Who is Responsible for What? Cybersecurity Risks and Boardroom Agendas

Effective board and board committee meetings start with a well-built agenda. The agenda outlines the intended flow of the meeting or call. While there is great diversity in how agendas are crafted and by whom, every agenda should advance the board of directors’ effort to meet its strategic and oversight responsibilities. Ideally, it is the outside directors who have the loudest voice regarding the board’s oversight responsibilities. Outside directors must position themselves to make well-informed decisions and fulfill their fiduciary duties without assuming the role of management.

While directors can only exercise their decision-making powers by acting collectively as a board or board committee, it is the individual director’s awareness of specific topics that merit inquiry or action which needs to percolate up to the agenda. This awareness is essential from both management directors and independent directors. All directors should view the agenda as an opportunity to discuss what they deem important in protecting and growing shareholder value. It is well beyond the purpose of this article to identify and tackle a comprehensive list of agenda topics. Rather, this article discusses some common agenda considerations and challenges: control of the agenda, focus, roles, and even cybersecurity matters.

Control of the Agenda

Ultimately it is the chairman of the board who controls the agenda. If there is an independent chairman, that director should collaborate with the CEO in crafting the agenda. Otherwise, the executive chairman should team up with the lead independent director. Either way, there should be a healthy dose of both management and non-management perspectives. If management is solely authoring the agenda without input from the independent directors, this calls into question whether the board and its committees, and especially the independent directors, are meeting their oversight responsibilities. Any director should be able to request agenda items, and every director’s voice should be heard through the agenda over the course of a year. If an individual director remains relatively silent, that is a red flag that calls into question the value that director adds. Finally, who authors the agenda, and the underlying process, should be an item for periodic board evaluations.

Keep Looking Forward

Many agenda items stem from the master annual agenda of items that must be addressed: approval of the annual budget, the financial statements, and a slew of legal compliance items. While these are important matters to tackle, boards and their committees often get too caught up in routine agenda items and lose sight of more creative and value-added topics, such as strategies to preserve and grow shareholder value over the next several years.

Simply looking through the rear-view mirror is not enough for boards and their committees. The agenda needs to be dynamic and forward-looking to keep pace with changing business environments, opportunities, and risks. Boards and their committees need to anticipate their competitors’ next moves, understand future talent needs, identify new markets, and aggressively address risks. Much of this information will come from management, but independent directors need to be bold in ensuring that these topics make it onto the appropriate agendas.

Board Education

Boards and their committees are only as good as the collective expertise of their directors. Board education begins with each director’s desire to be the very best they can be in serving the organization. This entails keeping informed of industry developments, stakeholders, the regulatory landscape, and much more. For an audit committee, this could include education on the revised COSO Internal Control-Integrated Framework or the new revenue recognition accounting standard. Directors do not need to become experts on these matters, but they should gain a core understanding of key developments and how they could affect their company.

Education goes well beyond a classroom, a new credential, or a management presentation. It can include attending client conferences, visiting company facilities, and traveling to new geographies to explore merger and acquisition opportunities. A recurring agenda item that addresses the educational needs of the board, and a strategy for meeting them, is a good idea.

Who is Responsible for What? – e.g., Cybersecurity Risks

This issue is growing in importance as boards increasingly struggle with accountability for topics that cross committee lines. Cybersecurity is a prime example. While it is often the audit committee that takes charge of this beast, the ramifications extend well beyond the audit committee’s core purpose of providing independent oversight of accounting, financial reporting, and related controls.

To the extent possible, committees should stay true to their central purpose as spelled out in their charters. This is why we are seeing a trend of risk oversight committees being added to governance structures as standing committees. However, even with a risk committee, who should be in charge of cybersecurity oversight? There are pros and cons to assigning the duty either to the audit committee or to a risk committee. The bottom line is that accountability should be centralized in a single committee. There will always be a need to share information across committee lines, especially regarding risks. As a result, some companies coordinate this through a Chief Risk Officer (CRO) who reports through the CEO directly to the board of directors or one of its committees. This makes sense, since the CEO is the person ultimately responsible for risk management activities and for ensuring that no major risk is overlooked. However, it does not replace the need for board-level oversight of the CEO, the CRO, and management’s enterprise risk management program.

This discussion would not be complete without mentioning the importance of having technology-savvy individuals on the board. Just as directors who are financial experts are in demand for audit committees, directors with technology and data security expertise should be recruited to serve on the committee assigned cybersecurity oversight. Cross-pollinating the other committees that have technology-related oversight responsibilities with these directors is also a good idea, to ensure continuity of the risk-response plan across committee lines.

Finally, companies for which technology forms the backbone of the business often have a dedicated cyber-risk committee that focuses exclusively on cybersecurity. Chief security officer positions are also becoming more common in many industries. Considering the constant news headlines, these trends are likely to continue.

Take It Off-Site and Bring in a Facilitator

Occasional topics, such as discussing a special risk assessment report or a potential acquisition with the executive management team, are simply too deep to tackle in a two- or three-hour meeting. For these instances, the board or its committees should consider an off-site retreat with an independent facilitator at the helm. The facilitator is not a decision maker, but rather a professional skilled at guiding a group through large amounts of information.

Don’t Let the Agenda Become Stale and Repetitive

Too often agendas fall into the boilerplate trap of redundancy. If your agenda looks the same period after period, it is likely time to introduce some creativity in the name of enhancing shareholder value. One suggestion is to have a minimum of one new item on the agenda for every meeting. Of course, these agenda items must make sense and be consistent with the governing body’s charter. One way to do this is to introduce a different risk or opportunity for discussion at each meeting: risks and opportunities should be an agenda item every time, but the specific sub-topic can rotate to focus on the most pressing matters at that time.

In conclusion, directors need to give plenty of thought to board and committee agendas to make the best use of their valuable time in growing shareholder value. Robust agendas address not only ‘today’ but also ‘tomorrow’ in terms of objectives, risks, and controls.

Ron Kral is the Managing Partner of Candela Solutions. He educates and advises public and private companies on risk and control matters relating to compliance strategies. He is available for inquiries and can be reached at rkral@CandelaSolutions.com.

The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of WTN Media, LLC. WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.