BOARDROOMS RECEIVE A CYBER SECURITY WAKE-UP CALL

Cyber Security: The Burden Approaches the Boardroom

With no specific legal road map on how to address cyber security issues, directors should consider making cyber security a regular agenda item.
 
by Jeremy Feigelson and Christopher S. Ford
 
Not long ago, the New York State Department of Financial Services (DFS) delivered a cyber security wake-up call to boardrooms across corporate America. The wake-up call took the form of an 8-page, single-spaced survey addressed to 31 of America’s largest insurers, asking dozens of detailed questions about how those companies protect their systems and data from attack. The survey included pointed questions about how senior management and the board of directors keep abreast of cyber security matters. Gov. Andrew Cuomo and DFS Superintendent Benjamin Lawsky prominently announced the insurance survey through a press release. Banks, being governed by different secrecy laws, received a less publicized version of the same survey from DFS.
 
What message, exactly, was DFS sending? After all, there is no specific legal or regulatory requirement, in New York or elsewhere, for a company to constantly update its cyber defenses. Nor is there any specific requirement that the board stay informed and involved regarding cyber-defense efforts. But the survey and other recent actions by regulators point to two evolving norms:
  • First, companies are well advised to regard having a robust cyber security program, constantly refreshed to deal with the latest threats, not just as a matter of common sense and good business practice, but increasingly as a matter of legal obligation.
  • Second, directors are well advised to treat cyber security not as just the province of the gearheads who live deep in the corporate org chart, but as an issue for which they should take clear and personal supervisory responsibility, akin to the audit function or other traditional areas of director focus.

To understand these lessons of the DFS survey, it may be useful to first rise up a few thousand feet and take a quick aerial survey of the cyber security landscape: practical, legal, and regulatory.

To start with the practical, few problems are as “hot” or as troubling as the ever-evolving threat of cyber attack. Every day brings a report of a new threat of cyber intrusion. The headlines often report not just a hypothetical threat but a real-world event—whether inadvertent on the part of the data holder, or deliberate on the part of an attacker—that has resulted in sensitive data actually being exposed.

The threats take many forms. There is inadvertence, the classic example being the employee who loses a laptop or thumb drive that contains personal information of customers, employees, or other corporate constituents. Then there is the proverbial hacker in pajamas in his basement, busily probing corporate firewalls for sport, profit, or both. Most troubling of all are “advanced persistent threats” or APTs, so called because they are generated by highly sophisticated, well-resourced and determined attackers, some quite likely deployed with the tacit or direct backing of certain foreign governments. APTs tend to involve complex forms of attack that are particularly difficult to defend against. Companies in nearly every major industry have been attacked by hackers aligned with foreign governments or by non-state hacking collectives like Anonymous.

The weapons in the bad guys’ arsenals are multifaceted and changing all the time. Examples include viruses designed to infect and destroy data and distributed-denial-of-service (DDoS) attacks that prevent customers from accessing websites or web-based content—a growing concern with the increasing prevalence of users keeping their data in the cloud. There are also “phishing” attacks, ranging from the crude to the complex. At the more complex end of the spectrum are APTs where the attacker burrows deep inside a system and generates authentic-seeming communications that trick network users into giving up passwords or key data. Cyber defenders also must worry about “Trojans” or “worms” that give a hacker access to an entire system. Banks hit by a DDoS attack may find their customers unable to access their accounts or use ATMs. The buyer in a merger may find its strategic documents stolen and sold to its potential targets; Ernst & Young has reported that a single data breach cost a London company around $1.2 billion in lost revenue during negotiations. A healthcare provider may find critically sensitive private medical records exposed to public view, leading to scrutiny by regulators. Companies that experience data security breaches are also likely to face a loss of investor and consumer confidence.

New threats almost certainly will have arisen in the time between the writing of this article and its publication. Cyber security in the 21st Century is not unlike riding the rails on an old-time cattle ranch. Each time a company finishes checking for gaps in its protection, it is time to start again—not only because the bad guys are constantly trying to punch new holes, but because routine maintenance is crucial, too. Many successful attacks would have been preventable by the use of known defensive measures that simply were not in place.

