Business minister’s intervention on board diversity is long overdue

By Gavin Hinks


This weekend we learned that business minister Kelly Tolhurst has written to FTSE 100 chairs calling them out on their failure to welcome non-white members to their boardrooms and warning that change had to accelerate if business was to avoid government intervention.

We saw back in October with figures from Sir John Parker that things were not improving. Just 84 of the 1,048 directors, or around 8%, in the FTSE 100 were from black or ethnic minority (BAME) backgrounds.

Tolhurst’s letter, reported in The Sunday Times, is therefore the right thing to do, though it should have emerged soon after the Parker figures.

Pressure is what is needed, while admitting that progress is not always lightning fast. FTSE 100 companies have been asked to have at least one BAME director by 2021, the FTSE 250 by 2024.

Green Park, a specialist search agency, has noted an improvement in the talent pipeline but has also warned that Brexit, if it goes ahead, adds urgency to the issue. If British companies are to do more business with non-European companies, they will want to see boards that look more like themselves. Currently, most don’t.

Suki Sandhu, chief executive of INvolve and Audeliss, argues that boards should reject all-white shortlists when looking for board appointees.

Not only is it right, but the business case is clear: McKinsey argued in 2015 that companies in the top quartile for racial and ethnic diversity are 35% more likely to have financial returns above their respective industry medians.

But it does require action. Diversity policies need to be revisited and redrafted, as well as promotion and hiring criteria; chairs must lead their boards, non-execs and executives, to endorse change; shortlists and search agencies must be challenged to deliver the right candidates and not the same old names because they are top of their contacts list.

Changes have happened on gender representation and it is well within the capabilities of boards to transform their BAME representation. As Sandhu says: “You can’t be what you can’t see.”

The post Business minister’s intervention on board diversity is long overdue appeared first on Board Agenda.


Why poor cybersecurity is a ticking time bomb

By Kamal Bechkoum


Organisations of all sizes are failing to recognise cybersecurity as a serious issue and are missing vital opportunities to take a proactive approach in the face of significant online threats. The bad news is that no one is immune from cyber-attacks, and it has never been more important to appreciate the damaging effect of failing to prepare on a company’s finances, reputation and legal position.

Consider the threats that boards should be aware of. A recent Ponemon Institute study highlighted that the cyber-attacks of most concern to respondents were: advanced malware; advanced persistent threats (APTs), stealthy and long-running intrusions into a network; and DNS-based data exfiltration, the unauthorised transfer of data out of an organisation, hidden inside DNS traffic.

If you’ve never heard of any or all of the above, now is the time to start genning up on your terminology and knowledge of the area. While almost everyone recognises the importance of having strong cybersecurity systems, there is mixed understanding, particularly at board level, as to how weak processes can affect business.

To put this in context, in 2018 alone the average cost of cybercrime in the UK ranged from £894 for microbusinesses, up to £8,180 for SMEs and around £9,260 for large companies. However, there’s more to this than simply a price tag. PwC’s Global State of Information Security Survey 2017 offers some alarming food for thought, including:

  • 18% of UK organisations don’t know how many cyber-attacks they suffered last year.
  • Nearly eight in 10 companies experienced downtime due to security incidents.
  • The average number of security incidents faced by UK companies increased by 23% to 5,792.
  • Only 28% of UK boards are involved in setting a security strategy.
  • Current employees are the top insider risk, but this is increasingly including business partners and the supply chain.

Add to this the difficulties faced by other victims, such as the website of Luas, Dublin’s light rail system, which ground to a halt while hackers demanded one Bitcoin in ransom. Then there’s the hotel chain Marriott International, which was recently forced to report that “fewer” than 383 million customer records were stolen in a massive cyber-attack, including the theft of 25.55 million passport numbers. This is all a drop in the ocean and gives just a taste of the scale of problems facing boards and their organisations at the present time. So, how should boards approach this vast landscape of challenges?

Education and preparation

Board members must have an unobstructed and detailed view of what the impact will be if customers’ data is lost or stolen, and understand who will take the lead in the face of an attack that interrupts or halts service as normal.

They should also be prepared to lead long-term strategic planning to protect organisational operations against an ever-evolving threat. Well-run businesses not only need to prioritise security at senior team meetings, they must also insist that all of their front-line employees do the same.

Cybersecurity cannot be solved by simply buying in more technology to patch problems. It is about taking a strategic approach to budget allocation that delivers genuine improvements in security and protection. The ideal organisational culture sees managers and staff taking a second-nature approach to keeping information safe and viewing security as a positive force. This requires a checklist that boards can become familiar with and adhere to as part of their regular order of business.

If the organisation falls victim to cybercrime it is vital to act quickly. First, ensure that the incident is contained while the business continues to operate. Then, prepare to notify all relevant stakeholders, including insurers, regulators, lawyers, the police and clients. Training is also important to prepare board members for “what if?” scenarios and a clear pathway of roles and responsibilities in case of a cyber-attack.

Explore where the source of a threat may come from and ask who might have an interest in compromising confidential information and infrastructure. How would the organisation respond to its networks being compromised or customers being unable to access online services? These issues should become a standing agenda item at board meetings, if only to confirm that no changes are needed since the previous review.

The threat landscape moves quickly and, while it may be unrealistic to ask executives to follow the details of what is happening, they can encourage IT managers or the chief operating officer to join external organisations and forums where information and good practice is shared. This can also serve to feed back and provide regular updates that are specifically prepared for the executive. If the organisation then suffers a cyber-attack, the practical response of the board will be to activate the relevant sections of the policy they have helped develop.

A chair who has a detailed and accurate picture of their organisation’s information assets has an appreciation of where the threat might come from. They have also prepared, with colleagues, a mitigation plan and so are in the best possible position to activate the necessary actions.

These include being briefed about the scale of the attack and the information that has been compromised. What size and kind of data has been impacted? Who is affected? What infrastructure has been compromised? How might this stop customers from accessing online services or the company from paying its suppliers? What has been done to avoid such attacks, and how will these be avoided in the future?

A cybersecurity checklist

To help boards prepare for all of the above, consider the following steps:

  • Educate employees: It’s essential that everyone, from the board through to back-office employees, is trained in your company’s security policies and updated on new protocols frequently. Ensure each individual is informed and understands the consequences of not following security policies. Executives should have a good idea of the nature of their data and information and where it travels. They should similarly be focused on how to protect their key information assets and associated network infrastructure. Mitigation against any unauthorised access to, and malicious manipulation of, these assets should be a top priority for boards.
  • Plan for personal devices: The spread of remote employees working on their own devices means security measures need to be put in place. Ensure a layered approach, such as device authentication, data encryption and the ability to remotely wipe data if a device is lost or stolen.
  • Employ a firewall: One of the first lines of defence against a cyber-attack is an external-facing firewall. Many companies are also installing internal firewalls for additional protection. Employees working from home should install a firewall on their personal network.
  • Back up data: Having a backup procedure should be a crucial part of your cybersecurity culture. It is also important to check that your backup is safe, as cybercriminals can target this as well. Remember, failing to protect essential documentation and data can threaten your business to its core.
  • Employ anti-malware software: Phishing attacks can install malware on an employee’s computer when an offending link is clicked. Have anti-malware software installed on all devices and the network to protect against this.
  • Document cybersecurity policies: Cybersecurity policies and protocols should be documented and supported by staff training, checklists and information specifically to protect businesses. This is not just for those at the business delivery level and should include the senior team. Given the financial and reputational risks associated with cyber-attacks, board members should have a detailed picture to hand of what the impact would be of, for example, a data breach on the organisation’s reputation. A key question that needs to be answered is how the company would respond to its networks being compromised or customers not being able to access online services.
  • Use safe password protocols: If users think of ‘passphrases’, the annoyance of having to frequently change a password can be easily overcome. ‘The Boy Stood On The Burning Deck’ is a much stronger password than ‘QX!":143’, even though it contains only letters. Increasing the number of characters in a password dramatically improves security and makes brute-force attacks far more difficult for hackers.
  • Don’t forget mobiles: It’s essential that company employees set up automatic security updates and that the company’s password policy applies to any mobile devices accessing the network. In addition, while it’s tempting to connect to public Wi-Fi, attackers can intercept your traffic over an unencrypted network. Never send sensitive information such as passwords over public Wi-Fi, or carry out internet banking transactions on it.
  • Remember: lack of preparedness can lead to disastrous consequences for share value, reputation, staffing and financial health. While online threats will continue to evolve, the good news is that as long as you treat cybersecurity as a primary part of your business strategy, so will the ways we combat them.
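As an added illustration of the length-versus-complexity point in the password item above (example code, not part of the original article), this Python estimates the brute-force search space for the two passwords the checklist compares. It also models a word-by-word dictionary guess against the passphrase, which the article does not mention: a phrase of everyday words gives an attacker a far smaller space than its character count suggests, though still a much larger one than the short complex password. The vocabulary size and guess rate are constructed assumptions for illustration.

```python
import math
import string

# Constructed inputs: the two passwords the checklist compares.
PASSPHRASE = "The Boy Stood On The Burning Deck"
SHORT_COMPLEX = 'QX!":143'


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every character in pw
    (lowercase, uppercase, digits, ASCII punctuation, space)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in pw:
        size += 1
    return size


def char_entropy_bits(pw: str) -> float:
    """Work, in bits, to try every string of pw's length over pw's alphabet."""
    return len(pw) * math.log2(charset_size(pw))


def word_entropy_bits(phrase: str, vocab_size: int = 20_000) -> float:
    """Work, in bits, if the attacker guesses word by word from a list of
    vocab_size common words. Assumption: the phrase is built from everyday
    words, so a dictionary attack sees 7 words rather than 33 characters."""
    return len(phrase.split()) * math.log2(vocab_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every candidate at an assumed offline guess rate
    (1e10 guesses/s is a constructed figure for illustration only)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(passphrase: str = PASSPHRASE, short: str = SHORT_COMPLEX) -> dict:
    """Side-by-side estimates for the article's two example passwords."""
    return {
        "short_char_bits": char_entropy_bits(short),
        "phrase_char_bits": char_entropy_bits(passphrase),
        "phrase_word_bits": word_entropy_bits(passphrase),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:17s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

At the assumed rate the 8-character complex password is exhausted in under a day, while even the word-level estimate for the passphrase runs to billions of years; the practical lesson is to pick phrases that are long and not a well-known quotation.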

Professor Kamal Bechkoum is head of the school of business and technology at the University of Gloucestershire.

The post Why poor cybersecurity is a ticking time bomb appeared first on Board Agenda.


King IV code change favours quantity over quality

By Theo Botha


Disclosure is at the heart of corporate governance. To be effective, stakeholders must have access to the information needed to substantiate boardroom claims that the company adheres to governance standards. But it is the quality and not the quantity of information made available to stakeholders that is critical.

The overwhelming volume of information that has been generated in the wake of the 2017 introduction of the King IV code of corporate governance poses a significant threat to the effectiveness of a governance system based on oversight and requiring disclosure.


It is difficult to assess what has happened to levels of corporate governance since the release of King’s first set of recommendations in 1994. While widespread media reports on corporate failures and corruption do not encourage optimism, such reporting may itself be proof of progress. But it is indisputable that a large and powerful industry has grown up around the enforcement of corporate governance codes. Aspects of King IV, including its “apply and explain” approach, suggest it is the interests of this industry rather than of stakeholders that are paramount.

While the majority of listed companies in South Africa are committed to good corporate governance, the reality is that some use the governance code as an opportunity for little more than virtue signalling. This cynical approach is sometimes enabled by institutional shareholders, who either do not have the time or the inclination to look too closely at governance details of individual companies.

For them, claims of supporting the King Code are generally taken as evidence of good corporate governance.

Information overload

It is a damning indictment of the governance industry that it has forced companies to devote increasing resources to the measurement and reporting of governance without giving stakeholders any greater certainty of the quality of that governance.

The launch of King IV has seen South African companies issue a slew of reports that provide boards with almost infinite opportunity for publicising “good” corporate behaviour without enabling readers to gain an accurate sense of the underlying governance substance. The cynical amongst us might suspect that this information overload is designed to discourage all but the most determined of stakeholders.


To make it worse, much of the content of the various reports is repetitive. Ironically, this “dumping” of information onto corporate websites can create a sense of disempowerment, as analysts fear they may have overlooked a crucial piece of information in an obscure section of the site. It is easier for analysts to accept headline claims that the principles of the King Code are entrenched in a company’s conduct as evidence of good corporate governance rather than wade through the reports to prove it.

The inevitable consequence will be cynicism and a distrust of the corporate sector. It is a consequence that South Africa cannot afford. A critical weakness in King IV is the “apply and explain” approach that underpins its implementation. This, combined with the wall of information being generated, makes it difficult not to suspect our governance system is being implemented for the benefit of the corporate governance industry rather than the corporate stakeholders.

Time to revert

It is time the Institute of Directors in Southern Africa scrapped the “apply and explain” approach and reverted to the “apply or explain” approach used by King III. The essential difference between King III and IV is that the former dealt with 75 principles and the latter just 17, one of which applies only to institutional investors.

The other 16 principles are bland statements with which nobody can quarrel. For example: “The governing board should lead ethically and effectively” and “The governing body should govern the ethics of the organisation in a way that supports the establishment of an ethical culture”.

Under King IV, companies are merely required to state that they apply these principles and explain how they are reflected in practice. Essentially, this means that no company’s corporate governance, as perceived by the company itself, would fall foul of the code.

King III used the more rigorous “apply or explain” method. This made it significantly easier for stakeholders to determine in what areas a company’s practices were not in step with the code and why the board thought it was appropriate.

With commission after commission unearthing corrupt dealings involving politicians, the corporate sector may currently feel it has the moral high ground. This will not last much longer. We need to be prepared. An essential first step is to change the “apply and explain” approach.

Theo Botha heads Proxy View, a proxy advisory service based in Johannesburg, South Africa.

The post King IV code change favours quantity over quality appeared first on Board Agenda.
