Activism, Culture, Leadership, and Disruption: The Sale of Whole Foods to Amazon

Few saw the acquisition of Whole Foods Market by coming, though the synergies between the companies were many, according to former directors at Whole Foods. In light of activism and other challenges presented at the company, the move to sell Whole Foods to Amazon at $42 per share, or $13.4 billion, made sense. So did the opportunity to shake up the company’s board.

NACD Colorado recently welcomed a panel of three of the aforementioned former Whole Foods directors, including John Elstrott, former chair of the board and audit committee chair; Bud Sorenson, former nominating and governance committee and compensation committee chair; and Mo Siegel, financial expert and member of the audit and compensation committees, to share the story of the sale. NACD Colorado program committee chair and EY Partner Kris Pederson moderated, and EY strategy partner lead for consumer products Dave Hollman added perspective around and beyond the transaction.


At a time when the industry was suffering, Whole Foods saw same-store sales declining 1.5 percent in 2017 and 2 percent in 2016. The brand also needed to make large investments to bring its lagging technology infrastructure up to date. When Jana Partners purchased close to 9 percent of the company’s stock, the board saw the writing on the wall and immediately started planning for a counterstrike.

Due to the shift in company stock price, Whole Foods’ shareholders had changed. Siegel explained that no longer did the company fit into either the large cap growth or value funds of institutional shareholders. Thus, a proxy fight would mean talking to a new set of institutional shareholders, namely index funds focused on shorter-term numbers, where the company did not have existing relationships.

When Jana filed a form 13D with the U.S. Securities and Exchange Commission and notified the company that it wanted to replace six directors, including the chair, the board took proactive measures, according to Elstrott. Not only did six directors voluntarily resign, including Elstrott, Sorenson, and Siegel, but the board found and voted in new directors quickly, with credentials they believed exceeded those of replacement directors promoted by Jana. The company also quickly restarted talks with Amazon. Siegel added, “The 13D was like a bomb dropped at the company.”


All three directors who sat on the panel stressed the strong culture at Whole Food, resting on founder and CEO John Mackey’s novel approach to company purpose, known as conscious capitalism. According to Sorenson, the company’s mission was to:

  • Sell the healthiest food to change eating habits and agriculture;
  • Practice servant leadership and bring out the best in team members; and
  • Focus on optimizing returns for customers, team members, partners in the supply chain, investors, communities, and the environment.

When Mackey met Jeff Bezos, there was an instant synergy. “It was love at first site,” said Sorenson. “The more they talked, the more synergies they uncovered.” Amazon and Whole Foods shared cultural beliefs, including an emphasis on customer experience; however, there was a concern about the amount of efficiency change that would be placed on Whole Foods team members. “At a farewell dinner for board members,” said Sorenson, “we were heartened to hear that Amazon didn’t want our culture to change.”

Leadership Takeaways

Pederson facilitated the discussion of a series of lessons learned by taking audience questions. The tenure of members of the Whole Foods board—more than 20 years each for Elstrott and Sorenson, for example—was an issue Jana Partners raised. For public companies, said Elstrott, board turnover is important, though he disavows tenure and age limits and favors annual terms with systematic director and board performance reviews rather than legislated mandates.

Further, Elstrott’s advice to other companies in a world where disruption is accelerating was varied.

  • The board should encourage its CEO to surrounded himself with talented leaders who are not afraid to take a contrary position and back it up with experience and knowledge.
  • Establish a strong board and CEO dialogue that encourages a dialogue on tough questions.
  • Understand that a diverse board and management team—including age, gender, and ethnic diversity—enables companies to react to technology change and competition with greater agility.
  • Stay on top of developments in governance best practices. Whole Foods offered board members $10,000 per year for director education, such as that offered by NACD, as a means to prepare their governing body to navigate governance challenges with confidence.
  • Know that your company could be disrupted, so be prepared to act fast.


Amazon’s purchase of Whole Foods accelerated disruption in the grocery sector. According to Hollman, “In the 90 days after the purchase, Amazon moved with a speed not seen in the industry.” It dropped prices to combat Whole Foods’ “whole paycheck” moniker. It activated Prime Go, a delivery service for Prime members that guaranteed home delivery of Whole Foods products within two hours. “It began to unleash the power of its prime members—70 million unique households,” he said.

Though Kroger lost one third of its market cap after the sale of Whole Foods, “the death of the big retailers was wildly exaggerated,” Hollman noted. “The big guys fought back.” For example, Walmart started a click and collect model, ramping digital efforts quickly to allow for in-store pick up within 15 minutes.

What’s to come? Hollman said the future is bright for technology-driven brick and mortar stores with a strong online presence. And to really peer into a crystal ball, “keep your eye on China,” he stressed. Alibaba was reported to have earned $24 billion in 24 hours on Singles Day, the wildly popular Chinese holiday that is comparable with Black Friday, with 80 percent earned via mobile.


Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.

Snapshot: Evolving Risk Concerns in Asia-Pacific

At an expected growth rate of 5.6 percent, Asia-Pacific will account for almost two-thirds of global economic growth during 2018 and 2019. In the age of global supply chains, risks impacting this area will have a critical impact on many organizations—regardless of where they are situated.

The third edition of Evolving Risk Concerns in Asia-Pacific, released on October 11th, flags threats to the region’s physical and human infrastructure as key challenges. These risks are deeply interconnected with ongoing megatrends in the region and part of the larger regional risk landscape.