The legal and regulatory landscape is in a sense equally fluid and challenging. Cyber security efforts are not governed by any single statute or regulation. No state or federal source of authority—be it statute, regulation, or caselaw—lays out an affirmative road map to a legally adequate cyber security program. Rather, a patchwork arrangement currently holds sway. A complete description of the patchwork is beyond the scope of this article, but for example:
  • Organizations that suffer an actual data breach may have to disclose the breach to affected consumers and to certain state regulators. But figuring out whether you have a disclosure obligation may require puzzling through nearly four dozen separate state laws. For example, in New York, State Technology Law § 208 and General Business Law § 899-aa contain reporting requirements that may be triggered in the event of a breach. In California, various provisions of the Civil Code, such as 1798.82 and 1798.29, contain similar reporting requirements.
  • Similarly, the Securities and Exchange Commission (SEC) has offered guidance on disclosure of cyber risk, both generally and with respect to specific cyber security incidents. Perhaps not surprisingly for a securities regulator, the SEC has not offered guidance on the content of a cyber security program.
  • Massachusetts requires entities that hold data of customers or employees residing in that state to have a written information security program, or WISP. As a practical matter, the Massachusetts regulation touches any company doing business on a 50-state basis in the United States. But strictly as a legal matter, a WISP is neither a federal nor a multi-state requirement.
  • Companies that maintain health information are subject to specific security requirements under HIPAA—including the requirement that they address “reasonably anticipated” threats. But these requirements are limited to the health sector and thus do not extend to corporate America generally.
  • In the view of the U.S. Federal Trade Commission (FTC), the failure to maintain appropriate cybersecurity measures can constitute an “unfair” business practice, in violation of the broad federal law that allows the FTC to punish “unfair” or “deceptive” commercial conduct.

So where does the New York DFS come in, and where does all this leave the board?

DFS is a relatively young regulator, formed in 2011 by the merger of New York’s then-existing departments of banking and insurance. DFS discharges all the standard duties of its predecessor regulators, policing corporate compliance with a wide variety of banking and insurance laws. But the whole of this new agency was clearly intended to be more than the sum of its parts. New York sought to create an omnibus modern financial regulator, vested with (among other things) so-called “gap authority” to step into areas that other regulators might not be fully policing. DFS has acted aggressively, independently and in a highly public way in certain cases. The highest-profile example to date was a money-laundering enforcement action that it alone brought against Standard Chartered Bank, at a time when other regulators were actively looking at the same issues. Standard Chartered agreed to pay $340 million to settle with DFS.

By stepping into the realm of cyber security with its survey, DFS is telling the world that it considers robust cyber security to be an essential element of any program of corporate controls and compliance. DFS is also telling the world that, despite its own lack of any specific statutory or regulatory mandate in cyber security and the large number of regulators already on the cyber scene, it considers cyber security squarely within its jurisdiction—and, by implication, within its considerable enforcement powers. This is consistent with DFS’s “gap filling” mission.

More specifically, DFS is clearly conveying to the companies it regulates that it has certain substantive expectations for what an appropriate cyber security program should include. The eight-page survey asked in detailed terms about, among other things, a company’s cyber-security budget, its use of internal vs. external resources, the frequency with which it engages in penetration testing (aka “hire a hacker,” in which a company’s own IT security employees or an outside contractor probe for weaknesses in the existing cyberdefenses), and the calendar cycle on which security measures are reviewed and updated.

By law, there are no right or wrong answers to these questions. But one would not want to be the company that delivers answers that DFS would regard as weak or troubling. Simply by asking the questions about penetration testing, for example, DFS plainly is signaling that any company in its jurisdiction would be well advised to employ a robust program of penetration testing and other proactive measures, and to update that program frequently to meet evolving threats.

