Overseeing Cyber Risks in a Complex Regulatory Landscape

Organizations face increasing cybersecurity risks and threats to their customers, financial information, operations, and other data, processes, and systems, and state and federal governments are alert to the threats to their constituents. To understand just how widespread concern about these risks is, look no further than the abundance of cybersecurity legislation currently on the dockets of state legislatures across the country.

For example, California, New Jersey, Washington, and Illinois are among the latest states to enact breach notification legislation that will significantly impact businesses operating in those jurisdictions by defining whether, when, how, and to whom notifications of a breach must occur. Some of these laws are going into effect just months after being signed and the cost of noncompliance can be severe (in California, fines are assessed per record breached).

As stewards of the strategy, finances, reputation, and overall direction of an organization, corporate directors have an important role to play in ensuring that adequate policies and protections are in place to answer the demands of such regulations, and that the whole board is ready to meet the oversight demands those regulations create.

Directors are in a position to provide the leadership and strategic direction their organizations need to balance safeguarding information, minimizing disruption from an attack or breach, providing transparency, and sustaining a cybersecurity program against competing strategic priorities.

There are four key steps boards should take to ensure adequate cybersecurity program development and oversight in response to emerging regulations and threats:

1. Understand the threat landscape and how companies are expected to respond under the law. Corporate directors and leaders need a clear picture of the threats at play in order to assess and implement a response framework that both meets the business’s needs and complies with a complex web of laws.

Adversaries’ tactics vary with their motivations. Nation-states may focus on cyber warfare, while garden-variety criminals (including insiders) are more likely to commit fraud or steal information. Each threat type warrants its own response and may also warrant involving different law enforcement and regulatory agencies.

It is also important to note that the nature of threats varies by industry. A real estate company is likely to face a higher risk of wire fraud, while a manufacturer might be targeted for theft of information by foreign governments. Directors should make time to understand the responses required by industry-specific regulations.

In addition, the range of threats—from phishing and social engineering to attacks on the supply chain—is constantly shifting. Boards must be aware of emerging threats, ensure they have the right team in place as first responders, and ensure people and processes are in place to help mitigate and address regulatory and compliance consequences from cyber incidents.

2. Ask relevant executives, leaders, and legal counsel the right questions. The board is tasked with gathering information from leadership, but the value of the exercise depends on asking the right questions. This ability becomes acutely important in the aftermath of a breach, but it should be practiced early and often. Many in the cybersecurity community have suggested questions of this kind; in light of increased regulatory action, the following are worth asking:

On risk: What are our risks and how are they being mitigated? Who is the owner of a particular risk?
On capabilities: What are the people, tools, and processes we have in place to implement our cybersecurity framework? Do these comply with the demands of new and existing regulations?
On controls: What controls are currently in place? What are the organization’s cybersecurity policies and procedures (e.g., incident response plan) and when were they last reviewed, tested, and updated? What training do employees receive regarding privacy and security?
On trends: What industry-leading best practices should be considered? What stories of disaster should we read and learn from?
On regulation: What is taking shape at the local, state, and federal levels that will impact the business? What is the plan to get compliant and stay compliant?

3. Know the potential costs and how they influence risk tolerance. In the event of an attack, it will be important to demonstrate to regulators good-faith efforts to identify and remedy risks. The extent to which an organization can show regulators that it did the work up front and put controls in place based on industry standards and best practices will determine the strength of its case for reduced penalties. For most organizations, cybersecurity incidents and regulatory noncompliance carry legal, financial, and reputational risk.

Compliance and risk mitigation come with their own financial costs. In Arizona, the maximum fine is $500,000 per breach event, while Alabama can impose a fine of $5,000 per day for failure to comply with its notification law. To make decisions about risk tolerance, companies need to weigh the risk against the cost of everything from business interruption to notification costs and potential fines.

Directors should also regularly review their director and officer liability insurance policies to confirm whether cyber-risk-related incidents are covered.

4. Establish metrics for governance. One of a board’s most important roles is to establish and assess metrics to enable oversight of the company’s cybersecurity program. The board should prioritize the development of a well-documented plan that is designed to account for and address evolving regulations, including a board-level metrics portfolio focusing on the following categories:

Program status, including cybersecurity strategy milestones and program tracking;
Internal environment updates, such as patching, the state of infrastructure, and the capacity of people to prevent phishing and data loss;
External environment updates, including the ability to gather threat intelligence and respond to emerging cyberthreat trends;
Compliance and audit figures on cybersecurity audit planning and regulatory compliance tracking; and
Response figures on disaster recovery, business continuity, and incident response planning.

