A wave of lawsuits surrounding director compensation surfaced a couple of years ago, often alleging “excessive” pay for boards of directors on a variety of grounds…
Underlying the growing pressures for climate-competent boards is this fundamental question: how resilient is the organization to the impacts of climate change?
Few organizations or boards are capable of answering this question with any degree of certainty. Yet, the question is being raised with greater frequency and urgency due to actions by investors, regulators, customers, supply-chain partners, and competitors.
Across every industry the increased focus on climate change is accelerating other megatrends such as disruptive technologies, digitization, urbanization, and evolving demographics. Underpinning these megatrends are a combination of technological leaps and upheavals in global society and the environment that will reshape economies, businesses, and lifestyles. For example, over $1 trillion worth of new markets for manufacturers are expected to develop over the next decade as industries transform. This shifting landscape creates many uncertainties, risks, and opportunities for new products, services, supply-chain structures, and improvements in resource management, among many others.
Taken as a whole, these pressures are driving companies to better assess, define, and enact strategies to increase their climate resilience. In their strategic oversight role, boards need better insights on the direct impacts of climate change on the organization as well as the indirect risks and opportunities associated with transitioning to a lower-carbon economy.
Yet, recent NACD corporate governance survey data suggests that many boards need a rethink on this issue. A mere 6 percent of respondents indicated that climate change would have the greatest impact on their businesses over the next year. The previous year’s report found that over 90 percent of public company directors believe that climate change would have negligible impact over the next five years.
Companies that focus primarily on climate change’s projected physical impacts expected to play out over the coming decades will have “blind spots” to the indirect risks associated with the transition to a lower-carbon economy. Companies must to go on the offensive to build climate resilience in order to gain competitive advantage.
Climate resilience has the capacity to adapt and succeed in the face of direct and indirect impacts of climate change. In addition to addressing and managing risks, it encompasses the ability to capitalize on the strategic opportunities presented by the shift to a lower-carbon and resource-constrained economy.
To provide boards with a line of sight into its organization’s climate resiliency, management teams can undertake one or more of the following actions:
- assess climate vulnerability of operations and facilities;
- embed climate impacts into enterprise risk management programs; or
- undertake scenario analysis to enhance decision making around risks and opportunities.
As a start, companies can model the risk of physical assets to identify location-level risk exposure and the vulnerability of properties and assets to evolving weather events and climate change. A geographic portfolio review can also help map demographic and infrastructure vulnerabilities to natural hazards to better understand how supply chains may be impacted by weather events.
Existing enterprise risk management (ERM) and risk assessment processes can be used to increase awareness of climate risks and better assess resilience across the organization. Leading organizations are using their ERM processes to identify how direct and indirect climate impacts—including regulatory and technology developments—serve to accelerate or otherwise change the velocity of other trends and risk events. Framing climate as a risk driver helps to align the timeframe of the risk and opportunity assessment to that of most corporate planning cycles.
Scenario analysis is recommended by the Financial Stability Board’s Task Force on Climate-related Financial Disclosures as a technique to assess climate impacts. Modeling different environmental scenarios (such as warming by a margin of 2 degrees Celsius and associated changes) gives form to the amorphous problem of climate change and provides mechanisms to discuss potential future states of operation. In selecting and devising scenarios, companies should consider the appropriate trade-offs in quantification, but also avoid excess complexity and optionality. When assessing for operational climate-risk resilience, it is critical to include a minimum of one favorable and unfavorable scenario respectively. This empowers organizations to make informed decisions regarding their longer-term strategies.
Overall, it is clear that the dialogue on climate change within boardrooms and among C-suites of companies across all sectors must evolve to a focus on how climate change will impact their businesses. The real measure of a climate-competent board is one that can address this critical question: how climate-resilient is the organization?
Lucy Nottingham is a director in Marsh & McLennan Companies’ Global Risk Center and leads research programs on governance and climate resilience.
