Tools & Insights for Effective Board and Director Evaluations

The practice of conducting full-board, committee, and/or individual-director evaluations has largely become commonplace. Ninety percent of respondents to the 2016–2017 NACD Public Company Governance Survey: Aggregate Results say their companies conduct full-board evaluations. Approximately 78 percent of respondents facilitate committee evaluations, and 41 percent conduct individual-director evaluations, the survey finds.

The New York Stock Exchange since 2003 has required listed companies to disclose how their boards address evaluations. Although Nasdaq-listed companies have no such requirements, many conduct these assessments to enhance governance standards. NACD has long been an advocate for routine board, committee, and individual-director evaluations as part of a larger strategy of continuous improvement.

In keeping with these listing requirements and recommendations from our research, NACD recently created the Resource Center on Board Evaluations. Resource centers are repositories for NACD content, services, and events related to top-of-mind issues for directors. In these resource centers, individuals can find practical guidance, tools, and analyses on subjects varying from board diversity to cyber-risk oversight. Below we have highlighted a sample of helpful materials from our new board-evaluations resource center.

Thought Leadership & Research

The Report of the NACD Blue Ribbon Commission on Board Evaluation: Improving Director Effectiveness explores how boards and directors can use self- and peer-assessments to enhance board performance and director effectiveness. The report emphasizes that, while there is no one-size-fits-all approach to board evaluations, a commitment to ongoing assessments is indispensable when it comes to enhancing corporate governance practices and performance.

Expert Commentary

The NACD Directorship magazine article “The Argument for Yearly Board Evaluations” by Salvatore Melilli, national audit industry leader for private markets at KPMG, examines the importance of assessments specifically for private company boards. Less than half (48%) of respondents to the 2016–2017 NACD Private Company Governance Survey say their boards conduct full-board evaluations. Melilli’s article highlights several reasons why evaluations are critical to improving oversight. They can help vet company and board culture, identify gaps in talent or skill sets, and streamline processes for the board to engage in difficult conversations with the executive team.

Boardroom Tools & Templates

This resource center’s boardroom tools and templates are segmented by evaluation type—full-board, committee, and individual-director levels. The tools offer questions and considerations that help boards and directors ask questions that can drive healthy conversations about strengths and areas of improvement.

Videos & Webinars

An NACD video series featured in the resource center focuses on the role board evaluations play in improving governance practices. One video in the series, called “Why Confidentiality is Key,” focuses on the benefits of confidentiality in the evaluation process. Another video, “Transform Insight into Action,” discusses the value of creating tailored educational or development programs based on insights that emerge from evaluations.

If you would like help finding resources on a specific subject matter, please let us know. We welcome the opportunity to engage with directors on pressing needs and concerns.

The Corporate Director’s Guide to GDPR

On May 25, 2018, a major new piece of data protection regulation will come into effect across the European Union (EU), and with it comes the potential for hefty fines or penalties for your organization. Even if you do not directly operate in the EU, chances are that the General Data Protection Regulation (GDPR) still pertains to your company.


The regulation covers any entity that processes the personal data of EU citizens (referred to as “data subjects”), even if the organization does not provide goods or services to EU citizens and only handles or processes their data. Unless you are categorically sure that your organization does not and will not process EU citizens’ personal data, compliance is not optional.

The fine for an infringement can be €20 million (approximately $23 million at today’s exchange rate) or 4 percent of your worldwide annual turnover, whichever is higher. It is essential for directors to pay attention to the data and information security practices in place to ensure that the organization is prepared and compliant.

The Policy Details of GDPR

The GDPR was written to ensure that organizations:

  • protect the personal data of ‘EU Natural Persons’ (i.e. living people);
  • are transparent, fair, and lawful about the processing of personal data;
  • only request and process necessary personal data;
  • do not share data with third parties or countries unless the correct legal agreements and processes are implemented; and
  • gain consent from data subjects to process their data.

Personal data is defined in the policy as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

There are six principles that apply to the processing of personal data. According to the policy, personal data shall be:

  • processed lawfully, fairly, and in a transparent manner;
  • collected for specified, explicit, and legitimate purposes;
  • adequate, relevant, and limited to what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security of the personal data.

