This could be a significant year in the development of governance. Among the big topics in 2019, boards need to get to grips with cybersecurity, manage the changing nature of engagement and come to terms with the needs of diversity.

Cyber risk

As Mark Camillo, head of cyber, EMEA, at insurance provider AIG, explains in a recent article for Board Agenda: “There is no such thing as 100% secure.” This sets the tone for corporate attitudes toward cybercrime in 2019.

His comments come against a backdrop of rising awareness of and concern about cybercrime in the business community. Open any newspaper and on most days there is likely to be a story about the latest attack—or threat of attack—on a company or government office, compromising the data of thousands, sometimes millions, of people.

Last year a security breach at Facebook saw the data of 50 million users compromised; Fifa, the football body, saw 70 million documents leaked; two million US customers of mobile network operator T-Mobile had their data stolen, including their names, account numbers, billing details and passwords.

When it happens, security breaches cause companies lost revenue, reputational damage and potential regulatory action. The average cost of a data breach is now estimated to be around $3.86m.

The focus this year for companies is ensuring they have plans for dealing with a data breach, which needs to cover compliance issues, data protection, recovery (what happens after a breach) and education of staff on how to prevent a breach in the first place.

This last issue is critical. According to research by Experian, two-thirds of cybersecurity experts believe employees are the weakest link.

Insurance could also play a big part in the battle against cybercrime. Camillo says: “We are modelling risk, looking at attack probability, claims data, internal security controls and so on to build a picture of a company’s risk.

“This also helps with modelling risk costs and give companies clearer insight into what they need to do to reduce risk and insurance premiums.”

Kamal Bechkoum, head of the school of business and technology at the University of Gloucestershire, highlights the current risk to companies: advanced malware, stealthy computer network attacks and DNS-based data exfiltration.

In a recent article for Board Agenda, Bechkoum writes: “Cybersecurity cannot be solved by simply buying in more technology to patch problems. It is about taking a strategic approach to budget allocation that delivers genuine improvements in security and protection.”

One of those strategic issues is the location of data assets. According to Javvad Malik, security advocate at AT&T Cybersecurity, the advent of cloud computing and data storage has led to increased complexity in tracking the location of digital information.

On examination, companies often find their data is fragmented, stored in multiple locations with multiple cloud suppliers. Malik says knowing precisely where the assets are can “build confidence and trust with stakeholders”.

Another trend this year will be a growth in the engagement and knowledge of senior managers. Awareness is one thing, says Malik, but that’s not the same as “having your arms around the problem”. He warns large companies could remain vulnerable for some time to come because they have large legacy systems to replace.

Overall though, things are improving. “I’m optimistic,” says Malik, “because the way technology is being built now, it comes with a lot of security.”

He cites Microsoft as a case in point. More than a decade ago the company would not have been viewed as leaders in the field. “But they’ve made massive improvements,” Malik concludes.

Inclusivity

When it comes to inclusivity there is good news and bad. The good news is that women are making progress in the boardroom and elsewhere in business. Last year the Hampton-Alexander Review concluded that the FTSE 100 is “on track” to reach the 33% target for women on boards by 2020.

The celebrations were somewhat muted by news that in the FTSE 350 half of all non-executive and executive appointments would need to be women if the target is to be reached.

Fiona Hathorn, managing director of Women on Boards, sees two major drivers for women in leadership roles in 2019: regulatory pressure and demands for increased transparency. She points to a speech at the end of last year by Christopher Woolard, an executive at the Financial Conduct Authority, which signalled how important inclusion was from a regulator’s point of view.

“How a firm approaches diversity and inclusion tells us a lot about its culture,” he said “And the way firms handle non-financial misconduct, including allegations of sexual misconduct, is potentially relevant to our assessment of that firm, in the same way that their handling of insider dealing, market manipulation or any other misconduct is.”

