SASB Standards Help With Risk Oversight and Insight

In the stormy seas of modern markets, effective corporate governance can seem like Ithaca to Odysseus: a noble goal impeded by a litany of extraordinary obstacles. From technological innovation and population growth to resource constraints and climate change, a host of modern challenges are reshaping the competitive landscape of every industry, and the risk oversight responsibilities of corporate directors are evolving accordingly.

Mismanagement of these issues can have significant impacts on a firm’s financial outcomes and those of its peers. They can disrupt business models or even entire industries, they can create public relations crises, they can result in regulatory action—or they can do all three at once. Increasingly, a broad swath of stakeholders—from employees and key suppliers to customers and local communities—want to know how companies are managing environmental, social, and governance (ESG) issues.

Shareholders, too, have joined these ranks—although they may take a narrower view as they increasingly monitor corporate sustainability risks and opportunities. As the chairman of Vanguard, one of the world’s largest asset managers, noted in a 2017 letter to the boards of public companies, “directors are shareholders’ eyes and ears on risk.” Therefore, in this evolving competitive environment, ESG-related risk management is not just an operational responsibility for executives and their teams but also a governance issue that falls under the purview of the board’s oversight. Indeed, a board’s “sustainability literacy” is of growing concern to investors.

In their oversight role, boards—or, often, their audit or risk committees—must satisfy themselves that a company’s risk management approach is:

  • Strategically aligned: this involves knowing which ESG factors are most relevant to the company’s business model;
  • Appropriate to the organization’s risk appetite: this involves having comfort that the probability, magnitude, and timing of each issue’s impacts have been rigorously interrogated; and
  • Present and functioning: this involves performance data through which the effectiveness of risk responses may be monitored.

The industry-specific standards recently issued by the Sustainability Accounting Standards Board (SASB) can help directors more effectively assess each of these key considerations. By viewing sustainability through the lens of financial materiality, the SASB standards identify the subset of ESG factors—six per industry, on average—that are reasonably likely to impact a company’s financial condition or operating performance. They are, therefore, fit to be incorporated into an organization’s enterprise-level risk assessments and discussions of strategy. And because they establish best-practice performance metrics, they can also be used for monitoring risk responses to inform an evaluation of residual risk. SASB’s Materiality Map, which can be seen here, illustrates the dimensions and key ESG factors to improve risk oversight.

As investors and their governance teams increasingly engage with directors and management around ESG-related issues, the SASB standards can help boards become more conversant on key, industry-specific sustainability factors. They can also help keep the lines of communication open beyond direct engagement through conventional channels, such as financial filings, sustainability reports, websites, and others. For instance, Nike provides an index of ESG-related performance indicators based on SASB standards on the investor relations page of its website, as well as in its sustainability report.

Such sustained and consistent communication about these issues is growing in importance—for example, of the 79 percent of investors who believe climate change is a significant risk factor, 61 percent believe enhanced reporting is the top priority for companies. For this reason and others, investors and companies alike have begun to embrace the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD), which have received public expressions of support from more than 450 companies with a combined market capitalization of over $7.9 trillion. Meanwhile, nearly 400 investors managing more than $22 trillion in assets have also done so. Notably, the TCFD specifically and repeatedly cited SASB standards as a practical tool for implementing its recommendations. This is because the standards, by design, help companies move their sustainability efforts “from principles to practice.”

As a result, although the SASB standards were designed primarily to fulfill investor expectations for consistent, comparable, and reliable data on ESG performance, they can also help directors respond to an evolving set of risk oversight responsibilities. Indeed, recent regulatory activity has indicated that boards may need to sharpen their ESG-related risk oversight. After the Securities and Exchange Commission issued cybersecurity guidance suggesting that boards play a strong role in overseeing cyber risk, a recent “red flag” enforcement order called out a financial services company’s board for failing to “administer and oversee” cyber risk. Meanwhile, the Federal Reserve reprimanded a commercial bank’s board for its “lack of inquiry and lack of demand for additional information,” which the Fed said led to “pervasive and serious compliance and conduct failures” related to customer welfare.

As corporate management and boards wrestle with a growing array of ESG frameworks and demands from ever-widening groups of stakeholders, the SASB standards can serve as a vital tool for achieving focus—in their reporting, their performance management, and their risk oversight. After all, effective decision making requires useful information—regardless of whether you’re an investor making a buy, sell, or hold decision or a director looking to identify, assess, and monitor the ESG-related issues most likely to affect your core business strategy and ability to manage risks and opportunities.

As directors attempt to navigate the shifting sands of competitive, regulatory, and capital market landscapes, new challenges are likely to call for new—or renewed—priorities. For example, in a recent NACD survey, most public company directors indicated they would like their boards to take more action to enhance ESG oversight and also identified strengthening oversight of risk management as a top improvement priority in 2019. With investors’ “eyes and ears” increasingly attuned to ESG issues, practical application of the SASB standards can be indispensable as boards modernize their risk oversight toolkits and help their companies proactively tackle tomorrow’s challenges today.


Matthew Welch is president of the Sustainability Accounting Standards Board (SASB) Foundation.

Integrating Sustainable Investing into Corporate Retirement Plans: What Boards Need to Know

Driven by increasing media coverage and inquiries from employees, a growing number of employers are evaluating whether—and how—to integrate responsible investment approaches into their retirement plans.