In that regard, DFS’s entry into the field of cyber security is consistent with multiple other threads in the regulatory patchwork. Taken together, the regulators have woven a de facto requirement that companies deploy a program of robust and proactive cyber security. Relevant threads include DFS’s obvious view that penetration testing should be employed; the HIPAA requirement to anticipate and address “reasonably anticipated” threats; and the SEC disclosure guidance, which by necessary implication calls on responsible companies to do more than just say what the threats are, but to take steps to prevent and detect them in the first place. Perhaps most pointed is the FTC’s vigorous assertion that poor cyber security is “unfair,” within the meaning of the FTC Act’s prohibition on “unfair and deceptive” practices, and thus illegal.

FTC Commissioner Maureen Ohlhausen remarked in January 2013 that the FTC brings enforcement actions when, in its view, a company’s “failure to employ reasonable security measures causes or is likely to cause substantial consumer harm.” This inclination was put on display just recently, when the FTC brought and simultaneously settled a case against TRENDnet, a manufacturer of webcams and baby monitors, because of insufficient privacy protections. The webcam software contained a security flaw that allowed anyone to read customers’ login information as it was transmitted over the Internet. TRENDnet agreed to a 20-year auditing program and a consent order that would allow for fines for any future security lapses.

The TRENDnet case is just the most recent example of what is by now a consistent trend in FTC enforcement actions. In another recent case, against HTC, the FTC alleged that the way HTC customized the Android software on its phones left numerous security vulnerabilities hackers could exploit. A major test case now in process against Wyndham Hotels began when the FTC alleged that three Russian hackers’ breach of customer data was a result of Wyndham Hotels leaving its network unreasonably vulnerable.

It remains unclear whether the FTC can sustain its legal position that cyber security fits within the agency’s “unfairness” jurisdiction. Many companies investigated by the FTC simply settle, as TRENDnet and HTC did. But at this writing, Wyndham Hotels is actively challenging the FTC’s authority in federal court litigation. For now, a prudent company must at least consider the possibility that the FTC will prevail on this issue, and that it will continue to generate a sort of “common law” of cyber security through its individual enforcement cases.

Even where the FTC does not use its “unfairness” jurisdiction, it is clearly able and willing to use its “deception” jurisdiction to bring actions against companies that promise security and then later experience breaches that reveal private customer data. The FTC has brought both unfairness and deception claims against companies that experience a breach, the “deception” theory being that companies that promise to maintain good data security (which is common rhetoric in online terms of service and privacy policies) have engaged in deceptive conduct if they do not live up to that promise. Even if the Wyndham litigation succeeds in minimizing unfairness cases, companies may still be on the hook if they do not live up to their own promises. Similar theories are being advanced in consumer class action litigation as well.

Pulling these threads together, the conclusion seems clear that—for the time being, at least—any company that fails to maintain robust, proactive and frequently updated cyber security measures should expect to run afoul of one or more state or federal regulators.

The board has an important role in oversight of the corporation’s IT department as well as the corporation’s response to any breaches of secure or private data. Not only can cyber-security breaches lead to potentially wide-ranging government investigations, they can lead to civil litigation and public relations difficulties, and can require disclosure to various levels of government, shareholders and the investment community. When Heartland Payment Systems, a credit-card payment processor, suffered a major data security breach in 2009, it accrued almost $140 million in expenses in just the first year. One cannot help but wonder if Heartland could have prevented or mitigated that loss by investing a fraction of the $140 million prior to the breach on upgrades to its IT architecture.

The DFS questionnaire mentioned C-Suite management six times and the board of directors twice, making clear that regulatory attention is focused squarely at the top of the corporate hierarchy. DFS asked companies to report how frequently the board of directors receives updates on information security: annually, quarterly, monthly, ad hoc, or never. There are no specifically right or wrong answers to this question as a legal matter; no statute or regulation dictates, for example, that the board receive quarterly cyber security updates. As with pen testing, though, just by asking the question DFS may well be signaling what it sees as the better answers. A 2012 report by Carnegie-Mellon University found that roughly 40 percent of the boards of financial corporations rarely or never reviewed their company’s security budgets or responsibilities—with over 50 percent of boards failing to address any information security issue at all. One can picture a world where, down the road, DFS regards poor answers to such questions as indicative of a management control failure and possibly a legal violation.

