What boards need to know about whistleblowing

By Guest Contributor

Big corporate scandals have made whistleblowing a headline topic. From Danske Bank to the Panama Papers, whistleblowers have thrown a spotlight on problematic behaviour.

Politicians and regulators have responded with measures to protect whistleblowers, seeing such individuals as a check on wrongdoing and a way of ensuring corporate accountability. But what are the key elements of whistleblowing in the UK and how do companies get it wrong?

The statutory regime for whistleblowing in the UK was established in 1998 with the Public Interest Disclosure Act, which followed a wave of corporate scandals.

Crucially, the legislation provides protection for whistleblowers. First, by deeming unfair any dismissal of a worker for making what is known as a “protected disclosure”. Second, by making unlawful any action that causes “detriment” to a worker if the action was prompted by the worker blowing the whistle.

Key to the legislation is the definition of “protected disclosure”. Whistleblowing is considered protected if a worker discloses information rather than making threats; the worker has a “reasonable belief” the disclosure is in the public interest; information is disclosed to specified persons such as the employer or to prescribed external bodies; and the disclosure relates to one of six kinds of “relevant failure”.

Failures considered relevant are breaches of a legal obligation and dangers to health and safety; criminal offences; miscarriages of justice; damage to the environment; and, lastly, covering up information about failures in these areas.

Public interest

Crowley Woodford, head of the European employment practice at law firm Ashurst, warns that the law in this area can be “tricky”. The requirement that workers need only have a “reasonable belief” that something is awry is a key example.

“That’s a relatively subjective test,” says Woodford. “As long as the whistleblower subjectively believes that a breach has occurred and that is objectively reasonable, it does not matter if that belief later turns out to be wrong.”

There is a further warning as whistleblowing must be in the “public interest.” When originally enacted the legislation demanded that whistleblowing was in “good faith”. But, prompted by many workers reporting their own employment concerns, the public interest test was introduced as a counterweight.

Woodford warns, however, that employment concerns can still be reported; all whistleblowers need do is show that their complaint applies to more than one individual.

The legislation is also open to use tactically by a worker. For example, when an individual’s professional performance is called into question, companies may find that he or she then blows the whistle and consequently argues that any dismissal has arisen because of their whistleblowing.

“If the tribunal can see that there is a history of poor performance before the whistleblowing and a good paper trail evidencing this,” says Woodford, “that will present a powerful argument that the dismissal or detriment did not arise as retaliation for blowing the whistle.

“The problem is that employers often don’t do that and performance issues are often dealt with informally without documentation, leaving the company more exposed.”

As mentioned, whistleblowers are protected from “detriment” where they have made a protected disclosure. It is relatively easy for companies to ensure at the time of a report that a worker is not subjected to detriment.

According to Woodford, problems arise once an investigation has ended if a whistleblower is excluded from events as innocuous as project team meetings or discussions because that could be enough for someone to claim that detriment has taken place.

“The wider the knowledge of the whistleblowing spreads, the more potential there is for this type of exclusion to occur,” says Woodford. “It requires effective management and containment to a small group of individuals who are skilled in dealing with these issues.”

Restricting access to information also applies to anonymous whistleblowing because of the natural tendency for speculation to focus on who made the report. Protocols are therefore needed to govern access to information.

“Having these issues embedded in a policy is a powerful means of ensuring that the employer at each step is trying to afford the whistleblower protection,” concludes Woodford.

The situation in France

French multinationals have been implementing whistleblowing policies for some years, but the work was given added impetus in 2016 with the introduction of the Sapin II law.

The legislation details which companies must implement a whistleblowing policy (those with 50 employees or above), lays out step-by-step procedures to be followed and offers a definition of what constitutes whistleblowing.

However, according to Nataline Fleury, an employment law partner at Ashurst in Paris, a complex mesh of laws applies to whistleblowing in France. This includes Sapin II, data protection law (GDPR), law relating to works councils and legislation applying to disciplinary sanctions.