Understanding the deep connections between specific risks, macro risks, risk trends, and the wider risk landscape can help identify new potential vulnerabilities that businesses must be aware of to avoid getting blindsided.

Inadequacies: The Risk of Critical Infrastructure Shortfall or Failure

Intensifying economic activities, population growth, and ongoing urbanization in Asia will need to be supported by an estimated extra $22.6 trillion investment into infrastructure from 2015 to 2030, according to the Asian Development Bank, highlighting the significant infrastructure gap in the region.

The framing of this issue as a gap, however, belies the fact that threat to the physical infrastructure of Asia-Pacific is not only a quantity but also a quality issue. The general dearth in quality of transportation, energy, and information and communication technology infrastructure has been shown to be a major contributor to increasing cost, lowered productivity, and disruption to the economy and businesses, and it is concentrated in the region’s emerging markets.

Putting this infrastructure issue into the context of ongoing regional megatrends reveals further vulnerabilities. Aside from the growing demands from economic, population, and urbanization growth, the increasing severity of climate change events and our growing cyber-dependency are two key trends that can exacerbate critical infrastructure failure or shortfall.

The vulnerability of infrastructure to climate change can be seen in extreme events’ devastating damage to physical infrastructures and in the depreciation of assets due to slow-burning changes. Accounting for these damages and making future infrastructure more resilient will require substantial planning, effort, and capital: the Asian Development Bank estimates Asian countries will need an extra $3.4 trillion by 2030 for this, which also requires a supportive political climate.

Cities and businesses in Asia-Pacific are also rapidly digitalizing their everyday operations. This growing cyber-dependency has two major implications for infrastructure development. On the one hand, it will lead to a growing demand for information and communication technology infrastructure. On the other, it also means the digital infrastructure of the region’s cities and businesses are progressively under the threat of a systemic breakdown from a cyber-attack.

Help Wanted: The Problem of Talent Shortages

Asia-Pacific’s human infrastructure is faced with growing talent shortages. The problem is already felt by businesses across the region, from advanced economies like Singapore and Hong Kong to emerging markets such as China, India, and Malaysia. In Singapore, for example, 56 percent of employers reported having difficulties filling vacancies.

As with critical infrastructure, talent shortages in Asia-Pacific will be further shaped by ongoing megatrends.

The first is the already aged or rapidly aging population in several economies in the region (Japan, Singapore, Hong Kong, South Korea, and China). In these societies, the labor force and talent pool are expected to shrink significantly in the next 15 years.

The second is continued technological advancements and their applications in the workplace. This has fundamentally changed how work is performed and perceived. New technologies have required new skill sets that are not readily available—for example, data from Mercer show an unmet increase in demand for data scientists and experts in cloud computing, cybersecurity, and artificial intelligence.

Yet unlike critical infrastructures, the interactions between megatrends and their effects on talent shortages in Asia-Pacific will play out in many forms. Consider the application of automation: Automation can play an important role in filling the labor shortage experienced in rapidly aging societies such as Japan, where robots have been increasingly replacing humans in fields like construction and healthcare.

At the same time, automation also exacerbates talent shortages, as the skill sets for its application are not necessarily available. In emerging markets, automation threatens the displacement of millions of low-skilled workers, creating new social imbalances. Within these dynamics, the linchpin is education systems’ capacity to catch up with technological developments and retraining/reskilling programs.

The Bigger Picture: The Evolving Risk Landscape in Asia-Pacific

The threats to Asia-Pacific’s physical and human infrastructure can be contextualized in the wider risk landscape of the region.

For example, global and regional geopolitical shifts have affected infrastructure development efforts, including the complications surrounding the Belt and Road Initiative. While there is little debate over the project’s potential economic value and its contribution to solving the current infrastructure gap, geopolitical considerations from governments across the region present real barriers to cooperation and shared prosperity.

Separately, the rise and persistent presence of populism, nationalism, and “strong state” governance can also limit the mobility of human capital, which can help ease talent shortages.

Similar dynamics are can be seen in the region’s underlying economic fragilities. There is a strong connection between infrastructure development and the increasing debt load countries in the region have been taking on, raising the question of what a sustainable approach is to promoting infrastructure investments. At the same time, solving for talent shortages similarly cannot avoid the question of affordable and accessible education, as well as of reskilling and upskilling programs—thus putting the dogged problem of inequality at center stage.

These observations highlight the deep interconnectedness of specific risks, macro risks and risk trends, and the wider risk landscape. Viewing these issues through this lens reveals new potential vulnerabilities that businesses and governments alike must be aware of to avoid getting blindsided.

Wolfram Hedrich is the Executive Director at Marsh & McLennan Companies’ Asia Pacific Risk Center. Read more on the Asia-Pacific risk environment at the center’s recent Evolving Risk Concerns in Asia-Pacific vol.3 report.

FBI Director to Corporate Directors: “We’ve Got to Build These Relationships Now”

When it comes to cyber threats and challenges, the Federal Bureau of Investigation (FBI) stands ready to work shoulder-to-shoulder with its private sector partners.  This according to Christopher Wray, who has served as director of the FBI since the summer of 2017. Director Wray joined more than 1,700 corporate directors at NACD’s annual Global Board Leaders’ Summit in Washington, DC, and discussed the agency’s priorities.

Nicholas Donofrio, left, interview FBI Director Christopher Wray at the 2018 Global Board Leaders’ Summit.

Speaking with Nicholas Donofrio—former executive vice president of innovation and technology at IBM and director at Aptiv, MITRE, and NACD—Wray shared the FBI’s approach to partnering with companies across industries and sectors to foster cybersecurity and prevent economic espionage, and talked about his hopes for closer cooperation between the FBI and the private sector.

