Brian Stafford is Chief Executive Officer of Diligent Corporation. Brian assumed the role of CEO in March 2015 and is responsible for all day-to-day operations, with a focus on accelerating global growth and incorporating scale into the business in order to seamlessly manage the growth.
A decade of economic turmoil, regulatory reform, and technological change has reshaped how corporations must do business today. Yet for directors, governance often proceeds in “business as usual” mode. How can boards make use of new board mandates and technology to regain their oversight edge?
From December 2007 to June 2009, the United States economy was in recession and shed more than three million jobs. The markets declined by trillions of dollars as organizations like Fannie Mae and Freddie Mac were taken into government conservatorship. Companies like Lehman Brothers, now infamously “too big to fail,” failed, causing a ripple effect through the global economy that we still feel today.
As the fallout took its toll, the world demanded to know what happened and what was going to be done to prevent a similar catastrophe in the future. The financial crisis led to questions and calls for reform to protect consumers and the greater global economy from high-risk financial engineering.
Less than a decade removed from the recession, we have seen sweeping reforms enacted. Directors and senior management have been working hard to adapt to new regulatory requirements and better understand their evolving responsibilities. There is a growing consensus that compliance and security best practices should not just be observed by directors and senior management. These are business interests that need to be enculturated and pushed from the director level down.
How leaders understand and adapt governance to meet these new regulatory demands will in part determine how effective their companies are in the future. With leaders wanting to do the right thing on compliance and security, executives are looking to technology to help them be as compliant and secure as they can possibly be. It is becoming clear that compliance is an investment worth making, especially as people-heavy compliance initiatives can now be made more efficient and effective using big data and technology.
REGULATORY BLIND SPOTS
The conditions that led to the financial crisis have been well documented; however, a high-level review bears repeating. The Sarbanes-Oxley Act of 2002 grew out of calls for reform as several companies, most notably Enron and Arthur Andersen, were embroiled in scandal over various ethical and legal violations, including fraudulent accounting practices and insider trading.
Sarbanes-Oxley called for national accounting standards, new regulations, and holding CEOs and CFOs directly responsible for companies’ financial reporting. The law also required additional outside auditors to monitor the accounting activities of public companies, introducing new layers of objective observation to protect against the potential of ethical lapses. Many in the business community responded negatively due to the increased cost of doing business and potential to slow day-to-day activities.
The legislation, however, did not stop the meltdown in the housing market that began in 2008 and led to the recession. At its core, the financial meltdown was the result of government policies, which led to high-risk lending practices, which created a bubble in the housing market that eventually popped.
Detractors suggested that legally required independent auditors were too cozy with the companies they were working with. Others suggested that executives were so overwhelmed trying to meet existing regulatory requirements that they lacked the bandwidth to spot actual wrongdoing.
Whatever the case, a similar set of criticisms is now being levied against 2010’s Dodd-Frank Act, the legislation that emerged from the financial crisis. Dodd-Frank substantially increased the number of regulatory agencies responsible for overseeing financial activities for U.S. companies, extending regulations beyond those originally signed into law with Sarbanes-Oxley. The act also created several more regulatory layers for businesses to navigate.
A CHANGING WORLD
As all of this legislative activity was taking place, new technologies simultaneously converged to change the way that business is conducted. The early part of the 21st Century saw the global marketplace digitized, enabling a truly 24/7 economy. Laptops started the trend of working anywhere, anytime. Smartphones have extended that capability, allowing users to address business-critical issues as they occur from almost anywhere on the planet.
In addition, the rise of big data means that massive amounts of information are becoming available in real time. This offers companies the opportunity to understand consumer behavior and market reactions in new and profound ways. One good example is how PayPal is partnering with the U.S. Department of Commerce to analyze pools of economic data to study broad patterns in consumer behavior and boost American jobs and exports, by discovering previously unnoticed opportunities.
Further, while globalization and technological advances helped increase productivity, significant new risks also emerged. The introduction of mobile devices and the consumerization of enterprise IT have created new vulnerabilities. These increasingly fall outside the perimeters of traditional corporate firewalls, and thus, outside the realm of traditional network security. Malicious software now has dozens of new entry points into a company’s environment.
Over the past several years, a number of factors have contributed to the need for increased transparency and consideration around corporate governance practices. These factors include education, cybersecurity, diversity and activism.
As a result of the need for increased transparency around corporate governance, directors had to increase their regulatory education. They must learn to leverage new technologies, diversify their knowledge base and respond to the activists who reacted to corporate failures by demanding a greater say in governance.
The financial crisis and the legislation that came with it created new standards for boards related to reporting compliance and security. As a result, directors must be more educated on governance- and compliance-related issues, and have the right experts available to brief them.
Given the rapid rate of technological advancement, a quickly expanding gap between boards and IT departments began to reveal itself. For example, boards that believe that their data security is strong enough may still fail to understand the nature of data attacks, which have fundamentally changed over the past ten years. Attacks that were once perpetrated by lone hackers are now a lucrative criminal enterprise carried out by nation states, organized crime groups and whistleblowing activists.