Sapin II procedures are designed to ensure whistleblowers do not face discrimination, while those found responsible for wrongdoing do not face sanctions that cannot be justified. That means taking great care with the process.

French whistleblowing is driven by a desire to avoid anonymous reports. Whistleblowers can claim anonymity, but anonymity should not be encouraged. It is considered preferable for whistleblowers to be named.

Confidentiality must also be maintained. This is why many French firms choose third-party service providers to handle their whistleblowing hotlines and investigatory procedures. It’s not mandatory, but it provides a level of assurance against leaks.

Risk then arises when an investigation is complete and a company must decide what disciplinary action it will take. Hubert Blanc-Jouvan, a regulatory partner with Ashurst, explains that in financial services, where the matter relates to financial regulations, this is the point at which it is often handed to a regulator.

“Where there is an opportunity to pass the matter to a regulator, it is better for them to investigate,” he says. Additional requirements apply to financial firms and French regulators implement specific procedures to collect and deal with the reports received from whistleblowers, he adds.

Employers in unregulated sectors must decide which disciplinary action to take themselves. Here confidentiality remains paramount, as does the need to follow procedure as it is set down in law.

Fleury warns: “You need to ensure that the whistleblowing policy, the consultation process of the employee representatives, the information of the employees and the manner in which the whistleblowing procedure was followed through all comply with the law, or an employee can challenge any sanction faced by arguing that the process did not comply with the regulations.”

The situation in Germany

Unlike the UK and France, Germany has no specific whistleblower law. However, according to Andreas Mauroschat, an employment law expert at Ashurst in Frankfurt, German companies, especially those in financial services, have been implementing whistleblowing plans for many years. These have also become a mandatory part of the risk management obligations stipulated in the German Banking Act.

Regulatory requirements from BaFin, Germany’s financial regulator, are broad and simply ask firms to have some form of whistleblowing plan and procedure which allows employees to secretly provide information on breaches of certain laws, such as MAR (Market Abuse Regulation), the German Banking Act, the German Securities Trading Act and others.

Employee protection comes through labour laws because employment agreements impose a fiduciary duty on employees to disclose problematic behaviour, or go to an external body if the issue is thought to be in the public interest. In these circumstances an employer is prevented from taking any retaliatory action because the employee is not in breach of their employment contract.

According to Mauroschat, whistleblowing policies need to be robust with standard procedures that allow for benchmarking, action plans for containment and prevention plans addressing future processes. Most importantly, systems need to document each step taken during the whistleblower process, especially the reasons for any decisions taken on issues such as disciplinary action.

A failure to keep adequate records can lead to problems later. “We often see an incident is handled professionally,” says Mauroschat, “but when there is a follow-up, or a challenge to a decision, we frequently see documentation for the original incident is not complete and elements of the process are undocumented.”

One way to resolve that issue is through the use of new internet-based integrity systems. “These systems allow you to move away from managing data to managing a process, and avoid people failing to act correctly because the system forces you to take steps in line with internal policies,” says Mauroschat.

“They can be a very powerful tool and massively reduce risk.”

This article has been prepared in collaboration with Ashurst, a supporter of Board Agenda.

The post What boards need to know about whistleblowing appeared first on Board Agenda.

Nissan’s governance report is a warning for all boards

By Gavin Hinks

Just 20 minutes. That’s the time Carlos Ghosn allegedly allowed for each board meeting when he was heading Nissan.

Whatever the facts surrounding Ghosn’s guilt or innocence of the charges he now faces, that nugget of information stands out as a red warning light.

The disclosure that Nissan’s boardroom get-togethers were so brief comes in the report published this week from the car maker’s Special Committee for Improving Governance.

Headline writers were quick to highlight the report’s conclusion that a “personality cult” existed around Ghosn that made his behaviour “impenetrable territory” that could not be questioned.

