clearinghouse_bannerNasdaq Governance Clearinghouse
Board Composition Cybersecurity PCAOB Proxy Season Outside Insight Q&A Audit Committee

board composition
Thinking Outside the Audit Committee Box: A Better Way to Manage Risk
Publication Date: May 23, 2017

An ever-increasing reliance on evolving technologies has left corporations vulnerable to cyber-attack and business model disruption. At the same time, enterprise risk management has landed squarely in the sights of institutional investors. As a result, boards must enhance their oversight of risk management.

Audit committee members, who have had responsibility for risk management on many boards, are feeling strained as regulatory demands intersect with that increased responsibility; in a recent survey of nearly 1,500 audit committee members by KPMG, half of those surveyed reported their committees may not have the time or expertise needed to be effective in all areas of responsibility.

Thus, there is a growing awareness that boards may need to evolve, including by altering board committee structures and reallocating workflows. To help us better understand these issues, we asked Betsy Atkins, veteran of 23 boards and 13 IPOs, to share her expertise on providing effective oversight of risk management in the boardroom.

Q: What is a board’s primary role with respect to enterprise risk management?

A: The board’s primary roles related to enterprise risk management are ensuring the company’s strategy is still relevant, examining the real risks the company faces and determining what risk oversight mechanisms are most effective. The lifecycle of S&P 500 companies has declined from about 60 years in 1958 to below 20 years now below 20 years now, begging the question “Why do so many established public companies go out of business?”

While some get acquired, go private, or become bankrupt, too many disappear because they don’t innovate or stay relevant. The rate of change in business today is alarming—a very real threat for the shareholders is that a company quietly loses market share for three or four years and then suddenly wakes up to realize they’ve lost nearly thirty percent of their market. When that happens, we see Blockbuster and Borders get replaced on the S&P 500 by Netflix and Amazon. Both of those companies might still be in business if their boards had been keeping an eye on new business models, digitally-born companies, and marketplace disrupters.

Q: What are some strategies boards can employ to better manage risk?

A: There are a number of tactics for load-leveling the risk management responsibility across a board, including:

Separating the oversight of future-looking risks from backward-looking risks.
Divide risks into two main categories: backward-looking risks and future-looking risks. Forensic, backward-looking risks include financial internal controls, review of quarterly financial statements, and compliance with FASB regulations. These are historically—and appropriately—the strength and domain of the audit committee.

Future (and emerging) risks include cyber-attacks, cyber breaches that damage brands, disrupted business models, and emerging digital marketplaces. Technology risk, too, needs to be examined. Although disaster recovery has long been a purview of the audit committee, oversight of cyber security and technology risks do not necessarily belong on the audit committee agenda.

Assigning oversight of forward-looking risks to the governance committee.
Audit committees are disproportionately busy on corporate boards. Compensation committees are also quite busy during certain times of the year, leaving governance and nominating committees as the least busy.

The nominating mandate is clear and happens in short bursts: refresh and renew the board. But what is governance on behalf of shareholders? Often, it’s limited to code of conduct, tone at the top, and preventing foreign corrupt illegal practices and sexually predatory behavior. However, governance really ought to be ensuring—on behalf of the shareholders—that the company is relevant, innovative, and vibrant.

I chair the Nominating and Corporate Governance Committee on the Board of HD Supply. Our Audit Committee looks at internal controls, financial reporting, and other functions that Audit Committees historically have performed. We created a more future looking-role for the Nominating and Governance Committee to look at business strategy, including the digital transformation of the company’s business. We’ve had outside speakers from major consultancies like McKinsey, Boston Consulting Group, and Accenture come in and educate us. We’re also working with artificial intelligence experts who can help us understand how to apply that technology to increase B2B sales revenue.

Incorporating working sessions into board meetings.
Like other boards, at HD Supply we have a nominating and corporate governance, audit, and compensation committee readout. But what’s a little different from other boards I’ve served on is that we have a lively discussion around the board table during these readouts, regularly debating our major initiatives of digital and business model transformation.

And we believe in working board dinners, held at our headquarters in the training center versus at a restaurant. We bring in the company’s senior leadership team, as well as contemporary and knowledgeable external speakers, to discuss topics we want to immerse ourselves in.

Leveraging technology to manage risks by monitoring corporate health.
There are a number of metrics that should be tracked to assess corporate health and flush out potential risk factors; these are related to compliance, digital advancement, product and service development pipelines, market share, customer satisfaction, and employee turnover.

There are companies and platforms out there, like Boardvantage that can capture and track those types of metrics to develop an automated corporate health dashboard. Are we as digitally advanced as Amazon? Are we developing and introducing new products and services as quickly as Lowes? Are we an innovation leader, laggard or fast follower? Are we growing market share or losing it? Are we using artificial intelligence as effectively as our competitors? These are the benchmarks we want to monitor.

Viewing board composition as a competitive asset.
It is incumbent on boards to consider, and actively discuss on the governance committee, whether the board should be viewed as a competitive asset to the shareholders or just fiduciaries who do oversight. If the determination is “we are a competitive asset” then the board really ought to look at the competencies around the table the same way a company looks at its management leadership team.