Institutional Shareholder Services (ISS) published annual updates to its proxy voting guidelines in November, followed by a set of preliminary FAQs…
Information security should be one of the most important risk areas of focus for boards. However, according to the 2017–2018 NACD Public Company Governance Survey, 88 percent of surveyed directors indicated that they had only some or little knowledge about how to navigate cyber risk. It’s clear that too few directors feel qualified to have this conversation in any degree of depth.
When I joined Amazon.com in 1998, Jeff Bezos, the company’s CEO and chair, viewed security as the most threatening, potentially company-ending risk that the company faced. Since then, many companies have elevated security risk to their technology, the infrastructure on which they depend, as the greatest existential threat to their enterprise. Yet boards struggle to quantify these risks, to determine their tolerance for security risks, and to assess the company’s security program.
In their discussions of security risk, security leaders and board members are constrained by time, frame of reference, shared vocabulary, experience, and understanding of the adversary. Board members could use some help.
I propose ten simple questions that could enable discussion, provide board members with a lens through which they can broadly view the company’s security program and posture, and prompt security leaders to build a shared understanding of the company’s risk profile, threat landscape, and most important security initiatives.
1. Who is in charge?
It is critical for the board to identify the most senior information security leader in the company. This should be a person explicitly designated to lead the program, with the requisite skills, resources, and authority to execute it. This person commonly goes by a title such as chief information security officer (CISO), chief security officer, or head of security, among other titles. Sometimes, companies will take a tiered approach to security. In such cases, the leader of the security team plays a pivotal role, and the board needs to be comfortable that their position and authority is consistent with the importance that the board places on security.
If you identify someone who has security as one responsibility among a portfolio of others, it’s necessary to determine who has single-threaded focus on information security. Once that person is identified, you can discuss whether they have the proper ownership and resources to go with the responsibility, their reporting chain, the support that they receive from the rest of the company, and their relationship with the board. Regardless of who they directly report to, this person should be accountable to the board.
2. How do we assess risk?
Security is about risk management. It’s critical for directors to understand the process of identifying and analyzing security risks, how their likelihood and impact are estimated, how the appropriate controls are prioritized and implemented, how their efficacy is tested, and how results are monitored. Some potential security events are low probability and extremely high impact, making it more difficult to compare them to other risks. Nevertheless, it’s critical to go through the exercise of determining risk appetite, assessing and qualifying risk, quantifying overall exposure, and placing it within the company’s overall risk management framework. Finally, it’s important to be candid about your confidence in the risk assessment.
3. Are we focused on attacks?
It’s important to focus on managing the most critical threats and on breaking the attack kill chain—the structure of an intrusion—rather than to engage in “security theater,” or activities that give the appearance of competence while lacking in substance. Budgets are limited and security talent is in very short supply, so resources should be focused on establishing an architecture that has sufficient defense in depth, resilience, and intelligence to survive modern attack types.
Traditional approaches to defensive security that were dependent on protecting the perimeter of the enterprise continue to prove insufficient. Today, defenders must understand the adversary’s attack mechanisms, work backwards from the path of the attack, layer defensive measures throughout the enterprise, intervene before the attacker can extract sensitive data, and teach employees and customers to play their crucial part.
4. What’s our most important asset?
This question shouldn’t take long to answer. It should drive a discussion between the board and the security leader about how data and services are classified, the policies that are established for their defense, and the required and recommended controls for each class. When a new service is established, this classification framework in combination with the new service’s threat model should make it relatively easy to decide who is responsible for mitigating threats and what controls should be put in place.
When asked to rank their biggest cybersecurity fears, 41 percent of directors said they are most worried about brand damage. While customer trust is the key asset in many businesses, it’s important to identify the specifics of what would be the most devastating loss for the company. It’s only then that a thorough, qualitative assessment of the most critical components of the security program can occur.
5. How do we protect our most important asset?
Board members can calibrate the overall risk profile of a security program once they understand how the most precious asset is protected. The answer to this question should discuss the high-level threat model for that most important asset and, in the context of modern attack patterns, the mechanisms used to defend it. The answer should reflect that this is a journey on terrain that is shifting. There should be an iterative process of quantifying the risks of different threats, and of mitigating the most significant ones.