The report says Ghosn “realised concentration of authority in himself” through domination of appointments and remuneration of senior managers. It alleges he cemented this power through the appointment of a single director, Greg Kelly, to run administrative affairs. According to the report, any questioning of remuneration or appointments, Kelly, or the so-called “office of the chief executive” were met with vague answers that gave little away.

At Nissan, the report says “dissenting views” could be met with suggestion that “they would be removed”.

What emerges, therefore, in the under-reported recommendations of the committee, is a strategic effort to drastically reduce the powers of the CEO at Nissan.

Those used to Western norms will be surprised to hear that the major prescription for improved governance will be to move Nissan from its current complex, “traditional” Japanese governance structure to a slimline “three statutory committees” system. In other words: audit, nominations and remuneration committees.

This is worth reflecting on. For many in business the process of distributing accountability through committees may be considered bureaucratic and mundane. But try functioning without it and the risks, as far as Nissan’s special committee is concerned, are all too clear.

Some of the other recommendations of the committee include:

  • The majority of directors should be independent and from outside the company;
  • The number of directors should be enough to prompt “lively discussion”;
  • Diversity among directors should be “fully considered”;
  • The nominations committee should have a majority of external, independent directors;
  • One role of the nominations committee should be to refresh membership of the board “on a regular basis”;
  • All members of the remuneration committee should be external, independent directors;
  • The chair of the board should be an independent, external appointment;
  • Independent members of the board should meet regularly;
  • Third-party providers should evaluate the effectiveness of the board, but the audit committee should also conduct audits in “respect to the effectiveness of the supervisory function” of the board of directors;
  • Internal audit should report directly to the audit committee if it encounters “misconduct”. Directions to internal audit from the audit committee trump those from the chief executive.

The report highlights the need for corporate culture to change, not least switching attention from short-term aims to mid and long-term objectives. The CEO’s office will become subordinate to other departments and the rather opaque “CEO’s reserve” fund is to be abolished.

Rebuilding trust

Over-reliance on a single chief executive is always risky. However, it’s not hard to see how it happens if they appear particularly successful.

But there’s a further issue connected to Nissan’s report. The business world has for some time battled with a “trust” deficit. Ever since the financial crisis, a succession of corporate scandals and endless headlines shining a light on excessive executive pay, the discussion among business organisations and politicians has been focused on how to rebuild trust in business—indeed, how to rebuild trust in the capitalist system.

Reports of a chief executive who was “deified”, who could not be questioned, who built opaque corporate structures to duck accountability, only feeds into the public perception of business being much less than honest. It confirms the narrative of business suffering from moral bankruptcy.

What Nissan’s report recognises is that even high-flying CEOs are accountable to their companies, not the other way round. That’s something worth remembering, not just in Japan, but here in Europe too, where chief executive pay settlements seem to indicate that chief executives are treated reverentially.

The special committee concludes:

“Although it is a matter of course that business strategies shall be proposed on the CEOs’ responsibility, such strategies must be discussed by not only the board of directors but also management meetings such as the executive committee, and eventually, approved at the board of directors.

“SCIG [the special committee] believes that it is unfortunate for Nissan that under the Ghosn system, there is a perspective that no goals that it should reach had necessarily been discussed in an effective way in meetings of the board of directors or the executive committee and other management meetings.”

The board is there for a reason. It must be allowed to do its work, not least to actively prevent the “deification” of its CEO, to question and to challenge. Most of all, it should define an organisation’s purpose. Without those elements we will always see CEOs who come to believe their own propaganda.

The post Nissan’s governance report is a warning for all boards appeared first on Board Agenda.

Sir Roger Carr: What makes a good non-executive?

By Gavin Hinks

A lifetime achievement award has the thrill of a corporate Oscar—tinged with a slight sense of concern as a business obituary.

Nonetheless—having chaired these awards in the past, and seen previous winners—I receive this award with a mix of enormous gratitude and considerable humility. So, thank you very much.

