wish to reflect on four approaches that will help enhance the resilience of their organizations.

First, there has been much valuable discussion in recent years about disruptive risks. The past year, though, has pressed firms to appreciate the likelihood of concurrent crises, the validity of more extreme scenarios, and the existence of ignored tail risks that were lurking in risk registers all this time. This argues that companies should develop tougher stress tests to understand how they would stand against different eventualities.

Second, the crisis has made firms acutely aware that resilience is not a fixed standard, but an evolving, active process in which organizational muscles are stretched and honed. The most advanced businesses are able to flex trade-offs between agility, efficiency, and robustness with confidence, even at times when data and intelligence are weak.

Third, as boards look to the next year, it will be important to have one eye on near-term surprises and setbacks and the other on longer-term transformations. If companies only do the former, the price of survival may be obsolescence.

Fourth, organizations need to find the right balance between human capital and technological capital and anticipate associated risks accordingly. There’s no question that technology and data have underpinned governmental responses to the pandemic and enabled firms to keep working during the crisis—but the ability to reshape working practices, motivate employees, and retain talent in the recovery will be critical for ongoing success.

Richard Smith-Bingham is an executive director of Marsh & McLennan Advantage and a key contributor to the Global Risks Report 2021.

What a Biden White House Might Mean for Boards

Editor’s note: This excerpt is pulled from the January/February 2021 issue of Directorship magazine, launched this week. For more key regulatory themes to keep an eye on, as well as further insights into the themes listed below, read the full article here.

“Regulators are in a strong position to drive change. What is more powerful is for the change to come from the top down within business organizations.” So said Laura Cha, chair of Hong Kong Exchanges and Clearing, at a January World Economic Forum conference. In her speech to business leaders, Cha challenged directors to “step up in driving the ESG agenda of their companies.”

Her words were prescient, and US-based directors would be wise to heed them now. As the Joseph R. Biden Jr. administration begins its work, boards that have not been Washington-minded may experience culture shock. The White House under President Donald J. Trump and Vice President Michael Pence focused on deregulation. By contrast, an administration led by President Biden and Vice President Kamala Harris will likely focus on restoring regulations. This is especially true now that both chambers of Congress are controlled by a Democratic majority, albeit by slim margins, after twin victories in Georgia Senate runoff elections. Democrats will control committees and the legislation and nominations brought to the floor, with Vice President Harris casting the deciding vote in the event of a tie. Directors can expect many additional regulations and bills—if not laws—increasing regulatory requirements for companies and the boards that govern them.

A renewed focus on regulation would have two distinct implications for boards. First, board oversight of regulatory compliance must sharpen because companies will have to deal with new or restored regulations. Second, boards themselves are likely to contend with new requirements stemming from the Dodd-Frank Act that were put on ice under the Trump administration. The following key themes should help boards gain an advantage as we enter a new year with a new presidential administration.


In light of the current national emphasis on civil rights issues, we may see Congress revive diversity bills under renewed or new sponsorship. For example, the Improving Corporate Governance Through Diversity Act, if reintroduced by its original sponsor Rep. Gregory Meeks (D-NY), would ask the US Securities and Exchange Commission (SEC) to “require the submission of data relating to diversity.” A similar bill could be reintroduced in the Senate by Sen. Robert Menendez (D-NJ). Rep. Carolyn Maloney (D-NY) is likely to bring back the Diversity in Corporate Leadership Act, which would require the SEC to “establish a Diversity Advisory Group to study and make recommendations on strategies to increase gender, racial, and ethnic diversity on the boards of issuers,” and to “amend the Exchange Act of 1934 to require issuers to make disclosures to shareholders with respect to gender, racial, and ethnic diversity.”

In parallel with congressional initiatives to increase disclosure requirements, the SEC under a new chair will likely focus on company disclosures on board diversity. The SEC’s scrutiny may extend to compliance and disclosure interpretations (C&DIs) about board diversity. C&DIs—likely more familiar to general counsel and corporate secretaries than to most directors—are interpretations by the SEC’s Division of Corporation Finance intended to provide guidance on rules. It is possible that at some point this year the SEC will expand further the guidance it offered last year. One example: in a Feb. 6, 2020, update on Regulation S-K, the SEC added a question and answer about Item 401(e) that requires discussion of what led to the conclusion that a person should serve as a director, as well as a related provision under Item 407(c) requiring a description of how a board implements policies on nominee diversity “such as their race, gender, ethnicity, religion, nationality, disability, sexual orientation, or cultural background.”