Highlights of the most important points for boards to consider follow.

  • Cybersecurity is an urgent corporate issue, and a critical FBI priority. According to Wray, no threats to the United States’ economy and security have evolved more dramatically over the past 10 to 15 years than have cyber threats, an evolution he attributes to the ever increasing connectivity of our companies, systems, devices, and assets. Wray urged companies to recognize that “every single bit of information, every system, every network is a target [and] every link in the [supply] chain is a potential vulnerability” – including vendors, contractors, subcontractors, and any other point of entry or exchange along supply chains.

    Wray added that employees also present a growing risk, with increasing incidents of company insiders attempting to take and transfer proprietary information to business competitors and/or foreign governments.

  • The FBI is focused on nation-state-sponsored intrusions. There is growing concern at the FBI about the long-term threat China poses to the United States’ national security and economic interests. Beijing has unveiled a formal plan to achieve dominance in high-technology industries, known as its “Made by China 2025” campaign. In its quest to lift its industries up the value chain, China has shown not only a willingness but also an ability to seek a competitive advantage through both lawful and unlawful means, Wray remarked. In fact, the FBI chief said investigations into economic espionage linked to China were open in all FBI field offices across the country, which drove home the reality and gravity of the threat to the directors in the audience.
  • The government and the private sector are in this fight together. Cyber risk and technology theft are generational threats that will have wide-ranging political and economic repercussions for decades to come. As Wray put it, “Technology, geopolitics, and crime have all converged.” Addressing these issues will require closer cooperation not just among government agencies, but also between the public and private sectors. The FBI is already working closely and diligently with agencies such as the Departments of State, Homeland Security, and Commerce to deal with cyber threats and cyberattacks as quickly as possible. The FBI is also working to strengthen partnerships with US companies, according to Wray.

    To facilitate this process, the agency has created cyber task forces in all of its field offices. Every field office has a Private Sector Coordinator dedicated to engaging with companies. The FBI also runs a Chief Information Security Officer Academy at the FBI Training Academy in Quantico, VA, which covers cybercrimes ranging from nation-state-sponsored attacks to insider threat incidents. Companies may also partner with the FBI through its General Counsel (GC) Summit, where GCs can get expert guidance around cyber issues.

  • An effective response to cyberattacks will require a greater level of public-private information sharing. For many companies, it’s a matter of when, not if, they will suffer a cyberattack. When such an attack takes place, “getting the FBI involved early allows [the agency] to mitigate ongoing damage to [a company’s] data, . . . [provides the company with] the information need[ed] to understand what happened, helps mitigate risks to [a company’s] reputation from a delayed notification, and helps identify other potential victims,” Wray said. This is especially important if a breach has the potential to impact national or economic security or public health and safety, or if critical infrastructure is affected. That said, companies should not wait until a crisis strikes to connect with the FBI.

    “Too often, [organizations] confuse the idea that the harm is waiting until theft has occurred or systems have shut down. But the problem can happen much earlier. One of the points [the FBI] makes is that while prevention is important, detection and mitigation are even more important,” Wray said. To bolster such efforts, Wray advised organizations to reach out to the FBI and establish a trusting and reliable working relationship. “The best time to patch a roof is when the sun is shining,” he said.

Wray pointed out that the information flow goes in both directions: the FBI and other law enforcement agencies can serve as useful sources of data about emerging trends and developments in the fast-changing cyber-risk landscape. “We’re sharing indicators of compromise, tactics cyber criminals are using, and strategic threat information whenever we can,” he said.

At a time when a critical mass of people and businesses around the world rely on the Internet to store, access, and protect their digital assets, effectively securing this information has never been more imperative. The proliferation of cyber risks is placing a higher burden on directors—and their executive teams—to actively oversee this ever-evolving threat, according to Wray. As stewards of long-term value creation, boards should make sure their companies are balancing efforts to mitigate short-term concerns with efforts to deal with ongoing risks in the long term. Directors need to ensure that their organizations’ management teams implement effective, enterprise-wide cyber-risk frameworks and have adequate crisis response plans in place.

At the end of the day, the FBI director remains sanguine about the resilience of American businesses. He ended the conversation by remarking, “When I look at the dedication and commitment to [cybersecurity, as well as] the sophistication and entrepreneurial spirit that extends [across] our private sector, I would stack [our companies] against those of any other country in the world.”

Related Resources:  NACD’s Director’s Handbook on Cyber-Risk Oversight  and Cyber-Risk Oversight Certificate Program are designed to help board members stay on top of cybersecurity matters.  Our online Cyber-Risk Oversight Resource Center has additional guidance, commentary, and tools for directors.

Winners of Pitch-Off Inspire Audience at Summit

Eliminating deaths caused by pneumonia. Securing payment data using blockchain. These are just a few of the innovative ideas that were pitched—and that won—at the 2018 edition of Dancing With the Start-Ups (DWTS), a premiere event hosted by NACD at its annual Global Board Leaders’ Summit (GBLS).

2018 winners, from left to right: Zohar Steinberg (Token), Tinia Pina (Re-Nuble), Temiloluwa Adeniyi (NoPneu), and Fabrizio Martini (Electra Vehicles)

Audience members and judges alike at GBLS were inspired by the big ideas and disruptive technologies that the winners presented in short, Shark Tank-style pitches—all emceed by Guy Raz, the acclaimed host of TED Radio Hour and How I Built This. The 2018 competition winners’ companies solve for everything from health care crises to financial fraud, and promise to offer creative solutions to some of the most pressing challenges faced by businesses and people around the globe.

