How to Oversee the Essential Risks of Innovation

Corey E. Thomas

When it comes to innovation, boards are notorious for sending conflicting messages. They want to hear assurances of innovation and predictability from management in the same breath. Unfortunately, innovation and predictability don’t go hand-in-hand. Simply put, innovation can’t exist without risk. In fact, the two are easily understood as a marriage—they show up together and work in unison.

Those of us who work in cybersecurity—where staying ahead of adversaries can mean life or death for a company—know that better than most. We have to invest in new ideas, technologies, and processes to adapt to an ever-changing threat landscape. Such investment, like any investment, entails some risk.

We can apply lessons learned about cybersecurity innovation to just about any industry. That’s because every company needs to innovate to remain competitive, which inherently means taking risks. How much risk is enough? How much is too much? And what’s the best way to foster innovation while balancing the need to take risks with the need for predictability?

The best way to answer these questions is to develop clear processes around innovation. It all starts with good communication and diversity of viewpoints.

Talk It Through

Effective communication is key between senior leadership and the engineers and others responsible for innovation. Communication reveals ideas worth taking chances on. The board could suggest two structural processes that work well for this.

  1. Encourage management and engineers to engage in ad-hoc sharing of observations. This means forming groups to share candid observations about what’s working and what’s not working within an organization.
    At Rapid7, we pull in team members across the organization to bring a variety of perspectives to the table. I recommend creating small cross-functional teams and getting them in the habit of observing and sharing ideas to generate more innovation. This continuous dialogue pushes people to think more broadly and differently while sharing learnings that can then be reported to the board when discussing innovation.
  2. Facilitate thought-provoking discussions. Encourage management to create thought experiments designed to spark new ideas and challenge conventional thinking. Those facilitating the conversation might start by asking, “If I gave you an unlimited amount of money to double our efficiency, what would you do?” Or, “If we were going to build a business plan to destroy our business and at the same time gain twice the profits and twice the customer loyalty, what would we do right now?”

These processes can be quite powerful in uncovering places to innovate. But in order for a leadership team and those responsible for innovation to maintain a firm grounding in the reality of the industry while also allowing room for creativity, they need a source of external truth. That means urging management to get outside of the company bubble.

Learn from the Field

To gather new ideas, people across functions should spend unmanaged time outside of the organization, bringing observations back to leadership and to their work. Spending time with customers and partners, engaging with peer groups, observing and engaging with competitors, reading, and attending conferences are all ways to gather the insights that are crucial for effective innovation. The board should challenge management to build a culture of curiosity within the company.

That said, directors should beware of herd mentality taking over the minds of management. Emulating companies that have non-sustainable positions or those in which you have too little insight into the success they are having often doesn’t play out well. Instead, encourage management to pay attention to well-performing companies in their quest for ideas that will improve your company’s position.

At Rapid7, I frame these jobs as learning. I don’t need my teams to come back with concrete action steps or specific outcomes but instead with a learning plan and details on what they saw that has the potential to transform the business over the next year.

Anything a team learns that can potentially create an advantage opens the doors to innovation. Therefore, this culture of learning should not focus only on technology, but instead on the combination of process, technology, market, and customer needs.

Create an Innovation Culture

To flourish, innovation also must be nurtured in the culture of the organization as expressed in the attitudes, beliefs, and behaviors of its people. Cultures that punish failure, demand certainty, or reward short-term results kill innovation before it can even be expressed as an idea. On the other hand, cultures that emphasize learning, encourage experimentation, and focus on rewarding long-term growth behaviors tend to be much better at innovation. One of the keys to this is encouraging transparency and reinforcing that it’s okay to discuss possibilities even when the path to delivery is unclear. Lastly, innovation demands an environment built on trust. When people don’t trust each other, they can’t be vulnerable and share their ideas, hopes, and aspirations. Directors should cultivate a culture of open conversation with their management team, and then encourage the same candor between management and employees across the company.

