www.pwc.co.uk

Board discussions What NEDs have been debating

March 2017 Contents

Introduction 1

A global political update 2

Data analytics and its role in relation to strategy 6

General Data Protection Regulation and data privacy 9

Blockchain and its far-reaching implications for business 12

Tax – a reputational risk for business? 15

Culture as a risk management tool and a licence to operate 18

Cyber security – stage 1 21

Cyber security – stage 2 24

Responding to investor activism 28

Crisis management 30

Executive remuneration 33

Audit Committee update (ACN) 37 Introduction PwC’s programme for Non- The workshops explored how the Board At a more macro level, in February we Executive Directors (NEDs) can influence and shape culture, had A global political update from includes a series of briefings, bringing values to life, building trust Eurasia Group. In these uncertain workshops and other events to help with stakeholders and assessing, political times, this early evening event address the need to keep up to date measuring and monitoring culture. provided an overview of Eurasia Group's with Board level issues. This As one specific area of risk, the darker top 10 political risks for 2017 to further document summarises the side of the relentless technology inform strategic decisions. discussions arising from our developments, such as Blockchain and Developments for Audit Committees events over the past six months. data analytics, was focused on in our two – which continue to have a full agenda – The season began with our September Cyber security workshops. The first were not overlooked. A series of update briefings on General Data Protection workshop covered a broad landscape of workshops provided a regulatory update, Regulation (GDPR) and data privacy. cyber security basics – setting context, a look at developments in corporate The GDPR is now in its final form and explaining why this is a Board issue and reporting and accounting, as well as a will come into force at the start of 2018, providing a framework to help NEDs session considering user access replacing the existing Data Protection think about the key areas. The second management. The latter has become ever Directive. It will transform the data allowed for a deeper dive into four key more important as the risk and threat privacy and protection landscape by areas – developing a business landscape continues to evolve putting all businesses at risk of fines and perspective, assessing current state, due to increasing interconnectedness. sanctions if they fail to protect personal improvement recipes and handling For those on Remuneration data. Individuals no longer have to prove incidents and crises. Committees there were sessions that they have suffered financial loss but Investor activism and how to respond exploring issues with executive pay, can just cite distress. was explored in another of our including public perceptions of An early evening event in September workshops. Investor activism is inequality. Recent corporate governance explored Blockchain and its far- increasing in the UK as volatile equity developments and Government reaching implications for business. markets provide activist investors with consultations aiming to address these This technology, which underpins the opportunities to build stakes in were discussed. Consideration was given crypto-currency Bitcoin, presents far undervalued companies. Boards can be to what this means for Remuneration wider opportunities and challenges than hesitant to react but being on the back Committees in 2017 and beyond in terms simply disrupting business models in the foot often makes it harder to respond of transparency, strategic alignment and financial services sector. It consists of effectively to shareholders further down flexibility, stakeholder engagement and ‘blocks’ of data in a digital ledger which, the line. The session considered what fairness. in turn, creates a single shared view of characteristics an activist looks for in a We also ran a number of interactive the blocks that every participant in the potential target and how Boards might sessions throughout the year including network can access simultaneously. respond, both in terms of taking steps to a 'Game of Threats'TM cyber attack Blockchain therefore has the potential prevent an approach but also what to do simulation, a 'False Assurance' film event to remove the need for a back office/ once one has happened. with the ICAEW and various webcasts reconciliation process and also eliminate Recognising that in today’s complex and exploring topical business issues. We plan the ‘middleman’. As it is sector agnostic, inter-connected business environment to include further interactive sessions in the potential implications of this are crises will happen, the workshop season future programmes. significant. concluded with a session looking at In all of the events there was considerable Our October early evening briefing Crisis management. Getting crisis debate, with a sharing of ideas on the looked at Tax – a reputational risk for response right is not something that can topics and discussion around the role every business. There is heightened be improvised when a crisis strikes and NEDs can play. The combination of public, media and political interest in the capabilities that underpin that expert knowledge with the invaluable matters of tax policy and fairness. This response take time to build. In today’s sharing of experiences with peers adds brings significant reputational risk and social media driven world, Boards no real value to these sessions, and I would has elevated tax to a Boardroom issue. longer have the luxury of time to consider like to thank all those NEDs who The need to respond to a broad range of their course of action and need to be able participated. We will continue to focus on stakeholders means that Boards need to to put a previously developed, and matters featuring on Board agendas and be comfortable that they understand and preferably rehearsed, plan swiftly into look forward to further insightful can appropriately articulate their operation. discussions over the next six months company’s tax strategy and how the Our January briefings revisited the of the programme. associated risks are being managed. technology angle looking at Data Risk is a constant feature on the Board analytics and its role in relation to agenda, even more so in these uncertain strategy. The world is at an inflection times, and we continue to focus on point where artificial intelligence and different aspects of this topic. Our winter data analytics can help businesses make workshop season included sessions better and faster decisions. However, too Andy Kemp considering Culture as a risk often data analytics is used to analyse the Chairman, management tool and a licence past rather than predict the future and Non-Executive Director programme to operate. inform decisions. To become a data- driven organisation, leadership needs to [email protected] Culture is currently an area of focus for set the tone and deliver on it, using March 2017 regulators and others as society attempts predictive analytics to support strategic to respond to a lack of trust in business. decision-making. Board discussions March 2017 | 1 A global political update

Political context is important for business as political stability Presenter: encourages a positive outlook which has a knock-on effect on the Sean West, Global Deputy CEO, economy. Political risk can impact all aspects of a company’s business Eurasia Group such as consumer sentiment, workforce quality and availability, taxes [email protected] and foreign exchange. Proper planning and management of political risks can therefore help to drive commercial success, especially in emerging and frontier markets.

Global political update Independent America • The need to prioritise stability over The session was structured around This is not about the US becoming difficult policy choices risks policy Eurasia Group’s top 10 political risks for isolationist but unilateralist. failures such as a re-inflation of asset 2017. bubbles. • Militarily, it’s all about America and As initial context, it was noted that the other nations will not necessarily be A weaker Merkel world is becoming riskier. For the first able to depend on US commitments. Merkel will be re-elected but with a time, Eurasia Group are using the term • Economically, it’s about industrial smaller majority. Previously Europe’s ‘geopolitical recession’, where a policy that squeezes countries and indispensable leader, she will be a substantial series of events has dragged companies for better deals for US weakened figure. down the positive impacts of politics. workers. • Externally, Europe will be For the last five years, Eurasia Group has • Values wise, the US focuses on challenged by France’s elections, been talking about a ‘G Zero world’, one transactions rather than principles. Greece’s finances, Brexit without global leadership. This has now Currently, therefore, there is the negotiations and relations with both combined with a populist revolt against Russia and Turkey. globalisation whereas domestic policies absence of a unified West supporting • Domestically, Germany will be were previously permissive towards it. democracy from the same point of view, challenged by their refugee policy, This negative trend in domestic politics as well as the potential for negative terrorist attacks, corporate crises in key economies combines with bilateral relations. Implications of an and populism with the Alternative negative external conditions at the independent America include: for Germany gaining ground. geopolitical level resulting in the • chaos from an absent superpower – geopolitical recession. particularly in Europe and the Merkel is increasingly becoming a lone voice for keeping Russian sanctions A geopolitical recession plays out over Middle East in place. a much longer timeframe. In Eurasia • weakening of global institutions – Group’s projections, few countries show global fragmentation No reform encouraging signs over the next six • the rise of China and possible Some countries that were previously months. In a sense, a neutral political conflict. planning to reform will no longer. environment is actually a positive outcome. China overreacts • Modi (India) will not get land reform Given its current leadership transition, through and Nieto (Mexico) has The world is therefore much riskier now China is not in a strong position to achieved as much as possible. politically than a year ago. The 10 risks, withstand trouble and will want to quell as assessed by Eurasia Group and • In Russia, France, Germany and anything that makes its leaders look explored below, are not meant to be China, reform must wait for political weak. exhaustive but are the highest impact transition. events with a material likelihood of • With the 19th Party Congress and • In Turkey, Britain and South Africa, impacting business. leadership transition, President Xi leaders are preoccupied with Jinping needs to appear strong. domestic challenges. • Hypersensitivity to external • In Brazil, Nigeria and Saudi Arabia, challenges (eg Hong Kong, Taiwan, ambitious plans will fall short of North Korea, regional waters, what is needed. Trump) may cause China to respond forcefully.

2 | Board discussions March 2017 China’s anti-corruption drive still results Central banks get political • This will exacerbate economic in a positive political outlook for this The independence of central banks has problems, leading to a further PKK country in terms of reform but other rarely been questioned but various crackdown and worsening foreign major economies are on a neutral or leaders have been publicly attacking the relations. negative trajectory as far as reform is rates policy. concerned. North Korea • Western central bankers are Usually there is little visibility over therefore newly vulnerable to developments in North Korea. However, political pressures. based on recent missile and nuclear • The political support for the ECB to tests, in 2017 North Korea is likely to 70% act if there are additional shocks will have the capability to reach the West be more questionable. Coast of America with its weapons of Americans want the new • The US Fed will be affected, either programme which is considered a red president to prioritise domestic through partisan appointments or line. Previously, the US and China would policy public criticism, as Fed tightening work together to prevent this but Kim policy and fiscal expansion run Jong Un has no interest in deal-making. Technology and the Middle East counter to each other. Eurasia Group foresee two scenarios: Middle East legitimacy previously came The White House versus Silicon • Trump increases pressure and from the outside and then from energy Valley military threats against North Korea money with the US and allies ensuring with secondary sanctions hurting Many technologists have a different security. However, this is no longer the Chinese banks and leading to a world view and will disagree with case due to technology in the following China-US crisis. Trump plus refuse to respond to respects: • If the US centre left government presidential requests. Differing views favours diplomacy with North Korea, • Energy – US technology such as are seen particularly regarding: fracking is destroying the Middle South Korea may cancel its US East business model, enabling new • security versus privacy missile order with possible Trump producers and competition. • social media and fake news retaliation generating a crisis. • jobs versus automated production • Connectivity – this enabled the Arab South Africa Spring but is now a threat. ISIS can • immigration and investment in There is currently a crisis within the use social media to inspire science. ANC. Zuma’s wife is likely to take over individuals anywhere in the world Despite the above, there are some but reform will slow. Global institutions and access to the internet is positives. Tax reform, streamlined that care about South Africa are encouraging the reinforcement of regulations and the H-1B visas are defunded and distracted. Trump will tribes. helpful to Silicon Valley. have no real interest in stabilising small • Cyber – Iran is less constrained and African countries and Europe will not be attacking Saudi Arabia. Regional Turkey in a position to. South Africa has terrorists will increasingly use cyber Europe is depending on Turkey previously aided regional security but weapons to attack infrastructure. regarding the refugee crisis and it also will be less able to as a result of the • Automation – persistent has a role to play in Middle East stability. economic impacts of ruling party unemployment due to technology However: infighting in the run up to the December eliminates the benefits of a 2017 internal conference. The region is demographic dividend. • Erdogan is using the state of emergency to tighten his hold on the therefore likely to become riskier. • Forced transparency – brittle judiciary, bureaucracy, media and regimes need secrecy but everything business sector. is becoming more transparent. • In 2017, he will hold a referendum to win the executive presidency that he has been seeking.

Board discussions March 2017 | 3 Red herrings Open forum Q&A Another NED asked if Turkey represents Eurasia Group also covered off a number The open forum Q&A was wide-ranging. a lost opportunity for the West. It is of issues that they consider to be red certainly a largely secular country with One NED was keen to understand herrings that do not merit significant a sizeable population that could have whether the Republican Party in concern: been embraced. It is also a pivot state Congress would put sufficient checks between Europe and the Middle East. • US domestic – might be positive for and balances in place against the effect Although Europe and Turkey are likely the economy and markets in the of Trump who appears to be ruling by to agree on short term solutions to the short term. Twitter. Eurasia Group noted that the refugee crisis, the possibility of long • India versus Pakistan – both unpredictability is at least constrained term collaboration is receding under governments are focused on by the legal system, as has been seen Erdogan. Eurasia Group therefore agree domestic issues and will look to already with a judge ruling that the visa that Turkey may well be one of 5-10 lost avoid conflict. ban for Muslims from certain countries opportunities as globalisation is wound • Brazil – lawmakers know that their was unconstitutional. The Republicans down. only chance of staying in power in are reluctant to stand up to Trump as it There was interest in the Putin/Trump 2018 is to move towards modest is rare to have one party control in the dynamic and how far relations with economic recovery so pension reform US government which is what they Russia would go. Eurasia Group’s view is may go through. currently have and there are certain things they would like to achieve. that Putin would actually have preferred Implications for NEDs and the However, they will back the judiciary. a weakened Hillary Clinton as president businesses on whose Boards they due to Trump’s unpredictability. Trump sit could easily change allegiance. Putin will play to Trump’s ego in the short Sean concluded by emphasising that term to gain minor reliefs but there is political risk matters to NEDs as it 57% unlikely to be the same harmony in 2-3 affects every aspect of a company’s years’ time. The Russian economy is business. Boards need a really good projected Grand Coalition in reasonably sound and Putin has a firm understanding of what is happening on German government following control on the government. His main the ground in territories where their election versus c80% currently aim appears to be to disrupt the West companies are investing and should also and create an alternative view of where assess the extent to which their five year A question was asked around the reform the world is going. Russia will not plans depend on globalisation point which showed the UK to be on a necessarily test NATO’s resolve in the continuing. To gain an understanding negative trajectory. This is because there Baltic States but may do in other areas. of whether political risk is on executive is such focus on Brexit that it is difficult management’s agenda, NEDs can ask: to think more broadly. There is talk of A NED enquired what impact dialogue the two year process, following the between global leaders has these days • Is the company well organised to when social media seems to be taking detect and manage political risk? triggering of Article 50, leading to a transition deal but this in itself may not over. Eurasia Group’s view is that this • What are the processes and be certain when all 28 other European dialogue remains very important and governance mechanisms in place to territories have to agree to it. contrasted President Bush, who held make sure politics do not disrupt calls each week with key leaders, with company operations or investments? One NED had a specific question on President Obama who only talked • How do strategic planning efforts whether the far right party coming to regularly to Merkel. This had an impact account for political risk? power in the Netherlands would lead to on their respective influence on the • What is the company’s track record a continuing ‘Brexit’ trend. Eurasia global stage. However, at the same time, on integrating political changes into Group’s view is that the Freedom Party it is difficult to speak frankly if there is forward planning? will come first in the elections but will an increasing risk of leaks. There will be • When entering a new market or not form a government and so ‘Nexit’ is real cause for concern if diplomacy at an making a strategic acquisition/ unlikely. institutional level, such as the United divestment, how well does Nations, breaks down. management understand the political environment? • How are expectations risk-adjusted on the basis of political changes?