Data subjects are provided with a set of legal rights under GDPR, including the right:

Each EU member state has a designated supervisory authority. These regulatory bodies are responsible for monitoring the application of GDPR, and have the power to audit organizations and determine relevant warnings, reprimands, and fines for violations by the organization. When breaches of personal data occur, companies will be subject to a high level of scrutiny, and will have only a 72-hour window to report the breach. A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

There is a requirement for some organizations to appoint a data protection officer (DPO), whose responsibility it is to advise and inform on GDPR and to monitor compliance within the organization. The DPO acts as the main contact for both data subjects and the supervisory authority, must report to the highest level of management within the organization, and cannot perform any tasks or duties which result in a conflict of interest.

You need to ensure your organization has fully investigated the nuances of the requirements to ascertain whether you need to appoint such a role or prepare to meet other personnel or technical demands.

Where do we start?

Your organization first needs to define the team that will drive GDPR compliance and management. Within the C-suite this should include the chief information officer and the chief information security officer, in addition to representatives from legal counsel, human resources, risk and compliance, and privacy. Determine if you need to appoint a DPO. Once your team is assembled, assess your current state, so that you can plan next steps accordingly. This team should present results at least to your board’s audit committee, if not the full board, given the financial and reputational risks involved.

Understand your personal data retention

You should ask your GDPR team the following questions to determine what categories of personal data your organization is dealing with:

  • To whom does data you collect and retain pertain?
  • Is it necessary to collect and keep this data?
  • If so, how long do you need to keep it?
  • Do you have permission from the data subject to process the data?
  • How is consent obtained from data subjects for each method of personal data collection?

Encourage your team to follow others’ personal data on its journey through and beyond the organization. Doing so will help the GDPR team understand how the data is collected, stored, transmitted, accessed, and secured, and understand where and how it is passed on to any third parties. 

Review how your organization collects consent from individuals to process their personal data

EU citizens must be able to give and rescind consent for their personal data to be processed. Consent means “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

In a contractual situation, the provision of a service may require personal data to be processed in order for the service to function correctly. In this case, this has to be made clear to the data subject when they register for the service.

Identify partner and supplier risk

Review third-party legal agreements to ensure that EU citizens’ personal data provided to a third party is handled in a compliant manner. Otherwise, your organization will be held accountable for vendors’ data breaches or data loss. If you process personal data on behalf of another organization, you will need to demonstrate your compliance with GDPR, and ensure your legal agreements reflect this accordingly.

Ensure your cybersecurity programs are up to par

Your security posture and processes impact the journey and security of personal data, and should be assessed accordingly. GDPR Article 32 stipulates that you must ensure a level of security appropriate to the risk involved with the data. This might require adjustments to your security program, especially if you have weighted your security setup to focus primarily on prevention and are lighter in the areas of detection and correction. Visibility across your ecosystem is vital for determining risk. Knowing your weak points will help you understand where to bolster your security, and testing out your processes will determine whether they are fit for purpose.

Get regular updates on progress and status

As individual reviews are completed, have each leader report back to the core and leadership teams with a set of prioritized actions and milestones. Set up a frequent cycle of reporting to understand the progress of your GDPR compliance status. The spring of 2018 is clearly too late to be finding problems.

In conclusion

If your organization employs, partners with, or serves people who are citizens of the European Union, you are subject to GDPR. Given the detailed stipulations of the regulation, along with the threatening risk of steep fines, it’s not something you can get away with ignoring or procrastinating. As a board member, you’ll want to ensure the organizations you serve are prepared to meet the challenge and reduce the risk.

Corey E. Thomas is president and CEO of Rapid7. He is director of Blue Cross Blue Shield of Massachusetts and the Greater Boston Chamber of Commerce. 

Take These Five Lessons from NACD’s Cyber Summit Back to Your Board

NACD held its third annual Cyber Summit in Chicago on June 21, 2017, in partnership with the Internet Security Alliance (ISA). This year’s event followed in the wake of cyber incidents such as WannaCry and the hacking of the Democratic National Committee’s email account, as well as Europe’s adoption of the General Data Protection Regulation (GDPR) and the implementation of China’s Cybersecurity Law.

NACD members left the Cyber Summit with valuable lessons to share with their colleagues.