The potential benefits of integrating environmental, social, and corporate governance (ESG) approaches into retirement plans are twofold. First, doing so can lead to stronger risk-adjusted returns for retirement plan participants’ and beneficiaries’ assets. Second, participant surveys and evidence show that employees—especially younger ones—tend to save more for retirement when offered investment options that reflect their values. Given the strain that societal aging and longer retirements are putting on pension assets in many advanced markets, strategies that increase retirement savings are critical.

Fiduciaries may wish to examine including responsible investment options within their organization’s retirement plan. However, as their respective committees review and consider recommendations to the board (and shareholders, if necessary or appropriate) on establishing or changing retirement plans, many organizations deal with questions about integrating ESG investment approaches into their retirement plans.

Recent research by Mercer Investment Consulting and the World Business Council for Sustainable Development focuses on three key areas of concern for many organizations as they consider implementing ESG approaches into retirement plans:

  • Regulations. In most regions of the world, understanding and acceptance of ESG’s significance in long-term investment performance is generally increasing among financial regulators. In the United States, by contrast, recent policy shifts by the Department of Labor have resulted in a notable lack of clarity around whether and how plans governed by the Employee Retirement Income Security Act of 1974 (ERISA) can consider ESG factors in investments, a challenge the US Government Accountability Office (GAO) has acknowledged directly. Until such issues are addressed more definitively, US retirement plan fiduciaries may have a (potentially unwarranted) belief that their responsible retirement initiatives could face added regulatory scrutiny.
  • Responsible Investment Performance. A common perception among investors is that considering ESG factors in decision-making necessarily involves sacrificing some measure of investment performance in the pursuit of values alignment. However, studies show ESG integration approaches to investing can produce positive or, at worst, neutral outcomes. For example, studies by the US GAO have found a neutral or positive relationship between ESG considerations and financial returns compared to otherwise comparable investments. Another study by the US Department of Labor found incorporating ESG factors into investments typically produced performance comparable to, or better than, investments that did not incorporate ESG.
  • Fiduciary Duty Considerations. A fairly common element of fiduciary duty across major jurisdictions is duty of loyalty, which requires that the retirement plan is run solely in the best interests of beneficiaries and participants in the plan. A secondary, but nonetheless essential, fiduciary duty requirement is the prudent person rule. The Organisation for Economic Cooperation and Development defined the prudent person rule as requiring retirement plan fiduciaries to invest on beneficiaries’ behalves with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.

While our staff are not lawyers, it is our belief that responsible retirement approaches are not in conflict with either of these two core fiduciary duties—rather, such approaches can enhance them. For duty of loyalty, given that ESG integration practices are generally employed by investors seeking to broaden the scope of investment analysis to include material ESG risks that may not be evident in financial statements, ESG integration is focused on improving investment outcomes for participants and can therefore be interpreted as acting solely in plan participants’ and beneficiaries’ interests. Similarly, it makes sense that a prudent person would consider as many material data points as possible, and therefore ESG integration (or the consideration of material non-financial data in making investment decisions) aligns with the prudent person rule.

Integrating responsible investment approaches into corporate retirement plans represents an exciting opportunity to align the interests of plan sponsors, participants, and beneficiaries in potentially enhancing plan participant outcomes.


Max Messervy is a senior associate and responsible investment consultant at Mercer Investment Consulting.

Is Your Board Keeping Up With Evolving Expectations Around Privacy?

India, the world’s largest democracy, last year declared that “privacy is the constitutional core of human dignity” and is pursuing a national data protection law. In Europe, the General Data Protection Regulation (GDPR) has already been put into effect, while California took the lead this summer in the United States to pass its own data privacy law. Even China and Vietnam have passed cybersecurity laws that include stipulations for the storage of user data.

As nearly every commercial and social transaction has become linked to the Internet of Things, the definition of privacy has evolved as well. NACD and Baker Tilly Virchow Krause LLP recently cohosted a roundtable discussion with directors and industry experts in Philadelphia, Pennsylvania, to assess the board’s role in data privacy oversight in light of the current regulatory environment and the growing expectations of consumers and investors. The discussion resulted in five key takeaways for how to think about data privacy as a whole and what concrete steps boards can take to improve oversight of data privacy programs:

1. Data now belongs to the data subject, not the entity in possession of the data. Although a national data privacy law has not yet been implemented in the United States, the European Union and the state of California have taken the lead in adopting regulations that give consumers a right to control their own data. “There has been a fundamental shift in thinking around who really owns data,” said Baker Tilly Partner David Ross. “In the United States our [corporate] perspective has always been, ‘If I have the data, then it’s mine and I can do whatever I want with it.’ Then the Europeans started saying that the data subject really has the rights to control the data and how it’s used.” As consumers globally demand a greater right to privacy, boards should preemptively prepare for further data privacy regulations both internationally and in the United States.

2. Data privacy and cybersecurity are not synonymous terms, although they are intertwined. Baker Tilly Partner Jeff Krull distinguished data privacy from cybersecurity this way: “Privacy is protecting people’s data in compliance with the law. Cybersecurity is whether or not you have the right mechanisms in place to keep that data from being breached.” Krull emphasized that there is a heavy legal component to data privacy and a heavy operational component to cybersecurity. “You can have a great privacy program and get breached one hundred times over. You can also have a terrible privacy program and a great cybersecurity program, and even though your data might not get breached, you may not be in compliance with the law.” If directors properly understand the distinction between these terms, they will be better equipped to oversee how data privacy and cybersecurity programs are implemented at their companies.