4 | Board discussions March 2017 c70% internet penetration in Iran and Saudi Arabia.

There was a question as to why social inequality had not featured as a risk. Undoubtedly, there is currently a great deal of scrutiny on fairness, pay ratios, tax policies, etc and citizens will try and hold companies to account where they do not agree so Boards should be prepared for this. It was noted that some new business models almost create an ‘addiction’ (cf Uber and Air BnB) such that consumers will respond to attempts to curb their activities. Another NED asked for some comments about oil, both in terms of pricing and the environmental issues. Eurasia Group noted that prices are recovering but more production will be brought online to control this, although they see a price of US$60/70/80 per barrel in the medium term. The climate change agenda has undoubtedly taken a step backwards with the election of Trump who will seek to backtrack from the Paris Agreement, possibly encouraging other countries to follow suit. The final question was whether Eurasia Group thought Trump would be re- elected in four years’ time. The view was that if he makes it to then he could be unstoppable but he may well not make it to this point.

Board discussions March 2017 | 5 Data analytics and its role in relation to strategy

The world is at an inflection point where artificial intelligence and Presenters: data analytics can help businesses make better and faster decisions. Tom Lewis However, too frequently, data analytics is used to analyse the past [email protected] rather than predicting the future and informing decision-making. Oliver Bernath To become a data-driven organisation, leadership needs to set the tone [email protected] and deliver on it, with greater acceptance of experimentation. This was an opportunity for NEDs to explore some of the developments in this area and their implications for business.

Context Businesses should therefore consider As it is difficult to predict ‘unknowns’, The session began with some context- where they can source data from and the data lake can be trawled for relevant setting. Intelligent use of data could help what they can use it for. One company data once an ‘unknown’ has happened. used the shopping history of individuals people and organisations to think Clearly, there are privacy and other from their smart phones to advertise laterally and use data to answer ethical issues relating to the storage of relevant products or services on bins as questions other than simply ‘what data, especially when an organisation they passed by. Additionally, the serial happened?’. Today, there is a sea of does not yet know the use to which it numbers of phones have been used to information that tracks everything we will be put, and NEDs need to be model how individuals use stations on do. Additionally, with the cloud, the cost mindful of these. It is, however, worth their journey. Google uses phone GPSs of computing is collapsing so that noting that the younger generation has to track when traffic is stationary and extensive analysis is now feasible. a much more relaxed attitude to the alert users of its route mapping Questions can be auctioned to providers privacy of data, preferring the benefits products. who will bid to answer them. and convenience that sharing can bring. Organisations therefore have the Companies should also consider Questions that NEDs might want to opportunity to analyse anything but whether they have a data asset others consider in the context of their need to evaluate how much it is worth. might want to buy. For example, some businesses include: A short film was shown to illustrate credit card providers pay a fee to phone these points. providers to check the location of a • What data assets do we own? phone if one of their cards is being used • Are they accurate, complete, useful? What data is there? overseas as a means of verifying the • What is the data used for? Is it It is important to recognise that data is legitimacy of this use. valuable to others? Is it licensed? not just text and numbers. It can also • Does the company have a data lake? come from emails, sensors in the A council in New York found that What is in it? Who uses it? Internet of Things and pictures. In fact, monitoring social media traffic on the 90% of data is images and videos. state of public toilets was a more • Is it secure? Is it a risk? Who wants to Turning to some examples: effective method of checking for steal it? maintenance issues than sending out a • Who is responsible for it? • Email histories can be used to team of inspectors. This can also analyse how people are interacting reinforce behavioural change if people The last question is particularly with one another (rather than what notice that a problem is responded to pertinent as the prevalence and value of is in the emails). For example, this promptly after a social media complaint. data is too great for this to be left to the could illustrate whether a merger has IT department. been successful or whether there in The concept of a ‘data lake’ was briefly fact remain two opposing sides. considered. Previously, if a report with certain data was required, the various • Sensors in the Internet of Things, parameters would be given to the IT such as ‘nodding donkeys’, can be department to create it. Now it is more a used to predict when the equipment case of maintaining a data lake with any will fail. 30% and all information in it, even if it is not • Pictures can be used to recognise currently known what the data may be of UK companies are highly whether documents have been used for, so that it is available should a data-driven versus 53% in China signed. need arise in the future.

6 | Board discussions March 2017 What do businesses use data for? This was further illustrated by a picture Data, often a combination of structured, of a heron. Trying to explain to a semi-structured and unstructured data, computer what a heron is in sufficiently 23% distinct terms is very difficult but can be analysed using algorithms and business models to generate a required use data analytics to describe showing a computer thousands of output. what happened. images of a heron will enable it to learn for itself. A model was discussed illustrating the data analytics delivery cycle where the The UK is therefore lagging behind These principles can be applied in following questions are explored: other parts of the world in terms of business. For example, having cameras data-driven decisions. NEDs should on fridges in stores to see what products • What value exists in your data? consider their organisations’ capabilities are being sold and to understand buying • Can you trust your data? in this area. There are excellent patterns, as well as the actions of the • What happened and why? products available to perform the stockists. In the case of Brexit scenario • What might happen next? analytics so this does not necessarily all modelling, computers can read contracts • What is the right answer for your need to be in-house. In order to think as to model the impacts of various business? expansively as technology makes decisions. possible, there is a need to combine • Is insight being delivered to the right It is important to recognise that instinct with analytics. It has been people at the right time? computers have a point of view that is shown that productivity levels are much • How do you embed data analytics in clean and non-biased. Today, computers higher within organisations that are your organisation? are not just calculators but can see, good at data analytics. listen and read. The Board of an As an organisation moves around this The session continued with a brief look organisation called Deep Knowledge delivery cycle, it can progress from at Artificial Intelligence and Machine Ventures already has some members using data analytics to analyse the past Learning. that are algorithms. to using it to predict the future and even to change the future in order to achieve In the first machine age, the Industrial a desired outcome. Revolution saw the automation of physical work. In today’s second It is, however, worth reflecting that machine age, there is increasing advanced data analytics can be 36% augmentation and automation of underpinned by some very complex manual and cognitive work. Part of this maths. This often concerns users and use data analytics for diagnostics second machine age is the rise of so most big decisions are currently still Artificial Intelligence which is being made with human judgement and “intelligence” that is not the result of the unconscious bias that this might What does data analytics mean human cogitation. involve. in the context of your business? Machine Learning is a subset of Another short film illustrated some of Questions NEDs might want to ask Artificial Intelligence involving the the key findings of PwC’s Global data include: creation of computer algorithms that and analytics survey 2016, involving enable machines to learn through • What decisions are we using data more than 2,000 executives in 10 experience and acquire ‘knowledge’. analytics to solve? countries. These include: Typically Machine Learning is used to • How are we balancing analytics and • 23% of organisations are using data build ‘models’ that accurately make experience in decision making? analytics to describe what has predictions or identify patterns from • Who oversees the algorithms? happened. data. • Are we thinking out of the box • 36% are using data analytics for Moreover, machines get better at enough? diagnostics. learning really quickly as they are never • Do enough of our people think this • Only 13% are using data analytics off. Reference was made to an article in way? to automate decisions. The New York Times Magazine entitled • How do we encourage innovation? • Executives in data-driven ‘The great AI awakening’. This includes • How do we recruit, motivate, organisations are 3x more likely to a description of how Google used manage and retain these people? report significant improvements in Artificial Intelligence to transform their decisions. Google Translate through the computer • 30% of UK companies are highly effectively learning by itself. data-driven versus 53% in China.

Board discussions March 2017 | 7 Today’s start-ups are already thinking Equally, computers have begun writing NEDs were concerned about the human very differently. There is a need to music and it would be feasible for dimension and whether technology is an create the right balance between computers to be able to design the décor invaluable aid or something that will computers and humans, and the right of rooms based on known preferences lead to the ‘de-professionalisation’ of culture for each to thrive, in order not to for colour, materials, etc. As with many people’s roles. At the same time, Boards be overtaken by disruptors. areas, a diverse team is likely to be more may need to be considering whether it is creative. negligent not to avail themselves of The session concluded with a brief look technological tools when others will. at three examples of real world uses of There was a question around data analytics as follows: intellectual property and whether In the future, there will undoubtedly be patent wars could become more significant impacts on a large number of • Hospital simulator – gaining frequent. However, an open source existing roles. It has already been shown deeper insight into a hospital’s mindset dominates in this space. This that initial medical diagnosis can be demand, capacity and process flow leads to consideration of whether performed very effectively by challenges and testing possible companies are needed in the same way computers. Arguably, an individual in solutions. today. Previously a corporate body was search of a diagnosis would prefer to • Trader intelligence – monitoring set up to raise capital, employ resources benefit from data from every known risks and reducing exposure to and provide premises but much of this scenario rather than a single doctor’s potential market abuse activities. can now be done online with auction brain. • Organisation design model sites used to solve problems. Effectively, There will, however, be difficulties to – gaining a single view of an people are being paid to do what they overcome along the way. For example, organisation’s workforce. enjoy but, with everything so mobile, one of the biggest problems with there can be a blurring between work Open forum Q&A driverless cars is that they are unable to and home. The open forum Q&A was wide-ranging. comprehend that humans break the law There was a specific enquiry regarding and therefore do not all drive as One NED enquired about finding the questions a NED sitting on a healthcare predicted. Overall, however, the upsides right people able to do this and Board might wish to ask. A good in the area of data analytics are so vast successfully bringing them into an question for any Board is: “If Google was that the downsides are likely to be organisation. It was noted that to enter my sector, what would it do?” or ignored or rejected. leadership is key in this area. “Who is our fiercest competitor and One NED enquired whether the Organisations have to be prepared to what would they look to do?”. NEDs can governance of data analytics/data ‘dream’ and then attempt to convert the also ask: dream to reality which means being security/data privacy should all come prepared to try and fail, as long as • Are the business’s leaders thinking under the CDO. It is right that there lessons are taken from the failures. about data analytics? should be a role around the governance Individuals with the deep mathematical • Is it just lip-service or are thoughts of information assets but this needs to skills required for advanced analytics being converted to actions? be alongside ‘data evangelists’ who are can sometimes be introverts. They need • Does the business have skilled prepared to test the boundaries. It is to be given space once in the resources? helpful for there to be a subset of the organisation and be recognised for what • If not, is it taking appropriate advice? risk function that understands data they are good at, rather than being analytics concepts and language. Over As mentioned above, Boards need to be moulded to ‘the norm’. time, regulations are likely to adjust as prepared for failure but should ensure people become increasingly comfortable Another attendee asked whether there is that the organisation learns from them. in this space. evidence of machines generating originality, flair and creativity. This is At a big picture level, there was a final indeed starting to happen. For example, question around which countries are a US car manufacturer has fed in data doing this best if the UK is lagging from focus groups on why people like Only 13% behind. The west coast of America has certain cars from an aesthetics point of hugely impressive resources attracted view. Computers can work with this to use data analytics in a by, and prepared to work hard for, design a car that a greater percentage of prescriptive manner to automate significant economic rewards. There people will like the look of. decisions is also real investment in this space happening in China.

8 | Board discussions March 2017 General Data Protection Regulation and data privacy

The General Data Protection Regulation (GDPR) comes into force in Presenter: May 2018, replacing the existing law, the Data Protection Directive. It Stewart Room will totally transform the data privacy and protection landscape as Partner, PwC, Global Cyber any entity of any size, public or private, anywhere in the world dealing Security and Data Protection Legal with personal data of European (EU & EEA) origin will be impacted. Services Leader; UK Data Protection Leader This was an opportunity for NEDs to have an overview of the far- [email protected] reaching implications of this regulation.

Context GDPR and Brexit As examples: The session began with some context- The implementation of the GDPR will • News of the World – the ‘phone setting. Stewart first emphasised the not be impacted by Brexit for the hacking saga ultimately led to the sheer scale of this law as most other laws following reasons: demise of this organisation. have ‘perimeters’ that ring fence and • Data Retention Directive – this limit their scope. For example, • It was the UK that initially proposed regulated the holding of data by employment law only applies to the law and the UK Government telecos and ISPs for security/ employers and employees. However, the supported its passage through the terrorism purposes but was GDPR gives rights to all living EU processes. ultimately unwound having been individuals whose personal data are in • The GDPR comes into effect in May deemed to breach human rights, Europe and will affect the largest 2018 so will be in force before the • Right to be Forgotten – an multinationals, most of the public sector end of the two year period that runs individual’s request to have old data and all the way through to small once article 50 is triggered. removed from a Google search busineses, such as the window cleaner • Trading with the EEA/EU will be affected Google’s ‘crown jewel’ web with customer details on their iPad. conditional on the UK accepting the search in Europe. Some B2B deals are already featuring GDPR. • Safe Harbour – this was audit rights for data handling in • UK based data importers and contracts. It is highly likely that the dismantled following Facebook’s multinationals operating in the UK transfer of personal data from regulation will give rise to more and the EU will need GDPR-type disputes/litigation once in effect. Europe (Ireland) to the US adequacy to avoid legal challenge. (California). It is worth noting that security is only • Multinationals operating in the UK one issue of the GDPR. There are many and the EU will build to a GDPR All of the above examples illustrate how other key requirements ranging from common denominator. powerful the ‘Bears’ can be when they combine. transparency rules to rules on data • Domestic law is independently quality and rules on how to build data moving towards the GDPR’s An advert from a firm of solicitors protection compliance programmes. objectives (breach disclosure, was used to expand on the wider Many organisations are not ready for its distress compensation, marketing). background. A disgruntled internal impact. Although the GDPR comes into auditor had left a major retailer taking Moreover, the Government has force in May 2018, it was first proposed an employee database with him. The announced in the Brexit White Paper in 2009 and promulgated in draft in individual was convicted and jailed but that the UK will meet the standards of 2012 so there will be little sympathy for the solicitors initiated a class action for the GDPR after Brexit. those who are not ready by the compensation against the retailer and implementation date. Background to the GDPR almost 7,000 employees have signed up. This case is continuing through the Awareness around data protection has courts. grown significantly since 2007. A relentless torrent of data and privacy The GDPR therefore came into being breaches has affected the political, against this backdrop and the financial public and regulatory psyche. This can penalties can be significant with fines be viewed as a 'Regulatory Bear Market' of up to 4% of an entity's annual with multiple bears (judicial, citizen, turnover in addition to compensation political, regulatory) uniting with payable to those affected in litigation. significant impact.