Boards ought to carefully consider, given the turbulent sea of changes that businesses are navigating, how best to refresh and bring on a director or two with skill sets they’ll need in the next three to five years. Boards should forward-appoint members the same way corporations forward-hire, rather than waiting passively for a retirement to free a seat at the table.

By employing these tactics, boards can better fulfill a critical governance mandate: identify business-killing risks before it’s too late.

Betsy Atkins serves as President and Chief Executive Officer at Baja Corp, a venture capital firm and is currently the Lead Director and Governance Chair at HD Supply. She is also on the board of directors of Schneider Electric, Cognizant and Volvo Car Corporation and served on the board of directors at Nasdaq LLC and at Clear Standards as CEO and Chairman.

A self-proclaimed “veteran of board battle scars,” Ms. Atkins will be collaborating with Nasdaq to produce a series of corporate governance “nuts and bolts” articles.

Other popular posts featuring Betsy Atkins on the Governance Clearinghouse:

Seven Critical Elements of a Board Refreshment Plan >>
What Makes a Great Board? >>

Top Cybersecurity Concerns for Every Board of Directors: Data Mapping and Encryption
Publication Date: May 17, 2017

This is the fourth of a four-part series of white papers authored by Cybersecurity expert John Reed Stark. This series -- published for the first time on Nasdaq’s Governance Clearinghouse --outlines a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.

This final part of the series Top Cybersecurity Concerns for Every Board of Directors discusses the board’s oversight responsibilities with respect to two of the largest enterprise undertakings in the field of cybersecurity: data mapping and encryption.

  • Data Mapping: Every cyber-attack response begins with the forensic process of preserving any electronically stored information (ESI) that may be relevant to the cyber-attack. The most well-run companies establish sophisticated and intelligent data classification schemes to mitigate the costs and challenges of preserving ESI after an attack. Creating an accurate data map for a company is imperative: before a company can figure out how to protect its data, the company needs to know where that data is.

  • Encryption: While encryption systems require constant maintenance, and may complicate communications lines, encryption is typically a company’s last line of defense from cyber-attacks. Target’s hackers had access to everything, from the deli meat scales to the cash registers, because there were no controls such as encryption limiting access. Merely encrypting sensitive data is not enough—the type of encryption is of equal importance.
This four-part series of white papers covers the following cybersecurity topics:

Part 1, Cybersecurity Governance: critical components related to the governance practices, policies and procedures of a strong cybersecurity program.

Part II, People: cybersecurity recruitment, training and retention as well as hiring outside firms for digital forensics and data breach response.

Part III, Technology: the technical systems that provide the foundation for cybersecurity infrastructure. 

Part IV, Data Mapping and Encryption: an overview of the board’s oversight responsibilities with respect to encryption and data mapping.

By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item. 

Read John Reed Stark's Latest White Paper on Data Mapping and Encryption >>

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

Nasdaq Talks to . . . PCAOB's Office of Outreach and Small Business Liaison about Its Mission and How It Can Help Public Companies
Publication Date: May 9, 2017

Nasdaq often hears questions from listed companies about their annual financial statement audit or a specific accounting directive. To help answer these questions, Nasdaq investigated and found that, although the Public Company Accounting Oversight Board (PCAOB or the Board) does not have an official “ombudsman,” it does have an Office of Outreach and Small Business Liaison. Read our interview below to find out how this office can help answer these questions.

Want to know more?  Nasdaq will be hosting a webinar with a representative from the PCAOB on Wednesday morning June 7 at 11:30 am EDT. You can register for this event here >>

Q: What is the Office of Outreach and Small Business Liaison?

A: The Office of Outreach and Small Business Liaison was established in 2010 after the passage of the Dodd-Frank Act. The Office plans and conducts forums for auditors of smaller public companies and for auditors of smaller broker-dealers. The Office also acts as a liaison between the Board and accounting firms and others affected by the Board's work; assists with arranging Board member and PCAOB staff speaking engagements; and serves as a contact for anyone who may have questions about the Board’s regulatory activities or needs assistance in locating publicly available information issued by the Board.

Q: How can you help public companies?

A: The PCAOB website contains a number of resources which inform companies about the work of the PCAOB including inspection reports of registered accounting firms and summaries of inspection findings. More information on these pages is provided below.

In addition to our website, PCAOB Board Members and Senior Staff speak to representatives from public companies at events across the country. This includes groups of CFOs as well as Audit Committee members.

In addition to the website, public companies may contact our office if they have questions related to anything on the website.

Q: What’s the best way to reach you?

A: The office can be reached by telephone at (202) 591-4135 or by email at either or

Q: What are the most common questions you get? How do you respond?

A: The Office of Outreach receives questions on many topics. The most common requests typically involve assistance with locating information on registered firms. Generally, staff from the office will respond directly to the person who contacts us. In some instances, due to the technical nature of the question(s) posed, messages are sent to the appropriate division within the PCAOB for a response. Additionally, if the question or request relates to an issue outside of the PCAOB’s jurisdiction, we will direct people to the organization or agency best suited to respond.

We encourage people who contact us to provide enough detail in their message so that the request can be handled promptly.

Q: How can a company participate in PCAOB’s standard-setting process? Are there ways for PCAOB to accept input from public companies? What is it?