Embrace the Right Level of Risk

Many organizations pursue the minimal amount of innovation because they fear taking too big a leap and risking too much. Others may aggressively pursue transformational innovation that comes with a high degree of risk. What’s the right balance?

To make that assessment, directors and management can consider the three main levels of innovation, in order of increasing risk.

  • Incremental improvement innovation. You will generally have a high degree of confidence about this level of innovation because others in your industry are already doing it and you have real-world observations to back up planning for those innovations.
  • Outside-in innovation. Somewhat riskier, this level of innovation involves implementing ideas that you are confident could be successful based on outside observation—perhaps from beyond your industry—and adapting them for your organization.
  • Moon shot innovation. The ultimate risk, with a potentially high-reward payoff. Think SpaceX’s success at launching a sports car to Mars in its quest to ultimately get settlers there.

For a company that’s doing well inside a stable industry, it’s most likely not wise to take a huge risk. Incremental innovation in this case may be enough, always with an oversight-focused eye on what others in the industry are doing.

A company in a more volatile industry, however, may need to get more aggressive in pursuit of game-changing innovations, with ideas borrowed from other industries. A moon shot in this case, appropriately managed and nurtured over time, may be just what’s needed. Directors should ask management to develop plans and evidence for these innovations that are clear, concise, and geared toward oversight of the project’s successful execution and value creation.

Manage the Learning Cycle

Innovation takes time, starting with the learning cycle.

In our experience, the learning cycle takes about a year, and is crucial for properly managing the risk involved in investing further. For implementation, two to four years is a good rule of thumb to start to see a return on investment. Here’s the typical timeline from idea to implementation.

Year 1: Learn a concept.

Year 2: Decide to learn more or kill it.

Year 3: Learn a few more things and try some ideas. Refine the concept.

Year 4: Get traction.

A successful organization prepares for innovation in the same way a runner prepares for a marathon. Innovations and marathons both take time, conditioning and learning the course. That includes understanding the role that risk plays in innovation. Starting with that foundation will put boards and the companies they serve on the right track for success now and into the future.

Corey E. Thomas is CEO of Rapid7.

College to Career Program – San Antonio

A training program provided by Greene and Associates, Inc./CPI Firm

Make yourself marketable and find the career of your dreams with the Greene and Associates, Inc. team. Find the right job, refine your networking skills, and interview like a boss with this unique, customized workshop that will set you apart from your peers.


Directors Discuss the Challenges of Cyber-Risk Oversight

Jim DeLoach


Companies today fall into two groups: those that have been breached and know it, and those that have been breached but don’t know it. The realities of managing cyber risks are that breach risks are impossible to eliminate, resources for managing them are finite, risk profiles are ever-changing, and getting close to secure is elusive.

Our December 2017 discussion with a group of active directors during a dinner roundtable at a National Association of Corporate Directors (NACD) event identified some interesting insights into cyber-risk oversight at the board level.