The winner in each category received a monetary prize package, a complimentary NACD membership, and a suite of NACD services and support to help them advance strong governance practices within their companies as they grow in size. Our previous DWTS competitors rank NACD mentoring as one of the most useful parts of participating in DWTS, and around 80 percent of former competitors received further mentoring, contacts, or funding through NACD-forged contacts.

2018 Winners

  • According to founder Temiloluwa Adeniyi’s pitch, undiagnosed pneumonia kills 1 million children per year. Nopneu, the winner in the health-care category, wants to change that through a diagnostic saliva test that is cheaper to manufacture and faster to diagnosis than chest X-rays. As a medical device, there is a low threshold for FDA testing and approvals. Adeniyi believes that with the partnership of the Gates Foundation NoPneu can help eliminate pneumonia.

Host Guy Raz listens to Temiloluwa Adeniyi’s NoPneu pitch

  • In the energy category, cofounder Fabrizio Martini introduced the audience to Electra Vehicles, a dual-energy storage (battery) and control solution. The technology was originally researched as part of the NASA Venus rover investigation, and has applications for vehicles in the United States and globally. Looking beyond electric vehicles, Electra Research claims that “anywhere there are batteries, we can help.”

How I Built This host Guy Raz with Electra Vehicles winner Fabrizio Martini

  • Financial services winner Token is in the business of eliminating bank-card fraud. “Hackers can’t steal what you don’t share! […And] hackers can’t steal what merchants don’t have,” said founder and CEO Zohar Steinberg. New York- and Israel-based Token hides your payment information behind secure virtual cards that are accepted wherever MasterCard is accepted.

Zohar Steinberg, Token

  • Re-Nuble, the winner in the “discovery industry” category, turns food waste into organic fertilizer, helping the organic food production industry work toward implementing a no-waste supply chain solution. Re-Nuble’s process doesn’t create any greenhouse gas emissions, is 20 percent cheaper than chemical fertilizer, and works in both hydroponic and traditional soil-based environments. This helps agribusiness create a closed-loop sustainable architecture, said Re-Nuble founder and CEO Tinia Pina.

Guy Raz with Tinia Pina of Re-Nuble

This year’s pitch competition, presented in conjunction with KITE, put every audience member in the judge’s seat. Expert judges Ray Rothrock (RedSeal), John Farrell (KPMG LLP), Danielle Cohn (Comcast Corp.), Robin Raskin (Living in Digital Times), and Amy Wilkinson (Ingenuity) asked probing questions and evaluated pitches.

Judges from left to right: Amy Wilkinson, Ray Rothrock, Robin Raskin, John Farrell, and Danielle Cohn

The audience also was able to weigh in on their favorites by voting on the GBLS mobile app. Winners were selected by a combination of the audience and the judges’ votes.

Click here to learn more about this year’s start-up stars.

Board Oversight of Ethics and Compliance: The Real Dynamics

Boards of directors set the ultimate tone at the very top. What they say, what they do, and how they spend their time in board meetings cascades from the C-Suite all the way through the grassroots of companies around the world. One of boards’ many critical roles is to oversee ethics and compliance and the systems that are meant to drive companies to do the right thing.

I know from my own board experience that directors are committed to helping their companies do the right thing—and that most board members at some point in their tenure wake up at night worrying that their company will be the next one to experience a headline-making corporate scandal. And, as a former chief compliance officer, I also realize that companies spend millions of dollars on people, processes, and programs meant to bring their core values to life in everyday business decisions.

Yet, despite the investments in time, people, and resources, there is little evidence that we have figured out how to get things right. Too many instances of corporate misconduct make the evening news, destroy company and individual reputations, and drive valuations in the wrong direction.

To explore the question of how boards oversee corporate conduct, LRN Corp. conducted in-depth, off-the-record interviews with the chief ethics and compliance officers (CECOs) of 25 companies from diverse sectors around the world.

LRN’s recent report on those interviews, “What’s the Tone at the Very Top? The Role of Boards in Overseeing Corporate Ethics and Compliance,” reveals a big disconnect on board ethics and compliance (E&C) oversight. Most of the CECOs say that their boards give E&C short shrift despite the significant business, legal and reputational risks involved in ignoring it.

Here are just a few of our key findings:

  • 52 percent of CECOs estimated their boards spend less than two hours a year on E&C.
  • 40 percent of CECOs reported that their boards have metrics in place for measuring E&C effectiveness.
  • 40 percent of CECEOs say their boards are willing to hold senior executive accountable for misconduct that happens on their watch
  • 50 percent say their board has not been educated on their E&C responsibilities
  • 40 say their boards have not done a “deep dive” on compliance failures and scandals, despite recent Department of Justice guidance urging them to do so.

In addition, only one third of the CECOs surveyed do not have an executive session with their boards or board committees, despite the 2017 Department of Justice guidance that this is a critical component of an effective ethics and compliance program.