Speakers acknowledged this context and focused on topics such as building a cyber-risk culture, insider threats, cyber-risk regulation, the threat of state-sponsored attacks, and the economics of cybersecurity.

Five key takeaways emerged for director attendees at the 2017 NACD Cyber Summit:

1. Actively learn from cyber incidents at other companies. A bill that aims to require cyber expertise on public company boards has surfaced twice in Congress since 2015. However, Melissa Hathaway—president at Hathaway Global Strategies and senior advisor at Harvard Kennedy School’s Belfer Center for Science and International Affairs—believes boards do not necessarily need to have a director who is an expert in cybersecurity. Hathaway, who delivered a keynote at the Cyber Summit, suggests boards regularly hold conversations about current events in cybersecurity, and review a cyber-event case study at each quarterly meeting.

2. Work toward a public-private partnership. Hathaway emphasized the benefit of forming a public-private partnership in the United States to serve as a medium for information sharing about cyberattacks. Canadians have already formed such an organization: the Canadian Cyber Threat Exchange is an independent nonprofit that functions as an intermediary between the public and private sectors. According to Hathaway, the U.S. government itself has been a victim of a number of cyberattacks exposing personal data, which has cost it credibility with the private sector. Thus far, U.S. corporations have been largely reluctant to share information about cyberattacks with a government that may not be seen as equipped to respond adequately. At the same time, the government classifies data on cyberattacks, which limits information sharing with the private sector.

3. Consider having the CISO report directly to the board. The 2016–2017 NACD Public Company Governance Survey indicates that only 31 percent of boards receive reports directly from the chief information security officer (CISO), despite the increased prevalence and importance of the role. Bret Arsenault, corporate vice president and CISO at Microsoft, indicated that the frequency of meetings between the CISO and the board depends on the board’s existing cyber knowledge. As Microsoft’s CISO, Arsenault conducts a quarterly review with both the full board and the audit committee, in addition to meeting with the CEO and the full leadership team for a half hour once each week. Having all members of senior management involved in the conversation helps set the tone at the top around cyber culture. See the 2017 Cyber-Risk Oversight Handbook for guidance on building a relationship with the CISO (p. 38) and questions for the board to ask management about cybersecurity (p. 21).

4. Strengthen a culture of secure behaviors. In providing oversight of cybersecurity, one aspect of the board’s role is to ensure that the organizational culture reinforces healthy cybersecurity behaviors. For this culture to take hold, it is essential that any cybersecurity-related issues be explained to the board—and employees—in a clear, understandable way. For example, the CISO should speak in business terms to the board and avoid using technical language, according to Arsenault. John Lhota, managing principal for global cybersecurity consulting services at SecureWorks, also suggested using gamification for employee cyber education programs. Directors should evaluate whether a culture of awareness about the importance of cybersecurity truly exists, beginning at the board level. See NACD’s Cyber-Risk Oversight Handbook for tools on assessing the board’s cybersecurity culture (p. 27) and establishing board-level cybersecurity metrics (p. 28).

5. Ensure access rights are limited and continuously monitored. Directors should discuss with management what the company’s most critical data assets—or “crown jewels”—are, and who could access them. Many high-profile breaches have been carried out by employees or contractors with access to company networks. Robert Clyde, vice chair of ISACA and managing director for Clyde Consulting LLC, indicated the hiring process can aid in selecting trustworthy employees, but employees with administrative privileges (i.e., the ability to install certain software, access certain files, or change configuration settings) can become very destructive if they retaliate against the company after a job loss or make a mistake. The board should check with the CISO to make sure that only a very small number of employees have administrative privileges on an everyday basis, with slightly more given access in an emergency. Adding secondary approvals—so that two people must be involved in a process—further constrains the possibility of someone accidentally deleting data or removing it on purpose. Access for those with administrative privileges should be amended the moment those individuals change jobs, according to Robert Zandoli, director of the ISA and global chief information security officer at BUNGE Ltd.

For more information on providing cybersecurity oversight, please see the following NACD resources:

Do Nonfinancial Measures Have To Be Soft?

