
East Kent Hospitals University NHS Foundation Trust – Non-Executive Director

East Kent Hospitals University NHS Foundation Trust are looking for a Non-executive Director with clinical experience to join the Board of their wholly owned subsidiary company, 2gether Support Solutions. East Kent Hospitals University NHS Foundation Trust (EKHUFT) are recruiting a Non-Executive Clinical Director to join […]

The post East Kent Hospitals University NHS Foundation Trust – Non-Executive Director appeared first on NEDworks.


Guidance: Memorandum of understanding: DfE and The Insolvency Service

An agreement between DfE and The Insolvency Service about sharing information and the regulation of academy trusts. […]

Winchester Science Centre – Trustees

Organisation: Winchester Science Centre
Reference:
Vacancy Type: Other
Deadline: 31st July 2019
Region: South East

Vacancy Details: Winchester Science Centre: Trustees with legal or marketing/PR experience required in 2019. Winchester Science Centre (WSC) is an independent educational charity dedicated to sparking curiosity and building science capital for all. With two […]


Press release: Diamond trader banned for falsifying sales invoices

Diamond boss disqualified for 11 years after falsifying high-end jewellery sales invoices worth $1.75 million. […]

How to become a Non-Executive Director – Birmingham 25 June 2019

Find out how you can obtain a Non-Executive Director position by booking a place on this interactive one-day course. “As an introduction to the world of NEDs this course is well structured to give an honest and practical insight into how to identify and prepare for a move in this direction. Money well spent!” […]


Banking on better cybersecurity


JPMorgan Chase’s chief executive and chair Jamie Dimon has been touted as a potential US presidential candidate, but anyone scouring his annual letter to shareholders for evidence of political ambitions will have found that the boss of one of the world’s biggest banks has more pressing concerns.

“[Poor] cybersecurity may very well be the biggest threat to the US financial system,” Dimon said in April. The company revealed in its most recent annual report that it spends around $600m a year on its efforts to protect its business and customers, and has more than 3,000 employees dedicated to cybersecurity.

Big banks are spending billions of dollars to tackle cybersecurity and regularly test the resilience of their systems using “ethical hackers”, who are tasked with pushing those systems to breaking point.

But while banks are making progress in recruiting the right talent, there is considerable regional variance and room for improvement, according to a survey of US and European banks by Aktis, a leading provider of bank governance data.

Big financial institutions need to ensure they have an overarching view of one of the growing risks facing their businesses. Recessions come and go, but a cyber-attack that compromises the data and wealth of a bank’s customers could capsize its share price and hole its reputation permanently below the waterline.

With increasing levels of digitisation, widespread access to banking services and the advent of new computing techniques, cyber-attacks could lead to technology failures, security breaches, unauthorised access, loss or destruction of data or unavailability of services—all of which would be catastrophic for shareholder value.


Failures are damaging, whether or not they are a result of malicious intent, and they go beyond the scope of a technology problem. In April 2018, TSB customers were locked out of their accounts and some gained access to other people’s details when the UK lender’s migration to a new IT system hit problems.

The incident prompted a parliamentary inquiry and reached all the way to the boardroom, with the bank’s CEO Paul Pester eventually stepping down. Meanwhile, the bank’s balance sheet was as battered as its reputation, with TSB reporting an annual loss for 2018 after spending £330m to address the IT failure, including fraud and operational losses of £49m.

In an increasingly connected world, cyber-attacks can be devastating and with hackers becoming ever more sophisticated, banks are vulnerable. So while it’s hard to plan for every eventuality, boards must ensure they have the right level of expertise and control so that they prevent attacks where possible and, where not, formulate an adequate response and action plan.

But in this rapidly evolving area, what does best practice look like and how do bank boards in the US and Europe ensure they have the right approach—and the expertise in place—to meet the challenge? How can they ensure investment dollars are allocated in the right way? And how can boards monitor progress while setting the tone for cybersecurity in a way that all employees understand and relate to?

Expertise and experience

Banking is one of the more advanced industries when it comes to cybersecurity. Within banking, there is a convergence between cybersecurity, anti-money laundering (AML) and fraud issues as part of big banks’ Know Your Customer (KYC) programmes.