This year will also be the second year of gender pay gap reporting, an important moment for observers hoping to see indications of change. In addition, firms will be preparing CEO pay ratio reports ready for 2020, another element that could prove important in highlighting the importance of diversity.

“We know diversity makes us better,” says Hathorn. “It enables innovation. Different people from different backgrounds enable problem-solving. Research also shows that diversity changes the way people think.”

The news is not so good for ethnic minority representation at board level. In 2017 Sir John Parker set a target for FTSE 100 companies to appoint at least one director from a minority group by 2021. In October a review of the Sir John Parker recommendations found just 84 of the 1,048 director positions in the FTSE 100 were occupied by leaders from an ethnic minority.

For Suki Sandhu, founder and chief executive of Involve, which helps promote minority group members to senior roles, many minorities—LGBT as well as ethnic groups—remain painfully underrepresented at board level.

Talent pipelines are diversifying but, he says, this has the greatest impact at middle and senior management levels. “The same still isn’t true for diverse talent being targeted or prepared for board or C-suite level positions.”

Sandhu expects to see more strident language in corporate diversity policies, where only around a third of the FTSE 100 include a specific mention of ethnicity.

“I’d like to see corporates do more to improve the diversity of their own pipelines from bottom to top—focus more on retention and development than just attracting diverse talent. When you get diverse talent to stay and to succeed—that’s when you know you have an inclusive culture,” says Sandhu.

This year could be important for more transparency of ethnic minority pay. January saw the government close a consultation on how such reporting might work. Sandhu says the consultation, along with gender pay gap reporting, is “sending a signal to business that it is no longer acceptable to carry on with the status quo”.

Compliance

When it comes to governance, companies across Europe, especially those in the UK and Germany, are facing major changes. Both countries have issued new codes, and in Britain’s case there are additional changes in the form of a new regulator for governance and reforms for audit committees as the audit market goes through a revamp.

Germany’s boardrooms are coming to terms with the first review of its code in 16 years, one that is geared to addressing rising levels of executive pay by offering companies the opportunities to clawback pay from underperforming executives.

The code has faced criticism, especially from investors concerned that the measures form a “one-size-fits-all” approach that may not suit some companies.

The UK code presents a number of challenges to boards in 2019. Roger Barker, head of corporate governance at the Institute of Directors, says: “This is a bigger year than usual with new codes coming into place.”

He sees two major compliance issues for boards: implementation of measures in the new code that insist on employee views being heard in the boardroom; and a provision that limits the tenure of board chairs to nine years, a move he says that could affect a number of FTSE 350 companies.

Engagement with the workforce figures heavily in the new code, with boards offered three options for understanding the views of employees: an employee appointed to the board; a formal workforce advisory panel; or a non-executive designated to gather workforce opinions.

Polls by ICSA: The Governance Institute have already indicated that companies are unlikely to go with an employee director, so it remains to be seen what choices will be made.

Barker also raises an issue of conflict many boards may feel acutely this year as a result of the new code. Principle A says the board should promote “long-term sustainable success of the company” which should be “contributing to wider society.” Principle B says the board should ensure “purpose” and “culture” are aligned. That’s fine until an activist investor arrives on the scene. And activism is on the rise.

“On the one hand there’s purpose, and on the other there’s the activist agenda, which is about realising short-term gains,” says Barker.

Alex Beidas, a partner and incentives expert at law firm Linklaters, warns boards they should pay attention to remuneration this year and the ability to cut or recover pay if things go wrong.

“Firms need to ensure that they’ve got the discretion to reduce remuneration for executives…because there hasn’t been enough discretion exercised in the past and remcos’ hands have been tied,” she says.

“It’s up to remcos and the companies to actually make those changes effective enough that they will be able to rely on them.”

The long term

When the Financial Reporting Council published a new stewardship code for consultation in January it included this definition: “Stewardship is the responsible allocation and management of capital across the institutional investment community to create sustainable value for beneficiaries, the economy and society.”

