Archive for the ‘IT Governance’ Category

How Tweeting by a PwC Partner During the Oscars Sullied PwC’s Reputation and Offers Lessons for Distracted Board Members

PwC partner, Brian Cullinan, evidently was tweeting backstage moments before he handed the wrong envelope to Warren Beatty, resulting in reputational damage for PwC in its assurance role over award envelopes and the announcing of the wrong award for Best Picture.

Social media use can become an addiction, and can compromise not only reputation, but decision-making as well.

The most common complaint I have during my reviews of boards of directors’ performance is distracted directors. I see distracted directors in boardrooms and distracted students in classrooms all the time. More leadership and common sense are needed by board chairs and professors.

I was auditing a graduate university class recently, and most of the students were on their laptops, typing away, apparently oblivious to the lecture occurring in front of them. Their eyes were not on the professor or their colleagues. They were not engaged in the moment. This is like directors looking at iPads and laptops during the board meeting instead of each other.

I stopped the class and asked what the point was that the professor had just made. No one could answer. I instructed all students to close their laptops and discontinue all technology for the remainder of the class. Further, students were not to consult any notes and were to stay in the moment for the entire class.

In another board meeting, the board chair was obsessively using his cellphone during the board meeting. When I walk around boardrooms and classrooms, I see directors and students typing, answering emails, texting, using social media – in other words, not doing their job.

The laptop creates a physical and psychological barrier. It also takes two hands to type, as opposed to one hand to write.

Certain Toronto high schools announced a few days ago that they are banning cellphones from classrooms. Hospitals and courtrooms also ban the use of cellphones.

The answer for boardrooms and classrooms is not to ban technology, but rather to use technology to enhance individual and meeting performance, not diminish it.

You are four times as likely to be distracted when you use technology. Studies show that retention increases when notes are taken the old-fashioned way, on paper, rather than on a computer. Technology does not necessarily enhance performance; indeed, studies show it may diminish it.

If you are prepared for class or for a board meeting, there is no need for any technology, or very many notes for that matter. The use of technology, including PowerPoint slides, can be a safety blanket or used to manipulate your audience. If a person reads PowerPoint slides, chances are they are unprepared, and further, you have a weak board chair or weak professor.

A great board – management discussion or presentation can occur without any technology whatsoever. Think of twenty years ago when this technology did not exist. Some of the best discussions that I have moderated and witnessed in boardrooms and classrooms do not include any technology.

What is the answer for boards of directors and classrooms, and the use of technology?

• Resist the use of technology simply because it is available. The litmus test for technology is performance.
• Lay down the rule if you are the board chair or professor: No technology unless it is directly related to the meeting. And lead by example.
• Make sure all discussions, agendas and information are relevant, to respect your audience’s time, and resist their temptation to be distracted.
• Insist on full preparation and focus on the discussion. The discussion is where the learning and important decisions get made.
• Have students submit 2-page summaries of the readings at the start of class, to validate their preparation.
• The foregoing would be draconian for directors, but it is blindingly obvious to directors who is prepared for the meeting and who is not. Have a system to enforce preparation.
• Insist on peer assessment of directors and students.
• Make sure that you can see someone’s eyes. If you cannot see their eyes, chances are they are distracted.
• Take frequent breaks to use technology for personal purposes.
• Insist on in-person meetings to the fullest extent possible.
• Self-police any errant director or student who cannot comply with the above.
• Most of all, lead by example.

Dr. Richard Leblanc, Editor of The Handbook of Board Governance (Wiley, 2016), can be reached at rleblanc@boardexpert.com.

Technology-Ignorant Boards Are Costing Shareholders Billions: What Should Boards Do Differently?

Five years ago, social media was perceived by many to be a passing fad. Then came the introduction of tablets and mobile devices. Now, cyber security has emerged as one of the greatest threats facing Anglo-American corporations. It is front and centre in the minds of directors, or should be.

In the area of technology, are boards fulfilling their duty of care in overseeing management and protecting shareholders’ investment? Indicators are that many boards and directors may not be. Plaintiffs’ lawyers are suing companies and their boards over technology failure. Here are some recent statistics and trends:

  • “Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable”;
  • “Social media is the number one activity on the web,” according to Belle Beth Cooper in a Huffington Post article;
  • The average user picks up their device 1,500 times a week, and reaches for it at 7:31am each morning, according to MailOnline;
  • The average smartphone owner uses his or her smartphone for three hours, sixteen minutes, each day;
  • Cybercrime constitutes the “greatest transfer of wealth in history,” according to the National Security Agency’s General Keith Alexander;
  • Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies;
  • Only 13% of companies have BYOD (bring your own device) policies, according to a 2014 report by Ernst and Young;
  • Fewer than 50% of companies use encryption techniques for devices;
  • 38% of companies do not address cloud risks;
  • “Only 56% of companies conduct penetration tests, and 19% fail to test at all,” according to an Ernst and Young report;
  • Less than one-third of boards are addressing risk management in relation to IT operations or computer and information security, according to a 2012 report from Carnegie Mellon; and
  • “Most policies currently in place,” “are too weak to reasonably ensure that systems are not breached,” according to a 2014 NACD (National Association of Corporate Directors) report.