  • Winning battles does not necessarily win the war. The discussion focused on how state-sponsored attacks targeting government institutions, industrial facilities, infrastructure, and many business organizations are increasing in both power and sophistication. Combatting so-called advanced persistent threats (APTs) requires faster detection and more advanced response tactics. In the arms race to keep pace (or, in most cases, catch up) with these threats, organizations need to commit adequate resources to tapping into available government intelligence and using it to facilitate their preparedness. Directors should suggest to their management team that they develop and maintain relationships with the correct contacts in the government sector needed to stay informed of emerging risks.
  • Upgrading detection capabilities. If management and the board believe the entity is an APT target based on what it represents, what it does, and the intellectual property it owns, the directors raised concerns over the maturity of most companies’ cybersecurity countermeasures and what can be done from the board level to encourage more effective mitigation of the risks. Capabilities need to be upgraded beyond the controls, tools, and response mechanisms traditionally used to contain sophisticated attackers and corporate insiders. Our experience is that detective and monitoring controls remain immature across most industries relative to the evolving threat landscape.
  • Clarifying expectations with management. One director noted that when a chief information officer (CIO) or chief information security officer (CISO) asserts, “Don’t worry, we’re taking care of that,” or delivers a similar pushback, it tends to stifle the dialogue and leaves directors with nowhere to go and an incomplete understanding of cyber-risk mitigation. The group’s ensuing discussion pointed to several themes. Directors should ask the right questions (an appendix in the 2017 NACD publication on cyber risk oversight suggests relevant questions), consider changing board composition if more expertise is necessary, and consider establishing a separate cybersecurity or technology committee of the board. Although directors have limited time to get into details, they should set clear expectations for management at all levels with respect to cyber incidents that can affect the company’s reputation, brand image, and standing with customers. Expectations regarding cybersecurity strategy and risk tolerances should be incorporated into the entity’s risk appetite statement.
  • Improving board cybersecurity reporting and metrics. The severity of the Equifax breach as well as others raises the question as to whether boards are probing deeply enough to determine what they don’t know. To that end, the directors noted that too often board reports deliver high-level information only. So, the question then becomes, what reporting and metrics on cybersecurity should the board request? The discussion pointed to several examples of key areas to consider:
    • The number of system vulnerabilities
    • The length of time required to implement patches
    • The length of time to detect a breach
    • The length of time to respond to a breach
    • The length of time to remediate audit findings
    • Percent of breaches perpetrated through third parties
    • The number of security protocol violations
  • Paying attention to “blocking and tackling.” The group brought up several cybersecurity issues, including prioritizing high-risk patches, raising awareness of phishing, implementing security segmentation, and refreshing incident response and recovery plans continuously. One director noted that every organization should have multi-factor authentication access controls in place; accordingly, the board should discuss this security measure with management.
  • Conducting independent cybersecurity assessments. As innovative transformation initiatives constantly expand an organization’s digital footprint, they outpace security protections companies have in place. Accordingly, organizations should consider assessing the current state of their overall cybersecurity using an established framework, in relation to their desired state. If such reviews identify gaps or areas of weakness requiring immediate remediation, the board should satisfy itself that management addresses those areas in a timely manner.
  • Being aware of challenges in the information technology (IT) and security organizations. The point was raised that many organizations need to seriously consider re-architecting themselves from both a technology and security standpoint. The question the board needs to ask management is: How quickly are we able to get an issue resolved? Management assertions that a solution will disrupt existing operations and legacy systems and, thus, will take time to implement, are a red flag. Our discussion also touched on the issue of inadequate IT and security resources, and the need to innovate the business. The point is, cybersecurity must be focused on what’s important and cannot consume the entire budget.
  • Considering the value of cybersecurity insurance. One director brought up the importance of cybersecurity insurance coverage as a means to transfer some of the financial risk associated with a variety of cybersecurity incidents, including data breaches, business interruption, and network damage — particularly since the entity’s directors and officers liability policy may not cover these issues. If a company invests in a cybersecurity policy, the insurer may require the business to follow certain guidelines and provide evidence through a cybersecurity assessment, as discussed earlier. If the company hasn’t benchmarked itself against an appropriate framework, directors should inquire as to why not.

Dig into deeper insights from Protiviti by visiting their Board Perspectives piece on the challenges directors face when overseeing cybersecurity risks.

Career Partners International Grows in the Toronto Market

Career Partners International (CPI), a leading global provider of Outplacement, Career Management, Executive Coaching and Leadership Development services, is pleased to announce that The Talent Company has exceeded the rigorous standards required to become a Career Partners International firm. The Talent Company is now a CPI partner firm, supporting clients and their employees in the Toronto, Ontario, Canada market.

“Only those firms that ensure the highest quality of client and participant services are selected to join the Career Partners International Global Group,” said Doug Matthews, President & CEO of Career Partners International; “The Talent Company has an exceptional reputation and is constantly growing.”

