Board members are in the hot seat, or to put it another way – they are in a hot kitchen. The question is whether they can stand the heat of the hot kitchen.
Plaintiff’s lawyers are out in full force these days, ready to sue any company board when a major catastrophe hits. In the aftermath of the massive data breach suffered by Target, plaintiff’s lawyers are now suing Target and its board of directors for breaching their fiduciary duties by ignoring the warning signs that a data breach could occur and failing to ensure adequate cyber-security controls.
Similar lawsuits are filed in response to every corporate miscue and disaster. The issue always boils down to whether or not the board ignored warning signs of impending trouble, or, put another way, whether the board addressed those risks that are reasonably foreseeable. Many misfortunes, such as employees engaging in bribery, cyber-attacks, and data security breaches, are becoming more common and “foreseeable” for corporate planning purposes.
Corporate boards need to pay more attention to the risk planning process and ensure that management adequately addresses the risk issues. The board has to exercise due care to ensure that safeguards have been implemented to address foreseeable events.
As a first step, the board should make sure that management has a robust risk identification and management process. Management should be required to explain this process to the board and demonstrate that it has adequate plans in place to respond to any significant risk that might occur.
This risk assessment process should not consider risk in isolation but in conjunction with the company’s strategic business objectives.
The board should focus on a fairly common list of significant risks, some of which may be more relevant than others to the specific business:
Crisis Management: Does the company have a crisis management plan to respond quickly to a serious negative event? Planning for these events is even more important in this era of instant news coverage and media reaction.
Data Security: Does the company adequately address data privacy and security, especially given the proliferation of cloud computing, social media and mobile platforms?
Government Enforcement Action: Has the company identified its most significant legal and regulatory risks, and has the company developed a response plan for the execution of a search warrant, the serving of a grand jury subpoena or any other government action?
Product Recalls: Product recalls can have a serious negative impact on a company but are a fact of life for auto companies and other industries. Besides litigation and government enforcement actions, the reputational damage to a company can be significant.
Shareholder Activism: Large shareholders are relying on organization and even litigation to seek change in the company’s operations. Companies subject to this risk have to develop plans to respond to large activist shareholders who can disrupt business operations.
Executive Compensation: Companies have to ensure that their executive compensation program adequately balances the need to create positive incentives for performance against the risks of a serious negative event. A company that has large data security and legal enforcement risks has to take that into account when creating an appropriate executive compensation package.
Social Media: Does the company have a strong social media presence, and, more importantly, does the company have adequate policies to protect against the improper use of social media by employees and the communication of confidential information?
Intellectual Property: If the company’s intellectual property is a critical asset, does the company have adequate protections in place?
Corporate Social Responsibility: Does the company have a strong image of social responsibility, such as care for the environment, labor conditions and other important social issues?
Insurance: Risk management includes ensuring appropriate insurance coverage. A review of insurance policies while assessing risks has to be part of the overall risk management process.