What should boards of directors be doing to exercise their duty of care over technology risk, including social media, BYOD, and cyber security?

  1. “You have to own this problem as a leader,” in the words of Admiral Michael Rogers, Director of the National Security Agency. You do not need to be an expert in technology as a director, but you now need to be literate and informed. If you are not, then get educated. Request a glossary of acronyms from management as a start. There are several leading standards and frameworks from which to learn, including the National Institute for Standards and Technology; ISO/IEC 27032 Guidelines for Cybersecurity; the SANS Institute for Critical Security Controls; and the IoD and NACD in London and Washington. If your board lacks information technology expertise, consider putting this on your competency matrix for director recruitment. If you are in a key industry such as financial services, retail, utilities, defense or health care, technology should be represented at the boardroom table. If much of your company’s business model resides on the Internet, consider having a separate technology and strategy committee.
  2. Examine your committee structure. If your audit committee oversees the substance of all risk oversight, you may be at risk if committee members lack recent and relevant information technology and risk expertise, or are overworked. All material business risks, financial and non-financial, should be covered off and mapped to one or more board committees, and these risks should be made explicit within committee charters and board guidelines, including technology, reputation, operations, and health and security risk. The audit committee is not necessarily qualified to oversee non-financial risks, including terrorism.
  3. See technology risk as a broader enterprise risk, and as a strategic and business imperative, not a narrow technology issue. Regulators should be requiring your board to approve the risk appetite framework, which includes explicit internal controls, assurance, reporting, and limitations. Ask management to see the real-time, prospective internal controls over technology risk, in writing. This is where many companies are weak, and if you are, you should see this gap and ensure it is remedied as a director. This is not micromanagement, but good oversight.
  4. Understand and demand information on the internal controls over social media, BYOD and cyber crime. This will facilitate a learning curve to question management, including over training, education, acceptable use, mobile device management, risk and control assessment, situational awareness, threat and vulnerability risk management, and cyber security incident management and governance. Does management show you internal control results over each material risk, including their interactions, and how each risk is identified, controlled and assured? Are you satisfied? Do you have a good dashboard? Does risk culture support cyber security? (Human error and carelessness are big risks.) A recent NACD survey showed a quarter to a third of directors were unsatisfied with the quality and quantity of IT information.
  5. Obtain third party assurance if you have any doubt about how technology risk is being mitigated, or of the strength of the technology and assurance bench. Are you satisfied with the IT, risk management, and internal audit bench strength? These are your eyes and ears. You may need to direct changes and resources. Do you have the power, within your board and committee charters, to request an independent audit of technology risk? Do you exercise this responsibility? If you are blocked by management, this is a red flag. Do you meet separately with risk, compliance and audit to assure cyber security risk?
  6. Information technology risk, compliance and auditing should functionally report to you as a board or committee, not senior or operating management. Senior management should no longer own the risk function. The chief risk officer, the chief compliance officer, and the chief audit executive, should now be independent and report functionally to the board and its committees, not senior management such as the CEO or CFO. This means that the work-plan, independence, resources, reporting, compensation and succession of these three functions (risk, compliance and audit) are now recommended by committees and decided by directors, not management. Do you practice the foregoing? If not, you could be the last to know for a major technology breach and the resulting reputational and financial loss. Experts will scrutinize how you directed reporting and assurance.
  7. Management may be averse to spending what is needed, and the imposition of internal controls over technology, including those that are reputation or behaviour-based. This is why risk oversight rests with the board. Your job is to understand, identify, and oversee, not to manage. The budget, talent, resources, reporting, assurance and disclosure of enterprise risk mitigation, including technology, should rest with you. Information, documentation and informed, best practice and precise questions are your management influence and oversight touch-points.
  8. Become engaged. If you have one or more laggard directors who resist technology or keeping current, these intransigent directors are compromising the governance of the company and should be addressed or replaced, especially if they are on or chair key committees. Good boardrooms are now paperless, and good directors use devices and social media with acumen.
  9. Have technology stress testing. Do you direct management to implement and report on scenario testing and mock exercises over social media attacks and cyber breaches? When it happens, it is too late.
  10.  Most of all, protect your company’s crown jewels. Think like a hacker. Protect the perimeter, but once inside, are your company’s valuable assets still protected? How? Agree on a platform and framework and direct management to have an action plan and target date for full implementation.