Companies that collect information from customers are not the only ones that need to build in data security protections. Virtually every corporation has important trade secrets or company confidential information residing on its servers, or in the cloud, that it does not want exposed to competitors.

Ensuring that a company’s network and data are secure is a complicated process, not only because of the wide variety of threats, but also because many companies build their networks as they grow, layering new technology on top of old without necessarily addressing the bigger cyber-security picture. The risks of a board and senior management failing to understand a company’s risk profile thus can be serious.

What, exactly, are directors supposed to do in this dynamic environment? Just as there is no specific legal definition of a legally adequate cyber security program, there is not yet a specific legal road map for how a board should address these issues. But one broad principle seems clear: If cyber security is a key area of legally required corporate focus, then as night follows day, cyber security also should be a regular topic of board oversight. A few governance practices seem logical and worthy of a board’s consideration.

First, the board should consider assigning oversight of cyber risks to a particular committee or committees on an ongoing basis. It is less important which committee (audit, risk, etc.) than that the responsibility has an organizational home of some sort within the board committee structure. For example, responsibility for oversight of day-to-day cyber security could be assigned to the audit committee. The risk committee could play a role, too, including the consideration of any available insurance. These responsibilities also could be consolidated entirely within a single committee. As a means of quickly building expertise and assessing possible structures, an ad hoc committee may be desirable. Whatever particular structure is selected, this approach will ensure that board members are receiving regular updates on cyber-risk issues and will provide a platform for asking questions of management and generally exercising oversight of the area.

Second, whether at the committee level, the full board level or both, directors and appropriate senior management should receive regular briefings on cyber security. These briefings might come from in-house IT managers, outside risk assessment professionals, or both. An analogy can be drawn to the regular reports that boards receive both from a company’s CFO and from its outside auditors or other consultants.

Third, boards should consider reviewing their ranks to determine whether it is desirable to add one or more individuals with experience in cyber security matters. Again, no legal requirement applies in this regard. But just as boards historically have been well served by including (for example) individuals with a variety of senior management, accounting, legal and other areas of expertise, the list of important fields of expertise today would seem to include cyber risk. Not only can the technical nature of cyber issues present a high barrier to entry for non-specialists, but having one or more directors with knowledge in the area can provide a clear focal point for board efforts and a “go-to” resource for fellow directors and for senior management.

While the unsettled cyber risk environment poses threats to businesses, it also presents enormous opportunities. Corporations that take cyber security seriously and are proactive in addressing potential problems before they arise can save time and money down the road, and head off inquiries by regulatory agencies like the New York DFS. Boards and upper management are a key part of this process, and should be evaluating how they can best play the key role that regulators now expect them to have in the oversight of their companies’ cyber security.

I WISH I WERE ON YOUR BOARD OF DIRECTORS!

IMAGINE BASIL VENITIS ON YOUR BOARD OF DIRECTORS!

In the Venitis paradigm, a board serves as a check on a cowboy CEO. Boards often lack the intestinal fortitude for the level of risk taking that healthy growth requires. Board members are supposed to bring long-term prudence to a company, but this often translates to protecting the status quo and suppressing the bold thinking about reinvention that enterprises need when strategic contexts shift.

Conservatism tends to grow with the scale of the enterprise. At a very young company, directors do things early on that, had they not succeeded, would have led to their failure. Fresh boards regard such ambitious moves as things to do. But old boards explore a couple of things that would be very high risk and decide not to pursue them. Because they’ve grown, the risk-reward envelope has changed shape, and there’s a lot more value at stake.

Directors’ risk aversion is driven by fears of bad press. The rise in stakeholder and proxy-analyst pressures has made directors sensitive to any decision that might provoke a negative reaction from the media, proxy-advisory firms, institutional analysts, or activist investors.

During a discussion about a merger, a director might point out that the company is front-page news for other reasons, and that a consolidation would likely fuel further media attention. The risk appetite is out of balance. Many corporate directors are wasting time on image topics when they need that time to debate business issues.