The real dynamics of the relationship between boards and CECOs come through in the verbatim comments of the CECOs themselves. It is painful to read their actual words in describing board oversight of ethics and compliance. Here are some quotes from our interviewees:

  • “The board is passive—it doesn’t have a plan or strategy for ethics and compliance. It needs one.”
  • “The problem is the board doesn’t spend enough time on any ethics and compliance issue. We’re last on the agenda and often there is not time at all.”
  • “Some board members are asleep at the wheel because they either do not care or do not understand. It is really hard for board members to know what they are doing.”
  • “Directors know what auditors do, but they do not understand ethics and compliance enough to ask intelligent questions.”
  • “We need to make ethics and compliance a priority. Management does not get that sense from the board at all.”
  • “Compliance is the last thing on the agenda, sometimes reduced to five minutes.”
  • “I want the board to ask for an open, honest report on the status of compliance and do not phrase it nicely or in a way that looks good for your CEO.”
  • “We don’t measure ethical culture, but we should.”
  • “The board should be asking senior management something—anything—about ethics and compliance. Neither the CEO nor CFO need to report what they have done.”
  • The board “does not look to business leaders to talk about ethics and compliance.”
  • “I wish the board had more discussion on the consequences of incentives and pressures that are created by board action toward management. I get one shot a year to talk to them and usually my time is cut short.”
  • “The board should make it safer for me to have a conversation with them.”
  • “We need more independence. There is a lot of pressure. Many of us think ‘I do this and my chances of staying at the company are low.’”

Not all the findings in study are bad news, however. There were a few critically important behaviors of high-functioning boards in the companies in our report. High-functioning boards:

  • View E&C as foundational to the business.
  • Hold leadership accountable for E&C outcomes.
  • Develop long-term E&C plans and rigorous metrics focused on behavior and outcomes, not activities.
  • Establish strong, direct relationships with CECOs.
  • Devote time to their E&C responsibilities.

Ultimately, the gulf between CECOs and boards can be bridged—and the companies that get it right in our study show the way—but it requires boards to take meaningful steps to acknowledge the very real financial, tactical, and moral benefits of the E&C function. Ethics and compliance need more support and scrutiny from boards if it is to safeguard company reputation and performance.

As I said at the outset, I know boards and individual directors want to do the right thing. I also know how much pressure there is on board agendas and how many competing priorities are on their plates. Our interviews of chief compliance officers make plain that it is time for boards to take a hard, in-depth look at how they are overseeing ethics and compliance. Human behavior in the organizational context is extremely complex. Therefore, board oversight needs to become much more sophisticated if it expects to get the job done on ethics and compliance.

Our upcoming webcast, What’s the Tone from the Very Top: The Role of Boards in Overseeing Ethics and Compliance, will provide deep insight on this important question. To learn more, join LRN on October 10th for this webcast as I interview Gary Hayes, Marcus Brauer and Anthony Goodman from the Board of Directors and Leadership Practices of Russell Reynolds Associates.

Using Security Ratings to Drive Organizational Performance

An increasing number of security and risk teams are using security ratings to effectively assess the impact of their security programs and communicate changes to key decision makers like the company’s board of directors. These teams know that their company needs tools that provide an objective and quantitative view of their cybersecurity performance over time, and that a continuous overview of cybersecurity metrics is critical to sound cyber-risk oversight by the board.

As a CEO, I understand the importance of establishing goals and benchmarks and the need to be able to measure performance against them over time. This is an important demand that my company’s board has of me. In turn, it is a critical demand I have of people who report to me.

As adoption of security rating services has rapidly increased across companies and industries, many customers have tied their own BitSight Security Rating, a product that my company offers to security teams, to broader business goals and initiatives. With senior leadership more involved in security and risk programs than ever before, companies are beginning to set intervals of rating improvement as the benchmark for performance-based raises and compensation. But why should they be setting these goals within the company’s performance plans?

Progress in a fast changing environment like cybersecurity isn’t absolute. Rather, it’s relative and based on a goal determined by your specific organization and its leadership and on the prevailing conditions that confront your market and your peer group. Performance should be based on progress towards that goal as well as performance relative to others you measure yourself against in other business dimensions. So how do you know what a realistic goal is for cybersecurity performance? Setting that goal is the first step, and the next is tracking that progress over time as well as understanding the context for your performance.

Observing my team’s reactions to measurement and benchmarks in all areas of the business (pipeline, conversion rates, customer satisfaction rates, and account health measurements, for instance) is a healthy lens for understanding how cybersecurity ratings are initially received, but ideally embraced over time. In the early days of a benchmark or metric there is a tendency to focus on the absoluteness and provenance of data initially, followed by healthy debate on the key indicators and what they mean. If successful, the metric or benchmark delivers a common framework for business understanding and action. Anecdotes serve to illuminate the trend rather than obscuring it.

When thinking about these security performance trends, the measurement of a security rating can help provide context for decision making. Is your company’s security performance getting better or worse? How is your security performance changing relative to the important peer groups and benchmarks for your broader business? If worse, why is that and what do we need to change or implement as a part of our remediation strategy that we might not have considered? Overall, security ratings can help organizations understand their security performance over time, provide context, and then indicate trends that show improvement and can lead to better decision making.

One way to understand security performance context and trends is through products like my company’s Cyber Risk Monitor publication. Exclusively for corporate directors, this quarterly report contains critical, timely data and insights into global cybersecurity performance and trends. Armed with this information, directors can feel more confident and prepared as they engage in discussions around cyber risk and security performance.

Security ratings are innovative because they provide a way to quantitatively measure cyber performance, but with that comes certain challenges. Learning to use the measurement to drive performance is a process that takes time but ultimately simplifies internal decision making about cyber risk management.

Get the Most from the Risk Appetite Dialogue

Does your board practice what it preaches on risk oversight? While many directors espouse the importance of regular dialogue between the board and management about the company’s risk appetite, a recent publication by the NACD Advisory Council on Risk Oversight indicates there is room for improvement on how organizations articulate and discuss risk appetite.