Board members’ oversight of cybersecurity programs is crucial to protecting business interests from current and future threats. This requires boards to take an active role in strategy, validation, detection, and response plans, ultimately steering the dialogue with stakeholders to better understand, assess, and identify cybersecurity needs and deficiencies that need to be addressed.

It is impractical and inefficient for organizations to revamp their cybersecurity risk management program each time a new law goes into effect. Organizations with a presence in multiple jurisdictions should instead think holistically about their programs. Because the cyberthreat landscape changes constantly, risks must be weighed regularly against strategic goals, and the company must meet the regulatory demands created to protect businesses and consumers alike. By ensuring the quality of a company’s cybersecurity framework through leadership and oversight, a board can fulfill its obligation to protect the overall health and sustainability of the organization.

David Ross is a principal and the cybersecurity and privacy practices lead at Baker Tilly.

Avoid the Baby Boomer “Brain Drain” by Supporting Employee’s Journey into Retirement

Inclusion has appropriately supplanted diversity as a root cause lever and mindset that makes organizations stronger. With it, we now expand our frame beyond the traditionally noted racial, gender, and cultural diversity, and incorporate the value of generational diversity as well. Baby Boomers have stayed in the workforce for an extended period, Gen Xers are firmly in their mid-career, Millennials make up the largest portion of workers and are leaning into managerial roles, and Generation Z is at the start of their career. Whether you subscribe to the notion that each cohort has its own unique needs affecting organizations differently or not, overlooking the value derived by each segment is an opportunity missed. Boomers have stayed in the workforce beyond the traditional retirement age and present a spectrum of experiences that can be used in the present and live on through the passage of experience into the future.
The commonly cited fallout from Boomers’ departures is the subsequent “Brain Drain”, the loss of knowledge that results from a lack of transition planning. Often the cause of a failed transfer is poor succession planning. Succession planning is a critical practice throughout an organization, with a focus on the contributions to the customer value proposition made by workers in senior or specialty roles. While it is important to identify who will follow in a leader’s role, it can be even more beneficial to find out well in advance who is departing. By supporting workers into the next stage of life, retirement, organizations can engage departing employees earlier in their exit planning.
Most companies provide a financial savings plan, such as a 401(k), but offer little retirement preparation beyond that. Career Partners International (CPI) delivers holistic programs that engage individuals preparing to retire, to the benefit of both employee and employer. The New Horizons program coaches employees to plan for retirement across fifteen life factors involved in a successful retirement. Through validated proprietary assessments, individual coaching, and online workshops, this system helps individuals see beyond their working life and prepare for their next journey. When an employee is looking forward to retirement and feels supported by the organization, they are much more likely to give months or even years of advance notice before exiting. This advance notice, and excitement about the next phase, also makes the transition to a successor smoother. There is less reluctance to pass something on if it is not being clung to for dear life!
In-depth retirement planning is important for exiting employees, but to fully prepare an organization for employee departures there must be a cultural shift across all generations in the organization. To begin the conversation about future career goals and retirement planning with the rest of the organization, CPI has developed the PowerMyFuture™ program. PowerMyFuture™ is a series of eight modules, each customizable to the client’s target audience. Modules range from Money Matters for Gen Z and Millennials, to A Woman’s Journey, to Creating an Exit Strategy, and more. These programs help employees of all generations begin looking at retirement, allowing them to plan for the future and better support their exiting colleagues.
It may be tempting to hold on to high-level Boomer employees for as long as possible, but the reality is that they will eventually need to leave. If they depart without proper preparation, there is a risk of Brain Drain and leadership gaps. When they exit on a well-planned high note, there are numerous benefits to be gained. Younger leaders are groomed as successors, increasing engagement and retention through promotions and mentorships. Customers are less likely to leave because they have been smoothly transferred to new relationship managers. Information has been shared more broadly across the organization, often with cross-training for others within the company, so the benefits of experience, through both successes and mistakes, are passed on. Properly preparing for and supporting an employee’s retirement creates a win-win for the organization and the retiree.
About Career Partners International LLC.
Career Partners International was founded in 1987 and is one of the largest consultancies in the world. With over 350 offices in over 50 countries, Career Partners International is a leading provider of outplacement, career management, executive coaching, and leadership development services to clients and their employees worldwide.