6. What’s our biggest threat?
This question forms the heartbeat of the conversation between the board and the security leader. It provides an opportunity to describe the company’s current security posture and its target state, and to refresh the board on the evolving threat landscape, the lessons to learn from emerging attacks, and the measures that the company is taking to mitigate the threats. For many companies, security risk is sufficiently important to warrant a discuss of this question at every board meeting, perhaps with a summary of the threat models for any major new products or services, and a review of the most significant risks at any recently acquired companies. When board members hear grandiose plans to address the biggest threat, but the deliverables are more than 18 months away, they may wish to ask for approaches to improve today’s posture without necessarily derailing the long-term solution. Don’t make the perfect the enemy of the good.
7. What do we control?
The board should assess the degree to which the company’s security policy and practices are explicit and prescriptive. Board members should be very suspicious of a security leader who claims to have complete control of the technology platform and the tools that employees use. Full control is usually a dangerous illusion, and any autocratic attempt to achieve it can lead to inflexibility and to employees working against or around the security program. Security should be viewed as a collective responsibility, rather than as a fixed constraint. Boards spend time assessing internal controls that for example provide confidence in custody over sensitive data and in the accuracy of financial reporting. Effective security leaders will distinguish between controls and control, and will strive towards “getting to ‘yes,’” rather than being the one who always says no. Getting to yes is easier if employees buy into a decision and if the path of least resistance is for them to do the right thing by default.
8. Are incident response and recovery plans tested?
This is one of those questions to which the answer can be “no” at most once. In the common case this question will lead to a review of responses and recovery from real incidents, in addition to a summary of simulated attack exercises, consideration of the fidelity of such exercises, and lessons learned. It provides the board with a view of the company’s capabilities in communication, response planning, incident analysis, risk mitigation under duress, and leadership.
9. Would we know if we’d been compromised?
Security technology vendors may tout breakthroughs that provide the ability to identify and prevent attempted compromises with perfect precision and recall. An effective conversation between a security leader and a board will take as a given that all attacks can’t be identified and prevented, and that compromises may already lurk undetected. This should lead to a discussion of actions to make prevention as strong as possible, to improve the probability of detecting lurking intruders, and to reduce the likelihood that they reach critical assets and extract them.
In a world where the edge of the company’s technology footprint is increasingly blurred, where the sophistication of attacks outpaces security awareness, and where advanced persistent threats are used by adversaries, it’s inevitable that the answer to this question will be nuanced.
10. Who would be told, and how do we expect them to respond?
Communication is a key part of a successful incident response plan. Each person, including the board, needs to know his or her role in communicating about incidents internally and externally. The question goes beyond incident handling to include recovery processes and the proactive management of any reputation impact that may arise from the incident.
As a board member, it’s worth thinking about two questions that I used back in 1998 to get Bezos thinking about his role in incident response:
- In the event of a high-severity security incident, do you think you’d be told?
- Would you like to be told?
Response and recovery go hand in hand. It’s tempting to avoid putting significant effort into planning for recovery from a major security incident, and while everyone would prefer to focus on prevention efforts with a goal of zero incidents, the reality is that there’s no such thing as perfect security. The recovery plan is part of responding to the incident, learning from it, managing communications, and getting the company back in business. A well-executed recovery plan has the potential to limit the reputation damage caused by the event, and to help management and other stakeholders to move beyond it.
Finally, a bonus credit question: Do you have the team and the budget that you need to be successful in managing the company’s security risk?
These 10 questions are a starting point for a longer conversation. Directors and the security leader should regularly employee a more thorough framework, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, to begin building a deeper understanding of their company’s security posture. While the NIST framework goes to considerably more depth, these 10 questions are intended to get to the essence of what is most important for a board to periodically review.
Tom Killalea (@tomk_) is a director of Capital One Financial Corp., MongoDB, Carbon Black, and Orreco. From 1998–2014 he served in various leadership roles at Amazon.com, including vice president of technology and CISO. All opinions expressed here are his own.