Directors too often put self-interest and self-preservation ahead of shareholder interests. They like their board seats, because of the prestige. They can be reluctant to consider recapitalization, going private, or merging, because they might lose their board positions! In many situations, directors have let a merger fall through because of who was going to get how many board seats.

If directors join a board because of status or reputation or are risk-averse because of legal liability, then they are not as interested in making money, and they don’t represent the interests of the shareholders. For a business to thrive, both management and the board must always focus on long-term shareholder value.

One of the most important functions of the board is to insulate the CEO from short-term considerations. Although you can’t shout in media reports that the board is looking out for more than just the profit motive of today’s shareholders, directors still have a responsibility to provide air cover for management decisions that look beyond the next quarter’s, or even the next year’s, earnings.

In the Venitis paradigm, no one should accept a director role unless he is willing to thoroughly prepare for boardroom discussions. Well beyond reading the briefing books sent out a week or more before meetings, directors should make sure they understand the workings of the company and stay abreast of industry developments. If you don’t take the time and effort to learn the business, the CEO can’t really have a dialogue with you.

In the Venitis paradigm, CEOs have a responsibility to keep directors in the know. Formal board minutes are sparse and legalistic and can’t be counted on to trigger memories of earlier board discussions and conclusions. It’s easy to lose the continuity of thought from meeting to meeting.

If directors want more communication between their regularly scheduled meetings, a CEO should send an update letter in the middle of each quarter. And he shouldn’t hesitate to pick up the phone. If a CEO is dealing with a highly sensitive subject, he should call the lead director.

Compensation issues are increasingly a big deal; when one comes up, a CEO will talk to the HR committee to make sure they are on the same wavelength. All this between-meetings communication is necessary, because it’s a complex, complicated business. A CEO sends directors an informal e-mail every Sunday morning. He just wants them to know what’s on his mind.

With most topics, management can overwhelm the board with the facts, but that doesn’t mean management is right. The Venitis paradigm advocates a board of well-informed directors so that management doesn’t have to carry the burden of keeping the board up to speed. When the board has a collective sense of the issues, it can discipline the discussion.

When a company is facing a big decision, the Venitis paradigm gives directors extra time to conduct due diligence and to deliberate. With key decisions, nobody is going to present an idea and ask for resolution in the same cycle. They’ll let the board know their thoughts and allow for conversation and discussion. The decision might be made at the following board meeting, or maybe the issue gets deferred until their next meeting, and they discuss it again.

Some CEOs would pack the board with like-minded cronies. But most CEOs don’t want a board populated by their golf buddies. In the Venitis paradigm, diversity is required in order to bring perspective and specialized knowledge to bear on important deliberations. It’s important to have directors from outside the company with different skill sets.

The Venitis paradigm abhors the celebrity director — the unengaged board member whose main contribution is star power. A marquee name on the board has a tiny marginal impact on overall corporate image. More likely, directors get a certain amount of prestige and social standing by saying they’re on a board.

There are many professional directors, who’ve retired from full-time employment. By some estimates, about a third of new board members fall into this category, and the concern is that their first interest is the preservation of their board seats. You want it to be a minority group that is doing it for the income.

There is an absence of energetic debate in the boardroom. One reason such debate is lacking is that conflict aversion sets in. On the one hand, that’s surprising, given that the room is full of opinionated, powerful people; on the other hand, it fits with what we know about the psychology of teams.

A fraternity culture can easily take hold in the boardroom, suppressing discussion and disagreement. In the boardroom, the thinking is you have to be equal, don’t be overwhelming or dominant, don’t hurt feelings, and don’t take someone’s chair. It’s all about getting along.

The Venitis paradigm strikes the right balance between the necessities for collegiality and for the board to function effectively as a team. You want to deal with multiple points of view and not make it hard for people to express their views, but you don’t want to have overpronounced collegiality that allows any person to dominate. 

