What to Do With Pay If Taxes Go Much, Much Higher

Regulations and
taxes greatly influence executive pay design. While the current “typical”
program—salary, annual bonus based on financial results, and an annual equity
award dominated by performance-based shares—seems as comfortable as an old shoe,
it’s an evolving thing that adapts to meet dual goals of incentives and retention.

As the election
cycle begins to heat up for a 2020 showdown, lines are beginning to show in the
sand around monetary policy, trade, and income taxes. Compensation committees
need to be forward-thinking about long-term implications of potential new laws so
they can act nimbly and with conviction when changes occur.

Our objective is not
to handicap the political environment and discuss what’s “likely” to occur.
Guessing right would be simple luck. In broad strokes, the tax ideas floated so
far by potential 2020 Democratic presidential candidates focus on raising taxes
for the wealthy as a mechanism to close the Federal deficit. That drumbeat will
get louder and more polarizing on the road to the 2020 general election and amid
mixed economic signals.

The ideas of candidates Bernie Sanders and Elizabeth Warren center on increasing tax revenue from capital gains. Bill Gates approached the notion more directly (albeit in a manner less politically appealing): “The big fortunes, if your goal is to go after those, you have to take the capital gains tax, which is far lower at like 20%, and increase that.”

Both ideas are similar in that they create a more even playing field between ordinary income and capital gains. That disparity is arguably at the heart of inequality of wealth distribution.

Proponent                                   Idea
Sen. Bernie Sanders                         For the 99.8% Act expands the estate tax to a 77 percent marginal rate for estates worth $1 billion or more
Sen. Elizabeth Warren                       Annual wealth tax: 2 percent on net worth over $50 million, 3 percent over $1 billion
Sen. Brian Schatz                           Proposed Wall Street Tax Act would introduce a 0.1 percent tax on the sale of stocks, bonds, and derivatives
Sen. Alexandria Ocasio-Cortez               New 70 percent marginal rate on annual income over $10 million
Sen. Tammy Baldwin and Rep. Bill Pascrell   Eliminate capital gains treatment for carried interest gains

Boards first should be thinking and talking about the broader economic implications of the political environment on their business planning and strategy. Compensation committees should consider near-term and long-term implications for pay program design as part of this discussion.

A Dollar Today May Be Worth More Than a Dollar Tomorrow

Material changes to
the tax code should not reasonably be expected before 2022, and then only if a
Democrat is elected as president. If marginal income rates are certain to rise
materially, incentive awards that vest prior to the increase will have a higher
after-tax value than those that vest after the increase occurs.

Awards that deliver a
higher after-tax value may be desirable, similar to the end of 2017 when the
corporate tax rate—and the associated value of tax-deductible compensation—dropped
from 35 percent to 21 percent. Many boards took action at the end of 2017 to
bring forward compensation-related tax deductions. We would expect similar
actions if future individual tax rates are certain to rise.

Maintaining Sound Pay Principles Remains Paramount

The compensation committee
has a duty to make rational decisions about pay that align with performance. Pay
programs that deliver pay sooner and incentives for long-term strategic
execution that benefit the company must remain balanced. This could lead to
complexity in pay program design that generates taxable income for recipients
but maintains a connection to long-term performance of the company. This could
take many forms, such as:

  • Increased stock option usage, giving the
    recipient control over timing of income.
  • Shorter vesting of share-based awards with
    material holding requirements.
  • “Banked” awards, to trigger income tax
    quickly on a portion with future performance requirements for upside attainment.
  • A (short-lived) renaissance in Section 83(b)
    elections.

Increased Taxes Could Promote “Long-termism”

If wealth, estate,
and capital gains tax ideas come to fruition, an opposite and powerful
incentive to encourage long-term behavior could become a reality. Executive pay
above $1 million in a given year generally is no longer deductible, and if
corporate tax rates do not rise with individual rates, companies have less incentive
to accelerate pay-related deductions where available.

This should
stimulate discussion of much longer-term and estate-oriented pay structures for
senior executives. Ideas in this area include the use of various kinds of
trusts to encourage a reduction in personal balance sheets to defer wealth or
estate tax burdens, and a delay
versus acceleration of income recognition.

It is too early to
tell how this will shake out. How pay evolves is a result of many complicated interactions.
History teaches us that changes in the law are a major driver of that
evolution. Reaffirming the principles of the pay system when discussing
potential reactions to a new regulatory environment will be the key to having
comfort in the next wave of executive pay design.

Margaret Hylas is a consultant and Todd Sirras is a managing director of Semler Brossy Consulting Group. All thoughts expressed here are their own.

Directors Discuss How to Build Cyber-Risk Resilience

“What’s the board’s role in a data breach?”

This was a question posed by one of the director attendees
at a recent roundtable event hosted by NACD in partnership with Accenture on
how boards can go about building greater cyber resiliency within the
organizations they serve. And as a litany of companies have fallen victim to
cyberattack and endured considerable financial and reputational fallout—it’s a
simple question that demands a nuanced answer.

Robert Kress, managing director at Accenture, encouraged
attendees not only to have a well-coordinated response plan mapped out so that
it can readily be put into action if and when the worst occurs, but also to
“Ask yourselves: How does the board get engaged in a breach?”

“Is there a subcommittee? How are decisions made? Which
decisions should involve the board?” Kress asked. “Breaches oftentimes happen
at inopportune times such as weekends and holidays because threat actors know less-experienced
people are manning the ship—if they’re working at all. A good crisis response
plan should have clearly defined the role of the board, outside counsel for
support to ensure you have the regulatory requirements for reporting, and
arrangements with a marketing firm to handle public relations.”

One attendee shared that, after the US Government Affairs
Office (GAO) released its assessment of the Equifax breach, his board asked the
chief information officer to review the GAO’s recommendations and do a gap
analysis. “I was surprised by how cogent those reports really were,” he said.
But for him, paying close attention to how one federal entity picked apart all
that went wrong in the Equifax case raised questions around how boards should
think about disclosures and communicating what the company’s risk capacity is.

“Cybersecurity needs to go hand-in-hand with the broader
enterprise risk management program,” Kress said. “Cybersecurity is one type of
business risk that needs to be addressed broadly—in the 10-K or via a cogent
response from management on how they want to mitigate that risk. And companies
are improving their capabilities in detection and response processes, with the
time to detect and respond to an incident getting shorter. However, the
financial impact of cyber breaches continues to go up, with current research
showing that the average cost of a cyber incident is between 16 and 17 million
dollars.”

When it comes to improving the company’s response, a board
can be a huge asset. Another director shared that, in her experience,
management might offer pushback against boards that want to do tabletop
exercises, seeing the process of simulating an emergency as “overdoing it.” And
yet, when her boards were allowed to engage on this level, management found
that the director perspective was invaluable because they were asking the right
kinds of questions that challenged basic assumptions.

“It’s important you put pressure on things,” Vikram Desai,
global managing director at Accenture, said in affirmation. “In my
observations, the CEO will ask the CISO [chief information security officer] and
the CIO [chief information officer] if everything’s good on the security front.
They say it is—and nothing gets back to the board. These are dynamics that
create a false sense of security.”

But despite best efforts, odds are that companies with a
digital footprint will be breached at some point in time—which will in turn
mean having to work with the federal powers that be. On this front, it was
noted that most companies are not 100 percent compliant with federal
regulations from the get-go. At the very least, it’s important to have a formal
plan and timeline in place for becoming compliant as a token sign of good faith
for the regulators who may do a thorough investigation of the company’s
cybersecurity practices. Ignoring these issues, however, is not an option.

As the conversation accentuated the integral role that the
CIO has to play in the board’s oversight of cybersecurity issues, one director
asked about what small-cap companies should do, as they frequently lack the
financial means to attract and retain the requisite talent to help see boards
through these issues. And even if there is money set aside to bring on a CIO or
a CISO, the phrase “you get what you pay for” painfully springs to mind.

Here, outsourcing can be a viable option. “The smartest
thing a company can do is go to a managed security services provider,” Desai
said. “They can provide the ability to monitor operations, and if something
happens, they can activate the incident response plan. And within the universe
of security services, there is a ranking checklist that rates these companies
from OK to very proficient.” 

As the afternoon progressed, the conversation began to
explore a more fundamental element of cybersecurity: What part of the board
should assume the primary responsibility for overseeing cyber risk?
Historically, the audit committee has taken on this task largely because it was
concerned with enterprise risk management in general. But as the cyberthreat
landscape continues to quickly grow in scope, both Kress and Desai agreed that
this might not be the best arrangement and that—at least for the larger
companies with the capabilities to do so—creating a standalone technology and
risk committee might be key to capably overseeing these issues into the future.

Failsafe means of prevention may be impossible, and having a
well-orchestrated crisis response plan is the best any company can hope for to
save face in a crisis. Even a company that makes the best of efforts remains at high
risk of losing stakeholder trust. It’s a problem too large for any one company
to solve, making it imperative to identify ways in which to foster
collaboration.

“We are nearing a point where boards need to ask management
how they are working with other companies within the industry,” Kress said in
closing. “Digital trust underpins every organization today. If we lose digital
trust, there will be significant financial impacts. I think that participating
in industry forums and being more willing to share knowledge with government
entities about breaches can help.”


What You Need to Know About Cyber Insurance and Regulatory Change

As recent events have shown, the pace and scale of cyberattacks continue to grow, as do the financial stakes—revenue losses, recovery expenses, liability costs, and potentially severe regulatory fines are all consequences facing companies. The specter of 2017’s NotPetya event, the most devastating cyber event in history, continues to haunt business leaders: the malware caused more than $10 billion in economic damages and disrupted business operations, production, and logistics for major global firms. The insured losses from that attack alone have been estimated at more than $3 billion.

Incidents such as these are forcing companies to make cyber risk a corporate priority. In the recently released Global Risks Report 2019, those in advanced economies again rank cyberattacks among their top risk concerns. That recognition has evolved from viewing cyber risk as a problem to be solved by spending more on technology to seeing it as a risk that must be actively managed across many areas of the company. That shift in mindset has brought cyber insurance into the overall equation of how a firm manages its technology risk.

But cyber risk is an increasing concern not just for C-suites
and boards: regulators also are more actively looking at how organizations
address cyber risks and how they manage their responsibilities to key
stakeholders. So even as the financial costs of cyber threats grow, the
regulatory stakes are likewise poised to rise as more regulators—and particularly
the US Securities and Exchange Commission (SEC)—begin to impose stricter
requirements on businesses.

These two trends—the increasing adoption of insurance to transfer cyber risk and a more rigorous regulatory approach to cyber-risk management—dovetail in numerous ways. Many of the new regulatory requirements and guidance around cyber-risk assessment, prevention, and management, executive and board-level ownership, and event disclosure and response, are the same practices that should inform an organization’s decision-making around cyber insurance investment. These same best practices are what underwriters increasingly expect and value.

The SEC Strengthens Its Stance

Cybersecurity has been on the SEC’s agenda for several years. In 2011, the commission’s Division of Corporation Finance issued guidance calling on companies to assess their disclosure obligations regarding their cybersecurity risks and cyber incidents.

While a good starting point, the guidance did not go far enough in setting clear expectations for both proactive and reactive cyber-risk management and oversight. The SEC’s 2018 interpretative guidance outlines requirements for publicly traded companies to disclose cybersecurity risks and material incidents.

The SEC guidance focuses on five main areas:

  • Pre-incident disclosure. The guidance calls for transparency around the identification,
    quantification, and management of cyber risks by the C-suite and oversight by
    the board of directors. Often, growth in technology and the global operating
    environment impede 360-degree visibility into a company’s vulnerable spots, with
    lack of data contributing to compromised security.
  • Board oversight. The board is expected to
    understand, quantify, and oversee cyber risk. The SEC advises companies to
    disclose in their proxy statement the board’s role and engagement in cyber-risk
    oversight. Board members have to be privy to and understand the
    company’s overall cybersecurity exposure, with a particular focus on the impact
    on the company’s financial condition, integrating this insight into their
    360-degree view of the company’s risks.
  • Incident disclosure. Companies are required to “inform investors about material
    cybersecurity risks and incidents in a timely fashion.” To do so, companies must
    have structures in place to identify and quantify cyber risk—tools that allow
    the organization to rapidly determine whether the impact of a compromised
    system was, in fact, material and requires disclosure to regulators and
    investors.
  • Controls and procedures. The guidance also tasks companies with assessing whether
    their enterprise risk management (ERM) process is sufficient to safeguard the
    organization from cyberdisasters. This requires a step-by-step playbook for
    cyberevents, including identifying who needs to be contacted and how and with
    whom the business will share information about a breach. Given the evolving
    nature of cyber risk, ongoing due diligence exercises should occur to identify
    and manage new risks—especially during a merger or acquisition. Most companies
    have long done this for other perils such as natural disasters, and it is
    imperative they extend this process to cyber risk.
  • Insider trading. New to the 2018 guidance is a reminder to companies, directors,
    officers, and other parties of insider trading prohibitions. In practice, this
    means that directors, officers, and other executives who are aware of a
    company’s cybervulnerabilities or a breach could be liable if they sell company
    stock, or instruct anyone else to do so, before such a breach or vulnerability
    is divulged.

The cost of non-compliance can be substantial. Last year the SEC leveled a $35 million penalty against a large technology company it said misled investors when the company failed to disclose the theft of personal data from hundreds of millions of user accounts.

Congress, which holds the SEC’s purse strings, is placing mounting pressure on the agency to improve cybersecurity, and private investors are also pressing for more stringent cybersecurity controls at the companies they hold. It is, therefore, likely the SEC will start coming down on companies with more vigor, especially in the wake of recent—and, inevitably, future—major breaches.

Risk Transfer as a Core Cyber-Risk Management Tool

Given the nature of the majority of risks, businesses
recognize that technology and other solutions alone can’t respond to the full
spectrum of risks they face. Insurance has historically stepped in to provide
the financial backstop for that residual risk that cannot be managed to zero
through process, procedure, and mitigation. 

Cyber risk is no different in this sense, and organizations
are now recognizing that cyber risk also cannot be managed through technology
alone. It is an operational risk that needs to be incorporated into the firm’s
overall ERM processes—one that includes risk transfer, as well as mitigation
and resilience planning.

The insurance market now offers risk transfer solutions for
cyber risk that address both ever-evolving technology risk and the gap left as
traditional insurance products have retreated from adequately covering firms’
evolving cyber-risk profiles.

Cyber insurance starts with the premise that all of a firm’s
technology-driven risk should be insurable. These risks include both the direct
loss that a firm can suffer in terms of lost revenue or assets, as well as the
liability that can arise from a data breach or failure to comply with myriad
new domestic and international regulations.

Cyber insurance has also been at the forefront of pushing
for better understanding of this risk’s financial implications to help the
industry improve modeling of potential loss scenarios. That financial
assessment is a critical foundation for businesses’ risk management planning as
well: Cyber-risk quantification helps the firm assess the economic impact of a
range of cyberevents, and on that basis, make informed investments in
technology, insurance, and response resources. Quantification of cyber risk
also allows for cyber risk to be analyzed within the firm’s overall risk
framework and integrated into its overall risk management planning. 

The assessment, evaluation, and modeling processes that are essential foundations for purchasing cyber insurance are, in many ways, aligned with the practices called for by the SEC in its recent guidance. Given the likelihood of an increasingly active regulatory agenda, organizations are advised to align their policies and practices to abide by the SEC’s recommendations and to consider insurance market coverage that can help protect against cyberevent-related losses and regulatory liabilities. 

Bob Parisi is cyber product leader and Christopher Hetner is managing director of cyber-risk consulting at Marsh.

Finding Inroads to Alleviating Common Cyber Risk Pain Points

It’s generally accepted that the development of technology
is rapidly accelerating. So too has the speed of integration of new
technologies into our day-to-day lives. Consider this: since mobile phones were
first introduced, it took 12 years before 50 million people had one. In
contrast, it took Facebook only 2 years since its debut to reach that same
milestone, and the mobile phone game Pokemon Go only needed two days.

At such a pace of proliferation, it’s difficult to fully
synthesize the full ramifications of a new technology before the next wave of
change comes rolling in. And if you’re a company that is under pressure to
digitize its operations, being too aggressive about staying on the cutting edge
of digital transformation can lead to potentially catastrophic risk exposures.
It’s an area where board insight and oversight is especially needed—but knowing
exactly how to approach the issue might not seem equally crystal clear.

[Photo caption] Accenture’s Robert Kress says there is no panacea to cyber risks.

This was the subject of a recent roundtable hosted by NACD
in partnership with Accenture. According to Robert Kress, managing director at
Accenture, there’s no single panacea.

“You need to tailor your thinking to the environment you’re
working in,” he said. “So, what do you do about it? Think about leadership in
governance across three key dimensions: within your organization, within your
ecosystem, and within and across industries. Looking within your organization,
ask: What is the scope of your CISO’s responsibility? Looking within your
ecosystem, realize that every organization is more dependent on other players
within your ecosystem. Many of the breaches that occur come through that
channel. Look across industries because the Internet is fragile. Think about
when it was created and what it was created for—and it was not designed to
defend against cyberattacks. There is a lot of work needed to reinvent the
Internet—and that is only going to happen if organizations are working together
and working with the government.”

“I would say that it’s not as complex a picture as you have
painted,” Vikram Desai, global managing director at Accenture said in
counterpoint. “I do think that while each company has a unique fingerprint,
there’s a value chain associated with how businesses operate and there are
simple pain points along the way. And there are some very basic things you need
to get right to make it more difficult for an attacker to target you. Within
industries, exchange information on best practices, work with service providers
to understand the real-time status of attacks. It’s incumbent on every board
member to make sure that there are techniques and exercises consistently
executed [throughout the organization] to make sure the people are sensitized
to these issues.”

Desai went on to underscore the importance of the chief
information security officer (CISO). To begin with, selecting the right person
for that role is difficult because most CISOs are technologists who lack
business savvy and the ability to communicate what they know to a lay
audience—so ensuring that the person who steps into that role receives the
requisite training to effectively communicate to senior leaders and the board
is critical for his or her success. Boards should also ensure that there is a
CISO succession plan in place. Generally speaking, a CISO stays with a company
for about 24 months. With such a high turnover, ensuring that there is a
pipeline of talent within the organization that can capably fulfill the duties
of that role is critical.

[Photo caption] Attendees listen on as NACD Directorship Publisher Christopher Clark introduces the theme of the discussion.

“Understand the role of the CISO and what you expect from
that person,” Desai said. “Does the CISO have direct exposure to the board, or
are they blocked by a tech person? Does the CISO understand the top business
objectives for your company and how security can enable those objectives? The
CISO needs to show how things can be done and what the associated risk and
rewards are. If there’s alignment, you’ve got a great running start.”

Visit NACD BoardTalk later in the week for additional
coverage from this event as director attendees grapple with cyber-risk
oversight best practices.

Webinar: Harnessing the Potential of Virtual Teams

Join us in the upcoming Wilcox Miller & Nelson/CPI Webinar, “Harnessing the Potential of Virtual Teams” featuring Bill Florin of CPI Partner, Learning Dynamics. As part of our firm’s participation in Career Partners International, we periodically host webinars to share HR industry experts’ viewpoints on trending topics. This webinar will explore ways to increase engagement, develop relationships, and bridge cultural differences regardless of proximity.

Whether they have given their teams an added perk of remote work flexibility or have just assembled a completely virtual “dream team,” many employers are still struggling to see the promised returns of a digital team. Why are these teams not delivering at the level of their onsite counterparts despite being, on paper, a superior group of employees? Join us to discuss some of the more treacherous obstacles to realizing the potential of a virtual team.

This program is valid for 1 PDC toward SHRM-CP and SHRM-SCP recertification.

Join us on March 12th at 8:00 a.m. PDT or March 14th at 4:00 p.m. PDT for a 45-minute presentation and 15 minutes of Q&A. Register Today!


Sharpening the Board’s Cybersecurity Acumen

Much has been written,
and important insights shared, on cybersecurity. The threat landscape continues
to evolve, and the topic remains significant in the boardroom.

To gain fresh
perspectives on this important area, Protiviti met with 20 active directors
during a dinner roundtable at a December 2018 NACD event to discuss their
experiences. Here are some key takeaways from that discussion:

Don’t let overinvesting in protection and detection lead to underinvesting in response and recovery. The National Institute of Standards and Technology (NIST) framework identifies five pillars of effective cybersecurity: protection, detection, identification, response, and recovery. A global study sponsored by Protiviti asked executives to rate their company’s progress on these pillars, finding most companies score highest on protection and detection and lowest on identification, response, and recovery. As most cybersecurity investments address the protection pillar, the participating directors agreed their organizations need a balanced program to detect and respond to the inevitable cyberattacks. However, most board members report they only see an overall cybersecurity budget; the company’s investments across the five NIST domains are not transparent to them.

Overall, it is important for organizations to move beyond the
protection pillar when it comes to cybersecurity. One board member spoke of a
maturity assessment using the NIST framework and of monitoring progress across
the five domains to improve them to the desired maturity levels. The board
should work with management to regularly assess and monitor the organization’s
ability to identify, detect, respond to, and recover from a cyber breach, as
well as ensure that appropriate investment is supporting each pillar.

Understand the paradox in breach detections between cyber “leaders” and “beginners.” Protiviti’s research finds that digital leaders report more cyberattacks than beginners. The roundtable discussion revealed several reasons, including the likelihood that digital leaders are better at monitoring security activity and have stronger detection measures. Also, they are more likely to have an expanded attack surface due to the new technologies and digitization capabilities they employ. Organizations need to stay focused and keep cybersecurity a critical priority as they advance their digital maturity. To minimize risks, companies should build cybersecurity into each step along their digital transformation process.

Manage the “cyber squeeze” on innovation funding. How does the board
effectively address cyber risk without throttling innovation? This important
question is a double-edged sword, as innovating creates more cyber risk because
it almost always involves embracing new digital technologies. The roundtable
discussion emphasized that innovation is about business strategy and should not
be an information technology (IT) or “innovation” budget item. Innovation
should be part of an overall budget for the enterprise’s growth strategy. Also,
risk and cybersecurity should be embedded into the design and developmental
approaches—including the Agile and DevOps methods—that innovation teams use so
that innovation is undertaken securely.

Mind the enemy within. According to Protiviti’s research, nearly all firms
(87%) see untrained general staff as the greatest cyber risk to their business
because they may provide a conduit for outside attackers. As noted by several
directors, there are solutions to help combat internal threats, but the board
is typically not aware of how effective they are. Exposure to attacks by
nation-states and sophisticated external attackers is compounded in that these
groups often exploit untrained insiders.

The directors
agreed that boards need to turn up the volume on their inquiries of cyber
management as to what is being done about insider risk, including exposure to
third parties. One tried-and-true, not to mention low-cost, cybersecurity
measure—at least for insiders—remains employee training and communication.

Quantify cyber risk to put a value on the crown jewels. Quantification will help management and the board significantly as they work to understand the different types of data and information systems assets the organization maintains. More importantly, it will help them understand what needs to be protected most and oversee how asset protection is being prioritized. The FAIR methodology can assist with this analysis, as it employs risk quantification software to analyze risk using techniques such as the Monte Carlo method, which simulates risk scenarios. Conducting a quantitative risk analysis forces IT and security teams to set risk appetite thresholds, which enhances cybersecurity communications with the board.
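To make the FAIR-style quantification above concrete, here is an added example (not Protiviti’s, the NACD’s, or the FAIR Institute’s software) of a Monte Carlo simulation of annual loss exposure for one scenario. FAIR factors risk into loss event frequency (how often a loss event occurs per year) and loss magnitude (cost per event); the simulation samples both from calibrated min/most-likely/max ranges many times and reports the resulting loss distribution against a risk appetite threshold. The scenario name, the calibration ranges, and the $5M appetite are constructed for illustration.

```python
"""FAIR-style Monte Carlo loss simulation (added example, not the page's or the
FAIR Institute's tooling). All calibration values below are constructed."""
import math
import random
from statistics import mean

# Constructed calibration for one scenario, e.g. "theft of the customer database".
# Each factor is an expert estimate given as (min, most likely, max) rather than
# a single point value, which is what makes a distribution-based analysis possible.
SCENARIO = {
    "lef": (0.5, 1.5, 4.0),               # loss event frequency: events per year
    "lm": (50_000, 250_000, 2_000_000),   # loss magnitude: dollars per event
}


def poisson(rng, lam):
    """Knuth's algorithm: number of events in one year at average rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, trials=10_000, seed=7):
    """Return one simulated total annual loss (dollars) per trial."""
    rng = random.Random(seed)  # fixed seed so a board pack can be reproduced
    lef_min, lef_mode, lef_max = scenario["lef"]
    lm_min, lm_mode, lm_max = scenario["lm"]
    losses = []
    for _ in range(trials):
        # Sample this year's event rate from the calibrated range, then the
        # actual number of events from a Poisson process at that rate.
        rate = rng.triangular(lef_min, lef_max, lef_mode)
        events = poisson(rng, rate)
        # Each event draws its own magnitude from the calibrated range.
        losses.append(sum(rng.triangular(lm_min, lm_max, lm_mode)
                          for _ in range(events)))
    return losses


def percentile(values, q):
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def summarize(losses, appetite):
    """Figures a board can act on: a typical year, a bad year, and how often
    the year overshoots the stated risk appetite threshold."""
    return {
        "mean": mean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "p_exceeds_appetite": sum(l > appetite for l in losses) / len(losses),
    }


if __name__ == "__main__":
    results = summarize(simulate_annual_losses(SCENARIO), appetite=5_000_000)
    for key, value in results.items():
        print(f"{key:>20}: {value:,.2f}")
```

The point of the exercise is the last line of the summary: expressing the chance of a year that exceeds the appetite threshold forces the security team to state that threshold explicitly, and gives the board a single comparable number per scenario when deciding which crown jewels deserve the next dollar of protection.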

Increase the board’s confidence in its cybersecurity oversight. Cyber threats represent a legitimate concern. A company reputation established and nurtured for 100 years can suffer severe and lasting damage following just one high-profile cyberattack. As a result, it can be difficult for boards to feel fully confident in how they are monitoring cybersecurity risk, both within the organization and among third parties. The roundtable discussion participants noted that while directors must rely on management for this information, they should be proactive in refreshing the board’s oversight capabilities: asking appropriate questions, receiving independent assurances, monitoring focused dashboards, and setting clear expectations regarding the need to preserve reputation and brand image.

Take stock of a changing landscape. Throughout the roundtable discussion, numerous comments were made regarding the changing cyber-threat landscape and the importance of staying informed as it evolves (e.g., ransomware, expanding the value of data beyond credit cards, unapproved mobile devices, third-party threats, and state-sponsored cyberattacks). The complexity of the evolving threat landscape is prompting a need for increased cooperation and information-sharing between the private and public sectors, an objective that remains elusive due to concerns over disclosing confidential and other sensitive information.

The game has now changed. Virtually any organization is
susceptible to cyberattack, even if it does not harbor customers’ personal data
or credit card information. Continue to monitor your company’s cybersecurity
maturity using these and other steps and resources to ensure management has
mitigated risks appropriately.

For a more complete look at the NACD roundtable, including key takeaways, read Protiviti’s full summary of the event.

Gender Pay Equity Analysis Is Here to Stay. Is Your Company Doing It Right?

Equal pay for equal work by people of different genders is top of mind for most companies in 2019, with a December World Economic Forum report noting the gender pay gap is on track to persist for the next twenty decades.

There is absolutely no
reason for the pay gap to persist, and some actors have begun taking steps on
what they have realized is a solvable problem. For example, many states are
enacting laws that require organizations of all sizes to close the gender pay
gap. Shareholder activists, third-party organizations, and activist fund
managers are pressing companies for transparency on their pay equity to avoid
facing a shareholder proposal. Within companies, employee networks are more
frequently sharing their own pay information when pressing their employers on
pay equity.

But more than the legal
requirements or external and internal pressure, gender-based pay equity is the
right thing to do. When employees know a company takes pay practices seriously,
they are more engaged, happier, more productive, and less likely to leave. Employers
that are transparent about their commitment to pay equity earn trust, and a
reputation for pay equity is also the number-one way to attract top talent.

The current solutions
for addressing pay disparities between men and women may actually be
perpetuating the problem. Employers wisely choosing to address pay equity are
often left thinking that fixing the problems is an expensive, complex, and time-consuming
task that may not be worth the investment because—year after year—they must
hire legions of lawyers, experts, or consultants with advanced degrees to
find pay gaps. The industry has conditioned employers to believe the process is
fraught with peril.

Because these costs appear
to be so prohibitive, the industry recommends a “one-and-done” model in which companies
pay for this massive undertaking once a year. The truth is the “one-and-done”
model exists because few companies can afford to do it more than once a year,
or want to endure the process more than once.

What’s worse, one-and-done
reviews don’t sufficiently address the root causes of disparities in pay
between genders. They are forever behind—rather than ahead of—risk. The old
model looks backward, helping companies explain and maintain differences to
assure leaders that while differences exist, they are explainable and won’t
lead to lawsuits. Remedial action, or “catch-up” payments made to underpaid
women annually, is tantamount to fixing symptoms each year but never addressing
the underlying problems.

If
“one and done” actually worked, by definition, we would be “done.” And yet the
gap persists.

So, how do you know
whether your company is engaged in meaningful pay analyses and committed to
eradicating pay disparities between workers of different genders? We’ve
compiled several questions to ask, which will enable you and your board
colleagues to understand more deeply whether your company has seriously and
genuinely addressed pay equity.

Seven Questions Every Board
Member Concerned About Pay Equity Should Ask:

  1. Did the company conduct a pay equity analysis this year? If not, is that because pay fairness is not a priority? Is it not prioritized due to fear of finding a problem, or some other reason? Is that reason acceptable?
  2. What were the results, and can you show me those results in a clear and dynamic dashboard?
  3. How long did the process take, and at what cost?
  4. Are the results presented in a way that is usable for you to take action?
  5. If compensation changes were made as a result, what did you learn about the underlying problems that led to the disparities? What policy or behavioral changes will be made?
  6. Are all compensation events analyzed? This includes base pay, new hire starting pay, stock grants, mid-year changes, bonuses, reorgs, or re-leveling exercises and the like.
  7. Does the company analyze pay during the pay-setting cycle so that changes can be made before pay is finalized? And does the company monitor pay equity throughout the year?

Once you have the
answers to these questions, you will be able to assess risk and evaluate the
company’s commitment to pay equity. Most companies engage in ongoing changes in
the employee lifecycle, including hiring, setting pay, promotions, terminations
and turnover, and reorganizations. Companies not analyzing pay equity, or doing
it just once per year, are incurring unnecessary risk—and doing so at a time
when third parties are becoming dramatically more sophisticated in pressing
companies to demonstrate gender pay equity results.

One of the most
important elements of employee satisfaction and engagement is fair pay. A
company genuinely committed to pay equity is not only doing the right thing. It
also has an incredible opportunity for brand marketing and public relations, as
well as a differentiator for recruiting top talent.

If you’d like to talk more about an ongoing or new pay equity initiative at your organization, get started in the comment section below.

Zev Eigen is the founder and chief data scientist at Syndio. Eigen speaks on the topic of pay equity at regional NACD events, most recently at the Colorado Chapter meeting in December 2018.

Why Executives Need Career Transition Support, Even in a Hot Job Market

In a hot job market, certain business leaders question whether they should continue to provide career transition support for executives. Unemployment is down. Companies are clamoring for good talent. “Surely, they will find something quickly.”

But is this really the case? According to the December 2018 report from the U.S. Bureau of Labor Statistics, the average unemployment duration was over 21 weeks. As employees climb the ladder it takes longer and longer to find a position on par with their talents. For executives, it is not unusual for the hunt to take over a year, placing considerable strain on the job seeker.

While your displaced former executive is hunting for a job, how are they filling their time? Are they sharing their discontent with former colleagues at the organization? Have they visited Glassdoor and left a scathing review for the world to see? Or have they been given the support needed to move on in their career with a future focus, reflecting on their time with your company as a period that was enriching for their career? Regardless of job market conditions, the challenges of a career transition still exist. Your executives are unlikely to be prepared for the emotional challenges of dealing with a job loss, the technical difficulty of conducting a modern job search at the executive level, and the motivational struggle of sustaining a typical, extended search. Without support, this could prove detrimental to your employer brand.

Career Partners International (CPI) has over thirty years of experience getting executives back to work quickly. Our combination of expert-level coaching facilitated through world-class technology helps executives convey their value to the market and land new opportunities suited to their talent. CPI coaches guide job seekers through this complex market, while our technology ensures that executives perfect every detail of their job search documents and interview interactions. Over the course of 2018, this system has helped the average CPI Executive candidate land in under 20 weeks, a significant decrease in search time compared to executives without a career transition plan and support.

If you’re charged with deciding whether to provide executive outplacement services, don’t think for a minute that it is any less stressful or any easier to find a new role in a “hot market.” Sure, there may be more opportunities in an expanding economy, but the competition is tough and the process of finding the right opportunity can be extremely difficult, especially for executives who haven’t been out in the market or haven’t been hands-on in a search for a while.

Having a professional on your side with experience in career transitions and industry-leading technological support is the exact backing your executives need. Your executives are accomplished in many things, but bootstrapping their own career transition is not one of them. An executive career coach who is trained to help executives identify their goals, polish their messaging and networking skills, facilitate important introductions, negotiate their next package, and generally put their best foot forward can help them navigate this unfamiliar territory and come out the other side for the better. Not to mention, executive career coaches can also help ensure that your company brand is protected and positively represented by your most visible employees – a worthwhile investment indeed.


Written by John Myers, Managing Partner at Kensington International, a Career Partners International Firm

The post Why Executives Need Career Transition Support, Even in a Hot Job Market appeared first on CPIWorld.

Why is Your Virtual Dream Team Not Living Up to Expectations?

Harness the Potential of Virtual Teams – March 12th and 14th – 1 SHRM PDC

With over thirty years of experience in talent development and career transition services, Career Partners International (CPI) has provided clients with the tools to navigate through decades of change in the workplace. Despite the best preparations, new challenges continually emerge for HR and Management teams.

Join us for Harnessing the Potential of Virtual Teams, a CPI Webinar Series program, on March 12th and 14th, 2019 as we discuss how to bring out the best in your remote workforce. Many organizations already have or are beginning to introduce remote workers to their team. The benefits of this arrangement are numerous. Leaders can source scarce talent from all over the world, not limited to a commutable range. With constant improvements in technology, connectivity becomes easier despite physical separation. Engagement and retention are improved. Employers are even keeping costs down by reducing worksite overhead.

Whether they have given their teams an added perk of remote work flexibility or have just assembled a completely virtual “dream team,” many employers are still struggling to see the promised returns of a digital team. Why are these teams not delivering at the level of their onsite counterparts despite being, on paper, a superior group of employees? Bill Florin of Learning Dynamics, a CPI Partner Firm, joins us to discuss some of the more treacherous obstacles to realizing the potential of a virtual team.

With over three decades of experience in evolving workplace best practices, the team from Learning Dynamics will be illuminating the most frequent disruptors to team productivity and proposing practical resolutions. We will explore ways to increase engagement, develop relationships, and bridge cultural differences. Ultimately, the goal of the program is to identify ways to get things done. With the proper guidance your teams can deliver on those promises of effectiveness and efficiency, achieving well beyond your current results and expectations.


This program is valid for 1 PDC toward SHRM-CP and SHRM-SCP recertification.


Register today for free at CPIworld.com.

The post Why is Your Virtual Dream Team Not Living Up to Expectations? appeared first on CPIWorld.