Manage the Change, Don’t Let the Change Manage You

In a 2015 study, Gallup’s David Leonard and Claude Coltea asserted that 70 percent of all change initiatives fail. Anyone who has overseen a transformation knows that leading change is not easy. It’s complicated and commitment is required at multiple levels. Just as all organizations are different, no two change initiatives are the same. A change leader must consider the nuances and uniqueness of the organization – taking into account the needs of the business, the interdependencies between departments, and the impact to employees. While it isn’t easy, the following seven guiding principles will greatly increase your chances of successfully implementing your initiative.

1. Build a stable foundation for managing the change initiative and articulate your vision.

A strong foundation starts with a vision for the change that is aligned to the business strategy. Simply put, it takes solid planning, competent leadership, and systemic thinking. Identify a change management team that the initiative deserves and that shares in the vision. In addition to a sponsor (usually a senior leader), identify a change agent who is responsible for leading a broader change management team. This person must demonstrate strong influence skills and have a broad organizational perspective. This team will be responsible for creating the roadmap for the transformation.

2. Give the change agent and the change management team free rein to execute their plan.

In order to drive the change forward, the team must be given the opportunity and authority to plan, execute, and make decisions. This is not to say there cannot be oversight, but if the team believes that their ideas and recommendations will be corralled, they will instinctually confine their recommendations to only what they think will be accepted.  

3. Focus on the problems, not the symptoms.

Ground yourself using the question “What problem am I trying to solve?” Using this as your beacon will help you assess the situation through an unbiased lens. Using problem-solving methods like the Five Whys, conducting a SWOT analysis to understand the internal and external factors, and applying other popular methods will ensure you are addressing the right issues.

4. Use a balanced and inclusive approach to gathering information. Look beyond the numbers.

Often, the first indication that a problem exists is the quantitative data – such as handle times in a call center or conversion rates in a marketing group. Equally important, however, is qualitative data from the frontlines. Involve frontline leadership and key team members to get a perspective from the trenches. Not only will you gain the “color commentary” around the numbers, you’ll reduce resistance by giving them a sense of inclusion.

5. Use the power of the people.

While leadership can limit resistance by creating excitement and anticipation for the changes, humans are wired to be suspicious of unfamiliar things. Successful change initiatives set the stage by articulating the business need; building momentum by engaging and soliciting input; giving employees needed tools and resources; and anchoring the changes by recognizing accomplishments and celebrating successes. Making the transition as easy as possible for the individuals who are tasked with execution creates the least disruption to the operation and ensures long-term sustainability.

6. Communicate, communicate, and communicate.

Use storytelling and personalization to explain how the changes will improve things. Talking about a customer who had to spend hours on the phone trying to resolve a problem with their sick child’s prescription, or how “Mary in finance” won’t need to work 12-hour days at the end of the quarter to close out the books, is much more powerful than “this change will make us more efficient and responsive to customer needs.” It is also most effective to use multiple mediums and venues to allow employees to address concerns and ask questions. Senior leadership and/or HR should be represented in these venues, which could include town halls and dedicated staff meetings.

7. Identify the metrics that will guide you to your end game.

Having clear and measurable goals that help define the path to a successful transformation is vitally important when executing a broader strategy and ensuring sustainability. Identify clear key performance indicators (KPIs) that provide everyone with consistent and measurable goals. The KPIs should be tied to the strategy and the reasons behind the transformation.

CPI’s unique approach to managing change is illustrated in our proprietary Change Navigation Model™. We help our clients and their leaders traverse the path to a successful transformation by recognizing the fundamental needs of both the organization and the employees.  This holistic approach anchors the process in three distinct phases: Creating a Vision which aligns the change plan to the broader business strategy; Planning and Building Momentum by considering the needs of the employees; and, Implementing and Sustaining the change by seeing the plan through and celebrating the successes.

 

Mark Saddic
Senior Talent Development Consultant
CPI Philadelphia

The post Manage the Change, Don’t Let the Change Manage You appeared first on CPIWorld.

