Audit Committee Members Share Tips for Better Management Presentations and Engagement

While wearing a lot of oversight hats, the audit committee often interfaces with different members of the management team. It may be challenging for those members of management to present to the board, especially since some of these individuals may only have a handful of opportunities to do so each year. And there is a lot of room for improvement in those presentations, according to directors.


Out of eight management roles, directors rank the presentation skills of only two, the chief financial officer and the general counsel, as excellent. It’s critical that executives hone their presentation style, polish their overall executive presence, and provide helpful and manageable pre-read materials. Doing so will affect the audit committee’s effectiveness and its impression of both the presenters and the functions they lead.

We synthesized feedback from directors about how senior management can better engage with the audit committee. Here are five tips they gave for those members of management to succeed.

  1. Invest in your relationships. Schedule a meeting with the audit committee chair to get his or her impression of your role, its value to the company, and your presentation skills. As you further develop your relationship, continue to ask for feedback and coaching on how to improve. By forming relationships, you become a valuable asset—one that the audit committee can look to for expertise and help in what are often complex areas that may carry unpopular messages. Also be sure to talk to other members of the executive team. They can provide insight into director personalities and dynamics. They might also be in the room when you present and could have some good tips.
  2. Know your audience. Audit committees (and boards) are different from other audiences. It’s important to strike the right level of detail, insight, and impact without being too granular. Be sure to convey risks and concerns in terms directors can relate to. Audit committee members generally have some sort of financial reporting background, so they’re comfortable with related topics. If, however, you are presenting on something more technical (like cybersecurity or emerging technology risks), it’s important to balance educating the audit committee with achieving the objectives you have for your presentation. In general, the audit committee is looking for insights: trends or themes, concerns or challenges.
  3. Be thoughtful when preparing pre-read materials. Make sure any materials sent ahead of the meeting are easily digestible, especially if there are important messages to relay or critical decisions that will need to be made. If pre-read materials are not clear or are cumbersome to get through, the committee could misinterpret the message or focus on the wrong areas. If a presentation requires a regular cadence, it is important to develop a dashboard or some consistent reporting mechanism that will make it easy for audit committee members to monitor the activity. It is also important to work closely with the chair to develop reporting formats that are fit for their purpose. If you are presenting a new topic, like a tax matter or an investigation update, you will want to think about how audit committee members might read that data when you’re not there to walk them through it. It’s important not to send information that could be interpreted incorrectly. You want to provide enough detail to give them the background but save some insights for the in-person discussion. 
  4. Be strategic with your time. It should be clear that once the management team is in the room, the audit committee is ready to hand the reins over to that team to lead the discussion. Pre-read materials should have included an executive summary that highlights what will be discussed—and the pre-read should not be repeated. Instead, highlight the key risks and critical matters that require discussion and decisions at the meeting. Communicate the main objectives up front, and summarize and reinforce key points throughout. Be prepared for any questions (and reactions), as well as for any changes in the meeting’s direction.
  5. Focus on your message. You should scrap the jargon, know your material, and be engaged with your audience. Presenting is important, but make sure you are also asking the committee for questions and commentary. The focus here should be that the committee hears and understands management’s messages.

If the person presenting is a senior management executive like the chief information officer, chief audit executive, or head of tax, he or she may only end up presenting to the audit committee once or a few times a year. When that person does present, they’ll want to make sure those interactions are helpful and effective. Suggesting these tips to your senior management team will help your audit committee get the information it needs. These tips will also give the management pipeline a chance to share ideas and interact with people who are deeply invested in ensuring that the entire company succeeds.

For more on how management should interact with the board, read our Executive Coaching series.

Resilience: Building an Essential Corporate Capacity

Editor’s Note: This is the first in a series exploring the board’s role in corporate resilience.

Resilient companies produce impressive results. They have shown positive earnings and sales growth during recessionary years, improved their corporate image by effective strategic responses to natural disasters, raised dividends for several consecutive decades, and won back market share against low cost and online competitors. They also invest wisely. By one estimate, “…for every dollar invested in resilience before a disaster, there is a four-dollar savings in the cost of recovery response in the wake of the crisis.”

The examples mentioned above support the claim that organizational resilience is an important concept for corporate boards and senior executives, but companies often don’t include it in executive planning exercises. Instead, many mistakenly categorize resilience as disaster recovery plans or business continuity plans, leaving the details to mid-level operations.

Others see resilience as a part of corporate succession planning, risk management, or other important programs. However, in today’s dynamic, disruptive operating environments, organizational resilience requires that companies integrate features that those plans and programs lack.

To succeed, leadership, supported by the board, must resource and incent resilience into the infrastructure and the culture of the company. Similar to other cultural paradigms like workplace safety, resilience matures and becomes integral to people, processes and technology. Suggestions for doing so follow.

What is resilience?

Most importantly, resilience involves strategy. It’s not just a plan. It includes two critical concepts: organizational capacity and the ability to “adapt and grow from a disruptive experience.”

Judith Rodin, former president of the Rockefeller Foundation, includes the following concepts in an excellent definition of resilience made in a speech from 2014:

“Resilience is the capacity of any entity—an individual, a community, an organization, or a natural system—to prepare for disruptions, to recover from shocks and stresses, and then to adapt and grow from a disruptive experience.”

In sum: Be prepared to bounce forward better.

Effective organizational resilience requires strategy that spans vertically and horizontally across the organization. “Resiliency requires alignment in all levels of management and all lines of business,” said Israel Martinez, CEO of Axon Global, where his team is charged with cyber risk and resilience strategy for the Japanese government and private sector leadership as they prepare for the Tokyo 2020 Summer Olympic Games. “It integrates risk; governance; policies; principles; partners such as supply chain; technology and most of all a culture.”

At maturity, resilience represents value as an organizational capacity—a core characteristic of the corporation. At this stage, it requires a continuous improvement process so that it remains effective as a core value. The distinguished venture capitalist Ray A. Rothrock notes that resilience needs to be treated as a “positive business asset” and resourced accordingly. Demonstrating effectiveness in a company’s resilience allows leadership to innovate confidently knowing that calculated risk mitigation strategies are in place. This impacts valuation and reputation, which are core to boardroom concerns.

The mantra “adapt and grow” requires actions that are different from yesterday’s. Many approaches to resilience focus on returning to the status quo ante, such as disaster recovery, but this isn’t enough. Today’s definition of organizational resilience is closer to Nassim N. Taleb’s notion of being “antifragile.” Taleb, distinguished professor of risk engineering at New York University’s Polytechnic Institute, is the famous author who introduced us to antifragile resilience characteristics that insulate or even benefit from “black swan” risks in his 2014 book Antifragile: Things that Gain from Disorder (Incerto). His concept builds on principles such as “…things [that] benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty.” Resilience strategy should incorporate similar concepts and principles such as the ability to recognize disruptions, mitigate shocks, and adapt to accelerating change with agility.

Preparedness is the principal muscle that implements resilience. Unexercised, resilience’s value to the corporation diminishes. Over time, preparedness provides a higher return on investment (ROI) than reactive approaches, and its value is multiplied when it includes partners outside of the company. Therefore, to maximize outcomes in crises, the preparedness principle requires leadership to incentivize proactive and collective exercises with communities, governments, and stakeholders at all levels.

As former New York City Mayor Rudolph W. Giuliani notes in Leadership, it wasn’t the plan that helped New York recover after 9/11—it was the planning processes, and the pre-crisis exercising of the plans. Within this framework, preparedness drives the effectiveness of resilience. Resilience cannot be effective as a static concept. It requires practice with action. Preparedness exercises feed the continuous improvement process that must anticipate a dynamic environment, from accelerating technologies, to socio-cultural factors, to changing workforces, expanding cyberattack surfaces, and climate change.

As with other boardroom enterprise initiatives, resilience requires cultural considerations across the enterprise. Resilience depends on understanding growing interdependencies within and among societies—such as links among power, telecommunications, transportation, and water infrastructures. These will become more important as we build smarter, more connected cities and societies.

Getting to good

Enterprise Risk Management (ERM) integrates across core functions such as corporate succession planning, continuity of operations, supply chain management, and cybersecurity. But resilient corporations demand more. Daniel Newman of Broadsuite Media Group points out that companies must build both business resilience and cultural resilience. The former depends on technology and systems, while the latter is “the ability to maintain composure and an effective business image regardless of the situation.” In Rothrock’s words, “Resilience is about standing up to do business while effectively fighting back and winning.”

Figure 1. Conceptual diagram for measuring vulnerability and resilience (expanded from KANG Shian Chin et al. (2014); based on Richards, Ross, Shah, & Hastings, 2009).

As shown in Figure 1, components of resilience, such as acceptable performance and extent of degradation, can be assigned measures of effectiveness (MOEs) and tracked. Within the company there may be several such curves—for sales, cybersecurity, backlogs, etc. But leadership must also define an overall measure of corporate performance. Procter & Gamble Co., for example, has defined total shareholder return as its “measure of value.”

Metrics will be explored in more detail in a future installment of this series, but there is no silver bullet solution. A resilient culture is built on a foundation of ethics, principles, and governance, as well as compliance—not blind adherence to checklists, but a structure that assesses damage and prioritizes meaningful responses when things go wrong. Collectively the measures must promote continuous improvement and use stresses and shocks to strengthen the organization against operational impacts from cyberattacks and other challenges. Beyond predictive analyses, strategic foresight and scenario planning are important.

Building the capacity for resilience: the board’s role

Successful corporate directors are keen to build resilience. Only senior leadership, supported by the board, has the breadth of vision and the experience to address these issues comprehensively. Far more important than compliance checklists, the board members’ strategic impact on business and cultural resilience can help leadership build valuation through quality control incentives and measurements like MOEs.

NACD’s Robyn Bew explains in the 2017 Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset what a resilient company culture looks like and the roles the board can play. These will be explored in the remaining parts of this series, which will examine:

  • Why does resilience matter now more than ever?
  • How is resilience different from conventional approaches to ERM?
  • How can companies build resilient capacity and integrate it into corporate culture and practices? What does “good” look like?
  • What should the board’s role be? What questions should boards be asking?


Oversight of Workplace Dynamics: The Labor Model

Jim DeLoach


The so-called war for talent has been waged and chronicled for so long that reference to it has become trite, but the battles continue in earnest. A top risk for many years, the conflict has become increasingly complex and even more competitive as demographics shift, new technological capabilities emerge, and the pool of needed talent falls short of demand. As these disruptions alter traditional labor models, today’s organizations are being forced to cope with a future that is looming large on the horizon.

Nearly 30 years ago, Irish author and philosopher Charles B. Handy introduced his idea of the “shamrock organization.” Just as the most common clover has three leaves, this organization consists of three components:

  1. A professional core of well-qualified, hard-to-replace, and highly compensated leaders, managers, and technicians with the skills underlying the entity’s core competencies and essential to its continued growth;
  2. A contractual fringe of self-employed individuals and specialized organizations that provide essential capabilities to perform work on a project-by-project or outsourced basis and are compensated on results; and
  3. A contingent workforce of flexible, part-time workers whose employment is temporary and scaled up and down to address peak staffing periods arising from events and developments, such as an enterprise resource planning (ERP) system upgrade, unusual merger and acquisition (M&A) activity, major business process changes, or dramatic shifts in demand for company products and services.

According to Handy’s The Age of Unreason (Harvard Business School Press, 1989), in effect, the shamrock organization is a “core of essential executives and workers supported by outside contractors and part-time help.”

Over the past 30 years, demographic, social, and technological market forces have shaped the components of Handy’s model in interesting ways. Handy asserts that, while this labor model “has existed in embryo … what is different [now] … is scale.” Whereas the second and third leaves of the shamrock may have been smaller in the past, they are much larger today—and are still growing. They will continue to grow as the risk of disruption increases, customer loyalty grows fleeting, workplace demographics continue to shift, the service—or “gig”—economy expands, and the war for fit-for-purpose talent intensifies. It’s an omnipresent trend toward a talent ecosystem that warrants director attention.

As the world of work changes, the board has a role in ensuring that management is making the appropriate adjustments. Below, we pose several questions germane to board oversight, with emphasis on two of the three dimensions of the evolving labor model: skills and scale (our next blog discusses technology, which is the third dimension):

  1. Do we have an eye on the demographic, social, and technological trends affecting the labor model? Shifts in demographics, the availability of skilled talent, and the effect of technology on work, jobs, wages, and society at large should be assessed continuously over time. The board should be briefed periodically on this intelligence.
  2. Does the board utilize sources other than management for insights about market trends affecting the labor model? Relying on multiple intelligence sources is a smart play in all aspects of a board’s oversight, particularly this one.
  3. Given the evolving market trends, do we have processes in place to evaluate their implications for our labor model? Has management thought about separating noncore activities from the essential tasks of operating the business with the objective of improving focus on mission-critical activities? What are the benefits and costs to the organization if any or all of these noncore tasks and functions were performed by external workers or firms? If the business case dictates action, what specific changes should be made to the labor model (e.g., how, why, and within what time frame must the enterprise transform it)?
  4. Do we consider the economics, opportunities, and risks associated with outsourcing noncore activities? Providers of managed business services and business process as a service can offer options, particularly if the activities in question are not associated with strategic capabilities underlying the entity’s core competencies and the provider can perform the activities better at lower cost.
  5. Have we considered applying all three elements of the shamrock model? Is management positioned to hire, develop, and manage the labor pool in each shamrock category in an optimal manner? In the digital age, management can focus on understanding and harnessing technology’s role in supporting and shaping each pool considering its unique challenges.
  6. Do we have the right human resources partner? As management plans to implement process improvements and addresses the resource needs to support key initiatives, important talent management questions arise. What specific forms of expertise are needed? For instance, an ERP implementation requires finance professionals with technology and change management skills, and a digital transformation initiative requires data scientists. How do we resource these efforts? Does a traditional outsourcing relationship meet the need? Do we need help in deploying individuals and firms on the contractual fringe or on a contingency basis? As management addresses these and other questions in building the enterprise’s talent ecosystem, it may unleash significant value through an external partner who offers new capabilities and solutions through deep knowledge of the company’s people, processes, technology, and culture.

Directors should be cognizant of changing workplace dynamics and how management’s handling of them can have significant implications for the organization’s long-term viability. The economic drivers, technological advancements, and shifting generational expectations affecting the traditional staffing model are forcing companies to rethink how they are approaching staffing and talent development. Boards can play a catalytic role in stimulating this process.

Jim DeLoach is managing director of Protiviti. 

Report Finds Modest Increases in Director Pay, Notes Implications of Tax Law

Compensation for directors continues its slow and steady upward creep, but not everything is expected to be business as usual over the next couple of years.

The 2017–2018 Director Compensation Report—the 19th annual report on board pay authored by the compensation consulting firm Pearl Meyer and published by the National Association of Corporate Directors (NACD)—finds small pay increases and notable changes in the operating environment that could have a trickle-down effect on director pay in the near future.

Growth Across All Company Sizes

The report’s authors analyzed director pay information found in proxy statements or other financial disclosures filed with the U.S. Securities and Exchange Commission for fiscal years ending between Feb. 1, 2016, and Jan. 31, 2017. In all, Pearl Meyer analyzed data from 1,400 companies across 24 industries.

Across all companies included in the analysis, median director pay increased a modest 4 percent over the prior reporting year. Looking at companies by market capitalization, the smallest increases went to directors of micro-sized companies (those with revenues ranging from $50 million to $500 million), where median pay grew just 2 percent, from $120,286 to $123,230 (see Figure 1).

Small and medium-sized companies tied for the largest year-over-year median pay increases at 6 percent. That brought director pay up to $166,278 at small companies (those with revenues between $500 million and $1 billion), and to $192,250 at medium-sized ones (those with revenues between $1 billion and $2.5 billion). The low- to mid-single-digit increases in median director pay have been fairly consistent over the past six years, according to the report.

Committee Service and Pay

Most companies continue to provide additional compensation to directors for their committee membership. As is consistent with previous years’ data, members of the audit committee—which has a median of seven meetings annually, the highest of any committee—garner more than members of any other committee, no matter the company size (see Figure 2).

Fees paid to audit committee members could increase in the next couple of years, according to the report. The committee’s already high workload could increase as companies navigate the financial ramifications of the new tax law.

The New Tax Law and a Changing Environment

The Tax Cuts and Jobs Act of 2017, introduced by congressional Republicans late last year and signed into law by President Donald J. Trump, is having wide-ranging effects on businesses. Board pay programs are likely to change as a result of the law, the report states.

This is particularly true when it comes to the practice of deferring director fees. Deferral of compensation that gets paid out in the form of director fees has, over time, become something of a signal of good governance. Delaying payouts is seen as helping align directors’ interests with the long-term interests of shareholders. The practice was meant to provide potential tax relief to directors who were, at the time of their board service, employed full time: by deferring their director pay until after retirement, they could presumably take advantage of lower post-retirement tax rates.

Enter the new tax law. Under the law, personal income taxes will decrease for upper-income levels. That means deferring director fees until later to enjoy lower tax rates on those fees may be less enticing.

For more information about the latest director compensation practices, read the full article about the compensation report in NACD Directorship magazine. The full 2017–2018 Director Compensation Report is available to NACD members at Information about joining NACD is available here. A supplemental publication, Director Compensation: Summary Statistics, provides additional compensation data and is available at

Championing Diversity and Inclusion from the Top

Anna Catalano

Investors, legislators, and director peers around the world have noticed that diversity and inclusion practices are slow to be adopted. While adopting diversity from the highest level of the company appears to be a challenge for some boards, it is one worth overcoming. Enter Anna Catalano, a respected director and champion of greater inclusion of people of diverse backgrounds and perspectives on American boards and on boards around the world.

Catalano, an active corporate director with more than 30 years of experience, is a director of Willis Towers Watson, Kraton Corp., and HollyFrontier Corp., and advises still more companies. She is an NACD Board Leadership Fellow and board member of the NACD Texas Tri-Cities Chapter. In her work in the nonprofit sector, she is a director of the Alzheimer’s Association, the Houston Grand Opera, and is an honorary co-founder of the Kellogg Innovation Network at Northwestern University.

Catalano’s global business leadership experience is deep: she has held executive positions in Asia, Europe, and North America. She also is a proud champion of women in business and understands the role of diversity and inclusion in companies’ ability to innovate.

NACD caught up with Anna Catalano to speak with her about diversity in the boardroom prior to NACD’s 2018 Global Board Leaders’ Summit.

NACD: Having held executive positions in Asia, Europe, and North America, how has working internationally influenced you?

Catalano: Living abroad really changes your perspective on the world. If you have the opportunity to work and live internationally, you should do it. An international perspective is crucial for members of boards at companies that are global or are considering expanding into global markets. It’s important that companies recognize that not all countries develop in the same ways. If you have experiences working and living in different countries, it can help you understand how countries develop and what different populations are interested in within that market. One thing that has been reinforced for me in my global experience is that in spite of cultural differences across the globe, we all care about our families and our communities. I believe that perspective is needed on boards, and sadly it’s really missing in many.

NACD: You’ve been recognized in Fortune’s ranking of “The Most Powerful Women in International Business” and shared your thoughts on International Women’s Day on your blog. What advice do you have for female board members working to expand their international board portfolio? How can women break into the boardroom?

Catalano: It is crucial to get more women to serve on boards of all types and in all industries. If a woman is not on a board and is looking to join, I would advise her first to continue growing her experiences and seek out learning opportunities. My advice to people who want to get on their first board is to make sure you have a good story to tell about why you’re qualified and what makes you a desirable candidate. It’s imperative to be distinctive and able to add value to the strategic conversation. Second, you have to figure out how to become top-of-mind. You want to be the first person a recruiter or another director thinks of when a position opens up. How do you do that? Form relationships. The first time you call a recruiter should not be about how you’re going to get onto a board. If you wait until you are 55 years old before you develop a relationship with a recruiter, it’s probably too late. Start early and build relationships over time. Most importantly, women who already sit on boards need to help other women.

NACD: Implicit bias and the idea of the bias of crowds hardwires a lack of inclusion into organizations. What steps can a board take to get serious when it comes to diversity and inclusion in 2018?

Catalano: Directors on a board need to understand deeply what diversity and inclusion are. It is not about numbers or getting a certain percentage of women or people of color in certain positions. The concept of understanding bias around diversity and inclusion requires delving into why you make certain choices and assumptions about people. My take is that in the majority of instances it’s not intentional or malicious that women are primarily in functional roles and that men are primarily in profit and loss roles. Boards need to examine and understand why these trends happen, and be willing to invest time into the process. If you ask most board members if they understand diversity and inclusion at their company, they will say they do but then they cannot really explain it. It is crucial to invest in learning about and understanding diversity and inclusion and having a board chair willing to spend some quality time on this topic.


Don’t miss out on the continuation of this discussion at the 2018 Global Board Leaders’ Summit, happening September 29 through October 2 in Washington, DC. There will be plenty of opportunities at Summit to discuss the future of the economy, globalization, and much more. Register by June 30 to take advantage of the early bird rate and save $1,000 off the registration price.

Getting the Right Cybersecurity Metrics and Reports for Your Board

In the 2017–2018 NACD Public Company Governance Survey, 22 percent of corporate directors said they were either dissatisfied or very dissatisfied with the quality of cybersecurity information provided by management.

We’re not surprised. In most cases, management still reports on cybersecurity with imprecise scorecards like red-yellow-green “heat maps,” security “maturity ratings,” and highly technical data that are out of step with the metric-based reporting that is common for other enterprise reporting disciplines.

Boards deserve better. We recognize that cybersecurity is a relatively young discipline, compared to others under the umbrella of enterprise risk management (ERM). But it’s not a special snowflake. Management can and should deliver reports that are:

  • Transparent about performance, with economically focused results based on easily understood methods.
  • Benchmarked, so directors can see metrics in context to peer companies or the industry.
  • Decision-oriented, so the board can provide oversight of management’s decisions, including resource allocation, security controls, and cyber insurance.

While that level of reporting may still be aspirational for some companies, directors can drive their organizations forward by asking the following five questions, and demanding answers backed by the sorts of metrics and reports that we suggest below.

Before we get to the questions, there’s an overarching prerequisite for sensible reporting: every key performance indicator and key risk indicator should be tracked against a target performance level or a risk appetite, respectively.

That means defining risk tolerances in an objective, clear, and measurable way—for instance, “our critical systems downtime should always be less than one percent”—so that an analyst’s gut feelings aren’t determining results.

1. What is the threat environment that we face?

The chief information security officer or chief risk officer should paint a picture of the threat environment (cybercriminals, nation-states, malicious insiders, etc.) that describes what’s going on globally, in our industry, and within the organization. Examples of good metrics and reports include:

  • Global cyber-related financial and data losses
  • New cyber breaches and lessons learned
  • Trends in ransomware, zero-day attacks, and new attack patterns
  • Cyber threat trends from ISACs (information sharing and analysis centers)

2. What is our cyber-risk profile as defined from the outside looking in?

Boards should get cyber-risk assessments from independent sources. Useful sources of information include:

  • Independent security ratings of the company, benchmarked against peers
  • Third-party and fourth-party risk indicators
  • Independent security assessments (e.g., external consultants and auditors)

3. What is our cyber-risk profile as defined by internal leadership?

Management should provide assessments with tangible performance and risk metrics on the company’s cybersecurity program, which may include:

  • NIST-based program maturity assessment
  • Compliance metrics on basic cyber hygiene (the five Ps): passwords, privileged access, patching, phishing, and penetration testing
  • Percentage of critical systems downtime and time to recover
  • Mean time to detect and remediate cyber breaches

4. What is our cyber-risk exposure in economic terms?

Based on the company’s cyber-risk profile, the central question is: What is the company’s potential loss?

In the past 30 years, we have seen that question answered in economic terms in each and every risk discipline in ERM: interest rate risk, market risk, credit risk, operational risk, and strategic risk. Now we need to address that question for cyber risk. This expectation can also be found in the U.S. Securities and Exchange Commission’s new guidance on cybersecurity disclosures and its focus on quantitative risk factors.

The Factor Analysis of Information Risk (FAIR) methodology is a widely-accepted standard for quantifying cyber value-at-risk. The FAIR model provides an analytical approach to quantify cyber-risk exposure and meet the heightened expectations of key stakeholders.

In the current environment, directors should demand more robust reporting on metrics such as:

  • Value of enterprise digital assets, especially the company’s crown jewels
  • Probability of occurrence and potential loss magnitude
  • Potential reputational damage and impact on shareholder value
  • Costs of developing and maintaining the cybersecurity program
  • Costs of compliance with regulatory requirements (e.g., the EU’s General Data Protection Regulation)
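The two metrics named above, probability of occurrence and potential loss magnitude, only become a board-level number once they are combined into a loss distribution and read against a stated risk tolerance, as the prerequisite earlier in this article requires. The following Python sketch is an added illustration, not code from the article and not the FAIR Institute’s own tooling: it models loss event frequency as a Poisson process and loss magnitude as a lognormal distribution (both are assumptions of this example, a common simplification rather than the full FAIR taxonomy), runs a Monte Carlo simulation, and reports expected annual loss, the 95th-percentile loss (a value-at-risk figure) and whether that figure sits within a tolerance the board has set. All scenario numbers are constructed.

```python
"""FAIR-style cyber value-at-risk via Monte Carlo (illustrative example)."""
import math
import random

# Standard normal 95th-percentile z-score, used to turn a stated P95 loss into sigma.
_Z95 = 1.6448536269514722


def lognormal_params_from_quantiles(median, p95):
    """Convert an analyst's median and 95th-percentile loss estimate into
    the (mu, sigma) parameters of a lognormal distribution."""
    mu = math.log(median)
    sigma = (math.log(p95) - mu) / _Z95
    return mu, sigma


def poisson(rng, lam):
    """Draw one Poisson-distributed event count (Knuth's method; fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate_annual_losses(lef, median_loss, p95_loss, trials=20000, seed=1):
    """Simulate `trials` years. lef = loss event frequency (events per year).
    Each year: draw the number of loss events, then sum a lognormal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params_from_quantiles(median_loss, p95_loss)
    losses = []
    for _ in range(trials):
        events = poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def percentile(values, q):
    """Empirical q-quantile (0 < q <= 1) of a list of numbers."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def risk_report(lef, median_loss, p95_loss, tolerance, trials=20000, seed=1):
    """Summarise a scenario the way a board report would: expected annual loss,
    95th-percentile annual loss (value-at-risk) and a pass/fail against the
    board's stated risk tolerance for that percentile."""
    losses = simulate_annual_losses(lef, median_loss, p95_loss, trials, seed)
    expected = sum(losses) / len(losses)
    var95 = percentile(losses, 0.95)
    return {
        "expected_annual_loss": expected,
        "var95": var95,
        "tolerance": tolerance,
        "within_tolerance": var95 <= tolerance,
    }


if __name__ == "__main__":
    # Constructed scenario: one loss event every two years on average,
    # median loss of $1M with a 95th-percentile single-event loss of $5M,
    # and a board-stated tolerance of $10M at the 95th percentile.
    report = risk_report(lef=0.5, median_loss=1_000_000, p95_loss=5_000_000,
                         tolerance=10_000_000)
    for key, value in report.items():
        print(f"{key}: {value:,.0f}" if isinstance(value, float) else f"{key}: {value}")
```

The useful output for a director is the last line of the report: a yes/no against a number the board agreed in advance, rather than a colour on a heat map. Changing the tolerance, or re-running after a control investment lowers the assumed frequency, shows directly whether the program is inside or outside appetite.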

5. Are we making the right business and operational decisions?

Cyber is not simply a technology, security, or even risk issue. Rather, it is a business issue and a “cost of doing business” in the digital economy. On the opportunity side, advanced technologies and digital innovations can help companies offer new products and services, delight their customers, and streamline or disrupt the supply chain. As a top strategic issue, management should provide the board with risk and return metrics that can support effective oversight of business and operational decisions, such as:

  • Risk-adjusted profitability of digital businesses and strategies
  • Return on investment of cybersecurity controls
  • Cyber insurance versus self-insured

We believe the number should be zero when it comes to the percentage of directors dissatisfied with the cybersecurity information provided by management. Based on our own observations of the quality of board reports on cybersecurity, significant gaps remain. We hope this article will serve as a framework for directors and executives to discuss ways to close those gaps.

When Healthcare Meets Retail

Sam Glick

It seems there’s always a new article about Amazon’s latest Alexa news, or a trendy startup trying to disrupt the shopping experience. Or, more soberly, a downtown now dominated by empty storefronts. Americans living and shopping in the country that invented the modern shopping mall, the supermarket, and e-commerce seek out the latest and greatest retail experience. Traditional retailers are now getting into the health business. Amazon bought Whole Foods, a grocer that began as a health food store. Walmart is considering buying PillPack, an online pharmacy startup. Albertsons is buying Rite Aid. And, in the biggest retail healthcare deal yet, CVS is buying Aetna, bringing together a retail chain with nearly 10,000 stores and a major national health insurer.

What does all this activity mean? Will the average American soon be going to the drugstore to pick up a quart of milk and have someone look at their rash while they’re there? Will my family physician deliver care at the same place that sells my Cheerios? The short answer to both questions: Maybe.

Retail’s entry into healthcare reflects three major trends in how the healthcare industry—and consumer behaviors—are evolving:

  1. Consumers are in the driver’s seat. In 2017, the average single plan deductible for those with employer-sponsored health insurance was $1,505. Since 2006, the average consumer’s annual out-of-pocket healthcare spending has increased by 230 percent. Consumers are spending mostly their own money for basic healthcare services, and they want to see value for that money like they do in other industries. They want reasonable prices, convenient hours and locations, and great service—not exactly attributes for which traditional doctor’s offices or hospitals are known. So, they’re turning to retailers and others to meet their needs, and it’s working. Oliver Wyman research shows consumers who visit a clinic in a drug, grocery, or discount store are highly likely to return—with just the opposite being true for conventional medical offices.
  2. Primary care is being redefined. The shortage of primary care physicians nationwide has been well-documented. Yet primary care is provided by a physician in many locations beyond the traditional exam room. Providers such as Kaiser Permanente now conduct more than 50 percent of primary care visits electronically. And in the United Kingdom, through a partnership with the artificial intelligence company, Ada, the National Health Service provides round-the-clock care via a chatbot. Also, in states such as California, pharmacists are beginning to be licensed to provide basic medical services, which could have a significant impact, given that there are more pharmacists in the US than there are primary care physicians. A drugstore chain with a pharmacist on every corner, or an online retailer with an app on every smartphone, is well positioned to get into the modern primary care business.
  3. Pharmacy matters more than ever before. We’ve seen some miraculous drug innovations in recent years—from a cure for Hepatitis C to using a patient’s own immune system to fight cancer—but those innovations have been accompanied by significant increases in pharmacy costs. According to Mercer, increases in pharmacy spending are one of the biggest concerns for employers when it comes to managing healthcare costs. Yet controlling that spending requires careful coordination long after a physician writes a prescription, from ensuring drugs are being taken correctly to understanding which consumers represent most of the spending to monitoring effectiveness. (Overall, just 0.3 percent of Americans account for a full 20 percent of drug spending.) And retailers—with big local footprints, large pharmacist workforces, and years of experience with consumer analytics—are in an advantageous place to deliver real value.

What does this mean for corporate directors?

Well, for those on retailer and healthcare boards, what’s vital is making sure that experience, value, and consumer preferences remain front and center on the company’s agenda, and that a range of innovative partnership and M&A options are being considered.

In other industries, directors should be asking hard questions to probe how these retail healthcare trends are being reflected in employee benefits and the company’s role in the new retail healthcare ecosystem. Health is affected by nearly every part of a consumer’s life, from technology to transportation, to food, to housing choices. Pretty soon, every company could be a healthcare company.


Sam Glick is a partner in Oliver Wyman’s Health and Life Sciences practice who focuses on consumer-centric healthcare.

Five Leading Practices for Governing Innovation

Technology is eroding traditional lines between industries and creating opportunities for innovators to disrupt incumbents. Findings from the 2017-2018 NACD Public Company Governance Survey suggest that boards are increasingly concerned about how to navigate technology disruption, with one third of respondents citing this as a trend likely to have the greatest impact on their company in the coming year. The rapid pace of change presents a significant challenge for boards as they look to sharpen their oversight. As such, directors, and the management teams they oversee, are searching for strategies that will enable them to adapt quickly to shifts in the business landscape.


The National Association of Corporate Directors (NACD), in collaboration with audit and tax specialist Grant Thornton, recently cohosted a directors’ roundtable in Chicago, Illinois, where directors and industry experts discussed the tactics that have helped them learn at the pace of disruptive innovation. Special guests from Amazon Web Services (AWS) were also present. Nichole Jordan, national managing partner of clients, markets, and industries at Grant Thornton, discussed the following strategies for getting out ahead of disruptors based on her engagement with clients.

1. Utilize leading technology conferences and events. There are many reputable conferences and events centered around technology and innovation that directors should consider attending each year. These gatherings bring together renowned innovators and thinkers, providing attendees with an insider view that many outside of the technology industry do not have access to. This year, NACD partnered with Grant Thornton to host a group of directors for the CES Experience, a curated, board-focused tour of the Consumer Electronic Show (CES)—the world’s largest and most influential technology show. Participants were introduced to novel products and services and spoke with their peers about potential disruptions to their companies and industries. Outside of CES, Jordan suggested that directors also attend South by Southwest and The Wall Street Journal’s Future of Everything conference, among others.

2. Visit domestic and international companies at the forefront of innovation. Corporate executives and directors can now access the innovation centers of leading technology companies including Google, Microsoft Corp., and Apple. Through offerings as varied as tours of innovation hubs, executive immersion programs, and corporate strategy sessions, boards can gain valuable insights into disruptive trends and how these may impact their own businesses.

Geoff Nyheim, director of US central area at AWS, provided an example of an insurance carrier taking advantage of Amazon’s offering. The insurance carrier was particularly concerned with the predicted growth of autonomous vehicles and the potential impact on their industry. The CEO brought his direct reports to AWS, where they spent three days talking through strategy under the premise that insurance claims would plummet due to disruption caused by the safety of autonomous vehicles. According to Nyheim, “when [operating under] that assumption, all sorts of different paths and creative ideas emerged” for the future of the company. Nyheim added that “a lot of other companies are in the same place, [but to their detriment] lack a similar urgency.”

One director commented that it’s just as important for boards and their management teams to get out of the country to visit innovation centers in India, China, and other emerging markets as it is to visit the ones close to home. On such a trip to India, the director visited a General Electric Co. factory that produced equipment used to create computerized tomography (CT) scans, and was amazed by the advanced tools and research that he saw. Directors should find ways to experience a similar sense of wonder that’s applicable to their own industries.

3. Cultivate a collaborative business mentality. Though possibly counterintuitive, businesses need to consider building a sustainable ecosystem of partners for themselves. Jordan called out companies in Grant Thornton’s ecosystem, naming “Amazon Web Services and NACD as partners.” Directors should challenge members of management to consider developing a set of networks, partnerships, or alliances that can be tapped into to generate and implement innovative solutions. One director agreed, citing an internal study at his company which found that “less than five percent of ideas [generated within the company] actually came to fruition.” The company makes large investments in research, leading the director to conclude that part of the problem may be that it is relying too heavily “on [its] own resources and [is too] unwilling to trust others to help in the innovation process.” He also briefly outlined how companies can leverage networks to collaborate with a trusted supplier. The tactic assumes that a supplier “gets ten percent of revenue from [your company, so you ask the supplier if they would be willing to] take that ten percent and put it towards creating products for [your company].” This kind of thinking can lead to mutually beneficial and innovative engagements that enhance operational effectiveness.

4. Integrate technology briefings into your daily routine. Directors should be purposeful about incorporating reading about technology into their everyday lives, and can do so by seeking out reputable publications that report on the business of technology. The Wall Street Journal’s technology department, Recode, TechCrunch, and Wired magazine are widely considered reliable publications that bridge the gap between management and technology. Following leading organizations and their CEOs on social media—Jeff Bezos, Elon Musk, Shelley Palmer, or Gary Shapiro, for instance—can also enrich directors’ technology diets. One participant observed that maintaining relationships with individuals in late-stage venture capital funds can also facilitate learning. Venture capitalists “evaluate hundreds [if not] thousands of proposals,” she said, and could keep directors apprised of bleeding-edge developments.

5. Monitor your company’s progress on innovation relative to its customers. Effective benchmarking of technology initiatives’ success will vary from company to company. As such, innovation efforts should be wedded to the current and future needs of the company’s customers. Jeffrey Traylor, head of AWS solutions architecture for the US Central area at Amazon, suggested Amazon’s value of working backwards as a strategy for customer-centered innovation. “Before we [even] write the first line of code, we write a press release for three years from now, then write an FAQ,” Traylor said. “We ask [ourselves the following]: Who is the customer? What problem are we solving? What are the most important benefits to the customer? What does the customer experience look like?” For Amazon, innovation is about high intentionality and requires planning out how any new offering will benefit the end-user’s experience.

The board should also ensure that management views emerging technologies as a means to achieving long-term value creation, rather than an end in itself. As noted by a director at the event who oversees a company in the healthcare and life sciences industry, companies cannot succeed sustainably if they don’t innovate alongside the customer. “When we talk about innovation, it’s the people whose lives we’re going to make better. We innovate around the patients,” she said. For her company, “It’s not just about [developing a different] drug delivery system or [a new] device, [but rather] how can we prevent unexpected events, and connect caregivers and care systems to the patient.”

Jeffrey Burgess, national managing partner of audit services at Grant Thornton, rounded out the conversation, pointing out that innovation should not only be limited to the board and management, but also be instilled at every level of the company. “I think [of] innovation [as] more and more on the front lines,” Burgess said. “You need a culture [that] embraces change, and you need change management methodologies, procedures, and processes that drive innovation.” To meet these challenges, directors need to ensure that they are surrounded by intellectually curious and well-informed peers who can work with management to develop a forward-looking vision for the company. As Traylor cautioned, companies with boards that do not cultivate this curiosity may leave themselves vulnerable to the “ruthless and unsparing” effect of innovation.

As Bells Toll for Earnings Guidance, We Ponder Progress

Peter Gleason

There was a lot of buzz around NACD’s offices earlier this month as our people learned that momentum is building to end quarterly earnings forecasts. You can’t work at NACD for very long without learning that our members champion long-term value creation and oppose short-termism, or without coming to understand how earnings guidance destroys the former and promotes the latter. (Short-Termism 101: when companies estimate the next quarter’s earnings per share, they drive a 90-day focus on meeting that projection and discourage focus on the organization’s long-term vision.)

Our communal excitement stemmed from reports of an interview on CNBC’s Squawk Box featuring Berkshire Hathaway CEO and chair Warren Buffett and JPMorgan Chase CEO and Business Roundtable member Jamie Dimon. During the June 7 interview, the two iconic businessmen agreed that companies should stop providing quarterly earnings guidance. NACD’s researchers noticed the interview and hailed it as “great news.” They praised the Business Roundtable for its “leadership” and shared links to relevant research with me, like this study asking Does the Cessation of Quarterly Earnings Guidance Reduce Investors’ Short-Termism?, and this one on Moving Beyond Quarterly Guidance: A Relic of the Past from FCLTGlobal, the think tank for focusing capital on the long term.

Later that day, NACD put out a press release noting that while NACD had called for a move away from quarterly earnings guidance in the past, the problem was still lingering in 2017. The 2017–2018 NACD Public Company Survey found that nearly three-quarters (74%) of respondents said that focus on long-term strategic goals has been compromised by pressure to deliver short-term results. Frankly, the finding was discouraging, considering how many years we have all been working to reverse short-termism.

Perhaps a flashback is in order. Dimon and Buffett were not the first to advise ridding corporate America of short-term guidance, and the Squawk Box interview wasn’t even the first time they themselves had done so.

  • In June 2010, exactly eight years ago this month, NACD joined the Business Roundtable as some of the first subscribers to an Aspen Institute manifesto entitled Long-Term Value Creation: Guiding Principles for Corporations and Investors. One of the principles in that document was the recommendation that companies and investors should “avoid both the provision of, and response to, estimates of quarterly earnings and other overly short-term financial targets.” I was happy to sign on. Even prior to 2010 NACD had been making recommendations against short-termism in our Blue Ribbon Commission reports, our Key Agreed Principles, and other publications, especially those addressing executive compensation.
  • In October 2015 NACD issued the Report of the NACD Blue Ribbon Commission on the Board and Long-Term Value Creation, where we made a similar recommendation: “Boards should consider recommending a move away from quarterly earnings guidance in favor of broader guidance parameters tied to long-term performance and strategic objectives.”
  • In July 2016, both Dimon and Buffett themselves had signed onto a similar recommendation when developing Commonsense Corporate Governance Principles, which was published with backing from large institutions and companies across the investment chain. I spoke about the principles on C-SPAN the following month. The 2016 Principles stated that “companies should not feel obligated to provide earnings guidance—and should do so only if they believe that providing such guidance is beneficial to shareholders.” They further state that “making short-term decisions to beat guidance . . . is likely to be value destructive in the long run.”
  • In September 2016, I was a delegate at the General Counsel Summit on Short-Termism and Public Trust. The report from that event cited the 2016 Principles with respect to earnings guidance, as well as research from the Conference Board and others dating back more than a decade in questioning the wisdom of earnings guidance.

So looking back, the journey to end earnings guidance has been long. But that was then and this is now. Dimon today chairs the Business Roundtable (he was named chair in December 2016). And on the morning of June 7, the medium was an important part of the message: there were Dimon and Buffett, expressing their views in plain, spontaneous language, live, for all the world to see and hear in all their familiarity.


This entire history reminds me of a quote by Scottish author and government reformer Samuel Smiles, known for his treatise on self-improvement, Self-Help. He wrote: “Progress, however, of the best kind, is comparatively slow. Great results cannot be achieved at once; and we must be satisfied to advance in life as we walk, step by step.”

Thanks to many steps by many people over many years, the bell is tolling for earnings guidance at last. And that is indeed the best kind of progress.

What to Expect in Your CISO’s First 90-Day Board Report

Corey E. Thomas

Aligning with your company’s new chief information security officer (CISO) is a great opportunity to provide better protection for your organization, ensure regulatory compliance, and align previously siloed teams to gain clarity on how your business will respond in the event of a cybersecurity crisis. That’s why I urge board members to initiate early communication with those directly in charge of maintaining the enterprise’s vision for security by asking questions and collaborating on cybersecurity strategies.

According to a new study from the Enterprise Strategy Group and the Information Systems Security Association, a lack of alignment between the security leader and the business can contribute to high CISO turnover. This is especially true if the CISO doesn’t feel welcome to participate in boardroom meetings with executives.

This is a two-way street, of course. Board members often lack the knowledge they need to converse with information technology (IT) and cybersecurity professionals. They also tend to lack an understanding of how these groups contribute to effective enterprise risk management. Below we go through a few tips that will help put you on the right track and align these critical parties.

Understanding Your Company’s Risk Tolerance

First, in order for the board to understand the company’s cybersecurity posture, its members need to understand what level of risk is appropriate for your company. Each company’s individual strategy for growth, innovation, and safety should determine the extent to which it manages various types of risk, be it safety risks, operational risks, environmental risks, or technology risks (keeping in mind that technology plays a role in just about every category of risk).

Cybersecurity programs need to address an expansive and ever-changing threat landscape. They should include strategies to identify how vulnerable the organization is, determine whether or not it is already compromised, and enhance operational efficiencies. During the new CISO’s first 90 days, directors should be sure to get his or her input on all of these areas, as well as a documented approach to how the CISO will monitor the overall risk to the business based on these elements.

Setting Expectations

Understanding the risk tolerance of the business is the first step, but in order to properly determine this the CISO must be able to answer several questions. And knowing which questions to ask, and how these questions relate to managing risk within the company, will go a long way toward effective cyber risk management. To get a full understanding of your company’s cybersecurity posture, and ensure your security team is focused on the right things, ask your new CISO to answer the following questions in his or her first 90-day board report.

  1. Does our security team have a full, well-informed view of our organization’s vulnerabilities? What are our top three cyber threats? How do we identify and deal with emerging threats?
  2. What have we learned from past cybersecurity incidents?
  3. Does management have a clear vision of the cyber risks to our organization? Can you provide any past examples of C-suite executives supporting the cybersecurity objectives of the company?
  4. Are we managing cyber risks in alignment with the appropriate level of risk for our company and industry?
  5. What steps are we taking to ensure compliance with all requirements for our industry? Do we follow any cybersecurity industry best practices such as the Center for Internet Security’s Critical Controls?
  6. What is our cybersecurity incident response plan? Do we maintain an internal and external communications plan as a component of that? Has a tabletop exercise been completed to test the effectiveness of the plan?
  7. How is our security team collaborating with our IT and development operations teams? Look for examples of a strong security operations (SecOps) practice, such as shared data and integrated processes, helping to make security inherent within all business operations and innovation.
  8. How are we ensuring that our partners take appropriate security measures? For example, when engaging outside firms for services, are those other companies protecting sensitive information such as our marketing strategies and customer information? How is this being enforced? This could include signing agreements and performing regular assessments of vendor security practices.
  9. How do you measure the effectiveness of our cybersecurity program and initiatives?
  10. What investments can we make to further reduce our risk? What do we need, and why?

Encourage your board as they review the information provided by the CISO to ask for relevant specific examples and documentation. While your fellow board members might not know the underpinnings of cybersecurity, they will have a fresh point of view around the resources and implementation of these processes. For instance, a comprehensive incident response plan should be thoroughly documented and readable for all involved parties so that they are aware of their role during a security incident.

By asking the CISO these probing questions, verifying the responses, having a knowledgeable senior executive or board member act as sponsor, and partnering with a trusted cybersecurity advisor, your organization will have a defined understanding of its cyber risks and will be prepared to make informed investment decisions.

Next Steps

Only 44 percent of cybersecurity professionals surveyed by the Enterprise Strategy Group and the Information Systems Security Association believe that CISO participation with executive management and boards of directors is at the right level. Clearly, more needs to be done to inform risk-based cybersecurity decision making as well as deeper integration of SecOps into core IT and development responsibilities. How can you buck that trend?

The period after the CISO’s 90-day report is a perfect time to discuss the answers to these questions. Follow up with your CISO to identify areas of concern and where more support from the board or executives might be needed for the CISO to succeed. An ongoing dialogue is critical, and will fine-tune cyber-risk management. It will also allow management to make informed technology investments, identify what training needs to happen, and provide ongoing cybersecurity governance aligned to risk tolerance and business goals.

The time is now for boards to improve the quality of dialogue with CISOs. Initial conversations and expectation-setting will minimize the possibility of overlooking cyber risk that could be detrimental to the corporation and its shareholders, while also making sure that everyone involved in the oversight of security gets on the same page.


Corey E. Thomas is CEO of Rapid7.