Building an agile governance framework
Governance Playbook
Be ready to adapt successfully to changes affecting your business
Companies are operating in environments – both literal and figurative – that constantly evolve and change at a faster pace than ever before. From new regulations and technology to domestic political uncertainty, companies and the boards that oversee them must be able to identify emerging risks and opportunities and be prepared to adapt accordingly.
Corporate secretaries and other governance professionals play a key role in providing their board with the tools to help them fulfill their duties, including enterprise risk management. In this special report we provide advice from experts in the field on how to create and maintain a governance framework that helps the board, and therefore the company, adapt and respond to change.
‘It’s important to be able to adapt to the ever-changing needs of the company,’ says Carol Samaan, vice president, associate general counsel and corporate secretary at Healthpeak Properties, adding that at a macro level nothing has been ‘normal’ since the 2007-2008 financial crisis.
New risks and opportunities can arise suddenly or over longer periods of time. In the short term, a company could be faced with a crisis such as an emergency CEO succession, a government investigation, a catastrophic product failure or, as so many saw in recent years, a pandemic.
Over a longer period, changes might include regulation that requires new compliance work or board oversight, social attitudes toward issues such as diversity, emerging new technologies such as AI or broader geopolitical and military conflicts.
Governance frameworks include a variety of elements, from board bylaws and committee charters to individual director skills, group dynamics, emergency playbooks and technology. Short-term crises and longer-term trends in some respects require putting in place different elements but they also demand similar planning ahead of time, including board training and refreshment.
‘The purpose of any governance framework is to enable companies to manage risks and take advantage of opportunities,’ says Richard Gluckselig, vice president, associate general counsel and assistant secretary at Regeneron Pharmaceuticals. He notes that each framework is created without knowing what the future will bring and that it must be tailored to the needs of the business.
Sara Greenstein, president and chief executive of Axel Johnson and a board member at BorgWarner, notes that the Covid-19 pandemic has changed the way in which boards engage, particularly as an event that impacted everyone both immediately and simultaneously.
‘I think that has helped boards become more flexible and agile because you can now connect without having to travel like we once did,’ she says.
‘We can connect more frequently – albeit more briefly – and remain current… Since Covid, a lot has gone on in the world that’s impacted business. And so that need to stay connected in a more agile, flexible, frequent way has also been ever-present – and that has supported the sustained change to the way we engage.’
Boards must be ready for new risks and opportunities to arise suddenly in a crisis or over longer periods of time.
Key elements of an agile governance framework include board bylaws and committee charters, director skills and experiences, group dynamics, emergency playbooks and director training.
More than nine in 10 governance professionals think their teams need greater flexibility, according to a new poll conducted by Governance Intelligence. Almost two thirds (64 percent) of respondents strongly agree with the statement: ‘Governance teams need to be more agile in their approach to risk management in today’s environment’. A further 27 percent agree with the statement, with just 2 percent disagreeing.
It’s not only governance teams that need to be better at managing effective change, the poll suggests. Just 13 percent of respondents say no improvement is needed in their board’s ability to identify and adapt to new opportunities and risks facing the company.
Those who do see room for improvement believe there are several possible solutions. More than three quarters (79 percent) of respondents point to the board receiving better information from management, with the same percentage suggesting director training as a solution. In addition, 68 percent say closer involvement with the company’s general counsel and/or corporate secretary would help, with the same proportion suggesting recruiting director(s) with relevant skills/experience would be useful.
Beyond those options, a majority of respondents (51 percent) say improved board governance – such as updated bylaws or committee structures – would improve their board’s ability to spot and adapt to new opportunities and risks. Other suggestions include:
Board evaluation
Knowing responsibilities and not getting bogged down in day-to-day activities/operations but instead adding value to overall corporate strategies
Challenging management decisions
Governance KPIs
Strategic reviews.
Respondents were also asked to rank several issues in terms of their impact on governance activities. Cyber-security regulation, the topic of much discussion among professionals for some time, emerges as the most influential topic, with a quarter of respondents citing it as their top issue, a further 18 percent placing it second and 14 percent third.
Almost a quarter (23 percent) of respondents rank as their top issue shareholder activism, while executive compensation is named as the most impactful topic by 16 percent and one in 10 respondents ranks human capital regulation top.
Broadly speaking, shareholder proposals, climate disclosure regulation and the universal proxy do not rank as highly among respondents as issues impacting their company’s governance activities.
Every board must be ready to oversee its company’s preparation for and response to crises. Those may include the sudden departure of a CEO, a corporate scandal, an aggressive shareholder activist or a regulatory problem.
