Loading...

Follow NACD Blog | Corporate Board Leaders' Blog on Feedspot

Continue with Google
Continue with Facebook
or

Valid

Organizations face increasing cybersecurity risks and threats to their customers, financial information, operations and other data, processes, and systems—and state and federal governments are alert to the threats imposed on their constituents. To understand just how widespread concerns about these risks are, look no further than the abundance of cybersecurity legislation that is currently on the dockets of state legislatures across the country.

For example, California, New Jersey, Washington, and Illinois are among the latest states to enact breach notification legislation that will significantly impact businesses operating in those jurisdictions by defining whether, when, how, and to whom notifications of a breach must occur. Some of these laws are going into effect just months after being signed and the cost of noncompliance can be severe (in California, fines are assessed per record breached).

As stewards of the strategy, finances, reputation, and overall direction of an organization, corporate directors have an important role to play in ensuring adequate policies and protections are in place to answer the demands of such regulations—and that their whole board is ready to meet the oversight demands of new regulations.

Directors are in a position to provide the leadership and strategic direction necessary to help their organizations balance the need to safeguard information, minimize disruption in case of an attack or breach, provide transparency, and manage a sustainable cybersecurity program with competing strategic priorities.

There are four key steps boards should take to ensure adequate cybersecurity program development and oversight in response to emerging regulations and threats:

1. Understand the threat landscape and how companies are expected to respond under the law. Corporate directors and leaders need a clear picture of the threats at play to assess and implement an appropriate response framework that both meets the business’s needs and is compliant with a complex web of laws.

Adversaries’ tactics will vary based on their motivations. Nation-states may be focused on cyber warfare while garden variety criminals (including internal threats) are likely to commit fraud or steal information. Each of these threat types will warrant their own response, and may also warrant involving different law enforcement and regulatory agencies.

It is also important to note that the nature of threats will vary by industry. A real estate company is likely to face a higher risk of wire fraud, while a manufacturer might be a target of theft of information by foreign governments. Directors should spend time in their busy schedules understanding the appropriate responses required per industry-specific regulations.

In addition, the range of threats—from phishing and social engineering to attacks on the supply chain—is constantly shifting. Boards must be aware of emerging threats, ensure they have the right team in place as first responders, and ensure people and processes are in place to help mitigate and address regulatory and compliance consequences from cyber incidents.

2. Ask relevant executives, leaders, and legal counsel the right questions. The board is tasked with gathering information from leadership, but the value of the exercise is dependent on asking the right questions. This ability becomes much more acutely important in light of a cyber breach, but should be practiced early and often. While these types of questions have been suggested for review by many in the cybersecurity community, it is worth asking the following in light of increased regulatory action:

  • On risk: What are our risks and how are they being mitigated? Who is the owner of a particular risk?
  • On capabilities: What are the people, tools, and processes we have in place to implement our cybersecurity framework? Do these comply with the demands of new and existing regulations?
  • On controls: What controls are currently in place? What are the organization’s cybersecurity policies and procedures (e.g., incident response plan) and when were they last reviewed, tested, and updated? What training do employees receive regarding privacy and security?
  • On trends: What industry-leading best practices should be considered? What stories of disaster should we read and learn from?
  • On regulation: What is taking shape at the local, state, and federal levels that will impact the business? What is the plan to get compliant and stay compliant?

3. Know the potential costs and how they influence risk tolerance. In the event of an attack, it will be important to demonstrate to regulators good faith efforts to identify and remedy risks. The extent to which an organization can show regulators that they did the work up front and put controls into place based on industry standards and best practices will determine the strength of their case for reduced penalties. For most organizations, cybersecurity incidents and regulatory noncompliance are associated with legal, financial, and reputational risks.

Compliance and risk mitigation come with their own set of financial costs. In Arizona, the maximum fine is $500,000 per breach event while Alabama can impose a fine of $5,000 per day for failure to comply with its notification law. To make decisions about risk tolerance, companies need to balance the risk with the cost of everything from business interruption to notification costs and potential fines.

Directors of companies should also closely review their own director and officer liability insurance policies frequently to see if cyber-risk-related incidents are covered.

4. Establish metrics for governance. One of a board’s most important roles is to establish and assess metrics to enable oversight of the company’s cybersecurity program. The board should prioritize the development of a well-documented plan that is designed to account for and address evolving regulations, including a board-level metrics portfolio focusing on the following categories:

  • Program status, including cybersecurity strategy milestones and program tracking;
  • Internal environment updates such as patching and the state of infrastructure, and the capacity of people to prevent phishing and data loss;
  • External environment updates, including the ability to gather threat intelligence and respond to emerging cyberthreat trends;
  • Compliance and audit figures on cybersecurity audit planning and regulatory compliance tracking; and
  • Response figures on disaster recovery, business continuity, and incidence response planning.

Board members’ oversight of cybersecurity programs is crucial to protecting business interests from current and future threats. This requires boards to take an active role in strategy, validation, detection, and response plans, ultimately steering the dialogue with stakeholders to better understand, assess, and identify cybersecurity needs and deficiencies that need to be addressed.

It is impractical and inefficient for organizations to revamp their cybersecurity risk management program each time a new law goes into effect. Organizations with a presence in multiple jurisdictions should instead think holistically about their programs. With the cyberthreat landscape constantly changing, it requires that risks be regularly weighed against strategic goals—and that the company meets the regulatory demands created to protect businesses and consumers alike. By ensuring the quality of a company’s cybersecurity framework through leadership and oversight, a board can fulfill its obligation to protect the overall health and sustainability of the organization.

David Ross is a principal and the cybersecurity and privacy practices lead at Baker Tilly.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

The 2019 proxy season was notable for companies’ efforts to disclose actions taken to develop a diverse and inclusive (D&I) workforce. Their efforts are like a rolling stone that will accelerate in the coming years, and may bring others along with them as corporate D&I efforts gather momentum.

The empirical research on the benefits of diverse experiences and viewpoints among a broader workforce is now widely accepted. Corporations in turn are orienting their hiring and development strategies towards increasing diversity among their worker populations. Companies leading these efforts tend to be larger, with more resources to commit to these plans and more attention from the outside world on their efforts and results.

The chart below illustrates the results of a simple keyword search within Russell 3000 company compensation discussion and analysis (CD&A) proxy statement disclosures since 2012. The number of companies citing D&I in the CD&A has increased nearly sevenfold and represents two percent of the overall index. Since this year’s data is current as of July 1, the final number for 2019 will almost certainly be higher.