A: The PCAOB collects comments from all interested parties, including public companies, as part of the standard-setting process. If a proposal is open for comment, it will be listed on the PCAOB home page. The PCAOB has also made available a rulemaking docket which lists the status of all rulemaking projects, including standards. More information on the comment process is available here. All comment letters that are received are posted on the PCAOB website.

Additionally, all PCAOB standards are subject to SEC approval. Once a proposed standard is submitted to the SEC, there is an additional period in which comments are accepted.

The PCAOB also has a Standing Advisory Group which advises on the development of auditing and related professional practice standards. Public company executives and audit committee representatives are among the members of the group.

Broad-based organizations whose members are public companies such as Financial Executives International, the Society for Corporate Governance, the American Bankers Association, and others may seek to meet with Board members and senior staff to discuss issues of mutual interest. Public companies could also reach out to the Board through Nasdaq.

Q: What other resources are available at PCAOB for public companies with auditor-related questions or concerns?

A: As noted above, the PCAOB website has a number of documents and pages that may be of interest to public companies. The Board frequently issues general reports along with staff inspection briefs. In addition, the Board has created a page with information specifically for audit committee members. Information on firms registered with the PCAOB is available through the registration and reporting system. Users of the system can search for any firm and see inspection reports and enforcement actions for each firm as well as view filings required by the PCAOB. Questions not specifically answered on our web site should be directed to the email address and phone numbers listed above.

We encourage anyone interested in the work of the PCAOB to sign up for email updates or to follow us on Facebook, Twitter and LinkedIn.


outside insight
Reputation Risk and Opportunity Governance: A 5-Point Blueprint for Boards by Andrea Bonime-Blanc, JD/PhD
Publication Date: May 2, 2017

Andrea Bonime-Blanc is the Chief Executive Officer of GEC Risk Advisory and Author of The Reputation Risk Handbook.

Reputation risk and opportunity management is the front line job of management – however, it is the job of the board to provide reputation risk and opportunity oversight for their company. And most boards don't even think about reputation risk until the crisis or scandal hits and their company's reputation, as well as their own personal reputations possibly, may be at risk.

In this article, we define reputational risk, identify recurring themes that were present in cases where reputation risk has gone wrong, and offer a high level five point blueprint for boards to oversee reputation risk and opportunity at their companies. Why do this? Because effective reputation risk management – just like effective enterprise risk management – is not only useful to mitigate losses and liabilities but also to build reputation opportunity and value with and from key stakeholders (customers, employees, regulators, etc.).

Reputation Risk Defined

Within the context of an organization (whether a company, a government agency, a university or a non-profit), reputation risk is a strategic risk that can amplify other underlying and related risks especially non-financial or ESG (environmental, social and governance) risks when those risks have not been properly identified, managed or mitigated. Here is a simple definition of reputation risk I offer in my book, The Reputation Risk Handbook:

Reputation risk is an amplifier risk that layers on or attaches to other risks – especially ESG risks – adding negative or positive implications to the materiality, duration or expansion of the other risks on the affected organization, person, product or service.

When one couples the notion of an amplifier risk with the notion of stakeholder expectations and impact, one can surely start seeing the gestalt of why reputation risk has both qualitative and quantitative dimensions.

Reputation Risk Management Gone Wrong

It is important to note a recurring theme throughout cases where reputation risk went wrong: something or some things did not work well within these companies in advance of the crisis and there are three critical topics that seem to appear in most of these cases:

  1. The Board did not have a proactive stance on effective risk oversight, let alone reputation risk oversight.
  2. The CEO/c-suite were not creating or supporting a culture of accountability and customer-centricity thus allowing for the erosion key stakeholder trust.
  3. The company itself does not appear to have effective risk management and/or views risk as a liability that happens to unlucky companies (instead of a manageable asset that also has embedded opportunity and potential value).

Why Good Reputation Risk Management and Oversight Matter

Reputation risk matters for worse and for better because it’s what happens when the expectations of stakeholders – potentially a multitude of them – are missed, met or exceeded. Reputation risk acts as an amplifier and accelerator of an underlying risk that is not managed at all, poorly managed or is managed up to and possibly beyond the expectations of key stakeholders.

While stakeholder expectations can be characterized as being largely behavioral, emotional or intangible, what happens as a consequence of exceeding, meeting or missing stakeholder expectations is far from intangible:

  • An organization’s meeting or exceeding its stakeholders’ expectations can have neutral to positive qualitative and quantitative consequences.
  • An organization’s missing its stakeholders’ expectations can have negative consequences – both qualitative and quantitative.

Reputation Stakeholders

How well an organization understands and incorporates a qualitative assessment of its key stakeholders and their expectations is where the qualitative and quantitative dimensions of reputation risk meet: one does not make sense without the other and one feeds upon the other. The below chart from my book, The Reputation Risk Handbook, shows a range of some of the key stakeholders that organizations should be considering in such an assessment.

Outside Inside Graph 1

The bottom line is this: flying without a reputation risk net is tantamount to hoping for the best in a world full of challenges, risks, threats and (lost) opportunities. Adopting such a framework, in turn, provides the resilience needed for long-term survival and even out-performance as risks are managed and new opportunities are identified on the way to effectively managing reputation risk.

With these themes in mind, let’s take a look at the five keys to successful ongoing board reputation risk oversight.

