Cyber-Risk Oversight Amid Russia-Ukraine Tensions

Will they or won’t they? This question has been top of mind for the United States and North Atlantic Treaty Organization (NATO) allies for several weeks as sophisticated intelligence operations have monitored Russian forces inching closer to invading Ukraine outright. The history leading to this moment is complex and nuanced, but one matter is clear: the consequences of a kinetic war in Ukraine would be devastating for its people, economy, and young democracy, and have dire ripple effects around the world.

And that’s just considering potential traditional acts of war.

Could Russian cyberattacks used to “soften the Ukrainian battlefield” spill into business networks around the world?

According to the Cybersecurity and Infrastructure Security Agency (CISA), the agency at the forefront of US cyber defense, it’s time to put “shields up” at organizations of all kinds. “CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets,” reads a notice recently posted to the CISA website in light of current events in Russia and Ukraine.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger emphasized this point at a press conference on Feb. 18, during which she detailed how Russian actors have already deployed distributed denial-of-service attacks within the Ukrainian Ministry of Defense and the country’s state-owned banks. “I cannot stress this enough: we urge our private sector partners to exercise incident response plans and put in place the cybersecurity defenses, like encryption and multifactor authentication, that make cyberattacks harder for even sophisticated cyber actors,” she said.

Businesses and other institutions are called on to defend American infrastructure against the influence of Russian state actors’ cyberattacks, and board members can do their part. Key action steps for you and your board to take in the coming weeks—and as the crisis in Ukraine unfolds—follow.

Understand the 2017 NotPetya Attack

Ukraine is well known among cybersecurity professionals and researchers as the unfortunate testing ground for Russian cyberattacks. In 2017, many nations got a taste of what can happen when such tests stretch beyond their intended borders.

Do you recall when global shipping giant Maersk was moored due to a cyberattack that year? That was part of a cyber event now known broadly as NotPetya, and it impacted an astonishing number of companies and countries. The igniting incident was the injection of malware into commonly used Ukrainian tax software. While the code appeared to operate like ransomware, there were no decryption keys to regain access to data. Once infected, data was simply lost and computer hardware rendered useless.

The United States and United Kingdom attributed the attack to Russian state actors. NotPetya’s power to quickly spread outside Ukraine through connected networks led to multimillion-dollar losses by the likes of FedEx Corp. and DLA Piper.

In today’s environment, a cyberattack in advance of a traditional act of war could leak into networks worldwide accidentally or intentionally, and companies and organizations worldwide need to be prepared to act rapidly to mitigate any related issues. Directors might consider learning about the evolving role cyberattacks play in war and how their organizations’ networks can get caught in the crossfire.

Review NACD Cyber-Risk Oversight Guides

The NACD Director’s Handbook on Cyber-Risk Oversight, updated most recently in 2020 by NACD and coauthors at the Internet Security Alliance (ISA), is a staple for understanding board-level cyber-risk preparedness. The following principles from the handbook are worth reviewing in times of potential crisis:

Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an information technology risk.

Directors should understand the legal implications of cyber risks as they relate to their companies’ specific circumstances.

Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.

Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.

If followed, these principles should leave your board in a sound place to oversee the needs of the cybersecurity organization through a crisis without the board interfering in operational responses. Appendices of the handbook include questions to ask about the company’s cybersecurity posture, a tool that outlines the board’s role in incident response, resources provided by the US Department of Homeland Security, and a guide to involving the US Department of Justice and Federal Bureau of Investigation in the event of a breach.

NACD and ISA in 2021 joined the World Economic Forum to expand upon these core principles in Principles for Board Governance of Cyber Risk. While most of the principles align with the ones above, one critical addition was made: encourage systemic resilience and collaboration.

This new principle acknowledges one of the critical vulnerabilities present in US cyberinfrastructure: that we’re all operating within interconnected systems that are private from one another. What could harm one company could harm many others, and the line of sight into those vulnerabilities is only as clear as the information shared by their owners. It’s critical that board members and their executives understand that their organizations could be affected by a malicious attack at the hands of a state actor, and that information about such attacks should be shared with appropriate industry information sharing groups, law enforcement agencies, and other parties. Information security experts in recent days have applauded the speed at which critical vulnerabilities have been identified, investigated, and declassified for sharing, all in the name of securing companies like yours. Directors can encourage their security leaders to communicate anomalies to law enforcement and information sharing networks as part of their contribution to securing the ecosystem.

Review What Your Company’s Cyber Insurance Covers

Merck & Co. was one of the unfortunate victims of the NotPetya attack in 2017, and its cyber insurance declined to cover the cost of more than 40,000 computers lost to the virus, as the insurer stated that the loss fell under its “War or Hostile Acts” exclusion. There is some good news: the $1.4 billion claim was awarded to Merck early in 2022 by the New Jersey Superior Court. Still, Threatpost reports that Lloyd’s of London and other insurers are taking steps to exclude from coverage and create more explicit terms for what counts as an act of war.

Is your board aware of the types of risk transfer the company practices that would shield the organization in the event of harm done in a borderless cyber war? Consider checking in with your management team to understand what material harm could come to the company if its insurance-based risk transfer solutions will not cover this type of loss.

Follow CISA’s Alerts

CISA is a young and quickly growing agency within the Department of Homeland Security. The agency has had its eyes on the situation in Ukraine for months and has issued several briefings urging private-sector organizations to secure themselves against any known threats and to have crisis response plans in hand and rehearsed, especially at the C-suite and board leadership level.