Board discussions March 2017 | 9 Scope of, and points to note The GDPR is built around three Punishment regarding, GDPR key pillars • There are tougher enforcement The GDPR applies to any entity Transparency powers for regulators. processing personal data of European • Financial penalties are up to 4% This needs to be considered over the origin. The definition of ‘processing’ is of the legal entitiy's annual turnover. entire life cycle, right from prior to broad and includes adaption, transfer, collection of the data. • Compensation rights exist for sending etc, – really any act that can be distress. performed to data except dreaming or • Entities need to be much clearer • Civil Society Organisations can sue thinking about it. about how they use personal data. on someone’s behalf without the The key points to remember are: • Consent rules have been toughened individual’s consent. with new proof requirements • Data processors are liable in their • The GDPR is law to regulate the (assumed to be none in the absence own right. processing of personal data. of proof). The compensation point is particularly • All industry sectors are affected. • Access rights have been increased key as some of the most complex • The reach of the law goes beyond with a shortened delivery time challenges in the regulation are likely to Europe – any entity worldwide will (reduced from 40 days to 20). come from citizens. Individuals do not be caught if it deals with Europe. • Mandatory breach disclosure have to demonstrate financial loss or • Lawmakers foresee significant requires entities to come clean after physical harm but can just claim problems with data protection and data breach cases and tell the distress. Given there are 500 million EU feel the market is not responding so regulator within 72 hours of citizens and 28 EU Data Protection are regulating accordingly. detection of the incident and the Authorities, this represents a huge • Financial risk is seen as the solution people affected in serious cases potential financial exposure. to the issue. without undue delay. • Entities have to re-contract with • Enhanced rights of regulatory Considerations for NEDs their stakeholders. inspections and audit will be In light of the above, NEDs may want to • Repairs can be packaged up using introduced. consider two fundamental questions: a risk-based approach. Compliance • How will their organisations deal • Entities need to maintain trust in and cope with the challenge? their digital futures. The existing Data Protection Act in the UK has eight principles which will be • How will they be able to prove that • They will have to quickly remedy their entities are ‘good’ (have any problems given how long the expanded by the following new requirements. appropriate systems and operations GDPR has been in existence. in place)? • However, entities can easily lose • ‘Privacy by design’ means entities their way without appropriate have to get data handling right from support. the start. Given the amount there is to be done, • ‘Privacy impact assessments’ will entities will need to optimise their have to be routinely carried out. 500m • ‘Accountability’ means all data use approach to address key risks. For most citizens in Europe benefitting organisations, there is probably not and the related risks have to be from new rights and powers enough time to map all data and come documented. up with a full legislative compliance • ‘Data portability’ permits people to journey so it may be better to take a take their data with them (e.g. when risk-based approach. As the law has switching energy/insurance/ legislated for a principle-based system, financial services providers). it is likely to be more effective to look • ‘Right to be forgotten’ means that at where harm might arise. people will have greater power to demand deletion.

10 | Board discussions March 2017 Open forum Q&A Another NED enquired about the The open forum Q&A covered a range interaction with other legislation, e.g. of issues. health & safety, an example being where 28 an entity uses telematics to monitor One NED enquired how the UK phone use while driving. There is compares to the US situation where EU Data Protection Authorities unlikely to be pushback where employee class actions seem to be more frequent monitoring is for legitimate purposes. and there also appears to be more freedom re personal data. It was noted The law will tolerate some failure if NEDs enquired about the skill sets of the that in the US the law is harm-based there are appropriate systems and regulators and whether they are likely (e.g. financial loss) whereas the UK is processes in place. It will also be to be able to cope with the volume of principle-based so the situation does advisable to take a risk-based approach reporting that may result from the not translate directly. The UK could – for example, ensuring there is an GDPR. It was noted that skill sets have mimic the US 'class action' phenomenon. appropriate script in place for dealing improved in recent years but resource with complaints at a call centre may be constraints are likely to be an issue and NEDs asked where the Achilles heel more valuable than detailed mapping so the regulators may have to make might be, particularly for small of data. Flashpoints are likely to involve choices about where to focus. companies. This could be in the supply compulsory breach disclosure and there There was some concern that chain so there is a need for greater due is no ‘de minimis’ for disclosure (unless unintended consequences of the diligence and stronger contractual the data lost was encrypted) and regulation could lead to an industry relations as the data controller and the marketing and 'surveillance' activities growing up around compensation, data processor will both have liability. (eg monitoring actitivities online or as with PPI. This is a possibility as There was also concern around the other behavioural aspects). accountability and portability aspects. barristers and solicitors have been A NED was interested in who should meeting to discuss the expected Another NED enquired whether the own this and it was agreed that this is increase in cases post 2018. Board could go to prison and it was not solely a legal or IT matter but needs One NED noted that the impact on noted that there are no jail sentences to be owned by the business. The CEO people, customers and the business attached to the regulation, although also needs to be able to talk model when a privacy issue occurs is there could be personal civil liability if a knowledgeably about data protection significant and NEDs need to be aware Board member connived or collaborated wherever it sits. in the non-compliance or was guilty of of this more broadly. It can often neglect. There was also interest in whether there become a ‘licence to operate’ issue. is diversity across the EU in this area. It Finally a NED enquired if insurance The NEDs were interested in how they was noted that every member state has could be taken out in respect of GDPR can satisfy themselves that their entities different laws currently and one aim of breaches. It is possible that insurance are fulfilling their responsibilities with the regulation is to resolve this. regard to data protection. Organisations may cover some of the aftermath but need to take appropriate steps with it cannot cover regulatory fines. regard to technical and organisational Additionally, individuals cannot matters to ensure that they are on the contract out of statutory protection ‘bell curve’ of the consensus of rights. professional opinion regarding what is adequate.

Board discussions March 2017 | 11 Blockchain and its far-reaching implications for business

Blockchain, the technology that underpins the crypto-currency Presenters: Bitcoin, presents far wider opportunities and challenges than just Patrick Spens, Director, PwC and disrupting business models within the financial services sector. It Chair of the Governance consists of ‘blocks’ of data in a digital ledger and is believed to be Committee of the Whitechapel highly resistant to malicious tampering. The ledger also creates a Think Tank, member of UCL single shared view of the blocks which every participant in the network financial computing faculty board, can access simultaneously. member of GovCoin systems advisory board, on global Blockchain therefore has the potential to remove the need for a back- leadership team of ID2020, office/reconciliation process as well as the requirement for a honorary adjunct professor of middleman, reducing cost, delay and risk. In addition, using digital Macquarie University and an identities to unlock the capacity of blockchain could lead to huge executive fellow at the Henley societal change by bringing the 30% of the world who do not have a Business School [email protected] legal identity into mainstream society. This was an opportunity for NEDs to have an overview of the far-reaching implications of this David Moloney, Director, PwC technology. [email protected]

Context • If valid, the transaction is combined • Santander estimate banks could The session began with some context- with other transactions to create a reduce costs by $15-20bn per year setting. Just as the internet had new block of data for the ledger. by 2022. revolutionised the exchange of • The new block is added to the chain • A report by PwC estimates that information, blockchain has the in a way that is permanent and insurers could save $5-10bn through potential to revolutionise how we unalterable. faster and more accurate claims exchange value by creating trust on the • The transaction is complete. settlements and compliance checks. internet. Currently, exchanging value • A report by the World Economic This technology could be used in on the internet requires a trusted central Forum highlighted the potential for numerous ways beyond financial party because when value is represented blockchain to disintermediate the services such as supply chain digitally it can be duplicated or financial services industry and save provenance, land registries, airlines, etc. manipulated. For example, we instruct 10% of global GDP ($7.5tn). It requires a closed user group that sets our bank to make a payment, the bank the rules/protocols for the group. verifies we have sufficient funds and then makes the payment. Blockchain Transformative potential of enables the distribution of trust which blockchain potentially removes the need for a A video was shown of a short extract $15- trusted intermediary which in turn of Patrick’s appearance before the House reduces cost, delay and risk. of Lords Economic Affairs Select How does blockchain work? Committee to talk about blockchain. 20bn This illustrated the level of engagement Blockchain creates a single trusted the Lords had in the subject but also savings per annum for banks version of the truth using a distributed some of their concerns. ledger, consensus protocols and cryptography. In simplistic terms, how The distributable ledger technology that it works is as follows: is blockchain is not new as the original code was released on the internet eight • Someone in a network requests years ago and has been worked on by a transaction. bright minds since. It is complex code • The transaction is broadcast to other and encryption but potentially computers (nodes) in the network. transformative as recent headlines • The network of nodes validates the have demonstrated: transaction using agreed consensus protocols.

12 | Board discussions March 2017 Dispelling some myths including the Whitechapel Think Tank The ‘big brother’ issue is really a Patrick continued by dispelling some (made up of regulators, Government, question of policy. As an example, myths that have developed around the Central Bank, banks, universities concerns have been expressed about blockchain: and Fin Tech organisations) and the limiting benefit payments such that they Alan Turing Institute, exploring the art can only be spent in food/housing 1. Blockchain is just for Financial of the probable. stores. However, a similar policy has Services – in fact, blockchain is been applied in South America for many Brexit may have slowed things down but industry agnostic. It requires a user years. group to set the rules and then change is coming in the Government enables the exchange of value with which has the largest back office in the minimal settlement and credit risk. country and the largest bank in terms It can therefore be used in any of the DWP. The DWP is today engaged organisation with a supply chain to in South Manchester making its 10% eliminate the need for work orders, distributions via blockchain and turning purchase orders, invoices, receipts, fiscal utility into social utility. Although of global GDP could be saved in etc. Auditors, regulators and tax this may result in redundancies, there the FS industry authorities could have read-only will be significant opportunities in R&D.

access to the information, all helping Parallels can be drawn with earlier The art of the possible to reduce cost, delay and risk. ‘technology’ developments, such as the spinning jenny, where higher The session finished with a look at what 2. Blockchain is just about money – in productivity in fact led to the industry blockchain could mean for personal fact, the technology can be applied becoming more commercial and identity. The UN published their to almost any business process across employing more people. In a similar 17 Sustainable Development Goals all sectors. For example, there will be vein, PwC employed more people after with 169 targets in September 2015 European legislation within two PCs were introduced. and one of these is a legal identity for years requiring all pharma all. Currently 1.5bn people have no legal companies to have a bar code linked Areas of concern identity and 53m children born every to a central depository allowing an The House of Lords had three key year are not registered. Human individual to identify a medicine as concerns: trafficking is a big problem and ID2020 genuine. is a not for profit organisation set up to • monopoly explore whether blockchain technology Blockchain does four things: • security can be used to achieve the legal identity • It removes the requirement for • ‘Big Brother’. target. reconciliation/a back office. Monopoly will not necessarily be an • It removes the need for a middleman issue as long as blockchains can interact Considerations for NEDs (e.g. insurance broker, travel agent). (cf a Vodafone call to a BT ‘phone). Returning to business, NEDs may want • It provides immutable proof to bear in mind: of provenance. Most issues with security have been • Blockchain is both industry agnostic • It has embedded business logic. due to the protocols established and the implementation rather than the and policy agnostic. Where could this go? technology itself. Bitcoin has survived • If their company’s 3-5 year plan has not considered blockchain, this The Bank of England is excited about the despite many minds trying to crack it. should be revisited. It may be right distributed ledger technology and has its Nevertheless, organisations will want that blockchain is not relevant but own blockchain lab. In addition, two assurance around the security of a the question should at least be asked. ministers are in charge of delivering the blockchain implementation. eight recommendations in Sir Mark • Identity is the key that unlocks the Walport’s (UK Government Chief technology of blockchain. Scientific Adviser) report ‘Distributed Ledger Technology – beyond blockchain’. In respect of recommendation 2, considerable R&D across all sectors is already being carried out by institutions

Board discussions March 2017 | 13 Open forum Q&A There was a concern that removing the Finally a NED asked what this means The open forum Q&A was wide-ranging. middleman removes the ‘neck of the for education. There may well be less hour glass’ where there is an overview administrative roles going forward and The NEDs were keen to understand why of what is going on. This could be a greater need for technology skills. The the encryption is so unbreakable. Any counteracted by having accountants/ Government is aware of this. hacks/breaches to date have been due to regulators as read only users where Sir Mark Walport, the Government’s flaws in the implementation set-up and necessary. The question is probably one chief scientist, published a well-written not the technology itself. It often comes of whether current intermediaries add report into the uses of the technology down to cyber security hygiene as there real value or just cost. is no fundamental vulnerability in the across government in January 2016. blockchain technology. Implementation The supply chain application was is the risky element and companies may queried in terms of a major organisation want to seek assurance over this. which might have sensitive intellectual property it wants to protect. If a prime Another NED wanted to know who owns supplier wants to protect IP, it may be 1.5bn the data. This will be a policy decision possible to grant different permission and will also need to comply with the levels to different suppliers. A supplier people without a legal identity General Data Protection Regulation. could also be excluded by changing the However, it is likely that a state will be code which means they are no longer reached where digital identity needs to able to participate. The user group sets be owned by each individual who then the rules. grants access. The NEDs were interested in the likely Given the technology has been timeframe to significant implementation described as immutable, NEDs were of blockchain. This is unlikely to be far interested in how it would work if off, although an exact timescale is something needed to be changed. It is difficult to predict. However, once one likely that different types of blockchain company adopts blockchain, others will will develop over time. They may probably follow very quickly. The multiply initially and then stabilise to a adoption is not hindered by technology few. but by behaviours. The take-up by the One NED asked if a distributed ledger is younger generation is likely to be much more resilient. It is because data is much quicker as they are more familiar and less likely to be lost than if, for example, comfortable with the sharing concepts. there are only two data centres. In a It may be tempting to begin with a blockchain set-up, data could always ‘middle ware’ version, taking out some be reinstated from one of the multiple but not all business processes, but the nodes. It is also worth bearing in mind risk is that a 100% adopter could then that Bitcoin is permission-less as quickly disrupt the business model. opposed to blockchain which is permissionable. The technology is developing every day.

14 | Board discussions March 2017 Tax – a reputational risk for business?