This report—based on a discussion with risk and audit committee chairs from Fortune 500 companies—provides insight into how and why risk appetite is used in the boardroom, as well as the importance of an effective risk appetite statement. Here are some key takeaways.

Align the Risk Appetite Statement with Company Strategy

Risks are inherent to every strategy, whether the organization’s management chooses to express them explicitly or not. When determining the level of acceptable risk, directors should work with management to understand the most critical risks (whether expressed qualitatively or quantitatively) and evaluate management’s tolerance for each.

A solid risk appetite statement articulates risks in terms of how they align with company strategy. To create an effective statement, the NACD advisory council suggests using metrics to set boundaries for risks the organization is willing to accept—targets, ranges, floors, ceilings, or prohibitions within which the company is to operate.

The boundaries can be strategic, financial, or operational in nature. For example, strategic parameters consider matters such as new products to pursue or avoid, new markets to target, markets that are on- or off-strategy, brand-eroding actions to avoid, and the investment pool for capital expenditures and mergers and acquisitions activity. The advisory council also recommended benchmarking against peer groups.

When aligned with strategy and benchmarked against peer groups, the risk appetite statement can be useful for communicating with the board, encouraging personnel to take risks in executing the strategy, transforming a risk-averse culture into one that takes measured risks, and maintaining strategic focus.

Use the Risk Appetite Statement to Inform Critical Processes and Decisions

When articulated with both forward- and backward-looking metrics, a robust risk appetite statement can be used to:

  • Establish performance targets. Risk appetite statements help organizations set more balanced performance targets that avoid incentivizing excessive risk-taking. Executive management and the board determine trade-offs between promoting superior performance and limiting Pushing these determinations down into the organization drives strategic alignment.
  • Shape corporate culture. An organization’s overall risk awareness improves significantly when the risk appetite statement is translated into actionable guidance with well-defined thresholds and tolerance levels, as well as when it is used across the organization to measure and monitor acceptable variation in performance.
  • Improve communication, including reporting to the board. An effective risk appetite statement is an important communication tool for driving alignment with and awareness of the strategy. A robust statement clarifies acceptable (or on-strategy) risks that management intends to take and forces dialogue on whether the strategy’s potential rewards outweigh the inherent risks. These risks are typically foundational elements of the business strategy (e.g., investing in developing countries to fuel market growth and innovating in specific areas to drive new revenue streams).
  • Make decisions about compensation. A formal risk appetite statement can inform a company’s overall compensation philosophy with the goal of preventing employees from taking unacceptable risks to achieve performance targets. The NACD publication provides important questions directors can ask when evaluating whether the design of incentive compensation plans may inadvertently encourage risk-taking that conflicts with the established risk appetite.

No one disputes that successful organizations must take risks to create value. The question is, how much risk should they take? A balanced approach to value creation means the enterprise only accepts reasonable risks given its capacity to bear risk and the level of risk it can reasonably expect to manage successfully.

Continually Re-Evaluate the Risk Appetite Statement

The risk appetite statement should be revisited periodically as the business environment and strategic priorities change—that is, it should be considered a “living document” and a benchmark for discussing the implications of opportunities as they arise versus a way to constrain management.

The four appendices to the NACD publication also provide useful insights, such as four core elements of an effective risk appetite framework:

  1. A collection of principles that articulates the company’s philosophy on risk-taking;
  2. A set of limits that identifies the thresholds of acceptability in key areas;
  3. An analytical tool that enables the development of those limits and facilitates reporting against them; and
  4. An implementation framework that describes how the risk appetite is deployed in corporate decision-making.

From our experience, the most important part of formulating a risk appetite statement is the board’s dialogue with management. This dialogue often focuses on such questions as what risks we seek to take, what risks do we want to avoid and—the big one—why?

It leads to discussions on which risks the organization manages better than its competitors and if management knows why it handles them better. Finally, the dialogue forces the organization to acknowledge the risks and uncertainties inherent in the business model, as well as how these risks are being reduced to an acceptable level.

The Tortoise, the Hare, and the Bull: Long-Term Value Creation at Ariel Investments

John W. Rogers Jr. once beat Michael Jordan at basketball. Real basketball. One on one. On a real court. With a real basketball. In front of people who were watching. While impressive to anyone on the planet who has seen a basketball, that victory is perhaps lower on his list of achievements than one might expect. Rogers has led Ariel Investments, a value-based mutual fund and investment company, since founding it in 1983, and he serves on the boards of McDonald’s Corp. and Exelon Corp.

He joined more than 1,700 directors at the 2018 NACD Global Board Leaders’ Summit, offering perspectives on his view of the economy, diversity, social engagement, and directorship.

Bullish on the Economy

His firm, Ariel Investments, focuses on long-term-value investing. This philosophy is embodied in its logo, a tortoise holding a trophy. At present, his perspective on the economy is long-term and bullish. Rogers travels extensively, speaking to a wide range of small- and mid-cap C-suite executives. These conversations have shown increasing enthusiasm toward the operating environment in which firms now find themselves.

Tax reform has allowed many to pay down debt and invest in operations, while regulatory reforms have positively impacted a wide variety of businesses. However, Rogers notes that investment committees remain more bearish than management. Their risk-averse instincts, developed over the last ten years, remain on alert. For Rogers, and for Ariel, this is good news. Board skepticism creates room for a contrarian investor to pluck attractive investment opportunities.