Over the next few years, the digital revolution will force many organizations to undertake radical change programs and, in some cases, completely reinvent themselves to remain relevant and competitive. Ask executives and directors what their company’s biggest threats are, and chances are the answer will include the threat of disruptive innovation. That said, is disruptive innovation sufficiently emphasized on the board agenda?
Our experience indicates that most boards do not fully grasp the opportunities and risks associated with digital transformation. There are four important activities for organizations to consider as they contemplate what digital means to their business and strategy.
1. Assess digital competencies. Protiviti’s original research has identified more than 30 competencies at which digital leaders excel. These competencies consist of empirically supported capabilities and structural characteristics that can be used to benchmark the organization. They are arrayed across six core disciplines that many traditional businesses struggle with:
- vision, mission, and strategy;
- management and employee culture;
- organization, structure, and processes;
- communication, marketing, and sales;
- technology innovation and development;
- and big data, analytics, and automation.
An example of a competency related to “vision, mission, and strategy” is that executive management must have a clear understanding of the potential impact of digital disruption in the industry segments in which the organization operates and be able to articulate a clear strategic vision fit for the digital age. In addition, digital strategy-setting and review should be a continuous activity for the business and in the boardroom.
Competencies can be useful when plotting the path toward digital maturity. The strategy should reflect the competencies that currently define the organization and address the absence of those which present barriers to success. This is important because the digital age is forcing organizations to radically rethink how to engage with customers and pursue design breakthroughs for improving processes and functions continuously. That means they must balance outside-the-box thinking with the practical considerations of repositioning the business. Many strategies ignore these fundamental issues, resulting in a business that is digital on the edges but not at the core. Our view is that a truly digital business has a digital core.
2. Define and refine continuously the digital vision and strategy. Organizations need to make a conscious decision about whether they are going to lead as the disrupter of the industry or, alternatively, play a waiting game, monitor the competitive landscape, and react only when necessary to defend market share. For many companies, the answer may be somewhere in between. For organizations choosing not to actively disrupt the status quo, their challenge is to be agile enough to react quickly as an early mover. Few are ready for that challenge, however.
A leader of the organization must own responsibility for understanding the competitive landscape, the opportunities emerging technologies present, and the threats to existing revenue streams. Management must frame the digital vision and the strategic initiatives supporting it around the enterprise’s core competencies. The vision must reflect the direction in which relevant digital technology is trending. It should express how technology can elevate the company’s differentiating core competencies and deliver unique customer experiences. With technology and regulations changing, and innovation happening so rapidly, the business needs to review and refine its digital priorities constantly.
3. Define the target operating model. Too often policies, processes, and organizational structures get in the way of a business becoming and remaining digital. The key is to empower, trust, and monitor people, not control them. That’s a different way of thinking for organizations rooted in “command and control” structures. The business should clearly define where it’s going in its vision and strategy, and management must recruit and train the right people while ensuring that the enterprise’s policies, processes, and systems are suitable to compete in a digital world.
Accordingly, management should define the processes, organization, talent, methodologies, and systems comprising a future operating model that remains true to the company’s identity and brand promise. In the rush to become digital, the importance of policies shouldn’t be forgotten to address risks and ethical questions leaders must consider.
With the current and future states defined, improvement plans should be developed to close the gaps based on industry best practices and reviewed with executive management and the board. The risks associated with the target state should be identified and assessed against the entity’s risk appetite. In this respect, management should be careful to avoid understating the hyper-scalable business model component of digital transformation. Digital thinking requires organizations to solve the problem of rapid growth and scalability to rely primarily on technology rather than people, as opposed to the traditional focus on scaling ahead of demand.
4. Align the organization with the needed change. Using digital technologies to improve products, services, and processes requires focus and discipline. To enable continuous or breakthrough change with confidence, buy-in must be obtained from executive management and the board for significant changes in strategy, processes, and systems. Support also is needed from business-line leaders, operating personnel, and process owners affected by the change. The communication of change and its implications must address why a digitally-focused culture is necessary for the entity to survive and thrive, and offer a compelling case that the interests of employees and the enterprise are inextricably tied to effecting change.