Barely a day passes without news headlines publicly examining the tax Panelists: affairs of business, with heightened public, media and political Kevin Nicholson interest in matters of tax policy and fairness. This discussion has PwC Head of Tax elevated tax to a Boardroom issue. NEDs need to be comfortable that [email protected] they understand and can appropriately articulate their company’s tax Giovanni Bracco strategy and how the risks associated with tax are being managed. PwC Tax partner This roundtable discussion led by a panel of experts was an [email protected] opportunity for NEDs to discuss the direction of travel of the tax Stella Amiss environment, the future of tax reporting and how they can influence PwC Tax partner the right discussions in the Boardroom. [email protected] John Connors FTSE 100 Group Tax Director John Whiting Tax Director of the Office of Tax Context A key reason why corporation tax has Simplification and NED at HMRC. The session opened with some context- become a smaller part of the tax mix is setting around the current interest in that successive governments have corporate tax affairs. It was noted that reduced the headline rate and offered tax came more to the fore as an issue corporation tax incentives to maintain around five years ago as a result of the UK’s attractiveness for investment. a combination of factors: In the current environment, businesses can find themselves harangued by the 7% • The fallout from the financial crisis. media for taking up the incentives • The politics of the time. offered to them. Arguably, greater of total tax take is corporation tax • The growth of social media, allowing transparency and understanding of UK stories to escalate more easily. tax policy could help relieve some of the tension and confusion. • The tax system being unable to cope The big test is whether Boards could with the modern business While the media focus is on corporation cope with a ‘Today programme’ environment and new business tax, it is not the only tax that warrants interview on their business’s tax affairs. models. Boards’ attention. There is also Tax is undoubtedly a reputational risk It is worth noting that the UK has been significant risk in payroll taxes and for organisations and many different very much at the centre of this debate. indirect taxes such as VAT. stakeholders, including a company’s employees, have an interest in it. Australia has now caught up to some Previously, there was an inconsistent extent but in European territories, such interest taken in tax by Boards as the as France and Germany, interest has What we are seeing with our tax department was often viewed as ‘a clients tended to be more subdued, while bit of a mystery’. Now, however, NEDs Companies are recognising the benefits emerging economies are often more view tax as another commercial risk and of increased disclosure on tax. There are focused on tax fraud. are getting more involved asking also more transparency requirements, It is also worth bearing in mind that the questions such as: such as the need to publish a tax debate in the UK has been very focused • Is there an appropriate strategy? strategy. To some extent, putting on corporation tax which is only around • Does the tax department have the together a tax strategy document is 7% of the treasury tax take (7-15% right skills? relatively easy, although some are too globally). For every £1 of corporation generic. A good tax strategy needs to tax, the largest UK businesses now pay • Do we understand and agree on the be very specific to the business. Also, £4 in other taxes such as business rates. tax strategy? putting together the statement is one thing, the difficulty comes in operationalising it.

Board discussions March 2017 | 15 Tax authorities are following guidance Country-by-county reporting also makes A focus of the government has been on coming out of the OECD in terms of a tax an issue for the Executive getting better at collecting taxes rather framework. Although the requirement Committee and local reviews are than raising tax rates and this goes for for the tax strategy to be formally performed, as well as a review at group all taxes not just corporation tax. The approved by the Board was removed, in level, looking at both on and off balance ‘tax gap’, ie the difference between what practice Boards will still want to agree sheet matters. should be collected and actual collection the tax strategy that is published on the is £34bn which translates to 6% of total There is more discussion of internet. Boards are considering: tax take. This is better than most other international tax developments and the countries. • Who takes responsibility for the potential impact on the FTSE 100 strategy? organisation, as well as discussions Avoidance amounts to around £3bn or • What governance and systems are in around brand and reputation. The 10% of the total but the biggest element place once the strategy has been set? whole conversation has therefore shifted is due to the cash/hidden economy and • How are they tested? from when it was just focused on the approximately 50% is due to small numbers in the accounts. The businesses. It is possible that country-by-country discussions at Board level are replicated The tax gap has remained reasonably reporting may ultimately become public, at Executive Committee level and the constant in recent years in cash terms rather than just being for the tax whole process is more rigorous and and so is a reducing % of tax take, as tax authority as currently. Disputes with tax satisfying. authorities may then become more authorities have more power, focus and frequent. An earlier suggestion that the intelligence. However, pressure to close international tax system is broken was the gap further is still there. The Since 2010 as noted above, the focus has queried. The arm’s length principle government has been successful in been on corporation tax but risk also remains appropriate but the difficulty is conveying to business that paying the comes with employment and indirect how to apply it in a digital environment. right amount of tax matters. HMRC taxes. operates a risk-based approach and it is Final points made were: therefore better for companies to take Experience of a FTSE 100 tax • NEDs have a key role to play and the matter seriously. director need to ask relevant questions. For CSR purposes, companies need to The group tax director outlined how he • Transparency is key (the FTSE 100 felt the situation had developed over the be seen to be good tax citizens and staff group publishes more than required want to work for organisations with past 6/7 years. Previously tax was because they feel the context is viewed as a ‘niche/specialist’ subject to good ethics. Tax will therefore remain necessary and it is also helpful on the political agenda and needs to be be dealt with by experts. The tax to employees). numbers in the accounts were flagged to on Board agendas. the Board but the tax department Views from a long term tax remained a ‘black box’ responsible for practitioner now working as a compliance and some planning. Now it civil servant is very much a public issue and a Tax has always been a reputational issue Boardroom topic because of the public but it has risen up the agenda because 34bn and government focus. Boards are the government is short of money and having to take greater interest and = ‘tax gap’ between expected and there is a 24 hour media circus. Both proper processes need to be in place. collected tax of these combine to create political The fact that tax strategy now needs to attention and pressure to do something be published means that the Board looks about it. at tax more holistically. Whilst the group is entitled to be tax efficient, they will not engage in inappropriate structures and aim to work on a ‘more likely than not’ basis that an approach would meet both statutory and reputational requirements.

16 | Board discussions March 2017 Open forum Q&A Some participants thought future policy It was also noted that it is worth trying The open forum Q&A covered a range and debate may be influenced by to broaden the debate to overall of issues. potential changes to the US tax system, economic contribution and not just a particularly in the area of double narrow focus on tax. In Africa, the Given that campaigns often drive taxation. The occasional situation has argument that the government has been behaviour, one NED enquired where the been seen where a company has chosen deprived of significant tax revenues next high profile campaign might focus. to be taxed twice to avoid the through pricing by multinationals has This could potentially arise out of reputational risk of being challenged. gained some traction but the overall country-by-country reporting, as However, tax authorities may not all picture in terms of employment and previously the focus has been much want to work together in a sensible way. other economic benefits needs to be more on UK tax. While it is not HMRC’s The political aim will be to maintain considered. role to be the world’s policeman, it may competition and not give up sovereign One NED raised the question of deferred be necessary to take more of a global rights to determine tax. view going forward. tax which is often more complex due to A NED noted that the Board has a fiscal the impact of possible future events. Full Another NED noted that issues duty to its shareholders and it was and transparent disclosure around sometimes arose because of government agreed that tax strategy as a whole deferred tax was agreed to be helpful. to government matters, as with recent needs to be debated at Board level. Finally, a NED questioned whether there state aid cases. Corporates put their Companies need to be alert to the is evidence that HMRC is becoming business operations in locations where ethical debate, however, otherwise they keener to litigate. In fact, much of what there are incentives to do so but are then will be challenged by their customers. It is currently going through the courts is blamed for this or tainted by association. was felt that the AC Chair has a specific historical and HMRC are actually trying Going forward, it was agreed that there role in relation to compliance and to avoid litigation. However, it is not yet may need to be more international control but values and reputation need clear what Theresa May’s stance may be. coordination. We are unlikely to get to a to be debated by the Board. More Corporation tax discussions are unlikely position where there is one overarching companies now have tax as a to go away and deferred tax is poorly international fiscal authority but there reputational risk and there are good understood. However, it is equally may be more cooperation between opportunities for NEDs to ask questions. different national authorities and more possible that the next major issue could influence from the OECD, the World come from employee tax. The debate Bank or some other supranational around tax, and the reputational risk authority. involved, is therefore likely to continue.

Board discussions March 2017 | 17 Culture as a risk management tool and a licence to operate

Culture has been a focus for financial services organisations since the PwC/third party experts: financial crisis but recognition of the importance of an organisation’s Tracey Groves culture is now becoming even more widespread across all sectors. [email protected] Regulators are particularly interested in this area and, in July 2016, David Taylor the FRC released a report on ‘Corporate culture and the role of the [email protected] Board’. Mark Goyder Culture can happen by default or it can be designed. A strong culture CEO, Tomorrow’s Company happens when it becomes a focal point throughout the business Richard Sermon through setting clear purpose, vision and values which are aligned Chairman, City Values Forum with the organisation’s strategy. Ultimately, a company’s culture will impact how it interacts with, and is perceived by, the external Oonagh Harpur environment – culture is key to reputation. Board member, City Values Forum and Senior Advisor to Tomorrow’s Company

This workshop began with a look at the In order to be able to address culture, Financial targets and ‘short termisim’ context and some definitions to ensure there is a need to break it down to its can impede the ‘right’ behaviours and so that there was a common understanding constituent inputs which can then be leadership action and appropriate of culture. used as levers to influence and inform performance management and reward culture. It was recognised that whilst are particularly important. In order to Context values should be global in a drive a strong culture, alignment is There is no doubt that culture is multinational organisation, how they needed between intention and these important. This was illustrated by a are manifested in different cultures may reinforcers. An informally developed number of statistics from a variety be affected by cultural norms and culture without these aligned of surveys: traditions. Indeed, the core underpinning drivers may appear to understanding of values may vary in work but may not be sustainable long • 50% of the largest corporate different cultures. term when pressures are brought to bear bankruptcies were due to unethical and business dilemmas emerge. business. A model for organisational culture and • 70% decided not to purchase a behaviours was discussed where a In order to identify when behaviours are company’s product because of its company’s purpose, vision, values and misaligned, NEDs can consider questionable ethics. behaviours, reflected through decisions questions such as: and ways of working, result in higher • 84% agree that their organisation’s • What does success look/feel like in performance in terms of business results culture is critical to business success. terms of building a strong culture? and outcomes. Looked at another way, • 1 in 3 people have left a job due to business outcomes (including financial • How do we make decisions? disagreeing with ethical standards. performance) come from good decisions • How do we behave? • Individuals are 38% more likely to with the right ways of working based on be productive if they feel engaged in • What are the desired behaviours we a company’s purpose, vision and values. the role. are looking to achieve? • 60% say culture is more important In order to have some confidence that • What will that look/feel/sound like? than an organisation’s operating there will be the desired outcome, • How can we measure this? What model. various behavioural reinforcers are would the key indicators be? required: Definitions were explored of concepts such as purpose, mission, values, • leadership action behaviours, ethics and integrity – all of • communication which are inputs leading to culture as an • people practices 50% outcome. • performance management and reward of the largest corporate • organisational structure bankruptcies were due to • external environment. unethical business.

18 | Board discussions March 2017 A guide to Board leadership in Lessons from financial services purpose, values and culture Following the financial crisis, there has Representatives from Tomorrow’s 84% been a great deal of focus on culture Company and the City Values Forum within financial services. The FCA’s talked through their guide ‘Governing agree that their organisation’s 2016/17 business plan has a number of culture: risk and opportunity?’ and the culture is critical to business paragraphs addressing culture and related toolkit. It was noted up front that success. states that “Boards have a critical role in Tomorrow’s Company’s work on the setting the ‘tone from the top’.” Board mandate precedes this in terms term results. However, this was not seen Regulated firms are being challenged to of defining purpose, vision, values and to be the whole issue, although Boards address four risks: behaviours. As stated above, there is could potentially help to shape now a great deal of focus on culture and • Poor cultures in firms drive discussions with investors more. getting culture right can add real value behaviours that result in poor to an organisation. Promoting and embodying considers consumers and markets. how the tone flows down throughout • Firms’ strategies, business models Tomorrow’s Company/City Values the organisation and how people behave and governance arrangements are Forum’s guide gives NEDs key questions when out in the business. Embedding not aligned with firms’ values and to ask in this area – both of the Board culture was illustrated by the example good conduct. and of executive management – set of a customer service awards event at a around six pillars: • Incentive structures and company where the CEO, over a period performance management do not • inspiring purpose and values of more than 30 years, had never missed reward behaviours that act in the • aligning purpose, values, strategy the ceremony. long-term interests of customers and and capability Guiding decision making should be market integrity. • promoting and embodying purpose supported by clear processes. Having a • Weak governance and lack of and values triple bottom line – people/customers/ accountability create poor oversight • guiding decisions using purpose and results – can be more effective in terms of risks to customer and market values of developing a good culture than pure integrity risks in how firms are run. • encouraging desired behaviours financial metrics. An Individual Accountability Regime is being instigated with three facets: • assuring progress is being achieved. Encouraging desired behaviours is This is intended to be an iterative important and a culture of fear needs • The Senior Manager Regime. process as companies and the business to be avoided. People need to be enabled • Certification Regime. environment will evolve over time. to do the right thing and there should • Conduct Regime. be repercussions/penalties for those For each of the six pillars, three levels that do not. However, this needs to be A key principle of individual are set out to help Boards identify where balanced with the need to encourage accountability is that it will no longer be their organisations currently are and transparency when concerns arise. acceptable to say “I didn’t know” in the where they may want to get to. These event of an issue/breach. range from being at the beginning of The final pillar is around assurance. The regulators are looking for greater the journey through to being quite There are often a number of measures interaction from NEDs and increased advanced in this area and this needs that can be looked at within an time commitment. Two of the prescribed constant revisiting as the world and the organisation (e.g. surveys, complaints, responsibilities are: organisation’s own geographic footprint etc) and these need to be triangulated changes. Forcibly, the questions and the with the Board member’s own • Responsibility H: embedding the levels are somewhat generic and should experience and speaking to the head firm’s culture and standards in therefore be tailored to an organisation’s of HR, Compliance, Internal Audit, etc.. relation to the carrying on of its specific business. Boards should work out where their business and the behaviours of its colleagues in the day-to-day The first two pillars above – inspiring organisations are and prioritise where management of the firm (typically and aligning – set the ‘tone from the they want to get to. Culture can be a assumed by the Chairman). top’. In addition to the Board, it was matter for specific focus at awaydays but noted that the CEO plays a vital role in should also be brought into all Board • Responsibility I: leading the this. There was some debate around meetings. It needs to express the development of the firm’s culture by whether the current joint stock model ‘personality’ of the business. the firm’s governing body as a whole impedes this, through a focus on short (typically assumed by the CEO).