The Talent Company, which has three offices servicing the Toronto area, was selected based on its expertise, quality, and reputation for success, combining its local market intelligence and solutions with CPI’s world-renowned career transition and executive coaching programs. The Talent Company serves as a trusted CPI partner leading organizations across all verticals, delivering innovative, yet practical solutions to their human capital needs.  In addition, their accomplished team of experts are often sought after as thought leaders to speak at industry events and conferences. The company’s “people first” mantra helped to validate that The Talent Company is a great match for the client-centric Career Partners International Global Group.

 “The vast global reach of CPI, and their focus on consistency and quality of delivery with all partners were certainly the most compelling reasons for joining Career Partners International,” said Greg Vertelman, Senior Partner with The Talent Company; “CPI’s incredible talent, their emphasis on high-touch consultation and results-focused services combined with their effective business model will be a great complement to how we support our clients on a global level.”

Career Partners International operates in over 300 global locations and guarantees excellent, personalized services with cutting-edge technology, whether in a local market or in cross-continent geographies.  With CPI’s global net promoter score of +78, you can be assured that the clients and candidates we serve achieve their career goals quickly and with exceptional satisfaction.


Catalysts for Transforming Culture Risk into Culture Value

Andrea Bonime-Blanc

It seems recently that one can’t escape reading stories about poor leadership gone wrong. It’s time for action from the boardroom, and it’s no longer good enough to ask unstructured questions about a company’s helpline. Nor is it good enough to rely on one’s own experience, instinct, and blind spots in the boardroom to hold management accountable for a healthy culture.

Trust-but-verify culture might be a good way for boards to move forward. While it is critically important to have trust in the CEO, blind trust can only lead to blind alleys where bad cultures can fester and become toxic. The board needs to be equipped with a way to understand the company’s culture periodically, in a manner that is both customized and adaptable.

The need for directors of companies to get under the skin of the culture of their organization has never been greater—or more necessary and daunting. Witness the many culture disasters we have recently seen from Uber, Wells Fargo & Co., The Weinstein Co., and Wynn Resorts. Over the past 25 years as a corporate executive, advisor, and board member, I have witnessed and advised on responses to similar instances of culture gone wrong—the good, the bad, the ugly, and, in one or two cases, the uglier.  And I have also seen what a good culture can do to propel a company to greater reputational and financial heights (and returns).

It is important to share some of the tools, lessons learned, and insights on how the board can peel back the layers of the culture onion to begin to understand what is going on inside their companies, above and beyond the surface that boards are usually privy to. We start with a look at what happened in 2017 to understand the workplace culture maelstrom that the #MeToo moment has ushered in and crystallized.

A Year in Culture Dysfunction

2017 was a year filled with tales of organizational culture gone wrong. We learned about negative and destructive behaviors in the workplace, mostly perpetrated by powerful leaders, causing serious human, economic, and reputational costs for people and organizations. The toxic workplace cultures extended from the pinnacles of political power to the front lines of manufacturing facilities.

Powered by the ubiquity and raw reach of social media, the #MeToo story quickly became universal—told first by the more glamorous denizens of Hollywood and then extending to the most vulnerable hotel, restaurant, and factory floor workers. All of them were victims of a toxic workplace culture of abuse of power, shame, and lies. Worse still, many victims are submitting to terrible work conditions, are sidelined from needed jobs, or are permanently derailed from pursuing desirable careers and professional passions.

Time magazine’s choice for the 2017 Person of the Year, the “Silence Breakers,” said it all. Though sparked by the Weinstein exposé, the #MeToo story represents the culmination of decades of pent-up workplace silence, lies, cover-ups, manipulation and anger. The overwhelming impact of the #MeToo phenomenon can only be explained by the explosion and maturation of social media, which has led to the amplification and acceleration of reputation risks tied to workplace culture.

