SEC Cyber-Risk Governance and Its Boardroom Business Resilience Implications

Earlier this year the US Securities and Exchange Commission (SEC) released proposed cybersecurity disclosure rules to advance risk management and governance regarding cyber risk. To quote the SEC, “The Securities and Exchange Commission… is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.”

These recent developments heighten attention to the management and disclosure of cyber risks and incidents by public companies. They also underscore the importance of advancing risk management and governance efforts across the boardroom community that ensure resources and investments are applied to those cyber risks that have the most material financial, business, and operational impact. 

The sections below discuss recent SEC developments and what they mean for board directors, ways companies can prepare while they wait for the specifics of the expected SEC cybersecurity rule, and how companies can contextualize cyber risks and incidents with business, financial, and operational impact.

Focus on Resilience and Financially Aligned Cyber-Risk Investments

As cyber threats advance, companies worldwide are bolstering their cybersecurity budgets. Meanwhile the regulatory community, including the SEC, is advancing new requirements for companies to effectively manage and govern cyber risk. For companies, this requires significant investments to reduce cyber risk while maintaining a compliant cybersecurity program. Given the rate of cyber losses, it is more critical than ever that clear and effective strategies are established to counteract the impacts of cyber risk. Clarifying cyber-risk engagement in the boardroom is the first step.

Effective communication is a cornerstone of positive outcomes in business. Developing a common language for discussing the complex issues of cyber risk is essential to achieving business resilience. This requires simplifying confusing, technical discussions loaded with nuanced security terms into precise economic analysis that shows how cyberattacks endanger organizations financially in the short and long term.

Building resiliency in an organization requires proper oversight from the boardroom based on a clear plan built on business and economic analysis. Industries such as insurance are basing cyber-risk evaluations in their underwriting standards on established and understandable financial exposure analyses. In doing so, insurance industry players are shifting the cyber conversation from a highly technical and ambiguous security one to one where businesses can understand and effectively manage their financial exposure in relatable business terms. If financial exposures from cyber threats are clear, boards will find it easier to align cybersecurity strategies with economic cyber-risk metrics.

Developing the organization’s cyber-risk appetite levels in financial terms, based on its unique risk profile, and defining effective remediation and mitigation steps to reduce financial exposure are important initial steps when planning for cyber resiliency. Boards should keep certain items on the cyber resiliency agenda in their discussions with management. On an ongoing basis, the board should keep abreast of how management uses return-on-investment analysis to align the cybersecurity budget to financial exposure reduction. So, too, should boards oversee the steps that are taken to practically implement the cybersecurity strategy.

When formulating their companies’ cyber resiliency plans, boards would do well to ask management questions such as the following:

- What is our financial exposure to cyber threats?
- What cyber threats are most likely to have a major financial impact on our business?
- How much financial exposure are we willing to accept across our enterprise and digital supplier ecosystem?
- How can we align our budget, implement controls, and optimize risk transfers to address our cyber-risk exposure?
- Are our digital initiatives being developed in a cyber-resilient way?

Board Level Governance and Risk Management Disclosure

As per the proposed SEC cyber rules, companies are now required to disclose the substance and nature of board oversight of a registrant’s cyber risk, the inclusion and exclusion of management from the oversight of cyber risks, and how the implementation of related policies, procedures, and strategies impacts an investor’s ability to understand how a registrant prepares for, prevents, or responds to cybersecurity incidents. Moreover, companies are required to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies. Specifically, where pertinent to board oversight, registrants are required to disclose:

- whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks,
- the processes by which the board is informed about cyber risks, and the frequency of its discussions on this topic, and
- whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.

Formulating and implementing cyber resiliency plans, focusing on aligning these plans with financial exposures, and understanding how the board and management effectively oversee cyber risk and can improve will help any board prepare for SEC rules likely to come.

Chris Hetner served as the senior cybersecurity advisor to SEC chairs White and Clayton and currently is a senior advisor at The Chertoff Group, a special advisor for cyber risk at NACD, and a member of the NASDAQ Center for Board Excellence Insights Council.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Increasing Geopolitical Risks Raise Disclosure Issues

Over the past two years, public companies in the United States have faced an unpredictable risk environment. Two geopolitical crises—the COVID-19 pandemic and the Russian invasion of Ukraine—strained international supply chains and destabilized financial markets. It is tempting to view these events as temporary departures from the stable climate for international commerce of the past 75 years. There are reasonable grounds for that position. After all, COVID-19 was the first global pandemic since 1918, and the conflict in Ukraine marks the first large-scale conventional conflict in Europe since World War II. Geopolitical instability, however, may be the new normal. Companies must therefore consider how the resulting risks from such events impact them, and for public companies, whether and how to disclose such information to shareholders.