The Biden administration will almost certainly strengthen laws affecting working conditions and pay equity, and Congress will likely reintroduce legislation on this topic. In a November fundraising message to Democrats, Robert Reich, former labor secretary under President Bill Clinton, called for an “FDR moment.” Reich, using language that some may find hyperbolic, wants to “reverse Trump’s efforts to take away workers’ health care” and “protect all workers against wage theft.” He also wants to bolster workplace safety inspections to make it easier for businesses to classify workers as independent contractors, and “ensure millions of workers receive the overtime pay they deserve.” In Congress, among the bills likely to be revived is the Corporate Freeloader Fee Act that was introduced by Sen. Sherrod Brown (D-OH) to “impose an excise tax on employers with low-wage employees.”

The new year will also be a time to remember the Dodd-Frank Act. The long-pending pay-for-performance rule proposed in 2015 may be finalized. Section 953 of Dodd-Frank mandated that the SEC pass a rule requiring public companies to disclose “the relationship between executive compensation actually paid and the financial performance of the issuer, taking into account any change in the value of the shares of stock and dividends of the issuer and any distributions.” Legislators who passed the law were concerned that some executives were being overpaid in relation to their performance. The rule defines pay as the total reported in the compensation tables of the proxy, with some modifications, and it defines performance as total shareholder return (TSR) over each of the company’s five most recently completed fiscal years compared to peers.

US 2021 Cyber Agenda May Affect Liability, Disclosure, and Enforcement

Structural and technological changes have been set in motion by COVID-19, creating new cyber-risk and security challenges that will likely endure even after the pandemic ends. There is no shortage of cyber-threat actors attempting to take advantage of this situation, and the majority of cyberattacks continue to be financially motivated.

While cybersecurity has seen strong progress over the last decade in terms of threat information sharing and cyber-resilience measures, it is still easier to attack than defend in cyberspace. Every year, cybercrime becomes cheaper, easier, and faster, making a variety of companies more vulnerable to attacks than ever before. After all, all companies are tech companies nowadays.

Last year, of course, was no exception. As boards seek to oversee companies’ risk assessments, investments, and cyber-defense tactics to ensure their businesses adapt to meet post-pandemic cyber challenges, they must take stock of the complex and varying types of cyberattacks businesses faced in 2020.

Over the past twelve months, massive amounts of downtime due to business disruption caused by cyberattacks and large troves of highly sensitive data made the private sector particularly vulnerable to ransomware, supply-chain compromise, distributed-denial-of-service (DDoS) attacks, and data breach attacks. As cybercriminals devised new ways to profit, such attacks grew in volume, sophistication, and impact.

DDoS extortions, where attackers extort companies by threatening DDoS attacks, made a resurgence in 2020, with the New Zealand stock exchange among financial institutions targeted. Even Amazon Web Services suffered a record-setting attack last February.

While DDoS attacks have caused significant problems, ransomware dominated the headlines last year. In fact, 2020 saw seven times more ransomware attacks than 2019. However, it is far from just a volume issue, as ransomware operators, driven by profit, think of new and innovative attack strategies. Attackers now almost always steal sensitive data in addition to encrypting the target company’s network or devices—called “double-extortion” ransomware—and extort victims by threatening to either publish data online or to auction off victims’ data on the dark web. Among companies that experienced double-extortion ransomware attacks last year were Banco de Costa Rica and a trio of financial technology providers including Cognizant Technology Solutions Corp., Finastra, and Pitney Bowes. There has also been staggering growth in the ransomware-as-a-service (RaaS) market, with Intel 471 tracking 18 new RaaS groups in 2021.

The US Securities and Exchange Commission (SEC) has issued multiple alerts warning of increasingly advanced ransomware attacks on registrants as well as their third-party service providers. As the massive SolarWinds breach starkly highlighted, even entities with relatively robust cyber defenses are vulnerable to attacks through third-party suppliers. Sophisticated attackers recognize this and are increasingly devoting attention and resources to targeting third-party service providers and other organizations down the supply chain that allow them to compromise many networks at once. Companies everywhere should pay more attention to supply-chain vulnerabilities as potential attack vectors for data breaches, ransomware, and other cyberattacks. 

Indeed, there is no end in sight, with damages from cybercrime projected to reach $6 trillion globally in 2021. Despite ever-growing investments in cyber defense, an increasingly anxious public feels that the oversight of federal agencies, boards, and CEOs fails to meet their expectations. The lack of a generally accepted framework for the evaluation of cyber risk, agreed-upon best practices, or unifying standards adds to the uncertainty and complexity for senior executives and directors of understanding the true nature and extent of an organization’s cyber-risk exposure. Given this emerging reality, the legislative and regulatory agenda must evolve to address these economic, national security, and stakeholder impacts. 