In these turbulent times, the need for non-executives has never been greater. Having had the privilege of sitting on many boards, in good times and the not so good (of which there have been a few) I am often asked what I think makes for a good non-executive. So, I felt I would take this moment to share with you my top five.

First: Make sure you have the right motives when joining a board. The risk reward ratio is rarely favourable. The standard five principles of life: “What’s in it for me?”, must be outweighed by, “What can I contribute to it?”

To contribute you must have a genuine interest in the business, a desire to add value, a willingness to give advice, but the tolerance to be ignored.

And where you add value is critical: independent judgement on people; clarity of mind on risk management; vision for the future on strategy; focus on succession planning, and help in the day to day.

In summary, rule one, you need the skillset to contribute as an individual, but the mindset of a team player.

Rule two: Don’t confuse helping with meddling. This is one of the greatest challenges, particularly for those used to executive roles.

To help, you have to understand the business. Read the papers, visit the sites, engage with management, listening more than transmitting, thinking more than doing, advising more than telling.

So remember, board members challenge, advise, and encourage. Executives execute; non-executives execute the executive if they continually fail. Role confusion is dangerous for everyone.

Rule three: Have the humility to believe that others have something to offer and the patience to judge if you are right.

Weighing the evidence is vital, listening and learning. Rushing to judgement is risky, just as delay in acting on poor performance is dangerous. The best boards comprise individuals who are sure of themselves, but respect colleagues for their contribution; who are measured in forming opinions, but swift in implementing conclusions. A good principle—action this day—having slept on it overnight.

Rule four: Remember that you may have been hired for your experience but you will be valued most for your character.

As a chairman I look for those who are authentic in manner: who look to the mirror for judgement not the gallery for applause; who have the courage to speak truth to power and the resilience to be rebuffed.

Most importantly the integrity to know—whatever the pressure from shareholders, competitors, customers or peers—a board must do the right thing simply because it is the right thing to do.

Finally, rule five: Remember shareholders, employees, prospective employees and customers increasingly focus on how you make money, not simply how much money you make.

Honesty, integrity and diversity are the hallmarks of a good board. And diversity is not box ticking. It provides the healthiest environment for collective decision making, it is a combination of merit and gender. We have made good progress in the boardroom, it is work in progress in executive management, and we have a long way to go to see more women in the role of chair.

Let’s not forget this is not simply a gender issue, it’s about making business better. Plus respect for the environment, concern for all stakeholders.

These are not optional extras. They are at the heart of the business and the key to social acceptability. If capitalism is to thrive, the reputation of business must improve and in this, the role of the non-executive is key; how we conduct ourselves, present ourselves, govern ourselves and pay ourselves.

In short business and business leaders must be performance driven, value led. Being a non-executive is not simply a job, it is a privilege and vital if business is to be of value to society and valued by the community in which we live. Thank you.

The post Sir Roger Carr: What makes a good non-executive? appeared first on Board Agenda.

Taking control of cyber risk

By Guest Contributor

When Facebook chairman and CEO Mark Zuckerberg faced the press after hackers stole data from up to 50 million social networking accounts last September, he said “we need to do more to prevent this from happening”.

It’s a typical response, the sort of reaction you get from CEOs when the data horse has already bolted. Unlike the CEO of Equifax, which saw 693,000 UK data records stolen in 2017, Zuckerberg kept his day job. The problem most boards have is that, following a cyber-attack and data breach, there is little more you can say other than “sorry”.

For Facebook and the many other businesses that suffered cyber-attacks in 2018, the real implications are still being felt: lost revenue, lost customers, fines (Facebook was fined £500,000 by the UK’s ICO) and ongoing reputational damage. The average cost of a data breach to a business is around $3.86m. For all businesses—even Facebook—it’s not just a case of “doing more” and expecting this will be sufficient in preventing further attacks.

If 2018 proved anything, it’s that everyone and everything is a target, hackers are persistent and mistakes happen. This is why the forecast figures are always rising. On a global basis, cybercrime will cost $6trn annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures. It’s one of many similar forecasts.