A bad habit is when directors take their opinions outside the open boardroom discussions, where they can’t be contrasted and integrated with other views. A director might drop in on the CEO after board meetings, often trying to overturn a decision or divert the direction the board was taking. A director might storm out of many board meetings on principle. He might pride himself on raising difficult subjects, but he isn’t willing to have a debate.

There is superficial thinking about corporate governance. The board is a social entity. And the human beings on it — they act like human beings do in groups. The longer individuals are there, the more allies they have, the more they have their dislikes, the more irrational they become in terms of personal conflict. I am amazed that more work has not been done to illuminate the social contract within a board.

Worst of all is when outspoken comments are completely unconstructive, focused on rehashing past mistakes or otherwise unrelated to the questions on the table. We don’t need directors on the sidelines saying, Oh, you missed the shot. You should’ve stayed in that city. Board members should police one another. It’s difficult when you make the CEO accountable for dealing with disruptive personalities.

Instead of aggressively advocating a point of view, directors should ask probing questions. Important decisions should emerge from intelligent stress testing, if only because that will help forge mutual conviction. A rubber stamp might be expedient in the short term, but a casual “sounds like a great idea” won’t have enough tread for a longer journey.

The payoff from the constructive conflict in the Venitis paradigm is that it’s their decision, too — and you hope they’ll have your back when the vultures come around.  

In the Venitis paradigm, CEOs do not keep their boards in the dark or chip away at directors’ power. They recognize that they and their shareholders will get more value if the partnership at the top is strong. Great CEOs know that if governance isn’t working, it’s everyone’s job to figure out why and to fix it.

Most boards aren’t working as well as they should, and it’s not clear that any systemic reforms will remedy matters. Although governed by bylaws and legal responsibilities, interactions between CEOs and directors are still personal, and improving them often requires the sorts of honest, direct, and sometimes awkward conversations that serve to ease tensions in any personal relationship.

When strong relationships are in place, it becomes easier for CEOs to speak candidly about problems — for example, if the board isn’t adding enough value to decision making, or if individual directors are unconstructive or overly skeptical. For their part, directors should be clear about what they want — whether it’s less protocol and fewer dog and pony shows or more transparency, communication, and receptivity to constructive criticism.

In the Venitis paradigm, where the best leadership partnerships are forged, there is mutual respect, energetic commitment to the future success of the enterprise, and strong bonds of trust. A Venitis board does not adopt an adversarial show-me posture toward management and its plans. Nor does it see its power as consisting mainly of checks and balances on the CEO’s agenda. Venitis boards support smart entrepreneurial risk taking with prudent oversight, wise counsel, and encouragement.

The Venitis paradigm turns the focus to the human level, to what’s really going on in that boardroom, and listens to every informed perspective on what goes on there.

Corporate governance, the system by which a company’s board of directors and management executives align themselves with shareholders’ interests in order to make strategic decisions, can be a catalyst (or constraint) to value creation. Value creation is a product of business fundamentals and investor perceptions.

Effective corporate governance in the Venitis paradigm enhances business fundamentals and investor perceptions, primarily through greater transparency and more effective decision making, and thus generates more value for shareholders.

In the Venitis paradigm, well-functioning boards of directors play an increasingly important part in shaping corporate performance and investor perception. In addition to their checks-and-balances roles, boards’ strategic guidance, oversight, and effective decision making can provide invaluable direction and support to companies as they grapple with the challenges of globalization, enhanced business volatility, and intensifying levels of competition.

Following standard practices, as traditionally defined, does not ensure success. Among companies that do achieve best-practice corporate governance in the Venitis paradigm, outcomes in performance and quality vary widely. In other words, there is more to governance best practices than most people think.

There are major factors that play an important role in fostering effective corporate governance. The real key to effective governance lies in its practices and processes that are often overlooked precisely because they appear to be mere details. In fact, these details, individually and collectively, have a tremendous impact on governance.

Addressing the magnificent seven factors can create an environment that facilitates proper flow of information, preparation of members, and setting of priorities. In the Venitis paradigm, boards can fulfill their overarching purpose: better decision making and improved investor perception, which are the catalysts to superior value creation.