As these events have unfolded, the US Securities and Exchange Commission (SEC) has provided guidance in various forms as to what it expects in terms of disclosure by building on already existing requirements in the SEC’s Regulation S-K. Specifically, the SEC issued nonbinding guidance on COVID-19–related disclosures and later issued a sample letter focused on the conflict in Ukraine. Turning first to the 2020 pandemic guidance, the SEC staff identified a detailed list of COVID-19–related factors for issuers to examine in drafting future disclosures, including the following:

- the impact of the pandemic on current and future operations;
- the impact on capital and financial resources;
- any material impairments on an issuer’s financial statements;
- COVID-19–related impacts on business continuity plans; and
- disruptions in supply chains and the methods for distributing products.

On May 3, 2022, the SEC issued the sample letter, and directly addressed the nexus between the Russia-Ukraine conflict and Regulation S-K. The sample letter informed issuers that the Ukraine conflict may trigger disclosure obligations for any “direct or indirect impact[s]” on operations, liquidity, supply chain, or assets, and advised issuers to specifically examine risks related to cybersecurity, supply chain integrity, and commodity price volatility. The SEC also advised companies to carefully review their sanctions compliance function. In addition, the sample letter paid particular attention to the role of the board of directors, emphasizing that companies should disclose the role of the board in “overseeing risks related to” the conflict. And, perhaps most significantly, the SEC placed increased focus on supply chain risk: the sample letter indicated that in future regulatory investigations, issuers could anticipate questions about whether supply chain risks flowing from Ukraine were adequately disclosed, and whether issuers undertook or considered efforts to “deglobalize” their supply chains.

Collectively the pandemic guidance and the sample letter provide issuers with the best available template for complying with SEC rules and regulations in the event that other potential disruption creates geopolitical instability. In particular, and just by way of example, issuers should consider the potential downstream risks of geopolitical tension between the People’s Republic of China (mainland China) and the Republic of China (Taiwan). In recent years, tensions between China and Taiwan—always high—have escalated, with the military and civilian leadership of both countries openly contemplating the outbreak of hostilities, and China acknowledging its intent to develop the military capabilities necessary to mount a full-scale invasion.

For issuers that depend on global supply chains, the potential impacts of a conflict between Taiwan and China are highly relevant, and, in light of the SEC’s pandemic guidance and sample letter, may require disclosure to investors. For example, even if the United States were to remain neutral, domestic issuers would still likely lose access to Taiwan and to all ports in China because both China and Taiwan have submarine and anti-ship missile capabilities sufficient to reach any commercial vessels that transit the area. The loss of access to Taiwan would, in turn, effectively eliminate the ability of domestic companies to manufacture products that rely on semiconductors, while the inability to access Chinese ports and exporters would create massive disruption for retailers, manufacturers, and other industries that rely on China for finished goods and raw materials.

To that point, several issuers already identify and disclose the risk of a conflict in the Taiwan Strait to their shareholders. Best Buy, for example, disclosed in its most recent 10-K filed on Mar. 18, 2022, that “further deterioration between Taiwan and China” could disrupt the manufacture of “hardware components in the region.” Similarly, Gravity Co. filed a Form 20-F on Apr. 28, 2022, that noted “a significant percentage of… revenue” came from customers in Taiwan, and therefore “an increase in tensions between Taiwan and China and the possibility of instability and uncertainty” could affect customer demand and the business in general. And Micron Technology, in its Mar. 30, 2022, Form 10-Q, disclosed “political and economic instability, including the effects of disputes between China and Taiwan” as a risk to international sales and operations.

Of course, we hope that all of the issues discussed above—the COVID-19 pandemic, Russia’s invasion of Ukraine, and the increasing tension in the relationship between China and Taiwan—come to an end. We also hope that the world is not entering into a period of more frequent and severe events causing geopolitical instability. Nonetheless, as issuers deal with a global environment that generates greater risks, companies that apply the SEC’s pandemic guidance and sample letter to their finances, supply chains, and operations during a crisis are more likely to issue disclosures that satisfy shareholders, avoid private civil litigation or reduce the likelihood that such litigation is successful, and withstand potential SEC scrutiny.

Richard Zelichov is a partner and Trevor T. Garmey is an associate at Katten Muchin Rosenman.

Leading an Effective CEO Transition: It’s a Journey, Not an Event

Having just gone through a CEO transition at Pearl Meyer, I have spent some time reflecting on the outcome as well as what we learned organizationally and as individuals throughout the process. While we have guided numerous clients through the same exercise, I am more keenly aware than ever that leadership transition is an ongoing process and every company is on this journey—whether deliberately or not. It is important for boards and CEOs to acknowledge that they will learn lessons along the way and need to have a plan for incorporating those lessons into their teams’ leadership development.