3. Directors need to have a fundamental understanding of the data privacy landscape, not necessarily an expertise. The 2018–2019 NACD Public Company Governance Survey indicates that only half of public company directors (52%) believe they personally have enough understanding to provide effective cyber-risk oversight, although slightly more (58%) believe their boards collectively have enough understanding to do so. “If you’re going to be a true expert in cybersecurity or privacy, you have to be out there doing it day in and day out, because six months from now what you know may be obsolete,” said Krull. “The key is to get access to the right information when you need it to make a strategic decision. If you don’t think you have the right expertise, it’s really hard to set an appetite for how much risk you’re willing to accept.” Roundtable participants discussed hiring outside advisors, using an advisory board, or taking certification courses to ensure directors have access to this expertise.

4. Management responsibilities for cybersecurity and data privacy programs should be clearly defined so directors know who to go to for information. According to Krull, the board’s first step is to decide where on the management team primary responsibility for cybersecurity and data privacy lies. “Boards should assign direct lines of responsibilities to specific members of management who will report to the board on cyber and privacy and have the authority, responsibility, and accountability to oversee cybersecurity and privacy for the organization as a whole in alignment with the board’s cyber and privacy objectives and risk appetite,” said Krull.

Just as the chief information security officer (CISO) has become a staple C-suite position, attendees discussed how there will likely be a similar trend with the adoption of chief privacy officers, although the approach currently varies by industry. “I’m a chief privacy officer, which at my company means anything that has even a little data—including email—is my responsibility. So, it’s good to have a centralized person to handle data protection,” said one director. “However, the CISO and I are [attached] at the hip because I don’t have the technical knowledge and he doesn’t have the legal knowledge.” Regardless of whether or not a chief privacy officer is currently in place at their organizations, boards should ensure responsibility for cybersecurity and data privacy is properly assigned to members of management, accounting for the strong link between the two domains.

5. Gap assessments around the data privacy and cybersecurity programs can be used to develop a plan to address program risks. Krull and Ross suggested boards take a calculated approach to assessing their data privacy and cybersecurity programs by defining their acceptable risk envelope with regard to privacy. This usually starts with identifying the critical data pools, including where the data is stored, the size of the data, and how sensitive it is. Then management should rank the data in order of importance according to the potential risks posed to the organization and develop a program to address the most high-risk data first. “With our clients, we adopt the attitude of eliminating the most risks in the most efficient way, because you’re never going to eliminate all the risks due to the high cost,” said Krull. Setting goals over the next 12 months for what the program should look like and using metrics to measure success can help ensure accountability.

In conclusion, the strength of the company’s data privacy program will directly impact its reputation and bottom line. As more regulations regarding data privacy come into force, and as consumers demand more control over their data, boards need to be agile in defining their companies’ data privacy programs in this rapidly changing environment. Boards should conduct a gap assessment of their data privacy programs and ensure responsibilities are delegated appropriately to management, with the ultimate goal of creating a risk culture where the board, management, and employees understand the reasons behind protecting data and work as a collective to do so.

Oversight of Digital Transformation: Insights from Active Directors

Disruptive innovation has a clear impact on the half-life of companies’ business models, and industry disruption and digital transformation present opportunities and risks that are shaping—and speeding up—business model changes.

To gain perspective on this important area of board oversight, Protiviti met with 20 active directors during a dinner roundtable at an August 2018 NACD event to discuss the board’s oversight of industry disruption and digital transformation. Here are some important takeaways from that discussion.

Evaluate digital readiness. Digital leadership requires a certain state of mind. Digital leaders change the way an organization acts and thinks in everything it does. To be successful, digital leaders must prepare their organizations to compete in the digital age. They must also assess how advanced digital know-how is across the company. Is the organization a follower or a leader? If it is a beginner or a skeptic, does the board encourage management to advance its digital maturity? Can management identify and act on strengths and weaknesses across the business in the context of the digital vision, mission, and strategy?

Management can have the best possible strategy, but the organization can’t execute if it is not digital-ready. It is also difficult to formulate a viable strategy if the organization is not digital-ready. It helps if the company benchmarks itself against the competencies at which digital leaders excel to better understand the path to achieving digital readiness. Protiviti offers a framework to help organizations conduct this assessment.

Understand what transformation entails. To probe management for answers to questions about the company’s advancement as a digital entity, directors should prioritize digital familiarity and literacy in their own development as well as ensure they have access to digital-savvy experience. True digitalization starts at the core. The board, therefore, must transform itself before it can offer effective oversight of the organization’s digital journey. Just as a strategy that attempts to layer technology on an analog business doesn’t work, neither can a board consisting solely of directors who grew up in the analog age contribute effective oversight without substantive steps toward digital literacy and digital savvy.

One option may be to form an innovation committee with technology, digital, and transformation experts as members. Another is to include directors with the requisite technology expertise on the board to complement the directors who grew up in the analog age. Yet another option is to engage outside advisers to inform the board with relevant perspectives.

Focus on resiliency and agility. In the digital era, good governance may need to be different than even five years ago. Boards need to sharpen their focus on innovation initiatives and on changing the organization’s mindset concerning digital initiatives. People and culture are the keys to success in digital transformation. If an organization has effective digital leadership, enhances the digital capabilities of its people, and creates a corporate culture that incentivizes and empowers creativity and innovation, it will become a truly digital organization. Changing the mindset also requires effective communication by management of a compelling narrative regarding the company’s focus on digital transformation and the need for change.

The board can play an important role in fostering a resilient and agile mindset by allocating sufficient agenda time to discussing the company’s innovation strategy and culture and encouraging open discussion on direction and progress. This requires constructive engagement with management and broader, more diverse perspectives regarding how the organization should embrace digital culture opportunities. The dialogue should be supported with appropriate innovation-specific metrics that tell the full story of how the strategy is performing, what the return on investment is, and how effective the company’s innovation culture and capabilities have become.

