Paula Loop, leader of PwC’s Governance Insights Center, will be speaking at The Boardroom Summit, April 23-25, 2018 in New York City. The event will provide corporate board members with an unparalleled opportunity to share ideas and exchange solutions to today’s greatest board leadership and governance challenges.
Q: Cyber risk has raised oversight to a new level. What should boards be doing to stay on top of it?
A: There are two ways to think about this. Individual board members need to stay connected to what’s going on with cyber. It’s a complicated area and probably not one that most directors have a deep expertise in, but I still think they need to try to stay current, understand the issues, pay attention to what’s going on in other companies and learn how to spot the trends.
From a board perspective, companies are continuing to do work and that work is never-ending. Most companies now are trying to think about their cyber program in terms of a framework and following a maturity scale related to that framework.
One best practice I would put forward is that boards should not hesitate to consult experts on this topic. So, while directors should be interacting with the company’s CSO, CIO or whoever owns cyber at their company, they should also consider getting input from outside advisers because it’s hard to have all the necessary skills in this area.
Q: In terms of the board agenda, how are the best boards handling their risk oversight duties? Is that responsibility falling to the audit committee or a separate risk committee?
A: I think it depends on each company’s board makeup and director skill sets. It also has to do with calendaring and workloads. So, that’s what I’m seeing boards think about when they’re making this decision.
Given that board agendas are already full, the concern is whether directors will have enough time to get through the added focus of all the things that would be part of a risk oversight exercise. As a result, companies are considering other options. Can the audit committee take this on? Or should we think about forming a risk committee?
One question I always ask is, “If you did form a separate risk committee, who would be on that committee?” If you can identify people who would be different from those individuals who are on the audit committee, I think you’ve got the basis to consider doing that. If the individuals you identify are the same people that are on the audit committee, then I think you have your answer. In that case, it probably doesn’t make sense to form a new committee; instead, you may need to expand the audit committee calendar. If you do think you would have different people who would add value and be able to take on the responsibility, then you need to figure out whether you can juggle their schedules to make it work.
Q: How can an outside investor gain comfort that a board has a good risk oversight plan, particularly regarding cyber risk?
A: This issue is going to get more and more attention, not only from the regulators but from investors and others. Companies are already required to put something in their proxy that talks about the board’s risk oversight. Many companies have a risk factor in their SEC Form 10-K related to cyber risk. And, like many topics, it is certainly an opportunity for boards to be more transparent about the good work that they are doing.
Outside investors will continue to ask for this kind of information and, depending on the relevance in the company’s industry, this is a topic that an investor might want to hear directly from a director about. We’re starting to hear more and more noise, if you will, from the investor groups and regulators about what the board is doing. Proactive boards will consider putting additional information in their proxies to explain more about this risk oversight activity.