Here is a ‘top ten’ list of forward-focused governance issues, and what forward-facing boards of directors are doing—or should be doing—to govern more effectively under disruption.
1. Disinformation
Chronic disinformation, which can lead to radicalisation and conspiracy across the political spectrum, may reach into management and boardrooms, or be used to attack the corporation.
A cause of disinformation, which is the intentional passing off of false information, and of misinformation (the innocent or negligent passing off of what may be false information), is that social media companies are not treated as a publisher or a speaker would be, with the exception of criminal and intellectual property-based claims. As a result, political, business and other leaders, and foreign governments, promulgate disinformation.
What should boards be doing?
• Training on unconscious bias and techniques by threat actors to manipulate information, including by weaponising artificial intelligence;
• Training on validated, accurate, and reliable information and work product, and disciplining by companies and professional bodies of employees or professionals who pass on disinformation;
• Counter-explaining and awareness training on any denial, non-facts, or conspiracy indicators;
• Requiring that regulated media (for example, newspapers, TV, radio, journals) reach all directors and senior management, to balance social media algorithms, particularly for work-from-home or hybrid employees or directors;
• Requiring evidence-based and substantiated facts to ground all recommendations coming to the board;
• Being prepared to promptly counter rumours, exaggeration, or lies concerning the company, its directors or senior management, through fact-checking, challenge panels, triangulation, table-top exercises, and litigation as necessary;
• Engaging in reputation and brand control over disinformation, for vendors, the company, and employees, before hire and ongoing, and reporting exceptions to the board of directors; and
• Recognising and acting upon possible ‘tells’, if the board is being lied to.
2. Generative artificial intelligence (AI) opportunity and risk
Regulation and internal controls over generative AI are weak in the following areas: algorithms, bias, bugs in the code, disinformation, ethics, explainability, interpretability, privacy, security, and transparency.
Boards in certain industries, including technology, consumer, financial and professional services, healthcare and others, should have (had) educational sessions with management and external experts on the applicability of generative AI to the company and industry.
What should boards be doing?
• Reviewing auditing control standards adopted by management and tested by internal auditors as a condition of application of generative AI by the company;
• Having a line of sight to the controls, management competency, expected gains and opportunities, and peer industry use of AI;
• Ensuring the following occur: beta testing; enacting an AI usage policy; vendor validation; training dataset source and algorithm verification; human integration and limitation; audit trails; and confidentiality, privacy, copyright and compliance control assurance, all of which are best practices being adopted and overseen by boards; and
• Recruiting and disclosing director competency and expertise in AI, as applicable.
3. Controls over new and emerging risks
Management and internal audit may lag in designing and testing controls for new or emerging risks. Recent risks include AI, biodiversity, disinformation, emergency response, financial distress, fraud, geopolitical, ‘nth party’, regulatory, and wellbeing (or the equivalents), all of which are increasing.
New or emerging risks normally have immature controls and validation, which, if so, is the fault of audit committees and boards.
What should boards be doing?
• Approving a risk framework that is forward-facing, not retrospective (boards should look up and out, in other words);
• Requiring controls and resources to match the forward-facing risks, or not approving the risk framework;
• Ensuring auditor competency and resources match the control testing of forward risks in the work plan approved by the audit committee;
• Understanding the forward risks and controls, so they are cycled through at the board level, for example: table-top exercises, and mock exfiltration and bitcoin payment demand by threat actors, for cyber and AI; scenario planning for the effect of sanctions, tariffs, trade restrictions, and political regime change upon the company and industry, for geopolitical risk; and so on;
• Responding to generative questions by directors; and
• Greater use of technology and dashboards for boards to oversee risks in real time.
4. Financial stress testing
Bankruptcies and office vacancies are steadily climbing. Because of high interest rates, inflation, and pressure upon employees, regulators, audit committees and boards are becoming more active in the following ways:
• Pro forma financial stress testing for unfavourable conditions, to the audit committee and board;
• Training on director duties during financial distress;
• Audit committees recommending budget balance and debt policies to the board;
• Payback plan for capital expenditures, reviewed by audit committee in advance;
• Changes to delegated authorities to the CEO;
• Revenue diversification to avoid concentration or vulnerability risk;
• Full cooperation and transparency with external and internal auditors; and
• Audit committees reviewing expense, waste, cost management, and fraud controls.
5. Agility in disruptive times
Partnering behaviours between the board and management require trust, currency, credibility, and mutual respect for one another’s roles, and an orientation to consensus. Leadership behaviours during disruption for board chairs and directors include the right agenda, a bias to learn, preparation, and asking effective forward-oriented and contingent questions.
What should boards be doing?
• Strategic partnering, during business model and performance measurement development, and then pulling back to oversee execution;
• Revisiting committee and sub-committee structure, to oversee non-financial, core business performance, and emerging issues and risks;
• Revising calendars and work plans, to allocate appropriate items across virtual, hybrid, and in person meetings;
• Having futuristic, game theory, and scenario planning table-top exercises with the board;
• Greater use of shorter, more frequent micro meetings, with focus on pre-reads and discussion;
• Deliberative information layering, pre-narratives, hyperlinks, and consent agendas; and
• Greater availability and responsiveness for pivoting when required.