Why 2017 Stands Out

Two other relatively recent periods of corporate cultural moments, if we can call them that, come to mind: 2002 and 2008. The downfall of Enron, WorldCom, and others resulted in an uproar about financial accountability and the adoption of Sarbanes–Oxley in 2002. Nearly six years later, we witnessed the downfall of financial giants Lehman Brothers Holdings and Bear Stearns Cos., leading to the humiliation of the U.S. financial sector in general for the massive mortgage and derivative-related scandals, leading to social awakenings such as Occupy Wall Street and the adoption of the Dodd-Frank Act.

While these two watershed moments were important, 2017 was arguably the most momentous year yet for matters of corporate culture. In both the 2002 and 2008 cases, the cultural issue revolved around financial malfeasance. The cultural issue of 2017 is qualitatively different. Challenges are being made against toxic personal behaviors in the workplace perpetrated mainly by leaders against their subordinates, and those actions demand a qualitatively different approach to oversight that is more proactive and requires the ability to look behind the numbers and the dashboards.

By 2017 we had also arrived at the convergence of two other significant developments not fully present or developed before:

  1. the rise of the importance to business of environmental, social and governance (ESG) issues (especially in the US, as Europe has long focused on ESG); and
  2. the acceleration and amplified impact of reputation risk associated with ESG risk (which includes workplace cultural issues) because of the age of social media and hyper-transparency.

Companies can no longer reactively manage their reputation in this hyper-transparent environment. Companies have to earn it proactively and watchfully, and getting to the bottom of the culture of their organization is of paramount importance for the C-suite and board.

Culture: A New and Urgent Focus for Boards

As the NACD 2017 Blue Ribbon Commission Report on Culture as a Corporate Asset was prescient in addressing, boards and executive teams must immediately focus on understanding the culture of their workplaces as part of the value chain and strategy. But they must also understand how to get to the root of any workplace culture dysfunction that may exist.

In this era, the excuse that only shareholders matter no longer holds. Boards and management are responsible to all of their stakeholders for ESG results as well (shareholders, employees, customers, and beyond), which include proactively maintaining and nurturing a healthy workplace culture. In the age of hyper-transparency, it does not pay to turn a blind eye or to wait for a crisis to hit. The rapid-fire downfall of not only Harvey Weinstein but of his entire company, including its damaged board and board members, is the cautionary tale of the day.

On the positive side, there is plenty of evidence that while a toxic culture destroys value, a strong and resilient culture fully championed and embodied by the very top of the organization (read: CEOs and directors) can and will add long-term sustainable value to the company’s reputation and financial bottom line. Such values protect the organization from the crises that will inevitably come and add bottom line financial value, as the famous Johnson & Johnson Tylenol case first demonstrated.

Is our Current Culture Moment Fleeting or Momentous?

We are certainly witnessing a cultural moment. The real question is this: will this moment pass with no more than a whimper, or will it become momentous?

The 2017 stories have definitely awakened awareness at the very top of corporate leadership—at least for now. In one day in December at two major governance gatherings sponsored by NACD in New York City—at Leading Minds of Governance and the NACD Director 100 Gala—this author witnessed how the #MeToo movement was top of mind for directors in general and dominated discussions both public and private throughout that day. Energized directors and experts who were present underscored the importance of action in this moment for the boardroom, and how this topic must be addressed in the long term as part of the board’s responsibility.

Thus, I would argue that this moment is not a fleeting one. The importance of this moment cannot be over-emphasized. It’s one that will be captured by responsible leaders and boards. Indeed, this is a unique time for leaders to step up to their responsibility for creating and owning a healthy workplace culture and for boards to acknowledge and embrace their responsibility: exercising proactive oversight of—and holding management accountable for—creating and maintaining a healthy workplace culture. 