A Five Point Reputation Risk Governance Blueprint

Below is what I would consider to be the five key tasks of a board intent on overseeing reputation risk and opportunity effectively for their company:

  1. As an Amplifier and Strategic Risk, Reputation Risk should be on the Board Agenda Regularly. Reputation risk does not occur in isolation but in relation to other underlying risks. As such, reputation risk must be on every board agenda together with strategic and enterprise risk oversight.
  2. Boards Must Oversee Effective Enterprise Risk Management (ERM). Reputation risk cannot be properly understood, managed or supervised without robust underlying ERM that identifies all risks and allows related reputation risk to be properly gauged.
  3. The Board Must Know Who the Company’s Key Stakeholders Are. Why? Because every stakeholder has expectations of a company’s behaviors and results both financial and non-financial. If and when those expectations are not met, both qualitative and quantitative consequences will follow, most of them negative. The reverse is true as well: the better an organization understands, nurtures and tends to its principal stakeholders, the better off that organization will be when and if crises occur, with both qualitative and quantitative consequences, most of them neutral or positive.
  4. A Cross-Disciplinary Team of Company Experts Should Manage Reputation Risk. And it is up to the Board to understand from such experts – from the chief risk officer and head of public relations and communications to the general counsel and the audit executive. They are best prepared to understand the reputation risk of the company if they prepare accordingly. That team must also be synchronized with a proper and effective crisis management program.
  5. Reputation Risk is Directly Connected to Corporate Resilience, Opportunity & Value Creation. It is the board’s role to ensure that the company and its management develop and implement resilience measures to counteract and mitigate material risk and to take advantage of risk opportunity – reputation risk oversight is a critical part of this process. The more prepared an organization is for its risks, the greater chance it will have to successfully manage the risk, associated crises and value opportunities.

For more information and case studies, readers should go to the thought leadership page of the GEC Risk Advisory website.


Dr. Andrea Bonime-Blanc is CEO founder of GEC Risk Advisory and a global governance, risk and value creation strategist. Her firm specializes in governance, risk, ethics, compliance, corporate responsibility, reputation and crisis advice to the private, public, governmental and non-profit sectors worldwide. She is author of The Reputation Risk Handbook and Emerging Practices in Cyber-Risk Governance and has been consistently recognized by Ethisphere as one of the “100 Most Influential People in Business Ethics.” In 2017, she was appointed Ethics Advisor to the Financial Oversight and Management Board of Puerto Rico, created by the U.S. Congress to oversee the restructuring of the Puerto Rican economy. She tweets @GlobalEthicist and writes the Risk2Value Blog.

The views and opinions expressed herein are the views and opinions of the author at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.

Fredrik Voss, Nasdaq Vice President, Talks About What Blockchain Could Mean to Your Company, Part 2
Publication Date: April 28, 2017

Following up on our interview last year, we had the chance to speak again with Fredrik Voss, who is spearheading Nasdaq’s blockchain innovation initiative. Fredrik described the advances and accomplishments over past year, and gave us some idea of what to expect in the future. Excerpts from our conversation follow.

Q: Last year, Nasdaq announced a blockchain-based solution for voting in Annual General Meetings in Estonia, an application of the technology that went beyond settlement and clearing, an area that seems to be garnering a lot of attention. What made you choose this project?

A: We chose that project for a couple of reasons. One, we deliberately wanted a project that wasn’t related to the issuance and settlement of assets on blockchain. We wanted to do something else. We also wanted a project where we really had to explore issues around identity on the blockchain: the identity of a person, identity of a person representing a firm and then firms and people representing other firms in a proxy arrangement.

So those were two things we wanted to explore and then we wanted to find a space where we could do that with internal knowledge and by leveraging the blockchain technology and know-how from our partner Chain. It so happens that in Estonia, we actually do run annual general meetings for a number of companies, as a service. So we had a good understanding of the current business process, so to speak. Also, we would have to rely on a central security depository (CSD) for a share ownership data and we actually own and operate the CSD in Estonia.

As we explored leveraging that environment, we also identified that the Estonian government has put in place a system called e-Residency, which is an advanced way of handling digitized identity for Estonian citizens, but anyone can become an electronic resident of Estonia through that mechanism. So a lot of planets aligned while we picked that particular use case and that particular market as the pilot.

Q: With respect to annual meetings, what are the advantages of a blockchain-based system versus the traditional model?

A: You can obviously do electronic remote voting using traditional technology but the blockchain (or distributed ledgers) has some inherent capabilities that make them quite attractive for a use case like annual meetings, in that it’s very easy to track the provenance of a digitized asset. A digitized asset can be anything, but in this case, it’s a vote, and it is easy to track its whereabouts in a blockchain user base.

One of the problems with the proxy process today is actually demonstrating to the shareholder that their vote was cast in accordance with the instructions of the shareholder. It is actually difficult to do that. But with blockchain technology, you can easily track the whereabouts of that vote. Also, with this system, the ledger is immutable; you cannot change the records, you can undisputedly prove that votes were cast in accordance with the instructions.

Basically, the way it works is that when a vote is coming up, you poll the CSD, and you issue the right number of voting tokens to the shareholders. An individual shareholder can then transfer that voting token to a delegate, or of course they can vote on their own as well. Then you can actually track the whereabouts of that voting token in the network. You can also see in which ballot – if it was in the yes one or the no one –it was cast. There are some inherent functions in blockchain that make it an easy technology to use for that particular use case.