Board discussions March 2017 | 19 The regime currently applies to banks There also needs to be a balance • Are we aware of our leadership and insurers but will apply to all between qualitative and quantitative biases/cultural blind spots? financial services organisations by 2018. assessment of the ‘speak up’ culture. • Do our policies, procedures and It has encouraged debate and clarity Sometimes flagging everything can help systems describe and drive the right around what an individual is responsible to identify themes. A tolerant attitude behaviours? for and given more focus to the towards errors is needed to encourage • Are we incentivising good ethical escalation of issues. NEDs need to reporting but, at the same time, there behaviour and dealing with mis- demonstrate they have taken reasonable needs to be a consequence for offences. aligned behaviour? steps in this area and part of this is Transparency is important. • How would we demonstrate to a consideration of the management What does this mean for NEDs? regulator (or other stakeholders) information/data they have access to in that we are taking culture seriously? order to get a feel for what is happening. The Volkswagen emission tests issue was used as a case study to further There was debate around whether a Conclusion consider how NEDs might respond. Even ‘regime’ encourages a ‘tick box’ exercise In conclusion, it was noted that culture before the matter became public, there and a fear culture. It does, however, go can happen by default or an were a couple of flags that something some way towards guiding against organisation can design it. In order to do was not right – one from a whistle- systemic flaws, although one-off human the latter Boards need to: blower and another from a university mistakes may still happen. The spirit conducting some independent research. • Define their cultural aspirations in needs to be that individuals may still get In 2012, the CEO made a public line with the company’s strategy. things wrong but should not be actively commitment regarding clean engines • Assess their current state. doing things wrong. which the engineers knew was not • Identify the behavioural priorities. A discussion around whistle-blowing achievable but they were too scared to • Intervene to evolve and align suggested there may be concern if there speak up. culture. is nothing being reported, although it Boards sometimes find it difficult to • Monitor progress. was recognised that this is not the only challenge success, even when there is route for raising issues and some an element of knowing it may be too individuals may go through their line good to be true. The younger ‘millennial’ manager where there are high levels generation care about making a of trust. Staff and customer surveys, difference and Boards should find ways exit interviews, complaints, etc can all to tap into this. They also need to guard be valuable sources of data, as can the against group think. informal networks that exist within an organisation. Overarching questions NEDs can ask are: • Is our culture in line with our strategy? • What channels do we have for 1 in 3 employees to report concerns and people have left a job due escalate issues? to disagreeing with ethical • Are our new hires and existing standards employees trained and guided to be aware of the corporate values?

20 | Board discussions March 2017 Cyber security – stage 1

Cyber threats are very real and are having a huge impact on a wide PwC/third party experts: range of businesses. Richard Horne [email protected] However, this is not just a technology issue. It belongs in the Boardroom and is one of risk tolerance. The goal should be to accept Dr Stephen Page the right amount of risk in the context of the company’s competitive NED and senior adviser to PwC strategy in a digital age. [email protected] Boards need new skills, management, tools and language to lead in the digital age but there are basics – both technical and behavioural – which should also be in place and need to be measured.

This workshop began with a look at the Current snapshot of cyber There appears to be an increasingly threat environment. We live in an era of threats hostile climate which encourages data rapid, revolutionary change enabled by The workshop reviewed current threats theft and the ethical complexities of technology. There is much greater as seen by our clients, observed through ‘LuxLeaks’, the ‘Panama Papers’ and the consumer engagement via online our Forensic capabilities and reported Wikileaks publication of Sony internal platforms and more complex integrated by UK government sources. Topical emails were discussed. A number of supply chains with business partners areas of concern include: media outlets and others have sharing data, often via cloud models. developed sophisticated tools which At the same time, there is rapid global • leakage of customer records assist leakers to deposit large volumes knowledge exchange – sometimes (hundreds of millions) of stolen data for public inspection. resulting in innovation sharing and • engagement of organised criminal This can be helpful (in the case of access to rich data sets among both groups shifting to a more aggressive whistleblowers) yet also damaging external and internal communities. posture (extortion, ransomware, etc) (e.g. where collateral damage occurs There are also changes to how we work • increasing scale and sophistication as a result of bulk exposure of with flexible working further enabled of attacks, especially in financial commercially and personally sensitive by portable devices. services (exploiting business data). processes) However, there is a dark side to these • 'Internet of Things' risks beginning Implications for Boards and exciting times with a dramatic growth NEDs in cyber threat over the last 2-3 years. to be realised (webcams, DVRs) Today there are more potential • state-related targeting and The Board has a significant adversaries with more power, more penetration (destructive attacks/ responsibility – to investors, regulators, access, more motivation and more industrial control systems, supply insurers, employees, customers and impact. Managing information risk is chains and professional service suppliers, amongst others – to protect critical as failures can lead to economic providers) information assets. This covers loss, reputational damage and, in some • politics, ethics and regulation everything that might be of value to other parties including: cases, risks to safety. A diagram • insider threat (corrupt, well- produced by the National Crime meaning, unintentional) • intellectual property, inventions Agency indicating the cyber crime • continued rise of technologies which • financial integrity ecosystem illustrated how criminals are outside the reach of law • supply chain, process integrity are increasingly organised and enforcement. • customer personal data sophisticated, making use of the tools of the digital world – both legitimate • supplier commercial data and otherwise. • market critical data • pricing, sensitive algorithms • safety critical systems • ….and anything else where failure 30% would be embarrassing. of strategic risk registers did not include cyber risk

Board discussions March 2017 | 21 The richer the data, the greater the In terms of the Board’s assurance role, threat, plus social media amplifies the directors should: risks. People can also have very different • inspect measurement systems for Over views of the risk involved. With 1/3rd focus on the right outcomes Millennials the default position is to • assess strength and independence of companies believe they have share. Part of the issue is that had no security incidents in the information resides in many places and of assurance last 12 months or do not know the sheer volume of data is a real • assess (and seek proof of) crisis how many they have had problem. readiness. Cyber security is Board business. There Results presented from client surveys Seize the advantage is a close link between digital innovation demonstrated that, in practice: • set risk appetite and cyber risk and this needs to feed • there is a mixed understanding of into the Board’s overall risk cyber risks and their impact at Board • check that digital trust is embedded considerations. level in the strategy • ensure compliance with privacy and The Board has a role to play in its • risks are often delegated below the regulation direction setting role to: Board • there is room for better • challenge the balance being struck • establish the risk appetite communication between Boards and between speed to market and • assess (and continually re-assess) cyber risk owners ensuring confidence in the security the threat and its implications for of new products and services. • skills, knowledge and understanding strategy could be improved. • help management set values, Their risk is your risk behaviours, beliefs, limits and Boards are often at a stage of • understand the extent of an ethical boundaries ‘awareness’ of cyber issues and are organisation’s interconnectedness. • help to solve ‘big’ questions of ‘updated at’ but need to move at least to structure, strategy, pace, disclosure, a stage of ‘understanding’ where an People matter ethics. appropriate risk appetite has been • build and maintain a secure culture developed with management so that people behave appropriately The Board needs to be supported in this information that supports this. in the ‘moments that matter' by the top executive team – not the IT • identify key individuals who could people – who can assess whether a step A discussion then ensued around what have a disproportionate impact on change is needed and drive pace, energy NEDs could do in practice to manage the organisation if they acted and culture. Executive management cyber risk. It was suggested that there maliciously. should: were six areas in particular where NEDs need to be confident that an enterprise Fix the basics • deliver a mitigation programme to is on top of this: close any gaps – at the right pace • ensure that an organisation’s IT systems are well built and operated. • define policies and operate controls Priorities in line with the Board’s risk appetite • ensure that the right priorities have It’s not if but when • appoint senior leaders (not just IT) been set to protect what matters and • ensure that an intelligence-led, rapid with accountability and influence in light of the threat intelligence cyber response plan is in place as • sustain insight and capacity across • look at the strategy, organisation, part of its crisis management IT, Commercial and throughout line governance and enterprise security strategy. business architecture • develop an appropriate culture in • ensure that strategic decisions line with the Board’s risk appetite. consider digital risk appropriately.

22 | Board discussions March 2017 The second half of the workshop Conclusion Beyond the basics, Boards should explored a recent cyber attack which has The workshop concluded with some discuss questions such as the following: damaged the operational and strategic questions it was agreed Boards might • What can we actually control? How performance of a major business. Those want to consider around cyber defence do we prioritise/segment? present discussed, admittedly with the split into the following areas: value of hindsight, what questions the • How much variation/innovation/ NEDs could have asked to fully • Do we have the right skills? flexibility do our people need and understand their exposure and risk. • Do we have the right fact base? what does this do to our risk profile? • Are we making active, well-founded • Should we proceed at a slower pace The conversation covered: choices from the top? to keep risk under control, especially • how difficult it can be to foresee • Do we measure and improve? re digital innovation in an ‘agile’ some of the risks involved in large business methodology? technology investments which are In terms of breach response, Boards • How can we control the risks our often seen by the Board primarily in should consider: suppliers expose us to? terms of business opportunity • Is there a practised plan for breach • Can we afford to keep up with our • Boards sometimes lack the language response that operates at ‘social customers and manage risk? and skills to dig deeper media’ speed? • What personal data should we • in this particular company, NEDs, • Is the organisation willing to share retain? – ethics vs business value and especially members of the Audit intelligence with others? • Do we trust our staff? How do we Committee, were under the spotlight balance control/monitoring with for the way in which they may have personal privacy/freedom when lines failed to foresee and mitigate digital are blurred between home and risks. work? The discussion also addressed a second 29% Each company will need to steer its own company which unwittingly provided course taking well-reasoned risk choices the pathway through which the attack of companies do not think there and executing them well. was conducted and discussed what is a senior executive who NEDs on this Board should have done to proactively communicates the establish a stronger, safer digital importance of information environment. It is vital for Boards today security to consider any exposure via their extended enterprise of partners, suppliers, contractors, etc.

Board discussions March 2017 | 23 Cyber security – stage 2

No business is immune to cyber threats and the issue of cyber security PwC/third party experts: is firmly on the Board agenda. Richard Horne [email protected] For those NEDs who had covered the basics on the cyber security stage 1 workshop and begun to work through cyber issues with their Boards, Kris McConkey this session was an opportunity to explore in more detail some of the [email protected] key challenges at Board level via four important areas: Dr Stephen Page • developing a business perspective NED and senior adviser to PwC [email protected] • assessing current state • improvement recipes • handling incidents and crisis.

This workshop began with NEDs • Determining risk appetite – setting Developing a business discussing the impact of technology, and the boundaries to frame executive perspective therefore cyber security, on every aspect management’s work to close the It is vital for the Board to first assess of our lives from national defence and gaps. what the company is and does and then infrastructure to retail and health. It • An assurance role – looking at the to determine how cyber affects the was agreed that Boards need to engage measurement systems and assessing sector. Characteristics to consider in with this topic quickly and the strength and independence of determining which aspects of the comprehensively. assurance as well as proof of crisis business yield high cyber security risk There was a look at the National Crime readiness. include: Agency’s cyber crime ecosystem which The important role of Boards in ‘setting • Economic sector – risks vary between shows, rather alarmingly, the extent to the tone’ was discussed, including some sectors with some intrinsically which criminals have organised of the choices where they need to guide higher risk than others. themselves into a sophisticated management such as: • Geography – defence mechanisms marketplace – a comprehensive may not be fit for purpose ecosystem with ready access to assets, • speed to market versus risk control. everywhere. tools and techniques for cyber attack. • data analytics versus ethics and • Business change – often not There was also a recap of the latest disclosure appropriately taken account of in common cyber security issues, the • sharing of information versus management information. Board’s role in setting direction and segmenting the business assuring outcomes as well as the six • everything in house versus alliances • Business operations – e.g. industrial/ confidences framework covering areas • trusting employees versus supply chain. where Boards can seek to manage the surveillance. • Ethics and culture – e.g. how much risk – refer to the cyber security stage 1 customer data is held, particularly workshop on pages 21 to 23. The workshop then moved into detailed pertinent with today’s desire for a debate around four key areas where ‘single customer view’. Boards need to take a thoughtful, NEDs can focus to get under the skin of • Risk appetite – derived after taking holistic view of what’s important to their cyber security risk. In each area, in account of all of the above. business. This is a hard debate to have, addition to discussing the issues, useful often due to a lack of skills and time, frameworks were provided as well as Consideration of these special and the preponderance of technological case studies of approaches that have characteristics help Boards to make terminology. It will also vary from one been seen to work. choices and set a vision/strategy for industry sector to the next. However, cyber risk. the Board has two fundamental roles around executive management’s risk control processes and mitigation plans: 90% of CEOs are changing how they use technology to deliver on wider stakeholder expectations

24 | Board discussions March 2017 A framework was presented to help with Assessing current state this consideration by mapping attacks The workshop moved on to discuss how 68% from low, through to medium, then high Boards can get beyond narrow and finally advanced levels of presentations from IT and delve into the of CEOs back the power of data sophistication and split between real state of cyber readiness as a and analytics in understanding external and internal threats. For business issue. Cyber security can be a what the customer wants external threats, from low to advanced root cause for many other types of risk, sophistication, these ranged from: such as fraud, reputation, business continuity, etc.. The scope of cyber Bearing in mind that it would be • opportunistic or non-targeted attack activities pervades all areas and prohibitively expensive to protect • targeted, remote attack therefore Boards need to probe across: everything fully, Boards also need to • targeted attack with internal consider what matters most which is not assistance • Strategy, governance and risk – are always an easy exercise but is invaluable • unconstrained attack. there people with the right skills, in the long run. A collective view is experience and capabilities, that are needed as different functions will value For internal threats, the spectrum was: ‘future proofed’? different data. • unknowing insider (human error) • People and culture – is there training Boards need to ask what types of data • malicious insider acting within and awareness with focus on key they hold, such as: authorisation roles from a risk perspective? • malicious insider acting outside • Threat, intelligence and capabilities • personally identifiable information authorisation – including how risks are changing • financial information • advanced and expert insider. as new technologies are adopted • supply chain information • Information discovery and Rogue employees can be difficult to • pricing/commercial information management – what is critical and identify so systems need to be • mergers and acquisition information how well protected is it? constructed so that any one individual • Connections – which partners does • Board papers/strategic intentions cannot do too much damage. It was the business share with and are they noted that the CPNI has issued a paper ...and what is the purpose of properly protecting the information? protecting it: addressing managing the employee threat. • Testing and crisis management • regulatory – how well would the company • stakeholder interest Questions that the Board (or a respond to an incident? • sensitivity subsidiary committee) can ask in this • Business processes – are these area include: • evidence appropriate and resilient? • reputation • What data do we capture, create or Answering each of the above questions • share price handle and what are our obligations may require significant work led by the • trust to protect it? CEO/CFO. NEDs need to ensure there • availability. • What is our appetite for risk and are measurement systems in place to against what type of adversaries? ensure the executives are dealing with There was some concern among the • What may impact reputational risk? this appropriately and a Board sub- NEDs that it might be difficult to defend • How do we apply priorities? What committee may need to be set up to a position of not protecting everything have we decided not to protect? monitor this at least initially. but Boards often need to make such • How do we set the tone? What Connections with third parties need to choices. The ‘crown jewels’ need to be questions should we address? be considered as today’s extended identified along with where they are and enterprise increases risk. who can access them. • By when should risks be reduced? What sense of urgency is required? There was a discussion around Boards should also reflect on the types Developing a business perspective in the penetration testing and the fact that this of attacks from which they need to has changed. Traditional penetration protect the business. ways suggested above can lead to a more meaningful risk appetite. testing assesses vulnerabilities and poor configuration within IT systems.