It is noteworthy that the median revenue of companies referencing D&I in their CD&A disclosures has fallen by 75 percent in the same eight-year period to $6.5 billion. This implies that more boards of medium-sized companies are recognizing and reflecting the value of D&I in compensation decisions. (For reference, the median revenue of all Russell 3000 companies is approximately $1 billion.)

The large majority of these D&I references are listed as material factors in discretionary elements of pay decisions, but the usage of such references in formal, metric-driven portions of pay programs is also increasing. This trend will continue over time as D&I approaches become more standardized and commonly accepted, or even expected by investors and other stakeholders.

Including appropriately designed D&I goals in senior executive pay programs sends an important message to stakeholders about nonfinancial goals and priorities. Below, we address four critical action items to consider when setting up and executing D&I-linked compensation programs.

1. Evaluate measures that reflect near- and long-term imperatives.

Many D&I imperatives focus on improving existing diversity metrics and have both near-term and long-term elements. For example, addressing gender pay gap issues can be measured in the near-term, i.e., annually, while shifting the demographics of an entire employee population has a longer path to execution.

Both types of initiatives require a four-stage process:

  • understanding the current state of diversity within the company;
  • developing long-range goals;
  • setting a multi-year strategy; and
  • executing the plan.

The right measures are those that can be replicated and benchmarked against internal or external targets, and are easy to understand and communicate.

2. Get the timeframe right on measurement and pay.

Linking new measures to pay programs is fraught with peril. Adding any new measure by definition means that one or more existing measures will be scaled back or replaced, which could impact the pay incentives that drive performance on other metrics.

After determining the right measures, the board must decide the level of performance for which it wants to hold management accountable. This could include immediate actions and progress (for example, closing any systemic pay gaps), achievement of a long-term standard (such as a better gender or racial balance at senior organizational levels), or a combination of both.

Only when these measures and the desired performance level are determined should the pay program be considered. Near-term immediate goals lend themselves well to being included in the annual bonus, especially when new goals can be set each year as progress occurs. Longer-range D&I measures and objectives could determine a small portion of performance share awards (these typically have overlapping three-year measurement periods), acknowledging that broader initiatives have longer timeframes for execution.

3. Report progress consistently to participants, the board, and beyond.

The consistent communication of progress made on those D&I metrics used to assess appropriate compensation will ensure that the initiatives remain important to the executive team and board members. Contact on this front at the board and management levels primarily takes the form of consistent meeting materials at regular intervals.

Broader communication to the employee population and beyond can occur in many different ways, including by town hall discussion, through internal and external internet sites, and through celebrations of individual and group successes. As always, consistent messaging to a company’s various audiences is key.

4. Use clear disclosure that focuses on principles, then actions and progress.

If you’ve made clear, measurable efforts towards increasing diversity that are reflected in executive pay incentives, then disclosure in the CD&A is a positive opportunity to exhibit this progress. A demonstrated commitment to D&I, in conjunction with other nonfinancial objectives like learning, development, and community support, builds company culture and increases employee engagement.

Consider allocating some space in the proxy executive summary to the company’s efforts on D&I and other environmental or social topics. Contemporary proxy designs allow greater usage of infographics and professional layouts to create digestible messages for shareholders on important topics.

The pay programs are more of the final word than the leading statement. Leading with the message of “these things are important for us to make our company successful and to contribute positively to our communities” is powerful, but is already becoming common. Backing this message up in the CD&A and in pay tables with real measures, goals, actions, and an impact on pay for success or failure is the next-generation differentiator.

Todd Sirras is a managing director at Semler Brossy Consulting Group working out of the Los Angeles office.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

In today’s world of real-time communications, companies are now expected to respond immediately to emerging crises, and boards are feeling more pressure to ensure that their companies can navigate effectively through challenging crisis moments. Peter Gleason, NACD president and CEO, explains, “Boards have always provided oversight of crisis response plans, but the key difference today . . . is [that] with the advent of social media, the window for response time has all but disappeared. It’s critical for directors to engage with management on a regular basis to discuss the outline of the crisis response plan.” 

The 2019 NACD Public and Private Company Governance Surveys find that less than a third of companies have delineated roles for the board and management in their crisis preparation plans, while fewer than 20 percent  indicated that they’ve assessed the effectiveness of early-warning capabilities—a critical aspect of crisis preparedness.

While each crisis is unique, there are leading practices boards can adopt to improve their governance of crisis readiness. To help directors prepare for this issue, NACD, Heidrick & Struggles, and Sidley Austin LLP cohosted a meeting of the NACD Nominating and Governance Committee Chair Advisory Council—comprising Fortune 500 company nominating and governance committee chairs and lead directors—on April 24, 2019, in Washington, DC. The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names are available here.

Participants identified three important benefits of effective board-management dialogue on crisis planning and preparation:

  • Effective crisis planning identifies skill gaps within the executive team.
  • Thoughtful crisis planning exposes potential risks related to information flows to the board.
  • Nominating and governance committees can use insights from crisis planning to inform their reviews of board structure and composition.
Effective crisis planning identifies skill gaps within the senior management team.

Crisis planning offers more benefits than just a routine hygiene check. As one director noted, “When you are doing a good job as a board overseeing crisis preparation, issues are going to rise to the top that you need to address.” These issues can take many forms, including identifying potential disconnects in the assignment of roles and responsibilities. Ted Dysart, Vice Chair at Heidrick & Struggles, noted “Crises can accelerate to a point where senior leadership is no longer equipped to serve in some roles—for example, acting as a spokesperson for the organization. As part of the crisis planning process, the board can discuss whether any skill gaps have been identified, and how they will be addressed with training or other support.”

Delegates discussed that the right candidate isn’t always the most obvious one. One participant noted, “We need to ask the questions about whether the CEO is fully prepared if a crisis arises, but it goes beyond that. Some crisis response roles should be assigned according to skills, not necessarily titles, so the board needs to know who else in the management team is crisis ready.”

Thoughtful crisis planning exposes potential risks related to information flows to the board.

While it’s important to have a process around what information is escalated to the board, judgment is often more important than process. One delegate commented, “At one of my companies we had an issue with a senior leader that never reached the board. The reporting process was part of the roadblock. What worries me most [are the gaps in information.] What does the organization know, [that] the board does not?” Another participant noted, “The [glaring] crises that are acute and major are easier to prepare for. It’s the under-the-radar ones that result from a series of seemingly insignificant activities that can be more difficult to detect, and they’re often the ones that the board is most accountable for.”