Tis the Season to Prevent Cyber-Hacking

What are best practices individuals can employ to lessen the chance of hacking of their computer or device?

Here is a quick “top 20 list,” based on part of an education session I have been providing to directors of company boards on cyber security.

  1. Never click on unknown or non-credible emails, attachments or downloads.
  2. Never click “save password.”
  3. Never use the same password across multiple devices or accounts.
  4. Use smart, strong passwords, and regularly update and change your passwords.
  5. Have a second credit card that you use online, with a low limit.
  6. Use two-step authentication whenever possible.
  7. Install firewalls on all your computers and devices.
  8. Always update your software.
  9. Always logout at the end of your work-time.
  10. Always install anti-virus, anti-spam and anti-spyware or adware programs.
  11. Use only your own computers and devices.
  12. Never leave your device or desktop computer unattended or accessible.
  13. Have a professional validate all of the above and never give your password out.
  14. Cover any cameras that are not in use.
  15. Browse anonymously whenever possible.
  16. Use secure, encrypted connections: https where “s” means “secure.”
  17. Resist unencrypted, public wifi hotspots.
  18. Back up your data in real time, twice as a fall-back.
  19. Be careful what you store or send (crown jewels).
  20. Always use a document shredder.

“Our entire lives are on the internet,” according to FBI Director, James Comey, adding “The internet is the most dangerous parking lot imaginable.”

Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, in the Province of China, according to a 2013 report by the Centre for European Policy Studies.

The more aware individuals are of the steps they can proactively take, the lower the chance that their property or data will be breached.

Social media trends and listening for boards

I was asked to give brief talks on social media trends and the board’s role in “listening” at an NACD conference. Here are my notes, as well as a reading list, if group members are interested:

https://dl.dropboxusercontent.com/u/79214614/NACD%20Richard%20LeblancNACDDiscussNotes14Oct13.docx

https://dl.dropboxusercontent.com/u/79214614/NACD%20SM%20lab%20possible%20readingsv2.docx

I am pleased to be asked to assist the National Association of Corporate Directors in a social media pod at their annual Board Leadership Conference, October 11-13, to expose directors in a more in-depth and hands-on way to social media (forthcoming).

I am assisting the NACD by gathering potential readings for issue identification, etc., from my library and online, and specifically seeing things from a governance and board perspective.

Here is a listing:

July 21, 2013, updated July 29, 2013

Richard Leblanc

Associate Professor, Law, Governance & Ethics, York University

Prof Dr Richard W Leblanc

York University

4700 Keele Street

Toronto, CANADA M6S 1P3

Webpage: http://www.yorku.ca/rleblanc

Dr. Leblanc prepared this list of readings and potential issues/trends below, on IT related topics

Board’s role in Social Media “listening”

Lead or be left behind: A chairman’s perspective on social media

http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_chairman_LeadorLeftBehind_042213.pdf

What Do Corporate Directors and Senior Managers Know about Social Media?

http://www.gsb.stanford.edu/sites/default/files/documents/TCB_DN-V4N20-12.Social_Media.pdf

50 Top Tools for Social Media Monitoring, Analytics, and Management

http://socialmediatoday.com/node/1458746

Social Media and the Board: Why #Hashtags Matter to Directors

http://business-ethics.com/2012/04/12/1642-social-media-and-the-board-why-hashtags-should-matter-to-directors/

Seven Steps for Board Success in the Facebook Age

http://knowledge.wharton.upenn.edu/article.cfm?articleid=2940

Cameras May Open Up the Board Room to Hackers

http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=0

Nonprofit Boards and the iPad: a Good Fit?

http://nonprofit.about.com/od/boardquestions/a/Nonprofit-Boards-And-The-Ipad-A-Good-Fit.htm

Potential Issues/Trends

  • Lack of direct digital media management experience for some/many directors, even incumbent CEOs / SMT (senior management team);
  • Psychological / comfort issues as well, but this is changing as boards are going paperless (tablets, portals, etc.) and there is pressure on laggards;
  • Concerns with Reg FD and equal treatment of investors: directors more comfortable listening;
  • Directors are listening and reading, and this should not be misunderstood for lack of appreciation or passivity: there is high awareness among good boards and directors, which usage statistics above may not reflect;

 

Social Media and Reputational Risk

Reputation Risk: A Corporate Governance Perspective

http://processunity.com/cms/wp-content/uploads/2012/05/Reputation-Risk-Conference-Board.pdf

Director: Reputations at Risk

http://www.director.co.uk/magazine/2010/6_June/social_media_63_10.html

Ten Keys to Manage Reputation Risk

http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/xsp/.ibmmodres/domino/OpenAttachment/KnowledgeLeader/Content.nsf/C3C1BFD887594D4B88257B58006610E6/body/The%20Bulletin,%20Issue%202,%20Volume%20V%20–%20Ten%20Keys%20to%20Managing%20Reputation%20Risk.pdf

