This newsletter’s Table of Contents is as follows:
- Appointing a Devil’s Advocate
- Social Media and the Board
- Opportunities for enhancing communications around long-term strategy
- Cyber-Risk Hygiene and Boards
- Where’s the Greenium (the “green premium”)?
- Financial Reporting in 2019: What Management and the Audit Committee Need to Know (and Ask)
- ESG Oversight Lessons from the PG&E Bankruptcy Filing
- Is your board dysfunctional?
1. Appointing a Devil’s Advocate
When it comes to major strategic and capital spending decisions, boards should consider “officially appointing” a devil’s advocate to argue the negatives so that all board members will have access to different perspectives and viewpoints before a decision is made. Rotating the devil’s advocate position amongst board members depersonalizes any conflict that may arise from the process.
Source: Corporate Board Member
2. Social Media and the Board
Strategy and risk are two key areas for board oversight. As social media is becoming an increasingly important component of strategy, and as its usage poses potentially serious reputational and other risks to the enterprise, it is appropriate for the board to oversee the company’s social media usage and the policies that accompany such usage. Boards of directors often deal with new challenges, and oversight of social media usage is no exception. Principal means of effective oversight include the following three items:
- Learn how the company and its stakeholders use social media: Different companies use social media in different ways. Directors should focus on how their companies use social media, and understand how its stakeholders use social media as well.
- Consider governance, resources, and investments aligned to social media: While there is no one model governing where social media responsibility lies within the company, directors should understand both their organization’s social media policies and who is responsible for social media usage and for managing the related risks.
- Understand how social media policies are disseminated, monitored, and enforced: It is important that companies disseminate social media policies and conduct training to assure that employees are aware of them. According to recent studies, 80 percent of the companies surveyed said they had such policies, but 45 percent of the employees said their companies had no such policies, suggesting that the companies may not be effectively disseminating the policies and/or educating their employees about them. Companies also need to monitor compliance with social media policies and take appropriate disciplinary action when those policies are not followed. For example, if a policy prohibits employees from posting information about the company on their social media accounts, but employees see that executives do so with impunity, the policy may be viewed as meaningless.
Source: Deloitte
3. Opportunities for enhancing communications around long-term strategy
A 2019 Proxy Season survey of investors reported that, to assess whether companies are effectively balancing the short and long term, they are looking at:
- The company’s story. Is the company consistently communicating a strategy around long-term growth? Is there a strong articulation of the company’s purpose and how the company is managing its business to create long-term value?
- Executive compensation. Does the pay program promote longer-term focus or does it primarily emphasize a one-year time frame? Are companies rewarding innovation, investment in the company, and progress tied to environmental or social goals?
- Capital allocation/stock buybacks. How is the company investing in services, products, retraining or innovation that could build long-term value? And how do recent stock buybacks reflect the best use of cash?
- Environmental and social metrics. Is the company investing energy, focus and disclosures around long-term sustainability goals? Does company strategy address business-specific opportunities and risks on environmental and social matters?
- Risk disclosures. Does there appear to be an underappreciation of significant risks, such as environmental risks, cybersecurity or broader technology challenges?
- Sell-side research. Is the company articulating business planning for the long term?
Key Board Takeaway: Assess opportunities for enhancing communication of long-term strategy, and how near-term goals and pay incentives support that strategy.
Source: EY
4. Cyber-Risk Hygiene and Boards
Directors are in a great position to thwart attacks by stepping into hackers’ shoes, advises Dave DeWalt, Delta’s security director, former McAfee CEO, and private company director and investor.
When assessing cyber risks, boards may want to try and think like a cyber thief. However, a lot of private companies are naïve about their cyber risks, he notes.
Too often company management and boards don’t spend time assessing potential nefarious players and many end up surprised at who cyber thieves may be and what they are looking for, DeWalt points out. “Who would have thought Facebook and Twitter and other social media might be attacked by Russian intelligence agencies? Who would have thought a next generation design of an industrial product would be stolen by the Chinese trying to improve their own industrial infrastructure?”
And, he adds, “a lot of companies miss the insider threat. Over 50% of all breaches actually occur from the inside — disgruntled employees, radicalized employees, plants from nation states.”
“The primary methodology used by internet thieves is spear phishing,” DeWalt explains. “Spear phishing is the art of sending emails (or other communications) that have malicious links or attachments that download keyloggers to steal credentials and identities. Amongst other things, boards should help ensure there is adequate training, education and tools to prevent this primary cyberattack vector.”
He suggests bringing outside experts to do a risk assessment for the board and management. And it’s also a good idea to add a board member who is also a cybersecurity expert. “In the case of Delta, that’s what I do,” he says.
But throughout the boardroom, he advises, “getting educated on the risk is job number one for any director.”
Getting accurate information from management is critical, as is keeping the amount of tech reports given to boards in check. “It’s important to have precise information according to the metrics that are agreed upon and it’s mandatory for all directors to become educated, especially if they’re on the audit or risk committee.”
Directors should be asking, he says, “about the basic building blocks of good cyber hygiene – what is the risk, what are we doing, how are we reporting what we’re doing, are we doing that quarterly or monthly to the board.”
Source: Private Company Director
5. Where’s the Greenium (the “green premium”)?
A recent Stanford Business School study investigated whether investors are willing to trade off wealth for societal benefits. The study took advantage of the unique institutional features of the US municipal securities market to provide insight into this question. Since 2013, over $23 billion in Green Bonds have been issued to fund eco-friendly projects.
Comparing Green securities to nearly identical securities issued for non-Green purposes by the same issuers on the same day, the study reported economically identical pricing for Green and non-Green issues.