At a more macro level, Rogers believes valuation levels are reasonable and notes that interest rates remain at historically low levels. It is an unexpected rise in interest rates that Rogers is most concerned about, while the national deficit, a top concern for many, does not worry him, at least not in the near term.

Encouraging Diversity and Inclusion

Ariel was the first black-owned mutual fund business in the United States. Early on, Rogers embedded a commitment to diversity in Ariel’s investment criteria and in its own management. The value-investment perspective necessitates a longer-term focus. Interestingly, this has implications for diversity and inclusion.

Value investors seek out firms that are not only undervalued now, but also have a strong potential for future returns. As such, Rogers and Ariel seek out firms that look like the twenty-first century, not the 1940s. Often, simply pointing this out to boards is sufficient to initiate positive change—and it has worked 35 times since Ariel’s founding.

These “Jackie Robinson moments,” as Rogers calls them, borrowing the phrase from Jesse Jackson, helps firms come to understand that diversity and inclusion is not cosmetic, but rather improves actual firm performance. Diversity of opinion, thought, and background makes organizations better than they were before, echoing improvements in the quality of play that Major League Baseball saw after Robinson broke the color barrier.

Engaging With the Larger Community

His diversity-related work does not end with his professional obligations. Rogers helped to start the Black Directors Conference, which brings together more than 350 directors to take actions that lead to measurable improvements in diversity and inclusion across the economy. Directors at the conference agree to ask broadly about diversity and inclusion within their own organizations. They also agree to ask the businesses with which their companies have relationships about diversity and inclusion in their organizations, to move beyond the often narrow diversification of suppliers to a much broader supply-chain diversity imperative.

Advice for New Directors

Rogers has some helpful advice for first-time directors, resulting from his investment interactions with boards and management and his role as a director:

  1. Be a good listener.
  2. Ask clear and direct questions.
  3. Pick two or three things you are comfortable with—your areas of expertise—and make them your own.

His own path provides both future and current directors with clear and actionable advice. And it’s good advice, advice that stands on its own. If you don’t believe that, you should take his word anyway. He beat Michael Jordan, for goodness’ sake.

BRC Commissioners to Directors: Become Adept at Adapting

When this year’s Blue Ribbon Commission (BRC) convened to define the objective of its initiative, evidence was everywhere that boards needed to do a better job of adapting to unexpected risks. Since that day, 2018 has shaped up to be a year that embodies the acronym VUCA: volatile, uncertain, complex, and ambiguous.

What follows is an adapted excerpt from “Adapting to Future Trends,” the cover story of the September/October 2018 issue of NACD Directorship magazine. Comments from BRC cochairs Sue W. Cole and Kelvin R. Westbrook add color to the initiative behind The Report of the NACD Blue Ribbon Commission on Adaptive Governance: Board Oversight of Disruptive Risk, which was released this week and discussed by attendees and commission members at the 2018 NACD Global Board Leaders’ Summit.

Situational Awareness in the Boardroom

The fact that business operations today are fundamentally different from those of even a decade ago has only complicated the board’s role in risk oversight. The current pace of change necessitates that your board’s composition, skills, and processes are chosen to maximize situational awareness in the boardroom. “There’s not a cookbook for how to deal with this stuff,” said Cole. Thus, the commission challenges boards to anticipate and get ahead of change.

“In an operating environment frequently characterized by the acronym VUCA (volatility, uncertainty, complexity, and ambiguity), boards need to help their organizations do a better job assessing disruptive risks, whether internally or externally driven, that could have a significant economic, operational, or reputational impact—and to be better prepared to respond when the unforeseen does occur,” the cochairs write in their introductory letter to the report. “We believe this task is not an optional consideration for directors—it is a critical imperative for boards of both for-profit and nonprofit organizations, both private and public companies.”

“NACD and our commission did a survey of directors that indicated that the majority of boards felt they were not spending enough time even talking about this area of [atypical] risk,” Westbrook said. Fifty-three percent of surveyed directors indicated that they felt only moderately or slightly knowledgeable about these risks, while another portion of the survey found that 72 percent of surveyed directors felt that the amount of time left in their agenda to address these types of risks served as a moderate to significant barrier.* “If you’re not taking the time to do so, what you’re doing probably isn’t adequate,” Westbrook said.

In spite of their assessment, the cochairs wanted the commission findings to inspire and empower directors who are often overloaded with work and information. “We thought that given everything that’s going on boards ought to be encouraged to improve by reevaluating their approach to risk oversight in the current environment—to step up their game,” Westbrook said. A summary of recommendations follows.