Virtual world, real risks: When social media becomes a liability

http://www.grant-thornton.co.uk/PageFiles/3572/Virtual%20World_Real%20Risk.pdf

Reputational Risks & The Role Of Social Media

http://www.youtube.com/watch?v=qoTtmRgDThs

Social Media Said to Present Significant Reputational Risks

http://www.marketingcharts.com/wp/direct/social-media-said-to-present-significant-reputational-risks-22952/

Three Steps Towards Managing Reputational Risk

http://deloitte.wsj.com/riskandcompliance/2013/04/25/three-steps-toward-managing-reputational-risk/

The Board, Social Media and Liabilities

http://www.mediabadger.com/2012/12/the-board-social-media-and-liabilities/

Reputation risk management on the rise

http://www.camagazine.com/reputationrisk/

Social media reputation damage high on risk managers’ list of concerns

http://www.ferma.eu/2011/10/social-media-reputation-damage-high-on-risk-managers-list-of-concerns/

The Risks of Social Media: Self-Inflicted Reputation Damage

http://www.riskmanagementmonitor.com/the-risks-of-social-media-self-inflicted-reputation-damage/

Potential Issues/Trends

  • Speed, inter-connectedness and unpredictability of transmission;
  • Personal vs executive vs corporate reputations now merging;
  • Design and implementation of internal controls, balanced with communication and opportunity;
  • SM was junior position at outset, but now best practice is senior management oversight or member ownership;
  • Crisis planning involves digital stress testing and response plans in advance; mock runs also;
  • Reputation online background checks for directors, management, employees now; good firms will do regular reviews of current members;
  • Online analytics part of information flow to good SMTs and boards;

 

Integrating Social Media into overall strategy/questions the board should be asking management

Why boards need to adopt social media

http://blogs.reuters.com/lucy-marcus/2012/03/22/why-boards-need-to-adopt-social-media/

What Directors Think About Social Media

https://www.boardmember.com/MagazineArticle_Details.aspx?id=9128

Boards remain uneasy about social media, says women’s directors group

http://www.corporatesecretary.com/articles/technology-social-media/12487/boards-remain-uneasy-about-social-media-says-womens-directors-group/

Directors and IT: What works best?™

http://www.pwc.com/en_US/us/corporate-governance/publications/directors-and-it/assets/pwc-it-for-corporate-directors-full-report.pdf

Social Media – questions for directors to ask

http://www.cica.ca/focus-on-practice-areas/governance-strategy-and-risk/directors-series/director-alerts/item63118.pdf

20 Questions Directors Should Ask about Information Technology Security

http://www.cica.ca/focus-on-practice-areas/information-technology/publications/item46763.pdf

SOCIAL MEDIA: What Boards Need to Know

http://www.weil.com/files/upload/May2012_Opinion.pdf

Elevating technology on the boardroom agenda

http://www.mckinsey.com/insights/business_technology/elevating_technology_on_the_boardroom_agenda

10 Questions You Should Ask Your Social Media Expert, Guru or Wizard

http://www.socmedsean.com/10-questions-you-should-ask-your-social-media-expert-guru-or-wizard/

52 Questions To Ask When Hiring A Social Media Company

http://outspokenmedia.com/social-media/quesitons-hiring-a-social-media-company/

The Key to Social Media Success Within Organizations

http://sloanreview.mit.edu/article/the-key-to-social-media-success-within-organizations/

The Board’s Responsibility for Information Technology Governance

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1947283

MONITORING RISKS BEFORE THEY GO VIRAL: IS IT TIME FOR THE BOARD TO EMBRACE SOCIAL MEDIA?

http://www.gsb.stanford.edu/sites/default/files/research/documents/CGRP25%20-%20Social%20Media.pdf

Privacy and Boards of Directors: What You Don’t Know Can Hurt You

http://www.ipc.on.ca/images/Resources/director.pdf

Execs Not Using Social Media At Board Level Strategy

http://www.business2community.com/social-media/execs-not-using-social-media-at-board-level-strategy-0318067

Social Media — The New Business Reality for Board Directors

http://www.pwc.com/en_CA/ca/directorconnect/publications/pwc-social-media-new-reality-for-directors-2012-09-28-en.pdf

Too Many Top Executives Aren’t Taking Social Media Seriously

http://www.businessinsider.com/top-executives-dont-take-social-media-seriously-2013-5

Why 1700 CEOs Are Wrong about Social Media

http://socialmediatoday.com/thoughtreach/991031/why-1700-ceos-are-wrong-about-social-media?inf_contact_key=3791995094c307c4b1d275d00b36b16025118ec3bcf13175ef3d187c59ac45b8&goback=.gmp_4220981

