As an enthusiastic member of the Private Directors Association, I read with interest the solicitations of candidates for director positions across the country and in a wide variety of industries. These announcements are often written by search firms anxious to diligently reflect their clients’ concerns and desires, and they sometimes reflect such a strong need to avoid conflict at Board meetings that they may miss a primary reason Boards exist – to protect the organization from making costly mistakes in its business. When organizations search for new director candidates, we often see phrases in the section called Candidate Requirements that look like this:
And, in reality, all those phrases are valid for an effective director. But so are these:
As you can see, the first list of requirements speaks to candidates who will be cooperative Board members, an admittedly important trait, but it doesn’t temper those traits with the kind of toughness that may become necessary when issues arise that management may not be effectively dealing with. This often results in Boards where the majority of directors routinely support the CEO’s view regardless of their belief in its effectiveness. This is where the team player must also remember that loyalty extends to all the stakeholders in the company, and be able to make that transition in a way that moves the Board to resolution without causing chaos at meetings. That is the true meaning of an effective director.
Some months ago, as an Advisory Board member of a mid-sized privately owned company, I raised the issue of cybersecurity protection at a quarterly Board meeting. Actually, I raised the issue at a couple of meetings before it made it to the agenda. After a brief discussion, the president assured everyone that the company was well protected and had no need to consider either an independent assessment or stronger insurance coverage. The decision was accepted by everyone at the meeting, myself included.
Fast forward five months and 29 days, one day before a quarterly meeting, and Board members got an email from the company president announcing that the Board meeting had to be cancelled due to a cybersecurity event the week before, and from which they were still attempting to recover. To date, no serious damage was done to the company’s operations due to effective backup processes, although they had to advise thousands of customers about the potential loss of their personal information and offer free credit monitoring to them, a common and costly aftermath of such events. The issue of better protection is now firmly back on the company’s agenda, hopefully with a different answer this time.
Since this is an Advisory Board and not a fiduciary Board, we could only advise, not require. I think we did that. Perhaps we should have been firmer in our advice. What do you think? As always…
We are Your CFO for Rent.