  • Define what disruptive risks look like for your organization. Assess the risks that might have the greatest impact on your organization’s ability to function and thrive. Set goals for strengthening governance based on what you would need to have in place either to respond to a negative incident or to bounce back with resilience, and task the nominating and governance committee with allocating oversight responsibilities among the full board and key committees.
  • Seek new and different resources for information critical to assessing disruptive risks. “If you’re going about the risk oversight process by gathering information in the same way that you have historically, then you’re probably leaving some very relevant data inputs on the table,” Westbrook said. These resources include hiring subject-matter-specific consultants, attending educational events, and pressing management to provide greater context about how their reported results were compiled and how their conclusions were drawn.
  • Develop awareness of cognitive biases that could be acting like blinders. “A great leader is going to be very self-aware,” Cole said. “And the same goes for the board—we have to be aware we have our own biases.” Westbrook suggested that directors “spend time with people who didn’t occupy this world 30 years ago,” stating that “they’re not concerned with what used to be; they’re focused on now and tomorrow, and the pace of change for them is very comfortable.” Westbrook also suggested developing an advisory board, while Cole mentioned bringing specialized experts into the boardroom if an advisory board doesn’t make sense for your organization.
  • Create a board culture where skepticism is encouraged. “We have to set up the environment where it’s okay to ask questions, to debate, to disagree,” Cole said. “It’s that simple. We’re put on boards to have the oversight, the insight, and the foresight, and you can’t do that without asking questions continuously.” Boards that do not embolden directors to seek greater context may miss indicators of risks that could be right under their noses—and may miss the opportunity to seize on a risk that could create greater value.
  • Stop looking backward. “Depending on where you sit, you can’t derive a lot of comfort from the way things have played out in the past, because that world looks very different from where we are today,” Westbrook said. When the stakes change, boards have to change their approach to risk oversight. “If you’ve not been here before, I don’t know how much you should rely on history to give you comfort that you’re at a good place,” he added. Directors should learn from past mistakes and triumphs, but also recognize that the current operating environment is significantly different from the one where they may have cut their teeth as executives.

Directors should approach these risks with the understanding that oftentimes, risks have upside opportunities. This year’s report and toolkit will empower your board to seize chances to strengthen long-term value creation.

Ready to read more? Members can click here to read the September/October 2018 issue of NACD Directorship. Members and nonmembers alike can click here to read the Commission’s report.

*Source: Data from NACD director poll on board oversight of atypical risks, conducted March–April 2018.

NACD CEO to Members: We Are the Key to Transformation

Editor’s note: NACD CEO and president Peter Gleason addressed the audience of the 2018 NACD Global Board Leaders’ Summit on Sunday morning, September 30. What follows is a recap of his comments.

Take a moment and look around—at the person sitting next to you, or behind you. Take a moment to recognize the company you’re in. This is a very significant group of leaders. In this room we hold the means to positively influence virtually everything that affects our world.

We are the key to transformation.

We represent companies of all types: public, private, nonprofit, small, medium, large, mega. Our companies have the know-how, the access, the resources, the infrastructure, and the human capital to discover, design, and innovate to create products and services that can transform everything.

What we do can save lives, protect natural resources, improve education, feed the world, and promote human dignity for all.

There are relatively few of us, but the power here is remarkable. We guide and enable the companies we serve. We create jobs and drive the economy.

We’re also living in a transformative time. Movements have caught fire. Geopolitics and regulatory shifts have altered landscapes. Disruption abounds and innovation either threatens our businesses or beckons us to act. While we often talk about disruption, let’s talk about transformation and how we can use our unique influence to drive it.

In his 2017 letter to shareholders, Larry Fink warned that companies need to demonstrate a strategy for long-term value creation and that understanding a company’s effect on the world is a key component of that strategy. He wrote, “To prosper over time, every company must not only deliver financial performance, but also show how it makes a positive contribution to society.”

Even Dennis Whalen in the Harvard Business Review is commenting on a tighter connection between social capitalism and bottom-line performance, noting that “leadership from the boardroom is essential to making this happen.”

This movement toward transformation represents a convergence of culture, communities, capitalism, and growth, and it starts in the boardroom.

Rest assured that NACD is transforming, too.

We serve you, our members, with tools, insights, and resources—not just to keep you up to date with what’s going on, but to help you get ahead in these turbulent times. Many of our resources explore how people and culture drive company value. If your people are aligned with company values, you get greater performance. Lead the conversation around culture with management and then define your values as an organization. Be proactive with discussions rather than reactive to an event that may define your culture for you.

One element of culture that we’ve focused on for 20 years is diversity. NACD has charted a path toward more diverse and inclusive boardrooms. Simply put, diversity is not a nice to have, it’s a business imperative. And the time is now.

To put our words into action, NACD is unveiling the NACD NXT Initiative.

This is a multiyear initiative to equip boards to better navigate the challenges of the future. In the next decade, boards will be facing questions like these:

  • Where will the next generation of board leaders come from?
  • What skills will be imperative in terms of board composition?
  • How will they learn, network, and capitalize on opportunities?
  • What issues will rise to the top?
  • How will directors stay current in this dynamic and rapidly changing world?

Many of you were with us last night when we kicked off this initiative with a gala celebrating four companies that represent the kind of transformation we’re aspiring toward. They have not only recognized the importance of diversity and innovation but have also acted on it.

Please join me in congratulating the four winners:

  • Newmont Mining Corp.
  • Foot Locker
  • TrueBlue
  • Liberty Mutual Insurance

Finally, disruption is driving transformation. To survive and thrive in the face of disruption, we need to be adaptive to constant changes. This is the theme of this year’s Blue Ribbon Commission initiative. [You can read The Report of the NACD Blue Ribbon Commission on Adaptive Governance: Board Oversight of Disruptive Risks starting October 1 on our website.]

The opportunities and threats posed by disruptive forces and events have the potential to make or break an organization’s ability to generate sustainable long-term value. The transformation resides in our ability to perceive and respond to unforeseen changes happening around us.

In closing, I want to leave you with this:

  • It’s up to us.
  • We, the director community, are in a unique position of influence.
  • We are, indeed, the key to the transformation we are seeking.

I urge you to make the most of this Summit. Get out of it what you can—there truly is something for everyone. And continue to engage with NACD. We’ve got some exciting things ahead to help you lead with confidence and drive the transformation that our boards, our organizations, and our world needs today.

Thank you, and enjoy the next three days!