Tag Archives: board of directors

Your Next Director Should Be a Geek

Imagine that you were a major investor in a leading company, and its board of directors had no members with independent, world-class financial expertise. Who would look after your interests? You could probably coach the directors to ask good questions, but they would lack the competence to judge the answers. The board would not be able to engage management in robust conversations about the complexities of capital structure, mergers and acquisitions, financial accounting, reporting, regulatory compliance or risk management. Most investors and regulators would deem such a board unfit to carry out its fiduciary guidance and governance responsibilities.

Yet that’s precisely where many companies are when it comes to information technology. Digitally driven change is becoming as critical an issue to most companies as finance. Companies are being called on to reimagine and reconstruct every aspect of their business; customers, suppliers and markets expect no less. Consider the rapidly expanding use of mobile phones in retail and banking. Or the changes foreseen in the transportation industry due to car-hailing algorithms and driverless vehicles. Already, one MIT study has found that digitally adept companies are, on average, as much as 26% more profitable than their competitors. And that advantage is only likely to increase.

The boards of many large companies are ill-equipped for these shifts. That was the conclusion of our 2015 study of more than 1,000 nonexecutive and executive directors at 112 of the largest publicly traded companies in the U.S. and Europe. By analyzing company filings and public information, we found that all too many boards lacked the expertise needed to understand how technology informs strategy and affects execution. In Europe, for example, 95% of the companies we assessed, excluding technology and telecommunications companies, still had no non-executive directors with deep technology fluency. In the U.S., almost half of the surveyed companies had no technology expertise on their boards. These included major financial-services, insurance, industrial and consumer products companies. Yet each of those industries is grappling with complex strategic questions that hinge on technology.

Even boards with world-class technology expertise can have blind spots in areas of strategic importance; these include analytics, cybersecurity and digital fabrication. And even experts who keep up with particular technologies may miss the general effects of rapid technologically driven change on core products, business models and customer preferences.

Many board members are aware of these deficiencies. They know that their companies will either embrace technological change and claim the markets of the future or be put out of business. In 2015, a PwC global survey of large-company directors found that 85% of the respondents were dissatisfied with the way their companies were “anticipating the competitive advantages enabled by technology.” Almost as many, 79%, said their boards did not sufficiently understand technology.

The pervasiveness of the problem is troubling for anyone who cares about these companies — but it also represents an enormous opportunity. At the board level, there is a need for knowledgeable, incisive “geeks”: independent directors with experience and perspective in putting technology to use. In the past, many boards have compensated by relying on management or external consultants for strategic advice. But the stakes are now too high to take that approach.

Boards can no longer duck the responsibility for the company’s digital transformation. They must take real ownership by ensuring that they are equipped to fully understand this part of the board agenda. Otherwise, how can they adequately oversee their company’s strategy, investments and expense base? How can they guide profitability, manage risk, assess management performance and ensure proper talent supply? Below are three critical steps you can take to better prepare your company for these challenges.

1. Hold out for sufficiently broad and deep expertise. Although company leaders agree on the need to attract technology-fluent directors, they often approach the undertaking as an exercise in diversity. They “check the box” by bringing in one person to stand for the full technological field, rather than seeking multiple directors with relevant experience and insight.

To assess the severity of this deficiency in the companies we studied, we analyzed the resumes of their nonexecutive directors on four distinct aspects of technology: pure-play disruptive digital business, enterprise-level IT, cybersecurity and the digital transformation of Fortune 500–sized enterprises. Each is critical to boards’ oversight responsibilities, and fluency in each requires a distinct body of knowledge and experience. Few experts in enterprise-level value-chain IT could offer expert guidance on building disruptive digital business, and vice versa. We found that more than 90% of the companies, including technology and telecommunications firms, lacked expertise in one or more of these critical technology areas. Our research revealed only two companies that addressed all areas: Google and Wells Fargo.

To address the gap, you must open multiple board seats for people with technological experience. Just as having only one woman on a board has proven to be insufficient, having just one IT-savvy member is problematic. To fill these seats, you may have to reach beyond the traditional search targets of former CEOs and CFOs. Tap into recent CIOs, CTOs and other C-level leaders at successful information-intensive companies; retired military officers with large information-technology commands; and senior consulting and private equity partners with deep cross-industry expertise in enterprise technology transformations. Resist the urge to rely solely on Silicon Valley experience. Start-up experience is valuable, but addresses just a small part of the large enterprise technology challenge. Likewise, the “move fast and break things” attitude in Silicon Valley often does not translate well to other industries.

When recruiting these board members, be wary of candidates without fresh experience; in fast-moving fields such as cybersecurity or disruptive digital technology, people who are no longer active don’t always keep up with the latest trends. If executives in the business sector are scarce, look elsewhere; other sectors may be surprisingly relevant. In financial services, for example, understanding sophisticated process control is increasingly important. The best prospective board member may come from the logistics industry — from, say, FedEx or UPS.

