There are two questions that I'm commonly asked related to my work on boards. The first is, “How are boards of Silicon Valley companies evolving?” and the second, “What is the top risk keeping board directors up at night?” My response to those questions is 1) Not fast enough and 2) It's not just one area of risk, but many, respectively.
As one of a handful of female, African American CEOs and board directors, I am passionate about helping organizations not only understand and manage risk, but also to use risk intelligence to protect their brand and reputation, preserve their corporate integrity, and drive better business performance.
I will delve deeper into some of the key issues that are shaping today's boardroom conversations and influencing the evolution of boards in companies across Silicon Valley and corporate America.
Key Risk Factors
At the 2015 MetricStream GRC Summit in Washington, D.C., I had the pleasure of hosting a panel discussion alongside notable board directors including Herman Bulls, vice chairman-Americas of Jones Lang LaSalle and board director at Tyco International, Comfort Systems USA Inc., Rasmussen Inc., and USAA; Linda Hudson, chairman and CEO of The Cardea Group and board director at Bank of America and Southern Co.; and Craig Wilson, board director at Sterling Global and former director of Intelligence Policy in the Office of the Secretary of Defense. It was abundantly clear through our discussion that as corporate directors this notion of risk is at the forefront of boardroom discussions, and the top risks facing organizations today include cyber security risk, third-party/supplier risk, and reputation risk.
Cyber Security Risk
Cyber security, critical virtual infrastructure protection, and data privacy are all critical areas of focus for boards today, with over 80% of board directors saying that cyber security is talked about at almost all board meetings. This demonstrates a major shift, given that as recently as 2012 boards were not actively discussing or advising on an organization's cyber security risk management program. Recent headlines have given us no shortage of examples of cyber-related incidents, compelling board directors to ask important questions such as: “What information do we need from management in order to feel comfortable that the right amount of attention and resources are being focused on managing cyber security risks in the short and long-term?”
According to Herman Bulls, “There are two types of companies out there: those that have been compromised by a cyber breach, and those who are going to be compromised. The best approach to managing cyber risk is to ensure that diligent management is applied in understanding the risk.”
Likewise, Linda Hudson says, “Top management of enterprises regarded cyber risk as one of those things that the tech people took care of. Those days are now long gone. If you look at major cyber breaches like Target and Sony, which resulted in CEOs losing their jobs, in this environment it is critical that the board is aware of the potential risk and the resources available, and that both people and technology are being brought to bear and that management stays on top of events happening out there.”
Today, organizations need to focus both on preventing the next cyber attack as well as developing an incident response plan that can effectively address and respond should a cyber attack occur. To support both of these important priorities, boards of large and small companies alike are recommending the hire of a chief information security officer (CISO). The CISO serves as the middleman between the C-suite and the board, and has the important job of communicating to the board, in simplistic terms, regarding all enterprise-wide cyber security-related risks as well as the strategies to mitigate those risks.
Notably, corporate boards are also increasingly selecting qualified female executives to fill important cyber security-related roles, including oversight roles at the board level. According to the data, 16 of the largest companies in the U.S. have appointed one or more directors with cyber security backgrounds, 10 of them being women. Of note, there are also several directors with cyber-related backgrounds who have been appointed to the boards of major corporations, including AIG, BlackBerry, Delta Airlines, General Motors and Wells Fargo. However, as noted in the Los Angeles Times, “There's a big problem with the whole trend, though: a shortage of cyber-qualified board candidates.” So, while organizations are taking steps in the right direction, cyber risk will continue to evolve. As such, organizations need to constantly evaluate and assess their team to ensure that they have the right perspectives, experiences, and expertise at the table.
Third-Party/Supplier Risk
Third-party/supplier risk is another risk that has become a top focus area for boards, as a result of increasingly global supply chains and complex regulations with serious financial and reputational consequences. For instance, a labor strike in a foreign country could negatively alter a contractual agreement, elevating price and resulting in loss of revenue or future market opportunity. According to Craig Wilson, the scope of third-party supplier risk is multifaceted and includes “foreign nationals, third-country nationals, and what regulatory requirements pertaining to labor market conditions are, which adds to the complexity of managing the risk. Added to this is the potential conflict of compliance issues; for instance, compliance regulations applied by the U.S. may not coincide with those of another country.”
Relatedly, cyber risk is oftentimes interlinked with third-party supplier risk. For example, contracted third parties likely have access to an organization's proprietary product information and critical supply chain processes and connections. Even if the parent company has the right controls in place, its third-party suppliers may not have the same defense strategies, thus potentially providing a “back door” to an organization's data. This is a risk that many organizations are just now working to address.
With so many different pieces of the puzzle, it can be difficult for senior management to have visibility across the end-to-end supply chain. With the right tools and technologies, however, organizations are able to gain the real-time information they need to understand the activities and actors across their supply chain, as well as use that data to influence vendor relationships and contracting processes, guide strategy, and ultimately make more intelligent risk-based decisions.
Reputation Risk
At the end of the day, the long-term success of any organization — large or small — is hinged upon its reputation. Many of today's most well-regarded, trusted and successful technology companies have their origins right here in Silicon Valley. However, building and scaling a strong and enduring company is no easy feat.
Everyone in the company, from those on the front lines interacting with customers to those at the board level, need to care about the reputation of the organization. Especially in light of today's business environment, with new risks and threats evolving every day, it is imperative to have the right people, processes, and technologies in place to understand and manage reputation as an asset.
From my experience, there are some practical steps that companies can take as they aspire to be reputable and successful leaders long-term:
1. Be clear and consistent about your mission and value proposition.
2. Focus on your strengths and become an authority in those areas.
3. Empower your employees and they will become brand ambassadors.
4. Strengthen your delivery and customer experience.
5. Integrate community and social sharing elements into all areas of your business strategy.
Best positioning
Today's rapidly evolving, global, social, networked world has brought about new complexities and new risks, as well as new opportunities. In turn, this landscape has created new responsibilities and introduced new focus areas for the board. In spite of so much change, as board directors it is important that we go back to the basics; focusing on understanding and managing risk, demonstrating sound leadership and good governance, and ensuring compliance with all applicable laws and regulations. In doing this, organizations will be best positioned to pursue new opportunities for growth and transformation, while also building their brand equity and reputation, and ensuring a market leadership position in the days, months and years to come. â–
The author can be contacted at this email address: mpalm@metricstream.com.