Lessons from a leading director: Governance outtake

By Guy Beatson, GM Governance Leadership Centre, IoD
22 Sep 2023

If you missed the Lessons from a leading director session at the 2023 IoD Leadership Conference, we’ve captured some outtakes from Ann Sherry FAICD. These highlight some key themes and insights from her session and outline a few specific actions for directors and boards arising from it.

The practical lessons and action steps for board members were that they should:

- take a long-term value-add perspective, while paying attention to the short-term

- anticipate risks and look to the opportunities that come with mitigating and managing these

- take proactive steps to manage cybersecurity with a clear-eyed view of the risk-adjusted costs and the investment required to manage/mitigate these risks

- move to effective and meaningful engagement with stakeholders and beyond cursory engagement

- see not-for-profit boards in the same way as other boards and not as a “parking lot for the well intentioned”.

Australian director Ann Sherry FAICD, with significant private sector governance roles (banking and transport), and experience of the not-for-profit and public sectors (university), shared key lessons for directors, canvassing what good governance in the future could look like.

Taking a long-term view is seen as the “holy grail” for governance. Yet many directors and boards, particularly in the current difficult financial and economic climate nationally and globally, suggest that without a focus on the short-term there won’t be a business or organisation in the long-term.

Sherry had a different take on this. While recognising the need for some short-term focus, she emphasised that:

  • Boards need to understand long-term value drivers and make “sharp judgements” in relation to them.
  • Boards should recognise that the short-term downside risks are always going to be more visible and take a more balanced view across the medium and long term.
  • Boards should take the time to consider and anticipate risk. This permits opportunities to be seen more clearly, alongside the investment required to manage risk and seize those opportunities.

Cyber was among the highest-probability, consequential risks she concentrated on. In many cases, hackers are more organised than the companies and other organisations they target. She offered boards some practical questions to ask chief technology officers and chief information security officers:

  • How secure are systems, particularly storage, and what is the standard being used to assess this? For example, this might be assessed using the NIST Risk Management Framework
  • Why does the company/organisation hold data? Where is it held? How long is the data held and why? These are critical security considerations and important in meeting the organisation’s privacy obligations and maintaining the trust of customers, suppliers and other stakeholders
  • What is the pathway to next generation systems (moving from legacy systems, which are less secure)? What is the risk-adjusted net present value for the investment required to make this change? This needs to take into account the costs to the company/organisation of a cyber-breach, including ransomware, relative to the investment required. Sherry commented: “If you have a seven-year plan you could be gone at that rate” given the inevitability of a cyber-incident and the significant costs involved.

Stakeholder engagement

Cyberattacks were raising the profile of many organisations with stakeholders. Climate change, business practices (notably in banking), concern about the quality of environmental disclosures and practices (“greenwashing”) and concerns about workplace bullying and sexual harassment (alongside wider concerns about workplace health and safety generally) were also driving stakeholders to be more organised and active.

Faced with this situation, directors and their boards need to ensure that they and their organisations:

  • move to more authentic and considered engagement with stakeholders and beyond “cursory engagement”. Australia’s banking Royal Commission, ongoing action by the Australian Securities and Investments Commission and action on bullying and sexual harassment provided insights on this
  • consider the increasing push in Australia, and an increasing trend in New Zealand, toward greater levels of personal director liability. In New Zealand, this is often with insufficient understanding of the role directors play in organisations, including through collective governance and board decision making, and a poorly developed sense of how directors and boards are incentivised.

NFPs face the same challenges

Not-for-profit (NFP) boards, including those for universities and in the public sector, are facing the same challenges with complexity as all other boards.

Sherry noted that NFP boards are “not a parking bay for the well intentioned”. In that sense, NFP boards needed to have the same focus on their capability, skill and experience requirements and ongoing learning as the boards of any other organisation, including those in the commercial sector.

Conclusion

While many directors hearing Sherry’s view of the governance future might feel weighed down by the issues and challenges, she concluded that:

  • governance is exciting and challenging
  • all directors and their boards needed to keep on learning, to understand the changing environment and, with an eye on the long-term, continue to support management to solve the range of issues companies and other organisations face
  • ongoing “re-education” for everyone – staff, management and boards – is required to adapt to new situations and meet the challenges head on, and to take the opportunities these challenges create.