Keep an eye on the customer experience and competitive advantage. How can directors ensure that management has its act together, has the right team and competencies in place, and is taking the organization down the right path? A customer-centric approach to digital strategy breeds confidence that the organization is making the right moves.

Success in executing on digital initiatives is about knowing the company’s limitations and avoiding procrastination on making the difficult decisions to address those limitations. A strong focus on the customer is a powerful driver for moving forward. For example, data strategy and legacy infrastructure issues (e.g., technical debt) are difficult problems that are often ignored. But with a commitment to enhancing the customer experience and commanding customer loyalty, companies can overcome this inertia and do what it takes to remain competitive.

Ensure there is a compelling plan that fits market realities. The board needs to ensure that management formulates a viable plan for managing business disruption and transformation and executes that plan. This isn’t easy given the uncertainty in determining the appropriate technologies to embrace, new products and services to offer, strategic supplier and distribution channel partners to engage with, and changes to make in the business. Under the auspices of the board, management must measure and monitor progress. As noted earlier, a digital readiness assessment can help by clarifying the organization’s strengths and weaknesses so that management knows where to focus on its journey to digital maturity.

Consider humane digital transformation. A clear and coherent strategy is needed to address worker dislocation and displacement. That was a critical issue during the NACD event, which no one took lightly, and several participants continued to discuss it after the roundtable concluded. Currently, the answers are elusive.

For a more complete look at this roundtable, including key takeaways, read Protiviti’s full summary of the event.

Global Directors Weigh in on Corporate Governance Issues

Companies operating globally are facing disruption on nearly every front. Political divisions are deepening in democracies across the Western world as varying groups become increasingly disenchanted with the status quo. On a regulatory front, Europe is forging ahead and initiating stringent rules, particularly in the areas of privacy and technology. Companies are also bracing for a future with deadlier and less predictable environmental issues, which pose potentially significant risks to business operations, from employee safety to supply chain disruption. In light of these realities, it is more critical than ever for the board to have a proactive approach to accountable and adaptive governance.

To understand how directors globally view governance, the Global Network of Director Institutes produced the 2018 Global Director Survey Report. This first-of-its-kind survey reflects the perspective of roughly 2,000 public and private company directors from Africa, the Middle East, the Americas, Asia–Pacific, and Europe. The results provide important insights into the challenges and priorities of board members around the world.

What issues are top of mind for this group of directors?

Boards are increasingly finding social issues on their radar. When asked about key challenges, participants largely coalesced around three issues: poverty and income inequality, taxation and government spending, and the cost of health care. That said, there were some regional differences in directors’ ranking of these issues. Survey participants from European companies are more concerned with the cost of health care than their American counterparts, who point to taxation and government spending as a key priority. For their part, Middle Eastern and African directors worry most about poverty and income inequality.

How do boards evaluate themselves?

Conventional wisdom holds that what is not measured does not get done. In an effort to enhance governance, assessing directors individually and the board collectively is critical to ensuring that the board’s composition aligns with the company’s long-term strategy. The survey found that the majority of respondents (80%) conduct evaluations. However, out of those who conduct evaluations, the highest percentage of directors (46%) said their boards evaluate performance via informal discussions. This is compared to 42 percent whose assessments are done using formalized discussions and processes. The Americas led the group in using formal evaluations (57%).

How do directors view environmental, social, and governance issues?

Despite investor calls for more robust oversight of environmental risks, these issues continue to be lower priorities for boards. When asked about the relevance of select risks to the strategy and operations of their organizations, nearly half (42%) of respondents said the depletion of fossil fuels was not at all relevant; 38 percent said the same of measuring carbon emissions and their carbon footprint. Climate change fared slightly better with 30 percent of directors saying it was irrelevant to planning for the company.

Issues involving personnel, however, ranked fairly high for directors: 72 percent believe ethical behavior is critical to company strategy and operations, compared with 65 percent for employee health and safety, and 57 percent for employee relations and engagement. Given the tight labor market in the United States, human capital management is likely to become a more pressing issue on board agendas. In fact, employee engagement was slightly more important to American directors (62%) than their European counterparts (45%). This concern also underlines the growing focus on culture as an enabler of company strategy and success. Culture can have wide-ranging repercussions for an organization—both beneficial and detrimental—and, therefore, the board should dedicate adequate time to oversight of organizational culture. As noted in the Report of the NACD Blue Commission on Culture as a Corporate Asset, “a healthy culture serves as a unifying force for the organization and reinforces the elements of the strategy and business model in a productive way,” while a “dysfunctional [one] has the potential to undermine the business model and create significant risk for the company.”

Are directors confident in their board’s ability to oversee technology?

Technology can either catapult an organization to unexpected success or disrupt its business model to the point of insolvency. And directors believe big data and artificial intelligence (AI) are likely to disrupt their companies, with a majority (63%) selecting big data as the top potential disruptor, closely followed by AI (60%). The application of emerging technologies is likely to change the ways a variety of companies do business; however, it also represents unpredictable risks. Even if their companies are not early adopters or first movers in their industries or sectors, directors should ensure their companies are well positioned to capitalize on the changes these technologies may usher in.

Directors of any company type—regardless of domicile—are charged with strengthening the company’s long-term value creation. As the global business landscape continues to evolve, directors must ensure their board is keeping up with the skill sets and practices necessary for effective oversight. That said, understanding the answers to the above questions, and how they may vary from region to region, will be increasingly important as more companies extend their cross-border operations. For more insight into how varying governance approaches may impact your company’s global operations, download the full 2018 Global Director Survey Report.