These areas are usually the responsibility of chief information officers, although they are sometimes too focused on day-to-day operations. At a time when banks are engaged in an arms race for digital dominance, cybersecurity is an issue that should be owned by the business.

Despite the large volume of investments in cybersecurity, bank boards are still lagging when it comes to their own expertise. In order to move towards a model of best practice, the first challenge is to ensure that boards have the right level of knowledge by appointing non-executive directors with expertise and preferably executive experience in the field of cybersecurity.

The Aktis research looked at the number of non-executive directors on bank boards in two areas: those who have held full-time executive positions with responsibility over matters of cybersecurity, and those with knowledge of either cybersecurity or technology.

Aktis found that of 30 of the biggest US banks, only 4% had non-executives on their board with prior executive responsibility for cybersecurity. Only four—Citigroup, Morgan Stanley, State Street and Bank of New York Mellon—had established technology committees.

In 2017, only one US bank provided cybersecurity training to its board and there is currently no stand-out example of best practice.

Among the sample of US banks, more than two-thirds of the non-executives with executive experience in cybersecurity served as risk committee members in 2017, meaning that their experience is deemed to add value to the work of risk committees, according to Aktis.

More than two-thirds of non-executives with executive experience in cybersecurity roles have a board tenure of five years or less, showing that the focus on boosting expertise is a recent phenomenon. By contrast, NEDs without cyber or technology expertise have an average tenure of nine years.

[Figure: Aktis cybersecurity graph 2]

In Europe, banks face a welter of regulatory issues in an industry that is in flux. The introduction of GDPR in 2018 has placed a greater emphasis on compliance with cybersecurity policies.

Meanwhile, the rise of digital banking poses fresh challenges to customer security. The emergence of open banking and the introduction of the second Payment Services Directive throws up questions about the security capabilities of new market entrants.

Local regulators are also focusing more on cyber and operational resilience. In the UK, the Financial Conduct Authority is engaging in ongoing discussions about systemic risk associated with cloud services.

Perhaps as a result of the more dynamic regulatory environment in Europe, its financial institutions are ahead of their US peers when it comes to board expertise. Research into 30 of Europe’s biggest banks by Aktis shows that 12% have NEDs with prior executive responsibility for cybersecurity.

Six European banks provided cybersecurity training to their boards in 2017, compared with one in the US. Three European banks—BBVA, Banco Santander, and Royal Bank of Scotland—have dedicated technology committees, although only BBVA’s has “cybersecurity” in the title.

An evolving approach

Typically banks maintain three lines of defence when it comes to cybersecurity: technology, comprising the chief information security officer (CISO); risk; and internal audit. Under this model, the CISO acts as overall gatekeeper. But this approach is evolving.

[Figure: Aktis cybersecurity graph 3]

“Since the financial crisis, supervisory authorities have nudged banks to transfer responsibility for cybersecurity from the audit committee to the risk committee,” says Stilpon Nestor, founder and CEO of governance advisory firm Nestor Advisors. “As a result the risk committee is replacing the audit committee as the second line of defence.”

Having one committee with overarching responsibility for all aspects of risk and compliance may constitute a neat solution for regulators, but is it the right approach for banks themselves?

“The audit committee is equipped to look at breaches of compliance and fraud, while the risk committee is more focused on overall operational and credit risk at the bank. Moving towards a model where these are under the same roof may not be the optimum approach,” says Nestor.

Banks vary in the approach they take to cyber-risk and the model they choose is shaped by where the expertise lies. There is, however, a conundrum for boards: individuals with narrow cyber expertise do not always possess the broader board-level experience to contribute adequately as non-executives.


“Simply hiring a non-executive because they have cyber expertise runs the risk of undermining good governance,” says Nestor. Moreover, since the financial crisis, boards have become smaller and more nimble, but the race to hire talent with expertise in cybersecurity could lead to bloated boards.

In some cases, a better solution may lie in creating an external advisory board, which meets twice a year and provides counsel to the main board.

“Cybersecurity is first and foremost an issue for the business to manage and for the senior management team to get its arms around,” says Nestor.

