First SEC “Red Flags” Enforcement Case Spotlights Board’s Role

A recent U.S. Securities and Exchange Commission (SEC) enforcement action punishing a financial firm for its subpar data security practices—the agency’s first-ever use of its “red flags” rule—called out the company’s board of directors for its failure to “administer and oversee” the program.

While corporate boards are charged with general oversight of business risks, including cyber risks, it's far from the norm for a data security regulation to draw a straight line to the boardroom. The SEC's "red flags rule" does just that, placing direct responsibility on corporate boards. In an enforcement order against Voya Financial Advisors, the Iowa-based investment advisory arm of Voya Financial, the commission used the rule to censure the firm for allowing intruders to roam freely through its customer information. The intruders were able to access Social Security numbers, account balances, and even details of client investment accounts, according to the commission.

This should set off alarm bells for every financial firm and board of directors under the SEC’s watch. It’s likely that most companies are not in compliance with the rule and, given the agency’s increased focus on cybersecurity, this should be their wake-up call to quickly get such a program in place.

Five years ago, the SEC adopted the rule, formally the "Identity Theft Red Flags Rule" (Regulation S-ID), which requires investment firms to develop and implement a written program to "detect, prevent and mitigate" identity theft and fraud, built around "red flags": warning signs that someone may be trying to steal customer information or customer identities. The rule also requires that a firm's board of directors, or a designated member of senior management, approve and administer the program. But until recently, the SEC had never enforced it.

The SEC's order against Voya suggests that the firm's conduct was egregious enough to explain the agency's decision to finally put the "red flags" rule to use. During a six-day window in 2016, cybercriminals impersonated Voya's independent investment representatives, the largest segment of the firm's work force, by calling the Voya help line and asking that the representatives' passwords be reset. Even though some of the telephone numbers the callers used were already flagged in Voya's systems as associated with prior fraudulent activity, the callers still got past the help line's identity checks and were given new passwords over the phone, according to the SEC.

The intruders used the new passwords to gain access to the personal information of 5,600 customers, the SEC alleged, then used that information to create new online customer profiles and to pore through thousands of account records.

Without so much as triggering a fraud alert, the intruders were able to change a legitimate customer's phone number and address of record, so that account statements and confirmations would be re-routed from the customer to the attacker. In several instances, the SEC said, they used addresses from a disposable email service, which lets a user create an address, read incoming mail, and then destroy everything.
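The two control failures the order describes, a reset granted to a caller from a number already associated with fraud and a change of a customer's contact details shortly afterwards that raised no alert, are both detectable from ordinary help-desk and account-change logs. The following is an added example of such checks, not material from Voya or the SEC; the flagged numbers, the disposable-email domain list and the event stream are all constructed for illustration, and the 48-hour window is an assumption.

```python
"""Red-flag checks for the phone-initiated password-reset pattern described above.
Added example; all phone numbers, domains and events below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: caller numbers previously tied to fraud cases (a real deployment
# would query the firm's case-management system instead of a literal set).
FRAUD_FLAGGED_PHONES = {"+15555550100", "+15555550199"}

# Constructed assumption: domains of disposable-email providers.
DISPOSABLE_EMAIL_DOMAINS = {"tempmail.example", "throwaway.example"}

# Assumption: a contact-detail change this soon after a reset is suspicious.
POST_RESET_WINDOW = timedelta(hours=48)


@dataclass
class Event:
    ts: datetime
    kind: str              # "reset_request" or "profile_change"
    actor: str             # representative account requesting the reset / making the change
    caller_phone: str = ""  # reset_request only
    subject: str = ""      # profile_change only: the client whose record changed
    field_name: str = ""   # profile_change only: "phone", "address" or "email"
    new_value: str = ""


def reset_decision(ev: Event) -> str:
    """Policy for the help line: deny when the calling number is fraud-flagged."""
    return "deny" if ev.caller_phone in FRAUD_FLAGGED_PHONES else "allow"


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def find_red_flags(events: list[Event]) -> list[str]:
    """Scan an event stream in time order and return human-readable red flags."""
    flags: list[str] = []
    last_reset: dict[str, datetime] = {}   # actor -> time of last phone-initiated reset
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "reset_request":
            if reset_decision(ev) == "deny":
                flags.append(f"{ev.actor}: reset requested from fraud-flagged number {ev.caller_phone}")
            last_reset[ev.actor] = ev.ts       # the reset happened regardless; record it
        elif ev.kind == "profile_change":
            reset_at = last_reset.get(ev.actor)
            if reset_at is not None and ev.ts - reset_at <= POST_RESET_WINDOW:
                flags.append(f"{ev.actor}: changed {ev.field_name} of {ev.subject} "
                             f"{ev.ts - reset_at} after a phone-initiated reset")
            if ev.field_name == "email" and _domain(ev.new_value) in DISPOSABLE_EMAIL_DOMAINS:
                flags.append(f"{ev.actor}: new email for {ev.subject} uses disposable domain {_domain(ev.new_value)}")
    return flags


# Constructed sample stream: one rep reset from a flagged number, one from a clean number.
T0 = datetime(2016, 4, 13, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "reset_request", "rep_1042", caller_phone="+15555550100"),
    Event(T0 + timedelta(minutes=5), "reset_request", "rep_2077", caller_phone="+15555551234"),
    Event(T0 + timedelta(hours=3), "profile_change", "rep_1042", subject="client_77",
          field_name="address", new_value="PO Box 9"),
    Event(T0 + timedelta(hours=4), "profile_change", "rep_1042", subject="client_77",
          field_name="email", new_value="statements@tempmail.example"),
    Event(T0 + timedelta(days=10), "profile_change", "rep_2077", subject="client_12",
          field_name="phone", new_value="+15555559999"),   # outside the window: benign
]

if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_EVENTS):
        print(flag)
```

Running the block prints four flags, all for rep_1042: the reset from a flagged number, two contact-detail changes within the window, and the disposable email domain; the later change by rep_2077 raises nothing. In practice the `deny` branch should stop the reset at the help line, and the post-reset rule should feed the firm's fraud-alert system rather than a print statement.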

Voya had an identity theft program in place since 2009, but it was never updated, nor was it approved by the firm's board of directors or senior leaders, as the rule requires. Instead, the program languished, was ignored by Voya's security team, and fell far below the requirements of the regulation.

Although Voya did not admit or deny liability in the SEC settlement, the commission deemed the firm’s violation of the red flags rule as “willful.”

“VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” concluded the SEC.

In the settlement, the SEC ordered Voya to remediate a laundry list of data security issues and to engage an independent consultant to monitor its compliance with the red flags rule. This is also the first time the SEC has ordered an independent monitor to police compliance with that rule.

Yet it’s likely that few firms and even fewer boards are aware of the rule. Many firms and their leaders are familiar with the SEC’s general data security rule and its guidance to public companies about disclosing cybersecurity risks and data breaches, but the red flags rule—for all its timeliness and importance—has flown under the proverbial radar screen.

Over the past few years, the SEC has made scrutiny of companies' cybersecurity practices a priority. Earlier this year, the agency updated its guidance to public companies, telling them to beef up cybersecurity risk factors and data breach disclosures. And in April, the SEC brought its first-ever cybersecurity disclosure enforcement action over the massive Yahoo! data breach, after it emerged that the company sat for more than two years on news that hackers had made off with the personal information of more than 500 million users. Altaba, the company Yahoo became after selling its operating business to Verizon, was fined $35 million for the tardy disclosure.

With the SEC toughening its stance on data security issues, corporate leaders and board members should treat the Voya case as an object lesson and ensure that their identity theft programs are up-to-date and align with the particular cybersecurity risks that face their organization. Although Voya was only hit with a symbolic $1 million fine, it’s doubtful that the SEC will be as forgiving in the future.


Craig A. Newman is a partner with Patterson Belknap Webb & Tyler LLP, the New York law firm, and chair of its Privacy and Data Security Practice. All thoughts are his own. 

The Board’s Role in Cyber-Risk Oversight: Advice from Leading Directors

In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from chief information (and information security) officers, chief risk officers, and other executives.

At BitSight’s inaugural EXCHANGE forum last month, a panel of directors and executives from top global companies discussed the importance of board involvement in mitigating cyber risk.

The panel was moderated by Suraj Srinivasan (professor, Harvard Business School). The panelists included Ed Brandman (chief information officer, KKR & Co.), Andy Brown (board of Zscaler and Guidewire), Bijoy Sagar (chief digital and technology officer, Stryker) and Shelley Leibowitz (board of AllianceBernstein and E*TRADE).

Panelists Ed Brandman, Andy Brown, Bijoy Sagar, Shelley Leibowitz, and Suraj Srinivasan discuss the board’s role in cybersecurity at BitSight’s inaugural EXCHANGE forum on October 10, 2018.

Here are some of the key takeaways from the discussion.

1) When it comes to cybersecurity, board members need to completely understand the spectrum of risk for both their organization and industry.

It’s important for directors to understand the landscape around their company: its value and possible threats to that value, as well as company decisions, their residual risk, and the risk-mitigation techniques being employed. Understanding both qualitative and quantitative data allows organizations to look backward and forward; the audit committee should focus specifically on looking backward while the risk oversight committee focuses on what may happen. This helps create a comprehensive picture of risk both within and outside the organization. Companies, especially those in cybersecurity, must think about risks that may not seem obvious. As one executive said, “Think about the risks you may not be thinking about and expect the unexpected.”

2) While some boards have a cybersecurity expert, most do not. Instead, the risk oversight committee should fulfill this role and facilitate discussions that provide the appropriate context around cyber risk.

The shortage of security professionals among board members emphasizes the need for collective responsibility around cybersecurity and cyber risk. While most boards do not have a designated cybersecurity expert, an increasing number are assigning this responsibility to the risk oversight committee. According to another executive, risk committees should be accountable for several cybersecurity-related areas: governance, policy, testing, transparency, and resource allocation.

All executives agreed it's critical for boards to get, and understand, the qualitative and quantitative information needed to make informed decisions about cyber risk, particularly when it comes to transparency. Security ratings are one tool many of these boards use as an external, objective measurement of their company's security posture, recognizing that internal measurements only go so far because of their natural biases. This is also significant when chief information (and information security) officers report to board members and can use security ratings to track security performance and trends over time.

3) The cybersecurity information presented in board meetings must align with business objectives and areas of responsibility.

Another executive emphasized the most important thing for him is aligning his roles and responsibilities with the board. He looks at cybersecurity reporting in terms of conveying applicable information about the threat landscape, sharing insights into trends, and articulating the strategy (particularly the public relations strategy) around all efforts.

Another executive said his board has a cybersecurity expert but his relationship with the board as chief information officer is unique; he views his primary role as disclosing a strategy around how to keep the business safe and the areas his team is most focused on. He lays out the roadmap for the board and outlines how it can help in resourcing, financial commitment, and prioritization within a business context. He acknowledges that every company is going to think about cyber risk in a different way but that his job is to help educate the board on how it constructs its risk management model and strategy, as well as how it responds to risk.

While every company thinks about risk management in a unique way, executives need to convey critical information to the board of directors in a consumable way. One component can be a reporting metric like a security rating, but ultimately the goal should be to convey the company’s positioning and strategy to address cyber risk in a proactive, efficient manner.


To learn more about how to keep up with your company’s risk metrics, visit BitSight’s Cyber Risk Monitor report.

From Cars to Cornflakes, LIBOR’s Departure Will Ripple Through Corporate America

The phrase “LIBOR transition” doesn’t elicit more than a yawn from most corporate treasurers.

But how about this: “the terms on your debt maturing after 2021 are going to change, whether you like it or not.”

That is precisely the scenario in view as regulators phase out the London Interbank Offered Rate, or LIBOR, by the end of 2021.

Known as the “world’s most important number,” LIBOR has more than $240 trillion linked to its daily fluctuations according to Oliver Wyman estimates. LIBOR is tied to all sorts of financial products; you may have a mortgage, student or auto loan tied to it, and your company probably borrows based on it. In other words, it drives your corporate interest expense.

Board directors need to ensure management starts thinking through the transition now. The good news is that companies still have time to get ready. The bad news? The transition will require a fundamental repricing of debt and might have a large market impact.

The largest banks are already preparing, pushed ahead by regulators on both sides of the Atlantic. UK regulators in September sent classically understated “Dear CEO” letters to the largest financial institutions in Britain, politely demanding they develop and submit by December a board-approved plan for LIBOR transition. Regional and community banks, meanwhile, are just starting their efforts.

Beyond banks, the transition affects almost all large corporations, given that trillions of dollars of debt, or hedges of debt, are tied to LIBOR. Yet in our conversations with treasurers, financial officers, and yes, board members of non-financial companies, we have come across few who recognize the looming issue, or are even aware of it.

Consider this an early warning.

Buried in Fine Print

Corporate loan and debt agreements generally contain language that defines what happens if LIBOR is unavailable – but is designed for a short-term contingency like a systems outage, not permanent cessation. Typical terms vary, ranging from “use the last rate,” meaning that your floating debt is now fixed, to “use prime,” meaning that your rate is now very different.

There are no criteria for what constitutes a LIBOR discontinuance, leaving companies exposed to language buried in contracts. Firms might be entitled to something better, or something worse. Does management know, or are they depending on the financial system to offer a reworked deal? That isn’t always possible; perhaps a bank will renegotiate, but bondholders might be unwilling to give back an unexpected gain.

Companies are likely to feel a financial impact not only from the changing terms of the debt itself but also from changes rippling through hedges and derivatives linked to debt. That’s because almost all these changes break the “hedge accounting” that firms use on their balance sheet, potentially increasing balance sheet volatility.

What Will Replace LIBOR?

In the end, transactions in the market won’t be defined by the regulators who are taking LIBOR off the table. Regulators indicate the transition is “market led,” so it is up to the banks and customers to define a path forward. That’s why corporations need to focus: This is a fundamental repricing of the more than 100 financial products tied to LIBOR, and the market impact is still murky.

While the regulators have not defined how the economic changes will work, they have created potential replacement rates. Each of the five existing LIBOR currency rates will be replaced by a country- or region-specific rate. For example, the Federal Reserve has created the Secured Overnight Financing Rate, or SOFR, and the UK Working Group recommended the Sterling Overnight Index Average, or SONIA. These are structurally very close to true "risk free" rates and therefore behave differently from LIBOR. They should average lower than LIBOR, because LIBOR contains a bank credit and term premium that the new rates lack. For example, LIBOR rose during the banking crisis of 2008; the new rates have no such component. Look for the industry to seek to replicate these features in new non-LIBOR products, which are still under development, and to sell them to corporate borrowers.

All of this points to a mountain of work for corporations and their finance teams. They must inventory existing LIBOR-based obligations, determine exposures past the likely end of LIBOR in 2021, work down those exposures if possible, and get ready for a slew of new products to be evaluated.

What To Do: A Checklist for Boards

How can boards monitor this? In short, by following the script already laid out for banks by the UK regulators in September.

First, they should ensure there is leadership accountable for managing the transition. This might well be the chief financial officer or corporate treasurer, but it will vary depending on the company’s business model. And since this is a global problem, it needs to be considered and managed globally.

That leader (and team) should start by identifying exposures. There is no easy way to do this other than to go through the financials, document the obligations that are based on LIBOR, and project what will change when LIBOR goes away.

Once the exposures are understood, leaders should consider the big picture and report to the board about its implications. Companies and their bankers have a relationship that needs to survive what in the end is a technical hitch. What should be the response when a bank calls to refinance or renegotiate?

Next, board members should advise that their companies need to consider the details and build a work plan. LIBOR likely is present in more places than is obvious. For instance, systems will need to be updated. Some of these will be vendor systems, and companies need to show that they are on top of these vendors. That’s the end of the UK regulatory request—a board-approved plan. Boards should be pushing for a similar outcome unless their LIBOR exposures are negligible.

Finally, if you are a board member, you should insist your company isn’t the last to change. As LIBOR fades away it will likely get stale and products based on it could become illiquid. If your company is late to the table, it could prove costly.

For more information on how to prepare for the transition, please see Oliver Wyman’s LIBOR hub.

Paul Cantwell is a Partner in Oliver Wyman’s Finance & Risk and Public Policy Practices in the Americas. Adam Schneider is a Partner in Oliver Wyman’s Digital and Banking Practices in the Americas. Ming Min Lee is a Principal in Oliver Wyman’s Corporate and Institutional Banking practice.

Avoid Losing More Than You Let Go

With over thirty years of experience, Career Partners International (CPI) has repeatedly demonstrated the value of quality outplacement services.  CPI makes the difficult process of a career transition as smooth as possible for candidates and clients.  Over 80% of participants working with CPI land in equal or better paying positions than they previously held.  On average, candidates land in 2.73 months, twice as fast as the national average.  These results protect the employer brand that clients have worked so hard to develop.  But how can offering outplacement services to separated employees benefit those who remain in the organization after a reduction?

A termination or layoff can leave remaining workers questioning the security of their positions. Knowing that even in the worst-case scenario their peers are taken care of and treated with respect enables the workplace to return to normalcy. Offering separated employees outplacement services keeps remaining employees focused and engaged. By providing career transition services, organizations prove that they care about their employees, even those who are no longer with the company.

Remaining employees have a personal connection with those who have been separated.  Many have spent 8+ hours a day, five days a week, for years building both personal and professional relationships with those who have lost their jobs.  They care about their wellbeing and will likely stay in contact.  CPI facilitates candidates landing great new opportunities.  97% of participants report being highly satisfied with their outplacement experience, easing concerns of their peers.

CPI assists organizations through all phases of the separation process to make outplacement programs as effective as possible.  From planning, to notification support, to change management training, CPI coaches support both the organization and candidates to ensure a seamless transition.  Handled properly, CPI ensures that outplacement services are beneficial to all stakeholders, protects the employer brand, moves candidates into great opportunities, and keeps remaining employees focused and engaged.

The post Avoid Losing More Than You Let Go appeared first on CPIWorld.

Cybersecurity Response Plan: Why Prioritization Matters

The ability to understand cybersecurity risks, and which areas of the business they affect, is crucial in making sound decisions for the company you govern. A general security status report is informative, but it won't deliver the actionable intelligence you need to steer the company past threats. Astute questioning, however, will uncover the more pertinent and granular detail upon which you can confidently act.

The first critical question your board should ask its security team when it receives news of a breach is: “where are we exposed?” The next question is: “what should we prioritize?” Without knowing which assets are essential to business continuity and recovery, the security team could end up locking down the cafeteria menu instead of securing customer data or other business critical resources. The results of such missteps can be devastating. Liability abounds for corporate executives and directors alike.

The smart way to organize response team priorities is to perform predictive prioritization based on actual business risk and threat intelligence. Such prioritization enables the security team to respond with the urgency and care that risks to business-critical assets warrant, rather than waste resources on lesser evils.

The Answers You Don’t Need 

Below are two common replies board members may hear from their security leaders to the hot-seat question, “where should we prioritize?” I also explain why these responses fall far short of the concise and actionable answer that directors of companies need to hear.

  1. We take care of all critical vulnerabilities and respond to most that are ranked "high." This answer carries a high degree of mathematical improbability, since there are far too many vulnerabilities for security teams armed with traditional cybersecurity technologies to find and address. According to the Vulnerability Intelligence Report from Tenable Research, some 19,000 new vulnerabilities will have been found by the end of 2018, and the vast majority of these are rated "critical" or "high." If everything is critical, then nothing is. It is nearly impossible to know whether all of your company's critical or high vulnerabilities are covered at any point in time. Further, an answer such as this can lead to a false sense of security and a dangerous state of complacency. The haystack of vulnerabilities keeps getting bigger, making the needles harder and harder to find. But it only takes a few needles to cause huge damage to your company.
  2. We have moved this latest vulnerability to top priority status. Pulling resources away from other vulnerabilities to refocus them on the latest one may feel like your company is on top of things. In fact, the opposite may be true. If the vulnerability is unlikely to be weaponized against your company's critical assets, moving resources might unnecessarily increase exposure elsewhere. However, if a critical asset is vulnerable, and predictive prioritization forecasts that an exploit is likely, then re-allocating resources makes perfect sense.

The Answer You Need 

According to the Vulnerability Intelligence Report, a staggering 93 percent of the vulnerabilities discovered last year had no publicly available exploit. In other words, although the vulnerabilities were identified, no working exploit had been published for them. (That is not proof that none were exploited privately, but public exploit availability is the strongest leading indicator of where attackers will actually go.) It's imperative that your security team be able to concentrate on the remaining seven percent. The math alone illustrates the vast potential for missing the most serious threats and spreading resources too thin. The report shows that enterprises identify 870 unique vulnerabilities on their systems every day, on average. Of those, more than 100 are rated critical on the Common Vulnerability Scoring System (CVSS). Yet, in 2017, public exploits were available for just seven percent of all vulnerabilities. The remaining question is which of your critical assets were at risk from that seven percent.

New, next-generation tools have been designed to sniff out new vulnerabilities as they appear, in real time, across your entire attack surface. These tools visualize threats in a single view and then perform predictive prioritization that better arms your team to address the threats that matter most. If the security team takes a holistic, rather than piecemeal, approach to its defensive strategy, a predictive tool will let it see the company's total cyber exposure and concisely report the most pertinent details to you in the boardroom. Further, if the tool was used early to identify critical business assets, and vulnerability management already relies on predictive prioritization, the security team can also report the response status for the assets that may be affected by the most salient threat.

It is critical to rank threats according to actual risk, and business assets according to their impact on business outcomes, to see how they may align. Response priorities can then be set according to the data from this hard analysis. Only when your security team is able to prioritize based on risk can they give corporate directors the answer they need: “We have evaluated this vulnerability, we have identified the risk it poses to our most critical business functions, and we are prioritizing our response accordingly.”
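The ranking the section argues for, threats by likelihood of exploitation and assets by business impact, can be made concrete in a few lines. The following is an added example, not Tenable's scoring method: the weights, the asset criticality scale and the five findings are constructed for illustration, and the finding identifiers are placeholders rather than real CVE numbers.

```python
"""Risk-based vulnerability prioritization. Added example; the weights and the
sample findings are constructed and are not any vendor's model."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id_: str                 # constructed placeholder, not a CVE identifier
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_public: bool     # public exploit code or known in-the-wild use
    asset: str
    asset_criticality: int   # 1 (low) to 5 (business-critical), assigned by the business
    internet_exposed: bool


def risk_score(f: Finding) -> float:
    """Higher means more urgent. Exploit availability and asset criticality, not the
    raw CVSS number, dominate the score, so 'everything is critical' collapses into
    a short ordered list."""
    likelihood = f.cvss / 10.0
    if f.exploit_public:
        likelihood *= 3.0          # assumption: a weaponized issue is ~3x as likely to be hit
    if f.internet_exposed:
        likelihood *= 1.5          # assumption: reachable from the internet
    impact = f.asset_criticality / 5.0
    return round(likelihood * impact * 10, 2)


def prioritize(findings: list[Finding], top_n: int | None = None) -> list[Finding]:
    """Return findings ordered by risk_score, most urgent first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:top_n] if top_n else ranked


def triage_summary(findings: list[Finding]) -> dict[str, int]:
    """Contrast 'critical by CVSS' with 'has a public exploit', the gap the section describes."""
    return {
        "total": len(findings),
        "cvss_critical": sum(1 for f in findings if f.cvss >= 9.0),
        "with_public_exploit": sum(1 for f in findings if f.exploit_public),
    }


# Constructed sample: note the CVSS 9.8 on the cafeteria-menu kiosk and the CVSS 7.5
# with a public exploit on the customer database.
SAMPLE = [
    Finding("F-1", 9.8, False, "cafeteria-menu-kiosk", 1, False),
    Finding("F-2", 7.5, True,  "customer-db-01",       5, False),
    Finding("F-3", 9.1, True,  "web-frontend",         4, True),
    Finding("F-4", 9.9, False, "build-agent",          3, False),
    Finding("F-5", 5.3, False, "customer-db-01",       5, False),
]

if __name__ == "__main__":
    print(triage_summary(SAMPLE))
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.id_}  cvss={f.cvss}  exploit={f.exploit_public}  {f.asset}")
```

On the sample, three of five findings are "critical" by CVSS, but the ordered list puts the two exploitable findings on important assets first and the CVSS 9.8 on the kiosk last. The weights are the part a team would tune against its own threat intelligence; the structure, likelihood times business impact, is what lets the security team give the board the one-sentence answer the section asks for.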

Want to learn more about understanding vulnerabilities in the context of business risk? Read the Vulnerability Intelligence Report from Tenable Research.

Why—and How—Boards Should Urge Companies to Disclose What Matters on Climate Risk

If Hurricanes Harvey, Irma, Florence, and Willa, and their collective billions of dollars in damages and losses, haven't convinced you that climate change poses real risks to business, perhaps the recent Intergovernmental Panel on Climate Change report will.

In no uncertain terms, the report lays out a vision, grounded in science, of the stark future that awaits us all if we fail to keep the planet from warming more than 1.5 degrees Celsius. Increased sea-level rise and flooding, warming oceans, more and ever-intensifying coastal storms, and widespread drought, and all the destruction they bring to human lives and business operations, will become the norm unless we act in the next 12 years or so to significantly reduce global greenhouse gas emissions.

Investors are taking these risks extremely seriously and raising pressure on companies and their boards to do the same. From taking action during proxy season via shareholder statements and other measures to staying engaged with management in the off-season, investors are signaling they expect serious corporate commitments and action on climate change, starting with rigorous analysis of climate risk to their investments.

Smart, proactive, and effective disclosure is critical to helping investors do their job well—and assess which companies are well positioned in the face of climate change risks. Fortunately, tools that can help companies provide such disclosures are emerging.

Last year, a body convened by the Financial Stability Board released a framework that companies can use to disclose the kind of information investors need to accurately price climate risks. Called the Task Force on Climate-related Financial Disclosures (TCFD), the group’s recommendations quickly garnered widespread support. Heavy hitters in the financial community, including BlackRock, JPMorgan Chase, and TIAA, helped develop the recommendations, and more than 160 investors representing $86.2 trillion in assets have issued statements supporting them. Over 500 major companies, including PepsiCo, Unilever, and eBay, have publicly supported the TCFD.

Why should boards pay attention?

The TCFD recommendations are a great example of the growing integration that investors are looking for between corporate governance structures and disclosure on environmental and social issues such as climate change.

Investors don’t just want companies to disclose data on how climate change is affecting them: they want to know how companies are addressing these risks in the long term, including how they factor into corporate strategy and decision-making. As part of this, they are paying close attention to the effectiveness of companies’ governance systems allowing for this integrated decision‑making—systems like board oversight of climate change.

Yet, in its 2018 report on the status of TCFD-based disclosures, the TCFD Secretariat notes that companies are still in the early stages of demonstrating their climate-related financial impacts.

Disclose What Matters, a recent Ceres report, echoes this finding. In analyzing the sustainability disclosure practices of nearly 500 of the world’s largest companies, we found that while most large global companies disclose their sustainability performance, and indeed provide a wealth of information, these disclosures are still not presented in a financially relevant way. Specifically, companies still don’t demonstrate how their approach to climate and other environmental, social, and corporate governance (ESG) issues impacts their business strategy and performance.

To meet investor expectations, companies need to step up the maturity of their disclosures, evolving from “disclosing more” to “disclosing what matters.”

Boards can do a lot to help their companies make this transition—and by doing so, get credit from the investor community for their work on climate change and other ESG issues. Disclose What Matters outlines specific steps boards can take:

  1. Keep track of ESG issues that your investors care about. Boards should encourage a company’s sustainability and investor relations teams to work together to understand ESG issues their top investors are focusing on—and then drive the assessment of whether these issues are indeed material to the company. They can take this a step further: a number of investors are seeking to engage directly with corporate boards on ESG issues such as climate change.
  2. Encourage disclosure in a way that your investors are looking to see. For many companies, the plethora of ESG disclosure standards can lead to confusion. Instead, boards can encourage their companies to approach each standard as an opportunity to hone or focus ESG disclosures for specific audiences. For instance, most investors are very interested in disclosures based on the Sustainability Accounting Standards Board (SASB) standards. Indeed, Glass Lewis recently integrated SASB’s materiality guidance across its research and vote management products. In a step that will ease the standards burden, a number of disclosure standards are updating their frameworks to incorporate the TCFD.
  3. Demonstrate decision-making. Most large global companies disclose that they have the relevant governance systems to prioritize and address ESG issues. But they do not disclose how these systems drive decision-making on business performance. Boards can work with management and leadership to provide disclosure that bridges this gap.

Markets run on good disclosure. Boards have a key role to play in helping their companies begin to provide the kind of climate risk disclosure that investors demand. Adopting comparable, financially relevant, and reliable ESG disclosures will help boards demonstrate their companies are resilient and prepared for whatever risks the future brings.

Veena Ramani is the program director of Capital Market Systems at Ceres. Ceres is a sustainability nonprofit organization working with the most influential investors and companies to build leadership and drive solutions throughout the economy. All thoughts expressed here are her own. 

CPI’s Sacramento Partner Wilcox Miller & Nelson’s President and CEO Joins the Advisory Board of Leaderxxchange

Wilcox Miller & Nelson today announced that its President and CEO, Diane D. Miller, has joined the Advisory Board of Leaderxxchange, the New York-based company that produces the Gender Diversity Exchange. Leaderxxchange is a change-driven organization that advises on and promotes diversity in governance, leadership and investment. The Gender Diversity Exchange provides a comparison of gender diversity in the management ranks of the world's leading companies.

“It’s an honor to serve on Leaderxxchange’s Advisory Board, alongside distinguished governance leaders from around the world. The important data the Exchange provides assists boards, shareholders, and companies in making informed decisions regarding their organization’s gender diversity and its comparison to others.” – Diane D. Miller

Wilcox Miller & Nelson is the Sacramento Partner of Career Partners International and provides board and executive search, governance consulting, and executive career transition services.

The post CPI’s Sacramento Partner Wilcox Miller & Nelson’s President and CEO Joins the Advisory Board of Leaderxxchange appeared first on CPIWorld.

Is Technical Debt Limiting Your Company’s Competitiveness?

For decades, discussions about technical debt have taken place within the information technology (IT) department with insufficient engagement from executive management and the board. But boards must increase their awareness and understanding of this issue in order to add perspective and make suggestions that facilitate execution of the strategy and improve their companies’ competitive position.

What exactly is technical debt? It refers to the cost and magnitude of additional work caused by choosing technology solutions that are easier to implement over the short term instead of selecting the best overall solution for the long run. As an organization makes these decisions, and as technology continues to evolve, the cumulative effect of layers upon layers of code and architectural approaches can stifle a company’s ability to innovate and compete.

While not new, technical debt has become a formidable hurdle to sustaining competitiveness in the digital age. Today, agility and resilience have emerged as essential for long-established incumbents exposed to “born-digital” players with architecture built optimally from the ground up. With wave after wave of cutting-edge technology solutions addressing pressing market needs, responding to these market entrants becomes a challenge for organizations that have multiple layers of architecture reaching back decades. Therefore, the topic is strategic in nature rather than a narrow IT discussion.

Not all technical debt is bad. There are times when it helps bring a product to market or respond to an emerging opportunity or risk more quickly. For example, a company may make a conscious decision to take on debt for a specific business outcome, such as shipping with known problems now, backed by an action plan to pay the debt back later once more thoughtful consideration has been given to a design that accommodates future requirements.

However, it can become a serious issue if technology isn’t refreshed or if the shortcuts taken are not subsequently addressed. All too often, the work to reduce technical debt is delayed due to competing priorities. Left unchecked, the debt can grow insidiously until it becomes the proverbial ball and chain that could prevent an organization from keeping pace with its nimbler rivals.

In many longstanding organizations, mapping the technology that supports mission-critical operations can be like an archaeological dig. On the surface sits the shiniest, newest technology supporting websites, mobile solutions, and advanced analytics. But dig below the surface and one is likely to find layer upon layer of highly interdependent, complex systems, some dating back four decades or more. Continued dependence on this aging technology presents several risks, including reliance on an aging (and shrinking) workforce with the knowledge and skills to support it.

It gets worse: The complex, monolithic design of these systems and the processes supporting them are not well-suited to the fast-paced, agile nature of today’s digital world. Organizations deploying these aging platforms often find it difficult to respond to market opportunities or risks or to adopt emerging technological capabilities promptly. In some cases, the platforms and their complex integrations create security risks and challenges in responding to regulatory compliance demands.

Why not just upgrade, replace, or even abandon aging systems and wipe out the technical debt? If only it were that easy. Options to mitigate technical debt include:

  1. Build new infrastructure based on modern technologies. An example of this digital-first, clean-slate tactic is Goldman Sachs’ approach to supporting its Marcus brand in 2016.
  2. Quarantine. “Ring-fence” the technical debt to isolate it, such as when the infrastructure and supporting business processes are designated for retirement.
  3. Preserve and protect. Build a services layer around the system to defer the inevitable need to upgrade or replace the systems in question and extend the life of critical systems assets.
  4. Simplify and rationalize. Simplify and rationalize the infrastructure to address some forms of technical debt (organizations that have grown through mergers and acquisitions may find this useful).
  5. “Big bang.” Do a full replacement and upgrade to more modern infrastructure. This option is a high-risk, high-reward proposition.
  6. Phased upgrade and replacement. Conduct a phased upgrade or migration to newer technology platforms. This is one of the most likely approaches for dealing with technical debt.

These options are not mutually exclusive, and they can also be combined with additional modern technologies as organizations deal with existing technical debt and avoid taking on more. For example, cloud solutions offer several benefits related to avoiding future technical debt while shifting some of the maintenance burden to the cloud services provider. Service-oriented architectures, including application programming interfaces (APIs) and microservices, can be used to “wrap” and “decompose” legacy systems in the “preserve and protect” option described above. They can be an important tool in the implementation of the “phased upgrade and replacement” option as well. Decomposing large, complex, monolithic systems into smaller components supports strategies that manage technical debt, create agility, and enable innovation.

What should you, as a board member or director, take away from this discussion? You need to ask about the extent and level of the enterprise’s technical debt and where management is in creating and executing a plan to address it. Organizations that built their legacy applications for operational optimization now face formidable challenges as new business realities demand ever-higher levels of resilience in adapting business processes and systems to the digital economy. The board can play an important role in ensuring the organization selects the best approach to modernize.

Human Capital Investment Can Yield a Better Bottom Line

Companies are now facing a range of urgent human capital challenges: workforce productivity that has remained stubbornly stagnant over the last decade; unemployment that is near historic lows, making it much harder to attract and retain top talent; and political and social pressures to address diversity, gender pay equity, and the wages of rank-and-file employees, particularly in low-paying industries like retail and hospitality.

Institutional investors, led by BlackRock, have heightened the focus on these challenges in their conversations with boards and management teams. BlackRock has even made human capital management a 2018 “engagement priority,” seeking to determine if and how boards oversee and work with management to improve performance in these areas. BlackRock seeks to ensure companies are adopting sound business practices likely to create the engaged and stable workforce needed for competitive advantage, especially where it helps them to win the war for talent in labor-constrained markets.

Given that the challenges highlighted by BlackRock are primarily human resources related, responsibility for board action typically falls to compensation committees, and that committee’s role has expanded well beyond executive pay in recent years. The members of those committees now increasingly have to concern themselves with issues once left entirely to management.

We believe the appropriate response for many boards is to ensure that management is making smart human capital investments, in other words, investments that yield a high return. Such investments might take one of several forms:

  • improved training and cross-training;
  • more thoughtful recruiting;
  • greater emphasis on development and internal promotion;
  • improved scheduling systems to provide employees more predictability and advance notice;
  • switching to more full-time employees; and
  • raising pay to retain valuable talent.

Such investments help to more fully engage employees, make them more productive and increase their value-add (e.g., through improved customer satisfaction), and secure needed talent now and into the future. This contention is supported by recent research, which has shown that human capital investments, when coupled with business process changes, can lead to improved employee performance, higher levels of customer satisfaction, and in turn, better financial and stock performance.

Zeynep Ton of MIT has recently spearheaded research into this topic. She demonstrates the benefits of investment in employees with her research at Costco, Trader Joe’s, Mercadona, QuikTrip, and other companies. She found that investment, combined with the right operational strategies (e.g., focus and simplification, standardization and employee empowerment, cross-training, and operating with slack), raises productivity, reduces turnover, reduces costs, maximizes profits, and improves returns.

Ton notes that the companies she has studied also often pay more through higher wages, use more full-time employees, and promote from within more frequently. Companies pay more in some cases to protect their investments and also because more fully engaged full-time employees enable the companies to make needed changes to business processes.

Walmart is an example of the promising returns some companies hope to reap by giving more attention to human capital management. Improved human capital management was a core element of a multi-pronged strategy introduced by Walmart CEO Doug McMillon which included increasing its e-commerce presence, selling more upscale and premium brands, and better blending its digital and brick-and-mortar channels. With respect to human capital, although much attention has been given to Walmart’s decision to raise pay starting in 2015, and more recently to raising its starting wages from $9 to $11 per hour, the company also offered employees more training and made work schedules more predictable. It also expanded maternity and parental leave and created Walmart Academies, locations in the back of stores for associates to learn management skills—running a store department, using mobile tools, leading and motivating associates.

While its shareholders initially took a hit as the stock price declined, over the last twelve months the stock has outperformed the S&P 500, at least in part because of the company’s holistic approach to human capital investment.

Other research suggests the benefits of such investment can accrue to many companies. Alex Edmans, whose work examined companies in Fortune magazine’s list of the “100 Best Companies to Work For,” showed that the listed companies earned, over the long term, excess risk-adjusted returns of 3.5 percent. Similarly, research by Aaron Bernstein and Larry Beeferman, who surveyed a multitude of studies on human capital, found a positive correlation between human resource initiatives and investment outcomes. The initiatives led to better total shareholder returns, returns on assets, returns on investment, and returns on capital employed.

Directors in companies in some industries might worry that investments in employees that include higher pay would invariably hurt earnings. The evidence is otherwise, so long as companies raise wages as well as make other changes to improve employee performance.

To get some idea of the relationship between higher pay and performance, Semler Brossy Consulting Group (SBCG) looked at companies in a traditionally low-paying, low-margin industry, retailing, and could not find evidence that paying more hurt financial performance. Because salary data is not publicly disclosed, SBCG used employee-reported pay data from an online job-posting site, which reflects employee-reported average hourly wages by job title over the prior 36 months.

Although this was only a pilot analysis, SBCG found that the higher-paying companies, on average, outperformed lower-paying companies in sales growth, margins, earnings growth, and total shareholder returns. The assumption is that the profitable results stemmed from employees’ increased value and productivity resulting from changes like those suggested by Ton.

The decision to invest more, and possibly pay more, needs to be made based on a company’s situation and on specific jobs, with customer-facing employees and those critical to the company’s strategy being the most likely candidates for attention. To proceed with human capital investments, companies would need to identify specific human capital strategies and business process changes and then determine whether there would be an adequate return on investment through such things as improved employee productivity, higher levels of customer satisfaction, and reduced turnover with its related costs. The returns should be tested in pilot locations first to see whether they are adequate before the changes are adopted company-wide.

With unemployment levels dipping below 3 percent in many regions, human capital management may increasingly be the element of strategy that makes all the difference in a once-in-a-lifetime economy. The tight labor market, for example, in part prompted Amazon to raise its minimum wage. Amazon has meanwhile expanded experiments with robots in warehouses and with cashierless convenience stores. Although the company has not announced a broader human capital investment strategy, the need to stay competitive suggests that Amazon and other companies would be well-advised to take a more integrated approach that further increases the value-add of employees. Now is an excellent time to consider optimizing human capital investments and management.