Some council participants indicated that their boards use the latest news stories as a mechanism to evaluate the effectiveness of their crisis readiness. One director noted, “In the aftermath of some of the recent headlines related to culture and #MeToo, we’ve had discussions with management about when the board will receive information about issues that may not be financially material, but could be culturally significant.”

The relationship between the board and the general counsel (GC) also emerged as a critical component of effective crisis planning. A delegate said, “I have a conversation with the GC monthly. [This practice] started when I was new to the [nominating and governance committee chair] role, and was an opportunity to set up a trusted relationship, that has strengthened over time.” Another director shared a similar approach: “Before every committee meeting, I sit with the GC and review the agenda. Then we have an open conversation about anything else on the GC’s mind. The regular rhythm of these conversations helps me stay informed about potential challenges.”

Nominating and governance committees can use insights from crisis planning to inform their reviews of board structure and composition.

Delegates discussed benefits outside those traditionally associated with crisis preparation, zeroing in on board structure. Sara Spiering, principal at Heidrick & Struggles, commented, “In our board search work, we’re seeing clients asking questions about prospective directors’ past experiences with turnarounds or other challenging situations. One of the [qualities] boards are starting to [recruit for] is confidence and calmness in high-pressure situations.”

Directors are also using these insights to weigh the merits of changing committee structure. One participant explained, “We had a situation on one board that required establishing a special committee. Luckily, [the board] had enough independent directors with the [requisite] capacity and skills— [that is,] the ability to get into the details [and] ask tough questions, [as well as] the time commitment and energy to take on the [additional] workload. As nominating and governance committee chairs, we have to factor this into board succession planning.”

The boards of companies in heavily regulated industries often align committee structure with risk management and crisis planning. One director remarked, “I’m on several boards with a separate safety committee. Other industries have compliance or regulatory affairs committees; some are [establishing separate] cybersecurity committees. In all cases, it sends a strong signal about the importance of the issues and the level of oversight. On our safety committee, we’re looking at [granular] information—if a truck hits a ditch on Christmas morning, [the committee] hears about it.”

Conclusion

As Benjamin Franklin pointed out, “By failing to prepare, you are preparing to fail.” In light of growing public scrutiny, board and management preparation for crises is likely to remain a priority for nominating and governance committees. When confronting these complex and unpredictable events, Holly Gregory, partner and co-chair of the Global Corporate Governance & Executive Compensation Practice at Sidley Austin, advised directors to closely monitor corporate culture, noting, “Periods of crisis are when the cracks in an organization’s, and a board’s, culture really show up. If there’s been a tendency to avoid difficult conversations, if relationships with management are strained, if there are skill gaps or factions within the board, these things will all make a bad situation worse.”

As directors scan the horizon for potential risks, they should not lose sight of seemingly insignificant, but persistent, problems. As a delegate framed the issue, “Major crises don’t come along very often. We can learn not only from crisis planning, but [also] from more minor issues. Both of these can help the board identify underlying tensions and open up important conversations about the skills and processes needed to weather a serious crisis.”

Questions directors should consider:

  • Is there a crisis-response plan in place? How often is it revised? How often is crisis planning discussed in board meetings?
  • Is there a common understanding among management, the board, and board committees about their respective roles, responsibilities, and accountabilities for crisis management?
  • Have we identified which crises the company is most likely to face? What steps can be taken to mitigate the risks that would lead to those crises?
  • Have we achieved a common understanding of what circumstances trigger bringing an issue to the board’s attention? Has our management team identified key indicators that offer early warnings about increased risk exposure that could lead to a crisis? What is the threshold, and the process, for reporting to the board about sudden changes to the company’s risk profile?
  • Does the organization’s culture support a level of trust between a) the board and the executive team and b) the executive team and middle management that encourages candid discussions about risks? How willing are employees to speak up about problems that can cause a crisis for the organization?
Related Resources
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

A 2018 joint report prepared by NACD, Protiviti, and NC State’s Enterprise Risk Management (ERM) Initiative advanced the view that boards may not be overseeing the appropriate risks and outlined a road map for strengthening the board’s risk oversight in today’s complex and unpredictable marketplace.

As the business environment changes, so must the board’s risk oversight. As the pace of change quickens and the stakes for “getting it right” increase, a question arises: Is our board risk oversight process still fit for purpose?

Below is a refresher of four points from the report’s road map that continue to apply today.

1. Revisit the board’s risk governance model and director skill sets. Depending on the nature of the enterprise’s risks and the extent of the expected change in its risk profile over time, the board should assess whether it has access to the requisite expertise and experience needed to provide appropriate oversight—either on the board itself or among its external advisers. For example, with digital disruption affecting many businesses, do directors have sufficient understanding of digital business models, digital ecosystems, and the potential that hyperscaling digital platforms has to facilitate rapid growth and reinvent the company’s business model? These are trends that bring both opportunity and risk to the business, and understanding them is essential to sound oversight. In addition, the board should rethink how it organizes itself for risk oversight, including the delineation of responsibilities among its various committees and the full board.

2. Make culture an enterprise asset as well as an oversight priority. Culture is almost always the source of reputation and financial performance outcomes, as it is a potent source of strength or weakness for an organization. A strong culture is a critical asset for any brand. It is of vital importance to both a differentiating strategy and superior performance. Accordingly, the board should expect management to understand the culture at lower levels of the organization, and whether the mood in the middle and the tone at the top are aligned. Concerns that this topic may be “too soft” for objective assessment should not distract the board’s focus on the real question:

Does the CEO really want to know the unvarnished truth about people’s perceptions across the entity, and is he or she prepared to act on that knowledge?

A “speak up” culture that encourages transparency and sharing of contrarian data and bad news entails convincing employees that they can indeed speak up without fear of repercussions to their careers or compensation. Anonymous and confidential surveys are an example of how executive management can learn what they need to know. Metrics addressing such things as mission and values alignment, innovation, resiliency (speed), collaboration, and employee satisfaction also offer insights regarding culture. Candid, open, and constructive board and management interactions should prioritize the tough questions on directors’ minds.

3. Focus on the quality of the risk management process. Given the pace of change experienced in the industry and the nature and relative riskiness of the organization’s operations, does the board understand the quality of the process informing its risk oversight? For example, how much manual effort is required by management and various board-reporting departments to generate the reports used in board meetings? How actionable is the entity’s risk information for decision-making? These and other questions focus on how mature and robust the risk management process is and whether it is effective in:

  • Delineating the critical enterprise risks from the day-to-day risks of managing the business;
  • Establishing accountability for results;
  • Fostering an open dialogue to identify and evaluate opportunities and risks; and
  • Informing key decision-making processes with current, reliable information.