High-profile data breaches have threatened some of the largest companies in the world, perhaps most famously Target and Sony. Attacks against the U.S. Office of Personnel Management and the website Ashley Madison have kept the issue at the forefront for consumers and businesses. The attacks have brought international attention to current data security inadequacies. Further, groups such as WikiLeaks have built an infrastructure where activists can disperse information widely and instantly. These vehicles for mass distribution of stolen information can exacerbate damages from a data breach.
PREPARE FOR THE FUTURE
JPMorgan Chase’s Response
JPMorgan Chase’s response to the tumultuous aftermath of the Great Recession has put the company in a far better place in terms of compliance, infusing a greatly heightened awareness of compliance issues throughout the firm’s more than 260,000 employees.
According to JPMorgan Chase Chairman, President and CEO Jamie Dimon – who has at points complained about the new regulatory environment – the firm has deployed big data solutions and other technologies to increase the efficiency of its compliance officers over time, with the ultimate goal of greater efficiency in meeting regulatory demands. The company has also implemented far-reaching government-mandated stress testing in addition to its own homegrown test in terms of data security. The firm spent $250 million on security measures in 2014 and says it is increasing this spend by 80 percent over the next two years.
Sound financial acumen and a solid grasp on present-day market realities could be the reason that JPMorgan Chase is doing well; the company certainly had a record 2014, with almost $100 billion in revenue. Dimon noted its positive long-term growth potential in his annual letter to shareholders, suggesting that even if new regulatory requirements can cause firms headaches, they ensure that institutions can weather the storm by taking such proactive measures to remain in compliance.
While corporations have become more diverse and global, the demographic of boardrooms has remained relatively consistent. When the financial crisis hit, leaders of affected organizations were accused of “groupthink” denial about the reality of real estate markets and their potential to cause wider damage.
Attention was called to the lack of diversity on corporate boards. The feeling was that people of different genders and ethnic identities, with different backgrounds and experiences, may have been able to break through common thinking, and that the lack of diversity in the boardroom limited leaders’ ability to see past their own very similar points of view.
Finally, investor activism has increased in the past decade, with some shareholders making attempts to force change. Activist investors have recently had some success in affecting the corporate activities of companies as huge and diverse as Apple, GM and Macy’s, compounding the difficulties and responsibilities that directors face.
At the board level, companies have taken steps to avoid exposure to potential liability and a weakened competitive position. Companies have begun to make the cultural and technological changes necessary to improve corporate governance practices. Directors and senior management are now working to better understand the subtleties of governance and drive regulatory compliance from the top down, seeking out opportunities to build a culture around compliance with engrained awareness of security concerns. We will examine key steps taken through some of the same lenses examined earlier.
Corporate leaders are ensuring that the tools and technology are in place to meet regulatory requirements and detect violations more quickly. These include increasing the number of on-staff and independent compliance officers to better communicate regulatory concerns to board members and senior management. Further, companies are providing better training on compliance at all levels, and introducing technology that will play an increasing role in driving efficiency and effectiveness.
Chief Compliance Officers and Chief Information Security Officers are also being appointed. These give boards and executives a better understanding of the risks that they face, from operations to IT, and can correct vulnerabilities.
As Kim Nash wrote in The Wall Street Journal, the appointment of chief information officers to boards is on the rise. Companies across various sectors now realize that future growth and risk mitigation depend on the organization’s ability to stay ahead of the technological curve.
Boards are also working to ensure that companies automate compliance processes wherever possible in order to reduce the risk of human errors. For example, improved information management and workflow tools enable secure collaboration when the board and senior management review confidential materials, allowing versions to be tightly controlled by administrators. Directors are also overseeing the deployment of data security solutions that actively protect against data attacks in mobile environments.
Efforts to increase diversity of gender, ethnicity, experience, age and background among board members and C-staff are growing. This inspires different ways of thinking about business and governance.
Companies are taking appropriate action at the leadership level and communicating with potential activists before problems arise. This helps to mitigate the perceived risks that lead to activism in the first place.
In conclusion, the cost of failing to keep up with best practices in governance and compliance may be the best reason to make this a core component of your company’s culture. What may seem like a financial innovation or a security lapse can quickly cost billions of dollars in fines or reputational damage.
Bringing compliance into the wider corporate culture in order to avoid these kinds of hurdles before they present themselves is critical, and creates better value for shareholders. Despite the sizable investments that are sometimes required, these efforts almost always prove to be a net positive when compared to the potentially costly results of a crisis that could have been prevented.
This article was submitted by our partners at Diligent Corporation. Diligent is the leading provider of secure corporate governance and collaboration solutions for boards and senior executives. For more information visit Diligent.com
About the Author
Brian Stafford is Chief Executive Officer of Diligent Corporation.
Brian previously served as a Partner at McKinsey & Company, where he founded and led their Growth Stage Tech Practice. While there, he concentrated on helping Growth Stage Technology companies scale faster and did extensive work with Software-as-a-Service (SaaS) companies, focusing on growth strategy, sales operations and strategy, pricing, international growth strategy and team building. Prior to his tenure at McKinsey, Brian was the Founder, President and CEO of CarOrder, a division of Trilogy Software based in Austin, Texas.
Brian holds a Master’s Degree in Computer Science from the University of Chicago and a BS in Economics from the Wharton School at the University of Pennsylvania. He currently lives in Manhattan.