While CISA publishes a lot of technical, operational-level information, its warnings and briefings are meant to inform leadership and the public about what risks to attend to. If you’re interested in registering for direct emails from the agency about general warnings and news, or would like information more specific to your industry, visit their email subscription page and follow the directions to select what you want to receive.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

How to Make Your 2022 Climate Resolutions Stick

The novelty of the new year is waning, and many resolutions are already losing steam—or have been abandoned altogether. What have we learnt? That anything worth doing is going to take more than changes in the margins. Resolutions, especially the big ones, tend to fizzle without serious lifestyle changes.

A version of this is playing out right now with climate change commitments in the capital markets. As it stands, approximately 60 percent of Fortune 500 companies have declared their climate resolutions in the form of greenhouse emissions reductions goals. Of these, 17 percent have set “net-zero” carbon emissions goals. But market and investor reactions to these ambitions have been muted. The Edelman Trust Barometer 2021 reveals that 72 percent of investors do not believe companies will live up to their environmental, social, and governance (ESG) commitments. Seventy-nine percent of global investors (and a staggering 92 percent of US investors) are concerned that companies will be unable to meet their net-zero goals.

Why the mistrust? Perhaps the answer lies in the chasm between what corporate climate resolutions are and the actions they have been taking in their business. Recent research has highlighted a vast gap between corporate climate commitments and strategic plan disclosures. While 81 of the world’s 100 largest companies had set climate targets as of September 2021, only 17 had referenced climate change in investor presentations on the organizations’ strategic plans and only five had provided substantive details. In other words, their “lifestyle” hasn’t really changed.

Directors should heed the mistrust. As we saw during last year’s proxy season, investors are more than willing to hold corporate directors accountable for their companies’ climate strategies and change guard when they disagree with the path forward. And we’ve already seen announcements foreshadowing how this mistrust could play out in the 2022 proxy season. Aviva Investors recently released its plan to vote against corporate directors of companies falling short of their climate change objectives. State Street Global Advisors also announced its intention to hold boards and CEOs of high-emitting portfolio companies accountable for sub-standard climate transition plans.

Boards should see the current climate around climate change as an opportunity to communicate with management not only about climate change goals but also about how their businesses need to change to achieve them. This understanding of how businesses need to evolve in light of climate change should be reflected in long term strategic plans.

Looking ahead, directors can do the following to help management evolve their strategic plans and meet their climate resolutions:

Query the impact on your business model. While climate change poses great risks to businesses, the opportunities presented are equally compelling, and the climate transition is considered by many to be the greatest investment opportunity of our lifetimes. In his 2022 letter to CEOs, BlackRock CEO Larry Fink called on chief executives to consider how their enterprises could be disrupters rather than victims, asking, “As your industry gets transformed by the energy transition, will you go the way of the dodo, or will you be a phoenix?”

Understand the impacts on the external environment. Climate change not only impacts companies directly but also their operating environment. It affects regulation, supply chains, consumer preferences, and even access to capital. Directors and management can work together to factor each of these external impacts into their company’s long-term strategy refresh.

Evaluate impacts on goals and key performance indicators (KPIs). Are outdated corporate goals being grandfathered in, or worse, distracting leadership from new goals that would redirect the company to thrive in a net-zero world? Reducing greenhouse gas emissions is only part of the battle, not a complete climate strategy in and of itself. Business goals and KPIs should reflect how the company plans to generate value in a transformed business landscape.

Develop climate-conscious capital allocation strategies. Investors are starting to use corporate capital allocation as a yardstick to identify companies whose climate rhetoric matches their actions. The board should call on management to update capital allocation plans if climate change mitigation and adaptation investments, research and development, and capacity building aren’t getting a big enough slice of the pie.

Assess risk processes. Given our evolving understanding of climate science and shifting environmental vulnerabilities, audit committees should assess and develop risk management protocols designed to keep the company afloat. Responsiveness to new data, regulation, and stakeholder needs will be critical to corporate resilience.

Establish accountability systems for climate strategy implementation. Investors are looking for boards to hold management accountable for corporate climate resilience performance. Building on the recommendations above, directors should consider incentivizing management not for climate performance exclusively, but rather for the success of a broader climate-conscious business strategy.

While corporations continue to boldly make climate change commitments, considering the above steps now will enable directors to help management go beyond the marginal changes and implement the “lifestyle” changes needed for the company to stick to its climate resolutions. It won’t be easy, but it will be necessary to generate value and stay resilient in a carbon-constrained future.

Veena Ramani is a research director at FCLTGlobal. She is an expert in climate change, corporate governance, and ESG disclosure.


Cyber-Risk Oversight Is Evolving: Are Directors Ready?

Last year was yet another challenging one for organizations in terms of cybersecurity. Massive breaches, exponential growth in ransomware attacks, attacks targeting critical suppliers and vendors, and new vulnerabilities in ubiquitous software created heartburn for security teams and executive leadership.

On top of that, several recent announcements from US regulators suggest that corporate directors need to reexamine their cyber-risk oversight efforts in 2022. On Jan. 4, the Federal Trade Commission issued a warning that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Most executives had never heard of Log4j prior to December, when news emerged that a serious vulnerability threatened millions of products that rely on the common software.

Weeks later, US Securities and Exchange Commission (SEC) chair Gary Gensler delivered remarks at the annual Securities Regulation Institute placing cyber-risk oversight squarely on the shoulders of executives and directors. During the meeting, Gensler announced that SEC staff would be recommending new rules on mandatory cybersecurity disclosure by public companies, saying companies and investors alike would benefit from cybersecurity information “presented in a consistent, comparable, and decision-useful manner.”