How Kodak Squandered Every Single Digital Opportunity It Had

http://mashable.com/2012/01/20/kodak-digital-missteps/

Potential Issues/Trends

  • SM seen in the main as a risk (defensive, liability), versus being seen opportunistically and strategically;
  • CIOs/CTOs may lack broad P&L experience for board membership; this may not change;
  • Technology / reputation risk may need board committee oversight, depending on sector and opportunity/threat;
  • SM advocates may have self interest (e.g., vendors, service providers): assurance and analytics are immature but evolving;

 

Big Data/ Analytics

Big data: The next frontier for innovation, competition, and productivity

http://www.mckinsey.com/insights/business_technology/big_data_the_next_frontier_for_innovation

Big data

http://en.wikipedia.org/wiki/Big_data

http://searchbusinessanalytics.techtarget.com/definition/big-data-analytics

Guide to big data analytics tools, trends and best practices

Experts share perspectives and identify best practices for big data analytics projects in this Essential Guide.

http://searchbusinessanalytics.techtarget.com/essentialguide/Guide-to-big-data-analytics-tools-trends-and-best-practices

Severe Consequences Face Big Data Analytics Without Governance, Experts Say

http://www.crn.com/news/security/240158457/severe-consequences-face-big-data-analytics-without-governance-experts-say.htm

INFORMATION TECHNOLOGY AND FIRM PROFITABILITY: MECHANISMS AND EMPIRICAL EVIDENCE

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1000732

New research suggests using big data, particularly social media data, can lead to a biased representation of the data based on societal factors.

http://sloanreview.mit.edu/article/the-pitfalls-of-using-online-and-social-data-in-big-data-analysis/

Potential Issues/Trends

  • Big Data is somewhat tangential to my area of expertise, so I will not comment; however, big data / analytics are an important area, with significant capacity and opportunity, and it is correct for this item to be on this list;

 

Social Media & CRM

Three Out of Four Social Networkers are Logging in on Company Time, Ethics Resource Center Reports

http://www.ethics.org/news/three-out-four-social-networkers-are-logging-company-time-ethics-resource-center-reports

How the Voice of the People Is Driving Corporate Social Responsibility

http://blogs.hbr.org/cs/2013/07/how_the_voice_of_the_people_is.html

Social Media in Corporate Social Responsibility (CSR)

http://blogs.cisco.com/csr/social-media-in-corporate-social-responsibility-csr/

Tying Together Social Media and Corporate Social Responsibility

http://www.convinceandconvert.com/pr-20/tying-together-social-media-and-corporate-social-responsibility/

Mashable: Corporate Social Responsibility

http://mashable.com/category/corporate-social-responsibility/

Why Social Media Is Vital to Corporate Social Responsibility

http://mashable.com/2009/11/06/social-responsibility/

A Guide To Social Media For CSR Professionals

http://www.csrwire.com/blog/posts/721-a-guide-to-social-media-for-csr-professionals

Telus Corporate Social Responsibility Report 2012

http://csr.telus.com/en/

Potential Issues/Trends

  • Digital media is the new stakeholder communication platform;
  • CSR lacks rigor of reporting that US GAAP / IFRS have; this is changing, but regulators are waiting for maturity; GRI has made good efforts, as have others (e.g., integrated reporting);
  • CSR (including Climate change/environmental) may lag because of austerity and jobs concerns since 2008;
  • Exemplary companies (see above) are communicating CSR through social media, communicating directly with stakeholders;
  • Opportunity to affect messaging and communication: needs to be genuine and two way; listening and acting; stakeholder groups are sophisticated, even activist;

 

Trends/Emerging Topics

What Do Corporate Directors and Senior Managers Know about Social Media?

http://tcbblogs.org/governance/2012/10/31/what-do-corporate-directors-and-senior-managers-know-about-social-media/

Use of board portals and social media

http://www.conference-board.org/retrievefile.cfm?filename=TCB-CoW_V2N11.pdf&type=subsite

2012 CEO, social media & leadership survey

http://www.brandfog.com/CEOSocialMediaSurvey/BRANDfog_2012_CEO_Survey.pdf

Taming Information Technology Risk: A New Framework for Boards of Directors

http://www.oliverwyman.com/media/OW_EN_GRC_2011_PUBL_Taming_IT_Risk.pdf

IBM CEO Predicts Three Ways Technology Will Transform The Future Of Business

http://www.forbes.com/sites/jennagoudreau/2013/03/08/ibm-ceo-predicts-three-ways-technology-will-transform-the-future-of-business/?goback=.gmp_4220981.gde_4220981_member_221432830

The Next Digital Paradigm

http://www.forbes.com/sites/gregsatell/2013/02/02/the-next-digital-paradigm/?goback=.gmp_4220981