One of the most common types of crisis, and one that is posing new regulatory questions following the introduction of new SEC rules, involves cyber-attacks (see Cyber-security is top of mind). The Covid-19 pandemic also forced companies to see how well their governance frameworks were placed to enable them to adapt to radically altered circumstances.
The necessary ingredients for a board to have the right governance set-up are varied, but all experts agree there needs to be a playbook that can be called upon in a moment of crisis.
For example, if there is an emergency CEO succession, a playbook can spell out who at the company is in charge until a permanent replacement is appointed. A playbook for dealing with a variety of crises could also include directions on:
How to assemble a board meeting quickly
How to ensure an emergency board meeting can be conducted confidentially, given that directors may not be accessible via the usual secure technology
Which internal functions are to be contacted to lead a response – for example, legal and investor relations teams
Which external bodies should be contacted – for example, regulators, outside counsel and communications firms
Who is authorized to speak to the media.
The degree of specificity in the playbook will vary depending on the type of crisis involved and the thinking of those involved.
There is a need to balance having clear and detailed instructions with leaving room for flexibility. It is important to acknowledge that every situation will be different.
Chris Weber, managing counsel for corporate, securities and governance at McDonald’s, warns against having overly prescriptive crisis plans. For example, it is important to lay out who should be ‘in the room’ but not necessarily exactly what they have to do, he says. If a company has a policy laying out a detailed list of steps to be taken in a situation such as a cyber-attack and one of those steps is missed, the SEC might perceive that there has been a controls violation, he notes.
On the other hand, he continues, enterprise risk management is the board’s responsibility and not having a playbook in the event of a crisis could be used as ammunition if a shareholder wanted to target a director at the next AGM.
Boards need to be aware of the crisis playbook and what it entails. Governance experts also recommend that management takes part in regular – ideally annual – tabletop exercises to ensure all relevant parties are aware of their responsibilities and to review whether any updates are necessary.
Greenstein says boards should be involved in tabletop exercises and make sure the playbook is updated each year. Another board member tells Governance Intelligence that playbooks and tabletop exercises should set expectations for directors.
One of the most common types of short-term incidents boards need to prepare for involves cyber-attacks and complying with related SEC rules.
Management and boards need playbooks on how to deal with a variety of situations.
Playbooks should be tested annually and reviewed for any necessary updates.
Playbooks should balance detail with allowing for flexibility in response, depending on the nature of the event.
Keep boards in the loop on crisis planning.
An online survey conducted for this report finds that, among other issues such as executive compensation and shareholder activism, cyber-security regulation is most frequently cited as having the greatest impact on governance activities.
Under SEC rules that went into effect at the start of 2024, companies must report on a Form 8K material cyber-security incidents within four business days of determining that the incident is material. The rules also require companies to make disclosures in their Form 10K filings about their cyber-security risk management, strategy and governance. Companies must describe their processes for assessing, identifying and managing material risks from cyber-security threats.
Governance professionals have been asking questions about both the 8K and 10K requirements, including how to determine whether an incident is material and how to meet the SEC’s expectations while not revealing information that could raise security or liability risks. Data that emerges from companies’ responses this year will help provide answers.
Michael Rouvina, assistant general counsel for corporate governance and securities at Lumen Technologies, is among those whose company has a playbook for dealing with cyber-incidents. Among other things, the playbook makes clear when an incident needs to be escalated to the board. He explains that strong disclosure controls and procedures are needed in this area and that Lumen has worked on deciding who drafts disclosures, who vets those disclosures and who can talk publicly about cyber-incidents.
A key ingredient in a flexible governance framework is drafting effective board bylaws and committee charters. ‘Charters are something I think can often be overlooked until they matter – and when they matter, they really matter,’ Greenstein says.
As with crisis playbooks, charters and bylaws cannot be written with the knowledge of every possible eventuality, but they should be reviewed regularly and refreshed as necessary to take account of changing circumstances, governance professionals say. For example, there is a need to ensure committees are properly authorized to deal with specific issues such as the SEC cyber-security rules, Samaan notes.
One trick to this is keeping track of what peer boards are doing. Rouvina says Lumen benchmarks its charters with other companies and looks at whether there are rules coming down the pike that might necessitate changes. For example, he says the company made changes to its charters in anticipation of the SEC’s cyber-security and climate change disclosure rules. He adds that it is best practice to treat this area as one requiring continuous improvement.
‘As a corporate secretary it’s important to keep your eyes on your company and peer set and make sure you’re not falling behind on any governance topics,’ Gluckselig says. ‘Try to learn from the best.’
In addition to keeping track of changing SEC rules and exchange listing requirements, corporate secretaries should ensure they stay up to date on governance feedback from investors, he adds.