4. Ensure management integrates risk considerations into strategy, performance, and decision-making. The unique aspect regarding exposure to disruptive change is that it presents a choice: On which side of the change curve do organizations want to be? Organizations must make a conscious decision about whether they are going to be the disrupter and try to lead as a transformer of the industry, or whether they are going to play a waiting game, monitor the competitive landscape, and react appropriately and in a timely manneras an agile follower to defend their market share.

These market realities strongly suggest that the board should ground its risk oversight with a solid understanding of the enterprise’s key strategic drivers and management’s significant assumptions underlying the strategy and risk appetite. Directors need to ensure that risk oversight and management are not appendages to strategy-setting, performance management, and decision-making, but contribute information and insights relevant to the success of these core processes.

We encourage everyone to read the joint report from 2018. Boards should take a fresh look at how they are approaching risk oversight, including how the company’s ERM is informing that oversight. With risk management practices for many industries largely rooted in the prior century, the big question is:

Are we prepared to improve our risk management and risk oversight, or do we face the challenges of the next 10 years in the digital age with what we’ve been doing over the past 10 years?

The nature, velocity, and persistence of risks have changed. Consequently, it’s time for boards to revisit their governance model and skill sets and refresh the focus of their risk oversight.

Jim DeLoach is managing director of Protiviti.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Innovation is top of mind for most C-suite executives and directors of companies, and both have every reason to prioritize innovation as part of the company’s strategy. According to a study by Credit Suisse, the average lifespan of a S&P 500 company is now less than 20 years compared to 60 years in the 1950s. Additionally, Mercer’s 2019 Talent Trends Survey found that 73 percent of executives predict significant industry disruption in the next three years, up sharply from 26 percent in 2018.  In many industries, continued innovation is critical to a company’s ability to survive and thrive.

In the recent past, having a dedicated, centralized innovation team seemed like the obvious answer to this corporate imperative, and companies made the move to create such teams—the number of corporate innovation centers has grown from over 300 to 580 from 2015 to 2017.  Unfortunately, the success of these innovation centers has been mixed. Centers that tend to lag in performance usually have unclear strategic goals, suboptimal set-up, and vaguely defined success metrics.  

Developing a culture of innovation requires commitment from the top, starting with the CEO. The company’s CEO needs to define what innovation means to the firm, be its biggest advocate, and get the entire leadership team’s buy-in and support—including the backing of the board. Boards should make sure that the innovation strategy is forward looking with a balance of incremental and disruptive goals. Once the vision is defined, leaders need to infuse innovation into the company’s DNA by cultivating an open-minded and intellectually curious culture that is ready for change.

To truly embrace a culture that is open and prone to innovation, CEOs are also looking to their chief human resources officers (CHROs) to help lead this cultural change and drive innovation.   

The CHRO as Innovation Catalyst

The role of the CHRO has evolved, and it has never been more critical for the board to focus on this role’s ability to drive a culture of innovation throughout the organization. To enable innovation at scale, having a sound people strategy is equally important as having the right infrastructure, processes, and tools. 

When considering the CHRO’s role in setting the framework to build a workforce that drives innovation, the board should consider how the CHRO is leveraging the following four building blocks. 

Talent identification

  • The most important building block for the CHRO’s talent strategy is identifying the right people. One could argue that innovation is an innate skill, and not a skill that is developed. In reality, the answer is, “it depends.” The company’s definition of innovation drives the types of talent needed, whether the talent can be developed from within, and if recruitment from outside needs to happen. People also have varying degrees of innovative talent. Organizations may have a limited number of innovation whizzes available to create transformative ideas, but many are capable of developing incremental innovations to improve existing solutions or modernize core businesses with the right training, support, and tools. 
  • The board and management need to think beyond traditional approaches to identify the right talent and teams to lead innovation initiatives. Depending on the level of disruption required, the board and management may need to urge the CHRO to consider external talent such as seasoned entrepreneurs to get an injection of fresh ideas. The CHRO should keep a close pulse on innovation talent across the firm, meet with innovation teams on a regular basis, and report back to the CEO and board to ensure the firm has a strong pipeline of talent suited for innovation.  

Diversity and inclusion

  • It is no secret that diversity drives innovation. Diversity in this context extends beyond gender, race, and ethnicity, and includes experiences, expertise, perspectives, and even working styles.  Individuals with differing thoughts can result in dissent and conflict, but this should be viewed as the gateway towards developing breakthrough ideas. Inclusion must come hand-in-hand with diversity. One can only maximize the potential of a diverse team when each individual’s differences are respected and valued. In addition, a diverse and inclusive workforce ensures that the innovations created are reflective of the organization’s diverse customer base. The board should embrace and work with the CEO and CHRO to measure how diversity and inclusion impacts innovation and the company’s people strategy on an ongoing basis.          

Performance management

  • Since innovation development processes are agile in nature, workforce performance management and metrics should align with “test and learn” principles. The “test and learn” approach ensures that projects can fail fast and pivot as needed. To encourage such behavior, performance management also needs to allow continuous and open feedback to enable individuals to adapt according to project needs. The board and CEO can make this feedback loop a priority by measuring how the CHRO structures performance reviews at the firm.   
  • Disruptive innovation initiatives require a longer time horizon to realize their potential and impact. As such, these initiatives should not be measured on a quarterly basis. Setting key milestones that could be an early indicator of success will help boards monitor progress. Although driving revenue, profit, and return on investment growth are the ultimate goals of innovation, non-financial metrics are not to be ignored and are arguably equally important. These metrics include, but not limited to, enhanced company brand, increased ability to attract top talent, improved customer satisfaction, speed to decision making and execution, ability to break down silos, the number of ideas in the pipeline, and increased digital presence and digitization across the firm.       

Learning and development

  • In this rapidly changing environment, it is critical for all employees to be on top of key trends and develop new skills—the board included. Besides formal training courses, entrepreneurs and start-ups are excellent channels for corporate “intrapreneur” learning. Including exposure to these resources as part of a corporate people strategy could yield measurable benefits that the board could use to assess efficacy of the program. As an example, Mercer piloted a learning program with NewCampus, a startup that invites entrepreneurs around the world to share their expertise and experiences with Mercer colleagues. This type of alternative learning is a great source of inspiration for new ideas. For companies with dedicated innovation centers, having rotational programs will enable organizations to build stronger innovation muscle, share what has been learned, and develop skills with broader employee populations to achieve greater impact.   