Q: So a company is no longer just sitting back and waiting for the votes to come in? They actually have total visibility into the whole process from beginning to end?

A: Exactly. They have total visibility from the issuance of those voting tokens. You can allow various parties to see where the votes are in the network, and if you are the shareholder, for example, and if you delegated your vote to someone, you can actually see where it is, you can see when it’s cast, you can see in what ballot it was cast, depending upon the rules of the voting process. You can allow the issuing company to see the complete picture of where the votes are for everyone in the network.

The technology provides transparency and certainty to these processes. You cannot quite emulate that using the existing technology of trusted third parties and traditional databases. That would be a more complex and cumbersome solution to build than versus leveraging the inherent capabilities of blockchain ledgers.

Q: In a report issued in January 2017, the Estonia AGM project was described as “successful” and well received by the user community. What were the highlights from this effort?

A: As highlighted in the report, we tested our solution in cooperation with a recently listed Nasdaq Tallinn company, LHV Group, an Estonian financial group. Some reactions from LVH’s management team were:
  • Mr. Erki Kilu, CEO of LHV Pank: Testing the prototype was simple and user friendly. The options were intuitive and required minimal amount of clicks. It is a joy to use a blockchain-based system that actually works and which is awaited by the market and can be used by thousands of people at the same time.
  • Mr. Madis Toomsalu, CEO of LHV Group: It is a good initiative (i.e. start-up) and has a lot of potential. Testing of the prototype was convenient and simple. If the future solution enables mobile ID authentication as well and the security is granted, then we would definitely consider using the product in the future.
Some feedback we received from various investors included:
  • “The GUI was very clean and intuitive, design is nice.”
  • “Everything was logical, simple and understandable. The only disappointment is that I did not find any bugs to report.”
  • “Quick and simple way to vote. The future seems bright!”
They appreciated the transparency in the process. We had proxy companies and custodians involved in the process, and for them, the fact that they now could validate and have evidence that they have fulfilled their obligations was helpful for them. We also learned a couple of things on what is needed to do to make it a complete product, so that was helpful as well.

Q: Looking back on the Estonia project, in what areas do we still need to make improvements?

A: I think the core piece of the solution is very solid. To make this a complete and attractive solution for the users there are some areas we can improve upon. Currently, for example, you have to use a laptop to participate remotely. Obviously you want to be able to provide handheld capabilities. What we delivered was sort of a first minimum viable product or a pilot, and there are some analytics and additional features we’d like to add to it when we turn it into a full blown product.

Q: Do you think that blockchain technology will facilitate shareholder engagement?

A: Totally. That’s one of the key promises of the technology. We explore, broadly speaking, three uses of the technology. The first would be post-trade issuance and settlement, as you mentioned earlier. We’re also looking to regulatory transparency. But we also are looking at whether this technology can be used to bring issuers and investors closer to each other. And I think this project proves that is the case.

We think that a solution like this could promote a more active investor base. It will be a cheaper, more intuitive, more effective way of participating. For example, in a shareholder meeting, it doesn’t mean that everyone wants to participate on their own, but the delegation methodology is a more attractive solution for the issuer, the investor and the proxy custodian. So this project is actually evidence that the technology potentially has that capability.

Of course, to continue on that theme, that voting token we talked about earlier could basically be any digitized asset. If you’re a coffee company, the token could be a beverage coupon that you can easily send to your shareholders using the electronic ledger network, as an example of something you could do in the future. So we definitely think the technology will facilitate shareholder engagement.

Q: Nasdaq is utilizing blockchain technology with private companies through the Nasdaq Private Market. How are private companies utilizing the blockchain technology?

A: That is the first project we embarked upon, what we call the Linq project, which combines Nasdaq solutions with technology developed by our partners at Chain. That falls into the first bucket of the areas we’ve explored: the issuance, settlement and transfer (in the case of secondary market transactions) of ownership of securities. So that is mainly how we’ve used the technology in the private company space.

So basically, a private company using this solution issues shares, and it can transfer those shares to its investors. When investors trade in the secondary market, they can transfer ownership of those shares using this technology. This is all electronic, secure, and done in real time. But there is no trusted third party in the middle. There is no central depository involved so this is a true peer-to-peer network that’s leveraging the technology. It is actually the technology that keeps track of who owns what, instead of a trusted third party in the middle, like a depository.

Q: With private companies, what advantages does the distributed ledger provide over traditional systems?

A: In the U.S. for example, you’ve traditionally had paper certificates. You’ve had capitalization tables being managed in Excel spreadsheets. You have had these certificates being shipped by common carrier, and stored in vaults. You’re talking about a labor intensive, error prone infrastructure…but the key feature has been a peer-to-peer network between these parties. Now you can actually keep this peer-to-peer network if this industry does not want to have a depository function in the middle. This technology secures the processes, provides capitalization information in real time, and is cheaper than the way it happens right now.

Q: How do you see the landscape changing in 2017? What roadblocks are limiting the mass adoption of the blockchain technology?