These initiatives signal an important change in the expectations that regulators have of companies and their directors.

In the past, regulators sought assurance that companies were addressing cyber risk at senior levels. Over the last five years, we have witnessed incredible change in the way that companies have organized themselves to address cyber risk. These critical corporate governance initiatives—from ensuring that directors with cybersecurity or technology expertise are on the board to creating board-level committees responsible for cyber-risk oversight to developing reporting structures between the business and the board—have created an important foundation for many organizations to manage cyber risk.

But in many respects, these critical corporate governance initiatives are just the beginning of the journey. They establish the structure and framework for decisions to be made. Now, with incidents and breaches piling up, the focus is shifting to questions about security program performance and effectiveness. What should directors do to respond?

The next phase of cyber-risk oversight—Cyber-Risk Governance 2.0, if you will—will focus on the data itself. What data should be reported? What metrics should be analyzed? How does this data inform our decision-making? How do we assess our program’s effectiveness?

We are entering a new era of cyber-risk oversight, one that will be marked not by governance changes but by the integration and use of data, information, and metrics.

Effective Cyber-Risk Monitoring and Measurement

When developing or improving the ability to measure and oversee cyber risk, understanding an organization’s exposed assets and security performance is critical. Work from home due to the COVID-19 pandemic, increased dependence on mobile devices and applications, increased cloud and third-party reliance, and high-speed 5G connectivity have all dramatically expanded organizations’ attack surface—the volume of exposed assets that may be at risk of attack.

The expanding attack surface means that significant risks may exist in areas organizations have not historically considered. For example, a recent BitSight study into the security posture of organizations’ mobile applications found that 75 percent of mobile apps contain at least one moderate vulnerability. Few organizations address material and severe vulnerabilities once they’ve released their applications. This is highly risky behavior, and malicious actors are ready to take advantage of these lapses.

Organizations need visibility across their entire attack surface—from on-premises and cloud infrastructure to software as a service and mobile applications. Additionally, ongoing monitoring is essential in an ever-changing risk landscape. Tools that track security performance over time can help guide continuous improvement efforts. This type of insight gives decision-makers the ability to make security investments that deliver the highest impact over time and efficiently allocate resources to the most critical areas of cyber risk within their organization.

Armed with data and insights, corporate directors will be able to build upon their cybersecurity governance initiatives and confidently enter the next phase of risk oversight.

Jake Olcott is vice president of communications and government affairs at BitSight.


Board Committees Are Key to Embedding ESG

There is always a warning—but the call is not always heeded.

When it comes to companies, especially in the United States, taking environmental, social, and governance (ESG) issues seriously, that sentiment couldn’t be more apt. The world has irrevocably changed, and US companies that fully embrace and engage on ESG will remain players in the global market. If US companies don’t get on board with ESG, their equities could be worth less than anyplace else in the world.

Take cybersecurity as an example: It was a threat. Companies knew this and discussed it. It wasn’t until data breaches hit like a magnitude 10 earthquake that companies grasped the severity of the threat and the change required, and took action. Initially, many companies created a board seat for a cybersecurity expert, with the onus landing on that person to know all and see all. But when it came to implementation, cybersecurity became an investment issue that necessitated broader board education and different committees taking responsibility for different pieces of cyber-risk oversight.

ESG is at this crossroads now. Stakeholders’ calls for action are louder and more urgent in their demands for change, increased disclosure, and greater transparency. Boards can no longer continue to only discuss ESG or rely on a solely performative approach.

Embedding ESG starts with the three standing committees on a board. Each committee brings its own concerns and governance charter to incorporating ESG into its processes, and when ESG is effectively integrated, this will lead to the next-level mind-set that is required of boards today.

The Nominating and Governance Committee: ESG and People

The nominating and governance committee, simply put, is focused on people. So, ESG from a nominating and governance perspective needs to focus on questions that employees are raising, such as on the return-to-office policy and on conducting employee surveys that provide answers that make sense in the face of the Great Resignation—a component of the “Great Corporate Renegotiation”.

Questions for the nominating and governance committee include, for example:

What investment are we making in our employee culture—beyond affinity groups?

How does working remotely support the company in achieving Scope 1 and 2 carbon emission goals? How is that being tracked, analyzed, and disclosed publicly?

Have strategies for recruiting and retaining talent shifted to include historically Black colleges and universities and public universities and colleges?

How does our company value and promote women and people of color?

What is our board composition strategy? How does it align with Nasdaq listing requirements when it comes to board diversity, for example?

A shift in the mind-set of directors on this committee needs to resonate throughout the board, including through asking integrative questions and showing broad support for setting diversity targets during financial and supply-chain discussions.

In today’s landscape, investors see high resignation rates as a risk indicator, triggering deeper analysis of the risk of volatility in growth and performance projections. Considering the questions posed here, as well as others, will strengthen the board’s oversight of the social and environmental components of ESG.

The Compensation Committee: Put Your Money Where Your ESG Is

The compensation committee has its own role in this equation. It is responsible not only for determining who gets paid and how much but also for achieving any targets that have been set. After the last two years—of the pandemic, as well as the racial reckoning following the murders of George Floyd and Ahmaud Arbery and the $12 million wrongful death settlement for Breonna Taylor’s killing—diversity, equity, and inclusion (DE&I) are not “nice to have.” They are “must haves.”

No longer can companies get away with simply presenting as though they have good governance around equity and race, gender, and sexual orientation. They need to show what they are doing to hit targets and grow a diverse, stable workforce from the front lines to their executive leadership teams.