To that end, his team keeps a running list of comments from shareholders and other stakeholders. But he cautions against making ‘knee-jerk’ changes in response to certain developments. Rather, he says, it may be better to digest and see where those developments are headed.
Gluckselig explains that although it is not too difficult to update board documents, there still needs to be a process laid down that details how this happens and which allows for reviews of the documents at least annually.
Board bylaws and committee charters should be reviewed regularly and refreshed when necessary.
Keep up to date with new regulations that may require changes to board documents.
Keep an eye on what peer companies are doing with their board documents and consider investor feedback.
Of course, boards need the right mix of experience, skills, diversity of thought and other attributes if they are to be successful. That pertains as much to being flexible in the face of long-term and short-term changes as it does to other aspects of the board’s duties.
There continues to be debate about the need to have board expertise on specific issues such as AI, cyber-security or climate change. But a broad range of governance experts agree that, notwithstanding specific industry knowledge relevant to the company, it is often more important to have a diverse range of individuals who can ask management the right questions, use that information effectively and are flexible in their approach and outlook. A single director expert on, say, cyber-security might attract too much deference in that field, observers argue.
‘You have to trust true cyber-experts in the company’s leadership,’ Weber says, adding that the board’s oversight role is to ensure the company has good plans and people in place. It would also be impractical – or impossible – to have an expert on every new risk that emerges.
Gluckselig emphasizes the importance of having a well-rounded, experienced board with members who are ‘battle-tested’ in dealing with issues such as activist defense. He also points to having the right mix of tenures among directors, particularly at companies in highly regulated industries, to enable the transfer of institutional knowledge from longer-tenured directors.
Outside of diversity of background, experience, thought and skills, boards also need members – and governance teams – who are willing and able to adapt to different circumstances. For example, one board member notes that dealing with the Covid-19 pandemic forced boards to shift from day-long in-person meetings to shorter Zoom calls. This in turn required those taking part to concentrate on being concise and prioritizing the most important information in board materials.
Experts also comment that when looking at board members’ attributes it’s important to consider issues including potential over-boarding, whether a candidate already has a full-time day job and whether he or she will make the board a priority. In other words: will that director candidate be available when needed?
Boards need the right mix of experience, skills, diversity of thought and other diverse attributes to address short-term and long-term changes.
Experts on specific topics may be helpful but having a good balance of directors with the ability to think broadly is most valuable.
Are your directors flexible and ‘battle-tested’?
Another key to ensuring the board is ready to adapt to changes and oversee evolving risk management is education, training and associated briefings. Corporate secretaries and other governance professionals play the central role in making sure the right information gets to the board, either directly from them or through in-house or external experts.
‘The importance of director training is directly tied to the health and wealth of the organization the board is overseeing, because if [the board] is fully informed and knowledgeable about what’s happening in the industry it’s supporting and/or the regulatory framework, it can give much better advice and counsel to the executive team,’ comments Angela Grant, chief legal officer and corporate secretary at Palomar Holdings, in a recent episode of Governance Intelligence’s Governance Matters podcast.
It’s important to tailor director training to the needs of the board and individual directors, governance experts say. ‘We typically try to have any sort of director training that’s in person during the time we’re all together… I think people learn from each other, and it’s much easier to ask questions when you’re all sitting around the room together,’ Grant says. ‘But sometimes, you know, we may have to have people just do their own individual training and then come back and share what they’ve learned, which is also great.’
Samaan describes board education as an area ‘where corporate secretaries and other governance professionals can shine.’ Among other things, her team tells the board each quarter about the educative opportunities open to them. She says it’s important for directors to meet with peers as part of this process.
In terms of agile governance, one board member emphasizes the need for directors not to be solely passive when receiving briefings in meetings and board materials. They should have an effective relationship and dialogue with management to say what they need, the board member says. For example, directors should be willing to say they need better board materials with helpful executive summaries, not simply voluminous documents.
Regulation is an important topic on which the board needs regular updates, not only because of potential compliance efforts but also because it may impact the business itself.
‘We don’t like [directors] to hear about [regulatory issues] from other companies where they’re on the board,’ Weber states.
Political developments including ‘anti-woke’ laws mean it is becoming increasingly important to monitor regulation at the state level. Experts say they keep up with regulatory developments and board education needs through outside counsel, industry groups, reading updates and institutional investor policies, general news and talking to board members, among other things.
Make sure the board is up to date on all relevant issues, including regulation.
Help develop a productive dynamic between the board and management to ensure the right information is shared and in the most effective manner.
Tailor director education and briefings to the needs of the business and individual directors, using a variety of sources, including consultation with directors.