Event Blog

 

Disruption and Transformation – The Board’s Role in Overseeing Opportunities and Risk

By Ellen Pekilis
November 23, 2018

Innovation and disruption are top of mind for every board.  Women Get On Board recently held a panel discussion to provide expert insight on the board’s role in guiding transformational change and learning to embrace risk. Hosted by KPMG, the panel was moderated by Lori O’Neill, board member and independent governance consultant.  Panelists included Craig O’Neill, CEO of VersaPay and Leslie Luk, audit partner in KPMG’s technology, media and telecommunications practice.

Building Trust

Boards are necessarily focused on risk management and compliance, particularly in a public company context.  Encouraging the board to consider risking truly transformational change requires the CEO to take deliberate steps to build trust between the board and management.

Craig O’Neill took VersaPay through a transformational change which involved selling their main revenue-generating asset to create the bandwidth to focus on new directions.  Getting board approval for such a dramatic divestiture required focused trust-building.

“When you can build that trust and that healthy tension, it’s kind of magical,” said O’Neill. “You can be very productive as a board if you have it.  If you don’t have it, it can be very unproductive and very, very divisive.”

Key tactics included putting a premium on transparency.  O’Neill used a “skip level” approach by which he put key board members in direct touch with his direct senior reports including the CFO, keeping a close eye on roles and responsibilities to counter the tendency of board members to meddle in operations if they get too close to management.

“I wanted them to know that what I tell them is straight up the truth. It’s not varnished, it’s not filtered. You’re going to hear the good, the bad and the ugly. If there is any bad and ugly–and there is always bad and ugly–you can trust what I’m telling you,” said O’Neill.

Leslie Luk advised that establishing mutual understanding with the board about the type and frequency of information flow is key to establishing board trust.  She suggested that pre-meetings with the Audit Chair could also go a long way to help.

Let Sub-committees Take a Deep Dive

The panel recommended establishing sub-committees for the really big transformational decisions.  Sub-committees permit a small number of board members to set aside the time for a focused deep dive in the issues.  While the ultimate decisions remain with the board, the fact that some board members are recommending the change from an informed position may encourage a higher trust level by the rest of the board members in terms of embracing transformational risk.

Sub-committees should be established with a specific purpose and with the same rigour that a Board would put into establishing the audit committee.  Be purposeful about identifying the special skill-sets required from sub-committee members to get the best governance oversight.

Implementing Implementation

Many strategies die on the shelf.  Tone from the top is key to encouraging management to actually operationalize the strategy once it has been approved. Adopting an innovation culture can also help de-risk a project.

“Fail quick and fail small,” advised Leslie Luk.  “Try things on a smaller scale.  Having the board with that mindset will help incentivize management to actually try things.”

It is critical that management establishes appropriate indicators and consistently reports on them as a standing item on each quarterly board meeting agenda.

“The board has to ask management, ‘what are the signs of success?’,” stated Craig O’Neill.  “Lead indicators.  Not lagging indicators.  What do we watch to see if we are on the road to success, not lagging indicators that will let us know that we have already succeeded in the past.  We use a report card on both leading and lagging indicators, but the lead indicators are way more important.”

Women Get On Board is a leading member-based company that connects, promotes and empowers women to corporate boards. We do this through an engaged community of women and men in Canada committed to advancing gender diversity in the boardroom. Find out more about becoming a member of Women Get On Board.

 

Cyber for the C-Suite – A New Reality

By Ellen Pekilis
May 3, 2018

Cyber risk is expanding in scale, scope, severity and source, landing near the top of most boards’ risk profiles. Catherine Evans, National Cyber Practice Leader, led a recent Women Get On Board session exploring the new realities of cyber risk for board members. Key learnings include:

1. The Internet of Things

The astronomical rise in connectivity will fundamentally change the nature of cyber risk. By 2020, there will be an estimated 50 billion connected devices. That means 50 billion ways in. Centralized system controls can no longer provide the same degree of assurance that they have traditionally delivered.

2. The Rise of Nation States as Threat Actors

2017 saw a rise in the sophistication of cyber attacks, stemming from military-grade techniques developed by nation states. Russia, North Korea and China are most commonly cited as applying the full force of government funded technology with extreme capability far beyond the wildest imagining of the teen hacker in the basement who used to haunt boards’ nightmares. New tools and responses will be required to meet this degree of threat.

3. Cybercrime Motives and Goals Are Evolving

Cybercrime typically had a simple driver: money. Key breaches focused on monetizing sensitive personal information such as credit card numbers, social insurance/security numbers and health data. No more. The market is now so flooded with easy access to stolen personal information such as credit card numbers that the price has dropped. While the market for illicit personal information is still there, it’s not as lucrative. The focus of cybercrime has broadened to include intellectual property theft and causing operational disruption to extort a ransom. Nation states are also focused on causing actual damage to physical infrastructure, for example, attacks on power grids in the Ukraine & the US.

4. With Evolving Goals Come New Targets

As the motives for cybercrime change, so do the targets. Organizations with deep holdings of personal information have typically been the focus of cybercrime. Manufacturing – particularly in a pure business to business environment – has so far escaped the brunt of cybercrime, but this is changing. As the focus shifts towards IP theft, operational disruption, and physical plant damage, manufacturing companies need to move cybercrime higher on their risk management agenda.

5. The Regulatory Landscape is Changing

A raft of new compliance requirements is coming into play. In Canada, the Digital Privacy Act 2018 will come into force in November, 2018. It includes mandatory breach notification of both affected individuals and regulatory authorities. The notification requirements are subject to a variety of triggers including the sensitivity of the information involved and the risk of harm. The EU General Data Protection Regulation comes into effect this month and also includes mandatory breach notification requirements as well as the right for EU residents to receive their information and have it permanently deleted from all sources.

In the US, the SEC has issued Guidance on breach disclosures. The Guidance stresses the importance of establishing proactive policies and procedures before there is a breach. The SEC focuses on the importance of board oversight and establishes expectations that the Board understands the company’s relevant policies and procedures. The SEC has also expanded the financial disclosure certification to include board certification that the company’s cyber-security and response plan are adequate for the risks.

6. Governance Needs to Develop With the Same Intensity As the Risk

In a recent Marsh study, most organizations appropriately identify cybercrime as a top 5 key risk. However, most advise that they can’t effectively measure or evaluate the risk. 34% have no way to measure cyber-risk and a further 46% have only qualitative measures that may be insufficiently robust. Most view governance as functional, not strategic, with 65.9% of respondents saying that cyber risk is a technical matter owned by IT, not an organizational risk owned by all key risk owners/managers. In reality, IT may control the mechanisms, but the broader organizational exposures are way beyond IT’s capacity. 45% of senior executives say they provide cyber-risk information to the Board, but only 18% of Directors say they receive such information. This disconnect is particularly sobering given the staggering rise in the scope of the risk, coupled with the SEC guidance (for US reporting issuers) that the Board certify the adequacy of the company’s cyber-security and response plan.