The compensation committee needs to wed compensation to DE&I targets. When hiring a compensation company to advise it, the committee must check and see if that company has experience bringing DE&I into short- and long-term compensation and then ask, “Whom are they benchmarking our company to?”

If a company is paying an executive for achieving DE&I targets, they should be benchmarking against where the company is going (e.g., Best Buy) versus what they have been doing (e.g., Blockbuster).

The Audit Committee: From Bottleneck to Breakthrough

Finally, the audit committee is responsible for looking at the history of intangible assets, such as a company’s reputation, and determining how to budget the management of those risks in accordance with ESG concerns. Is ESG embedded in internal capital allocation models? Was ESG explicitly included in the company’s last financial materiality assessment? How is the company tracking and reporting this data?

Companies need to invest in creating and tracking their own data, and they need to do so in a way that withstands financial valuation analysis at critical times including during merger and acquisition transactions or when they seek financing externally from banks and investors.

In today’s competitive environment, when a board needs to assess the value of an acquisition target, it’s now a prerequisite to view the assessment through the ESG lens. It begins with the board identifying where the target company aligns with the acquiring firm’s corporate strategy and then identifying alignment in how the acquisition target has integrated and embedded ESG in investments and capital allocation decision processes. Target acquisition companies that are not aligned from an ESG viewpoint will face a discounted value.

Essentially, the audit committee can be a bridge from what was done yesterday to what needs to be done today to consistently moving forward in order to embed resiliency through good governance.

Pay Heed or Pay the Price

The world has changed forever since March 2020. Were there warnings from a financial, social, racial inequity, and public health perspective? Yes, and most went unheeded until the pause button was hit, and we were left to ask: Who are we as a nation? As a people? As a corporation?

The world is demanding answers to pressing questions, and pressure is coming from all sides. Corporations that respond at pace and scale with the global landscape will be invested in by the people within, by the community without, and in the financial capital marketplace. Those that don’t, won’t. Embedding ESG meaningfully and effectively is an advantage that bolsters organizational agility even in times of crisis and will help companies successfully renegotiate their role in society and the economy.

Joyce Cacho is an experienced independent director and honoree of Savoy magazine’s 2021 Most Influential Black Corporate Directors list.


The Great Resignation: How Did We Get Here, and What Can Our Companies Do to Adjust?

Last May, Anthony Klotz, an associate professor at Texas A&M University, coined the phrase “The Great Resignation” to describe the unprecedented number of resignations occurring as a result of the impact of COVID-19.

It was apt: 4 million Americans—primarily mid-career employees—quit their jobs in July alone, with the greatest increases in departures recorded in tech and health care. Since then, departures have continued across all industries.

On Jan. 20, the NACD Texas TriCities Chapter held a virtual program to discuss this topic and the role that organizational leaders play at a time when the war for talent has peaked. David Bixby, a partner at Meridian Compensation Partners, moderated the panel of speakers, which included Dave Pruner, partner in charge of the Heidrick & Struggles Houston Office and directors Carol Hess (Wi2Wi) and Bill Easter (Delta Airlines, Emerson Electric Co., Grupo Aeroméxico, and Memorial Hermann Health System).

The panelist dialogue, followed by small breakout conversations, yielded insight into what executives and directors can do to understand, monitor, and fend off the causes behind unwanted departures. Here are some of the key takeaways.

Why is the Great Resignation happening?

The Great Resignation has been caused by several factors:

A virtual workplace. COVID-19 forced people to stop business travel and start working from home, using technology to meet with colleagues and clients and sell to customers. Much of this has proven effective and provided a degree of flexibility that was perhaps needed far before the onset of the pandemic. For many employees living in large metropolitan areas, the end of the daily commute resulted in fewer expenses, less stress, and greater productivity. Many relocated from crowded urban areas to quieter suburban or out-of-state locations or moved into second residences. As more companies are adding this flexibility on a permanent basis, people are reexamining their options and realizing that jobs that once were difficult to logistically accommodate due to required commuting are now within reach.

Families at home. With children also learning from home, family routines and dynamics changed. Parents became more hands-on, and newfound family connections. On the other side of the coin, however, the stress of having families at home has been significant. For example, a recent McKinsey & Co. report reveals that the pandemic’s impact on women has been disproportionate and offset substantial progress made in recent years. Women—who often carry the larger share of household, childcare, and eldercare duties—might be experiencing burnout at a much higher rate than men, perhaps driving their (and their spouses’) decisions for an occupational change.

Personal health and safety. As people contemplated the personal risk of contracting COVID-19 in their daily jobs, positions in health care, hospitality, and travel became far less attractive than those in other industries. As these industries either shut down (hospitality and travel) or ramped up (health care), employees more carefully examined their options and their employers’ actions, and they made decisions about personal priorities.

Millennial and Gen Z priorities. As employees began realizing the workplace could be—and would likely continue to be—different, they acted. We have known for years that for millennials and Generation Z employees, the definition of “a great place to work” challenges traditional paradigms and involves work-life balance, flexibility, action on climate change, and organizational purpose. The topic of shareholders versus stakeholders is not up for debate, and younger employees expect their employers to have a productive and positive relationship with the wider community.

How can organizations adjust?

Boardrooms nationwide must consider the implications of the Great Resignation. Organizations’ success lies in their ability to attract and retain the best talent, meaning leaders must consider what can be done to minimize the wave of departures impacting so many companies. The program’s panel and subsequent breakout conversations yielded productive insights on steps for directors to consider:

Be clear on strategic priorities. Examine the priorities that have been driving the business. Are they still relevant? Were they made priorities due to shareholder preference without consideration for stakeholders? Are there changes that need to be made to address a wider community of interest? Priorities should be clearly communicated with their purpose understood. People are less likely to leave if they feel their interests and those of the enterprise are shared or aligned.