Board discussions March 2017 | 25 However, as the tools, tactics and Questions the Board may wish to This sends a message that cyber is procedures of attackers have become consider when assessing the current important to the Board. more sophisticated, their attacks now state include: Questions the Board can ask in this area tend to focus on the end user. A new • Do we have adequate breadth (e.g. include: approach to penetration testing is people, technology, engineering, therefore needed that is intelligence led, • Are we seeing the sorts of actions we business process, commercial, value driven and has a strategic focus. should expect from management? legal)? NEDs should not take false comfort from • How do we know whether these are • How can we confirm that our policies penetration testing which is too narrow sufficiently complete? reflect our risk appetite? or too technical. Simulating the most • Are the actions progressing fast • How can we confirm whether our likely attack and seeing how the enough? responses cope can be good practice. policies are being implemented thoroughly? • How do we know where we are on Sharing of threats is also valuable and the journey? likely to become more developed going • Have we covered the basics forward. sufficiently to preserve our Handling incidents and crises reputation? NEDs should seek strong metrics which The final section of the session began • To what extent does a lack of demonstrate the strength of cyber with a look at a case study showing a incidents indicate that we are resilience, not just the volume of attack typical financial services breach secure? attempts. Examples include: response. The incident involved 500 Improvement recipes compromised machines, 35Tb of log • % of systems accredited to security data, 1,300 formats and 600 billion standards Risk mitigation covers a broad scope of activities in terms of the business events requiring analysis. The attack • % of desktops at target patch level environment, the security environment was 10 months work which ultimately • % of encrypted laptops and control frameworks. The PwC cyber yielded $8m for the fraudsters. As a • number of unrecognised assets on capability framework was discussed to result, to get the full picture of what had local area network indicate how companies can identify, happened took considerable time. The • % of supplier contracts with clauses protect, detect and respond. If legacy information a company initially has on for information protection systems make good protection too discovering a breach will be very limited • % of staff with critical access with time-consuming/costly, there may be a and there is therefore a need to take up-to-date vetting need to over-invest in detection. care with any messages that are • number of days between employee However, this is not just about buying communicated to avoid early false role change and systems privilege tools but about building a capability that conclusions. change can then invest in the most appropriate There was a brief consideration of the • average time from incident detection tools. different types of crises – classic, rapid to escalation/resolution. A few of the most common risk- onset events, hidden crises, operational disruption, strategic disruption. Major Boards can ask to see where the reduction activities were considered – classic crises (e.g. fire, flood) are exceptions are and how they are getting asset control, legal policy, employee generally easy to detect but with IT it fixed. NEDs recognised that asking for access, digital user authentication, cyber may not be obvious that a crisis is some of these measurements will expose incident detection and industrial control developing until a significant impact is helpful gaps in how well risk is systems – the message being that this experienced, although often there are controlled. should not all end up with the CIO but ownership should be spread right across warning signs along the way. the organisation. There was some NEDs should agree in what debate regarding how much the CEO circumstances management need to can be relied on to assess this on behalf bring the Board in to help shape the of the Board and when there may be response to a crisis. They should also a need to go direct to individuals. The bear in mind that incident handling individual responsible for the supply requires capabilities to both detect chain should have a view on cyber risk and respond. just as much as the individual who is monitoring fraud risk.

26 | Board discussions March 2017 This is an area that lends itself to Conclusion In order to move from an awareness scenario planning. Playbooks should While NEDs can make great use of of cyber security to an understanding, be developed for a cyber security existing skills, such as probing gaps in NEDs should seek to ensure that breach, taking into account that at the controls and seeking evidence of there is: point at which the company becomes management’s measurement system, • a risk appetite based on a Board grip aware of a breach, there are likely to be for many businesses it may be time to of what data is held, why, for how many unknowns in terms of what has address any shortfall in digital skills long and accessed by whom happened and what has been impacted. around the Board table. Most Boards • enterprise MI which shows actual Questions the Board can usefully ask need at least one NED who is fluent in risk profile and compliance digital issues which should span both around handling incidents and crises • Internal Audit meaningfully innovation and cyber risk, and both new are: assessing the above and old technologies, in order to lead a • How are investments prioritised business in the digital age. Some Boards • a fact base about how cyber risk is between prevention, preparation, would also benefit from a specialist shared with suppliers and business response and recovery? Board committee (e.g. information risk partners • Has the Board recently practiced its or digital) but this cannot substitute for • agreed policies compliant with data response to a cyber crisis? an adequate understanding and protection law • Who has authority (training, overview by Board members. • a practised crisis plan with MI which decision-making remit) to respond shows time from event to detect to in less than an hour? act • How robustly are minor incidents • a CEO and Chairman who are handled? Are we signalling the confident to address shareholder Board’s risk appetite and values to 223 questions. employees and suppliers? The concluding questions at the end • If we discover a long-term days = typical time between cyber of the cyber security stage 1 workshop penetration, can we determine what breach and impact were revisited as a good starting point data has been accessed, changed or for NEDs – refer to page 23. exfiltrated? • Is the action plan for emergency management thorough, well- rehearsed and effective (including with no IT)? It was noted that regulations in Europe are changing such that the regulator will need to be notified of any breach.

Board discussions March 2017 | 27 Responding to investor activism

Investor activism is on the rise. Volatile equity markets are providing PwC experts: activist investors with opportunities to build stakes in undervalued Nick Rea public companies. We are used to seeing activist activity in the US but [email protected] activist investor approaches are now becoming more common in the Abhi Shah UK and their campaigns are increasingly public. Boards therefore [email protected] need to be prepared. Ralph Dodd Companies can be hesitant to react but being on the back foot often [email protected] makes it harder for the company to respond effectively to shareholders further down the line. The workshop provided an opportunity to consider what characteristics an activist looks for in a potential target and how Boards can respond.

Context Activism is expected to continue based The workshop began with a look at some on an established trend in the US where of the major players in UK activism – it is much more prevalent, partly due to: 2 Cevian Capital, Crystal Amber, Elliott, • weaker Board governance in the US Harris Associates, Sherborne Investors • less communication with activist events per week in UK in and ValueAct Capital. It was noted that shareholders 2016 these often seek out campaign allies • proxies having more power from major UK institutional shareholders. The activist investors are • greater visibility of shareholders 80% of activist approaches in the UK in prepared to do considerable research on the register 2015 were in the mid, small cap and which they then take to the institutional • a degree of short termism. micro sectors, possibly because the potential opportunities are larger, the investors to support their case. Activists commonly seek Board seats companies themselves have fewer Institutional investors are more in order to drive through their agenda. resources and the activists can acquire frequently taking note and investing in Actions have become more a larger stake with their funds. Often activists or setting up funds. Some fundamentally about the Board/its there is an uplift in the share price on activists therefore already have funding strategy/changing its structure than initial involvement. However, whether or raise it while others are making the tinkering with financial or operational the benefit is sustained over the long most of the liquidity in the market, areas. Often activists come in and take term once the activist has left is more leading to increasing capital at their an executive position or have a name mixed. disposal. in mind and it is not uncommon for the All this adds up to more UK companies existing CEO or Chairman to depart. There was some discussion around whether Boards had become too focused having had some experience with Activists have been targeting companies on compliance and not enough on investor activism, ranging from minor in every sector, including major strategy and performance. However, agitation through to a hostile bid. household names such as Rolls-Royce, whilst this might be one reason for the Activism in the UK has been a growing Electra, BP, Royal Mail, Reckitt rise in activism, it is also possible that phenomenon, ever since the shareholder Benckiser, AstraZeneca and Alliance Boards aren’t communicating their spring executive remuneration cases in Trust but will go after companies of all strategy well enough to shareholders, 2012, with two activist events estimated sizes where they perceive there is value including the timeframe for to have occurred every week in 2016. to be had. Activism is therefore sector achievement, in order for the company This is likely to have been driven by low and size agnostic. interest rates and uncertainty with to be given the chance to deliver on the investors looking for higher returns. strategy.

28 | Board discussions March 2017 Each campaign is different but typically Tips for preparing and activists use a series of common tactics responding to activist investors that companies often significantly A Board should prepare for an activist underestimate: >1,000 approach as they will be under pressure • research potential targets activist events expected in the US once it happens. The activists will have a • acquire stake and build in 2016 game plan and the first meeting is very • engage Board and demand change important. They may give the impression that it is just a casual chat • full campaign (public or private) Characteristics of potential but it is best to over-prepare. The Board • AGM/meeting, Board seat and targets should also be prepared to read between strategic review. The workshop then considered 10 the lines, as the activists may hint at As a result of their extensive research, characteristics of potential targets as their plans, and should demonstrate that activists often have more detailed follows: they are taking any concerns seriously. Activists often publish their research on analysis than is available in internal • shareholder value record can be the internet and this can provide helpful papers. Strategy is often not fully challenged (existence of a insights. Boards can be better prepared developed at a company – Boards and ‘management discount’?) executives may be preoccupied with by: • concentrated ownership (top three operational aspects and approach it with shareholders own c20%?) • having a clear view on their an operational lens rather than from a • announced merger or acquisition valuation (and communicating value perspective. (‘strategic acquisition’?) it better to shareholders) Activists are often prepared to make • management’s track record can be • being prepared to defend against public statements about what they aim criticised (‘corporate myths’ recently the company’s vulnerabilities by to achieve as they are not held to exposed?) understanding where they are and account in the same way as corporate • inefficient balance sheet (current what the strategy is to change them directors, at least prior to having a seat WACC/gearing unjustified?) • having a team in place to react on the Board. They will try to engage • complex group apparently lacking quickly to an activist investor/hostile the Board first but may go public if they strategic focus (intra-group bid. feel progress is not being made. synergies not exploited?) Final questions a Board can consider in Case studies • scope for portfolio optimisation/ this space include: rationalisation (value erosion in An activist approach can be very • How would an activist investor view non-core assets?) distracting for management. PwC has our group as an opportunity? • intrinsic value not fully recognised developed a unique shareholder risk • What plans do we have to address by the market (unconvincing value diagnostic that evaluates a potential opportunities and standalone strategy?) company’s performance against its vulnerabilities that could be • operational under-performance global peers across a number of markets exploited by activist investors? (underperforming peers?) using operational, structural and • How would we respond if an activist • corporate governance can be governance metrics. The tool highlights contacted us? the extent of a company’s vulnerability criticised (executive remuneration?). to investor activism and the results help If a CEO or Chairman is saying that a to articulate the company’s performance company is undervalued, it is important as understood by the market in order to that the Board understands and can inform its investor communication communicate why there is a difference. strategy. 2/3 This was illustrated by a couple of case campaigns are undertaken studies using information in the public in private domain. In both cases, the activists took a fairly long-term view and eventually managed to secure their desired Board seats to effect change.

Board discussions March 2017 | 29 Crisis management

Getting crisis response right is not something that can be improvised PwC experts: at the time a crisis strikes as the capabilities that underpin any Paul Robertson response take time to build. In today’s social media driven world, [email protected] Boards are being pushed to respond rapidly and strategically to major Claudia Van Den Heuvel crises, even while the organisation is still forming its operational [email protected] response. They therefore need to be able to put a previously considered, and preferably rehearsed, plan swiftly into operation. Getting crisis response wrong goes beyond significant financial pain and affects reputation and relationships. The workshop provided the opportunity to discuss a number of issues relating to crisis management including the link to the Board’s risk appetite, building the right crisis capability, communication with internal and external stakeholders and testing response plans.

The workshop began with a look at why It should also be borne in mind that When thinking about these various crisis management is important. There crises can give rise to opportunity. An potential crises, Boards need to assess is considerable evidence from a variety example was the recall of Tylenol after it them against their risk appetite. It can of sources that illustrates that the scale had been tampered with on the shelves be possible to develop metrics to and frequency of crises are growing and of retailers. Rather than dismissing the indicate when vulnerabilities are will continue to have a big impact. issue as a retail problem, the company developing – for example, having more Examples include, but are not limited to: took back all the product and then than 14 expatriates working in a danger introduced new tamper proof zone if the private jet only takes 14. • cyber breaches packaging. This ultimately led to them It was noted that, when dealing with • natural disaster losses gaining market share. Another crises as opposed to ongoing risk • product recall fines opportunity that sometimes comes from management, likelihood is of less • regulatory breaches a crisis is the ability to implement interest. A remote event has the • terrorism. organisational and cultural changes potential to be a crisis if it could bring more easily. Definition of what constitutes a crisis down a company. Ensuring that the is difficult because it will depend on Types of crises reporting of bad news is enabled within individual circumstances. However, a an organisation is important so that A graph was used to illustrate different good starting point would be something matters are identified at an early stage types of crises. non-routine that requires significant and escalated appropriately. involvement of the senior management • Classic rapid onset event, e.g. A further graph illustrated that the team. A crisis is not just a big incident fire, flood – most plans tend to be premium for companies that recover that may be part of doing business, designed around this and are very well from a crisis over those that do not although it was noted that a major operationally focused. is around 22%. incident can become a crisis because • Hidden crises – these tend to of the impact of social media. The already be very serious by the time ongoing implications can be substantial they come to light which makes the in terms of relationships and time to respond even shorter. recruitment, particularly among • Operational disruption – this millennials who may be more attuned can often bubble along at a low level 66% to ‘social capital’. Equally, an before something happens to make of CEOs believe their business organisation that has accrued social the issue develop into a crisis. capital tends to be given more leeway faces more threats today than • Strategic disruption – this can when a crisis strikes. 3 years ago arise where the business model is flawed and should be challenged.