6. Increasing fraud and corruption
Opportunity, pressure, and rationalisation, in work from home and high interest rate environments, have resulted in occupational fraud and corruption increases in organisations with weak controls, including criminal exploitation of disruption, and employee bribery.
What should boards be doing?
• Board refresh on anti-fraud, corruption, organised crime, money laundering, and terrorist financing;
• Investing in technology to detect hot-spots, collusion, and local or deep control over-rides;
• Re-resourcing internal audit and compliance groups with direct reporting to the board;
• Authorising fraud audits under internal audit work plans;
• Using claw-back, malus, risk-adjusted pay, behavioural gateways, and just cause revisits in executive contracts;
• Background control testing for key employees, including links to organised crime;
• Strengthening of AML, procurement, cryptocurrency, and other fraud controls;
• Reviewing of management expense policies and controls; and
• Greater use of special committees.
7. Employee wellbeing and culture
Investor pressure, legal changes, government mandates, and COVID-19 have all generated focus on employee wellbeing.
Costs of flawed employee wellbeing may include absenteeism, brand and reputation impairment, coordination difficulty, mental health issues, morale impairment, productivity loss, succession difficulties, talent flight, and media leaks and adverse press.
What should boards be doing?
• Reviewing employee, wellness and exit surveys, and culture audits;
• Implementing or updating whistle-blowing programmes to detect toxicity and wrongdoing;
• Overseeing mental health resources available to employees;
• Tours and walk-arounds, and employee presentations at board meetings;
• Reviewing internal human resource governance structure;
• Reviewing training programmes and policies;
• Reviewing talent management and succession plans, total rewards policies, and critical labour relations issues, including collective agreements;
• Reviewing base and incentive pay structure for key employees and functions; and
• Thanking of employees by the board.
8. Working from home and meeting effectiveness
Just as most workplaces are not returning to exclusively five-day office attendance, boards are incorporating a blend of in-person, virtual and hybrid meetings, to enhance effectiveness, efficiency and output.
What should boards be doing?
• Approving virtual and hybrid board meeting policies, addressing equity, fairness, geography, effectiveness, and technology;
• Having robust books and records integrity controls for directors during hybrid and virtual meetings;
• Having cameras on during virtual meetings, with distraction restrictions;
• Investing in boardroom and director technology, including voice-activated, mobile or roving cameras and microphones; and
• Deliberative and flexible meeting agendas set by chairs.
9. Refreshing and offboarding
Surveys, year after year, indicate that many directors often believe that one (or more) directors should not be serving on their board.
Boards are, gradually, becoming less forgiving of director under-performance, in many forms, but especially in mistreatment of other directors or management.
What should boards be doing?
• Having term limits, with peer reviews to advance, and an overall cap in years;
• Having annual professional development plans for each director;
• Instituting deeper background and attribute checks for the director talent pool;
• Mentoring, competency, and behaviour upskilling;
• Appointing non-director committee members, to develop board-ready talent;
• Having larger, validated, and diverse prospective director evergreen lists;
• Setting less coaching time for director behaviour issues or recidivism; and
• Being more willing to carry out elegant and respectful offboarding and hold tougher discussions.
10. Further disruption preparedness
There are further disruptive risks that are not implausible in the medium or short term, including:
(i) Coordinated threat actor ransom over critical regional or national infrastructure (for example over commerce, energy, telecoms, transportation or water);
(ii) Depleted or inaccessible agriculture, emergency, financial, health, natural, or social resources, accompanied by predictive intelligence;
(iii) Extreme high net worth individual influence over policy or national infrastructure; and
(iv) Possible escalation of regional wars, or heightened civil unrest erupting in the United States. (See Disruptions on the Horizon: 2024 Report.)
Emerging risks, and how these risks affect the company and industry, are on good boards’ radar screens.
What should boards be doing?
• Reviewing business continuity and disaster recovery plans, tailored to extreme weather, service disruption, power outage, supply failure, active shooter, cyber-attack, civil unrest, or possible terrorism (including CBRNE (chemical, biological, radiological, nuclear and explosive));
• Reviewing ransomware plans, including controls, penetration, backup, rebuild, and threat actor communication;
• Reviewing scenario planning and response exercises, of industry, sector and company impact, based on high impact and plausible risk or events, with a line of reasoning;
• Presentations to boards by intelligence firms on geopolitical risks, industry impacts, and company responses; and
• Media training for CEOs, so they are camera ready for any crisis scenario or event.
Are you ready?
Boards of directors should never be in denial about what is happening, or what could plausibly occur, and how the company must be protected.
Companies do not fail. Boards do.
Dr Richard Leblanc is one of Canada’s leading experts on corporate governance and accountability.