Navigating Risk & Reputation in a Digital Age
December 4, 2019
This article was originally published in the Fall 2017 Issue of Listed Magazine and features perspectives from our faculty members Richard Leblanc and Kim West.
The list of cyber victims is long and growing: No organization is too cool, too savvy or too critical in its core mission to avoid a hack attack. For institutions experiencing these silent yet lethal invasions, the repercussions are vast and incalculable.
Client privacy is invaded, customer loyalty is eroded, corporate reputations are threatened, huge remediation costs are incurred, and finger-pointing ripples up the ranks to the C-suite and the board of directors.
The common refrains are: Why weren’t you prepared? Where was the crisis management plan? And where were the directors? The damage to reputation can last for years, compounded by the cascade of social-media attention that can rain down upon an inattentive management and board.
“Every organization at some point will face a breach,” concludes Kim West, partner and chief client officer for National Public Relations and a teacher in risk management and crisis communication at The Directors College. “It is not if but when.”
Yet cyber security still ranks relatively low among directors’ lists of enterprise risk concerns, according to various surveys of board members – well below other financial, strategic and operational perils. Directors know the risks are out there, but do not grasp the scale of the potential damage.
This inattention happens at a time when every organization — large and small, profit-seeking or non-profit — must have a digital strategy for value creation, or to cope in a disruptive environment. Yet that comes with the attendant perils of being hyper-connected, and vulnerable to the vortex of cyber attack, social media firestorm, and unprecedented demands on crisis management and communication.
“The iPhone can put your brand in play in five minutes,” says Richard Leblanc, a member of The Directors College faculty who is an academic authority on governance and ethics. “Boards tend to freeze up; it hits the social media, and you are on the news that night.”
“If you are reacting after the fact, you are scrambling and people notice that.”
A moment of truth came in late 2013, when a cyber breach hit the big U.S. retailer Target, potentially exposing the personal information of 70 million people. When a proxy advisory firm recommended that most of the board be replaced because of a lack of oversight, it sent a chill through corporate boardrooms.
The reality is that many directors still lack the tools for understanding the digital world. Nowhere is this more evident than with social media, which offers great leverage in marketing, communications and customer analytics — and a window on how the brand is seen in the wider world.
Yet many a corporate director will still say, “I don’t do Facebook,” or “I don’t get Instagram.” Directors can be so out-of-touch, they do not know the potential for leveraging a Facebook presence or its central role in crisis communication.
Directors, of course, come from many backgrounds. In some organizations, they trend older, often chosen for deep knowledge and wide experience in financial, legal and talent-management matters. That is valuable input, but it often comes with gaps in digital experience.
“Everybody is trainable and that is where The Directors College comes in,” says Leblanc, who teaches a session on audit committee priorities in the Chartered Director program. Even learning the language of digital commerce is valuable. Besides such education tools, he also advises boards to maintain expert sources, independent of the company, to help bring them up to speed.
Kim West says the approach should reflect a general mindset on all risk. “Boards that are well organized and attuned make sure, in the regular course of business, that they ask good questions: What is our policy? Our risk tolerance? Our reputational risk? Do we have a plan?”
“Asking those questions before an incident happens pays huge dividends,” she says. If something happens and there has not been due diligence, management has to deal with the crisis at the same time it is scrambling to maintain the confidence of the board, West explains.
For West, the new imperative of cyber awareness underlines the need for increased board diversity of all kinds – age, gender, communities, and skill sets. West sees value in The Directors College’s short program on innovation governance, which explores the value creation but also the complexities and risks of an innovation strategy. This balance should be the goal of any organization, and thus any board, she maintains.
Clearly, more data is needed on how boards are performing. Michael Hartmann, principal of The Directors College and professor of human resources management at the DeGroote School of Business, McMaster University, is working with Jean-Philippe Deschamps, emeritus professor of innovation management at IMD, in Lausanne, Switzerland, on a global survey on how boards are responding to issues of innovation and disruption. (Deschamps is an instructor in The Directors College’s Innovation Governance program.)
This need for board awareness is enhanced by the emergence of a new breed of corporate officer focused on digital value creation and risk – such as a chief digital officer or a chief information security officer. A Conference Board of Canada briefing outlines the evolving relationships as these new officers seek more direct reporting lines with the CEO, but also take their concerns to the board.
And audit committees, which are on the front line of such discussions, are increasingly asking to meet directly with corporate officers specializing in risk, compliance and internal audit – and often without the presence of the CEO and CFO, Richard Leblanc says.
Yet there remains this understanding gap. The Conference Board of Canada concludes that many directors do not classify cyber security as a top strategic threat, do not believe they possess a high level of readiness, and do not give high marks to the information they receive. On the other side, those presenting to boards do not feel their presentations are being heard. This gap emphasizes the need for new skills and attitudes on both sides.
It heightens the value of experiential learning for directors – through case studies as well as by role-playing exercises of the kind found in the Chartered Director program. “It puts the director in the room so that when it actually happens, you have gone through it,” Leblanc says.
All this becomes more imperative as we enter the age of the internet of things, when everything from toasters to teapots will be linked to networks. That magnifies the potential rewards of connectivity, but also the risks. If directors are not already preparing for this digital transformation, they will not be part of the solution – they will remain part of the problem.