Cyber-Risk Management for Directors Should Start at Home

Frederick Scholl

There are many posts on the NACD Board Leaders’ Blog discussing cybersecurity, but all of them deal with directors’ responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should include both home and professional office.

Directors obviously will have access to sensitive insider information that many unauthorized parties would like to get access to. Many directors will also be targets as high net worth individuals. Cyber criminals always target the weakest link, and as corporate information security improves, they increasingly will target the home networks of key executives and directors.

Breaches such as the one that occurred in the summer of 2017 at Equifax have put so much personal information into the hands of criminals that individuals increasingly will become targets. Directors represent a perfect demographic cross section to be attacked. Attack vectors may include phishing, ransomware, and social media.

Earlier this year, an employee of the National Security Agency was in the news as the hacker apparently stole government secrets from the comfort of his own home network. Directors with access to confidential strategic or financial information should make sure their home networks are protected above and beyond the usual consumer grade defenses.  Another attack path may be through tools and services used by directors. In 2010 attacks were reported against a prominent meeting portal for corporate boards. It is not clear if any sensitive information was stolen at that time.

What more should directors do?

First, make sure your home network is built to corporate standards. You need a commercial firewall, not just a consumer router. Most critically, any devices—especially firewalls and routers—should be set to auto-update their security firmware. Auto-update is now included in the Windows 10 operating system, in most smart phones, and in many home network devices, but not in devices more than a few years old. Anything you put on your network will be found to have vulnerabilities, so this software and firmware update feature is critical to keep hackers out.

Password strength and protection represent a second critical area. Many breaches result from theft of user credentials such as username and password. You should use two-factor authentication to log in to sites with your financial or personal information. Two-factor verification utilizes a second security barrier to verify with the application or website that the person logging in is, in fact, you. For instance, applications for your smart phone such as Google Authenticator and Duo Security generate one-time tokens that serve as a second factor. More familiar is the text messaging that many sites still use to send one-time codes to users. This process has been deprecated by the Federal government because of potential eavesdropping attacks, so use the dedicated security apps, if possible. Still other financial sites do not yet have any two-factor authentication available. For these, make sure to use strong passwords that contain at least 12 characters, and that preferably can be pronounced. Such complex passwords should be managed using password vaults like LastPass or KeePass.

The last factor to consider is encryption. Never store any sensitive data online without encrypting it and protecting it using a password known only to you. It is true that collaboration sites like Dropbox do encrypt the data saved there, but the companies still have the encryption keys and can view the data. These keys can be hacked or stolen by a disgruntled employee. That level of encryption is fine for 99 percent of the information you store online. But for the other, essential 1 percent of information—especially personal or corporate sensitive material—only you should have the encryption key. Applications like Boxcryptor integrate with Dropbox and enable you to further protect your information.

These three security precautions will help you keep your personal and professional information secure. Since threats and vulnerabilities are constantly changing, you should keep up to date using the NACD Cyber-Risk Resource Center and other sources of information on this topic. Also consider attending the NACD Global Cyber Forum in Geneva, Switzerland, April 17–18, 2018. You’ll hear from leading international directors, executives, and security professionals on how to protect sensitive corporate information.

Frederick Scholl is president of Monarch Information Networks, and is adjunct professor of computer science at Lipscomb University in Nashville, TN. All thoughts expressed here are his own.

Culture: The Board’s Expanding Frontier

Peter R. Gleason

With headlines trumpeting high-level firings for “inappropriate behavior” in a variety of domains, it’s become more obvious than ever that corporate culture matters, and that boards should oversee it. So what exactly is corporate culture, and how can it be overseen? These questions might sound new, but they are as old as the corporate governance movement that began some 40 years ago when NACD was founded. Indeed, for the past four decades, the role of the board in overseeing corporate culture has been growing in breadth and depth, and much can be learned from history.