The business is the first line of defence, so having the right chief technology officer and risk committees in place is crucial. One approach, which has been adopted by Spanish banks Santander and BBVA, is to embed cybersecurity as part of the strategic dialogue at executive board level. “Then cybersecurity becomes part of digitisation strategy and banks can look at opportunities as well as threats,” says Nestor.

This ultimately enables the business to make decisions about new products, services and channels and weigh the strategic risks as they would for other areas of the business.

By adopting this approach, businesses can make cybersecurity decisions based on in-depth assessments of all risks—including regulatory risks—and therefore make more solid arguments and disclosures regarding compliance to regulatory authorities. This will create a more holistic approach to tackling the changing nature of operational risk in an increasingly digitised industry, and help banks to develop robust technologies that provide business solutions.

A culture of resilience

There is no silver bullet when it comes to best practice. Banks should base their approach to cybersecurity according to their expertise.

As a rule of thumb, those that have long-term management teams and demonstrated resilience during the financial crisis have a deep culture of understanding risk, and may not need to overhaul their operations. But it is not necessarily the job of the board to own the issue of cybersecurity and impose it on the business.

More than any other industry, banks have a risk management culture that should serve as a solid foundation for tackling cybersecurity. For example, no bank fell victim to the NotPetya and WannaCry ransomware attacks that affected many industries in 2017.

But more needs to be done to ensure that individuals take ownership of cybersecurity. And this does not just apply to potential rogue employees or lower-ranked staff members. In 2017 Barclays CEO Jes Staley and Bank of England chief Mark Carney both fell victim to email hoaxes, showing that breaches can occur at the very top of an organisation.

Last year the Bank of England and the Financial Conduct Authority said in a discussion paper that banks must be alive to operational risks and cyber-threats that could weaken financial stability, threaten the existence of individual firms or hurt consumers.

FCA chief executive Andrew Bailey, Jon Cunliffe, the Bank of England’s deputy governor for financial stability, and Sam Woods, who heads the central bank’s Prudential Regulation Authority, wrote: “The financial sector needs an approach to operational risk management that includes preventative measures and the capabilities—in terms of people, processes and organisational culture—to adapt and recover when things go wrong.”

The report made it clear that they want to see banks assuming that IT systems will go wrong at some point, and building backups. Rather than pursuing the impregnability of individual systems, they said, financial institutions should focus on ensuring the services they offer to customers are maintained, by whatever means.

Strengthening operational resilience is key. But expanding the board by hiring non-executives with technology expertise might give a false sense of security. As Stilpon Nestor concludes: “There is no single best practice, the model needs to be a function of where expertise lies. Ultimately, cybersecurity is a business issue.”

This article has been prepared in collaboration with Aktis and Nestor Advisors, supporters of Board Agenda.

The post Banking on better cybersecurity appeared first on Board Agenda.


Shareholders call for greater transparency on dividend policies


Shareholders have called for greater transparency on dividend policies following a review that found one in five companies are failing to stage an annual vote on dividend payouts, or are simply making interim payments.

The Investment Association (IA), a professional body for asset managers, found that 22% of FTSE-listed companies fail to seek an annual shareholder vote on distributions. The IA described this as a “notable issue”.

The IA now recommends that all listed companies, including those that do put their dividend to a shareholder vote, should publish their dividend policies. A policy should set out a company’s “long-term approach” to making decisions on the sums and timing of shareholder dividends.

Chris Cummings, chief executive of the IA, said if companies fail to seek annual approval for dividends payments they risk “depriving shareholders” of a say on an issue that is “pivotal to the organisation’s long-term attractiveness to investors.”

“A distribution policy will provide shareholders with an opportunity to engage on companies’ approaches to paying dividends and structure of returns to shareholders, including how the dividend payments fit within the wider capital allocation decisions the company takes,” said Cummings.

“We want to ensure that they are being decided in a way that delivers long-term, sustainable returns. It will also allow companies to explain their logic behind not holding annual votes where they have a legitimate business reason.”

Interim dividends

The IA examined dividend payments on behalf of the department for business because of growing concern that companies were switching to paying “interim” dividends that do not require shareholder approval.

In the FTSE 100, 17 companies were found to have ducked a vote on a final or interim dividend, including Shell, HSBC and Unilever.

