Where’s the Board? Questions for Equifax

Gary Cook is Managing Director of Cook & Company. This post is based on a recent publication by Mr. Cook.

On Tuesday, October 3, 2017, Richard F. Smith, the former CEO of Equifax, testified before the House Energy and Commerce Committee. In his apology for the exposure of sensitive personal information on nearly 146 million Americans from Equifax’s files, he indicated that an “individual” in Equifax’s technology department had failed to heed security warnings and did not ensure that the software fix that would have prevented the breach was applied.

Mr. Smith has already paid a price for Equifax’s mistake by stepping down as CEO; the jury is still out as to whether he will be allowed to keep tens of millions of dollars in severance.

To complicate matters, the Chief Legal Officer of Equifax approved stock sales by three senior executives in the days after the breach was discovered but before it was disclosed.

Interestingly enough, in several articles in the popular press about this incident the Board of Directors of the company was never mentioned. Does the Board have no culpability here? Did the Board set the right expectations for the CEO and senior leadership team? Did the Board of Equifax periodically evaluate the CEO and senior team against those expectations? And could such a process have likely kept this incident from occurring?

At this juncture it is hard to answer any of these questions with certainty, except the last: obviously it is impossible to know which steps would definitively have prevented such a massive data breach.

The purpose of this article, however, is to assert that Boards must set more granular expectations for CEOs and senior leadership teams, whether or not the law requires them to do so. Advances in technology not only increase cyber security risk; they also speed up the dissemination of information and accelerate business operating cycles. This means that Boards must be much more engaged with their senior teams if they are to avoid, at a minimum, the reputational damage that follows from a failure to engage, to say nothing of the potential for adverse legal consequences.

Equifax is not an isolated example of a potential lack of Board engagement. From the recent Wells Fargo scandal back through a long line of similar events, one can discern a pattern of Board disengagement. The author himself has seen, in his Board consulting practice as well as in his own observation, repeated examples of such disengagement, and the loss of hundreds of millions of dollars in value and of inestimable reputational capital as a result of these failures.

What is the chain of logic that suggests that Boards should become more deeply involved in setting expectations for CEOs and senior leadership teams?

In virtually every organization only the Board, as the representative of the owners of the enterprise, has both the perspective necessary to conceive of the strategic and ethical imperatives by which the organization must live and the ability to set expectations around those imperatives for the CEO.

Example: Equifax. However the facts eventually come out with regard to the role of the Board in this matter, one thing is certain: only the Board had the perspective to weigh appropriately the value of consumers’ willingness to grant Equifax access to their data. While the customers of Equifax (the businesses, individuals and governments who rely on the credit reports it generates) are of critical importance to the business, the fact of the matter is that, strategically, the most important stakeholder in Equifax’s value chain is the consumer who, at least implicitly, grants Equifax the right to dig into his or her financial affairs in order to provide credit-related insight to Equifax’s customers.

From the above observation flows the notion that the Board has an opportunity, if not a reputationally driven obligation, to engage the senior leadership of the organization in a discussion of what the Board’s expectations are for the organization in valuing its relationship with its consumers.

From the above notion, then, it is an easy step for the Board to set expectations for the senior team with regard to the very few levers of management that are available to create value in an organization. Those levers are:

  • Strategy
  • Structure, including information flows and decision rights
  • Culture, including values and behaviors
  • Metrics and incentives
  • Business processes and information technology
  • Leadership
  • Skills and competencies

The reason to look at all of these dimensions from the Board perspective is that high reliability organization theory (HRO theory) posits that virtually no disaster, catastrophe, or major reputational issue has a single point of failure. This is not to say that Mr. Smith of Equifax was wrong when he said that a single individual failed to ensure that a security patch was applied; but that is only the proximate cause of the issue here. In security terms, a missed patch becomes a breach only when the controls that exist to catch a missed patch (an accurate asset inventory, vulnerability scanning, and patch-compliance reporting that reaches someone with the authority to act) also fail, and those controls are products of structure, process and culture rather than of any one individual. In fact, at least in terms of raising questions, one might appropriately ask, for each of the levers identified above, a question or questions relating to this breach, the answer to which might have helped ensure that the breach did not occur. For example:

  • Strategy: Did the Board of Directors make it clear to the CEO and senior leadership team that the strategic value of individual consumer information was such that, effectively, the company needed to have a zero defect approach to keeping that information safe?
  • Structure: Did the Board of Directors make it clear to the CEO and senior leadership team that it wanted to see information flows and decision rights that held the expected number of consumers affected by a breach below (for example) 0.00001% of the total number of consumers in the Equifax system (not of the number of interactions with such consumers)?
  • Culture: Did the Board of Directors make it clear to the CEO and senior leadership team that the number one priority of every single employee was to ensure the sanctity of consumer data, and that this meant that every employee, up to and including the CEO, was to think constantly about the potential for such a breach and to exhibit the behaviors associated with a zero defect organization (for example, a high degree of sensitivity to operations, deference to expertise rather than to authority in the face of a potential breach, and sensitivity to weak signals of a potential breach, following up religiously on every such weak signal with an appropriate response)?
  • Metrics: Did the Board of Directors make it clear to the CEO and senior leadership team that the consequences to them individually as well as to their employees of a breach, no matter whose fault it was, would be commensurate to the importance of consumer data to the organization, and that that weighting had clear consequences for continued employment, current compensation, and the possible claw-back of previous bonuses?
  • Business processes and information technology: Did the Board of Directors make it clear to the CEO and senior leadership team that it should never be satisfied with the robustness of current business processes, and should be constantly on the lookout for new technologies that might materially improve the security of consumer information?
  • Leadership: Did the Board of Directors make it clear to the CEO and senior leadership team that they bore a disproportionate burden for safeguarding information and would clearly be the first to be held responsible for any breach, regardless of cause?
  • Skills and Competencies: Did the Board of Directors make it clear to the CEO and senior leadership team that the cyber team needed to be top notch, that the company needed to “hire the best,” and that that itself could be turned into a competitive advantage?

But, you may say, the effort described above requires significantly more time and effort from the Board of Directors. You would be correct. No longer can Boards of directors merely say (as I have repeatedly seen), “CEO, you figure out what to do, then come back to us in your own time and tell us your plan.” No longer can directors say, “there are a number of reasons why we didn’t (hire a new CEO) (use the process we have established for recruiting new directors) (keep the company from losing $300 million).”

From Tyco to Enron. From WorldCom to AIG. From Wells Fargo to Equifax. We have looked at Board composition, Director ownership, Board competence, Board ethics. It is time we started looking at Board expectations of the CEO.