Proxy Season 2019: What’s on the Horizon for Boards

Every year around this time NACD provides resources to help directors prepare for the coming spring proxy season. This month we released a new Proxy Season Preparation Toolkit, supplemented by our standing NACD Resource Centers—one on Preparing for Proxy Season and one on Board-Shareholder Engagement. These tools should be useful to directors as they work proactively with management to enhance the value of their proxy statements—a trend identified in NACD’s most recent public company governance survey.

These efforts to improve proxy statements will be especially crucial in 2019, which could usher in changes thanks to recent developments in Washington. Specifically, new proxy rules may arise from the US Securities and Exchange Commission’s November 15 Roundtable on the Proxy Process,* which covered proxy voting, shareholder resolutions, and proxy advisors. Proxy game changers could also emerge from actions in Congress, where legislators are close to voting on two bills seeking to rein in proxy advisors.

Here, accordingly, are some contingencies that may be on the horizon—along with recommendations you may wish to consider with your corporate counsels. 

Contingency 1: Your proxy voting results may reflect more retail views.

Equity markets today are by and large institutional (70%) rather than retail (30%)** and retail shareholders are far less likely to participate in voting, since in many cases brokers vote for them (2018 Proxy Season Review, Broadridge and PWC, 2018). Certainly, institutional holders are important. I know this from my early years at Institutional Shareholder Services, where I began my governance career, as well as from my past two decades at NACD, which remains actively engaged with institutions through our Investor Perspectives series. Still, the voice of the retail shareholder matters for every company. Research has shown that retail owners are more likely to vote for management proposals and against shareholder proposals critical of management. (See “Small Investors Support the Boards. But Few of Them Vote,” by Gretchen Morgenson, the New York Times, Oct. 6, 2017.)

I believe that retail investors need a stronger voice in proxy voting, and I am not alone in my belief. In his opening statement at the November 15 SEC Roundtable, Commissioner Elad L. Roisman noted that the managers of passive index funds may vote shares without being required to check in with investors. He asked: “Should asset managers reach out to the underlying holders to understand their voting preferences?” The answer is yes, Roisman implied, citing the proposed SEC rule, Regulation Best Interest, which would require brokers voting proxies to vote in the interests of beneficiaries (including individuals who are retail buyers).

If this pending SEC rule passes soon, there could be more retail participation by spring 2019. But note that one impediment to this may be what I call the “black box” of beneficial ownership—an often-forgotten topic resurrected during the November 15 SEC Roundtable. Public companies don’t know who all their shareholders are because shareholders who buy through brokers can vote in the broker’s name rather than their own. This is because of an obscure rule that allows an “objecting beneficial owner” (OBO) to remain anonymous; only the identity of a “non-objecting beneficial owner” (NOBO) can be disclosed to the company. (See the SEC comment letters from Gary A. LaBranche, president and CEO of the National Investor Relations Institute, and Darla Stuckey, president and CEO of the Society for Corporate Governance.) Amending this rule would go a long way toward improving board-shareholder relations in future proxy seasons.

Recommendation: Remember your retail investors! Ask your director of investor relations to give the board a rough breakdown of individual vs. institutional holders and encourage outreach to both groups—not just the institutions (but see below about NOBO-OBO challenges).

Contingency 2: Your shareholders may be required to meet higher ownership thresholds before submitting resolutions—and/or to achieve better success rates for resubmitting them.  

SEC rule 14(a)8 identifies 13 valid reasons to exclude a shareholder proposal—and the SEC recently clarified these reasons. (See, for example, Staff Legal Bulletin 14J, Oct. 23, 2018.)

Under this rule, shareholders need only hold $2,000 or 1 percent in company stock for one year to submit a proposal. A number of groups would like to raise those thresholds, including the Business Roundtable. In a written comment submitted in advance of the SEC roundtable, Business Roundtable senior vice president and counsel Maria Ghazal urged the SEC to raise the $2,000 amount as well as the ownership time.

Rule 14(a)8 also sets a low bar for resubmitting failed proposals—a.k.a. zombie proposals. A company can exclude a resubmitted shareholder proposal only if the previous submission received less than 3 percent support, if voted on once within the previous five years; less than 6 percent, if voted on twice within the previous five years; or less than 10 percent, if voted on three or more times within the previous five years.

A coalition of business groups including the US Chamber of Commerce would like to raise this resubmission threshold. As the Chamber’s Tom Quaadman, executive vice president of the Center for Capital Markets Competitiveness, said in comments submitted in advance of the Roundtable, “The resubmission thresholds under Rule 14a-8 should be raised so that proponents must receive a meaningful level of support before resubmitting proposals that are overwhelmingly unpopular with investors.” The Chamber’s letter recommends a 6-15-30 progression to replace the existing 3-6-10—a sensible suggestion in my view. Last year, NACD joined the Chamber and others in signing a comment letter to the SEC advocating this approach.

Recommendation: Ask your shareholder relations director and/or legal counsel to keep tabs on the ownership level of shareholders proposing resolutions, and on the number of times the same proposals have been submitted. That way the company can begin to prepare for a time when the thresholds rise. At the same time, make sure that your communications convey the message that all valid resolutions from qualified shareholders will be valued. 

Contingency 3: The proxy advisors making recommendations on your company may be forced into greater accuracy and transparency.

