Cyber Lessons and #MeToo Risk

Laurie Hays is managing director and Jamie Singer is senior vice president at Edelman. This post is based on an Edelman memorandum by Ms. Hays, Ms. Singer, Harlan Loeb, and Lex Suvanto.

Five years ago, when the reality of the cyber security threat began reaching the boardroom and audit and risk committees, only 15 percent of directors felt “very confident” their board oversaw cyber risk adequately.

Today, cyber security preparedness and investments are front and center for directors. Increasingly, they are overseeing cyber security as a function of the audit committee with a top-level review headed by security experts. Seventy-two percent of board members in a recent survey by advisory firm BDO said their board is more involved with cyber security than a year ago.

Almost two years into the #MeToo movement, human capital risk is heading in the same direction, posing equally complicated high-stakes challenges for boards to assess the warning signs of misconduct by top management and take action to reduce risks. Culture and conduct, especially as it relates to senior management, is of increasing concern to investors, according to the 2019 Edelman Trust Barometer’s Institutional Investor Special Report.

Like cyber breaches, misconduct poses significant risk to the corporate entity. The Massachusetts Gaming Commission recently completed an investigation into the suitability of Wynn Resorts to be granted a gaming license after an extensive attempt to cover up co-founder and CEO Steve Wynn’s sexual harassment of employees reported by The Wall Street Journal.

As a first step, some companies are starting to include sexual harassment alongside cyber security in the business risks section of their annual reports and internal policies are strengthening around harassment behavior.

“We are in the very early stages of board-level attention to culture and conduct risks and the cyber experience is a very good analogy,” said KPMG Board Leadership Center Senior Advisor Stephen Brown. “Boards realized they had to rewrite the rulebook,” remarked Brown, who also served on an NACD Blue Ribbon Commission study of corporate culture in 2017.

There are a host of risks for boards to prepare for from #MeToo. They include litigation liability in the form of class-action lawsuits; regulatory risk from the SEC in terms of high-level misconduct disclosures and from the EEOC around workplace compliance; personal liability with shareholders bringing legal action against directors as they did after high-profile breaches; and the potential for long-term reputation risk to the brand following a significant crisis. Like cyber oversight, boards need to remove as much risk as possible from the system.

1. Assess risk. Directors are ensuring their organizations conduct a comprehensive assessment of their distinct vulnerabilities, both from an IT/operational perspective and through a reputational lens. Beyond their own organizations, the majority of directors (73%) now say their organizations require that third-party vendors or partners also meet certain cyber risk requirements, up 30 percentage points from 2016.

Leading indicators of #MeToo risk include pay disparities, lack of senior level diversity, high turnover, employee surveys, complaints data including exit interviews.

2. Invest resources. Boards are pushing for increased investments in cybersecurity defenses. Three-fourths of directors say their organizations have increased investment in cybersecurity during the past 12 months, marking the fifth consecutive year board members have reported increases in time and money spent on cybersecurity.

Misconduct defenses include mandatory conduct training for all employees, backing HR departments with the resources to fully investigate harassment and take the appropriate actions against offenders, a commitment from the board that no employee is too valuable to be dismissed for bad behavior and linking compensation to culture metrics.

3. Establish partners. In advance of an issue, boards are spearheading efforts to establish relationships and formal contracts with outside experts—cyberinsurers, cyber counsel, crisis communications firms and IT forensics providers.

Many experts are available to consult on human capital risk and boards need to engage with them to understand the challenges they are up against to understand how best to assess what is going on outside their usual lens.

4. Develop a plan. Boards are pushing their executive leaders to develop or refresh cyber incident response plans to ensure their companies are ready to respond to the operational and communications challenges these issues present. Nearly four-in-five companies have an incident response plan in place to respond to potential cyber risks.

Likewise, boards need to ask managers how they are handling problems as they arise, who answers the hotlines and who looks at data around complaints. When considering the scope, boards need a plan for how to look beyond compliance and how to communicate their commitment.

5. Create muscle memory. Directors are assuming more active roles in cybersecurity education and preparedness, from recruiting Board members with specific expertise in this area and requesting regular updates on progress (more than half of board members say they are briefed at least annually on cybersecurity) to participating in crisis trainings and simulation exercises around a public-facing data security event. Culture and conduct reviews need to become routine before a problem emerges.

Muscle memory for #MeToo won’t be difficult for any director familiar with media accounts of more than 400 executives fired for misconduct in the last 12 months. The NACD study concluded culture “can no longer be considered as a soft issue by management and boards. It’s strength or weakness has a lasting impact on organizational performance and reputation.”

Cyber data hacking and #MeToo moments both constitute high-risk events. And their hazards are largely invisible until they aren’t. Similar assessments of risk and return apply, and similar tools will become available to boards with the courage and foresight to take action.

Not only might a crisis be averted, but employees who feel safer and more comfortable at work are a good investment for any business. Harvard Business School Professor Amy Edmondson’s work on workplace “psychological safety” shows there is indeed more money to be made when employees are not being harassed.

“A lack of psychological safety in the workplace turns smaller problems into far bigger reputational risks, explains Professor Edmondson. “A culture in which employees feel they can express concerns when they’re uncomfortable and people in positions of power will listen thoughtfully is one in which inappropriate behavior can be caught and corrected before it festers and spirals into headline-grabbing harm or scandal. Of course, this is not to say that all reports of discomfort are necessarily indicative of bad behavior but, rather, that without a palpable culture of speaking up and listening, organizations increasingly are at risk of incurring severe reputational damage.”

Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  • Subscribe or Follow

  • Supported By:

  • Program on Corporate Governance Advisory Board

  • Programs Faculty & Senior Fellows