Innovate on compensation and benefits. Although the importance of a competitive compensation and benefits package isn’t diminishing, companies are innovating around benefits given recent changes in health-care policy and to address employees’ changing desires. Unlimited vacation, sabbaticals, and mental health days are seen as ways to create more flexibility and demonstrate an understanding of the need to create downtime in a 24/7, connected world. Educational benefits are also increasing as topics such as foreign language lessons are included in some employee development benefits.

Examine entrenched practices. In every long-standing organization, there are policies and practices that are hardwired into the enterprise. Some of these are human resources practices, while others can be found in the operations themselves. These can manifest as leaders who are never questioned or behaviors that are overlooked. Particularly in companies that have experienced past success, it is important to examine if the “non-negotiables” are causing people to question whether the organization is right for them.

Focus on environmental, social, and governance (ESG) topics. A deliberate effort to align ESG with business strategy is important to most of today’s workforce. The purpose of a business can no longer be solely about short-term shareholder interests. In today’s environment it is essential for organizations to commit to ESG standards held by the wider society. Employees want their leaders to not only say the right things but also demonstrate through investment and action that the commitment is real. Compensation committees that align remuneration to ESG goals can further reinforce the priority.

Measure who and how many. As talent development is one of the primary responsibilities of compensation committees and full boards, it is imperative that directors understand the variables of the mass balance over time. Historical patterns of attrition (who and how many annually depart) should be compared against current numbers, and a demographic breakdown of those leaving should be closely examined. Attention should focus on whether or not particular demographic segments are departing at higher rates, which could indicate that specific operational, policy, or cultural issues need attention.

Remember that culture matters. Many are concerned that a hybrid work environment with employees who only gather in the office on occasion will struggle to build culture. Work culture (how it feels to work in an organization) is the glue that keeps people together, as it defines how things are done both formally and informally. It’s important for leaders today, many of whom are Baby Boomers or Gen Xers, to realize that how we define “healthy culture” will likely not be how future generations of workers see a sensible and effective culture. Technology, increased flexibility, and less emphasis on “face time” will bring about different ways to collaborate, challenge, and build camaraderie among coworkers. Boards need to be aware of and support how culture is transforming in their organizations.

COVID-19 has accelerated change that was already taking place in the business world. Directors serving on boards should be careful not to dismiss this as “something that will pass” under the belief that the world will soon return to a more recognizable model. Increasing vacancies in commercial real estate, sustained remote work, and the continued use of videoconferencing indicate that the office of the future will look significantly different than the office of the past.

As employees carefully examine options, driven by a different set of values, there will be great companies that find ways to retain a strong and productive employee base. Directors play a critical role in driving conversation in the boardroom to focus on creating an environment that garners loyalty and commitment. Strategic clarity, aligned values, and flexible work arrangements to provide balance are key to winning the war for talent.

Anna C. Catalano serves on the boards of Willis Towers Watson, Kraton Corp., HollyFrontier Corp., Frontdoor, and Appvion. She is also president of the NACD Texas TriCities Chapter and a board member of the NACD Corporate Directors Institute.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Small and Medium-Sized Businesses: What’s Your Plan for 2022?

Over the past two years, the US federal government has given billions of dollars to businesses, including through Paycheck Protection Program (PPP) loans, Economic Injury Disaster Loan (EIDL) grants, and Employee Retention Credit (ERC) tax rebates. The good news is that many businesses are now finding they’ve survived or even made a profit last year thanks to these loans and grants.

But those government programs are now over. Inflation is on the move, cash from banks is becoming more difficult to obtain, scrutiny from lenders is increasing, and it is an employee’s market with immense labor movement particularly in the retail and service industries. On top of that, the supply chain is unpredictable, and the virus that started it all is still among us.

CEOs and board members of small and medium enterprises can do little to push the entire economy beyond COVID-19, but they can certainly take steps to protect their companies as economic difficulties deepen.

Being Proactive Versus Reactive

Supply chain issues have affected large, medium-sized, and small businesses alike. Not only are container ships backed up, but there’s been stagnation at intermodal transfer sites and logistics terminals around the country, as well. Trucking companies are hungrily looking for drivers. Some business owners who have enough current supply may be waiting to see how this will affect their supply chains. This is much like standing on your porch, watching an approaching tornado.

Middle-market and small businesses have found their costs rising and production limited by shortages of raw materials and supplies. The creativity that allowed many of these businesses to succeed over the past two years should continue to be their driving force.

Boards of such companies should anticipate forthcoming economic issues and guide management to address tighter lending, more difficult vendor credit terms, supply shortages, and possibly even product acceptance challenges as the consumer and business climate shifts.

Being Strategic Versus Tactical

As banks review their lending relationships, small and middle-market companies, with fewer assets on the balance sheet, will be given greater scrutiny. Cash flow shortages will stress business operations. Now is the time for the board to be even more strategic.

In my experience working with clients, some small and medium-sized business boards and executives believe their companies to be too solid to be affected by COVID-19 at this stage, especially if they previously accepted governmental support. They will be proven wrong.

Without the reassurance and aid of government programs, boards should ensure that management strategically reviews their businesses. Hiring at all levels should address staffing shortages, providing flexibility and scalability which is as critical on the production floor as in the front office. Furthermore, looking at the “why” of financial statements is more important than reading the results. Everything that happens operationally in a company flows down to the financials. They are a guidepost to future results.