Here’s what we learned from our own journey:

1. You can’t start too early. We stress this with clients and our experience reinforces this number-one lesson. There is much to do, consider, and prepare for. It’s too important to “wing it” or short-change the process.

2. Objectivity is imperative. This goes for outlining the candidates’ strengths and growth areas, creating opportunities to improve any detrimental weaknesses, and assessing the outcomes of their development plans.

3. Coaching is a must. Few organizations, in my experience, appreciate the value of executive coaches. They are absolutely key to both effective development and a successful transition.

4. Get everyone on board. Having broad support for the new leader once a choice is made leads to a smooth transition. The alternative is simply abrupt change.

Plan Ahead

I believe that you can’t start developing successors too soon. We have frequently advised clients that the moment somebody assumes the top job, they—and the board—need to be thinking about what’s necessary for someone else to succeed them. The development of a successful CEO can take a very long time.

However, you can definitely name a successor too soon. They often become frustrated with the passage of time. Companies lose great succession candidates to becoming CEOs of other companies because they grow impatient. So, while you can’t start developing too soon, you can definitely pick one too soon.

And you know what they say about the best laid plans. Often you set out on a particular journey, only to find that adjustments must be made along the way. Plan to course-correct.

Cultivate Objectivity and Bring in the Coaches

A key lesson learned for me in being part of the process, rather than advising on the process, is that an organization can’t do its best job at succession planning alone.

Self-assessments or individually managed development is usually not enough. Even the most self-aware candidates don’t automatically know exactly what their strengths and weaknesses are, as seen by others. It’s especially difficult to have a clear picture of the “soft” things they need to do to be successful in leading others. And the perspectives of the board and the CEO in creating a short list and analyzing those candidates can be helpful, but may also prove to be too subjective or not fully accurate.

This is where organizational development experts can offer the outsider’s view and help the organization define the ideal profile for the next CEO and then work with candidates to clearly understand their current strengths and challenges with respect to that profile. Converting this assessment into multi-year development plans helps focus the candidates on how they need to develop and what they need to do to demonstrate that they are ready for the next step in their careers and up the ladder.

An outside advisor can help the organization structure learning opportunities that are appropriate to each candidate and beneficial to the full group, such as moving high potentials into positions that offer a chance to lead new teams and perhaps stretch the candidates’ comfort levels or creating an opportunity for the group of candidates to work together on strategic projects and strengthen their relationships as a leadership team. We took both of these development actions; however, I did not appreciate at first that my style of mentoring and developing people did not necessarily help each candidate maximize their learning opportunities. If I had a do-over, I would bring in outside assessment and coaching sooner.

Long term, the most effective leadership development comes about when it is structured in a way that is tailored for each of those candidates as individuals and is not unduly clouded by the relationship and experiences those individuals and the sitting CEO have developed. Finally, it is important for the board to get an impartial assessment of candidates because their impressions of the people they know, possibly on a limited basis, have been formed over a long period of time. In that context, it’s not always clear how a candidate may have grown or how they might perform in a different role.

It’s my experience that relatively few organizations appreciate the value of executive coaches. In the past, if some in the boardroom heard that the CEO asked for or needed a coach, it was likely viewed as evidence of some inadequacy. However, we may be entering a new era of business culture. New attention to issues such as diversity, equity, and inclusion indicates that this kind of change is quite possible, and, of course, beneficial. Ongoing coaching is a very effective tool, providing the CEO with an objective and, very importantly, external sounding board and giving directors additional assurance that the transition will be successful.

Create Unity

In the spirit of absorbing and implementing lessons learned, a big part of our own transition has been to provide post-selection coaching to the new CEO and to the other senior members of the management team. This provides continuity for the strong leadership development plans in place, as well as helps everyone adjust to their new relationships. It is a simple fact that when you promote from within, all relationships change and there must be adjustment to new ways of doing things and new ways of working together. Accounting for—or ignoring—this important aspect of the transition can be the critical, make-it-or-break-it point. Carefully planned, but open and forthright, communication throughout the company about the change sets the right stage.

In our case, the end result from an organizational perspective is that there absolutely is a great deal of change happening, but the change feels purposeful and evolutionary. Naturally, every company will experience changes in leadership style with every transition. One leader may be more intuitive and the next more analytical, but there is continuity in our values and especially in our culture, and I see strong energy and enthusiasm in our firm.

This is what I want for our clients. And thankfully, the renewed energy isn’t just internal. As our business evolves to meet the growing responsibilities of our clients, I am seeing an expansion of ideas and creativity among our consulting teams that will help all of us involved in compensation and the broader issues of workplace change and human capital management tackle some very real challenges—ongoing succession planning being at the forefront.

David Swinford is the chair at Pearl Meyer.

