Boards of directors are facing a mixture of challenges and opportunities as they steer their companies through continuing uncertainty in 2013.
Boards of directors are facing a mixture of challenges and opportunities as they steer their companies through continuing uncertainty in 2013. With the European debt crisis still unresolved, China’s economic growth slowing from its breakneck pace of the last decade and the US economy potentially one political stalemate away from relapsing into recession, how can any corporate director feel confident about fulfilling his or her duties?
Most directors are feeling a bit uneasy these days, but global financial uncertainty is not the most pressing thing on their minds. Here’s what the experts say are the issues most likely to keep directors awake at night over the coming year.
Cyber-security
Data breaches are so common now that only the biggest and most disastrous seem to become headline news. However, whether the company is large or small, the damage that electronic security breaches can cause is too significant to be taken lightly.
Over the last six months, hackers were able to access the user names and passwords of 250,000 Twitter customers; hackers obtained passwords for reporters and other employees of the New York Times and Wall Street Journal; and six banks, including JPMorgan Chase, Citigroup, Bank of America and US Bank, had their websites overloaded with traffic until they shut down. These types of disruptions have far-reaching consequences.
‘There’s too much at stake,’ says Francine Friedman, senior policy counsel in the consumer protection and privacy policy practice for Akin Gump Strauss Hauer & Feld. Few things scare customers away faster than the feeling that their credit card information and other pertinent data are not safe. As customers go, so go corporate sales.
These types of events also affect corporate credibility. If your company can’t safeguard data, how can you be as good as you claim you are at what you do? After a data breach, companies can expect lawsuits and other costs like having to provide credit monitoring services and paying the expense of notifying millions of customers who may have been harmed. And no one can predict how much it will cost to get customers back – indeed, some of them may never return.
A recent Ponemon Institute survey found that the value of brand and reputation can decline 17 percent to 31 percent of annual gross revenues after a data breach, and it can take an organization a year to recover its corporate image. Cyber-security has become an even bigger issue given the rise of mobile devices and the ever-increasing use of cloud computing. Under current SEC regulations, public companies need to assess and disclose significant data security risks, and if a breach occurs, a number of state and federal laws require disclosures to investors and affected individuals. Companies also risk legal and regulatory liability.
‘Data security is an area that can be difficult for board members to assess because the risks are dynamic and difficult to predict,’ says Mike Donovan, focus group leader for technology and media liability insurance at Beazley, an insurance company. ‘Large and costly data breaches have affected many types of companies.’
In addition to adequate investment in information security systems, companies must be prepared to quickly and effectively address a breach in order to mitigate the serious reputational harm that often accompanies breach events. Purchase of comprehensive data breach insurance can be a key step companies can take to help mitigate costs as well as legal and reputational damage from a breach event, says Donovan.
Boards often do not understand the complexities of cyber-security, however – so says Alan Rudnick, principal at corporate governance specialists Masters-Rudnick & Associates. ‘The big threats to IT systems often come not from local amateurs but from skilled hackers working on their own or, potentially, on behalf of another government,’ he observes. ‘Corporate directors in their 50s, 60s and 70s have not grown up professionally with the complex and sophisticated IT systems that companies have today. They may not be in a position to understand the risks, let alone to oversee company efforts for security.’
Board members must be fully aware of the company’s privacy policy and what it says it is supposed to do, and directors must hold the company accountable for fulfilling the promise of protection. ‘The board should also be conscious of how the company’s privacy policy will be viewed by the public,’ says Friedman.
Friedman advises that the board should be sure to have at least one member who understands IT and internet law. Certainly for any business that uses data as part of its core business, hiring a chief privacy officer is something the board should be asking for, she adds. Experience overseeing data security and technology systems is becoming another important characteristic for boards to add to the mix of skills and expertise they are looking for when selecting new directors, notes Rudnick.
Patricia Lenkov, founder of Agility Executive Search, says the continued use and reliance on new technologies to compete means that every company can be considered a technology company in one form or another. As such, ‘the board must think about technology strategy and the implications of new technology,’ she explains.
Perhaps the biggest challenge for boards in dealing with cyber-security is that so much involving IT law has yet to be determined. Some 20 privacy bills were introduced in Congress in 2012 – says Friedman, ‘If you come up with a way to share, maintain and safeguard information and then the law changes, you’ll have to make changes too.’
Reputational risk
The good name and reputation of a company are priceless assets – sully your company’s name and it may never recover. ‘Goldman Sachs paid a fine of $540 million to the SEC to get the agency’s inquiry off the front pages,’ says John Alan James, executive director of the Center for Global Governance, Reporting and Regulation. ‘Its stock value was plummeting and its top clients were concerned. It was the same for all the big banks, which together paid $18 billion in fines to regulatory agencies in 2012.’
Although such fines can certainly be hefty, the costs those companies paid in lost stock price value, social media criticism and reduced customer confidence levels could be twice that amount, according to James. Protecting a company’s reputation is part of internal governance (in contrast to external governance policies and procedures which comply with laws and regulations), and James says it is one of the most important responsibilities – if not the most important responsibility – of the board of directors.