Make Social Media an Organizational Asset – Right Now!

http://www.thecmosite.com/author.asp?section_id=1237&doc_id=246605

THE FUTURE OF DIGITAL [SLIDE DECK]

http://www.businessinsider.com/future-of-digital-slides-2012-11?goback=.gmp_4220981

Ten Technology Trends that Will Change the World in the Next Ten Years

http://www.zawya.com/story/ZAWYA20120212081954/

Technology, Strategy and Shareholder Engagement Driving Corporate Governance

http://www.deloitte.com/view/en_us/us/press/ac998d5e23835310VgnVCM2000001b56f00aRCRD.htm

Potential Issues/Trends

  • Rapid change and transformation occurring: a few have said ‘revolution’, e.g., cloud, meta data, digital payment, social platforms, ease of use, direct contact with users;
  • Intermediaries in any value chain may need to transform because of technology;
  • Board should be in position to predict, press and stretch management if / when SMT is off-course or in denial;
  • Some industries/sectors will need to transform or die / be replaced: opportunities here; we are seeing transformation and complacent vs strong boards;
  • Boards should not be in denial if SMT (day to day) may be, and see up and out (what is coming) to fullest extent possible;

 

Cyber

Cyber Risk Management – A Board Level Responsibility:
http://www.bis.gov.uk/assets/biscore/business-sectors/docs/c/12-1119-cyber-risk-management-board-responsibility

10 Steps to Cyber Security – Executive Companion:

http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1120-10-steps-to-cyber-security-executive

http://www.gchq.gov.uk/Press/Pages/10-Steps-to-Cyber-Security.aspx

Cyber risk, Guidance note

https://www.icsaglobal.com/assets/files/Guidance%20notes/gn06-2013cyberrisk.pdf

Cyber security: Considerations for the audit committee

http://www.ey.com/Publication/vwLUAssets/Cybersecurity_Considerations_for_the_audit_committee/$FILE/Cybersecurity_considerations_for_the_audit_committee_GA0001.pdf

Cyber Security and the UK’s Critical National Infrastructure

http://www.chathamhouse.org/publications/papers/view/178171

Cost of cyber attacks triples in a year

http://www.ft.com/intl/cms/s/0/bb3fcc90-ab4a-11e2-ac71-00144feabdc0.html#axzz2Zcz9iIg1

Cyber threats and security breaches forcing companies to re-evaluate risk management

http://www.canadianunderwriter.ca/news/cyber-threats-and-security-breaches-forcing-companies-to-re-evaluate-risk-management/1002271537/

The Art of Cyber War

http://www.nacdonline.org/Resources/Article.cfm?ItemNumber=6807

U.S. Outgunned in Hacker War

http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html

Cybersecurity and Internet Governance

http://www.cfr.org/cybersecurity/cybersecurity-internet-governance/p30621?goback=.gmp_4220981

Time to get real over cyber security

http://www.cbronline.com/blogs/cbr-rolling-blog/time-to-get-real-over-cyber-security-230212

Cyber crime is now a booming industry

http://www.business-standard.com/article/technology/cyber-crime-is-now-a-booming-industry-112012300057_1.html

Potential Issues/Trends

  • Rogue players beyond domestic enforcement, sanctions (e.g., Al Qaeda, China, Russia, Ukraine, other);
  • Lack of full understanding of precise vulnerabilities by some/many directors;
  • Under-reporting by companies who have been hacked, and industry specific (e.g., defense, utilities, banking);
  • Government action increasing (e.g., NSA): privacy concerns;
  • Literature is still very general (some exceptions, e.g., NACD above (The Art of Cyber War), others), suggesting lack of knowledge, immaturity;
  • Multi/bi-lateral agreement to enforce within rogue states needed;
  • Good industry-specific boards will do (have done) thorough cyber review and strengthen defective controls, with expert input;
  • Some boards have IT as a desired board competency, and IT as material business risk;

 

BYOD- Security

Good Governance Guide: Issues to consider in the use of tablets for accessing board papers

http://www.csaust.com/media/365618/2012_ggg_tablets_boardroom_v2.pdf

10 steps for writing a secure BYOD policy

http://www.zdnet.com/10-steps-for-writing-a-secure-byod-policy-7000006170/

For BYOD Best Practices, Secure Data, Not Devices

http://www.cio.com/article/711258/For_BYOD_Best_Practices_Secure_Data_Not_Devices

Security Think Tank: BYOD – key tenets and best practices

http://www.computerweekly.com/opinion/Security-Think-Tank-BYOD-key-tenets-and-best-practices

Bring Your Own Devices Best Practices Guide – Dell

http://i.dell.com/sites/doccontent/business/smb/sb360/en/Documents/good-byod-best-practices-guide.pdf

