Part V: Fireside Chats with the Board
So you find yourself in the boardroom, now what?
In my 90 minutes conversation with a Board Director, due to the sensitivity of the issues discussed, for the purpose of this article, I've initialled him as NK. I asked him his usual aggravations from having to sit through presentations being given to him in the boardroom, or as part of board conference calls.
"People needs to understand how the Board thinks, before talking to them."
Most people are unfamiliar with the environment of the boardroom, and what goes behind the scenes. In order to understand how the board thinks, it is important to understand WHO the board members are.
1. Most Board members consist of representatives from the shareholders and have mixed backgrounds
To begin with, it is worth noting that the board's main mission is to maximise the value of the shareholders' investment, though in particular cases, this could be detrimental to the interest of other shareholders (e.g. employees, consumers, etc.). Hence, the importance of finding a balanced outcome for both shareholders and other parties in a world market by heightened social awareness ("the need to preserve a social license to operate") and regulatory scrutiny.
In order to achieve that mission, the board should consist of directors with different but complementary experiences which could bring a holistic view in the decision-making process. In other words, the board of directors must be able to see the forest surrounding the tree, not just the tree itself. Practically speaking, this implies that for a company operating in the technology sector, the Board will not only consist of people with a computer engineering background but may also have people such as ex-regulators, tax experts, etc.
The structure of the board is determined in the shareholders agreement, a legal document executed by all the parties having a stake in the company. Rules of good governance would suggest that a minimum number of independent directors also be appointed to the Board to provide unbiased views and maintain checks and balances.
2. The Board has different committees created to evaluate technical decision
To operate more efficiently and leverage its resources, the board could gather some of its members with particular expertise into a committee which would address technical matters and provide views to the whole board to facilitate a decision. Depending on the industry, the following committees are usually formed: Audit & Risk committee, Regulatory committee, Remuneration committee, Capital structure committee, etc.
What do the committees e.g. the audit & risk discuss? What do they look at?
"Whatever you do in a company, you always need to take risks in order to generate returns. But the risk taken must be appropriate and thoroughly monitored. At the board level, the audit and risk committee will consider whether the risk register has been properly documented (identification and qualification of the main risks in relation to the internal processes, the tangible and intangible assets and the employees)."
"This register rates the various risks in terms of their probability of occurrence and impact significance for the company. It is the duty of the audit and risk committee to ensure that the company's management has elaborated and implemented a mitigation plan to limit the occurrence of risks as well as their significance before they materialise," NK continues.
This is done with the aim to preserve the sustainability/ resilience of operations as well as financial profits. This is why cyber is one of the risks that speaks to the Board.
Cyber is a risk.
In case a risk is very likely to occur on a daily basis, the company may need an internal permanent resource to monitor it continually. In other circumstances, an external temporary or periodic assistance may suffice. The board acknowledge that risks can't be eliminated but CAN be mitigated. This is incredibly important for the board as it will ultimately be held responsible if major risks damage the company’s business for lack of diligence (risks not identified and/ or properly managed).
3. Who shows up at the Board meetings?
First of all, the board meetings usually last two hours to half a day. It can happen at least every three months. They might call for extraordinary meetings on occasions they urgently need to make a decision or provide guidance to the management.
Meetings attended in person (vs via conference calls) are of better value as they give the opportunity to observe non-verbal expressions and have informal conversations.
Usually, the CEO, CFO and the Company Secretary attend these meetings. According to NK, the CTO seldom and rarely attends. However, based on my conversations with different organisations, it seems that there is a trend where the CISOs are increasingly being invited into the Boardroom. Some internal senior managers or external parties (e.g.: government agencies, advisory firms) can also be invited to attend a specific section of the board meeting agenda to present or discuss a topic relevant to their sector of expertise.
4. Behind the closed doors
It can happen that board members don’t necessarily wait till the actual board meeting to test their respective views and potentially reach a consensus. Pre and post every board meeting, many lines of communication are engaged amongst the different shareholders behind closed doors, especially when it comes to important decision.
At the board meeting itself, the management recommendations are either approved, rejected or subject to amendments requested by board members.
Ideally, the Board usually wants to come to a consensus. They want to avoid a deadlock. NK explains, "If there's a persistent sharp disagreement, this could eventually lead to a deadlock. In any case, the management is not be able to do anything until the board comes to a decision. Someone can even be a minority shareholder but still have a negative control if he/ she has a veto right. There needs to be an agreement amongst the shareholders according to the minimum approval threshold determined in the shareholder agreement document (e.g., minimum 80% vote)".
It is of paramount importance for Board members to understand each shareholder’s particular agenda, in order to influence their views and push through decisions. Informal lobbying often take place within the board itself when board members think of ways they can convince their peers of their own agenda. It is a game of influence.
5. How should one communicate with the Board?
Here are a few things to know when engaging with the board:
The board is expected to have read the board pack sent to them ahead of the presentation
Generally, 10 - 20 mins per presentation item followed by a period of questions
The Chair always provides an opportune time for board members to ask questions. It is the responsibility of the board members to ask questions and to have done their own due diligence
The material presented to the board must be relatively easy to understand for everyone since board members usually have different backgrounds. Total absence of questions could only be due to three causes: low strategic materiality of the discussed item, lack of interest or a lack of understanding
Every presentation must end with a recommendation in which the board must clearly know what they are asked to do as decision makers (approval or simply take note), what you need from them in terms of resources, what is the timeline for implementation, what are the risk/ issue the company will face (if applicable)
It is perfectly OK to take them out for informal coffees!
This is the finale of a Five-Part #CoffeewiththeCSuite Series: Part I: A Lesson from the World's very First CISO Part II: Coffee with a Former US President's CISO Part III: The View of Cyber Risk in the Retail Industry? Part IV: The CISO Strategy To read the entire collection of the CISO kit including global C-Suite insights and perspectives across industries, you can now get your very own Cyber Risk Leaders book in stores or the e-book on Amazon, Kindle or Google Playbooks. About the Author Shamane Tan is a published Author of Cyber Risk Leaders and the APAC Executive Security Advisor at Privasec, a leading and independent Security Consulting Firm. She has worked with exciting start-ups all the way to global organisations extensively in the Asia-Pacific region. Shamane advises the C-Suite and IT Executives on their business security posture to the reality of the challenges they faced from regulatory issues and cybercrime. She is also the founder of the Cyber Risk Meetup which is in four major cities in Australia, as well as Singapore. Her meetups offer Security Enthusiasts and Executives a unique platform to impart and exchange innovative insights.