Depending on a director’s perspective, the exciting or worrisome truth is that the digital revolution is just getting started. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult to have the vision or foresight to anticipate the nature and extent of change. That is why every organization must chart its own digital journey.
To that end, the board should be engaged in all of the above activities, from readiness assessment to organizational alignment. When addressing digital, directors should recognize the signs of organizational short-termism and executive management’s emotional investment in traditional business models. Ultimately, the board must ask the necessary questions to encourage management to advance the enterprise’s digital journey at a pace that will sustain the company’s sources of competitive advantage and market position.
Jim DeLoach is managing director of Protiviti.
Equilar analyzed the corporate connections of Meg Whitman, the most recent of many female CEOs to announce their resignation…
In the years since Say on Pay passed in the wake of Dodd-Frank, executive compensation has been under close scrutiny. This advisory vote on compensation for the highest-paid executives…
Global marketing officer Karin Timpone recently participated in the NACD Capital Area Chapter’s season kick-off program on social media. Timpone, who leads the integrated global marketing and consumer relationship management strategy for Marriott International, suggests that in the long term, boards must consider the broader impact of companies like Facebook, with its two billion users, and Amazon.com, with an estimated number of customers at well over 200 million, having digital empires with deep customer data. “Consider how your company will fit into the new digital world order,” said Timpone.
In the meantime, boards should be asking the right question about the status of current efforts in the digital realm. Specifically, Timpone recommends that they ask five key questions:
1. What is the company’s content strategy?
Social media has disrupted business as we know it. “The upside of this disruption is the opportunity to have a two-way conversation with your audience,” said Timpone. “You can also amplify your marketing efforts, allowing the social graph to carry your message.” However, the downside is that a company cannot expect its messages to follow a company calendar. Instead, the company has to be constantly vigilant about being a part of the conversation.
The board should be informed about what the company is planning to talk about, why, and with what voice. Also, ask about the media mix—that is, what has modeling shown in terms of where money should be spent? Is “brand safety” (where the brand appears and what is near it) being considered?
2. How are crisis management and customer care intersecting in the social world?
Timpone emphasizes the need for processes in social media crisis management. “The board should know how crisis management and customer care intersect,” she said. “Social media should be governed in a multi-faceted way; it’s part of an ecosystem that has the customer at the center.”
Marriott has set up newsrooms around the world in order to stay abreast of news and social media. “We have to make sure we aren’t publishing something that is tone deaf and that we are dialing up our communication when needed.” Software helps power these newsrooms, using geofencing technology to pick up company-related tweets, for example.
3. How do employees fit into the company’s social strategy?
Companies must have clear policies about employees’ use of social media. Timpone said, “Be clear whether it’s a person’s job to post on social medial for the company.” Also, human resources departments—along with other key stakeholders—should be part of management’s internal communications governance group.
4. Is the company keeping up with quickly changing technology?
The risk of not keeping up with the latest technologies must be mitigated. For example, Facebook is now emphasizing video and live features. “The social media program metrics have to change with the technology,” said Timpone.
5. What are the business outcomes of the social media strategy and how is the program being measured?
Metrics for a social media strategy may be counterintuitive compared to traditional media. For example, not doing anything can sometimes have more impact than doing something. In one instance, a company got extensive press and positive social media results for not buying a Super Bowl advertisement. Whatever the company’s strategy, “the board should ask about the program’s key performance indicators,” said Timpone. “What is measured gets done.”
NACD Capital Area would like to thank sponsor WilmerHale for hosting the program and Timpone’s fellow panelist, William Bethune, for also sharing his views.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
Jack in the Box found itself in the spotlight last week when activist investor Jeff Smith and investment fund Starboard Value acquired new positions at the fast food giant, TheStreet reported…
Discussion in corporate governance surrounding board recruitment and refreshment has become more common, but in actuality, turnover is low and available board positions are scarce…