How Cybersecurity Experts Are Tackling Proposed SEC Rules, Working From Home, and More

The data security landscape is ever changing, and boards need to prepare themselves for future threats. To discuss insights into the challenges of overseeing cybersecurity and constant new threats, NACD, in partnership with Baker McKenzie, EY, and Optiv, brought together panelists Robyn Bew, west region leader of EY’s Center for Board Matters; Joanna Burkey, chief information security officer (CISO) at HP, Inc.; Jerry Perullo, founder of Adversarial Risk Management and former CISO at IntercontinentalExchange; James Turgal, vice president at Optiv; and Cyrus Vance, partner at Baker McKenzie. Greg Griffith, NACD senior director of partnerships and corporate development, moderated the event. Below are key questions and answers from that conversation.

What are some baseline steps you find [yourself] advising your clients to take over and over to enhance cybersecurity resilience?

Cyrus Vance: I think you have to be looking at the whole continuum of risk. It means getting a lawyer involved early in the process so that some of these investigative steps can be done with the direction of counsel, which gives the company flexibility as it goes through all these other steps along the continuum to determine what information becomes public and what information does not become public. Make sure that your board has looked at your company, has looked at its resiliency, has a game plan for when the day happens that you don’t want to happen so that there’s no confusion about who gets called.… Look at everybody who’s in the action chain in the aftermath of cyber events—the CEO, CISO, lawyers, consultants, all of that. You probably already are doing what needs to be tested before an event happens so that you are not caught out when it happens. Make sure that your leadership around cyber is steady… [and that] the communications personnel are also in the loop before anything happens. We’ve all been through crises in business. I certainly have. I think one of the most important things is to have executive leadership [that] knows how to lead through a crisis without everyone feeling scared about what they’re doing and how they’re doing.

What advice would you give to yourself or to boards or board members?

Joanna Burkey: I can’t agree emphatically enough with the need for preparedness. It’s important to think about not only being prepared so you know what to do, but also [so that] people know what they do not need to do when the time comes, especially with a cyber incident because there can be so much panic, and there’s so much unknown around it. I’ve noticed the tendency for a lot of the senior executives and board members to immediately think, Oh my gosh, I’ve got to do something. Not necessarily. Ideally, your preparation is very much predicated on getting a comfort level where they know who’s going to do what, and at least that aspect of the panic can be tamped down a little bit.… My piece of advice there is [that cybersecurity] is just another element of business. It can be a risk. It can also be an opportunity. What it means to the enterprise is very much determined by the type of enterprise you are, who you want to be, what makes your company special. Is it the [intellectual property], is it your mobile operations that make you special? What is your cyber maturity? And what’s your value proposition as an enterprise? Once you look at those three things, you as a board director don’t need to have in-depth, technical knowledge about cybersecurity. You just need to know it’s a strategic element of doing business. As long as you have somebody who is overseeing it for your enterprise, you have confidence that that’s the right somebody, you know that they have a plan, and you as a director have oversight as to whether their plan is appropriately resourced, then it’s just another business element.

What are you hearing from your clients about the proposed US Securities and Exchange Commission (SEC) rule changes and what do you advise?

Robyn Bew: Obviously there’s a lot of attention from directors on the component of the rule regarding disclosure around board expertise.… To date, we’re not seeing a lot of boards and nominating and governance committees immediately ripping up and redoing their skills matrix; board composition and recruiting take time. But boards are starting to discuss how they’re going to tell their story about the way that cyber knowledge and expertise is getting into the boardroom. That might include the skills of one or more individual directors, it might be briefings that the board receives from law enforcement or from external advisors, and so on. The other thing we’re seeing, and this is true for really any proposed SEC rule, is boards engaging with management teams and asking the questions, “If the rule was enacted as written, where are we with our ability to comply? Are we pretty close? Or what’s the gap? […] Do we need to revisit our definition of materiality? What about our escalation protocols? If there’s going to be a four-day clock that starts ticking [to report a cyber incident after the company has determined it is material], how prepared would we be?”

What can board members do to diminish the risk of successful critical infrastructure attacks?

James Turgal: The [Federal Bureau of Investigation (FBI)] has led a bunch of different initiatives. It’s all [about] the public-private partnership. You got the Information Sharing and Analysis Center, ISAC, out there.… What [Vance] is talking about is this ability for organizations within a particular industry, within a particular vertical to share information. One of the things that the FBI tried to do, and I don’t think they did it very well in the early days of cybersecurity, but excel at it today, is to be able to drive that sharing mechanism, which they really need to do…. But when companies don’t throw up the flag and say, “Oh my god, we’re in the middle of an attack,” we can’t tie the attackers to the breadth of victims we have all talked about. There’s a real need to force that kind of conversation, but also force the conversation within your industries. Where is your local ISAC? Do you know your local FBI field office cyber supervisor? Your CISO and [chief information officer] should have a speed dial to those guys because every city has one. The entire world is covered by the FBI from a cyber aspect. Knowing about the ISACs and [being] able to share that intelligence will also help keep you safe.