  • The Foreign Corrupt Practices Act of 1977 made the board a vigilante against foreign bribes. The original law made it illegal to do business abroad “corruptly” and required “internal controls” through oversight of books and records.
  • In 1987, the Committee of Sponsoring Organizations of the Treadway Commission put the board on alert against misdeeds not just in faraway lands but down the hall: its Treadway report required independent audit committees to prevent fraud in general.
  • Another decade later, in 1996, the Delaware Chancery Court’s decision In re Caremark International Inc. said that directors have an affirmative duty to seek reasonable assurance that a corporation has a system for legal compliance. Soon thereafter, NACD published its first handbook on ethics and compliance, authored by NACD pioneer Ronald “Ronnie” Zall, an attorney and educator then active in the NACD Colorado Chapter, which later established the Ronald I. Zall Scholarship in his honor.
  • In late 2007, as global equity markets went into panic mode, NACD forged Key Agreed Principles of Corporate Governance for U.S. Public Companies, highlighting all areas of agreement among management (the BRT), directors (NACD), and shareholders. Our report, published in 2008, stated that boards must ensure corporate “Integrity, Ethics & Responsibility.” NACD Southern California Chapter leader Dr. Larry Taylor began writing on “tone at the bottom,” publishing a series of articles and books on the topic over the next several years.
  • And now, in 2017, board oversight of culture has become more important than ever. Our NACD 2017 Blue Ribbon Commission Report on Culture as a Corporate Asset provides useful guidance.

NACD’s 2017 Commission made 10 recommendations, starting with this one:

The board, the CEO, and senior management need to establish clarity on the foundational elements of values and culture—where consistent behavior is expected across the entire organization regardless of geography or operating unit—and develop concrete incentives, policies, and controls to support the desired outcome. The Commission report explains that these foundational elements involve two sets of standards: first, the values and behaviors that help the company excel and that are to be encouraged, and second, the behaviors for which there is zero tolerance.

As I write this blog in December 2017, the business media are continuing to report firings or sabbaticals for executives—some 20 in the past eight weeks alone—over reportedly inappropriate conduct or speech. Many of these pertain to sexual harassment, but the corporate desire to clean house seems to be spreading like wildfire to other domains. One executive was recently fired for making a disparaging remark about regulators in private conversation to a former employee. Could a policy have prevented this? I think so.

The NACD Commission urges a proactive approach backed by policies and training. The good news is that many companies are taking preventive action.  A Wall Street Journal article titled “Harassment Scandals Prompt Rapid Workplace Changes” cites numerous companies that are instituting training to avoid bad behavior in the workplace. Some like Vox Media and Uber Technologies are responding to scandals. Others like Dell, Facebook, Interpublic Group of Cos., and Rockwell Automation are acting more proactively.

Boards in these companies and others are starting to oversee culture in proactive ways, but they still have a long way to go. Our most recent 2017–2018 NACD Public Company Governance Survey found that oversight of culture is stronger at the top than at lower levels, but that boards are taking steps to correct the imbalance.

The best cultures don’t happen by accident. They are intentional. They happen when a company makes a concerted effort to foster a good culture.

Understanding Climate Resilience Is Requisite for Climate Competence

Underlying the growing pressures for climate-competent boards is this fundamental question: how resilient is the organization to the impacts of climate change?

Few organizations or boards are capable of answering this question with any degree of certainty. Yet, the question is being raised with greater frequency and urgency due to actions by investors, regulators, customers, supply-chain partners, and competitors.

Across every industry the increased focus on climate change is accelerating other megatrends such as disruptive technologies, digitization, urbanization, and evolving demographics. Underpinning these megatrends are a combination of technological leaps and upheavals in global society and the environment that will reshape economies, businesses, and lifestyles. For example, over $1 trillion worth of new markets for manufacturers are expected to develop over the next decade as industries transform. This shifting landscape creates many uncertainties, risks, and opportunities for new products, services, supply-chain structures, and improvements in resource management, among many others.