2. Support robust discussions of technology with the right kinds of practices and management structures. There are two possible mechanisms for accomplishing suitably robust discussions. The first is to establish a formal technology-focused subcommittee of the full board, on par with other oversight functions such as audit or compensation. This can be helpful in raising critical issues and promoting deep discussion of complex topics. It also creates a mechanism for engaging external advisers.

Alternatively, set up a technology advisory committee that meets regularly with top management and periodically reports to the board. AT&T does this. It may be easier, with such a committee, to attract best-in-class expertise, given that the time commitment is low and there are no full fiduciary responsibilities. Typically, advisory committees can also rotate members more frequently than a board can. It must be remembered, however, that an advisory committee reports to management, not the board. This will color its advice.

Whatever the structure, it is important for this group to address topics that go beyond technology strategy and IT governance. The most important priority may be enterprise strategy and the ways in which technology makes new value propositions possible. FedEx, which is as much a technology company as a transportation icon, has used such a board to great effect for many years.

3. Set the right context. Alan Kay, one of the foremost pioneers in personal computer conception and design, once said, “Point of view is worth 80 IQ points.” The context with which your board of directors views technology is a critical element for enterprise success. They must collectively understand the 10 to 15 drivers of technology that have taken quantum leaps in the past decade — for example, big data and analytics, cloud computing, mobile technology, artificial intelligence, the Internet of Things and autonomous transportation — and the potential implications each has for the company.

They must also have a clear view of their own company’s IT landscape: their existing hardware and software, including estimates of redundancy, age, robustness, any risk of obsolescence and costs. For example, how many marketing systems, customer databases and human resource systems does the company have? How interoperable are those systems? The need to ask these types of questions about a factory or back-office footprint would be obvious, but boards have generally neglected such inquiries regarding technology. The board must also understand risks related to technology, the defenses currently in play and any weaknesses in those defenses. Most important, the board must understand how the company’s IT systems relate to the company’s overall strategy, and what capabilities are needed to support it.

It falls to the board to ensure that the company has a multiyear plan to address technology needs while reducing costs and risk. Boards need not grant a license to spend. On the contrary, the hallmark of computers and networks is that they continually get faster, better and cheaper. These benefits accrue only to those with modern gear, however, so frequent upgrades are essential.

Finally, the board must incorporate its expanded technology context into larger deliberations. Talent recruiting and leadership development should be designed to fill gaps in technological fields. The criticality of IT should inform the review of proposed mergers and acquisitions. A close link to the audit committee is important because technology affects regulatory compliance and ethical issues. And the relationship to full board strategy discussions is critical.

Of course, placing someone with world-class technology expertise on a board does not guarantee success. Many technically proficient companies have lost to upstarts with a better product or service. But without this expertise, boards cannot play their most important role: intervening with substantive conversations about strategic decisions early enough to make a difference. And without these focused conversations about technological investments and decisions, boards cannot fulfill their fiduciary responsibilities.

Today, every board of directors has a once-in-a-generation chance to leapfrog the competition through technology competency. The opportunity is great because the task is difficult, and there is no large pool of talent waiting to be recruited. Those companies that meet this challenge successfully will capture the markets of the future.

A version of this article appeared in the Summer 2016 issue of strategy+business.

7 Stakeholders for Cyber Risk

Imagine you’re the CFO at a firm involved in sensitive M&A discussions with your bankers, and you receive an email asking for a small bit of non-public information on your company, the kind you’ve passed on before. You send the information – and later find you were the victim of a sophisticated cyber-attack.

Now imagine you’re in charge of operations at a manufacturing facility. Out of the blue, your employees report that they have lost control of key systems. It’s impossible to shut down a blast furnace correctly, endangering the safety of employees and others and threatening massive damage. You, too, have been the subject of a cyber-attack.

These events underscore the new reality in cyber risk management: It is no longer just an IT issue. Everyone – from individual employees to risk managers to your board of directors – now has a stake in managing cyber risk comprehensively, across the enterprise.

Following are seven key stakeholders to consider as you look at your cyber risk management strategy:

  1. Risk manager: Risk managers can ensure various stakeholders are connected in terms of assessing, managing and responding to cyber risk. Understanding the evolving cyber insurance market and overall risk finance options is also important.
  2. CFO: Concerns range from the potential costs of a cyber event and what the impact could be on the bottom line to the security of the office’s sensitive information.
  3. CEO/board of directors: Accountable for overall business and company performance, they have a fiduciary duty to assess and manage cyber risk. Regulators, including the Securities and Exchange Commission and Federal Trade Commission, have made clear they expect companies’ top leadership to be engaged on the issue.
  4. Legal/compliance: As regulations around cyber develop, legal and compliance roles become increasingly important in keeping other stakeholders informed and engaged. And, if a cyber incident occurs, lawsuits often follow within hours.
  5. Operations: Maintaining daily operations, business processes and workplace stability is critical during a cyber event.
  6. Human resources/employees: Simple errors – or deliberate actions – by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated “spear phishing” attacks targeting specific employees.
  7. Customers/suppliers: Interactions with customers and vendors can open you up to an attack. You need to understand the protections they have in place so they don’t become the weak point in your cyber defenses.