Two pending federal bills—one originating in the House and one in the Senate—would require all proxy advisors to register as investment companies with the Securities and Exchange Commission, and set specific standards for such registration. If either bill becomes law, proxy advisors such as Egan-Jones, Glass Lewis, and ISS will have to meet a higher standard of accuracy and independence. (ISS, the most dominant of the three, is already registered, but without having to meet all of the stringent standards now being proposed.)

  • H.R. 4515, sponsored by Rep. Sean Duffy (R-WI) and cosponsored by one other Republican and one Democrat, passed the House December 20, 2017, and awaits a Senate vote. The Duffy bill would not only require proxy advisory firms to register as investment companies, but would also set many new requirements including disclosure of conflicts of interest, appointment of an ombudsman, and ongoing correction of inaccurate information.
  • S. 3614, a narrower bill sponsored by Sen. Jack Reed (D-RI) and cosponsored by two other Democrats and three Republicans, was introduced November 13, 2018, and, if passed by the Senate, will go to the House for a vote. The Reed bill, in addition to requiring registration, would mandate periodic examination of disclosures and policies.

NACD agrees that all proxy advisors should register with the SEC to further accuracy and transparency.

Recommendation: Don’t suffer in silence if one or more of the proxy voting advisors makes an inaccurate statement about your company when issuing a voting recommendation on one of the resolutions in your company’s proxy. In fact, make sure the advisor is notified. Given these pending bills (which could be reintroduced next year if they don’t pass in 2018), proxy advisors are likely to correct their mistakes promptly. 

In summary, Proxy Season 2019 may see more retail shareholder participation, improved quality of shareholder resolutions, and greater accuracy in proxy advisor recommendations—all good news for companies and all trends that NACD supports.

But just because proxy conditions improve does not mean that directors can coast along on a wave of goodwill. As always, preparing for proxy season requires hard work. Therefore, I urge all directors to explore the resources we offer for this proxy season, and wish you every success.

* As of this writing, the SEC has not yet archived this hearing. However, the SEC has posted Comments on Statement Announcing SEC Staff Roundtable on the Proxy Process. Also, it has posted archives from past Investor Roundtables.
** The 70/30 institutional/retail split is reported by 2018 Proxy Season Review by Broadridge and PWC. The split is even greater based on Bloomberg numbers reported here: “80% of Equity Market Cap Held by Institutions,” by Charles McGrath, Pensions and Investments, April 25, 2017. Also, nearly half of all US assets are invested in passive strategies (tied to an index) rather than being active when it comes to investment choices. See “Passive Investing Rises Still Higher, Morningstar Says,” by Amy White, Institutional Investor, May 21, 2018.

A Directors’-Eye View of Disruptive Innovation

Members of the 2018 NACD Blue Ribbon Commission challenged directors to improve situational awareness in the boardroom. Among other recommendations, they urged board members to keep finding ways to tap into fresh, unconventional thinking in order to improve oversight of the risks and opportunities posed by disruptive forces and events, including, but not limited to, the seismic shifts in the way we live and work that are being accelerated by new and emerging technologies. CES®—“the largest and most influential technology event on the planet . . . [and] the proving ground for transformative tech”—is essentially a one-stop shop where directors can gain that situational awareness.

CES® veterans, including a cochair of the 2018 Blue Ribbon Commission, have several tips for fellow board members about how to get the most out of the event:

  • Step outside of your industry. In an NACD poll of public- and private-company directors earlier this year, over 60 percent of respondents said their boards’ tendency to focus on known risks (those that management has already identified) is a significant barrier to understanding and overseeing disruptive, atypical risks, including those related to new technologies. Kathy Misunas, a director at Boingo Wireless and Tech Data Corp., had this to say about her attendance at CES® in 2018: “Even if you are not affiliated with what is considered a consumer business, you do serve customers [who] will continue to expect innovation. . . . One of the benefits of being at CES® is being away from daily routines and taking the opportunity to observe and just let your mind cogitate [on] the possibilities.”
  • Use the power of peers. Says Jeff McCreary, board member at Benchmark Electronics, “CES® can be an overwhelming show, so attending with a group that is focused on what matters most to you makes it worth it. . . . The opportunity to network with peers is invaluable.” NACD’s CES® Experience program is designed for directors and features small-group tours and debrief sessions where attendees can discuss what they have seen and learned with fellow board members.
  • “[Don’t] be afraid to ask the dumb questions.” According to Maureen Connors, board member at Fashion Incubator San Francisco and a former director of Deckers Brands, that’s “the best advice I’d give to anyone coming to CES®.” Kelvin Westbrook, a director at The Archer Daniels Midland Co., Camden Property Trust, Mosaic Co., and T-Mobile and cochair of the 2018 NACD Blue Ribbon Commission, agrees. “While touring the large exhibition floors, there are ample opportunities to interact with, ask questions of, and hear points of view from leaders [making] technological advancements happen. These perspectives may differ from those discussed in the boardroom setting.”

The 2018 NACD Blue Ribbon Commissioners asked board members to reflect on this question: “Am I as personally prepared as I need to be to tackle the responsibilities of a director in the current business environment?” Says Westbrook, “Director education needs to go beyond the boundaries of the boardroom. By taking the opportunity to see a wide variety of new technologies and innovations firsthand, we will be better informed to participate in discussions and better able to appropriately challenge management—and fellow directors—about whether our organizations have the skills, agility, and nimbleness to respond to what’s coming.”

Learn More

Kathy Misunas shares additional details about her time at CES® 2018 in this NACD blog post. Read more NACD blog coverage from our 2018 visit to CES® here, and watch video highlights from Day 1, Day 2, and Day 3. Registration details for NACD’s 2019 CES® Experience program can be found here. Visit for more findings and recommendations from the 2018 Blue Ribbon Commission.