For CHROs to drive innovation, they need to innovate and reimagine the HR function they lead. The CHRO and his or her team at entrepreneurial companies are more progressive in their thinking, willing to experiment, and thrive on setting new industry standards. If companies believe that their people are the ultimate sustainable competitive advantage—the power for creating innovations for the firm—the CHRO and that person’s entire team should be the key to unlocking human capital potential at the firm. The board and CEO need to empower the CHRO to experiment, and that could be as simple as trying out new technologies and policies. The time to do so is now. 

Patty Sung is a senior principal and innovation leader in Mercer’s Global Digital Innovation Hub.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

This fall, NACD will release the findings of our latest Blue Ribbon Commission report (BRC). Carrying forward a tradition we have kept for more than a quarter century, seasoned directors and advisors will opine on yet another challenging new topic. In recent years we have tackled corporate culture and disruptive risk. This year, the topic will be the future of board leadership.

Despite the strong progress made in governance over the last decade, board leaders are now being confronted with a wave of interconnected and simultaneous forces that will only intensify in the next 5 to 10 years, requiring a profound transformation of how boards deliver value. The BRC will offer a blueprint that board leaders can use to prepare themselves and their boards for a much more demanding future that in some ways has already arrived.

Can an NACD BRC help to shape that future? With 25 BRCs to date, and multiple recommendations made in each BRC (typically 10), our overall impact is hard to trace. Still, as was shown four years ago in a blog post about “Blue Ribbon Impact,” our voice is being heard. If you compare governance practices in the year of any given BRC to practices two or so years later, you will undoubtedly see that our BRCs do move the needle.

To focus on reports that had significant impact, I turned to Chief Knowledge Officer Emeritus Alexandra Lajoux’s insights from her 2015 blog post (excerpted and condensed below) as a reminder of the prescience exemplified by these reports. That changes in board governance and oversight practices are brought about by these BRCs is supported by data collected in NACD’s public company surveys on how our members have adopted these practices over the years.

1995: The BRC on Director Compensation recommended director payment in equity, with dismantling of benefits. Before vs. After: Whereas in 1995 it was common for directors to receive benefits but no stock, by 1999 the trend was the opposite. By then, nearly two-thirds of companies included stock as part of director pay, and less than 10 percent paid benefits.

2001: The BRC on Board and Director Evaluation recommended formal evaluation of boards and directors. Before vs. After: The 1999 survey showed 32 percent of boards conducted evaluations; the 2003 survey showed that 85 percent did so. This was no doubt due to new stock exchange requirements mandated in the Sarbanes-Oxley Act of 2002 and issued in 2003. But, the stock exchange rules themselves were born in part out of NACD recommendations made March 4, 2002 (included in this NYSE report). In fact, 9 of NACD’s 10 recommendations—all based on the Blue Ribbon Commission’s recommendations (including one on board evaluations)—subsequently became stock exchange listing requirements.

2003: The BRC on Executive Compensation recommended an entirely independent compensation committee for all public companies. This change was notable because it suggested an independent compensation committee beyond those covered by the Sarbanes-Oxley–mandated stock-exchange rules that would be issued in November of that year. Before vs. After: The 2005 survey showed a rise in overall independence of compensation committees compared to 2003: “Three-fourths (75.9%) of firms overall, up from 65.5 percent in 2003, indicated that they had only independent outsiders on their compensation committees.”

2004: The BRC on Board Leadership recommended that boards consider using an independent lead director in cases where they did not have an independent chair. Before vs. After: In the immediate and near-term aftermath of this report there was an apparent surge in the use of the lead director—even greater than that seen when the “presiding director” disclosure requirement of the New York Stock Exchange became effective in 2003. The 2005 survey indicated that over a third (38.5%) of the boards studied had a designated lead director, almost four times the number (10.0%) shown in the 2003 survey. The 2007 survey said that “44.8 percent of respondents’ boards have a designated lead director.”

2007: The BRC on the Governance Committee recommended director orientation (as well as ongoing director education). Before vs. After: In 2007, 60 percent of respondents said that their boards had a policy or program on director education. In 2009, 72.8 percent said they had such a program.

2011: The BRC on Lead Directors recommended continued use of the lead-director role as a viable alternative to an independent chair. Before vs. After: The 2011 survey showed that at the time this group was convened, only 65.4 percent of respondents sat on boards with lead directors; the 2012 survey showed that 82.8 percent had a lead director.

2017: The BRC on Culture as a Corporate Asset recommended stronger oversight of this area, including not only oversight of the tone at the top, but also oversight of the buzz at the bottom. Within one year, the impact of this recommendation was already evident. Our 2018–2019 survey reported that directors’ understanding of the mood in the middle rose 10 percentage points, to 45 percent. It also found that 27 percent now say they clearly understand the buzz at the bottom levels of the organization, a 9 percentage point increase compared to 2017.

So, what will the 2019 BRC recommend, and will it help predict the future? The Future of Board Leadership report will recommend practices to future-proof the boardroom. Our Commissioners have already begun convening, and here are several of the action items that they foresee for boards and their leaders:  

  • Change the board’s structure to become more flexible.
  • Disclose more about governance methods and results to investors and stakeholders.
  • Deploy data analytics capabilities and new technology to enhance board oversight.
  • With accelerating turnover, become more diverse.
  • Increase accountability for individual and collective performance.
  • Prioritize the fastest-changing drivers of corporate strategy and risk.
  • Represent a wider variety of stakeholder interests.

These recommendations are all credible and important. Will they provide an accurate lens into the future of board leadership and predict where we’ll be in a few years? Perhaps. But the important thing is not predicting the future of board leadership. Rather, it is in making that future better through decisive, informed board leadership. That is the goal of this Commission, and I am confident that they will meet it.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

No C-level role has evolved as quickly and radically as chief information security officer (CISO). The CISO role first sprang from the ground-breaking “mega breaches” of the early 2000s, when it became apparent that cybersecurity issues could have serious business ramifications. Back then, the role was largely technical in nature (they would put up a technology perimeter to stop breaches from happening) and, really, it was C-level in name only—most CISOs reported to chief information officers and did not have a direct line to the CEO like other C-level executives.

The early days of CISO evolution also had a dark chapter. As the breach epidemic picked up steam, so did the scapegoat status of CISOs, who often found themselves in career jeopardy following publicly disclosed data breaches. Life in those days was difficult for CISOs. There was still a general belief in boardrooms that breaches could be prevented with some degree of certainty, so CISOs were tasked with an impossible job: preventing the unpreventable.