The important thing to remember is that it’s not someone else’s problem to solve. As AON revealed in its Global Risk Survey 2018, cybercrime is top of the charts when it comes to ranking risk, so businesses and boardrooms have to take control and minimise that risk where possible.

“There is no such thing as 100% secure,” says Mark Camillo, head of cyber, EMEA at global insurance organisation AIG. Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate against it should be fundamental to boardroom decision-making. It’s about top-down culture: if the boardroom takes it seriously and acts, the rest of the organisation will take it seriously too. A key part of that is being prepared for all eventualities.

Make a plan

A cybersecurity plan should be as much about cure as prevention. If you accept, in all likelihood, that at some point the business will be breached, the mindset has to be about continuity and recovery. No board wants to see all the hard work of a business be undermined within a few days due to a cyber-attack.

Every business should have a cybersecurity policy. This is essentially a plan for making sure the whole organisation pulls in the same direction when it comes to preventing attacks, but also knowing what to do post-breach. A comprehensive plan for protecting data, networks and devices will ensure nothing is left to chance.

A cybersecurity policy should cover four main areas—compliance, infrastructure protection, recovery and employees.

  • Compliance Detail what is expected of the business when it comes to managing data and how to adhere to the EU’s data protection rules in GDPR or US rules such as HIPAA.
  • Infrastructure protection What and who will be protecting the data? Ensure that there is a coherent plan of protection, from a multi-layered software approach (antivirus, firewall, anti-malware and anti-exploit software) to comprehensive insurance cover. Who is in charge of this, and how will software updates and patches be applied and data backed up?
  • Recovery Who does what in the event of a breach? What is the action plan for isolating an incident and getting the business back up and running as quickly as possible? Who is going to communicate with regulatory bodies, customers, partners and suppliers, and deal with an insurance claim?
  • Education The business needs a clear communication strategy to all staff about internet and email usage and best practice: clear guidelines on what is acceptable usage, how to detect scams, how remote workers should access the network, social media rules, password management systems and reporting incidents.

Building a plan will focus the minds of the board. Cybersecurity is no longer a specialist field that concerns only the IT department or a chief security officer. A breach can affect the whole organisation and even put it out of business, so cybersecurity awareness training is now essential for everyone within the company. Human error is, after all, the biggest culprit. According to Experian’s Managing Insider Risk Through Training and Culture report, 66% of the data protection and privacy training professionals questioned said employees were the weakest link.

The insurance safety net

More than ever, businesses need to protect themselves, physically, virtually and financially, from the threat of cyber-attack. By transferring risk to an insurer, boards can build a robust strategy to deal with threats.

Knowing where to start is often a problem, but risk can be measured. An insurance firm or broker should be able to model a company’s risk and provide feedback on how its current risk level will translate into premiums. That assessment should also include recommendations on how to improve the company’s risk score.

“We are modelling risk, looking at attack probability, claims data, internal security controls and so on to build a picture of a company’s risk,” says Camillo at AIG, adding that this data also builds a benchmark for vertical sectors. “This also helps with modelling risk costs and gives companies clearer insight into what they need to do to reduce risk and insurance premiums.”

Interestingly, despite being one of the biggest safety nets for businesses, insurance is underutilised when it comes to cybersecurity. A survey in August last year by digital research firm Ovum found that only 38% of firms had cybersecurity insurance covering all eventualities. The survey also revealed a lack of understanding among companies of the impact a cyber-attack can have across an organisation.

A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business. “It’s an essential tool in giving more transparency and intelligence back to companies, and an entry point to more comprehensive cover that could also include incident response, forensics and legal and PR support from crisis management experts,” says Camillo at AIG.

A recent PwC report believes this is the future, and it’s already gaining recognition from organisations looking for solutions to the growing threat. PwC estimates that annual gross written premiums for cyber insurance will rise from roughly $2.5bn today to $7.5bn by the end of the decade. “Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape,” says the report.

