DUTY OF CARE

An Executive's Guide for Corporate Boards in the Digital Era

ALIZABETH CALDER

Wiley Logo

Dedicated with gratitude to Tom, Geoff, and Avery for their support and encouragement.

Dedicated with appreciation for my readers and supporters. Vic, Celia, Leonie, and Mike, thank you.

Dedicated with respect to all corporate leaders who understand the impact of technology on all of their stakeholders and incorporate that understanding in operations, oversight, and strategy.

INTRODUCTION

In the lead up to the banking crisis of 2008, smart PhDs developed complex formulas that aggregated large volumes of high-risk mortgages and made it seem as if those funds were the next great investment opportunity. They even created a whole new vocabulary, using terms like synthetic derivatives to sound even more clever, while they effectively hid the risks of the subprime mortgage market.

The magnitude of the collapse suggests that many directors were taken in. They must not have really understood what was being done, or they would never have agreed. They ignored the terms they did not understand and trusted the smart people to have fully thought through the strategic and risk implications.

It is human nature to behave as if we understand things when we do not. Responsible boards need to ask more questions to make sure that they understand.

Technology is the next vulnerable frontier. The new mantra for corporate directors needs to be: "If you cannot explain it so I can understand it, I will not support what you are proposing. You need to explain it so I can understand it." Duty of Care is designed to help.

Case Studies!

Duty of Care gives you case studies … specific examples where a board either really messed up, or they really got it right, with a very clear takeaway from each example:

What the companies that messed up can teach us:

  • Yahoo – Boards who ignore cyber-related issues do so at their (share price) peril.
  • Equifax – Boards need to demonstrate oversight of cybersecurity.
  • Home Depot – Lack of understanding or knowledge is no longer a defense.
  • Loblaw – The governance of large technology investments takes as much attention and oversight as investments in M&A or corporate expansion.
  • Volkswagen – Boards need to enable ease of access for whistleblowers in all aspects of the business.
  • Wells Fargo – Boards need to know that problems are really understood.

Fortunately, we can also learn from examples of companies really getting it right:

  • Burberry – Board leadership includes understanding how new technologies can enhance value.
  • Compass Group PLC – Board competence includes using technology to solve business problems.
  • BlackBerry – The board really understanding what its business differentiators are can breathe new life into a struggling company.
  • Visa – Boards can deliver exponential value by looking at sector-level trends to find ways to reposition.
  • Amazon – Boards need to stay focused on where the facts take them. Just because there is technology involved does not mean that they can lose sight of the basics.

Smart Questions!

Duty of Care also gives you Smart Questions organized by the topics you need to understand. They will help you know what things you should be thinking about, and frame your conversations with the smart-but-maybe-terrifying people who may confuse you. This book will equip you to lead your board conversations by helping you lead management to understand what you, as the board, need to know.

Fulsome Explanations, in Case You Need More Information!

Finally, Duty of Care offers a fulsome but easy-to-understand discussion on most of the topics that you may find yourself considering. You can start with the Case Studies and Smart Questions. Then, use the written material to help interpret the answers and broaden your own foundations to genuinely understand the risks and productively discuss the opportunities that technology can offer.

Let's start with the case of Yahoo, shown in Figure I.1.

Figure I.1 The Case of Yahoo

What questions did the board ask of Yahoo management before the breach was fully disclosed? If the directors were asking questions, did they understand the answers, or did they rely on other people to interpret?

  • Directors do not simply ask the accountant if the numbers are correct. They learn how to read auditor's notes.
  • Directors would never approve a transaction without asking questions about the deal's scope, terms, and risks. They would ask questions about industry, regulations and the other things they need to know.

But when it comes to technology decisions, many directors rely on the staff to understand the risks and to know what to invest in. Whether through fear or ignorance, most corporate directors are not providing effective governance.

Duty of Care covers everything you need to be effective and self-sufficient.

Chapter 1 – Basics and Essentials

The book starts with an overview of the types of technology, in accessible language, so you can hold your own in conversations. As with understanding what earnings before interest, tax, depreciation, and amortization (EBITDA) is to talk about earnings, you need a basic vocabulary.

You will have a framework to understand the essentials – social, mobile, data and cloud – so you can confidently engage in both risk and strategy conversations. In addition, Duty of Care demystifies emerging technologies, like blockchain and AI, so you are fully empowered as an active and informed director.

Chapters 2 through 5 – Risk and Cybersecurity

Cybersecurity and cyber-risk are among the most stress-inducing topics faced by directors, for good reason:

  • 57% of companies don't believe that they would detect a sophisticated cyber attack.
  • 61% of organizations say they have had a recent cybersecurity incident.
  • 98% of organizations don't believe that their cybersecurity function is up to the job.