Consider the Venitis pyramid of the magnificent seven hidden factors, the preconditions for achieving corporate-governance success:

1. Senior leaders’ engagement
2. A disciplined approach to decision making
3. Clear, carefully crafted mechanisms and protocol
4. Keeping things simple
5. Combining intuition with business models
6. Establishing a corporate soul based on values and virtues
7. A robust information infrastructure

The Venitis pyramid structure reflects the hierarchy of interdependencies. Engagement, the hardest factor to achieve, depends on the three lower layers of factors being firmly in place. The information infrastructure is at the base of the pyramid because it supports all the other factors.

These seven Venitis factors won’t apply to all companies in the same way; there is no one-size-fits-all approach. In implementing them, each company must consider its own particular characteristics and circumstances: its industry, ownership structure, organization, operations, and culture. It’s equally important to weigh the balance of power between the board and the CEO and how evolved the company’s governance policies and practices are.

No board can be expected to make sound decisions without the right information in hand, without open lines of communication, or without clear governance processes and protocols. Yet for many boards, these elements are often missing. Important but nonstrategic matters that should fall within management’s jurisdiction sometimes land in the board’s lap, while truly strategic issues that merit the board’s deliberation are dealt with by company management. Complex issues that merit preliminary analysis by a committee sometimes end up on the main board agenda prematurely, crowding out other matters that are ready for deliberation.

A host of other inefficiencies can impede the decision-making process, from less-than-ideal approval flows to poor meeting dynamics that distract members from the most essential issues. Underutilized or ineffective committees, ambiguous deadlines that create confusion, the absence of confidentiality protocols or guidelines on appropriate deliberation times—all can hamper decision making. Many of these inefficiencies can not only block the board’s ability to respond swiftly to critical company challenges but also undermine the quality of its decisions.

In an effort to ensure proper oversight, boards can also go too far in the other direction. Too much centralization can create needless delays, in turn impeding the company’s ability to execute or to respond in a timely fashion to external change. In the Venitis paradigm, boards can adopt any of a number of measures to orchestrate, streamline, inform, and improve their decision making.

In the Venitis paradigm, the board reviews management’s approval levels and segments decision flows by topic. The goal here is to ensure that the right parties are dealing with the right types of decisions in the right order. Which decisions should be delegated to management? Which ones might require preliminary review by a committee? Which ones should go straight to the board? Which ones might require advance consultation and alignment with controlling shareholders?

Segmenting approval flows by topic facilitates in-depth analysis (clarifying when certain committees or other types of expertise are warranted). It also helps identify the types of decisions that have urgent deadlines, are confidential, have any statutory restrictions or requirements, or should be supported with additional data. Finally, the process prevents decision bottlenecking. It ensures that managers have the discretion they need to make decisions, and that their decisions are visible to the board. It also ensures that the board is freed up to focus on important elements of its mandate, such as issues of true strategic importance.

Evaluating approval levels in the Venitis paradigm, directors first decide whether current levels allow for sufficient autonomy and agility while properly controlling and mitigating risk. Analyzing the company’s recent performance under current levels and assessing relevant benchmarks is useful. In the Venitis paradigm, boards review approval levels on a regular basis, to ensure that they match current business realities and company focus.

The Venitis paradigm leverages committees to maximize their impact on board effectiveness. Many boards fail to capitalize on the analyses their committees produce. That means they also fail to take advantage of the other benefit that committees provide: alleviating the load of nonurgent issues for the board.

To ensure that committee work is integrated into board decisions, the Venitis paradigm board reviews and, if necessary, redefines how its committees are structured. It looks at their activities, their timelines, and the roles of their individual members.

In addition, the Venitis paradigm board establishes standard channels and systematic opportunities for allowing committee intelligence to get into the board’s hands when needed. Not all committees need to be permanent, either. A temporary committee can be useful for ad hoc initiatives, such as exploring a potential acquisition or the possible need for an enterprise-wide IT overhaul.