Taken as a whole, these pressures are driving companies to better assess, define, and enact strategies to increase their climate resilience. In their strategic oversight role, boards need better insights on the direct impacts of climate change on the organization as well as the indirect risks and opportunities associated with transitioning to a lower-carbon economy.

Yet, recent NACD corporate governance survey data suggests that many boards need a rethink on this issue. A mere 6 percent of respondents indicated that climate change would have the greatest impact on their businesses over the next year. The previous year’s report found that over 90 percent of public company directors believe that climate change would have negligible impact over the next five years.

Companies that focus primarily on climate change’s projected physical impacts expected to play out over the coming decades will have “blind spots” to the indirect risks associated with the transition to a lower-carbon economy. Companies must go on the offensive to build climate resilience in order to gain competitive advantage.

Climate resilience is the capacity to adapt and succeed in the face of direct and indirect impacts of climate change. In addition to addressing and managing risks, it encompasses the ability to capitalize on the strategic opportunities presented by the shift to a lower-carbon and resource-constrained economy.

To provide boards with a line of sight into their organization’s climate resiliency, management teams can undertake one or more of the following actions:

  • assess climate vulnerability of operations and facilities;
  • embed climate impacts into enterprise risk management programs; or
  • undertake scenario analysis to enhance decision making around risks and opportunities.

As a start, companies can model the risk of physical assets to identify location-level risk exposure and the vulnerability of properties and assets to evolving weather events and climate change. A geographic portfolio review can also help map demographic and infrastructure vulnerabilities to natural hazards to better understand how supply chains may be impacted by weather events.

Existing enterprise risk management (ERM) and risk assessment processes can be used to increase awareness of climate risks and better assess resilience across the organization. Leading organizations are using their ERM processes to identify how direct and indirect climate impacts—including regulatory and technology developments—serve to accelerate or otherwise change the velocity of other trends and risk events. Framing climate as a risk driver helps to align the timeframe of the risk and opportunity assessment to that of most corporate planning cycles.

Scenario analysis is recommended by the Financial Stability Board’s Task Force on Climate-related Financial Disclosures as a technique to assess climate impacts. Modeling different environmental scenarios (such as warming by a margin of 2 degrees Celsius and associated changes) gives form to the amorphous problem of climate change and provides mechanisms to discuss potential future states of operation. In selecting and devising scenarios, companies should consider the appropriate trade-offs in quantification, but also avoid excess complexity and optionality. When assessing for operational climate-risk resilience, it is critical to include at least one favorable and one unfavorable scenario. This empowers organizations to make informed decisions regarding their longer-term strategies.

Overall, it is clear that the dialogue on climate change within boardrooms and among C-suites of companies across all sectors must evolve to a focus on how climate change will impact their businesses. The real measure of a climate-competent board is one that can address this critical question: how climate-resilient is the organization?

Lucy Nottingham is a director in Marsh & McLennan Companies’ Global Risk Center and leads research programs on governance and climate resilience.

Ten Simple Questions for an Effective Discussion of Information Security

Tom Killalea

Information security should be one of the most important risk areas of focus for boards. However, according to the 2017–2018 NACD Public Company Governance Survey, 88 percent of surveyed directors indicated that they had only some or little knowledge about how to navigate cyber risk. It’s clear that too few directors feel qualified to have this conversation in any degree of depth.

When I joined Amazon.com in 1998, Jeff Bezos, the company’s CEO and chair, viewed security as the most threatening, potentially company-ending risk that the company faced. Since then, many companies have elevated security risk to their technology, the infrastructure on which they depend, as the greatest existential threat to their enterprise. Yet boards struggle to quantify these risks, to determine their tolerance for security risks, and to assess the company’s security program.

In their discussions of security risk, security leaders and board members are constrained by time, frame of reference, shared vocabulary, experience, and understanding of the adversary. Board members could use some help.

I propose ten simple questions that could enable discussion, provide board members with a lens through which they can broadly view the company’s security program and posture, and prompt security leaders to build a shared understanding of the company’s risk profile, threat landscape, and most important security initiatives.