Outplacement – What Makes a Truly Excellent Program?

You put a great deal of thought and consideration into the necessity of separating employees from your organization. These valued members of your company have dedicated their time and effort for years, and in many cases must leave through no fault of their own. What your employees experience during separation, and how they are treated upon departure, reflects on your organization. Central to a contemporary separation, with a holistic approach to current needs and demands, is an expert outplacement program. For over 30 years, Career Partners International has designed and delivered top-of-the-line career transition support throughout the world. Below are the critical elements of an outplacement approach that gets results others don’t, and that is marked by the dignity and respect that support your organization’s culture and brand.
Individual Coaching
CPI’s coaches are world-class, with years of experience and local market knowledge and networks. The most powerful coaching comes from building relationships and learning the unique needs of each candidate. In lesser outplacement programs, coaching is often assigned to whoever is available from wherever at the time, or left out entirely. Repeatedly switching coaches sub-optimizes progress. Think of your last call center experience, when you were transferred from one attendant to the next, and the next. How did you feel? And that was for an issue likely less important than a career!
Technology to Enable, Not Replace
Pairing great coaching with leading technology creates a holistic program to fully support candidates.  You are relying more heavily on technology to recruit employees than ever before.  If an outplacement program does not account for this change it is missing a major component.  CPI’s technology suite includes ways to better adapt to the new employment reality with tools like Job Scan to match ATS programs, Video Interview practice, resume builders, weekly webinars, and much more.  All this technology is mobile friendly and accessible from anywhere in the world.
Immediate Support
CPI believes in immediate support of both organizations and separated employees. Our coaches are trained to provide on-site support on the day of a separation, to immediately engage with former employees and help them begin taking steps in the right direction. Our team is available to coach Human Resources and Management through the appropriate steps in preparing for layoffs, and to work with team members who remain after a separation. This is a trying time for both individuals and organizations; with CPI’s support, the transition can be made as smoothly as possible.
Choices
Part of the CPI outplacement program is taking time to evaluate a candidate’s options in moving forward.  For many, this will be returning to a similar role as quickly as possible.  For others, the evaluation goes deeper, and alternative choices may be more attractive.  As an example, some senior executives choose to start consulting instead of returning to a standard 9-5 role.  The entrepreneurial program is appropriate for them.  Alternatively, if a separated employee is nearing retirement, this might be an appropriate time to begin that next phase of life.  For them, CPI has the New Horizons program with proprietary and validated assessment tools to begin holistically planning for retirement.  Importantly, CPI caters to each candidate’s unique needs, providing choices not a one-size-fits-all system.
Consistency
Career Partners International is truly that: international. In over 50 countries, our Partners are the best in their region and share our values. Whether your organization is a single location, national, multinational, or globally prolific, you will experience the same high-quality delivery everywhere. For programs with 1 to 1,000 candidates, CPI delivers consistently, with constant reporting back to the client. Organizations working with CPI know the quality and individual attention their candidates will receive around the globe.
Taking the time to find the right career transition and outplacement programs for departing employees is essential to maintaining a good employer brand.  With CPI, over 80% of candidates land in equal or better positions than those they previously left.  Success rates like this provide organizations peace of mind and help former employees move forward.  Settling for subpar outplacement providers may provide a short-term financial benefit, but by partnering with a quality provider, you fortify your status as an employer of choice and set yourself apart from the rest of the market.

How A Wedge Approach To Positioning Helps Clarify Choices

Positioning is a wedge – a tool designed to separate things. Those driving sharp distinction lead with their point of difference. Consultative sellers seek first to understand prospects’ needs and then narrow their message to focus on the most important of those needs. The most effective of all combine a sharply distinctive positioning with a consultative selling approach.

Those combiners run around the world trying to fit puzzle pieces together. They are confident enough in their sharply distinctive point of difference to begin conversations seeking to understand others’ needs to see if their pieces fit. If their offering is the best fit, the best tool for the task, they move forward. Otherwise they suggest other people’s tools.


Why Trying To Make A Good First Impression Is The Worst Thing You Can Do When Starting A New Job

The trouble with trying to make a good first impression when starting a new job is that you don’t understand the context. This means people may not receive your communication in the way you mean it.
Define the verb to “dust.”
That’s not as easy as you think. It has different and occasionally opposite meanings. If I dust the table, I’m removing particles of dirt. If I dust the strawberries with sugar, I’m adding sugar. If I dust a batter in baseball, I’m pushing them back. And if someone dusts you in a race, they defeat you badly, leaving you in their dust.