That perception is changing today. I would venture to guess that no CEOs or board members in the Fortune 500 believe data breaches are 100 percent preventable. Those same enlightened executives and directors want to understand if the company is prepared to effectively respond to a major security incident. After all, if breaches are not completely preventable, then breach-response preparedness becomes the most effective tool for managing business risk associated with data breaches, which can include operational disruption, litigation, regulatory fines, customer attrition, and loss of intellectual property.

Cybersecurity has become similar to the electric grid. Utilities can do their best to reduce the likelihood of blackouts, but violent storms will still cause power outages. Therefore, the measure of competence for an electric utility is not so much its ability to withstand violent storms without blackouts. Rather, the company’s success is measured by how effectively it minimizes impact and how quickly it can bring power back online after the storm. Likewise, the measure of competence for a CISO is not so much their capacity to prevent every conceivable breach, but whether or not they have a codified, rehearsed, and company-wide incident-response plan in place that can contain the incident and minimize the damage caused by a data breach.

Which brings us back to the evolving role of the CISO.

From those early days of being technical people and easy scapegoats, today’s top CISOs have a much broader role within business. That broader role requires a fuller skillset. They still need to understand the strategy and technology of cybersecurity, not to mention IT in general, but they also need to have the management acumen to make strategic investment decisions and to effectively deploy staff and third parties. They also need to have the vocabulary to translate security program objectives into business terms for the board of directors.

And, most importantly, they need to be able to instill confidence in the board that they know how to prepare the company to respond to a data breach, because breach-response effectiveness can mean the difference between a “blip” of bad publicity and an ongoing morass of litigation, regulatory fines, and customer loss. It is for this reason that what was once the career “kiss of death” for a CISO—being in charge when a data breach occurred—is now a resume builder. Boards rightfully want to ensure that the CISO knows how to “land the plane” following a breach, so what better experience could there be than to have already managed a breach-recovery situation—particularly when the outcome was as favorable as possible?

It’s been a wildly complicated ride for CISOs. Moving from “tech jockey” to strategic business executive in little more than a decade is not an easy shift. There is still a long way to go, as many CISOs are still viewed as technical hands by senior management and directors, but the trends are clear: more and more CISOs are getting a seat at the boardroom table. And with savvy boards of directors, breach experience gets CISOs invited into the boardroom, not thrown out of it. That’s a change for the better.

Mark Adams is the senior practice director of risk transformation at Optiv.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Ten years ago, US Airways Flight 1549 departed from La Guardia airport with Captain Chesley B. Sullenberger III (“Sully”) in command. Shortly after takeoff, the engines ingested a number of large geese, the aircraft faltered, and the Captain was forced to make the life or death decision between trying to make the runway at Teterboro, New Jersey, or landing the plane in the Hudson River. His choice was the water, and he made a rare successful water landing, coined the “Miracle on the Hudson” and made famous a second time in 2016 by the movie Sully.

Sully’s leadership during that crisis formed the backdrop of a recent panel discussion at NACD’s Strategic Asset General Counsel event in New York. The panel focused on the personal and professional ramifications of a crisis and featured Miracle on the Hudson passenger and experienced public company director, Maryann Bruce; senior vice president, general counsel, and secretary of Spirit Airlines, Thomas Canfield; and Andrew Cole, co-president and board member at Sard Verbinnen & Co (SVC), a global strategic communications firm. Key takeaways from the discussion follow.

The right person at the helm is critical. Sully was the right person at the right time during the crisis. For companies, having the right CEO is likewise critical, as is being ready for a change at the top. “Companies must be prepared for unplanned CEO departures, whether they are due to the #MeToo movement, health problems, or something else,” Cole said. “Someone has to be the quarterback during such a crisis, and if it’s a CEO departure, it won’t be the CEO.” One of his clients even did tabletop exercises for a scenario in which the CEO never returned from an overseas vacation.

According to Bruce, who joined a board just as that company’s CEO was asked to leave, suggested that the best approach is to get the right leader in the position in the first place—a critical role of the board. For that company’s new CEO hire, Bruce believed more structure was needed. “I suggested that the board create qualitative and quantitative internal and external metrics to define success for both the CEO and the company, as we needed to ensure board alignment as well as a methodology to hold the new CEO accountable.” She recommends that companies have both an emergency CEO transition plan as well as a succession plan.

Canfield agreed on the importance of succession planning. “Spirit Airlines recently completed a smooth, year-long transition of our CFO into the CEO role.”

Having courage in a crisis is a must, and preparation can help. Sully had the courage to make a difficult call quickly on the day he landed the plane in the Hudson River. Some of that courage came from years of experience and preparation.

According to Canfield, Spirit Airlines constantly prepares for a variety of scenarios, including customer and cyber incidents, as well as airline-specific emergency preparedness. “We have a dedicated emergency response department that includes people highly experienced in airline operations and disaster recovery,” he said. “Between 80 and 100 people participate in tabletops, including the general counsel and outside counsel, representatives of the pilots’ union, insurance carriers, and government representatives. These rehearsals use fictitious but real-world simulations, which are not revealed to participants prior to the session. While the board is not part of a physical disaster exercise, the board is briefed regularly on the company’s safety systems and procedures, including emergency preparedness.”

In a non-aviation context, unexpected courage also can be required. Cole mentioned a retail client that learned one of its suppliers was using detention camp labor in China. Despite the potential blow to the bottom line, “the company had the courage to cut off that particular supplier, acting in line with their values, even though they recognized there would be near-term impact to their business.”

Put the corporation ahead of yourself. Sully was the last person off the plane in 2009. For directors and general counsel, the circumstances may be less dire, but the duty to put the corporation first remains. This duty could lead to stepping off a board when doing so is best for the company, according to Bruce. Cole stressed that taking personal feelings out of a situation can be tough, “especially for founders during a crisis.” Shareholder activism can often feel personal as well, but the best approach is to rise above personal attacks. For all boards, he added, “preparation and level-headed advice from the general counsel can be helpful to get people to separate personal and professional interests.”

“The GC must be able to tell it like it is, with a firm and unsparing analysis,” added Canfield.

Stick to the script in a crisis. Sully faced heavy governmental and media scrutiny, but stuck to his “script” about the events on the day of the water landing. In any crisis, sticking to the script is important; however, crafting the script can be tricky. For the general counsel, there must be a balance between liability concerns and providing a swift response. “Very few lawsuits threaten the long-term success of the company,” said Canfield, so tipping the balance toward a swift response is appropriate. Cole agreed, emphasizing the need for transparency and authenticity in crisis communication and the need to tailor the response to the appropriate channel.