How are you handling the risk of working from home?

Jerry Perullo: If we had our intellectual property stolen, revealed on Twitter, how impactful would that be for us? There need to be some frank discussions to say, “That would be a bad day, but we can manage it.” That’s not our top risk. Sabotage, on the other hand, we can’t afford to be offline for more than, well, everybody’s going to say five minutes. But what’s real? Maybe it’s actually five days. You need to go through that process and you need to do that first because when you identify these threat objectives—and that’s things like extortion, sabotage, [data] theft—when you go through those and figure out what’s our mission for cybersecurity, then that adds a vocabulary for everything from that day forward. When you’re hearing about an investment, say, “Okay, how does that affect what we decided early on as our marching orders?”

With home computing, [companies will] talk about, “What’s our latest [security] software? We’re going to deploy it on all of our laptops to secure them.” But if you ask the question of how many of our employees are actually using our laptops [versus home computers], there are a lot of people that are completely operating outside of the environment. You need to look through your cybersecurity leadership for people who are just looking [to say], “When something happens, I want to be able to prove it wasn’t my fault.” That’s not what you want. You want something like that to not happen. You don’t want people to put their head in the sand or have a policy that says everyone’s going to use our equipment and now only worry about that. People are violating policy and we need to meet them where they are, because you really just want to not have an incident.

Plastic and Recyclability Litigation: Best Practices to Minimize Risk

With a growing trend toward taking more ESG measures, some companies are at risk of lawsuits from consumers involving plastic packaging. Here are some best practices boards should know about to mitigate the risk of litigation.

In a recent trend, citizen advocates and environmental groups have been filing lawsuits asserting novel theories against major companies that use or rely on plastic, even if the companies do not produce plastic products or are not involved in the disposal of plastic products. The disruptive increase in plastic-related environmental, social, and governance (ESG) litigation is poised to affect companies in virtually all industries—including technology, manufacturing, food, retail, and transportation—because environmental organizations are targeting companies that use plastic anywhere in their supply chains. Boards of directors need to be aware of the very real risk that their companies can become targets of lawsuits, even if the companies’ use of plastic is ancillary to their actual business. The steep increase in lawsuits against companies suggests that recyclability and other plastics-related litigation is only going to continue to increase and may even reach the proportions of asbestos, tobacco, or opioid litigation. Below, we summarize recent developments and provide advice on what directors can do to mitigate the litigation risk posed by such claims.

For the last few years, plaintiffs have used consumer protection laws to pursue environmental claims against companies that use plastic packaging for their products, alleging that the companies misrepresent the environmental impact or the recyclability of such packaging. Even companies dealing only at a very attenuated level with plastic have been the subject of such lawsuits, such as pharmacies (for their use of reusable plastic grocery bags) and cargo and freight companies (for packaging and shipping plastic material that supposedly pollutes local environments). Plaintiffs have also claimed that, even if a product technically can be recycled, references to recyclability are false—or at least misleading—because the plastic recycling process is often ineffective, a fact of which the consumer products industry is well aware while average consumers are not. This was the plaintiffs’ argument in Smith v. Keurig Green Mountain, Inc., which arose out of Keurig’s sale of disposable coffee pods, some of which were labelled “recyclable.” Plaintiffs alleged that, although the pods were capable of being recycled, they were not recyclable in a practical way because municipal recycling facilities were unable to separate small materials like the Keurig pods. In February 2022, Keurig and the plaintiffs entered into a $10 million settlement by which Keurig agreed that it would refrain from labelling its pods as or otherwise claiming that its pods are recyclable absent qualifying language.

The upward trend in lawsuits based on recyclability is likely to continue. In 2021, California Governor Gavin Newsom signed Senate Bill 343 (SB 343), which prohibits the use of symbols or other claims suggesting recyclability, including the chasing arrows symbol, on any product or packaging that fails to meet strict recyclability criteria. Penalties may be imposed for violations. The latest reforms under SB 343 could result in investigations by government entities, including the California attorney general, and consumer groups. Other states have started to enact similar legislation, including Illinois, Oregon, Connecticut, Maine, Hawaii, and Maryland, among others.

Best Preventative Practices

In light of these trends, corporate boards should take steps to reduce the risk of ESG litigation in connection with their companies’ plastic recyclability labelling and use of plastics within their supply chains, including by doing the following:

Prompt management to oversee or assign oversight of the use of recyclability labelling on all products, including product packaging. Increase accountability for any misalignment in representations or other statements regarding recyclability and the recyclability criteria in the jurisdictions in which the product is sold or distributed.