While the paper was ostensibly for investment managers, the definition underlines the centrality of managing companies for long-term value.

The point is further emphasised in the UK’s new corporate governance code, published in July: “A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society.”

If companies are to work on anything this year it will be ensuring their strategies meet these demands. Richard Howitt, chief executive of the International Integrated Reporting Council—a body dedicated to campaigning for company reporting that advocates long-term thinking—says prioritising purpose and long-term value has “gone global” and is now in the mainstream of business thinking.

“We are part of a movement. We are still living in the aftermath of the financial crisis where the impact of short-termism was felt,” Howitt says.

Last year, Barend van Bergen, an EY partner working on a project to encourage, measure and demonstrate long-term value creation, told Board Agenda: “Because there is evidence now that just focusing on the short term not only causes economic
damage and erodes trust in business, the question of balancing the short with the long term is at the forefront of the corporate agenda.”

Factors affecting the way businesses think long term include the growth of the knowledge economy and the growing importance of intangible assets, climate change and the demands from politicians and public that companies operate with a “societal purpose” front of mind.

Boards face a number of questions in 2019 if they are to ensure their companies are working for long-term value. These include pushing management to demonstrate their commitment to long-term value through strategies that align mission and purpose; disclosing and communicating plans to investors and stakeholders; listening to stakeholders and integrating their views; measuring and monitoring of executive efforts.

Measuring and analytics are likely to prove central to the pursuit of long-term value. There are projects under way to develop the right metrics, including the Embankment Project led by the Coalition for Inclusive Capitalism. This is important because investors increasingly rely on data to make decisions.

“Increasingly, data will help make the case [for long-term value],” says van Bergen. “Some investor groups, such as ‘quants’, do not interact with businesses at all, they just use data, and they are finding a correlation, and sometimes a causation, for long-term value.

“As these correlations become stronger, and quant investors more successful, boards will start pushing for more data. In this context, data enables rather than disrupts.”

Engagement

Boards get a good idea of what’s coming in the year’s engagement because many of the big investors are good enough to announce their themes in carefully worded letters.

Larry Fink, chief executive of BlackRock, says his engagement officers will be asking to hear about company purpose; State Street will be looking for alignment between corporate culture and strategy; Wellington Management will seek reassurance about “human capital management”.

Keen observers of engagement and investment managers will know this will be a big year for engagement, in Europe as well as the UK, for a number of reasons.

With sustainability and climate change dominating Davos and the news, boards will be pushed to explain how they are coming to terms with the challenge. This is not new, but this year will see a real demand from engagement teams for boards to explain how they will handle disclosures.

David Shammai, corporate governance director with Morrow Sodali, says boards will need to show how they are implementing disclosure guidelines from the G20 Task Force on Climate-related Financial Disclosures. Sustainability will require boards to come to terms with the investor agenda.

“It’s a material business issue, and an ethical issue,” says Shammai. But the other big topic he sees on the agenda is culture and how it is linked to business strategy.

“In the UK we have the new corporate governance code, which requires boards to oversee that culture is aligned with the strategy of the company,” he says.

Ali Saribas, partner at management consultancy SquareWell Partners, also sees the push on climate coming through. But it may manifest in a different way. “Some investors are really pushing for the UN Sustainable Development Goals to be considered,” he says, as a useful framework for corporate climate policies.

But engagement habits may be changing too. In Europe engagement officers will increasingly seek to meet with board members, a practice already well established in the UK.

In addition, engagement may take place with fund managers present, not just the governance experts. Engagement is also likely to switch to taking place all year round and not just during AGM season, a way for small engagement teams to get around to more investee companies.

“Investors are saying that speaking to directors is a good way of getting a sense of how the board is dealing with culture,” says Shammai.

Meanwhile, Saribas says of fund managers in meetings: “Discussions carry a lot more weight because it is the person making the investment decision, as opposed to someone making a decision on which way to vote.”