A: In terms of blockchain in capital markets, we are sort of moving out of the proof of concept (POC) era. Not only at Nasdaq, but among the blockchain industry as a collective, there are fewer POCs, and we are seeing more and more solutions, products being deployed for real assets with real customers. So we are leaving the POC era and entering into more of a pilot era with real products. It’s going to be interesting to follow how those products perform over the next, let’s say, two years. We are seeing increased certainty in the technology. That said, blockchain is not yet, of course, a mature technology.

We will see a lot of evolution in blockchain protocols over the coming years and there are still certain issues around functionality that need to be developed. But we and others increasingly believe that actually these types of enhancements they will be achievable and where companies like our partners Chain are in the forefront. So the technology seems to be increasingly validated as a good candidate for use in capital markets. Now the focus is on the obstacles or challenges limiting wide-scale adoption, and they are mainly non-technology related and non-technical in nature.

One challenge is actually going from vision to concrete designs of how these solutions, these networks, are going to work. The blockchain has wonderful potential as an enabler of faster transaction processing, lower need for capital, better operations, lower cost for IT, among other things. That is the vision – but actually bringing that down into a concrete design that a community of users can agree upon? That’s not a show stopper but it takes a bit of time to achieve. So that’s one area.

A second area is legislation and regulation. Some of these new business models and market structures that are being thought about are so innovative that they are simply not contemplated by existing laws and regulations. The issue is not that they are prohibited, the issue is that there’s a legal uncertainty around them in the current regulatory context. You cannot expect capital market participants to allocate billions worth of assets into solutions where there is legal uncertainty. So there needs to be some legal and regulatory innovation in parallel with the technical innovation. Again, that is not a show stopper – we change laws and regulations all the time, but it takes a bit of time and effort to do it.

Third is something Nasdaq has been thinking about from the beginning: the integration and transition processes. Whatever you want, the fact of the matter is that this technology is being implemented in a pre-existing context – a rather complex technology infrastructure. It needs to be integrated in an efficient way. And then, of course, if your business idea or your business model relies upon replacing a pre-existing piece of infrastructure, you also need to have a credible transition plan to put in the new and get rid of the old technology. You don’t want to be stuck halfway through a transition process because then you end up having to support both the old infrastructure and the new infrastructure. We don’t want that to happen.

So while technology evolution is still very important, that is less of a concern. Now, more and more focus in terms of challenges is being directed to these three things I just spoke about.

Q: What effect do you think the proposed changes to Delaware General Corporate Law (DGCL) will have on the adoption of blockchain technology for corporate purposes?

A: That is an example of an initiative that addresses the challenge of legislative and regulatory uncertainty. If you can create legal certainty that, for example, shares issued in the blockchain format actually represent ownership in the company that would be tremendously helpful. So I think these proposed changes are a sign that these challenges are starting to be addressed, and that is positive for the landscape.

Q: Besides annual meetings and settlement and clearing, what other uses of blockchain do you foresee for publicly-held and private companies?

A: In terms of the corporate nature of things, those are definitely the key areas. Particularly, issuance, settlement, and transfer of ownership combined with services like voting. That is core. There are a lot of use cases that could be relevant for companies in certain industries.

We know, although we are not active in some of those industries ourselves, that there are a lot of use cases being explored in the insurance industry, in supply chain management, and a number of initiatives in the healthcare industry. So there could be broad implications – some in specific industries, but also general features that address needs for all companies, regardless if they are private or public.

Q: Basically new infrastructure for them to utilize at that point?

A: New and better infrastructure. Of course, if the technology delivers on its promises in terms of creating better transparency into who owns a company’s shares, you can think of all kinds of interesting things that a company can do with that information to become a more valuable company to its shareholders.

Q: Last question: do you have any other projects planned for 2017?

A: Yes, there are a number of exciting projects going on. Some are public; some are yet to be publicized. One that has been publicized is that we are working together with a company called The New York Interactive Advertising Exchange (NYIAX) to create a blockchain-based marketplace for advertising instruments.

We are continuing to work on the Linq concept with our partners at Chain and expanding the feature sets. We’re expanding the markets for which it is used. We already use it for company shares and we’ve announced that we’re going to use it for alternative investments as well. And as I said, we are working on the features included in the Linq solution as well.

We have also added blockchain capabilities to the Nasdaq financial framework, which is basically a platform for capital market applications, where a user of that platform can use any data store they want. You can use the blockchain or you can use a traditional data base or you can use them in combination.

And then we have a couple of other projects that we actually cannot talk about publicly yet, but when we can, we can add them to the list.

Q: Sounds good. Let’s catch up again next year and you can tell us more about this.

A: Yes, we should.

Frederik Voss is a Vice President at Nasdaq responsible for Nasdaq's blockchain innovation initiative.

audit committee
Is Your Audit Committee Overloaded?
Publication Date: April 20, 2017

Strained audit committee agendas are a growing concern of the corporate governance community. In addition to the already weighty oversight responsibilities over financial reporting, internal controls, and the qualification and independence of a company’s independent auditor, audit committees are increasingly tasked with taking a larger role in corporate risk management. Nasdaq asked Angela Brock-Kyle, an experienced risk and governance consultant and audit committee veteran, to share her insights on this topic. She described the warning signs of potential audit committee overload and outlined strategies to mitigate it.

Q: Are audit committees overloaded and if so, what is causing this trend?