However, the problem for the board is identifying policies that work specifically for cybersecurity and are not just bolted-on, often expensive, extras. As the Ovum study found, 62% of US companies reported they don’t believe their cyber insurer priced their premium based on an accurate analysis of their risk. This has to be an education for both insurer and insured, and demands more extensive risk modelling.

As with all specialist insurance sectors, a blanket policy cannot be expected to cover a business adequately. Cover has to be designed around the urgent needs of a breach: it has to be responsive around the clock, help cover investigations and fines, and protect the business from the heavy costs of data recovery and reputational mitigation, as well as lost revenue.

Supplier and customer trust are fundamental to the ongoing success of a business, and few if any businesses can afford to jeopardise that trust. A cybersecurity breach, with its potential loss of sensitive data, is now one of the biggest threats to that trust, if not the biggest, placing more importance than ever on remediation, insurance and that often under-appreciated notion, peace of mind.

TOP FIVE RECOMMENDATIONS FOR MANAGING CYBER RISK

  • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular time on board meeting agendas.
  • Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  • Board–management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

For more details download the Internet Security Alliance’s Managing Cyber Risk: A Handbook for Boards of Directors.

This article was produced in association with AIG, which is a supporter of Board Agenda.

The post Taking control of cyber risk appeared first on Board Agenda.

Performance and accountability: the changing role of the chair

By Guest Contributor

Once a stately figurehead, the chair now faces the glare of publicity, and has become the potential focus of public anger at corporate governance failures.

Since the financial crisis the chair has increasingly been held to account, along with the CEO, when organisations fail to perform. Shareholders, regulators, legislators and the media now have little patience with narrow definitions of the chair’s role when problems arise: as a leading chair stated baldly in recent research by board formation consultancy Fidelio Partners: “The buck stops here.”

Pressure on the chair is compounded by disruption and accelerating change in the business environment, and against this backdrop judging the performance and success of the chair is a challenge. To whom—and how—is the chair accountable?

Challenges for board leaders

Fidelio has been conducting structured interviews across a broad range of sectors to understand leading chairs’ perspectives on the challenges they face. Based on this work we offer the following action points for chairs, and those who aspire to the role.

1. Prepare for disruption
The possibility of disruption to existing business models is clearly near the top of most boards’ agendas, and the sources of disruption mentioned by our interviewees are as follows:

  • Technology: 45%
  • Politics and regulation: 24%
  • Consumer behaviour: 14%
  • Social norms: 12%
  • Board/executive dynamics: 5%

Technology is clearly the leader here, and there’s no shortage of companies which have been radically changed or even made obsolete by its march.

But the political environment is also very unstable, especially in the UK and US, making capital allocation decisions difficult.

Consumer behaviour is also shifting, in part also driven by technology: the impact of online shopping on the retail landscape is a case in point.

Lastly, the impact of mass and social media makes rapid shifts in social norms much more common— #MeToo and the growing awareness of environmental issues, for example.

In our view, the key to dealing with disruption is for the chair to ensure the right board composition including the skills and diversity to deal with change, and also to drive the right board process to ensure the strategic context gets the time and focus it needs.

It’s vitally important that the organisation’s antennae are tuned with sufficient sensitivity to pick up signals of change that may be weak today but can rapidly grow into a real threat to the status quo.

Climate change is the one to watch here: though there is still denial in some quarters, stringent decarbonisation legislation is sure to follow eventually, with major impacts on many sectors.

2. Deal with the governance environment

The volume of governance, regulation and guidance for boards both public and private has grown to a point where it requires discipline on the part of the chair to stay on top of the detail, but also to ensure the board retains its long-term strategic focus.