1. Who is in charge?

It is critical for the board to identify the most senior information security leader in the company. This should be a person explicitly designated to lead the program, with the requisite skills, resources, and authority to execute it. This person commonly goes by a title such as chief information security officer (CISO), chief security officer, or head of security, among other titles. Sometimes, companies will take a tiered approach to security. In such cases, the leader of the security team plays a pivotal role, and the board needs to be comfortable that their position and authority is consistent with the importance that the board places on security.

If you identify someone who has security as one responsibility among a portfolio of others, it’s necessary to determine who has single-threaded focus on information security. Once that person is identified, you can discuss whether they have the proper ownership and resources to go with the responsibility, their reporting chain, the support that they receive from the rest of the company, and their relationship with the board. Regardless of who they directly report to, this person should be accountable to the board.

2. How do we assess risk?

Security is about risk management. It’s critical for directors to understand the process of identifying and analyzing security risks, how their likelihood and impact are estimated, how the appropriate controls are prioritized and implemented, how their efficacy is tested, and how results are monitored. Some potential security events are low probability and extremely high impact, making it more difficult to compare them to other risks. Nevertheless, it’s critical to go through the exercise of determining risk appetite, assessing and qualifying risk, quantifying overall exposure, and placing it within the company’s overall risk management framework. Finally, it’s important to be candid about your confidence in the risk assessment.

3. Are we focused on attacks?

It’s important to focus on managing the most critical threats and on breaking the attack kill chain—the structure of an intrusion—rather than to engage in “security theater,” or activities that give the appearance of competence while lacking in substance. Budgets are limited and security talent is in very short supply, so resources should be focused on establishing an architecture that has sufficient defense in depth, resilience, and intelligence to survive modern attack types.

Traditional approaches to defensive security that were dependent on protecting the perimeter of the enterprise continue to prove insufficient. Today, defenders must understand the adversary’s attack mechanisms, work backwards from the path of the attack, layer defensive measures throughout the enterprise, intervene before the attacker can extract sensitive data, and teach employees and customers to play their crucial part.

4. What’s our most important asset?

This question shouldn’t take long to answer. It should drive a discussion between the board and the security leader about how data and services are classified, the policies that are established for their defense, and the required and recommended controls for each class. When a new service is established, this classification framework in combination with the new service’s threat model should make it relatively easy to decide who is responsible for mitigating threats and what controls should be put in place.

When asked to rank their biggest cybersecurity fears, 41 percent of directors said they are most worried about brand damage. While customer trust is the key asset in many businesses, it’s important to identify the specifics of what would be the most devastating loss for the company. It’s only then that a thorough, qualitative assessment of the most critical components of the security program can occur.

5. How do we protect our most important asset?

Board members can calibrate the overall risk profile of a security program once they understand how the most precious asset is protected. The answer to this question should discuss the high-level threat model for that most important asset and, in the context of modern attack patterns, the mechanisms used to defend it. The answer should reflect that this is a journey on terrain that is shifting. There should be an iterative process of quantifying the risks of different threats, and of mitigating the most significant ones.

6. What’s our biggest threat?

This question forms the heartbeat of the conversation between the board and the security leader. It provides an opportunity to describe the company’s current security posture and its target state, and to refresh the board on the evolving threat landscape, the lessons to learn from emerging attacks, and the measures that the company is taking to mitigate the threats. For many companies, security risk is sufficiently important to warrant a discussion of this question at every board meeting, perhaps with a summary of the threat models for any major new products or services, and a review of the most significant risks at any recently acquired companies. When board members hear grandiose plans to address the biggest threat, but the deliverables are more than 18 months away, they may wish to ask for approaches to improve today’s posture without necessarily derailing the long-term solution. Don’t make the perfect the enemy of the good.