Whatever excess cash existed at the end of 2021 should be used to pay down debt, restructure internal operations, improve efficiency, and strengthen the balance sheet in preparation for the difficulties that will likely appear this year—including the Federal Reserve raising interest rates to rein in inflation. Every move is critical for the health of small and medium-sized companies in 2022.

Where to Go From Here

When economic winds change, small and middle-market companies must be able to pivot. As the buying paradigm shifts, companies need to review how they fit into the marketplace. Are they an innovator or a low-cost supplier? Both consumers and businesses are increasingly shopping online, searching for alternate products and sources.

The recent passage of the Infrastructure Investment and Jobs Act to help rebuild our national infrastructure certainly provides opportunities for companies of all sizes. Boards need to be farsighted enough to help management determine how the companies they steward may seize such opportunities.

Not all companies are directly in line for contracts. For those that are not, find an opportunity to supply the suppliers. These new government purchases will filter through the economy, and boards should consider how their businesses may take advantage.

Policies and Procedures

There are great benefits to being a leader. Small and middle-market companies should mirror the direction of public will in their business policies. Despite initial cost implications, being an early adopter of stakeholder-focused initiatives will deepen employee engagement. The Great Resignation has created a tightening labor market. Thinking proactively will prompt good employees to seek you as an employer.

Policy review, including as it relates to flexible work programs, job sharing, and diversity, equity, and inclusion issues, can no longer wait for the next board meeting. Changes in employment practices are having a real impact on companies throughout the country. In addition, review of and improvements to quality control standards, credit policies, and internal controls will help every company succeed.

The days of pandemic-related government aid for small businesses are over. Small to medium-sized companies and their boards should continue to think creatively and strategically to not just survive the coming year but grow by taking advantage of unique opportunities that present themselves.

Larry Chester, president of CFO Simplified, served as a corporate chief financial officer (CFO) for more than 20 years before starting his consulting firm. His team serves as fractional CFOs to companies in many industries, from start-up to middle market, providing cash flow planning and other services that drive profitability.

Preparing the Future American Boardroom

The American boardroom has been under significant stress over the last two years. Many directors faced their most challenging boardroom moments but rose to the occasion, navigating their companies through the depths of the pandemic and making many tough calls to ensure financial survival and adapt to rapidly shifting conditions.

It was maximum-intensity governance and management. As we learned from our surveys, directors’ time commitment doubled in 2020 when they delved into many urgent matters such as employee health and safety, remote operations, supply chain management, and access to capital and government relief funds. Using (and getting more comfortable with) virtual meetings, boards and management engaged much more frequently, sometimes even weekly, and traditional governance boundaries often blurred, as directors and senior executives worked closely together to navigate through the crisis.

This high-speed governance is barely slowing down, as companies now confront many new strategic and operational challenges, including the “Great Resignation,” accelerating digitalization of every dimension of business, rising inflation, widespread demands for corporate climate action, and the integration of diversity, equity, and inclusion into the fabric of every organization. It has made the job of the board much more difficult than it was before.

What makes the current environment uniquely unpredictable and hard to navigate is the fact that these changes are happening concurrently, interacting with and amplifying each other, creating many unintended and unwanted consequences. Just look at the top trends from our 2022 Director Trends and Priorities survey (in the included chart below) that directors believe will have the biggest impact on their companies over the next 12 months.

Talent scarcity is disproportionately affecting companies’ ability to successfully execute their high-stake digital transformations. At the same time, these transformational technology initiatives may inadvertently expose companies to new cyber risks, which may also disrupt already weakened global supply chains that, coupled with the growing labor market shortages, are driving inflation to levels not seen in recent years. A number of these trends are challenges that many directors did not have to grapple with in their prior operational careers and that they therefore have relatively little experience with.

In the coming year and likely beyond, boards will need to govern their companies through both a telescope—spotting new, over-the-horizon patterns across markets, societies, and geographies and connecting the dots between them—and a microscope by keeping a finger on the pulse of the company’s performance and its key drivers, such as talent, technology, brand, and financial stability.

Overall, board effectiveness now seems more important than ever as the pace of change is relentless and stakeholder expectations about what boards should do and look like are ever-increasing. But the pandemic governance model is likely neither sustainable, nor desirable. We need to maintain distance between boards and management teams to effectively govern businesses for the long-term. The board modus operandi prevalent for the last few decades, however, is unlikely to be adequate.

To position boards to help their companies succeed in a more turbulent future, we need to firmly challenge how boards are composed and structured, how they operate and interact with the business, and how they hold themselves accountable. Although the fundamental legal underpinnings of board governance have not changed, longstanding conventions and unwritten norms that have shaped boardroom practices and behaviors deserve to be revisited.

Recent NACD analysis reveals that directors themselves expect that their boardroom practices will need to change in the coming years. For example, a slim majority expect that in the near future the combination of the CEO and chair roles will no longer be acceptable. Almost 60 percent of directors expect that environmental, social, and governance (ESG) reporting will receive as much scrutiny as financial reporting, while more than 50 percent believe that time commitment to board service will vastly increase. Close to 40 percent believe that a sole focus on shareholders at the expense of other stakeholders will come to be considered inappropriate.

Sensing this turning point in the evolution of board governance, NACD announced last week the 2022 Future of the American Boardroom Initiative, led by a special commission that will convene a diverse, influential group of directors and notable governance practitioners from across the investor, regulatory, and academic communities. The year-long initiative will seek to discover how the prevailing governance model may be adapted, or whether a fundamental reshaping is in order, and will develop guiding principles to help boards build toward high performance in a more demanding, inclusive, and turbulent future.