Review all corporate ESG statements at the board level. Maintain communication with management to ensure that both formal and informal statements (including investor communications) with aspirational language cannot be misconstrued as false or misleading. Any public statement or disclosure can create the risk of liability and should be carefully vetted.

Stay updated on evolving legislation in this area, such as California SB 343. Given current trends, similar legislation may arise in various other jurisdictions, so it is important to be prepared and keep abreast of the impact of the changing legal landscape. Consider evolving definitions of what is “recyclable.”

As the volume of plastic-related lawsuits against businesses continues to increase, it is growing more important for boards to become involved in overseeing and helping mitigate the litigation risks that have arisen or may arise in the future.

Mark Goodman is a partner and Christina M. Wong is an associate at Baker McKenzie. Summer Associate Michelle Leonard, a juris doctorate candidate at the UCLA School of Law, also contributed to this article.

Talent Remains a Top Concern for Boards Ahead of Growing Inflation, New Report Finds

NACD released findings from the 2022 NACD Public Company Board Practices and Oversight Survey in late June. Despite many pressing economic and political challenges, the competition for talent remains at the top of many directors’ lists of key trends for the next 12 months.

The increased competition for talent tops the list of issues of concern for responding public company directors for the second year in a row while the next two highest-ranking issues, “growing inflation” and the “uncertain pace of the economic recovery,” highlight growing economic concerns.

“Each year, our Board Practices and Oversight Survey reveals trends that are driving public company directors,” said NACD president and CEO Peter R. Gleason. “The changes companies have endured this year have had broad impacts on board members. The disruption in the workplace has created pressure on management, which has resulted in more time and oversight required from boards.”

Below are other key trends from the 2022 Public Company Board Practices and Oversight Survey.

Boards get organized and formalize their oversight of human capital. Human capital is a growing point of focus on the boardroom agenda, and many boards have begun to formalize their governance structure, processes, and practices to oversee this critical asset. For example, a majority of boards now discuss an enterprise-wide talent development strategy (68 percent, according to survey respondents) and a majority of respondents indicate that their boards discuss human capital strategy on a more regular basis as a recurring agenda item (57%).

These discussions are perhaps a precursor to more targeted practices adopted by leading boards, such as delegating human capital oversight to relevant committees (43 percent of respondents’ boards do this) or communicating reporting expectations to management (45%). Human capital oversight is most likely to find its home in the compensation committee (57%), which is increasingly being transformed into a human capital committee with oversight over a much broader array of talent-related concerns.

Faced with increasing cyber risk, directors warm to the idea of adding a cybersecurity-savvy director to their boards. Eighty-three percent of respondents indicate that their boards’ understanding of cyber risk has significantly improved compared with two years ago. Yet, amid the growing speed and sophistication of cyber threats, as well as the increased scrutiny of regulators, directors increasingly see a benefit in adding a cybersecurity-savvy director. Forty-two percent of respondents indicate that recruiting a cybersecurity-savvy director would benefit their boards, compared to 36 percent of public company respondents saying the same last year.

Environmental, social, and governance (ESG) oversight is forming and norming at most boards, yet challenges remain. This includes efforts to improve board reporting (70 percent of respondents say that their boards are doing this) and delegating ESG oversight tasks to specific committees (64%). Yet, developing clear ESG priorities presents a major barrier for boards and management teams. Forty-four percent of directors indicate that the lack of uniform disclosure standards presents the greatest challenge to the oversight of ESG issues. Feeling the pain of their management teams, boards find themselves grappling with defining what the E, the S, and the G mean for their companies. Respondents indicate that defining scope (23%) and materiality (9%) are among the most challenging aspects of ESG oversight.

Most directors indicate improvement in their boards’ understanding of diversity, equity, and inclusion (DE&I) issues. Nearly 3 in 4 boards (74%) now receive key DE&I metrics from management and 69 percent hold discussions on their organizations’ DE&I priorities. These practices enhance the understanding many boards have of DE&I within their organizations, but much work remains. Fifty-eight percent of respondents indicate that their boards’ understanding of DE&I issues has significantly improved compared to two years ago when the social justice movement, sparked by the murder of George Floyd, intensified rising societal and investor expectations. Similarly, 59 percent of respondents agree that their boards understand how DE&I is connected to other board issues such as strategy, human capital, and technology. But only 29 percent of respondents have moved beyond traditional human capital issues to discuss DE&I issues in relation to vendor selection, supply chains, and corporate purpose.

Discussion of climate change has increased at most public company boards. Fifty-four percent of public company respondents indicate that the frequency of climate change discussions increased on the board agenda in the last two years. For 37 percent of those indicating discussions have increased, the main factor prompting increased discussion was the perceived relevance of climate change to the long-term growth prospects of the business. Twenty-five percent stated that disclosure requirements were the primary driver. As director awareness of issues related to climate change increases, and as it is figured into more board discussions, it is likely to become more of a key consideration in strategy, risk management, executive pay, accounting, and reporting of performance.