In the FTSE 250, RIT Capital Partners, GVC Holdings and Jupiter Fund Management were on the same list.

The IA noted that almost three-quarters of the companies that declined to seek shareholder approval were investment companies.


A number of reasons were put forward for avoiding a shareholder vote. Some companies structure dividends to provide quarterly income streams, meaning that seeking approval for a final dividend could delay the fourth-quarter payment.

There are also regulatory considerations for financial services companies under which a “final” dividend is considered a debt, which would hit capital requirements.

Other boards want the flexibility to declare a dividend in “short order”, which could be affected by “final” dividends which typically take months to pay after the initial declaration.

In dual-listed companies there are concerns that a “final vote” could prevent shareholders in different jurisdictions from being treated equally.

The IA will now establish a working group to define best practice guidance for writing a dividend policy. The IA’s report reminds companies that a shareholder vote on dividends is an “essential mechanism for accountability to shareholders”.

It concedes that forcing every company to have a yearly vote may not be in the interests of companies or shareholders.

“Nevertheless, investors consider it essential that companies are transparent and accountable to shareholders about their approach to distributions, set in the context of their approach to capital management,” said the report.


Connexus – Chair of Audit and Risk

Recruiter: Campbell Tickell
Location: West Midlands
Salary: £10k remuneration pa
Posted: 24 May 2019
Closes: 17 Jun 2019
Job Function: Chair
Industry: Not-For-Profit, Housing / Regeneration

Chair of Audit and Risk, £10k remuneration pa, West Midlands. Formed in July 2017, Connexus brought together two successful housing groups […]

Corporate report: Insolvency practitioner regulation: process review 2018

Review of the regulation of the insolvency profession. […]

FRC reveals increased budget as it prepares for transition


The Financial Reporting Council (FRC) is set to increase its workload and budget, monitoring audits as well as compliance with the UK corporate governance code, before its transition to a new regulator.

The watchdog revealed its intentions as part of its plan and budget for 2019–20.

The work will include probing the way companies report on governance issues and how they put into practice the new code of governance introduced last year. It will be looking for key issues in company reporting of governance, including boardroom diversity.

In line with recent government policy statements, the FRC will also work to ease the transition to a new regulator—the Audit, Reporting and Governance Authority—proposed by the Kingman Review, which argued it should have an expanded remit and greater powers.

The FRC’s plan includes a substantially increased budget that grows from £28.6m to £37.8m, much of it aimed at recruitment to support increased activity. “Enforcement case costs” are expected to grow from £100,000 to £5m, sending a clear signal where the regulator intends to intensify its work.

Headcount is set to increase by at least 80. The FRC says if more staff are required it may ask the government for permission to use its reserves.

Stephen Haddrill, the FRC’s chief executive, said: “The FRC’s Plan sets out a clear pathway towards the establishment of an enhanced authority, with stronger powers and greater resources, as quickly and effectively as possible.

“Ahead of full implementation of the Kingman proposals, the FRC will do all in its power to promote transparency and integrity in business, and improve audit quality, corporate governance and investor stewardship.”

At the core of the FRC plans is also an effort to combat a loss of confidence in audit. The watchdog has already set out how this might be achieved in a position paper and will consult over the summer. There is also a review under way of auditors’ “going concern” statements.

A more strategic approach

The FRC will also start monitoring compliance and reporting against the new corporate governance code published in 2018. This will include statements on diversity.

The FRC said: “Following the 2018 report from the Hampton Alexander Review, we are encouraging boards to take a more strategic approach to diversity and inclusion, and to consider their approach to reporting on it.

“We expect to see more of our largest companies providing greater information about their approach to boardroom diversity and insights on the actions they are taking to increase diversity at all levels.”

Elsewhere, the FRC is concerned with corporate culture and sustainability. The plan sets out how the new code “takes a broader view of governance” to emphasise corporate culture and stakeholder relations.

“The intention is that, by reporting on the application of the principles in a manner that can be evaluated, companies should demonstrate how the governance of the company contributes to its long-term sustainable success and achieves wider objectives.”

One of the key principles in the new code introduced the idea of a board’s responsibility to “wider society”. Principle A says: “A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society.”