The formal obligations of the chair in major jurisdictions typically have a statutory basis. This is often light on detail, while corporate governance codes offer more guidance:

“The chair leads the board and is responsible for its overall effectiveness in directing the company. They should demonstrate objective judgement throughout their tenure and promote a culture of openness and debate.”
(UK Corporate Governance Code, Financial Reporting Council, 2018)

There are international nuances. While UK governance remains an international benchmark, there are important differences in emphasis between the UK’s unitary board structure and the two-tier governance structure in Germany:

“The supervisory board chair is elected by the supervisory board from among its members. The chair coordinates the activities of the supervisory board, chairs its meetings and safeguards the matters of the supervisory board externally.”
(German Corporate Governance Code, 2017)

The difference is still more pronounced in the US, where there is no single generally accepted governance code and no consensus that the role of the chair is separate from that of the CEO.

Corporate governance, including the requirements of the chair, is typically less onerous for smaller privately held companies. For public companies, especially those that are highly regulated, the expectations of the chair increase substantially.

The chair of a systemically important financial institution could well be devoting four days a week to this role. And while chairs in other sectors will not be subject to the same level of scrutiny, there is a clear trend towards more oversight, even for private companies.

3. Balance stakeholders

While economic purists may claim that the sole purpose of a company is to generate returns for shareholders, back in the real world companies must also deal with other stakeholders. These include employees, customers, suppliers and regulators, as well as governments local and national.

Employee representation on the board—long a feature of the corporate landscape in mainland Europe—is also on the agenda in the UK due to new provisions in the 2018 Corporate Governance Code.

All stakeholders presumably want the long-term, sustainable health of the company, but in practice there are many instances of conflicting interests. Shareholders, especially those of an activist bent, are frequently accused of putting short-term financial gain ahead of the longer-term interests of others, while internal stakeholders will typically be focused on changes to staffing or work patterns.

In extremis the chair becomes the arbiter of competing interests, and in order to do so it’s clear there needs to be a regular and well-structured programme of communication and engagement in place. A proactive approach pays dividends here: no chair wants a shareholder revolt resulting, for example, from a poorly communicated remuneration report.

4. Focus on performance and accountability

What does success look like for the chair, and how can their performance best be evaluated? Much has been written about board evaluation and guidance is typically also provided on evaluation of the chair:

“There should be a formal and rigorous annual evaluation of the performance of the board, its committees, the chair and individual directors. The chair should consider having a regular externally facilitated board evaluation.”
(UK Corporate Governance Code, Financial Reporting Council, 2018)

Provision is also increasingly being made in most corporate governance codes for a deputy chair or senior independent director to lead the process of evaluating the chair. Given that it is often the chair who initiates and mandates evaluation, it is key to ensure the review of the chair receives the attention it deserves.

Closely linked to evaluation is the question of accountability. The role of the chair is clearly no longer ceremonial: in financial services, for example, the role is directly accountable to the regulator, and engagement with the regulator by the chair and at board level is required.

Institutional investors are also demanding greater accountability from and access to the chair, even in the two-tier German board system where supervisory boards have traditionally felt legally constrained from engaging with shareholders.

In the UK the Companies Act provides a broad range of responsibility for the chair, as for all directors, who must promote the success of the company with regard to:

“…the likely consequences of any decision in the long term,

the interests of the company’s employees,

the need to foster the company’s business relationships with suppliers, customers and others,

the impact of the company’s operations on the community and the environment,

the desirability of the company maintaining a reputation for high standards of business conduct, and

the need to act fairly as between members of the company”.
(Section 172, Companies Act 2006)

In short, it’s tough to envisage something for which the chair is not responsible, or a constituency to whom they do not have to answer for the actions of their company.

Meeting the challenge—Fidelio’s Masterclass

In March 2019 Fidelio will host a “Chair Masterclass” for recently appointed and prospective chairs, as well as those keen to hone their skills and effectiveness in the role. Taking place in central London, it will bring together chairs from public companies and private organisations internationally. The Masterclass will draw upon the insight of highly experienced chairs and board experts, as well as Fidelio’s research and the highly acclaimed “A Seat at the Table” board learning programme.