Learn BYOD policy best practices from templates

http://www.techrepublic.com/blog/it-consultant/learn-byod-policy-best-practices-from-templates/

Best practices to make BYOD simple and secure

A guide to selecting technologies and developing policies for BYOD

http://www.citrix.com/content/dam/citrix/en_us/documents/oth/byod-best-practices.pdf

Dell Outlines The Death Of The PC

http://www.forbes.com/sites/adriankingsleyhughes/2013/03/30/dell-outlines-the-death-of-the-pc/?goback=.gmp_4220981

Potential Issues/Trends

  • Usage may have overtaken internal controls and policies in some companies;
  • Demographic and talent issues (e.g. education sector, younger students may: bring only a smartphone to class; not have used pen and paper);
  • Theft, loss: purging of data, passwords, signatures, controls to mitigate: policies all progressing, at differential speed;
  • Better policies available (see above); White House example: http://www.whitehouse.gov/digitalgov/bring-your-own-device
  • Devices may be opportunities, e.g., over 100K online course registrants in Harvard-MIT course: devices may be (or already are) the main channel of communication to customers, other stakeholders;

 

Executive Security

Corporate Theft? Build a barrier with access governance

http://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/corporate-theft-build-barrier-access-governance.pdf

Global Status Report on the Governance of Enterprise IT (GEIT)—2011

http://www.isaca.org/Knowledge-Center/Research/Documents/Global-Status-Report-GEIT-10Jan2011-Research.pdf

Cobit: An information security survival kit

http://www.pkfavantedge.com/wp-content/uploads/2013/COBIT_Security.pdf

Potential Issues/Trends

  • See cyber;
  • There should be rigorous controls, and third party validation if possible, e.g., separation of duties, prevention of management over-ride, treatment of passwords, restricted digital areas, separation of development and approval, record retention, etc.;
  • Assume IT and executive management self interest: control environment and board oversight/reporting important to deter fraud schemes, internal cyber;

 

Social Media & Investor Relations

A Virtual Annual Meeting Approach

http://www.directorship.com/adopting-a-virtual-approach-to-the-annual-meeting/

Call to move huge annual reports online

http://www.ft.com/intl/cms/s/0/71dc17ba-19d5-11e0-b921-00144feab49a.html#axzz2Zcz9iIg1

Twitter Speaks, Markets Listen and Fears Rise

http://www.nytimes.com/2013/04/29/business/media/social-medias-effects-on-markets-concern-regulators.html?pagewanted=all

Dress rehearsal for disaster shows why Twitter has no place on Wall Street

http://opinion.financialpost.com/2013/04/26/dress-rehearsal-for-disaster-shows-why-twitter-has-no-place-on-wall-street/

SEC Says Social Media OK for Company Announcements if Investors Are Alerted

http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171513574#.Uer4KFMpcvQ

New SEC Guidance on Social Media Levels Playing Field for Investors

http://blogs.cfainstitute.org/marketintegrity/2013/04/08/new-sec-guidance-on-social-media-levels-playing-field-for-investors/

How to Use Social Media for Regulation FD Compliance

https://blogs.law.harvard.edu/corpgov/2013/04/16/how-to-use-social-media-for-regulation-fd-compliance/

SEC Blesses Social Media Disclosures

http://www3.cfo.com/article/2013/4/disclosure_regulation-fair-disclosure-twitter-facebook-social-media-sec-guidelines-governance

The Push and Pull of Social Media for Investor Relations

http://blog.businesswire.com/2013/06/20/the-push-and-pull-of-social-media-for-investor-relations/

The Greatest Social Media for Investor Relations Panel Ever*

http://blog.investorrelations.com/2013/06/24/the-greatest-social-media-for-investor-relations-panel-ever/

Social Media’s Place in Investor Relations

http://thesocialmediamonthly.com/social-medias-place-in-investor-relations/

Social Media for Investor Relations

http://www.slideshare.net/IRSmartt/social-media-for-investor-relations-12976664

Survey finds social media gap between investors, companies

http://irwebreport.com/20130611/iros-vs-investors-social-media/

Crisis investor relations in the age of social media

http://irwebreport.com/20111208/crisis-investor-relations-social-media/

SEC’s social media guidance has devil in details

http://irwebreport.com/20130403/secs-social-media-guidance-has-devil-in-details/

Social Media Strategy for Investor Relations

http://www.brandchannel.com/images/papers/530_ccg_wp_social_media_strategy_ir_0911.pdf