Reputation risk is top of mind for directors, says Lenkov. With so many examples of verbal implosions by corporate executives and the many casualties of the tough economic environment over the past few years, everyone is a bit more attuned to risk. ‘The explosion of social media has led to much more transparency on so many fronts,’ Lenkov observes. ‘Reputations can be made or broken exponentially faster through the use of technological tools to which we now have access for the first time. There is risk implicit here; board members need to pay attention to this new variable that is affecting corporations. Shareholders are more empowered than ever and are using this power to influence the perception of corporations.’
The board needs to make sure that the company has an effective and up-to-date crisis response plan in place. Companies that quickly confess their mistakes tend to recover faster than those that dance around the truth until the media spotlight shines so bright that they have no choice but to come clean.
Rudnick asks, ‘Does the board have someone who understands social media? Does the company have watchdog systems and a plan if it is subject to a reputational attack? It is the board’s responsibility, as part of risk management, to ask these questions and to make sure that the answers are sufficient.’
Executive compensation
Executive compensation has long been a sensitive subject that ignites major disagreements between high-level executives and investors, and it continues to be a hot topic for boards. ‘The board is the oversight committee,’ says Rolf Zaiss, a partner with Akin Gump’s employee benefits and executive compensation group. ‘It is up to the board to make sure management is doing what they are supposed to be doing in terms of the ‘big picture’ with regard to executive compensation.’ The board has a hand in the CEO’s compensation and may approve bonus targets for C-suite executives.
Say on pay has risen to the forefront of governance concerns – no company wants to endure the shame of a failed say-on-pay vote. While say-on-pay votes are non-binding, boards, and in particular compensation committees, are realizing the importance of receiving a positive voting result, and companies are therefore monitoring and scrutinizing executive compensation policies more than ever. ‘I’ve heard it said that 2012 was the year of the activist investor, and this has certainly put increased pressure on boards and highlighted compensation issues,’ Lenkov says. ‘I believe 2013 will be another year of activist activity.’
Zaiss says the difficulty for the compensation committee is in trying to balance the interests of their ultimate client, the shareholders, while being mindful of the company’s need to hire and retain executive talent. ‘When you’re competing for market share you need the right people, and you need to be sensitive to incentives that are appropriate for your industry,’ he explains.
While there is much on the compensation committee’s to-do list, boards should begin planning how they hope to implement and comply with the evolving new rules required by Dodd-Frank once they are adopted. In a client alert, Akin Gump notes, for example, that Dodd-Frank calls for companies to disclose in their annual proxy statements the relationship between executive compensation and the company’s financial performance, as well as the ratio of the CEO’s annual total compensation to the median annual total compensation of all other employees. Unfortunately, clear rules on exactly what should be disclosed have not been finalized.
Companies would be wise to begin laying the groundwork in their 2013 proxy statements by showing a strong link between pay practices and performance. They should also begin thinking about how to explain the pay disparity between the CEO and employees. Simply put, there will be much work to do for compensation committees in the year ahead. ‘They have a tough job,’ says Zaiss.
Healthcare
Many of the provisions of the Patient Protection and Affordable Care Act (PPACA) will take effect in 2014. Boards need to start planning how their companies will comply with these regulations and what effect such compliance will have on cost structures and strategy going forward. It’s an ideal time for companies to review and redesign, if necessary, their current healthcare programs. The cost of employer healthcare is high, and it is expected to increase another 5.3 percent in 2013. Finding ways to slow healthcare costs should be a priority.
Federal agencies have already begun issuing guidance addressing parts of the PPACA, and more will likely come down the pike this year. A top task will be coming up with a game plan for ‘play or pay’. Employers aren’t required under healthcare reform to provide health insurance to employees, but as of January 1, 2014, employers with 50 or more full-time employees will have to pay a penalty if they do not offer health insurance to employees who work more than 30 hours. They can also be fined if they offer health insurance to employees but the insurance does not meet certain affordability or benefit requirements. It will be important, points out Akin Gump, for the board of directors to know the company’s options and responsibilities under the statute to best determine whether the company should ‘play’ by providing the required level of health insurance coverage for employees or take the ‘pay’ approach and accept the penalty of $2,000 per employee not covered appropriately by 2014.
Says James: ‘In January, Blue Cross and other private companies increased premiums to groups and individuals, in some cases by over 30 percent. The Congressional Budget Office predicts huge costs increases for Obamacare when it really kicks in in 2014 – costs may equal GDP by 2040. Is anyone listening? Are boards aware? Are actions being planned to alleviate costs to the company and employees? They’d better be.’
Talent
Despite millions of Americans being out of work or underemployed, many companies still can’t seem to find qualified candidates for jobs. Experts say the dearth of highly skilled and experienced employees isn’t expected to change any time soon.
‘Boards need to understand the implications of this issue on overall strategy and the execution thereof,’ warns Lenkov. ‘The overall approach and philosophy around human capital can stem from decisions made in the boardroom.’ Human resources representation in the boardroom becomes more important in taking on the demands of say on pay and other compensation issues, she adds.
Boards will need to assess management’s plans to address current and future talent needs. Is it the right time to begin hiring for expansion? Are succession plans for key employees in place? Has management identified the employees and skills that are most critical to the company’s success? Are there appropriate strategies to attract and retain key talent?
‘Retention and motivation are obtained by good and effective leadership implementing clearly explained and understood career path policies, procedures and programs,’ says James.
The bottom line is that for the coming year, board members will be anything bored.