Navigating Disruptive Risk: The Lead Director Lens

Envisioning a company’s future is hard and imprecise work. But it’s increasingly clear that dedicating time to think about the future is vital to navigating the disruptive risks that are shaking up industries and upending business models.

During the NACD Lead Director Symposium, sponsored by the KPMG Board Leadership Center, we explored the topic of disruptive risks—such as technological innovation, the Internet of Things, the digital economy, demographic changes, and ecosystem changes—that may threaten the core assumptions underlying a company’s strategy and business model. Approaching the topic from their perspective as board leaders, some 80 lead directors and independent chairs discussed the challenges they face as they lead their boards in helping the company identify and assess disruptive risks and as they prepare to calibrate strategy and change course as needed in an increasingly disruptive business and risk environment.

One of the important insights we heard was an articulation of the key challenge that these disruptive risks pose for boards today: obtaining a view or picture of the future and how that future may impact the company’s strategy. What will the business or industry look like one, three, five, or more years from now? What will be the impact of these disruptive forces on the business or industry, and what risks will these forces pose to the company’s strategy? By gaining a better understanding of the future of the business—the risks and opportunities—boards are better positioned to provide oversight and guidance on the company’s key governance activities: setting and calibrating strategy, monitoring execution, and managing strategic risks.

Our dialogue with the lead directors generated a number of practical suggestions—echoing several of the recommendations made by the Report of the NACD Blue Ribbon Commission on Adaptive Governance: Board Oversight of Disruptive Risks:

Encourage the board, CEO, and senior management to develop an understanding of the disruptive risks that threaten the continuing viability of the assumptions underlying the company’s strategy and business model. What are the most critical assumptions underlying our strategy? What disruptive forces have impacted our industry or adjacent industries, and what lessons can we learn?

Make clear that it is management’s job to educate the board about these disruptive forces and the risks they pose to the company’s business model and strategy. What information does the board receive from management about disruptive risks? Do their reports provide a forward-looking view of changing business conditions and potential risks? Who takes part in the discussions about disruptive risks? Are outside perspectives being heard?

Insist on an assessment of the company’s ERM (enterprise risk management) processes, with a particular focus on how these processes help the company to detect and assess early-warning signals that may indicate disruptive risks on the horizon.

  • Does management have regular, systemic mechanisms in place to accelerate the pace of detection of early-warning signals? Do we have people from outside, who bring very different experiences and perspectives, involved in the process?
  • Do we engage expert partners to scan for subtle indicators of change, and to provide trend analyses?
  • How can we enhance our risk prediction and scenario-planning capabilities?
  • Do management and leadership have the talent, skills, and training to manage disruptive risks?

With committee chairs, reassess board and committee structure and processes for overseeing disruptive risks.

  • While the full board has responsibility for overseeing strategic risks—and disruptive risks are generally strategic risks—board committees have important oversight responsibilities as well. And committees can bring increased focus and attention where required. Which board committee has responsibility for overseeing each of the disruptive risks management and the board have identified as posing a threat to core strategic assumptions?
  • Which committee should oversee management’s ERM processes generally—and particularly the adequacy of ERM processes to help the company detect and assess early-warning signals that may indicate disruptive risks on the horizon?
  • Is ample committee and board agenda time devoted to disruptive risks?
  • How does the board stay abreast of company and industry developments between board meetings?

As part of the board evaluation, assess whether the board has the “right” composition and culture (in addition to the “right” structure and processes) to provide effective oversight of disruptive risks.

Gaining a better understanding of the future—and the potential impact of disruptive forces on the business and industry—won’t enable the board and management to predict or prevent all disruptive risks, but it will provide greater agility and help position the organization to effectively manage and respond to disruptive risks that do arise.

Dennis T. Whalen is leader of the KPMG Board Leadership Center.

How Does Your Cybersecurity Posture Stack Up To That Of Your Peers?

It’s one thing to know the status of your organization’s cybersecurity defenses, and quite another to know whether they’re enough to protect your business on the virtual battlefield. You can’t prepare a real-world security posture without knowing these three things:

  • Where your company stands in relation to your industry peers;
  • How your defenses have improved (or not) over time; and
  • Which emerging threats are rising.

In other words, context is everything.

Most organizations focus their cybersecurity reporting on tactical matters, such as how much money has been spent, how the dollars were invested, goals that have been met (or missed), and how many threats have been identified and neutralized. While those data points are meaningful to those who are on the cybersecurity front lines, additional data inputs are necessary for board members to understand the business implications of the company’s cybersecurity posture.

When you begin asking the organization you oversee to provide the kinds of benchmarking context outlined above, you may find executives are challenged to give you the answers you need to make informed decisions.

The Answers You Don’t Need

Below are two typical responses you might receive when asking how you stack up against your peers’ security practices, and why they fall short of delivering the context you need.

  1. We patched X number of vulnerabilities. While it is always important to know the organization is keeping patches up to date, this information alone won’t give you the full picture of where the organization stands. You need to understand if your critical assets are protected against threats that are currently in the wild—that is, being actively utilized by bad actors.
  2. We have everything secured in the cloud. Keeping applications patched and updated is your organization’s responsibility, not the cloud provider’s. Therefore, it’s incumbent upon directors to ensure they have access to ongoing comparative studies. Directors should ask for studies comparing the security of cloud versus traditional assets, year-to-year security progress, and compliance with regulations governing privacy and security, such as the EU General Data Protection Regulation. While receiving assurances that security measures exist in the cloud is nice, this alone tells you very little about how secure your company—and its vendors—happens to be.