The panel agreed that a crisis can be an opportunity as well as a challenge, sometimes both professionally and personally. Bruce summed up the point. “Prior to the Miracle on the Hudson, I had always managed my career and led my life guided by what I refer to as my two ‘P’ philosophy: have purpose and passion. Yet it wasn’t until 2009 when I was looking at the city skyline from a raft in the middle of the Hudson River that I realized I was missing a third and the most important ‘P’: perspective. I will always have passion and purpose . . . but without the benefit of perspective, the context is missing. I now realize that . . . we make a living by what we get, but we make a life by what we give . . . . And, quite frankly, that’s the only perspective that matters.”

More on the Miracle on the Hudson can be found in NACD Directorship magazine.

Kimberly Simpson was the panel moderator. She is an NACD regional director, providing strategic support to NACD chapters. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

The slow pace of progress toward increasing the representation of women and minorities on public company boards is often blamed on lack of available seats. With directors routinely serving for 7 to 10 years, institutional investors and other diversity advocates are increasingly calling on boards to adopt governance practices that enhance board refreshment.

To date, boards have primarily responded by implementing mandatory retirement ages that typically range from 70 to 75 years old. Term limits too are being considered as a mechanism for stimulating board refreshment. They are presently much less common than age caps, however, with only five percent of S&P 500 boards specifying a term limit for non-executive directors, according to the 2018 US Spencer Stuart Board Index. While helpful, these practices are not enough. Thoughtful succession planning is also required.

Leverage a skills matrix. Being intentional about board refreshment is an important part of achieving a diverse and inclusive board. Accordingly, organizations with leading practices take a forward-looking approach to anticipating mandatory retirements as well as to filling sudden vacancies due to voluntary retirements, death or illness, non-performance, or any number of personal factors. This forward-looking approach often involves leveraging a skills matrix to understand the gaps in competencies, experiences, and perspectives that would occur if any given director resigns. Importantly, this matrix should be continually refreshed to ensure that desired and varied skills are present and align with the organization’s evolving strategy.

Cultivate a network. Beyond identifying potential gaps, leading-practice organizations develop a bench of diverse talent for filling them. Here, individual directors can make a big impact. Building the pipeline is a long-term game and directors can add value to their boards by cultivating a network of diverse rising leaders. Industry associations, professional organizations, and non-profits are excellent avenues for building these relationships.

Through involvement in these organizations, current directors and up-and-coming talent can work together and get a sense of what it would be like to serve jointly on a board. In addition, good, old-fashioned networking also has its place. Generosity of time and spirit in mentoring others who are different from you and understanding what their priorities are, perhaps over a meal or a beverage, can go a long way toward making connections that can be mutually beneficial several years down the road.

Widen the search aperture. Another leading practice in building a pipeline of diverse candidates is defining the search criteria more broadly. Board leaders are increasingly acknowledging that the traditional practice of primarily recruiting retired or sitting CEOs may not deliver the diversity of background, thought, and experiences needed to govern a complex company in today’s disruptive environment. Indeed, many institutional investors are speaking up in favor of expanding the search criteria, and some have declared their intentions to vote against CEOs who sit on more than one other board in addition to their own. Widening the search aperture to include people from the military, government, academia, nonprofits, and a broader set of C-suite roles can help companies not only to identify more female and minority candidates but also to achieve diversity of thought in a broader sense.

Flex up. Developing a slate of diverse candidates who can be immediately considered to fill vacancies is one way to advance diversity through succession planning. But another non-traditional method is also gaining traction. Increasingly, directors are keeping an eye out for talent that can add value to their boards, even when they are not planning for a specific transition.

The by-laws of some boards provide the capacity to “flex up,” or to increase the number of board seats for a period of time. For instance, a board may know that a director will soon be retiring. In order to facilitate a smooth transition, leadership will bring on one or two new board members 12 to 18 months in advance of the director’s departure. Or, a board may simply come across outstanding diverse candidates with valuable skills, either through networking or an intentional search.

By flexing up, the organization can seize the opportunity to add these valuable strengths and perspectives, while simultaneously achieving diversity. Research suggests that some boards may be taking this approach. According to the Missing Pieces Report from Deloitte and the Alliance for Board Diversity, the number of Fortune 500 board seats increased from 5,440 in 2016 to 5,670 in 2018, reversing a trend of flat to negative growth since 2010. 

Remember inclusion. No discussion of advancing diversity is complete without addressing inclusion. Leading-practice boards are very meticulous about not only identifying and recruiting candidates, but also onboarding them and providing mentorship so that they feel comfortable contributing to boardroom conversations. Targeted committee assignments are one way of encouraging fresh directors to lean into their new roles. For example, the audit committee may invite a new director who has extensive financial expertise to contribute their perspectives on financial reporting, risk, and internal controls.

Go the Distance

As more institutional investors speak out about the importance of diversity, and more boards understand the importance of inclusion to sound governance of their companies, having a succession plan that better matches their investment horizons—perhaps extending 5, 10, or 15 years into the future—may soon be expected, not simply preferred. But, proactive, long-term succession planning for boards can often be neglected amid myriad competing responsibilities.

To ensure a board continuously has the broad range of skills, experiences, and perspectives needed to govern a complex company today, the succession planning process has to be thoughtful, intentional, and thorough. This means it should start with cultivating a diverse bench of talent and move all the way through onboarding new directors. Whether by leveraging a skills matrix, flexing up, or some other means, going the distance on board refreshment is an essential component of achieving a diverse and inclusive board.

Deb DeHaas is a vice chair and national managing partner, Center for Board Effectiveness, Deloitte.

As used above, Deloitte refers to a US member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL). This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this article. Copyright ©2019 Deloitte Development LLC

  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

“May you live in interesting times.” Given the current period of profound geopolitical change and turmoil—the US-China trade war, tensions with Iran, populist nationalism in Europe, and Venezuela’s economic collapse—corporate leaders today are certainly living in interesting times. Characterized by ambiguity, these events pose real threats to supply chains, business models, revenues, and profits, making geopolitical risk a critical board imperative.

While business leaders develop strategies to mitigate these risks, the NACD Blue Ribbon Commission on Adaptive Governance recommends leveraging adaptive governance. As the report warns, organizations can have “a pattern of blind spots, where senior leaders [report] high levels of confidence in their ability to transform in response to a fast-changing business environment, but significantly [underestimate] the importance of specific threats.”