Quality of board discussions is seen as the most important driver of board performance. More than half of public company directors (57%) rate the quality of board discussions as the most observable indication of board performance. Quality input from management was the most widely selected key driver of exceptional board performance, identified by 59 percent of respondents.

While boards are growing more accustomed to discussions about less traditional areas of focus and are modifying board operations, structures, and agendas to meet this new reality, they’ll be keeping their eyes on the competition for talent, growing inflation, economic recovery, increasing pace of digital transformation, and changing cybersecurity threats in the year ahead.

Practicing Responsible Climate Policy Engagement in 2022

The 2022 proxy season was another record-breaking year for climate-related shareholder proposals. Shareholders filed 227 proposals, a 51 percent increase from last year, but they also withdrew a record number of proposals after winning commitments from their portfolio companies.

Among those withdrawals were six shareholder proposals that called for companies to report on the alignment of lobbying with the Paris Agreement, underscoring the growing movement among investors looking for insight into whether businesses’ climate lobbying is in step with their climate commitments.

Against this backdrop of successful shareholder and portfolio company engagements, Ceres is refreshing its benchmark assessment of the S&P 100 companies’ engagement on climate policy. A significant majority of companies publicly acknowledge climate-related material risks, and a large majority have governing systems in place for boards to oversee company climate strategy and risk management. Additionally, an even larger majority of companies are setting individual emissions reduction targets.

Responsible Policy Engagement

However, for most of the companies that Ceres has assessed, the persistent misalignment of public commitments and internal climate strategy with public advocacy efforts that work against effective climate policy continues.

When trade associations lobby successfully against regulatory and legislative frameworks, as was the case this year with the defeat of the US House of Representatives-backed Build Back Better proposal, the absence of a level playing field can serve to undermine a company’s climate strategy and amplify risks or negate opportunities. The climate proposals of that earlier, broader bill are still in play and the focus of negotiations in the US Senate while some funding for it remains the focus of trade associations’ lobbying. To address the risks introduced by lobbying misalignment and the increasing focus by investors on that misalignment, there are a few key steps boards can take.

Boards should begin by assessing the impact of climate change on their companies, including the impact of lobbying against climate policy. A cross-functional materiality assessment should be prepared by management and presented to the board for evaluation, ideally by the company’s sustainability team.

Management should conduct internal assessments of direct and indirect lobbying positions on climate policy, also for evaluation by the board. It is often effective for board oversight of climate risk to be organized within a specific climate risk committee or other standing committees. The board committee should work closely with management on climate risk assessments which can then be presented to the full board.

Boards should govern to systematize decision-making on climate risk throughout the organization and on lobbying. This means integrating climate risk analysis and decisions across functions and departments throughout the organization, and likely may include centralizing reporting. It also means that the process of oversight of decision-making by the board should be part of the regular board reporting cycle.

We believe that boards should act to align direct and indirect lobbying with science-based climate policies. The connection between internal climate strategy and external lobbying activity should be clear, fully evaluated by the board and misalignment identified and corrected by management. If lobbying activity is deemed appropriate and necessary, boards should require lobbying directly for Paris-aligned climate policies and expect management to engage with trade associations to align lobbying with climate science.

Ensuring Alignment

The role of the board within responsible policy engagement should begin by clearly defining the difference between the role of the board and that of management. It is the responsibility of management to develop strategies and tactics to ensure the short- and long-term success of the business across its stakeholders. It is also the responsibility of the board to represent the fiduciary interests of stakeholders and to hold management accountable for the successful execution of business strategy, but it is not the responsibility of the board to run the day-to-day operations of a company.

With respect to responsible policy engagement, it is the role of the board to exercise oversight of the lobbying activity of the company and ensure its alignment with company strategy. In the case of trade associations that have lobbied against effective climate policy and regulatory frameworks, it is the role of the board to require communication by management of lobbying misalignment and hold management accountable for the correction of misalignment in support of the success of the company’s climate strategy and mitigation of climate risk.

Yamika Ketu is an associate with the Ceres Accelerator for Sustainable Capital Markets. Todd Miller is the governance manager for the Ceres Accelerator for Sustainable Capital Markets.

Better Succession Planning Starts with Knowing Your CEO

The average age of CEOs within the S&P 500 is nearly 60. As the average age of CEOs rises, the average CEO tenure is growing shorter, to about 6.9 years. In this environment, your organization will likely look soon for a replacement, as will many other companies. Are you ready?

Understandably, many companies have been preoccupied with the major economic disruption in the market and may not have invested the time or leveraged the expertise of their board members to focus on effective CEO succession planning.