None of you are likely to start a new job by telling people that you’re a big believer in dust. But you may do something similar without even meaning to.
Here’s why this matters.


Lessons From Federer v Djokovic: Not All Points Are Created Equal

If you missed the Wimbledon men’s tennis final this weekend, Roger Federer won 36 games to Djokovic’s 32. Three of those 32 games were tie-breaks, which was enough to win the match 3 sets to 2. While it could have gone either way, it didn’t. Djokovic won the points and games that mattered most. That’s the lesson: marshal your resources to win where, what, and when it matters most.
The where-to-play question is strategic, tactical, and personal.
Where to play strategically
Strategy is the art of the general, arranging forces before the battle. So where to play strategically is about which battles to fight in the first place.
Professional tennis players and golfers and the like, do not compete in every tournament. They carefully map their seasons so they give themselves the best chance to win the tournaments that matter most.
This is one of the fundamentals of business strategy – choosing where not to play.


Onboarding Into An Interim Role? Focus On Needs And Remits

The eight essential steps of executive onboarding apply whether you’re joining a new company, getting promoted from within, or moving into an interim role. But the specifics are different for different interim roles depending upon the organizational need (steady state vs. point of inflection) and your remit (holding the fort, developmental, or probationary). And know that in an interim role, you may not make it through all of the eight steps. Get started in the right way anyway to set your successor up for success.

Remit                              | Need: Steady State   | Need: Point of Inflection
Holding the fort for someone else  | Minimize disruption  | Sacrificial change agent
Developmental                      | Maximize learning    | Get help
Potentially permanent              | Prove yourself       | Set someone else up to fail



NACD Advisory Council Discusses the Board’s Role in Crisis Preparation

In today’s world of real-time communications, companies are now expected to respond immediately to emerging crises, and boards are feeling more pressure to ensure that their companies can navigate effectively through challenging crisis moments. Peter Gleason, NACD president and CEO, explains, “Boards have always provided oversight of crisis response plans, but the key difference today . . . is [that] with the advent of social media, the window for response time has all but disappeared. It’s critical for directors to engage with management on a regular basis to discuss the outline of the crisis response plan.”

The 2019 NACD Public and Private Company Governance Surveys find that less than a third of companies have delineated roles for the board and management in their crisis preparation plans, while fewer than 20 percent indicated that they’ve assessed the effectiveness of early-warning capabilities—a critical aspect of crisis preparedness.

While each crisis is unique, there are leading practices boards can adopt to improve their governance of crisis readiness. To help directors prepare for this issue, NACD, Heidrick & Struggles, and Sidley Austin LLP cohosted a meeting of the NACD Nominating and Governance Committee Chair Advisory Council—comprising Fortune 500 company nominating and governance committee chairs and lead directors—on April 24, 2019, in Washington, DC. The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes are not attributed to those individuals or their organizations, with the exception of cohosts.

Participants identified three important benefits of effective board-management dialogue on crisis planning and preparation:

Effective crisis planning identifies skill gaps within the executive team.
Thoughtful crisis planning exposes potential risks related to information flows to the board.
Nominating and governance committees can use insights from crisis planning to inform their reviews of board structure and composition.

Effective crisis planning identifies skill gaps within the senior management team.

Crisis planning offers more benefits than just a routine hygiene check. As one director noted, “When you are doing a good job as a board overseeing crisis preparation, issues are going to rise to the top that you need to address.” These issues can take many forms, including identifying potential disconnects in the assignment of roles and responsibilities. Ted Dysart, Vice Chair at Heidrick & Struggles, noted, “Crises can accelerate to a point where senior leadership is no longer equipped to serve in some roles—for example, acting as a spokesperson for the organization. As part of the crisis planning process, the board can discuss whether any skill gaps have been identified, and how they will be addressed with training or other support.”

Delegates noted that the right candidate isn’t always the most obvious one. One participant observed, “We need to ask the questions about whether the CEO is fully prepared if a crisis arises, but it goes beyond that. Some crisis response roles should be assigned according to skills, not necessarily titles, so the board needs to know who else in the management team is crisis ready.”

Thoughtful crisis planning exposes potential risks related to information flows to the board.