A: Yes, some audit committees are overloaded and overwhelmed, but the causes depend on the particular situation.

One factor causing this trend is that audit committees are often viewed as the natural place for boards to move items that are new or of concern, whether from a risk perspective or understanding a new regulation. That practice may be driven by the fact that boards often rely on the audit committee to be a “committee of experts” that can quickly slice and dice to get to the core of new issues and come back with either a plan of attack or some reassurance that things are well in hand.

Another factor is that business changes seem to, immediately or long term, drive new issues toward the audit committee. As companies grow and evolve, they offer new products or new services, enter new geographic regions, or they begin dealing with new suppliers. In addition, the paradigm shifts that all companies are dealing with, for example in the technology space, means boards must examine cyber risk, understand big data, and become familiar with any number of other technology-related issues.

Like many organizations, audit committees in and of themselves are subject to inertia. If you compare what was on their docket five years ago to their agenda today, they may not have made necessary changes to the pace of meetings or the intervals between meetings, or taken a “white board” approach to thinking about how to do things differently or what other resources might be brought to bear on the situation.

Q: What are some red flags that an audit committee may be overtaxed?

A: A number of signs may indicate that an audit committee is struggling to address the scope of its assigned workload in the proper level of detail:
  • Meetings that are consistently rushed, because a committee is still allocating the same hour or 90 minutes to cover double the number of topics that were covered before.

  • Board books that are edited right up to the start of the meeting or sometimes during the meeting. Although that can happen from time to time, it shouldn’t happen at all. If there isn’t predictability, deadlines and order to the process of updating board books in advance of meetings, that is one indication of being overwhelmed.

  • Too many one-off or sidebar conversations, where some audit committee members are muttering amongst themselves or reaching out to the audit chair to express concerns that issues aren’t being handled properly because there isn’t enough time during the meeting.

  • A board assessment result that indicates board members aren’t confident the audit committee is doing its job properly.

  • Lack of a structured board refreshment process to identify who should be on the audit committee and what skills and knowledge they bring to the table.

  • No time or effort to access expertise outside of the company, either for director education or industry education.
Q: What strategies can the board implement to effectively manage a robust audit committee agenda?

A: Start with a clean perspective. Don’t rely on the way the committee has done things in the past: focus instead on what needs to be done, what issues the audit committee should be handling and how they should handle them. Look across that broad landscape to develop strategies to ensure the audit committee is effective.

In my experience, there are several strategies that work well:

Delegate work to other board committees or audit subcommittees.
A good first step is to examine the audit committee “kitchen sink” and talk through whether all agenda items properly belong there. Some items may belong under the purview of another committee, or a subcommittee should be convened to better handle certain topics. Subcommittees are an effective way to compartmentalize issues and have a subset of the audit committee work on problem A, and a different subset of the committee work on issue B.

“Right size” the audit committee meeting schedule.
It’s critical to look at the calendar to ensure there are enough official audit committee meetings scheduled to support the audit agenda and any special situations that arise. The committee can also consider scheduling more meetings between the official board meetings, with relevant experts. For example, if there's a technology issue that's arisen and you don’t have that expertise on your audit committee—which is a regular occurrence these days—there should be room in the meeting schedule to tap outside resources that can help the committee understand those issues or bring things back online without over-burdening the agenda.

Tap outside expertise to fill in knowledge gaps and triage agenda items.
Many corporate boards view themselves as being time constrained and don’t reach out to a wider than normal array of resources (both inside and outside the company) to get a holistic perspective of how the company is doing. Taking the time to gain additional insights helps the audit committee to focus meeting time on the right topics for the right amount of time.

Although there may be ten different issues on the agenda, they should not all receive the same weight or attention. And some of them can drop off for a while, and then come back. For example, there are often issues a board may think are critically important, but once they get outside information on those topics, they realize they have it better covered than they thought. Or, they become aware of other simmering issues. I've had more of the latter experiences, where with the help of outside resources we identified issues that had not fully developed and nipped them in the bud.

Building time into the calendar for regular engagements with experts inside the company, like the CFO, internal audit, the CRO, the CISO, and other folks who have important perspectives frequently proves as helpful as meetings with outside experts like external auditors.

Be flexible on the spot to fully accommodate agenda items.
I once participated in an audit committee meeting that had a crowded agenda and a new audit committee member. That meeting absorbed not just the time that was allocated to the audit committee, but also the time that was allocated to the board meeting immediately following. While it took much more time than expected, after the meeting a few committee members expressed that it was one of the best audit committee meetings that they had participated in. When it’s possible, an on-the-spot extension of a meeting time to sufficiently cover a crowded agenda helps ensure committee members are satisfied that critical issues are well in hand.

Q: Is the audit committee the right place for risk management?

A: No, I don’t believe that the audit committee is the right place for risk concerns to land, unless they are related to the audit process. While the audit committee can handle certain risk issues, enterprise risk is a subject that everyone on the board needs to engage in and share their perspectives. There are three topics that the entire board owns: dealing with the CEO and compensation issues, strategy, and risk management.