If you’re not thinking about this topic now, though, you may be in need of a wake-up call, especially in today’s competitive labor market. All signs point to a hiring desert for companies that are unprepared. Some companies are late to the game—but it’s not too late. Boards can act now to ensure their plans are ready to meet the challenges of the future.

Get to Know Your CEO and Plan

The best medicine for healthier succession planning is garnering a deep understanding of what your company needs in a CEO, and that means really getting to know your current CEO and engaging in robust business scenario planning with the CEO and executive team.

Data suggest that many boards of directors are unprepared for engaging in the process of CEO development and succession. A study by The Rock Center for Corporate Governance at Stanford University and Heidrick & Struggles found that only 51 percent of boards can identify their internal successor CEO. Thirty-nine percent say they have zero internal candidates. This isn’t surprising given that when boards do meet to discuss succession planning, they on average only spend 1.14 hours on the topic, according to a separate study by The Rock Center and the Institute of Executive Development.

Robust business scenario planning and CEO succession planning go hand in hand: you can’t have one without the other. Knowing the expected trajectory of the business is a critical ingredient to properly planning for CEO succession. 

Being actively involved and engaged in business scenario planning and fully understanding the CEO role critically informs succession planning and ultimately the hiring qualifications of a new CEO. It’s not enough for one or two board members to be immersed, either. Every board member needs to be deeply engaged, applying unique expertise and perspectives to collaborate with the CEO. To know your next CEO is to know your business.

Consider the Impact of a CEO’s Strengths and Weaknesses on the Entire Leadership Team

Another benefit of being actively engaged in scenario and succession planning as a board is that it gives insight into a current CEO’s strengths and weaknesses, and how those characteristics can impact the entire leadership ecosystem. Of course, a key responsibility of the board is holding the CEO accountable, but beyond that, effectively managing a CEO’s performance provides a window into the dynamics of the entire leadership team.

Established plans for accountability, regular engagement with and feedback to the CEO, and regular performance reviews should be standard practice; if they are lacking, consider incorporating them. The enterprise’s performance will likely benefit, and the board will become keenly aware of characteristics they value in the current CEO and would like to see mirrored in future candidates. Trusted relationships with directors and candid conversations are oftentimes the miracle elixir of success. Through this process, blind spots will become evident. Then the board will move to fill these either through thoughtful CEO succession planning or influencing key complementary hires on the leadership team surrounding the CEO.

Additionally, thoughtful accountability plans and performance reviews can highlight systemic problems early and, if need be, accelerate succession planning action. Likewise, a current CEO’s strengths can help boards think about the positive characteristics they not only value in the role but also how that should cascade through the organization—and be present in the next CEO.

Use Scenario Planning to Inform the Succession Plan

An organization in 5 or 10 years’ time won’t look the same as today, and neither, probably, should its top executive. The board must understand where the organization is going to determine the type of CEO and level of expertise it will need down the road. Is the business in a growth phase? Planning for an acquisition or a divestiture? Is the market eroding? Are all stakeholders being managed?

Just as scenario planning helps businesses prepare for a variety of market scenarios or disruptors, it is also a critical input to boards to consider the different profiles of CEOs they might need to address those same conditions. The characteristics that make an excellent growth CEO may not be the same as those that make an excellent crisis CEO, after all. Boards should consider tailored succession plans and CEO profiles that align to each of their companies’ critical scenario plans.

Putting the Pieces Together to Yield Strategic Succession Planning

Once a board is aligned on what the next CEO should look like, it can turn its attention to translating that profile into a pool of qualified future candidates.

Ideally, the pool consists of both internal and external candidates. The former can be nurtured through robust talent and development programs that identify high-potential leaders and provide them with opportunities and mentorship to build the characteristics and behaviors that will help propel the company to success.

Ensure that you start with robust scenario planning, align the board on key attributes of CEO success, look for blind spots among the leadership team to inform a holistic picture, and instill desired leadership attributes within various levels of the business while simultaneously looking outside the organization for future talent. You should never be caught flat-footed. There should always be a path and plan to a successor for each of the viable scenarios.

Regardless of whether the ultimate successor is chosen from the internal ranks or the market, a board that actively participates and collaborates closely with its current CEO will be well positioned to choose wisely and enable a smooth transition that supports growth and business objectives for the long term.

Richard Holt is managing director with Alvarez & Marsal Corporate Performance Improvement. He specializes in helping corporations execute complex business transformations that improve financial performance and drive growth.

Amerino Gatti is an executive in the energy sector and independent director on the board of Helix Energy Solutions, and he most recently served as chair of the board and CEO of Team, a provider of integrated specialty industrial services. He spent the first 25 years of his career with Schlumberger in various global roles.
