Why boards have a duty to reinforce resilience

By Didier Duret IDP-C, Non-Executive Director and Independent Adviser

Change is risky for firms, and boards of directors must see beyond talk of disruption and innovation to ensure companies focus on their essential qualities and a handful of best practices.

The current global lockdown, enforced by governments to minimise the Covid-19-led public health emergency, has led to the shelving of many firms’ multi-decade strategies to correctly allocate resources across different regions.

Boards of directors must now re-focus on their organisations’ long-term resilience. This must not be confused with short-term crisis management, which demands quick reactions, analysed relentlessly across digital media.

Prudence and strength

Resilience is a mixture of prudence and strength before a crisis and should be ingrained in firms. It is defined as “the degree of freedom we can deploy to act on events we cannot control”, by Boris Cyrulnik, French psychiatrist, author and Holocaust survivor. For most firms, it derives from a mix of efficient risk management and organisational flexibility. In order to boost resilience, boards must question assumptions, nail down governance principles and adopt sound stewardship.

The idea of resilience in business was popularised by Nassim Taleb in his 2012 best-seller Antifragile: Things That Gain From Disorder, which argued that both humans and organisations are poorly equipped to cope with shocks that accelerate change and have cascading consequences. While hardwiring to think in categories has helped our species survive, most phenomena in nature and society follow non-linear patterns with little respect for categories. Although we can model risk from yesterday’s data, we cannot apply it confidently to tomorrow’s uncertainties.

In modern corporate life, despite a professional culture that has elevated disruption to a virtue, change remains risky and unpredictable. Many start-ups do not survive, and large firms struggle to adapt. Disruptive ideas facilitated by ‘agile management’ have limited impact once they encounter bureaucratic inertia. The board is in a key position to see beyond management techniques and reflect on the essential qualities of a resilient firm.

Focus on what works

Rather than being hypnotised into a reverie of ‘innovation’, it makes sense to focus on a handful of best practices. Of these, financial resilience and access to cash is the most important. Heavy debt and weak solvency ratios undermine resilience. Boards have explicit responsibility for their firm’s capital structure and access to finance, plus oversight of remuneration and of dividend and share buyback policies. In a crisis, when survival is at stake, board members may seek access to new capital, renegotiate bank loans or seek to be bought out by a larger firm. Board oversight is crucial for the firm to exit a crisis with resilient, if battered, financials.

Diversification of activities, markets, products and suppliers is good business practice. Diversity of opinions, talents and skills among management, staff and board members also contributes to strategic resilience. A mix of genders, races, cultures, languages and expertise strengthens the reliability of operations and leadership competencies. External advisers and independent board members can help identify new trends signifying a paradigm shift. They reduce groupthink and corporate bias, constructing a vision that differs from the past. External think-tanks or business school experts can be valuable resources for the board when refocusing long-term strategy in light of short-term, crisis-induced changes.

Discernment through judgemental resilience is a major governance skill exercised by the board. It can be reinforced to balance quantitative resource optimisation against qualitative operational resilience. Better data-driven “dashboards” do not mean better resilience, just as last week’s stock price does not tell us what next week’s will be. The board can ask the CEO to review crisis planning and the solidity of the strategy through a qualitative-scenario lens that differs from traditional quantitative-scenario planning, which, most of the time, is consensual to the industry or macro environment.

ESG goes mainstream

Environmental, social, and governance (ESG) policies have become mainstream, reinforcing resilience by reducing financial, operational, and reputational risks, for example through selecting reputable commodity providers or avoiding financing controversial industries. But ESG-driven governance does not guarantee resilience. Recent 20-year-low oil prices are just as disruptive for power producers using wind farms and solar panels in the transition to renewable energy as for shale oil firms, radically transforming capital spending plans. At the same time, today’s unprecedented economic crisis is impacting global social and political dynamics as well as consumers’ visions of the world and leadership expectations. Authentic ESG culture may yet prove a competitive advantage in the post-Covid-19 ‘new normal’.

Humility offers a hidden dimension to resilience, counterbalancing the excessive risk-taking and corporate hubris associated with charismatic CEOs. Would WorldCom have survived with board members questioning its overmighty CEO Bernard Ebbers more explicitly? Good practice involves yearly independent assessment of performance and behaviour of the board chairman, members, CEO and executive committee. Humility does not mean timidity, as it can be courageous. An advisory board I sat on during the early weeks of the Covid-19 crisis pursued investment in strategic areas that had suffered from heavy losses through massive disruptions, but gave the CEO wide latitude to implement high-level decisions.

I believe boards of directors, by focusing more on conditions for resilience, can help firms achieve better financial, ethical and environmental results. Resilience, in all its aspects, has become a strategic requirement, and unless boards take a more socially-oriented and strategic outlook for their organisations, billions of people will suffer, to the ultimate detriment of these firms.

Didier Duret IDP-C is a non-executive director, an investment committee member, and independent adviser to several private family offices and foundations.

This article was first published in the Private Wealth Management Magazine from the Financial Times on 23 May 2020, and can be found at https://www.pwmnet.com/Wealth-Management/Business-Models/Private-View-Blog-Why-boards-have-a-duty-to-reinforce-resilience

The Board’s role in Cyber Resilience

Webinar with Katja Severin Danielsson and Dimitri Chichlo – 9 June 2020

On 9 June 2020, IDN members discussed the board’s role in cyber resilience with guest speakers Katja Severin Danielsson, IDP-C, NED, and Dimitri Chichlo, IDP-C, NED, in a webinar facilitated by Liselotte Engstam, IDN Board Member, with Q&A support by Hagen Schweinitz, IDN Board Member.