Seymour Burchman

In a recent Harvard Business Review article, Graham Kenny posits that nonfinancial measures should be included alongside financial measures in incentive plans. He goes on to say that this is leading companies to use both hard and soft performance measures—where ‘soft’ measures can be more subjective in nature. We wholeheartedly agree with the premise—so much so that we wonder if Kenny goes far enough, particularly where subjectivity is concerned. For many, however, the element of subjectivity in this context implies an arbitrary assessment of performance against goals, based on the general sense of the board’s compensation committee. This interpretation rightly makes institutional and other investors uneasy. But does this really need to be the case, especially given the abundance of data in today’s digital age?


We think there are ways to structure subjectivity such that the compensation committee’s performance assessments and incentive determinations make sense against the backdrop of company performance. Moreover, by bringing a clear structure and hard information to the more subjective elements of the incentive system, performance assessments and incentive determinations become more explainable, more powerful internally, and more defensible externally. We suggest an approach that would work as follows.

Define the performance to be measured as precisely as possible. We have used nonfinancial measures across a wide range of clients targeting a variety of strategic and operational areas. The goal in this step is to provide enough specificity at the board level so management can operationalize imperatives into specific, measurable key performance indicators (KPIs).

For example, one company was an end-to-end, integrated furniture manufacturer which covered product development, through the supply chain, manufacturing, retail sales, installation, and after-sales servicing. This company viewed the improvement of total customer experience as a critical strategic imperative in an increasingly competitive industry.

Consider potential sources of objective evidence and data. Preferably using a cross-functional team, determine KPIs to be tracked, sources of the KPI information, and favorable and unfavorable outcomes for each KPI. The KPI data could be sourced from: internal management information systems; Internet sources such as social media sites; sensors, which are becoming ever more prevalent in household goods, vehicles, industrial equipment; or tailored surveys conducted by or for the company.

For our furniture manufacturer, the board chose to use Net Promoter Score (NPS) as a key indicator. NPS could be benchmarked against key competitors and broader industry groups, and it tracked many of the key elements of total customer experience. The company then supplemented and validated this information with data collected from its own website and social media platforms as well as a few key Internet and social media sites that track customer satisfaction. It was recognized that the quality of data on these external sites can be open to question, so composite information and judgment are needed when using them. Favorable results were considered to be in the upper quartile vs. competitors, given the company’s premium pricing.

Build a scorecard. Use the evidence and data sources identified in the prior step to build a scorecard that can be measured quantitatively or with highly structured discretion. Such a scorecard is a useful tool for communicating with employee-participants, as well as external stakeholders (generally after the fact, to safeguard the company from competitive harm).

Put a range around the committee’s adjustments. Putting a fixed range around compensation adjustments makes the process more approachable and more doable versus using open-ended ranges. It also communicates to participants the importance of non-financial metrics by virtue of their potential impact on overall awards. In this case, the company allowed for a +/- 25 percent adjustment to the award.

By using this approach, executives have a better sense of focus areas and needed behaviors—as in, they know the rules of the game. And the compensation committee is more fully ‘in the seat’ when it comes time to judge performance. The committee also knows the rules of the game and, more pointedly, the committee knows the potential impact, or swing, its discretion can drive in the incentive outcome. Where discretion is left unstructured, we often see committees shying away from hard choices, either out of concern for not having enough supporting information to make an informed decision or for fear of making too big an impact on the overall incentive outcome. Other important process points include transparency, regular reporting on progress, careful consideration of unintended consequences, and openness to experimentation (e.g., implement the softer elements on a trial basis before including them in the formal incentive decision).

Consider the furniture manufacturer: the board and management built a program based on the principles outlined above that strikes the right balance of hard and soft performance measurement. And the softer, more subjective elements of the measurement system, by virtue of careful consideration and diligent information gathering, are anything but soft. Overall, the company’s incentive program is perceived as fair by employee-participants and investors, alike. And these key stakeholders also applaud how the system makes clear the company’s strategy and priorities for execution.

Barry Sullivan is a managing director at Semler Brossy. Sullivan supports boards and management teams on issues of executive pay and company performance. He may be contacted at bsullivan@semlerbrossy.com.

Seymour Burchman is a retired managing director at Semler Brossy. Burchman, who has been an executive compensation consultant for over 30 years, has consulted on executive pay and leadership performance for over 40 S&P 500 companies. He may be contacted at sburchman@semlerbrossy.com.