While it’s important to have a process around what information is escalated to the board, judgment is often more important than process. One delegate commented, “At one of my companies we had an issue with a senior leader that never reached the board. The reporting process was part of the roadblock. What worries me most [are the gaps in information.] What does the organization know, [that] the board does not?” Another participant noted, “The [glaring] crises that are acute and major are easier to prepare for. It’s the under-the-radar ones that result from a series of seemingly insignificant activities that can be more difficult to detect, and they’re often the ones that the board is most accountable for.”

Some council participants indicated that their boards use the latest news stories as a mechanism to evaluate the effectiveness of their crisis readiness. One director noted, “In the aftermath of some of the recent headlines related to culture and #MeToo, we’ve had discussions with management about when the board will receive information about issues that may not be financially material, but could be culturally significant.”

The relationship between the board and the general counsel (GC) also emerged as a critical component of effective crisis planning. A delegate said, “I have a conversation with the GC monthly. [This practice] started when I was new to the [nominating and governance committee chair] role, and was an opportunity to set up a trusted relationship that has strengthened over time.” Another director shared a similar approach: “Before every committee meeting, I sit with the GC and review the agenda. Then we have an open conversation about anything else on the GC’s mind. The regular rhythm of these conversations helps me stay informed about potential challenges.”

Nominating and governance committees can use insights from crisis planning to inform their reviews of board structure and composition.

Delegates discussed benefits outside those traditionally associated with crisis preparation, zeroing in on board structure. Sara Spiering, principal at Heidrick & Struggles, commented, “In our board search work, we’re seeing clients asking questions about prospective directors’ past experiences with turnarounds or other challenging situations. One of the [qualities] boards are starting to [recruit for] is confidence and calmness in high-pressure situations.”

Directors are also using these insights to weigh the merits of changing committee structure. One participant explained, “We had a situation on one board that required establishing a special committee. Luckily, [the board] had enough independent directors with the [requisite] capacity and skills— [that is,] the ability to get into the details [and] ask tough questions, [as well as] the time commitment and energy to take on the [additional] workload. As nominating and governance committee chairs, we have to factor this into board succession planning.”

The boards of companies in heavily regulated industries often align committee structure with risk management and crisis planning. One director remarked, “I’m on several boards with a separate safety committee. Other industries have compliance or regulatory affairs committees; some are [establishing separate] cybersecurity committees. In all cases, it sends a strong signal about the importance of the issues and the level of oversight. On our safety committee, we’re looking at [granular] information—if a truck hits a ditch on Christmas morning, [the committee] hears about it.”

Conclusion

As Benjamin Franklin pointed out, “By failing to prepare, you are preparing to fail.” In light of growing public scrutiny, board and management preparation for crises is likely to remain a priority for nominating and governance committees. When confronting these complex and unpredictable events, Holly Gregory, partner and co-chair of the Global Corporate Governance & Executive Compensation Practice at Sidley Austin, advised directors to closely monitor corporate culture, noting, “Periods of crisis are when the cracks in an organization’s, and a board’s, culture really show up. If there’s been a tendency to avoid difficult conversations, if relationships with management are strained, if there are skill gaps or factions within the board, these things will all make a bad situation worse.”

As directors scan the horizon for potential risks, they should not lose sight of seemingly insignificant, but persistent, problems. As a delegate framed the issue, “Major crises don’t come along very often. We can learn not only from crisis planning, but [also] from more minor issues. Both of these can help the board identify underlying tensions and open up important conversations about the skills and processes needed to weather a serious crisis.”

Questions directors should consider:

Is there a crisis-response plan in place? How often is it revised? How often is crisis planning discussed in board meetings? Is there a common understanding among management, the board, and board committees about their respective roles, responsibilities, and accountabilities for crisis management?
Have we identified which crises the company is most likely to face? What steps can be taken to mitigate the risks that would lead to those crises?
Have we achieved a common understanding of what circumstances trigger bringing an issue to the board’s attention? Has our management team identified key indicators that offer early warnings about increased risk exposure that could lead to a crisis? What is the threshold, and the process, for reporting to the board about sudden changes to the company’s risk profile?
Does the organization’s culture support a level of trust between a) the board and the executive team and b) the executive team and middle management that encourages candid discussions about risks? How willing are employees to speak up about problems that can cause a crisis for the organization?

Related Resources

NACD Online Resource Center: Risk Oversight
“Governing Through Disruption: A Boardroom Guide for 2018,” Holly Gregory, Sidley Austin
Report of the NACD Blue Ribbon Commission on Adaptive Governance
Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset
“Seven Steps to Minimize Fallout from Crisis Situations”