The Answer You Need 

“Here is our report on our security progress over the past three years. This shows how we are remediating the most dangerous vulnerabilities on our most critical assets. We’re now able to predict in advance which vulnerabilities are likely to be attacked and deploy our resources accordingly. We can track the progress different regions and business units are making in reducing their cyber exposure. Plus we have insight into how our cyber exposure compares with industry peers.”

This is the answer you seek. It gives you the detail and context you need to make informed decisions about your organization’s cybersecurity strategy.

The only way you’ll know if your security efforts and investments are paying off—or if your company has just been lucky—is to measure your progress. It’s vitally important to measure the state of your cybersecurity investment and policy by business unit, geography, and asset type. Security progress reports are best when they’re updated regularly. Your company’s cyber exposure will change over time due to a variety of factors, including mergers and acquisitions, changes in business models, and the deployment of new technologies. In other words, everything changes fast and your progress reports need to keep pace with organizational change.

Benchmarking will show you where your company stands in comparison to industry peers. If a comparative ranking with industry peers finds you in the bottom quartile, you probably need to commit more budget and resources to come up to industry standard and achieve average protections. If your company ranks in the top quartile, you likely don’t need to increase your budget or buy much. The point is, your decisions should be based on data and not a guess.

Want to learn more about understanding vulnerabilities in the context of business risk? Read the Vulnerability Intelligence Report from Tenable Research.

Anticipating Disruptive Innovation and Digital Transformation

To stay competitive and relevant in a rapidly changing business landscape, organizations in every industry must navigate an increasingly disruptive, technology-enabled environment. Companies that do not address and embrace new and emerging technologies will be less competitive or may even face obsolescence. Netflix and Uber Technologies disrupted traditional business models by rethinking the way in which service delivery occurred, tapping into new technology capability to empower customers.

Given these challenges to companies, what does innovation mean in this era of digital transformation? Innovation now involves finding the right problems worth solving; building new offerings, business models, and experiences; and generating value at scale for customers.

Furthermore, the rapid digital transformation of advanced technologies such as blockchain, robotic process automation (RPA), and artificial intelligence (AI) now portends similar effects in industries from financial services and healthcare to communications and manufacturing. Boards must become knowledgeable about these digital disruption trends in order to be able to conduct meaningful oversight that management can use successfully as the company embraces new technologies.

Advanced digital technologies bring with them both opportunities and challenges for boards. Consider the following strategies when the organization evaluates or adopts any new, potentially disruptive technology:

  • Overcome technology anxiety. Directors and executives who either lack knowledge of disruptive technologies—or lack confidence in their knowledge—stand to allow their companies to lag behind or fall into a state of stasis. This is something no organization can afford in this age. Management can feel threatened or uncertain about jobs surrounding the adoption of advanced technologies. Concerns can arise around the lack of historical evidence and case studies to demonstrate the technology’s value. Management must be confident and equipped to explain how the tools will support the existing workforce, rather than cannibalizing their talents. To support this mindset and approach, the board needs to support and approve major policies focused on empowering management with knowledge around advanced technologies.
  • Reduce fragmentation while achieving enterprise-wide consistency in adoption. Organizations tend to assign value and evaluate impact as disconnected activities. In a world where value is created by technology across the enterprise, value and impact should be assigned as part of a cohesive business strategy that embraces advanced technology. Neglecting to do so creates knowledge and skills gaps between teams, causing inefficient business processes and ineffective or sporadic performance, rather than fully functioning, optimized operations. Boards must go beyond fiduciary responsibilities to take a more active role by challenging management constructively on how new technologies fit into the overall organization’s strategic plan.
    Management may focus too narrowly on addressing a problem through technology for a small group of individuals and lose sight of the larger application of the technology, resulting in a varied impact across the organization. The board can provide clear guidance and ensure balance by reinforcing a consistent, enterprise-wide, business-change approach to technology adoption.
  • Manage the pace of technological change. The adoption of advanced technologies demands teams that are agile in nature. This process can potentially leave legacy business units behind. For example, blockchain technology can be used to identify the location of any transaction, file, entity, or product at any given time. However, information changes in a data-driven age, expanding quickly and exponentially, which can have a cascading impact on how the organization currently uses the technology. Digital technologies demand that organizations be both agile and adaptable to the new ways of doing business. The board must promote digital innovation when it comes to doing things faster, better, and more efficiently. The board must also monitor the pace of innovation to ensure the organization can best manage the change while meeting strategic objectives.
  • Define evolving responsibilities and accountabilities. Adoption of advanced technologies can create knowledge gaps and role changes. For instance, when an organization implements RPA for a particular process, the digital resource (robot) and the human workforce each may have responsibilities to support or execute an element of the process. In order to provide sound oversight of the changes to a business unit, the board must ask management for clearly defined roles, responsibilities, and accountabilities affected by or involving an advanced technology’s adoption and use.

While the board isn’t tasked with the hard work of managing through digital transformation, its members must be cognizant of the policies and decisions made to ensure they aren’t driven by legacy assumptions. Directors must ask the right questions about the technology as well as the broader questions about the company’s information technology (IT) strategy. This, in turn, requires that board directors, senior management, and IT use a shared language to discuss IT performance. Deeper board involvement can serve as a mechanism to cut through company politics and focus management on the large, integrated technology investments needed as digital weaves ever further into the fabric of today’s businesses.


Waqqas Mahmood is director of advanced technology and innovation for the advisory, tax, and assurance firm Baker Tilly.