Protecting your organization’s data and individuals’ privacy is becoming more difficult by the day. Successful cyber-defense strategies are comprehensive and multi-pronged. A critical component is understanding and defining the roles and responsibilities of all key stakeholders.

It’s Time to Discuss the Upside of Cyber

Based on what our clients are telling us, I can’t imagine that there are many boards of directors that haven’t recently talked about data. With everyone focusing on security issues and the risks inherent in not adequately plugging data vulnerabilities, every board has had its wake-up call.

Managing the downside is only one part of the issue. There is also great upside to be found in the data to drive strategic growth. Studies have shown that organizations that have already transformed themselves through data continue to get better at using data faster than others. The leaders are still increasing their leads. Where there is the opportunity for revolutionary data use, there is also the possibility of being left in the dust. For every WalMart and Uber, there’s a Sears and Yellow Cab company.

So, boards need to look at the upside and see data as the means to cross-enterprise improvement. For better market penetration, use your data. For greater operational efficiency, look to your data. For lower risk or reduced fraud or stronger service, create a data framework that will give you both utility and knowledge.

We are entering into an explosive period of data availability from outside the organization. If we use it well, it will yield insights that will make today’s decision-making look like the punch-card era.

Though these data conversations are started at the highest levels, they must be continued and fostered at every level. In coming weeks, we will be looking at the opportunities and consequences of data conversations — where to start, what to avoid, building a data culture and understanding data’s true value to your organization. I hope you’ll join the discussion.

Checklist to Mitigate ‘Big Data’ Risks

The last few years have witnessed truly astounding developments in the area of information management. We’ve become masters at creating, storing, analyzing and uncovering the hidden value of massive volumes of information.

It seems that, every day, we’re hearing about how all this big data has been used for amazing purposes, such as to improve customer service, uncover fraud, develop pharmaceutical products, predict diseases, improve airline travel and so on.

Unfortunately, it also seems that, every day, we’re hearing about how big data is causing big headaches arising out of improper management and security breaches.

Recent headlines about cyber incidents have forced companies to analyze their risk of incurring information-related liability and to take steps to mitigate those risks. Concern over these issues, however, shouldn’t stop with the IT department or even the C-suite. As Target and other companies have recently experienced, legal claims related to data-related events are now being asserted against corporate boards in the form of shareholder derivative actions.

Although the legal liability of board members for information-related mishaps is an emerging area of the law, longstanding principles make clear that board members have a fiduciary duty to act on an informed basis, in good faith, for the best interests of the company. The emerging area of information governance, including privacy and data security, is no exception to this rule.

Checklist of Issues to Consider

Every organization is different and presents its own unique information risk profile. Corporate boards should be informed of and take steps to address the potential sources of information risk applicable to their specific organization. Those areas may include the following:

  • What types of information is the entity managing, and does it include sensitive data such as health information, credit card data or intellectual property?
  • How is enterprise data being managed throughout its entire life cycle, from creation or collection through final disposition or destruction?
  • Are policies and procedures in place to ensure that information with no business value or compliance/legal restrictions is destroyed in a legally defensible manner?
  • Have policies been implemented relating to the company’s use of information, including privacy concerns and social media usage?
  • Are there policies in place to manage IT assets, including mixed-use devices (those used for both personal and business purposes), while at use and at the time of disposition?
  • Have reasonable data and network security policies, protocols and procedures been created, and are they regularly updated?
  • Are all information-related policies actually in effect, enforced and updated, or are they just sitting on a shelf?
  • If the company engages in big data projects, is the collection, storage, use and resale of data consistent with customer consents, applicable laws and regulations?
  • Is there effective vetting and management of third parties that handle the company’s data or have access to the company’s computer network?
  • Does the enterprise have up-to-date plans to address information-related incidents, such as a data breach, and are those plans vetted and practiced, before a breach ever happens?

Take-Away Message

Responsibility for the management of enterprise information and mitigation of information-related liability has now reached the board level of many corporations. Active oversight by engaged and informed board members can reduce those risks to the corporation as well as to the members of the corporate board themselves.

How to Understand Your Risk Landscape

This is part two of a series of five on the topic of risk appetite and its associated FAQs.

