In Roman mythology the two-faced god Janus has one face looking forward towards the future and one backward toward the past guarding against any lurking surprises. This may be an apt description of a single corporate director or officer, who carries substantial personal obligations and liabilities in steering their companies forward with an eye to the past. The expectations on modern boards, however, are not just singular and bidirectional; boards are expected to form an omnipresent panopticon where all facets of their organizations and the attendant risks are not only known to them, but measured, managed and mitigated in a mythical form of supergovernance.
Corporate and institutional governance along with myriad organizational failures have been on the docket lately. There is much to learn from where governance goes awry and unwanted sunlight shines through the dark recesses of how large institutions are run. It does not help that every emerging risk, opportunity and trend is laid at the board’s feet as something a panel of (mostly) wise men should have anticipated. Indeed, adding to the long list of classical board obligations, which includes strategic direction, governance, corporate reporting, executive remuneration, risk management (loosely worded), compliance, ethics, accountability, succession planning, among others, is the growing pressure to own cyber and technological risks, as well as the ever-present perils of moral hazard and human malfeasance. This now includes, although no one should be surprised, the Weinstein-style weaponization of sexual abuse, harassment and corporate cornering of women, which has had its day in the court of public opinion and the year-old tide of the MeToo movement.
While diversity, or the lack thereof, may be at the heart of these challenges, board evolution is not only being prodded by the sharp edge of regulatory, investor and market pressure, it is also being prompted by corporate soul searching. The reality, however, is that much more needs to be done to get boards and the enterprises they govern to become a more perfect reflection of society. California, an increasingly impatient host when it comes to future-proofing industry, has passed a law mandating the gender diversification of all-male boards on a step ladder basis. Publicly traded firms will need to add at least one woman to their boards by the end of 2019 and companies with five directors will have to add at least two women by 2021. Firms with boards of six or more people will have to add three women by the end of 2021. This type of affirmative action may not resolve underlying pressures to perform or adapt, but nevertheless it marks an important sea change in regulatory approaches to governance diversity. These changes are increasingly echoing European and particularly Nordic countries, which have gone the furthest in ensuring women have an equal footing not only in boards, but in the workforce writ large.
Assuming perfect gender parity and diversity quotients, it is not clear whether all large company boards would in fact improve their performance. This is so because of other factors relating to corporate dynamics and the often god-like qualities bestowed at the head of the table. All too often, there is no proverbial separation of church and state between the chairman and CEO roles. These hats are most often worn by the same archetypally male leader, for whom individual success and that of the enterprise are inextricably linked. At least this much was clear in Elon Musk’s and Tesla’s settlement with the SEC, wherein he dodged potential banishment from public-company directorships by stepping down as Tesla’s chairman following a $40 million tweet. While Tesla’s board and shareholders may have avoided a more complex case, their governance challenges remain the same, namely how to rein in a leader whose success or failure could bring the company to its knees. Indeed, there is a very large elephant in Tesla’s board room, which is Elon Musk’s public exhortation that someone else can have his job. It cannot help board room or shareholder anxiety that an unrepentant Elon Musk took to Twitter to mock the Securities and Exchange Commission, labelling the financial regulator as the “Shortseller Enrichment Commission.”
Add to this type of pyrrhic succession planning and leadership question the endless volley of cybersecurity, privacy and digital transformation challenges that come with modern directorships – bodies that historically favored status quo – and it is easy to see the mismatch between capabilities and expectations. The reality is that most large enterprises, if for no other reason than their size, are incapable of anticipating, digesting and affirmatively responding to the global risk landscape. Herein one of the board’s perennial struggles is laid bare – namely the tug-o-war between compliance and enterprise risk management, for which all too often large enterprises merely pay lip service. In fairness, not unlike the CIA, corporate directors are never heralded for the many risks and company threats they fend off in a year or over the long term. Rather, they are in a constant crucible walking a fine line between value creation and risk mitigation, for which risk management is a footnote in annual reports, which are often our best windows to peer into the board room and into the minds of those sentinel guardians around the table.
In Equifax’s case, peering into 5 years’ worth of annual reports (and therefore the hive mind of the board) after the massive data breach of more than 150 million personally-identifiable records reveals a shocking lapse of governance that could have very well killed the firm. Like many large firms answering the siren call of quarterly earnings, growth often trumps longevity, prudence and safety. By word count, over 5 years the words growth, shareholder and investor, all signaling a pro-growth, investor-forward culture, appeared more than 649 times. Meanwhile, key words like cyber risk, privacy and data security, which would be essential guardrails for a company that is little more than a giant database of sensitive personal information, appeared no more than once. While this alone does not capture the entire Equifax cyber risk governance story, it is a rudimentary form of forensic analysis that suggests a perilously low level of risk awareness on the board. Clearly, with the rampant global spread of cyber threats, which do not respect board meeting schedules or quorum, Equifax is not the only firm to be caught flat-footed by Moore’s law.
This same pattern of readiness does not only weigh boards down when it comes to managing technological risks, like cyber threats or privacy – which have been made all the more complicated by Europe’s far-reaching privacy law, GDPR – it also holds true with digital transformation efforts. By this measure, there is probably not a single large company board that is not evaluating substantial investments in digital transformation, as all manner of emerging technologies are bandied about by executives and their hired consultants as the panacea for years of structural ossification and competitive pressure. Indeed, a recent report suggests that the 50 largest public companies have ongoing blockchain experiments, which probably holds true with those other newfangled trends, like artificial intelligence and industrial automation, among others. The challenge, not unlike the tenuous return on investment calculations that link the degree of cybersecurity to the degree of cyber spend, is that investments in digital transformation and its lifeblood, data, often likened to the new oil, have no economic calculus that accountants, regulators and executives, let alone board rooms, understand.
Faced with these dilemmas then, it is unsurprising that decision avoidance and the preservation of status quo have become the modus operandi of many corporate boards. Confronted with so many intangible and unmeasurable choices, which all have a temporal mismatch with the quarterly earnings cycle or board meeting schedule, boards would be well served to harden three pillars in their enterprises. The first being corporate value systems, remembering the maxim that values matter most when it is least convenient. The second, setting clear rules on risk tolerance and establishing guardrails around decentralized decision making. Third, strategic direction. Beyond these three points, which are hard enough on their own to implement and measure, it seems little more is truly in the board’s control.