NACD recently spoke with former Allied Commander of NATO Admiral James Stavridis about how companies and their boards can best adapt to changing international conditions. Stavridis currently is operating executive of The Carlyle Group, chair of the board of counselors of McLarty Global Associates, and chair of the board of the US Naval Institute. He is a monthly columnist for TIME magazine and chief international security analyst for NBC News. 

The wide-ranging interview covered the key developments shaping uncertainty, volatility, and disruption in the world of geopolitics, as well as the future of board leadership. NACD will publish a second blog based on our conversation with Stavridis, who will be a featured speaker at the NACD 2019 Global Board Leaders Summit.

Friso Van der Oord: The world’s changing rapidly. What do you see as the critical geopolitical trends that will impact American companies in the short- and long-term?

Admiral Stavridis: At the top of the list is cybersecurity—we’re so utterly dependent on operating in the digital world, and yet we’re still grossly unprepared for malevolent activities. Second is the rise of authoritarian regimes globally, and their accompanying populist tendencies. On this issue, I’m cautiously optimistic that we’ll work our way through the challenges. (See why in a piece I wrote called “Democracy isn’t Perfect, but It Will Still Prevail” in Time Magazine.) Third, the rise of technology, as seen through the rivalry between the US and China, especially around artificial intelligence (AI). Fourth, the population explosion in sub-Saharan Africa will have significant economic and geopolitical impact on the world. And finally, the rise of India both as a key market and geopolitical actor. I would argue that over 300 years from today, the history of this century will say more about the rise of India than that of China, principally because of demographics and democracy.

Van der Oord: As you work with clients and meet with executive teams, what are the biggest blind spots you observe during these engagements?

Admiral Stavridis: Let’s start with the rise of great power competition. Here it reminds me of the pre-World War One world, when there was an assumption that there may be small skirmishes, but that we’ll never have great powers come into conflict with one another. I’m not so sure about that. It’s unlikely that we’ll end up in a nuclear exchange, but the possibility of kinetic military activity in the South China Sea, the Arabian Gulf, or the Eastern Mediterranean is not impossible.

Additionally, there’s an increasing assumption that, despite minor or occasional outages, the Internet will remain open and accessible to all. So many companies have not taken any precautions to guard themselves against a prolonged shutdown. However, there are significant structural challenges today in terms of small and large nations being able to block access to electric grids, or control networks in ways that corporate executives haven’t fully considered.

Lastly, India, which is almost invisible in our current dialogue, and then Africa, will experience an enormous population boom mid-century that will really distend geopolitics and demographics.

Van der Oord: Can you talk more about Africa and the continent’s predicted demographic boom? How might that manifest itself?

Admiral Stavridis: People in more desperate regions of the continent will increasingly migrate north. This may have destabilizing effects, and cause humanitarian crises. A big boom in human capital is also expected, which in some parts of the continent will be relatively well managed over time, resulting in major productivity centers. Of note, Africa is a market of increasing importance, but a difficult one to tap into because it’s so differentiated. Strictly because of its size, the continent will have an increasing impact on global culture in ways that may be hard to foresee and predict today. I believe there will be a cultural explosion that will bring new thinking from that domain into the global zeitgeist, in the mid- to late-century timeframe.

Van der Oord: Many boards don’t spend much time in dialogue with management on the topic of geopolitics. But a growing number are considering formalizing oversight of this issue. In your view, what’s the right approach to engaging management teams on these complex issues?

Admiral Stavridis: It really does depend on the board; though I do generally believe that all boards need to spend more time on this. I’m on the board of a Greek shipping company with vessels operating worldwide. Its international trade is the absolute métier of the corporation, so it’s extremely sensitive to geopolitical risk, both tactically (in terms of where our ships go) and strategically (as global trade becomes less stable). That board is extremely focused on geopolitical risk. In the middle of the spectrum, I sit on the board of an international financial advisory mutual fund. The company is fairly aware of geopolitics because of international funds and the general importance of that.

My main point is that it varies, and that’s okay. Boards should assess and have a clear-eyed view of their specific needs. This should all be driven into the strategic planning process of the business. It’s necessary but insufficient for directors to have a conversation about what’s going on in the world and how that might impact their companies. Instead, as corporate leaders lay out five, 10, or 50-year plans, they ought to be thinking about geopolitics, and that should be included in the strategic planning process at the front end.

Van der Oord: How are you making sense of what’s happening now at the nexus of cyberinstability and geopolitics, particularly with China, and how do you place that in a long term context?

Admiral Stavridis: In my view, there are four big irritants in the US-China relationship—cyberwarfare, intellectual property [IP] theft, imbalances or “unfair” practices in trade, and territorial disputes over the South China Sea. In the end, the easiest to address will be trade. IP over time will likely also resolve itself, given that China is developing its own intellectual capital with extreme rapidity. I also believe cybersecurity issues will likely be resolved through a rough, nuclear-like deterrence regime that emerges over time.

The hardest one will be the South China Sea. China is adamant that they own it. The US is adamant that they do not. That said, China has the advantage of geography and determination—because it’s critical to its Belt and Road Initiative. But I am cautiously optimistic that over time, Washington and Beijing will avoid an open conflict with one another. Ultimately, it’s in neither side’s interest to get into a war; and neither side is trying to fundamentally change the other. So I would categorize outright conflict as a low, but not impossible, probability. It’s certainly worth watching; and for those who want a deeper dive, I would recommend Graham Allison’s book Destined for War: Can America and China Escape Thucydides’s Trap?

Van der Oord: NACD staff are working on a major study right now on the future of board leadership in the United States. What are critical skills and abilities that boards or directors should adopt in next five to 10 years?

Admiral Stavridis: First in my mind is proficiency in cybersecurity. Board members themselves have to be a hard target, because they represent their corporations. Each board member should undergo a checklist from the company’s chief information risk officer, ensuring that they’re effectively protecting themselves against potential attacks.

Directors also need dedication to the task of being a board member. I’ve been passing out copies of the book Bad Blood: Secrets and Lies in a Silicon Valley Startup to my fellow board members. It’s a great cautionary tale about the abject failure of arguably the most prestigious board assembled in American history. These are preeminent folks who just didn’t pay attention, and didn’t have the hard core skills needed. Directors should have respect for the craft of being a board member—if you sit on the board of a biotechnology company, consider who in the boardroom possesses the requisite expertise. This doesn’t mean every board member has to have every skill, but directors individually and boards collectively should be thoughtful about composition.

Read for later

Articles marked as Favorite are saved for later viewing.
close
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Separate tags by commas
To access this feature, please upgrade your account.
Start your free month
Free Preview