Chapters 2 through 5 consider four predominant aspects of cyber-risk:

  • Chapter 2 – Risk: What really matters as you endeavor to protect the company's interests while balancing the need to verify your controls posture as part of your duty-of-care obligation?
  • Chapter 3 – Cybersecurity: How do you deal with your specific responsibilities for the ever-changing demands of cybersecurity?
  • Chapter 4 – Enterprise Risk Management: How do you effectively address more general risk issues as part of an overarching oversight program?
  • Chapter 5 – Digitally Driven Litigation and Fraud: How do you think about the emerging issues, particularly board-level exposures, which now include securities fraud?

Duty of Care arms you with director-appropriate insight into the actual risks and the regulatory requirements, including strategies for meaningful and effective oversight.

Chapters 6 through 8 – Technology Strategy and Investment

Since 2000, 52% of the companies in the Fortune 500 have gone bankrupt, been acquired, or have ceased to exist, due in large part to the disruption of traditional industry models … and yet …

Only 35% of companies say they are investing in digital as part of their overall strategy.[1]

Navigating how much to invest, what to invest in, and how to prioritize your investments is a bit like being in a “perfect storm,” as shown in Figure I.2.

Schematic of the perfect storm model.

Figure I.2 The Perfect Storm

Each of the weather patterns has its own momentum. Each is daunting. The eye of the storm is where things are most clear.

Consider the example of Microsoft. In 2016, they seemed to be losing their advantage as the more ubiquitous platform of Apple took dominance. The CEO and board decided that finding a new customer base or market segment was a strategic imperative. They found clarity in accessibility technology. For Microsoft, the eye of the storm offered unmet and even unanticipated needs in the market that they could uniquely satisfy. In a very short time, Microsoft became a world leader in delivering solutions for people with disabilities.

Chapter 6 – Start with how much to invest. How much to invest depends on what technology you have already, and how proactive you want to be. Do you want to be a leader or a follower? Understanding your company's maturity will help you assess how much investment is right for you, and how aggressively you can expect to progress.

Not every company has to be the digital leader, but intent and leadership are key. Companies with a higher level of digital maturity are 9% to 26% more profitable than their average industry competitors,[2] so you need to be deliberate and understand the risks if you are investing as a follower. Drawing on your newly developed vocabulary, ask questions about what investments are being made. Make sure that investment plans align with your business strategy.

Top-decile companies track their IT spending to have no more than 75% of it going to steady state. Does your management team look at how their spending is aligned? What should you be investing the strategic 25% on?

Chapter 7 – Think about what your company's priority should be. This chapter gives you an example of how to consider new opportunities. Traditional business models, like Porter's Five Forces,[3] can help you set priorities:

  • What attracts investors and customers in the digital age?
  • How can suppliers add accretive value?
  • Where could your assumptions about your competition be outdated?

What do you need to accomplish to hold (or improve) your position?

Chapter 8 – Find Clarity. Think of clarity as confidence. You should feel ready to articulate your technology vision and sense of direction as part of a genuine conversation with your CEO and other board members.

Today's competent director can articulate what an investor would want to know about the company's technology strategy. Directors demonstrate important leadership and they can comprehend the elevator version of the company's digital aspirations.

The chapter is focused on the best-practice leadership concepts that uniquely resonate in the technology aspects of investment oversight. It provides the smart questions to help you find clarity.

Chapter 9 – Oversight

In 2017, Hurricane Irma was so far off the expected landfall that cities like Naples, Florida, took the brunt of the damage because they didn't know they needed to prepare, whereas on the east coast of the state the cities were prepared beyond what they needed. Winds shift, and weather patterns are unpredictable.

Technology governance is like managing in that perfect storm, so you need to understand the external factors to know where the eye of the storm is actually going to touch down. See Figure I.3.

Schematic of the external factors in the perfect storm model.

Figure I.3 The External Factors

On the positive side, the winds that push and pull can make technology governance a unique opportunity. It is one of the few areas in which you can directly influence the outcome of your investment. It is as if you can buy a stock, and then be in the boardroom making the decisions that will affect share price.

On the negative side, those winds are also multipliers for risk. Every miscalculation can be magnified through speed and volume.

Governance experts are converging on the view that “it is insufficient for the board to say that they delegated responsibility to the CEO when major strategic investments fail.”[4] It is strategically important that the board have:

  • Measurable indicators of progress.
  • Defined outcomes.
  • Regular monitoring of results.

Anything less is a failure.[5] For purposes of your digital strategy and technology investment, Duty of Care considers navigating those prevailing winds as functions of oversight.

Chapter 10 – Governance

The final chapter of the book takes it up a level to the broader considerations aligned with your duty of care:

  • The need to “enhance and protect” value.
  • Continuous improvement of your own competence.
  • Smart Questions considering both investment and risk.

* * *

Today's director does not have to settle for confusing risk updates or opaque investment proposals. It should be the exception rather than the rule that you need outside help to know the right questions to ask. You should not have to agree to an investment and then wait a year and hope that it all works out as expected.

Use the targeted Smart Questions at the end of each chapter to genuinely understand where you have risk and where you have opportunity.

Duty of Care will help you develop your strategy, so you can weather the storm.

Notes