In contrast to a number of recent theoretical and experimental studies, this particular study found that in real market settings investors appear entirely unwilling to forgo wealth to invest in environmentally sustainable projects. When risk and payoffs are held constant, municipal investors view Green and non-Green securities by the same issuer as almost exact substitutes. Thus, the “greenium” is essentially zero.
Source: Stanford
6. Financial Reporting in 2019: What Management and the Audit Committee Need to Know (and Ask)
Top officials and staff from the SEC, the PCAOB and the FASB gathered in mid-December in Washington, D.C. at the 2018 AICPA Conference on Current SEC and PCAOB Developments to provide year-end accounting, auditing and disclosure guidance to corporate management, audit committees and outside auditors. Here are some key takeaways for management, as preparers, and the audit committee, as overseers, of the 2018 annual report and ongoing financial reporting in 2019. Specifically, regulators’ expectations are increasing for enhanced disclosure and related controls in the following areas:
- Escalating risks around cybersecurity, Brexit and the transition away from LIBOR
- “New GAAP” standards and the end of provisional income tax accounting
- Non-GAAP financial measures, which remain on the SEC’s radar screen
- Identification and disclosure of material weaknesses in internal control over financial reporting
Additionally, regulators are encouraging “dry runs” by the audit committee, the outside auditor and management together in preparation for the impact of the PCAOB’s new critical audit matters (CAMs) standard, which will apply to the fiscal 2019 audit of calendar-year large accelerated filers.
While it is clear that the specific areas of risk-related disclosures and GAAP compliance mentioned above will be under the regulatory microscope in 2019, it is important that companies and audit committees expect, in a proactive way, that others will emerge. This reality—that companies must engage in careful contingency planning for, and quickly adapt to, the unexpected or unforeseeable risk or event that materializes—highlights the importance of developing and maintaining robust corporate controls and procedures that will flag incipient or emerging risks or events on a “real-time” basis, communicate the relevant information promptly to responsible senior management for materiality analysis and timely disclosure, and thus enable companies to fulfill their Regulation FD and insider trading compliance obligations.
Source: Weil, Gotshal & Manges LLP
7. ESG Oversight Lessons from the PG&E Bankruptcy Filing
The recent news that California utility PG&E Corp. filed for bankruptcy should give pause in every corporate boardroom. On Monday, January 14, 2019, The Wall Street Journal (WSJ) reported that analysts had pegged PG&E’s wildfire liability exposure to be as high as $30 billion—roughly triple the company’s market value of $9.12 billion. By Friday that week, WSJ called this “the first major corporate casualty of climate change.” The company filed for bankruptcy on January 29, 2019.
But judging its external environmental, social, and governance (ESG) ratings, PG&E was doing fine. Clearly, this situation shines a spotlight on the serious limitations of external ESG ratings. It also highlights the need for companies across virtually all industry sectors to build robust ESG governance systems.
Judging by the praise voiced by external ESG ratings organizations, PG&E seemingly had its ESG house in order. PG&E rated number one among utilities and twenty-second overall in Corporate Responsibility Magazine’s 100 Best Corporate Citizens.
So we have a situation of high external ratings and a company apparently in compliance. Yet a $30 billion environmental liability exposure happened anyway. Clearly, there is a disconnect somewhere. An earlier NACD blog noted that “without getting governance right, it’s hard to get anything else right.” That is precisely the lesson companies can learn from the PG&E situation.
How can other companies learn from this situation? It starts by avoiding two fatal flaws:
- It’s often not about compliance. U.S. companies have a 50-year history of looking at environmental, safety, and societal issues as compliance. They often view ESG oversight and management through a compliance lens. That’s yesterday’s view. Managing the mega risks today (climate change, water shortages, etc.) is often not about compliance. You might comply with your water intake permit requirements, but what happens when the well runs dry, or when, like in Flint, Michigan, the water is contaminated?
- Beware the 80/20 governance trap. Only a very small portion (let’s call it 20 percent) of what constitutes robust management and oversight of environmental and social risks can be measured from outside the company. The other 80 percent—what I call “the soft stuff”—is comprised of the internal company practices and business processes to manage risk. That 80 percent does not easily lend itself to being measured.
External ESG raters look at “the hard stuff”—aspects of corporate governance and strategy that can be measured. But while external ESG raters may measure the existence of a board ESG committee, it is almost impossible for them to measure the effectiveness of C-suite and board deliberations about ESG risk.
Bottom line: Directors should insist on measuring the other 80 percent of what constitutes robust governance…because the “soft stuff” actually can be measured.
Source: NACD
8. Is your board dysfunctional?
Does your board have directors who trust each other, are committed, are comfortable with conflict, hold each other to account and are focused on results?
If not, your board is likely to have some degree of dysfunctionality and is possibly in need of an intervention.
Most boards of organizations of all sizes, and in all sectors, exhibit, at one point or another, some degree of dysfunctionality.
Directors who can agree with most of the following statements are more than likely to be sitting on more effective boards:
- Board members are clear on what is expected of them.
- Board meeting agendas are well planned so that the board is able to get through all necessary board business.
- Most board members come to meetings prepared.
- Written reports to the board are received well in advance of meetings.
- All directors participate in important board discussions.
- Different points of view are encouraged and discussed.
- All directors support the decisions reached.
- The board has a plan for the further development of directors.
- Board meetings are always interesting and frequently fun.
How many of the above statements are you able to agree with?
If you disagree with a number of them, the likelihood is that you are a member of a dysfunctional board … and if your business has a dysfunctional board, it is also likely to be a dysfunctional business.
Source: Corporate Governance Institute