Potential Issues/Trends

  • SEC permits investor contact using SM: significant;
  • Accuracy and fair disclosure concerns by companies and investors;
  • Regulators are reviewing proxy plumbing (shareholders) and will inevitably address SM, perhaps even (eventually) digital investor voting, fora, collaboration, communication using digital platform [think of a LI or FB group within a company investor section of a website];
  • Investor relations will use (are using) SM, including digital communication, hybrid annual meetings, Q and A, outreach, etc.: this will mature and eventually be regulated to provide structure, expectations;
  • Paper, in person meetings, email, even voting may/will be replaced with digital (text, visual, audio – multi media): the changes are starting;

 

Other:

Director skills

Recruiting the Digital Director

http://www.spencerstuart.com/research/bg/1535/

Wanted: More Directors With Digital Savvy

http://online.wsj.com/article/SB10001424127887324031404578483043683328314.html?goback=.gmp_4220981.gde_4220981_member_241245618

CIOs Say Corporate Directors Are Clueless About IT

http://www.cio.com/article/721456/CIOs_Say_Corporate_Directors_Are_Clueless_About_IT?goback=.gmp_4220981

Risk and IT intersection

Observations on Developments in Risk Appetite Frameworks and IT Infrastructure

http://www.newyorkfed.org/newsevents/news/banking/2010/an101223.pdf

Recruiting a Nonprofit Digital Board Director: Limitations & Alternatives

http://non-profit-management-dr-fram.com/2013/05/27/recruiting-a-nonprofit-digital-board-director-limitations-alternatives/

Nonprofit Board Responsibility Social Media – What Needs To Be Done? Revised & Updated

http://non-profit-management-dr-fram.com/2013/06/23/nonprofit-board-responsibility-social-media-what-needs-to-be-done-revised-updated/

 

Management suite:

Digital diaspora in the enterprise: Arrival of the CDO and CCO

http://www.zdnet.com/digital-diaspora-in-the-enterprise-arrival-of-the-cdo-and-cco-7000016193/

CIOs Can Strengthen Your Board of Directors

http://blogs.cio.com/careers/17010/cios-can-strengthen-your-board-directors?goback=.gde_4220981_member_111162885

KPMG brochure:

Risk management in an evolving world

Making the case for social media governance

http://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/social-media-brochure.pdf

IT Skills Needed Around the Board Table

In a speech I gave this week to a large room of directors in Montreal, I asked for a show of hands as to how many directors use iPads. About 80% of the hands went up. When I asked the question a year ago, the figure was only about 20%. If you are a director who does not own an iPad, request management purchase iPads for all your directors, or better yet buy your own. Request that your board have a board portal installed. Within a year, most boards will be paperless. Good boards are now paperless. If a laggard director blocks technology or refuses to up-skill, the director should be asked to step down. Technology has gotten a lot easier to use in the last year.

Information technology literacy at the board table is rapidly becoming a must-have for boards, ranking up there with international, risk management and executive experience as necessary boardroom conditions on director skills matrixes. Termed an information technology “revolution” by some directors, technology is rapidly changing how boardrooms and companies operate and compete. IT skills are necessary not only for prudent risk mitigation, but more importantly, for strategic opportunity, innovation and the way companies communicate with a new generation of investors, consumers and employees. Virtual meetings, electronic reporting and social networks are now becoming the new communications platforms. Mailed proxy statements, in-person meetings, and even email may be relics of the past.

If your board of directors does not have a solid understanding of IT drivers, such as cloud computing, big data, consumerization, mobile computing, cyber-crime, e-corruption and social media, which are increasingly pervasive or possible throughout all industries and in B2B and B2C companies alike, it will not have the clout with senior management to operate. It will not recognize deficiencies, weak benches, red flags, product/service distribution channels, or even basic opportunities or relationships to exploit (such as fundraising for not-for-profits). Management, and the competition for executive and employee talent, will perceive the board as dated. Management and investors can now go online and find out whether a director is IT literate or not.

IT literacy can no longer be learned on the job or through educational primers for older directors, as the turnover and learning curves are too great. The world is changing and the notion that a 65 or 70-year-old former executive possesses IT competency is a myth. Generational shifts and emerging demographics need to be embraced by boards, including recruiting IT subject matter experts and mentoring first-time directors. Women, younger directors and other directors with IT expertise must be at the board table to have the credibility and experience with management to drive change and ensure that boardroom discussion contains multiple informed perspectives.

How does your board fare on the above? Specifically,

  • Does your board have enough strategic IT experience to advise management credibly?
  • Do you have a full understanding of IT opportunities and threats facing your company and industry?
  • Does the board have a committee that oversees IT risks, internal controls and reporting?
  • Do the company and your investor relations department use social media and other emerging technologies (such as shareholder forums) for engagement with institutional and individual investors?
  • Do directors use social media to listen and learn?
  • Are you satisfied with the quality of IT management?

These are some of the questions that need to be asked at the board table. Boards likely won’t get past the second question or the wrong answer by management if they themselves are not IT literate.