The Venitis paradigm creates a fast track for urgent decisions. The Venitis paradigm boards define in advance the types of issues that justify rapid approval and establish procedures that will facilitate speedy decision making. They consider ways to get the necessary information to decision makers quickly and determine which communication channels (videoconference, phone conference, or e-mail, for example) are the most appropriate. This is particularly important in an era of increasing volatility and uncertainty, when problems can rapidly devolve into crisis.

The Venitis paradigm modifies the organization of board meetings. Agenda management may seem minor, but it can have a tremendous impact on effective decision making. Typically, agendas are developed in a way that presumes equal importance for each item by allocating equal time. That approach almost ensures that critical issues, especially those that aren’t at the top of the schedule, will be shortchanged. In planning the agenda, members consider the relative strategic relevance of each item and allocate time accordingly. That also means minimizing the time allotted to issues already explored in depth beforehand in selected committees.

In the Venitis paradigm, the almighty CEO cowboy is over. Leading a company today has become a far more complex and more pressurized endeavor, thanks to globalization, market and economic volatility, more influential stakeholders, and more complicated business alliances and partnerships. The sheer speed of business compounds the challenges of due diligence and timely decision making. Moreover, all of these pressures have taken a toll on the chief officers; we’re witnessing shorter CEO tenures, higher CEO turnover, and executive posts going unfilled for longer periods.

In the Venitis paradigm, chief officers navigate the business landscape with the support, strategic guidance, and collective wisdom of a well-functioning board. A board cannot function well when its members and company management distrust each other, when crucial information is routinely missing or late, or when meeting agendas are overfilled with nonstrategic matters. These disconnects impede cooperation and impair decision making. Ultimately, they can result in an underperforming board that, rather than mitigating company risk, amplifies it.

In the Venitis paradigm, corporate governance extends beyond compliance with rules and protocols. It is also about giving the company the power to overcome significant challenges and seize opportunities that build enterprise value.

The Venitis paradigm requires a robust information infrastructure that supports transparency and timely information flow. It requires processes that ensure the efficient and judicious use of time and resources. It calls for an approach to decision making that lets management and the board support, but not impede, each other in classic checks-and-balances fashion. These prerequisites in turn foster cooperation and engagement—the most critical ingredients for effective corporate governance.

Given that the all-powerful CEO is likely a thing of the past, we believe firmly that there is no longer room for laissez-faire boards or board-management power struggles. The Venitis paradigm is a powerful way to cultivate the partnership between CEOs, their teams, and their boards—and to govern the company wisely and skillfully to sustained value creation.

Directorship is a part-time job with full time accountability. Inherent in the board-CEO relationship is an information imbalance. However, with the right culture and board leadership, the board and CEO can easily communicate expectations and information.

A CEO’s leadership style can serve as an indicator that the risk of information asymmetry has become too high. Directors establish a level of trust with the CEO to allow for board access to other members of the senior management team, as well as site visits to see the company’s operations.

With an expanding board agenda, process and expectation setting are critical. The board should clearly communicate to the CEO the types and format of information that need to be presented.

An empowered lead director can help mitigate the risk of information imbalance. By facilitating communication channels and work between the independent directors and the CEO, this leadership position can break down some of the road blocks that may develop between the CEO and directors. The relationship between the CEO and lead director should be transparent.

Culture is critical in effective dialogue between the board and the CEO cowboy. With the right culture, directors can be sure they are aware of the risks that are keeping the CEO up at night.

Sharing information via performance metrics, which are focused on what directors need to know, can bridge gaps in information flow. The board has to make winning decisions based on data, models, and intuition.

Directors balance short-term shareholder expectations with generating long-term sustainable profit. The role of the stakeholder, though, is more significant than ever before and expected to grow. In the Venitis paradigm, directors balance shareholder return with stakeholder concerns.

It’s difficult for the board to address and to communicate with every stakeholder. In the Venitis paradigm, the board identifies which stakeholders are critical to the strategic plans, and targets communications to those groups.

DOES YOUR BOARD OF DIRECTORS DESERVE BASIL VENITIS?

Offering Basil Venitis a seat at the table of your Board of Directors will drastically increase your profits.