Although the focus of the commission may shift throughout our meetings, we expect much of the discussion to focus on the following five areas:

1. Stakeholder interests. The expanded notion of stakeholder interests, and ultimately the definition of performance through the lens of these stakeholders, is changing how companies create, preserve, and report value. Put simply, companies cannot succeed when society fails or when the planet’s temperatures continue to rise. These issues are no longer externalities; they pose immediate financial, operational, and reputation risks. Boards must perform a delicate balancing act to account for multiple stakeholder concerns, while simultaneously addressing the expectations of shareholders for growth and long-term returns. This multi-stakeholder approach affects the board’s crucial role in establishing the right incentives for management.

2. Board operating model. The furious pace of change has put strains on traditional board operating models and processes, which may have become bottlenecks to effective oversight. Boards may need to adopt a more fluid and flexible model that maximizes the use of precious board meeting time and a structure to better oversee new and fast-changing issues. Similarly, ever-increasing expectations about the board’s role and engagement may have caused scope creep, with many boards struggling to focus deeply on mission-critical issues.

3. Board independence and management accountability. In recent years, boards have been more deeply engaged on a variety of issues such as strategy, influencing more decisions and becoming more operational. This deepened level of engagement could potentially threaten the independence of the board and its ability to hold management accountable. Simultaneously, in many boardrooms, the CEO still sets the agenda, not the board.

4. Transparency. With increasing public scrutiny of the contributions of boards, boards will need to reassess how transparent they should be about their workings, skill sets, and decisions. Currently, much board activity remains outside the view of shareholders and other stakeholders, and this confidential setting helps support deliberation and discussion. At the same time, the black box in which boards function raises concerns about their engagement and accountability.

5. Board renewal. While boards have started to make progress on diversifying their ranks, far too many boards are still reactive in aligning their skill sets and past experiences with the shifting strategic and risk priorities of the business, and do not sufficiently hold their directors accountable for individual (under)performance.

As part of this initiative, we launched a dedicated NACD resource center on the Future of the American Boardroom that includes relevant articles, guidance, and tools to help your boards engage in meaningful conversation and, where needed, take action to prepare for a more demanding future. Throughout this initiative, we will update these resources and report on the progress of our work.

As we shape our guidance, we would very much like to hear about your board transformation. What fundamental changes have you made or are you making to advance board performance? What new practices have you adopted? What norms have you challenged? Please share with me directly at

Friso van der Oord is senior vice president of content at NACD.

How Inflation Complicates the Compensation Committee’s Job

It has been a very long time since we’ve dealt with an inflationary economy. So long, in fact, that the term “inflation” may conjure memories of Jimmy Carter’s presidential administration, long lines of AMC Pacers waiting for gasoline, and double-digit mortgage rates—for those of us who go back that far. The idea that this period of inflation may be transitory isn’t much comfort to the decision-makers who are still determining their 2022 plans.

Given that most calendar-year companies approve incentive plan targets in the first quarter of the year, inflation’s impact on executive pay decisions is on the minds of most compensation committee members. Of course, inflation impacts the price of goods and services almost across the board (we are all feeling that currently), but specifically for compensation decisions, there are two main variables to consider: merit budgets (or salary increases) and incentive plan goal-setting. Let’s briefly explore some of the fundamental current challenges with each.

Merit Budgets and Salary Increases

For as long as most people can remember, merit budgets have been reliably steady at 3 percent per year at all levels in an organization. In the past, merit budgets tended to lag inflation rates early in inflationary periods. They may also have tended to be higher than was necessary in the waning days of an inflation cycle. Both tendencies can largely be blamed on time delays in incorporating external information into the decision-making process. The era of 3 percent increases is ending. In December, results from a Pearl Meyer quick poll suggested the number may exceed 4 percent. Some clients are concerned we may end the year above 4 percent if additional actions are required later in the year.

Because the current environment is challenged by inflation, as well as ongoing pandemic and labor difficulties, some management teams might see an increase to the merit budget for the broad workforce as perhaps one of the easier decisions to make this year. It’s a different story, however, for executives.

Boards have generally been more willing to increase incentive opportunities than to provide executives with significant salary increases. This is due to the bias toward performance-based compensation and can be seen in the evolution of executives’ pay mix over the past 40 years. However, incentive plans can be perceived as riskier during inflationary times—to say nothing of the other risks looming—and so higher incentive opportunities may be less valued right now than smaller salary increases.

Every now and then, someone raises the idea of a cost-of-living adjustment (or COLA) for executives. It may seem a logical extension of a COLA for the general population, but beware—it’s not. Competitive salary increases for the general workforce are important, but that standard 3 (or more) percent merit budget can usually accommodate them. COLA for executives, on the other hand, is something that investors and the public cannot understand. The perception of COLA is that it meets fundamental needs like paying rent or putting food on the table; the “need” to maintain the buying power of a $500,000 salary is not viewed in the same way.

Incentive Plan Goal-Setting

It seems as though we’ve been hoping forever that things will get back to normal so we can have greater certainty in our forecasting. While COVID-19 has created exceptional uncertainty, inflation just creates a “normal” amount of uncertainty (which we really don’t need any more of).

Logically, one would think the key is to understand how the company’s results are impacted by price changes through the supply chain and then factor in the company’s ability to pass on these additional costs through corresponding product or service price increases—a seemingly simple calculation to arrive at anticipated financial results. 