In the programme, we will review the statutory requirements of the chair, as well as the expectations set out in respective corporate governance codes. We will explore how chairs navigate when expectations of shareholders and stakeholders clash.

Chairs are tasked with leading and building the board, reviewing strategy and ensuring CEO succession and, therefore, a major theme of the Masterclass is the governance of search, including frameworks for diversity in making best in class board appointments, as well as promoting diversity and inclusion throughout the organisation.

For more information on the Masterclass, as well as Fidelio’s board evaluation and search capabilities, please contact Amy Wright on awright@fideliopartners.com

The post Performance and accountability: the changing role of the chair appeared first on Board Agenda.

MPs call on regulator to get tough on executive pay

By Gavin Hinks

The new governance and accounting regulator for the UK should have powers to tackle companies over excessive executive pay levels, according to a report from an influential House of Commons committee.

The report from MPs on the commons business, energy and industrial strategy (BEIS) committee ramps up pressures on boards over pay levels yet again.

The Financial Reporting Council is about to be replaced by a new regulator—the Audit, Reporting and Governance Authority—following a review. The committee’s report says the new body should be “given the tools and encouragement to be tough on those companies that behave unreasonably on executive pay and fail to adhere to the tighter requirements of the revised UK Corporate Governance Code on higher quality pay reporting”.

Rachel Reeves, chair of the BEIS committee, urged boards to look carefully at the pension packages given to chief executives. She also called for worker representatives on remuneration committees.

Reeves said: “The roll call of dishonourable executive pay decisions at firms including Persimmon, Unilever, Royal Mail, BT, Melrose and Foxtons, tell the all-too-familiar tale of corporate greed which is so damaging to the reputation of business in our country.

“But these examples also highlight the persistence of executive pay policies where far too little weight is given to delivering genuine long-term value, investing in the future, or ensuring rewards are shared with workers.”

She added: “When they fail, we need a regulator with the powers and mindset to step in and get tough on businesses who pay out exorbitant sums to their CEOs.”

The MPs also called for changes to the UK stewardship code, believing it should place more pressure on asset owners rather than asset managers to act. The report says the code should require asset owners to report on their investment objectives, including those relating to pay. MPs also want the new regulator to have powers to take action against asset owners who fail to “sign up to or meet their responsibilities, under the code”.

Proxy advisors also face calls to ensure their advice offers policies that “resist excessive and poorly designed pay policies and rewards.”

‘Wider social responsibilities’

Broadly, the MPs are disappointed that the “investment chain” is not having more success in holding pay levels down.

“At present we do not believe that the incentives of all those involved in the investment chain are sufficiently aligned and attuned to the wider social responsibilities of companies,” the report said. The committee said only a revised stewardship code can achieve “genuine and effective engagement between companies and their shareholders on executive pay”.

The stewardship code was in fact recently revised to ensure investment managers report more on the outcomes of their investment policies than on the policies themselves. The revised code does call on owners to report “at least annually” on their policies and their implementation. Signatories to the code are expected to include owners.

Think tank the High Pay Centre monitors executive pay levels in the UK and general income inequality across the workforce. Its Pay Counter concludes that the average FTSE 100 chief executive takes just three days to earn as much as a UK worker on average pay earns in a year.

In January the High Pay Centre called for major reforms to remuneration committees, proposing that they become “people and culture” committees. It suggested companies drop long-term incentive plans as the default CEO pay model in favour of a system based on basic salary plus an incentive to “deliver sustainable long-term performance” through smaller restricted share awards.

In August last year the High Pay Centre’s annual survey found that median pay for a FTSE 100 CEO had jumped 11% during 2017 to £3.93m, though the rise was affected by pay deals at Persimmon and Melrose. Calculating the mean figure for CEO pay showed a 23% rise.

The post MPs call on regulator to get tough on executive pay appeared first on Board Agenda.
