The Unspoken Barriers to Traditional Methods
The past few years have seen the largest security breaches in history. As risk and compliance professionals scramble to predict and prevent future breaches, one aspect that could strongly impact the outcome is how the company’s board of directors is affecting security.
Recent research suggests it might be time for GRC to get involved, particularly in board evaluations. While evaluations are a required task, many treat them as a “check-the-box” activity, meaning board performance problems are permitted to persist, especially cyber risks. This piece will dive into the top five challenges of current board evaluations and how GRC can get involved.
Board evaluations are not generally in the domain of risk and compliance professionals; however, recent research suggests it might be time to change this process and give GRC a seat at the table. When conducted correctly, board evaluations are an incredibly valuable tool not only for evaluating the effectiveness of directors, but also for identifying areas of potential weakness, risk, or even non-compliant behavior.
However, there are challenges to getting to that point. Here are the top five reasons why:
#1: Complacency is Rampant
Public directors currently have an average tenure of 8.7 years; however, more than one-third of directors surveyed in PwC’s 2016 Annual Corporate Directors Survey believe that at least one person on their board should be replaced, citing factors such as unpreparedness, a lack of expertise, and even age as reasons calling for a change. What’s worse, survey respondents have maintained this sentiment for the past five years, with more than half saying that no changes were made after their last board evaluation. This implies that there are potentially persistent issues impacting board performance at many companies—with too little attention being paid to remediating those issues. Yet poor board performance can put the organization, its investors and others at risk.
#2: There’s Little Pressure to Go the Extra Mile
While entities such as the New York Stock Exchange require listed companies to conduct board self-assessments annually, these activities are typically done within the confines of the boardroom, with only 21 percent bringing in third parties to handle evaluations. Additionally, assessments are most commonly done through a single questionnaire about the board as a whole, a lens that provides extremely limited visibility into individual director performance. Most private companies, as well as non-profits, are not required by any regulation to conduct board assessments, further clouding the ability to identify potential risks or areas where change is required.
#3: We’re Not Getting the (Whole) Truth
If someone asked you to rate your own performance, what are the chances you’d answer with complete honesty, knowing there are likely consequences for under- or poor performance? Most people wouldn’t. So why is it acceptable to assume that board members are reporting accurately on their own personal performance? Therein lies the potential risk.
A study conducted last year by The Miles Group of 187 corporate boards found that less than half of companies conduct self-assessments at the individual director level. When they do, directors are not asked to rate themselves, but rather the performance of other board members. Furthermore, at companies offering peer-review-type evaluations, directors admit that they are extremely uncomfortable giving candid feedback on the performance of their fellow board members. In the Miles Group study, less than half reported that they strongly believe their board tolerates dissent – which likely discourages directors from voicing concerns about individual director performance. It’s these accepted practices that allow ineffective board members to continue serving and prevent any potentially damaging behavior from being addressed quickly.
#4: Important Issues Are Being Ignored
Board members are being held increasingly accountable for corporate missteps and, at the same time, are facing growing risks that put them personally in the line of fire. Cyber-attacks such as whaling, for example, are extremely successful at targeting high-net-worth individuals like board members and C-level executives – just ask former FACC CEO Walter Stephan, who was removed after falling for a phishing attack that set the company back $50 million.
Most board evaluations don’t include questions on how well directors adhere to security practices. In fact, according to a recent survey from NYSE Governance Services and Diligent, almost two-thirds of directors are not required to undergo cybersecurity training at all. It’s no surprise, then, to learn that security risks are rampant in the boardroom, with 92 percent saying they at least occasionally use their personal email—a channel that is notorious for hacking—to communicate with fellow board members. Annual assessments should provide an opportunity for the board to take stock of the areas requiring attention and create board development plans – such as ensuring directors receive adequate data security oversight, tools, and training on handling sensitive data.
#5: The Process of Distributing & Collecting Evaluations is Antiquated
Part of the problem with getting candid and honest remarks is that most companies are not automating the board evaluation process, and as a result they reduce the potential for true anonymity. In most companies, distributing and collecting board evaluations is manual – or done by email – with corporate secretaries having to chase down board members to complete their forms. This process also limits how thoughtful the collected responses can be, particularly as board members rush or are pressed for time to finish.
Meanwhile, since few regulators provide any guidance on the questions that the board evaluation should include, most companies err on the side of brevity, meaning the results will be surface level at best and might gloss over problems lurking beneath the surface. Additionally, because directors lack confidence that any candid comments they might make will lead to constructive results, they tend to rate the board’s performance higher than they might otherwise.
Companies need to evolve with the times. There are secure technology platforms available that let corporate secretaries customize questions and response types (yes/no, rating scale, etc.) and automate distribution and collection, with features that allow them to get richer, more insightful data that is more indicative of true board health. Better still, some providers have begun offering high-quality samples and templates for board surveys that include both full-board review questions and questions collecting feedback on individual director performance. These tools give directors a more convenient way to respond to board evaluations, anonymously and securely from mobile devices, increasing their confidence in submitting candid feedback and flagging areas of concern. Armed with the data in aggregate, the board chair, perhaps in concert with the audit committee or governance committee chair, can sit down with each director to discuss peer review results and act if necessary.
While many boards are required to conduct evaluations, most see the activity as merely a “check-the-box” exercise. Unfortunately, this means that board performance problems are permitted to persist, which can increase the company’s risk. By embracing modern tools that offer anonymity and deliver better feedback, board leaders will have the candid insights and data needed to take actions that might have been long overdue.
As business risks continue to expand, and regulators sharpen their focus on ensuring companies are taking the right steps to identify, address and mitigate risk, the board evaluation process needs to focus on getting to the heart of effective performance. GRC professionals will benefit from closer involvement in the board evaluation process and the ability to accurately assess any issues of concern in line with local, federal and international laws.