30 | Board discussions March 2017 Views from CEOs As business today generally operates A pulse survey on crisis management through an extended enterprise with recently undertaken with 164 global outsourced business models and a >US$ variety of partners, it is vital that CEOs from firms of a range of sizes found that: relationships have been developed with any third parties in the supply chain/ • 65% of CEOs had experienced at 375bn customer base before a crisis strikes. least one crisis in the last three years. This will ensure that there is an • In 91% of those cases, the CEOs felt it economic losses from cyber crime appropriate contact who will help with was up to them to lead the response. in 2014 the response. • 64% of those CEOs had experienced Crisis management standards more than two crises and 20% had The lack of planning is concerning, experienced more than four. particularly when social media limits The contents of the recently-developed • 40% of those CEOs expect at least the time there is to come up with a British and European standards (BS one crisis in the next three years. considered response. Preparation is 11200 and CEN TS 17091) were therefore vital. An engagement response discussed. These both suggest that crisis Despite feeling they were expected management is at least 50% to lead the crisis response: based on stakeholder mapping is required and this needs strength in preparatory. The proposed Crisis • 57% of the CEOs consider their depth across a range of domains, e.g. Management Framework splits the business to be vulnerable because legal, operational, communications. activities between preparation – of out of date plans. anticipate, assess and prepare – and • 65% feel vulnerable about their Crisis management should not be driven response which includes respond and ability to gather accurate by the public relations team, even recover. Supporting both of these areas information quickly in a crisis. though communication is an important is a ‘learn and review’ process from: element. Stakeholders will want to hear • 55% feel vulnerable about from the senior management of the • actual crises experienced communicating with external company and so having media training • others’ crises stakeholders in a crisis. in advance can be a useful element • near misses. • 47% feel that an unclear definition of preparation. of what constitutes a crisis will lead The British standard is more advisory to a poorly handled response. A crisis response will not be linear but and a measure of professionalism in this • 38% feel vulnerable over a lack will 'ebb and flow' in different areas at area whilst the European standard is of clarity as to the responsibilities different times. Equally, a Business moving towards developing a more of the management team. Continuity Plan is not the same as a ‘testable’ process with indicative crisis management plan even though elements that would be expected to be While being in charge and concerned many companies often think it is since in place. Neither have been tested in a about their plans and ability to respond: these generally focus on operational court of law but NEDs should be aware • 21% plan on starting a programme disruption, often due to an insurable of the standards as their company’s to address this in the next risk. response to a crisis may be viewed with these in mind. 12 months. NEDs should be part of the crisis • 25% have not started a programme management plan as an additional or have decided to accept the risks capability for the executive team to instead. draw on. They can also take the role • 30% have plans in which the CEOs of the ‘strategic thinker’, looking ahead have confidence. to other possible repercussions whilst the executive team are having to focus on the immediate issues. Simply asking the executive team how they can help may make the NEDs more accessible.

Board discussions March 2017 | 31 The attributes of a crisis- Individuals should also be aware of the • Do teams and team members work prepared organisation tendency to be biased towards more well together to coordinate a There are some key attributes of recent information which can make business-wide response and a crisis-prepared organisation: teams react to the latest thing that has communicate in a controlled manner happened rather than following a internally and externally? • Existing and emerging risks are predetermined plan. There will also be Crisis exercising programme proactively identified, mitigated a tendency for people to deal with the and monitored. areas they personally feel comfortable • Has a programme been implemented • Crisis tools and technologies are with when there is sometimes a need to assess and continually improve in place and understood. to rise above this and see the bigger the effectiveness of plans and • Leadership promotes an picture. A key question to keep in mind procedures for incident response and organisational culture that is “Have we made decisions that are true crisis management? empowers action and quick decision to our values?”. • Are training exercises designed to making during a crisis. build the capabilities and confidence • Leadership encourages continuous Indicators for NEDs of a mature within the teams required to respond improvement of its crisis capabilities. crisis capability to real incidents? • Leaders and crisis responders are A selection of indicators NEDs can look • Are exercises designed to simulate a ‘battle-tested’, trained and exercised. for to assess the maturity of an realistic response and enable responders to ‘learn by doing’ by • In-house crisis capabilities, organisation’s crisis capability was actively making consequence-based vulnerabilities and gaps are discussed in four key areas: decisions? understood and addressed. Incident response framework • Roles and responsibilities exist and Final overarching questions for NEDs to • Are values and principles clearly are understood. ask include: defined and communicated which • There are clearly defined response guide the business-wide response to • How would the business identify a priorities. an incident? potential crisis and who would take Increasing maturity in crisis exercising • Have response teams, levels and charge? programmes is important. For example, members been clearly defined? • Is that documented, validated and a more mature crisis scenario exercise • Do people understand the assured? might be run alongside the day job as touchpoints between all response • How are investments between this is what would happen in reality. teams? prevention, preparation, response There also needs to be some ‘exposure’ and recovery prioritised? Tactical and strategic policies, training, e.g. knowing what systems do • Does a preparatory function exist in advance in case there is a need to turn plans and procedures and what is their role? something off in the event of a cyber • Are there updated plans in place to • What would happen if the breach. support the tactical and strategic organisation suffered a major crisis level response to an incident or Clear responsibility should be set tomorrow? How would they crisis? regarding when there is a need to respond? • Do the plans set out an operating escalate matters. There are often some • What are the expectations of the rhythm that defines how the right clear ‘black or white’ cases but there is Board and their role? people will be brought together to a need to manage the ‘grey’, where respond across the business? judgement calls will be required. It should be possible to establish • Do the plans define how teams a delegated authority framework, should assess the impacts and as often exists for financial aspects. implications, make decisions, US$ coordinate and manage all There was a discussion around the stakeholders during a response? psychological impacts of a crisis. Under stress, an individual’s ability to think Competencies 194bn • Are existing and emerging risks wider narrows and people also tend to insured and uninsured losses proactively identified, mitigated and become more risk averse. They may from natural catastrophes request more information before making monitored? (10 year average to 2014) decisions and delay taking action. • Are responders well versed in Individuals therefore need to be managing uncertain information to empowered to make decisions in line create situational awareness and with the organisation’s values based on understand short and long term information available at the time. business impacts of a crisis? • Does leadership empower action and promote quick decision making during a crisis?

32 | Board discussions March 2017 Executive remuneration

Executive remuneration remains an area in the media spotlight. A PwC experts: number of perceived issues have been identified by the public, media, Marcus Peaker politicians and shareholders and there have been several recent [email protected] corporate governance publications and Government consultations Fiona Camenzuli seeking to address these. At the same time, there is the increasing [email protected] influence of proxy investors to consider. Einar Lindh All of this is happening at a time when many Remuneration [email protected] Committees will be seeking approval for an updated remuneration policy as these were set for three years in 2014 under the new remuneration regulations at the time. The workshop provided an opportunity to reflect on the many developments in the area of executive remuneration and the potential implications for Remuneration Committees in 2017 and beyond.

The workshop began with a look at There is real political impetus to Governance developments in current public perception of executive respond to the public perception of lack executive remuneration pay. Findings from a 2015 British Social of fairness, although PwC’s view is that There have been a number of corporate Attitudes Survey across all income more regulation and policy is not governance developments since summer groups included: necessarily going to help. Following the 2016 including: financial crisis, there has been a great • 59% believe there is one law for the deal of attention on this area with many • The Executive Remuneration rich and another for the poor. focusing on the gap between CEO pay Working Group on pay simplification • 60% think ordinary people do not and that of the average worker. This has (July 2016). get their fair share of the nation’s widened partly because of the • Updated GC100 Guidance on wealth. increasing scale and complexity of Remuneration Reporting (August • 53% feel big business benefits business and there may not be a full 2016). owners at the expense of employees. understanding of today’s CEO role. In • High Pay Centre/Chris Philip – A number of issues have been identified a recent PwC survey, the public had a Restoring responsible ownership by the public, media, politicians and reasonably accurate idea of what CEOs (September 2016). shareholders specifically in relation to are paid but felt they should get • Updated LGIM Principles of executive pay: considerably less than this. European Executive Remuneration (September countries are less fixated on this issue, 2016). • Executive pay encourages short-term although there is increasing interest behaviour to the detriment of the • BIS Select Committee Enquiry from the public and government, but it (response deadline October 2016). British economy. has been a cause for concern in the US • Investment Association Principles of • Executive pay is disconnected from for some time. the pay of ordinary people and is Remuneration (October 2016). threatening social cohesion. • Hermes Remuneration Principles – • Current rules do not give Clarifying Expectations (November shareholders adequate control over 2016). executive pay practices. 59% The BIS Select Committee had questions • Shareholders are not adequately on executive pay, directors’ duties and engaged in the stewardship of the public think there is one the composition of boardrooms. Five of companies. law for the rich and another for specific questions were asked in relation the poor to executive pay: • What factors have influenced the steep rise in executive pay over the past 30 years relative to salaries of more junior employees?

Board discussions March 2017 | 33 • How should executive pay take Do shareholders need stronger account of companies’ long-term powers to improve their ability performance? to hold companies to account on 53% • Should executive pay reflect the executive pay and performance? value added by executives to The current system of binding and feel big business benefits owners companies relative to more junior advisory votes already gives at the expense of employees employees? If so, how? shareholders the powers they need • What evidence is there that in most cases. Any reform should be Do steps need to be taken to executive pay is too high? How, focussed on the small number of cases improve the effectiveness of if at all, should Government seek to where companies either lose a vote or Remuneration Committees and influence or control executive pay? achieve consistently low levels of their advisers, in particular to • Do recent high-profile shareholder shareholder support. A targeted encourage them to engage more actions demonstrate that the current approach based on the escalation model effectively with shareholder and framework for controlling executive which would affect only those pay is bedding in effectively? Should companies that had consistently employee views before shareholders have a greater role? received a low level of shareholder developing pay policies? support would be the most practical The existing model of shareholder PwC’s view on the current framework approach. engagement works well but the extent is that an advisory vote is better than to which employee views are heard a binding one. However, one proposal Additionally, most investors have remains a weakness. The use could be that if a company gets a vote indicated that they would not use a of some form of Fair Pay Charter would of less than 75% two years in a row, binding vote on executive pay. be a practical way for companies to do then it has to have a binding vote on more in this area. executive pay. Does more need to be done to encourage institutional and A Remuneration Committee chair More recently BEIS published a Green retail investors to make full use should have an appropriate level of Paper on 29 November 2016 with a of their existing and any new experience but we do not consider it a White Paper due before summer 2017 voting powers on pay? necessary requirement for a chair and any regulatory change expected to to have previously served on the take effect during 2018. As noted above, There could be benefits in mandating Remuneration Committee of a specific PwC’s view is that more regulation is not the disclosure of fund managers’ voting company before chairing the Committee necessarily going to help and indeed records. It is difficult to see how any of that company, as has been suggested. previous regulation may have been part shareholder committee model could operate successfully given the nature of the problem with increased Should a new pay ratio reporting of the UK capital market where a disclosures having a ratcheting effect requirement be introduced? by encouraging companies to pay the number of large shareholders While publishing pay ratios might be median. predominate, the increasing number of overseas investors in UK companies the right decision for some companies, However, change is definitely coming as and the unitary Board structure in the there is a danger that it could lead to political will supports this. The BEIS UK which the Government has been misleading and unhelpful comparisons consultation focuses on three key areas clear is a successful model it has no across companies. For example, – executive pay, worker representation desire to change. comparing pay ratios between a and private companies (the latter more hospitality company and a bank will from an overall governance The BEIS Green Paper does not address offer little actionable data and is perspective). The six key questions on the role of proxy agencies which is an unlikely to lead to any real change. executive pay were discussed along with important issue as a vote against by ISS A more meaningful approach would be PwC’s initial views: in the recent AGM season cost 35-40% the publication of some form of Fair Pay of the vote since much of the tail of the Charter or narrative where companies register will follow their explain the principles of pay in the recommendation. Given their power, organisation and how these link to it may be appropriate for ISS to start decisions on executive pay. indicating which way they will vote so that companies know what they are dealing with.

34 | Board discussions March 2017 Should the existing, qualified Key themes arising Strategic alignment and requirements to disclose the From all the recent reports and flexibility performance targets that trigger developments in executive pay, there This area links to the complexity of CEO annual bonus payments be are four key themes emerging: pay and pay for performance. If pay is strengthened? genuinely aligned to strategy, the In our view, investor pressure has been Transparency current ‘one size fits all’ approach is effective in changing behaviour in Here the aim is to improve the quality unlikely to be appropriate. Currently respect of performance target disclosure of remuneration reporting and use it as only 10% of the FTSE 350 have non- and the majority of companies now an opportunity to build trust amongst standard arrangements, with the provide a good level of information. shareholders, employees and other standard being base pay plus an LTIP stakeholders. In the various guidelines with a three year vesting period and How can long-term incentive and recommendations issued, this is often a two year holding period post plans be better aligned with the being addressed via: vesting. Shareholders should trust long-term interests of quoted Remuneration Committees to go outside • Greater expectation of retrospective of normal pay structures. Suggestions in companies and shareholders? target disclosure. It is crucial that incentives are designed the reports on how to address strategic • Maximum salary must be stated in alignment and flexibility include: to support long term behaviour and monetary terms or otherwise. sustained business performance. The • Benchmarking peer groups should • More flexibility to choose a best way to ensure this is to design plans be consistent and fully disclosed. remuneration structure appropriate (which would ideally be simpler) so that • Shareholders expect Remuneration for the company’s strategy. executives become significant Committees to take a balanced view • Endorsing the use of restricted stock shareholders for the long term. on the use of discretion. with the right safeguards. However, clearly there is more than • Executives should have meaningful one way to achieve this, and any policy The aim is more communication equity holdings while employed and developments should encourage the of context and not just compliance. thereafter. adoption and use of principles rather The remuneration report should provide • Simpler package designs whilst than prescribe any particular models. insight into how pay outcomes have ensuring pay delivered reflects the been reached and how these relate to There is a suggestion that performance change in long term value of the the rest of the workforce. Looking to the vesting periods might move from three company. future, the report may become a two to five years but setting targets for three part document with communications • Increased shareholding years is already challenging and such a in the front end and a compliance requirements/clearer expectations move may make executives focus more appendix. The aim should be to explain of shareholding requirements. on salary plus bonus and discount the context for pay decisions in the long-term incentives more than they Looking ahead, high and long-term Remuneration Committee Chairman’s do already. A lock-in post vesting may shareholding with phased release statement. It may also be appropriate be more workable, although average coupled with lower emphasis on to more fully reflect the link to strategy CEO tenures are not lengthy. performance vesting, ie increased use here as there is no guarantee that a of restricted stock, probably with an What is clear in all of the above is that stakeholder will read the whole of the underpin, could become the new model. the Government does not want to be annual report and accounts. The example of two FTSE 100 mandating quantum. companies that had both introduced restricted stock plans, one where the resolution failed and the other where it was passed – in part because there was an underpin – was discussed.