The Culturally Attuned Board

The culturally attuned board is one that is organized to understand the company in depth and to leverage that understanding for the success of all its stakeholders. What does that mean in real terms? It means, first, that the board has the tools necessary to understand what the culture really is—to peel that onion to get to the heart of what the tone is not only at the top (in the C-Suite), but also at the grass roots—including among entry-level employees. Second, it means that the board is aware of the red flags that might tip them off to a culture issue or problem. And third, it means that the board does not rest on its laurels but makes the culture conversation a permanent fixture of its work with the CEO, C-suite, and employees generally.

The next blog in this series will describe three specific tools that boards should implement, as well as the ten questions the board should ask to dig deeper and what should be on the board’s culture dashboard.

Dr. Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory, a strategic governance, risk and ethics advisor, board member, and former senior executive at Bertelsmann, Verint, and PSEG. She is author of numerous books including The Reputation Risk Handbook (2014) and The Artificial Intelligence Imperative (April 2018). She serves as Independent Ethics Advisor to the Financial Oversight and Management Board for Puerto Rico, start-up mentor at Plug & Play Tech Center, life member at the Council on Foreign Relations and is faculty at the NACD, NYU, IEB and Glasgow Caledonian University. She tweets as @GlobalEthicist. All thoughts shared here are her own. 

Disruption or Distraction? Focused Oversight in the Age of Innovation

Peter Gleason

Over the years, the Consumer Electronics Show (CES) in Las Vegas has featured miles of technology and millions of people—2.75 million square feet for 3,900 booths and nearly 185,000 attendees in 2018 alone.

Under those tents are innovations that will disrupt markets and your companies. The question is, which ones?

Not every innovation is disruptive, and not every market is vulnerable. According to a recent blog by Harvard professor Clay Christensen, written shortly before the most recent CES event in January, “disruptive innovation,” a term Christensen coined in 1995, is “the process by which products and services, often less expensive and less sophisticated, move upmarket until they displace established competitors.”

Displacement is no fun; it generally means downsizing and can mean demise. So directors naturally want their companies to disrupt, rather than be disrupted. That’s why NACD launched the NACD CES Experience in partnership with Grant Thornton. Participants enjoyed a director-curated tour and program that explored the technology trends of greatest relevance to business, helping attendees see implications for their own companies.

General trends highlighted on the tour included the impact of artificial intelligence, machine learning, chip and processing technologies, and sensor technologies on human-machine interface. The small group of directors also witnessed new technologies in voice input and response, image and vision interactions, biometrics, digital assistants, computational photography, shoppable images, virtual environments, and biometric trackers.

NACD inaugurated a similar annual event last July, the NACD Technology Symposium, where directors toured businesses in Silicon Valley, interacting with innovators there. And in April 2018, NACD will host a Global Cyber Forum in Geneva, Switzerland. NACD, working with others, has been providing cyber-risk oversight guidance for directors since the year 2000, most recently with the NACD Director’s Handbook on Cyber-Risk Oversight, 2017 edition. Our Emerging Issues resource center also has a segment on the impact of technology change.

Such programs, encouraging focus amid complexity and change, are models for what board leadership is all about: focused oversight. Based on my own board service, and on my decades of dialogue with directors, I believe that identifying and prioritizing issues for oversight is the single most important value that boards bring to organizations. It’s the opposite of the “shiny thing” syndrome, in which our attention darts to whatever is new and interesting.

In a video interview with several directors at the opening day of CES, NACD Chief Programming Officer Erin Essenmacher asked why they came. Lianne Pelletier, whose views on CES were recently featured in the Wall Street Journal, focused on infrastructure, a key topic at Expeditors International, where she serves as a director. John Hotta, a director at First Washington Robotics, focused on the accessibility of platforms like Amazon’s Alexa. Maureen Conners, on the board of Fashion Incubator San Francisco, said that directors should bring the top “three to five” issues to the attention of their CEO to ask for a report on strategic implications.

In short, all the directors interviewed said that they wanted broader horizons but would continue to focus straight ahead.