7. What do we control?

The board should assess the degree to which the company’s security policy and practices are explicit and prescriptive. Board members should be very suspicious of a security leader who claims to have complete control of the technology platform and the tools that employees use. Full control is usually a dangerous illusion, and any autocratic attempt to achieve it can lead to inflexibility and to employees working against or around the security program. Security should be viewed as a collective responsibility, rather than as a fixed constraint. Boards spend time assessing internal controls that, for example, provide confidence in custody over sensitive data and in the accuracy of financial reporting. Effective security leaders will distinguish between controls and control, and will strive towards “getting to ‘yes,’” rather than being the one who always says no. Getting to yes is easier if employees buy into a decision and if the path of least resistance is for them to do the right thing by default.

8. Are incident response and recovery plans tested?

This is one of those questions to which the answer can be “no” at most once. In the common case this question will lead to a review of responses and recovery from real incidents, in addition to a summary of simulated attack exercises, consideration of the fidelity of such exercises, and lessons learned. It provides the board with a view of the company’s capabilities in communication, response planning, incident analysis, risk mitigation under duress, and leadership.

9. Would we know if we’d been compromised?

Security technology vendors may tout breakthroughs that provide the ability to identify and prevent attempted compromises with perfect precision and recall. An effective conversation between a security leader and a board will take as a given that all attacks can’t be identified and prevented, and that compromises may already lurk undetected. This should lead to a discussion of actions to make prevention as strong as possible, to improve the probability of detecting lurking intruders, and to reduce the likelihood that they reach critical assets and extract them.

In a world where the edge of the company’s technology footprint is increasingly blurred, where the sophistication of attacks outpaces security awareness, and where advanced persistent threats are used by adversaries, it’s inevitable that the answer to this question will be nuanced.

10. Who would be told, and how do we expect them to respond?

Communication is a key part of a successful incident response plan. Each person, including the board, needs to know his or her role in communicating about incidents internally and externally. The question goes beyond incident handling to include recovery processes and the proactive management of any reputation impact that may arise from the incident.

As a board member, it’s worth thinking about two questions that I used back in 1998 to get Bezos thinking about his role in incident response:

  1. In the event of a high-severity security incident, do you think you’d be told?
  2. Would you like to be told?

Response and recovery go hand in hand. It’s tempting to avoid putting significant effort into planning for recovery from a major security incident, and while everyone would prefer to focus on prevention efforts with a goal of zero incidents, the reality is that there’s no such thing as perfect security. The recovery plan is part of responding to the incident, learning from it, managing communications, and getting the company back in business. A well-executed recovery plan has the potential to limit the reputation damage caused by the event, and to help management and other stakeholders to move beyond it.

Finally, a bonus credit question: Do you have the team and the budget that you need to be successful in managing the company’s security risk?

These 10 questions are a starting point for a longer conversation. Directors and the security leader should regularly employ a more thorough framework, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, to begin building a deeper understanding of their company’s security posture. While the NIST framework goes to considerably more depth, these 10 questions are intended to get to the essence of what is most important for a board to periodically review.

Tom Killalea (@tomk_) is a director of Capital One Financial Corp., MongoDB, Carbon Black, and Orreco. From 1998–2014 he served in various leadership roles at Amazon.com, including vice president of technology and CISO. All opinions expressed here are his own.

Four Exercises for Contemplating Digital Readiness

Jim DeLoach

Over the next few years, the digital revolution will force many organizations to undertake radical change programs and, in some cases, completely reinvent themselves to remain relevant and competitive. Ask executives and directors what their company’s biggest threats are, and chances are the answer will include the threat of disruptive innovation. That said, is disruptive innovation sufficiently emphasized on the board agenda?

Our experience indicates that most boards do not fully grasp the opportunities and risks associated with digital transformation. There are four important activities for organizations to consider as they contemplate what digital means to their business and strategy.

1. Assess digital competencies. Protiviti’s original research has identified more than 30 competencies at which digital leaders excel. These competencies consist of empirically supported capabilities and structural characteristics that can be used to benchmark the organization. They are arrayed across six core disciplines that many traditional businesses struggle with:

  • vision, mission, and strategy;
  • management and employee culture;
  • organization, structure, and processes;
  • communication, marketing, and sales;
  • technology innovation and development;
  • and big data, analytics, and automation.