Cyber damage is accelerating

Katja shared that cyber damage has been increasing as companies become more digital, and that it has accelerated dramatically during the COVID-19 crisis. However, according to PwC’s 22nd Annual Global CEO survey, only 15% of CEOs strongly agree that their company can withstand cyberattacks and recover quickly. Unfortunately, many boards are not engaged enough with cyber resilience; they need to increase their focus on it and make it a key part of their agendas. Further, Dimitri added that 76% of security professionals are focused on detection and containment rather than prevention. For companies, it is not a question of whether they will be hacked, but when, and how large the impact of the attack will be. Dimitri noted that the 15% from the PwC survey is a rather grim figure, taking into consideration how prone senior managers are to overestimate their capabilities.

Katja highlighted the World Economic Forum’s key messages on the current status of cyber risk and what needs to be done, and specifically emphasised that leaders need to create a culture of cybersecurity from the entry level to the top level of an organisation.

Source – World Economic Forum

Dimitri further noted that leveraging technology is an opportunity; however, many companies were not prepared for the pandemic.

Five cyber risk governance principles

Katja shared the five cyber risk governance principles set out in the revised 2020 Cyber-Risk Handbook, which was released by the Internet Security Alliance, ecoDa and AIG and supported by PwC Sweden. This guide was developed for Europe but can be used by a global audience. Specific handbooks have also been developed for other markets, for example the US and UK markets.

The first three principles are the responsibilities of the board, while principles 4 and 5 describe how the board should work with management and what it should expect from it.

The principles are:

  • Principle 1 – Directors need to understand and approach cybersecurity as an enterprise-wide risk management and strategy issue, not just an IT issue. Katja mentioned that cybersecurity should be integrated with business decisions, that its assessment should be comprehensive, and that it should consider the ecosystem of organisations (including third parties such as vendors and customers) which the company deals with. Directors need to understand not only the technical IT matters but also the operational matters which impact critical components of the business.
  • Principle 2 – Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances. Katja noted that directors need to consider the industry the company operates in and the type of company it is. The type of company determines the standards the company needs to comply with; some types of companies may need to maintain certain levels of security and meet additional transparency requirements, or face sanctions if they do not comply with regulations.
  • Principle 3 – Boards should ensure adequate access to cybersecurity expertise, with appropriate reporting, at both Board and Committee level. Board members should be fully engaged, make enquiries and challenge management. They should also ensure that they have access to the right reporting, at an appropriate level of detail, in plain English that is understandable and easy to use. Dashboards are often useful for following trends. Boards should bring experts and competence into the boardroom for training.
  • Principle 4 – Board directors should ensure that management establishes an enterprise-wide cyber-risk management framework which encompasses culture, preventive, detective and response capabilities, monitoring and communication at all levels. Resources should be adequate and allocated appropriately according to the strategies adopted. Katja stated that the cyber-risk management framework should be aligned to the organisation’s strategy. Further, the management of cyber risk is an iterative process, whereby companies need to continuously update their understanding of, and act on, changes in their threat profile and current risk position. She highlighted the importance of understanding the company’s crown jewel assets, understanding its current security posture (capturing strengths and dealing with vulnerabilities), and ensuring that controls and investment plans protect the right assets.
  • Principle 5 – Board-management discussions about cyber risk should include strategies on their management (mitigation, transfer through insurance or partnerships, acceptance, etc.). Katja highlighted the importance of good reporting to allow directors to challenge management, and of the need to understand the strategies management plans to use to reduce, mitigate or avoid risk, considering the cost/benefit of each strategy. This is to ensure that investments in cybersecurity target the company’s threat profile and contribute to the company becoming more secure. Ask management the question: “Are we spending our money wisely?”

The guide has five toolkits which directors and management can use to benchmark their cyber risk governance.

Participants then engaged in a lively Q&A session which covered a broad range of topics, including: aligning the cyber strategy to the broader company strategy and day-to-day operations; how directors and their companies can improve their cyber resilience; whether boards should participate in crisis exercises; the benefits of having a cyber resilience committee; the point that cyber resilience is as much an HR/people and process issue as a technical risk; the importance of focusing on all stakeholders and dimensions when looking at the risks of a cyber attack (including financial, customer, reputational/media, shareholders, and third parties/ecosystem partners); understanding the crown jewels of the company; and how to have the right knowledge of cyber at the board level and across the three lines of defence.

Summary

In her closing comments, Katja noted that cyber resilience is a board responsibility, and that:

  • Cybersecurity is one of the fastest growing threats to organisations
  • Cybersecurity is an enterprise-wide risk management topic, not an IT issue
  • The board needs to increase its insight and guide the organisation
  • Boards need to ensure that investments are targeted to the company’s context
  • Boards are responsible for addressing these threats

Finally, Dimitri concluded by stressing the necessity of having technology and cybersecurity experts on boards, and not only business experts and leaders.


Recommended reading

Cyber Risk-Oversight 2020 Handbook – https://ecoda.org/wp-content/uploads/2019/08/ecoDa-cyber-handbook-Final-15.4.20.pdf

Impact of COVID-19 on Cybersecurity (PwC) – https://www.pwc.co.uk/cyber-security/pdf/impact-of-covid-19-on-cyber-security.pdf

CEOs face test of resilience in 2019 (PwC) – https://www.pwc.com/us/en/services/consulting/cybersecurity/PwC_CEOs-face-test-of-resilience-in-2019.pdf

Cyber Handbook 2020 (NACD ISA) – http://isalliance.org/wp-content/uploads/2020/02/RD-3-2020_NACD_Cyber_Handbook__WEB_022020.pdf

WEF Cybersecurity Platform – https://www.weforum.org/platforms/shaping-the-future-of-cybersecurity-and-digital-trust

Cyberattack Map – https://cybermap.kaspersky.com