Board discussions March 2017 | 35 The right structure is more important Similarly, different potential approaches Looking forward to 2017 and than quantum and long-term exist to employee representation: 2018 AGMs shareholdings do have a positive impact • employees on Boards/Remuneration The final messages for Remuneration on behaviour. However, a different Committees Committees in order to build trust in a ‘same answer’ may not be better than changing environment are: the existing ‘same answer’ as a • Shareholder Committees (e.g. the company’s pay structure needs to reflect Swedish model) • Transparency – Remuneration its strategy and should therefore be • block-holder encouragement Committees need to be tougher on specific to the company. • stewardship obligations or levy. targets and assessments. Fairness • Strategic alignment and flexibility Stakeholder engagement – shareholders need to encourage the This relates to the perception of the Suggestions in the area of shareholder development of new pay models. excessive quantum of executive pay and stewardship and control include: • Stakeholder engagement – the differential between executive and shareholders should come together • Focus on strategic rationale for all-employee pay. Suggestions for to exercise their existing rights remuneration structures and involve addressing this include: decisively. both investment and governance • Introduction of mandatory perspectives. • Fairness – companies should set out publication of CEO to median worker their approach to fairness in a fair • NEDs to serve on the Remuneration pay ratios. pay charter. Committee for at least a year before • Remuneration Committees should becoming Chair. guard against the potential • Shareholder representation. inflationary impact of market data. • Employee representation on a • Annual bonus level should be Shareholder Committee. reduced with 200% or more of salary • Annual binding shareholder votes 1/3 only appropriate for the largest on actual pay awards. global companies. less on average is what the public Investors have a responsibility to engage • Publication of total cap on pay. think CEOs should be paid with the companies they are investing To take account of fairness, in 2017 in. Although their views are generally companies could think about: on their websites, the challenge is in their implementation. Sometimes • justifying executive pay, through investors use a pay vote to signify clear disclosure and open dialogue dissatisfaction with something else. with shareholders Communication is key and the • introducing a fair pay charter with remuneration report should be used to principles of pay fairness and tell the whole story. explanation of pay policy There are several possible approaches • disclosing a pay ratio. the UK could adopt to the shareholder Mandatory pay ratios are coming but the binding vote: challenge will be how to make them • on the implementation report meaningful. • on incentive outcomes in the year • the escalation approach, as described above, after two years of poor advisory votes • special measures binding regime.

36 | Board discussions March 2017 Audit Committee update

The Audit Committee Network holds technical workshops three times a PwC experts: year which cover a regulatory briefing, a corporate governance and Mark O'Sullivan reporting update and an accounting development update. [email protected] At the most recent workshops, there was also a look at user access Iain Selfridge management. [email protected] Peter Hogarth [email protected] The first session began with a corporate Being distinctive reporting update. With little regulatory Greater individuality is needed in Dave Walters change the focus was on highlighting corporate reporting. There is a natural [email protected] emerging trends/good practices, inclination at the start of the reporting Jessica Taurae appreciating that what is good now will cycle to dust off the annual report and [email protected] become common practice in two to consider what needs to be added – three years’ time. rather than starting from scratch to John Patterson [email protected] The basis for the discussion was our consider what needs to be reported. annual review of reporting practices in Similarly, an unintended consequence of Iain Robinson the FTSE 350 and the work the the drive to adopt good practices is that [email protected] corporate reporting team do in many reports in the FTSE 350 are starting to look and feel the same with Phillip Paterson shortlisting companies for the ‘Strategic [email protected] Reporting’ and ‘Excellence in Reporting’ high level, often boiler-plate language. awards at the annual Building Public Too often companies present generic Trust Awards. risks that could apply to any organisations or make references to However, only 11% of FTSE 350 Overall companies’ strategic reporting ‘competitive advantages’ or ‘distinctive companies appear to discuss strategy continues to evolve rather than change capabilities’ when discussing their beyond the next 12 months. dramatically. In the last year there has business model without backing them There are two challenges: been an improvement in the quality of up. risk and governance reporting – • firstly, to try and map strategic presenting a more dynamic and The Financial Reporting Council (FRC) priorities to the business model, risks integrated narrative that focuses on how in their year end reminders to CFOs and and KPIs – where there are gaps can risks are changing or what a Board has AC Chairs also picked this up with a these be explained? actually done in the year. This is in part request for disclosures to be specific and • secondly, is the strategy presented due to the introduction of the 2014 relevant to the organisation and its reflective of the one used for Corporate Governance Code and the industry. strategic planning or a simple point requirements for a robust assessment in time? of risk and a viability statement. Looking Being strategic further back there has also been an Despite the improvement noted earlier Being relevant improvement in the quality of strategic in the reporting around strategy, There was a debate around how reporting – how the strategy is company reporting still falls short in reporting needs to adapt and evolve to increasingly used to underpin the how strategy is integrated through the reflect the dependency a company has strategic report and link to other key disclosure and whether a forward- on key stakeholders, their expectations, components such as business model, looking orientation is presented: and the impact – positive and negative risks and KPIs. • Integration – only 40% of the FTSE – on them. This will require companies The rest of the session focused on the 350 align KPIs with their strategy; to explain why these relationships three reporting challenges that are 35% link risks to their strategy and matter, what impact they have on fundamental if corporate reporting is to only 1% align their market data to financial performance, how they are remain relevant for business in the 21st strategy. managed, and ultimately, to report new century. For each challenge the findings • Forward-looking - 98% of FTSE 350 ways of measuring success. from our work were presented companies based their viability PwC’s 2016 Global CEO and Investor supported by good practice examples. period on their strategic/business survey found that 63% of investors and These challenges are: plans with the majority using 3 years 76% of CEOs said business success in the for the period. 21st century will be defined by more than financial profit.

Board discussions March 2017 | 37 Closer to home this trend/challenge can Accounting update Judgements and estimates: IAS 1 be demonstrated by how business requires the disclosure of judgements The next session focussed on recent models have evolved since the and estimates. The CRRT is accounting developments – first with an requirement was introduced three years challenging Boards on the exact nature update on FRC Corporate Reporting ago. of their company’s critical judgements. Review Team (CRRT) activity and an • Over 50% of these disclosures now overview of their priorities. Pensions: more transparency is identify the key resources/ needed in the impact of low interest In the past year, the CRRT looked at the relationships – either owned, or rates on pension scheme liabilities. annual reports of around 200 companies ‘borrowed’. and, as is typical, wrote to about one Tax: the FRC performed a tax • However, only 17% of companies third of them to explore areas of their thematic review in the summer of align their business model and reporting. The FRC has also been 2016. The headlines from that exercise strategic objectives. consulting on CRRT’s operating are: • Only 14% clearly link the business procedures for reviewing company • most companies responded model with their KPIs. reports. positively A shift to a more stakeholder-orientated It is likely that the revised procedures • there was evidence of discussion of model may take time to get the right will result in greater transparency tax matters in their strategic report information and performance metrics regarding which companies have been • reconciliations of effective tax rates but it is a task that needs to be started reviewed and the issues that were were included. sooner rather than later. raised. However: Emerging themes The two thirds of companies whose • less than one third of companies Finally, other areas of focus from the accounts are reviewed but who do not talked clearly about uncertain tax FRC year end reminders letter to CFOs know will, in future, be informed that positions and AC Chairs were considered – in the CRRT did not identify any • there was a lack of clarity around particular, climate change, cyber substantive issues. Revised guidance for policies, judgements and estimates. security and Brexit risks. The discussion Audit Committees, issued in April 2016, focused on how: will require AC Chairs to report on For 2016/2017, the CRRT priority interactions with the CRRT. sectors include: • reference to these risks might lead to excessive clutter and boiler-plate The FRC’s annual Corporate Reporting • extractive companies Review, issued in October 2016, disclosure • companies servicing the extractive identifies the following areas on which • companies should be clear whether industries the CRRT will focus in 2016/17: any of them (or others) are a risk, or • companies serving the public sector not, to avoid undue Strategic report: the remit is to • media. misunderstandings ensure that reports are fair, balanced • ultimately companies should not and understandable. If you are an AC Chair/Board member allow boiler-plate disclosures to of one of these companies, there is an Clear and concise: Audit Committees undermine the quality of discussion/ increased risk that you might be should be identifying disclosures which processes and the confidence of reviewed by the CRRT. Nonetheless, are too detailed and should instead management/Boards they aim to look at all FTSE 350 focus on materiality. companies on a cyclical basis. Accounting policies: the CRRT are looking for companies to be clear on revenue streams, and the specific accounting policies for each. Looking ahead, with IFRSs 9, 15 and 16 coming into force in 2018/2019, the CRRT expects to see an increasing amount of information about what those standards will mean for a company.

38 | Board discussions March 2017 Amendments to IFRSs effective in 2016 The following is a breakdown of IFRS amendments to be aware of:

Standard Nature of amendment

Amendments to IFRS 11 Acquisition of interests

Amendments to IFRS 10 and Consolidation exemption and sale/contribution IAS 28 of an asset

IASs 16 and 41 Bearer plants

IASs 16 and 38 Methods of depreciation

IAS 1 ‘Disclosure initiative’

IFRS 10 and IAS 28 Investment entities

Annual improvements Various

As well as IFRS amendments, we also Prior to the ESMA guidance being covered ESMA guidelines on Alternative applied, PwC conducted a survey and Performance Measures (APMs) which found the following observations from is a focus for the CRRT over the next the FTSE 100: 18 months. The guidelines came into • 95% of companies use an APM. force on 1 July 2016. Issuers must: • 93% showed a reconciliation. • define the chosen APMs clearly • <38% had the reconciliation on the • reconcile back to the nearest GAAP face of the financials. number • <43% had the reconciliation in the • explain the purpose front half. • not display APMs with more • 4% did not present a reconciliation. prominence than GAAP measures • 54% presented it in the notes. • present comparatives • Seven presented reconciliations in • define consistently year on year and other areas. if making changes, explain why. • Some even had separate non-GAAP sections at the end of their report. • Total GAAP profit measure was £119bn and the total APM was £187.1bn giving a net upward adjustment of £68.1bn.

Board discussions March 2017 | 39 Regulatory update The key points arising were: 2) whether the process of approving The following session looked at the non-audit service engagements on a Sectoral competence regulatory changes arising from the EU case-by-case basis needs to change Audit Regulation & Directive (‘ARD’) for The Audit Committees of all EU PIEs because the use of pre-approval is the Audit Committees of EU Public will need, as a whole, to have now much more restricted (which Interest Entities. This was timely as competence in the sector in which the will depend on the extent to which many Audit Committees are currently company operates. Participants debated pre-approval has been used in the updating their terms of reference and how this requirement is being addressed past). in practice, which is a matter for auditor independence policies ahead of NEDs shared their views on appropriate case-by-case judgement. the start of the first year to which the thresholds, which varied significantly changes apply (so from 1 January 2017 Approval and pre-approval of - some related the choice to the quantum for a December year end company). non-audit services of the audit fee, while others did not. The session explained: The use of ‘pre-approval’ (whereby the The key issue in relation to the non-audit • how the ARD has been implemented Audit Committee has set a policy that service approval process was identified in the UK by the FCA, PRA, and FRC individual engagements relating to as the extent to which Committees are • the basic legal requirements for certain services do not need any specific entitled (and choose) to delegate their Audit Committees from the approval because of their nature or the responsibilities to approve services in Directive, which are set out in the size of the fee) has been limited by the advance. FCA Handbook and PRA Rulebook FRC in its ‘Guidance on Audit This is an area that requires some care, • how the FRC has added to the basic Committees’ to those that are deemed particularly in the case of FTSE 350 requirements. by the Committee to be ‘clearly trivial’. companies where delegation is restricted under the CMA Order to the We also looked at how the Competition This has resulted in the attention of Chairman of the Audit Committee & Markets Authority Order (‘the CMA many Committees being focused on two (although the CMA Order does not Order’) on the statutory audit market matters: restrict the use of pre-approval to deals with the same areas, and includes 1) how to define and set a quantitative services that are deemed to be clearly a number of more specific requirements threshold for ‘clearly trivial’ and trivial). NEDs were reminded that all for FTSE 350 companies. services that are not directly part of the statutory audit are non-audit services, The channels that apply to different types of EU PIE. including reviews of interim results – there is no exemption for ‘audit-related uoo iscosur orora oiion and Bans and and ornanc ars uori services’ in this case. It was noted that insurrs ransarnc od and rdr some Committees will now approve (on us uidanc a case-by-case basis) all known specific

nisd non-audit service engagements at the Bans and start of the relevant financial year. insurrs The session ended with a brief andard isd indication of the changes to auditor coan reporting that are being brought about by a combination of the EU ARD, the EU on 350 riu isd Accounting Directive and the IAASB’s coan revision to international auditing standards. For the most part the changes 350 coan are not fundamental for companies that incororad are already used to long-form audit reports. However, the definition of a quoted company used by the IAASB means that companies registered on AIM will now also be the subject of long-form reports from their auditors on a mandatory basis.

40 | Board discussions March 2017 User access management 3. Processes – there are fragmented Looking to the future, continued The last session focussed on user access processes that are different across evolution of technology will play a management. Four common areas of applications, a lack of governance, significant role in the area of user access interest are: and controls not embedded early in management with a challenge posed as the development phase of system to how far advanced company thinking • clarity around who should own the and process changes. is around the impact and effective use. process These include: • how to reduce cost around the However, there are a number of process mitigating activities that fundamentally • Continuous Controls Monitoring come back to ensuring the basics are (CCM) • how to manage user identities across done right and that means end to end the organisation • robotics controls throughout the access lifecycle. • cloud solutions • accessing the different levels of risk These cover: of access management. • risk based control solutions. • Security Settings – passwords to Under the traditional IT model, Some key questions NEDs can ask their applications and security CFO or CIO include: employees used traditional applications configurations are set in an effective on PCs accessed in the office, through manner. • What access risks does the closed corporate networks, with a small • Joiners – access requests to the organisation currently carry and number of internal IT specialists having application are properly reviewed how are they being managed? access to the underlying data and and authorised by management. • Are there any user access projects operating systems. However, due to a • Leavers – terminated application underway and what are the number of factors, including emerging objectives? technologies such as ‘the Cloud’, user rights are removed on a timely • What are the extent, severity and increasing use of third parties with basis. route cause of any access issues? direct access to company networks and • User Access Review – access rights the need to access applications whilst on to applications are periodically • Does the company's IT and the move, the risk landscape has now monitored for appropriateness. information security strategy include evolved. A number of different failures Regular management review is consideration of user access arise, mainly: performed of all accounts and management? related privileges. • Who has sensitive/ privileged levels • former employees not being removed • Privileged Users Monitoring of access and how is it managed? in a timely manner – super-user/administrative • Has an appropriate evaluation been • incomplete identification of users application transactions or activities performed to mitigate the financial subject to review and sensitive generic IDs are reporting risks of any access issues? • privileged access assigned to users monitored. who do not need it (or no longer • Segregation of duties – policies need increased access). are maintained for segregation of These failures mainly derive from three duties and are monitored. different root causes: • Traceability – all users and their activity on IT systems are uniquely 1. Technical complexity – identifiable. companies have a high number of • Logging – an audit trail is systems and different platforms and maintained of technologies, yet there are system limitations and can be a lack of –– direct changes to data technical knowledge. –– access of super-users 2. People – companies see a high –– changes to configuration turnover in staff, a lack of –– sensitive access. accountability between different departments and staff and contractors and third parties not being well monitored.

Board discussions March 2017 | 41 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2017 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

170120-160250-LS-UK