An example of a competency related to “vision, mission, and strategy” is that executive management must have a clear understanding of the potential impact of digital disruption in the industry segments in which the organization operates and be able to articulate a clear strategic vision fit for the digital age. In addition, digital strategy-setting and review should be a continuous activity for the business and in the boardroom.

Competencies can be useful when plotting the path toward digital maturity. The strategy should reflect the competencies that currently define the organization and address the absence of those which present barriers to success. This is important because the digital age is forcing organizations to radically rethink how to engage with customers and pursue design breakthroughs for improving processes and functions continuously. That means they must balance outside-the-box thinking with the practical considerations of repositioning the business. Many strategies ignore these fundamental issues, resulting in a business that is digital on the edges but not at the core. Our view is that a truly digital business has a digital core.

2. Define and refine continuously the digital vision and strategy. Organizations need to make a conscious decision about whether they are going to lead as the disrupter of the industry or, alternatively, play a waiting game, monitor the competitive landscape, and react only when necessary to defend market share. For many companies, the answer may be somewhere in between. For organizations choosing not to actively disrupt the status quo, their challenge is to be agile enough to react quickly as an early mover. Few are ready for that challenge, however.

A leader of the organization must own responsibility for understanding the competitive landscape, the opportunities emerging technologies present, and the threats to existing revenue streams. Management must frame the digital vision and the strategic initiatives supporting it around the enterprise’s core competencies. The vision must reflect the direction in which relevant digital technology is trending. It should express how technology can elevate the company’s differentiating core competencies and deliver unique customer experiences. With technology and regulations changing, and innovation happening so rapidly, the business needs to review and refine its digital priorities constantly.

3. Define the target operating model. Too often policies, processes, and organizational structures get in the way of a business becoming and remaining digital. The key is to empower, trust, and monitor people, not control them. That’s a different way of thinking for organizations rooted in “command and control” structures. The business should clearly define where it’s going in its vision and strategy, and management must recruit and train the right people while ensuring that the enterprise’s policies, processes, and systems are suitable to compete in a digital world.

Accordingly, management should define the processes, organization, talent, methodologies, and systems comprising a future operating model that remains true to the company’s identity and brand promise. In the rush to become digital, the importance of policies that address the risks and ethical questions leaders must consider shouldn’t be forgotten.

With the current and future states defined, improvement plans should be developed to close the gaps based on industry best practices and reviewed with executive management and the board. The risks associated with the target state should be identified and assessed against the entity’s risk appetite. In this respect, management should be careful to avoid understating the hyper-scalable business model component of digital transformation. Digital thinking requires organizations to solve the problem of rapid growth and scalability to rely primarily on technology rather than people, as opposed to the traditional focus on scaling ahead of demand.

4. Align the organization with the needed change. Using digital technologies to improve products, services, and processes requires focus and discipline. To enable continuous or breakthrough change with confidence, buy-in must be obtained from executive management and the board for significant changes in strategy, processes, and systems. Support also is needed from business-line leaders, operating personnel, and process owners affected by the change. The communication of change and its implications must address why a digitally-focused culture is necessary for the entity to survive and thrive, and offer a compelling case that the interests of employees and the enterprise are inextricably tied to effecting change.

Depending on a director’s perspective, the exciting or worrisome truth is that the digital revolution is just getting started. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult to have the vision or foresight to anticipate the nature and extent of change. That is why every organization must chart its own digital journey.

To that end, the board should be engaged in all of the above activities, from readiness assessment to organizational alignment. When addressing digital, directors should recognize the signs of organizational short-termism and executive management’s emotional investment in traditional business models. Ultimately, the board must ask the necessary questions to encourage management to advance the enterprise’s digital journey at a pace that will sustain the company’s sources of competitive advantage and market position.

Jim DeLoach is managing director of Protiviti.