However, every item in the supply chain reflects a similar analysis, and supply chains are far more intricate than in previous inflation cycles, so it becomes hugely complex to predict what will happen. By upsetting pricing all the way along the supply chain, inflation introduces additional prediction risk when projecting future results. When compounded with typical executive incentive plan time frames, usually one- and three-year, the projections can become speculative.

Fortunately, understanding these dynamics is the chief financial officer’s responsibility. But at the board level, we need to at least understand the subtleties to develop a feel for whether any changes might be warranted to, for example, thresholds, maximums, or gatekeeper measures in any existing or future incentive plan. This is important when determining and explaining any non-GAAP (generally accepted accounting principles) or judgmental adjustments to payouts. Regarding long-term targets, changes to the mix can be made to deal with higher goal-setting risk by incorporating more time-based stock vesting or options and less performance-based stock, for example.

A complicating factor for directors approving annual goals is that inflation generally results in higher earnings growth than we normally see. When a company has been moving along at a steady, and perhaps more predictable, earnings growth rate of 5 to 8 percent, it is psychologically difficult to set a 15 percent goal. If demand stays strong as inflation increases, you may see companies overachieve during the early days of a cycle. Then, the opposite occurs as inflation cools, and taking earnings expectations back down to pre-inflation ranges becomes similarly difficult, especially for investors.

Plowing Ahead

In reviewing budget proposals this year, boards need to be more focused than ever on assumptions relative to the cost of goods sold and volume projections at higher product prices. Compensation committees may want to think about providing for potential year-end adjustments that reflect the differences between key assumptions and what actually happens. Many did this with volatile US dollar to Euro exchange rates a few years back.

Alternatively, committees might consider increasing the range from threshold to maximum to recognize that results will inevitably vary from assumptions given that the factors are harder to predict. In either case, explaining these changes both to participants and to shareholders will be critical.

Mark Rosen is a managing director and David Swinford is president and CEO of Pearl Meyer.

A Voice of Reason: BlackRock’s Newest Letter Can Help Boards Navigate Difficult Shoals in 2022

In the middle of Homer’s epic poem The Odyssey, Odysseus heads home—but he has a problem: sea monsters. “We then sailed on up the narrow strait with wailing. For on one side lay Scylla and on the other … Charybdis,” Homer writes from the featured hero’s perspective.

The sailors must progress carefully because a turn too far to the right or left will mean certain death from either a six-headed beast or a whirlpool.

Today’s corporate leaders, faced with numerous dilemmas as they strive to create long-term corporate value, must feel a kinship with Odysseus. But leaders should not fear: good advice on how to navigate the difficult shoals of the modern era comes in the latest annual letter from Larry Fink, CEO of BlackRock, the world’s largest asset manager with more than $10 trillion in assets under management.

This most recent letter is the longest that Fink has ever written in the ten years that he has been reaching out to the CEOs of firms with shares held by BlackRock funds. Fink’s first CEO letter, which debuted in 2012 at under 500 words, simply introduced CEOs to BlackRock’s “value-focused” approach to corporate governance. Since then, Fink’s letters have grown in length and complexity. (For a review of past themes, see this summary from NACD senior vice president Friso van der Oord, who wrote about Fink’s letter last year.)

Fink’s 2022 letter, at more than 3,000 words, covers five main topics and related dilemmas: company purpose, human capital, financial capital, decarbonization, and participative proxy voting. In each area, Fink steers a middle course, discouraging CEOs and boards from either-or thinking, as exemplified by the following questions: What is our purpose? Should we focus entirely on short-term profitability, or should we heed concerns raised by all our stakeholders? What about talent drain? Should we invest heavily in technology, neglecting human capital, or should we put all available funds into our payroll? And what about funding? Should we try to generate as much capital as we can from operations, or should we max out on external financing? Regarding energy, should we embrace alternative fuels and cut all ties with fossil fuels, or should we stay with oil, coal, or gas as a necessary evil? At proxy time, should we ignore smaller shareholder complaints or bend our company’s goals to please the maximum number of owners? Of course, none of these extreme alternatives is correct; each could have monstrously bad consequences.

As for company purpose, Fink warns against a focus on either short-term profits or stakeholder appeasement. While he acknowledges that “the fair pursuit of profit is still what animates markets,” he also notes that only “long-term profitability is the measure by which markets will ultimately determine your company’s success.” Veering too far in the direction of all stakeholders also holds peril: “Political activists, or the media, may politicize things your company does,” he warns. “They may hijack your brand to advance their own agendas.” The middle course is holding company purpose as a “north star.” Stakeholders do not need CEOs to opine on every issue of the day, says Fink, “but they do need to know where we stand on the societal issues intrinsic to our companies’ long-term success.” 

Also eminently middle-of-the-road are Fink’s comments on energy. He announces that although BlackRock has a net-zero emissions goal, the investment firm will not divest all fossil fuels. Fink explains why: “The transition to net zero is already uneven with different parts of the global economy moving at different speeds. It will not happen overnight,” says Fink. He notes that traditional fossil fuels such as natural gas will play a key role both for power generation and heating in some parts of the world. In short, “We need to pass through shades of brown to shades of green.”  

This kind of middle-course, hopeful thinking is exactly the mindset that directors need to adopt in 2022 and beyond as they journey to the ultimate destination of long-term company value. Safe travels!

Alexandra R. Lajoux is NACD chief knowledge officer emeritus. In addition to studying business at Loyola University in Maryland, she studied The Odyssey and other classics at Princeton University with the late Robert Fagles.