A collective effort should be made by the board to gather information from many resources (inside and outside the company), to engage with accounting firms and law firms, to read about all sorts of governance issues and current events. They should position themselves to understand, at a minimum, as much about the company as the CEO understands. Then board members can lift their heads above the treetops and survey the landscape from that perspective to get a sense of the range of risks, and put their heads together as an entire group (not a subset!) to strategize how to address and mitigate those risks.


Betsy Atkins

Angela Brock-Kyle is founder and CEO of B.O.A.R.D.S., a privately held governance, strategy and risk advisory firm. In addition, Angela sits on public and non-profit boards. She serves as audit chair and member of the nominating and governance committees of Infinity Property and Casualty Corporation (NASDAQ: IPCC); a trustee of Guggenheim’s Rydex Funds on the audit, governance and risk and compliance committees; a trustee of the YMCA Retirement Fund on the investment and compensation committees; and formerly served on the audit committee of the United Way. Angela enjoyed a 25-year career with TIAA, where she served as a senior leader in the asset management and risk management organizations.


Governance Clearinghouse RSS Feed Governance Clearinghouse RSS Feed

In the News
Reporting Annual Meeting Results
Publication Date: May 22, 2017

Annual meeting season is in full swing, which means public companies must report the results of voting at their meetings. Gibson Dunn’s Securities Regulation and Corporate Governance Monitor provides the top five reminders for these reports, including that they must be filed on a Form 8-K four business days after the annual meeting, with day one starting the day after the date on which the shareholder meeting ends. Another tip is a reminder that if the company holds a “say on frequency” vote, it must disclose (or amend the Form 8-K to disclose) the company’s decision as to how often the company plans to conduct future say on pay votes. Companies must also update the Form 8-K cover page to reflect recent changes and pay attention to the appropriate voting standard and how votes are reported.


Learn More About the Shareholder Services Association
Publication Date: May 16, 2017

Nasdaq recently talked to the SSA to learn more about its mission, the benefits of membership, and its advocacy efforts on behalf of the shareholder services industry. They also shared the agenda for their 2017 Annual Conference that will take place in Florida on July 18-20.

Read our interview with the SSA >>

Webinar: Public Companies and the PCAOB
Publication Date: May 16, 2017

On Wednesday, June 7 at 11:30 am EDT, Nasdaq will be hosting a webinar with representatives from the PCAOB and BDO USA to discuss the PCAOB resources available for public companies.

Register for this event >>

Vell Report Encourages More Board Diversity in Small Tech Firms
Publication Date: May 12, 2017

A new report conducted by Vell Executive Search took an inside look at how companies can improve diversity within the board room. The report, titled “Women Board Members in Tech Companies: Strategies for Building High Performing Diverse Boards,” examined 581 large public technology companies in the U.S. and Canada, and found that while many of these firms are embracing women on boards, there is still room for improvement, especially among smaller companies. The report found that while the technology industry has made strides in large firms, focus is needed on the entire sector, beyond those large companies, in order to gain balance on boards. Recommendations to help achieve diversity include extending succession planning timelines, providing internal training in governance matters, and assisting smaller companies to find diverse board members.

Read the Vell Executive Search Report>>

Nasdaq's Blueprint for Reigniting and Revitalizing America's Capital Markets
Publication Date: May 4, 2017

Nasdaq introduced a blueprint for achieving much-needed reforms in order to maintain healthy equity markets in the U.S. Our insights, recommendations, and proposed actions are included in a new whitepaper, The Promise of Market Reform: Reigniting America’s Economic Engine. This whitepaper focuses on three main themes: Reconstructing the Regulatory Framework, Modernizing Market Structure, and Promoting Long-Termism in the Markets.

Read Wall Street Journal Op Ed >>

Read Nasdaq Whitepaper >>

Watch Nasdaq CEO Adena Friedman’s Interview on Squawk Box >>

10 Nasdaq Companies in the Russell 3000 Reach Gender Parity in the Boardroom
Publication Date: May 3, 2017

The latest Equilar Gender Diversity Index, a quarterly study of female directors in the Russell 3000, found that 10 Nasdaq companies have reached gender parity in the boardroom: Ascena Retail Group, Avid Technology, Connecticut Water, Heska Corporation, Hologic, HSN, Navient, Select Comfort, Trevena, and Viacom. The report also showed signs of progress in addressing gender diversity, including the fact that 25% of new board members in the first quarter of 2017 were female.

Read the Equilar Report >>

Read Nasdaq’s interview with the CEO of Connecticut Water about the role board diversity plays in strengthening corporate governance and improving company performance >>

Jay Clayton confirmed as SEC Chair
Publication Date: May 3, 2017

The United States Senate confirmed the appointment of Jay Clayton as Chair of the Securities and Exchange Commission. Mr. Clayton’s testified at a hearing in March. He is expected to be sworn in later this week.

Nasdaq Governance Clearinghouse
App Store       Google Play       Windows Store       Governance Clearinghouse RSS Feed
The Nasdaq Stock Market, Nasdaq, The Nasdaq Global Select Market, The Nasdaq Global Market, The Nasdaq Capital Market, ExACT and Exchange Analysis and Compliance Tracking system are trademarks of Nasdaq, Inc.
FINRA® and Financial Industry Regulatory Authority, Inc.® are registered trademarks of Financial Industry Regulatory Authority, Inc. OTCBBTM and OTC Bulletin BoardTM are trademarks of FINRA