The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.

The Risk Landscape

Lessons learned following the great financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.

First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives? Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?

To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.

It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated.

Crucially, risk is now defined as “the effect of uncertainty on objectives.”

It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.

Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:

1. Risk appetite: While we now have a globally accepted risk management standard [3] and a sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor internationally accepted guidance, as to the attributes of an effective risk appetite framework.

2. Risk reporting: In relation to risk reporting, two significant matters arise:

Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric [4] approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.

Note: RMI supports the adoption of a board-driven, objectives-centric approach [5] to reporting and monitoring risks to operations, the business model and reputation.

Risk registers and other reporting tools detail known risks, that is, what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such, they tend to be of limited value in terms of reporting or monitoring either unknown known [6] or unknown unknown [7] risks. This is a matter that should give boards cause for concern given the pace of change, hyper-connectivity and the disruptive nature of new technologies.

3. Risk data governance: The quality, rigor and consistency that well-managed organizations apply to accounting data do not exist to the same degree in the risk domain of those same organizations.

The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on disparate Excel spreadsheets, Word documents and PowerPoint decks, with weak controls over the copying and pasting of data from one level of report to another.

Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.

For example:

a. Comprehensive training for business line managers and supervisors on:

  • (Risk) Management Processes,
  • (Risk) Vocabulary,
  • (Risk) Reporting,
  • Board (Risk) Assurance Requirements.

b. Performance in executing (risk) management roles and responsibilities included in annual performance appraisals.

c. System [8] put to process through the use of database/workflow solutions, providing an evidence basis of assurance that:

  • The quality, timing, accessibility and auditability of risk performance data is as rigorously and consistently applied as that for accounting data,
  • Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change,
  • Tests can be applied to the aggregation of risks to objectives at the pace of change and prompt interdictions applied when required,
  • Reports, or notification, of significant risks are escalated without delay, and without risk to the originator of the information.

4. Lack of understanding of the nature of the risks that need to be mastered in the boardroom:

Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives — for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health safety, etc. — and there are multiple categories of risk. But what is uncertainty?

Uncertainty [9] is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.

There are essentially two kinds of uncertainty:

1. Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.

Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.

Measurable uncertainties are funded out of operating profits.

2. Unmeasurable uncertainties: These are inherently uninsurable using traditional methods because of the paucity of reliable data. For example, although we can observe multiple supply chain and service interruptions, data breaches, etc., they are not sufficiently similar or comparable to be soundly fitted to a probability distribution and statistically analyzed.

Unmeasurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks [10], which are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.

Unmeasurable uncertainties are funded out of the balance sheet.

The hyper-connected and multispeed world in which we live today has driven the effect of unmeasurable uncertainties on company objectives to unprecedented heights, and so amplified the risk potential enormously.

5. Urgent need to recognize the mission-critical importance of building and preparing management to always be ready to offer credible solutions in the face of unexpected shocks and surprises. Figure 1 below describes the evolution of risk management as depicted within the red dotted line [11], and the next stage of the evolution (resilience) as envisioned by RMI.

[Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk]

Resilience was the theme that ran through the World Economic Forum’s Global Risks 2013, Eighth Edition report. Resilience was described as the capability to

  1. Adapt to changing contexts,
  2. Withstand sudden shocks, and
  3. Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.

The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).

The Global Risks 2013 report emphasized that global risks do not fit neatly into existing conceptual frameworks, but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes [12]) recently published a concise and practical taxonomy that may also be used to consider global risks [13].

The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.

When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.

Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.

It is also interesting to observe the diversity in understanding of emerging risk definitions. For example:

  • Lloyds: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting.
  • PWC: Those large-scale events or circumstances beyond one’s direct capacity to control, that have impact in ways difficult to imagine today.
  • S&P: Risks that do not currently exist.

The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:

  1. Financial volatility (24% of respondents)
  2. Cyber security/interconnectedness of infrastructure (14%)
  3. Liability regimes/regulatory framework (10%)
  4. Blowup in asset prices (8%)
  5. Chinese economic hard landing (6%)

Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction [15].

References:

1 Influenced by COSO (Committee of Sponsoring Organizations of the Treadway Commission), Enterprise Risk Management (ERM): Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens

2 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.

3 The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.

4 Risk Communication Aligning the Board and C-Suite: Exhibit 1, Top Challenges of Board and Management Risk Communication, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman

5 The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J. Leech

6 An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle or lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels)

7 An unknown unknown risk is a so-called black swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb)

8 Specified to the ISO 31000 series

9 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard

10 More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman

11 Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management: Frameworks, Elements and Integration

12 Managing Risks: A New Framework

13 Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risks 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).

14 Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK

15 The Financial Reporting Council has determined that it will integrate its current guidance on going concern and risk management and internal control and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board’s making a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term;