The Expected Cyber Agenda Under the New Presidential Administration

President Joseph R. Biden Jr. has said his administration will make cybersecurity a top priority at every level of the government. Moreover, in stark contrast to the previous administration’s agenda, the focus on data privacy issues will intensify as will collaboration with Europe and the global community. Vice President Kamala Harris has a track record of such focus; as attorney general in California, she spearheaded privacy efforts that ultimately led to the state’s adoption in November of the California Privacy Rights Act (CPRA), which established a new regulatory agency to police data privacy.

Changes in US Senate leadership and anticipated greater collaboration with the US House of Representatives will likely spur bills to address the governance of cybersecurity, incident reporting, and consumer privacy. Senators Sherrod Brown and Pat Toomey have agreed to furthering technology concerns in the Senate Banking Committee. It is widely expected that Senator Jack Reed will reintroduce a bipartisan bill to require disclosure to investors of information on whether a company’s board has a member with cybersecurity expertise. Moreover, the Cyberspace Solarium Commission, mandated by the National Defense Authorization Act of 2019, recommended various legislative initiatives that may advance, including amending the Sarbanes-Oxley Act of 2002 to mandate corporate accountability and certain cybersecurity disclosures by publicly traded companies.

Leadership changes expected at financial services regulators and at the Consumer Financial Protection Bureau will likely coincide with a host of new regulations as well as a revitalization of consumer protection efforts. Further, market participants should anticipate an increase in examinations and enforcement actions from all independent regulators and other oversight agencies, such as the Financial Industry Regulatory Authority.

State legislatures and regulators are expected to continue to prioritize cybersecurity and data privacy. Some may align with the CPRA and others with the New York Department of Financial Services cybersecurity requirements, which cover all financial institutions operating in New York. The lack of a comprehensive federal cyber regime has contributed and will continue to contribute to the diversity of state initiatives, which may be reminiscent of state blue sky laws from the early 1900s.

Without question, the legislative and regulatory landscape in 2021 will include a variety of measures that seek to improve the accountability for and governance of cyber-related concerns.

How Boards Can Act Now

While there is no one-size-fits-all solution, there are specific defensive investments that companies can implement to mitigate risk from costly cyberattacks—and to preempt new regulations and legislation.

The first step in improving cyber defenses is to know what needs protection by quantifying cyber-risk exposure and deriving a risk appetite. Companies should conduct a 360-degree review across the enterprise that covers external exposures, such as those created by third-party service providers. A discussion around risk appetite, addressed in the NACD Director’s Handbook on Cyber-Risk Oversight, should cover the following principles:

Corporate Values: What risk will we not accept?
Strategy: What are the risks we need to take?
Stakeholders: What risks are stakeholders willing to bear, and to what level?
Capacity: What resources are required to manage those risks?
Financial: Are we able to adequately quantify the effectiveness of our risk management and harmonize our spending on risk controls?
Measurement: Can we measure and produce reports to ensure proper monitoring, trending, and communication?

Managing supply-chain risk from third-party service providers has become an essential part of corporate risk management. As supply-chain attacks leverage the existing trust between vendors and customers, they can be incredibly difficult to prevent and detect. Today, unfortunately, many companies remain underinvested in this area.

Companies should ideally try to evaluate the cyber-risk exposure of prospective service providers before engaging them as trusted third-party partners, and one way to achieve this is through security ratings. These ratings, from companies such as SecurityScorecard, provide a standardized snapshot and ongoing monitoring of a company’s cybersecurity capabilities to help it make strategic risk decisions.

Advanced companies can also use security ratings alongside strategic risk metrics to do the following:

Align cyber-risk scenarios with material business exposure.
Roll the reporting of cyber risks together with financial exposure to inform risk-management decisions.
Measure the improvement of cyber-risk reduction over time.

Companies must also ensure sound technology hygiene. A large part of this involves implementing proactive vulnerability and patch management programs and applying secure coding standards across internal and external applications, but it also includes managing supply-chain exposure, integrating enterprise-wide security, and performing regular risk-assessment evaluations and incident-response exercises.

With cybersecurity and data privacy on the legislative and regulatory horizon, boards should act now to ensure their security programs will meet potential requirements and stay up to date as Congress and regulatory bodies proceed with their related plans.

Christopher Hetner has served in various executive roles in both the private and public sectors, including senior cybersecurity advisor to the chair of the SEC, senior member of the US Department of the Treasury Financial Banking Information Infrastructure Committee, cyber-risk advisor to the National Association of Corporate Directors, and global chief information security officer of GE Capital. Robert Peak has served in senior capital markets policy roles including at the SEC, where he worked on the Commission’s issuance of its 2018 cybersecurity guidance. He has advised commissioners, members of Congress, and board members, and is a thought leader in securities trading, regulation, and enforcement.

The views expressed in this presentation are the views of the author and do not necessarily reflect the views of the author’s employer or any other entities with which the author may be associated.
