Nasdaq Governance Clearinghouse

Onboarding New Directors: Beyond the Board Manual
Publication Date: June 27, 2017 

The process of acclimating a new director to a corporate board can have a profound impact on boardroom dynamics. In this post, Joan Conley, Senior Vice President and Corporate Secretary at Nasdaq, shares key elements of Nasdaq's onboarding process as well as insights into the importance of a robust onboarding program.

Ideally, the onboarding process enables a new director to hit the ground running at their first board meeting. Proper onboarding also ensures critical alignment between management, the board and stockholders. Given those ambitious goals, there is much more to onboarding than asking a new director to read a manual and leaving them to tackle their role through trial and error.

Many companies mistake orientation for onboarding. Orientation is a one-time event designed to welcome a new director to the company and the board, outline meeting schedules and board service logistics, define their role, and provide a big picture overview of the company.

Onboarding, on the other hand, is a continuous process. It includes the orientation event and indoctrinates a new director into every aspect of the company's business, culture and the competitive environment it operates in, thereby facilitating meaningful contributions from directors and growth in long-term value for shareholders.

Nasdaq's onboarding process has evolved over time and includes the following key components, all of which are designed to help a new director shorten the learning curve and quickly become a meaningful contributor to the work of the board.

Establish a structured onboarding process.
Given the amount of information new board members need to absorb before their first board meeting, it's critical to have a focused plan in place to deliver that information. At Nasdaq, our onboarding educational process includes:

  • An orientation program that covers the following: board membership and meeting logistics; governance and director responsibilities; Nasdaq business strategy, goals, risks, operating environment, and recent financial performance; and presentations from corporate departments related to information security, corporate communications, and investor relations.
  • Face-to-face meetings with key executives and business unit managers.
  • Required reading of board meeting minutes and documents (including strategy, budget assumptions, compensation, and meeting minutes), investor presentations and analyst reports.

The different elements of governing a company fit together like a puzzle, and the onboarding process should help a new director fit the pieces of that puzzle together. New directors benefit tremendously from granular context on a company's operating environment, corporate strategy, goals, risks, opportunities, financial performance, and cyber security programs.

For example, at Nasdaq, we provide strategy slide decks from the prior year that outline the 1, 3, and 5-year strategies, along with minutes from subsequent update meetings, so new directors can see how the strategy has been followed. We encourage them to spend time researching our largest long-term stockholders and what motivates them to hold Nasdaq stock in their portfolio. We provide new board members with current and historical analyst reports, to give them a sense of how the company's strengths and weaknesses are perceived in the investment community.

Start the onboarding process before election day.
Don't wait until election day to engage new board members--start the onboarding process as soon as the proxy is released. At Nasdaq, onboarding of new directors starts as soon as a new director's nomination has been confirmed by the board and it is determined that the nomination is uncontested. That means even before the vote is final, we begin the very robust educational process outlined above.

Some general counsels may be concerned with providing confidential information to new board members prior to the election; in that case, a company can begin the education process with their public investor presentations and after that arrange for meetings with business unit leaders and others that may include confidential and proprietary information.

Make Audit Committee membership mandatory for new directors.
Every new Nasdaq director serves on the Audit Committee. Through audit committee service, new board members learn key enterprise risks, the financial and operating conditions of the company, how management relationships function within the organization, and details of the operations of each business unit. Audit Committee members hear presentations from internal and external auditors and experts within the company, review every internal audit report, and learn detailed financial information about the business. It's the best "on the job training."

Assign a mentor to new board members.
Board members with long tenure are an indispensable resource of institutional knowledge and historical context for new board members. Seasoned directors have seen the company through its most significant events: companies' success, market downturns, lawsuits, shareholder activism, acquisitions, and business model transformations. Pairing new directors with a mentor from the board accelerates cultural acclimation and encourages meaningful contributions from new directors during their first year.

Customize onboarding to individual directors.
Each director is carefully chosen for a board based on their unique skillsets, experiences, and talents. The onboarding process should be tailored to leverage those strengths, ensuring they contribute to their full potential and nurturing their interests in the company.

Ensure onboarding is ongoing.
Onboarding is essentially a process of continuing education. The three main elements of continuing education for board members at Nasdaq are knowledge sharing, rotating committee assignments, and offering opportunities to broaden and deepen their knowledge base.

I see a key role of the Corporate Secretary as aligning executives and board members, so the more opportunities I find to bring them together to exchange information the better. This continues even after new members have completed their first year, and these opportunities to meet with executives and business unit leaders are also individualized to each board member.

Rotating committee memberships is another excellent way to expand a board member's knowledge of the company. When a director is assigned to a new committee, they need a complete orientation on that committee's mandate, charters, and principles. Rotating committees begins a new sequence of onboarding events, refreshes the committee, and opens a whole new information silo for the board member.

I also continuously push news and information out to board members, again on an individualized basis. I send them relevant articles, updated analyst reports, links to subscriptions and alerts they may be interested in, and Nasdaq's daily news clips. I utilize Director's Desk for this, as well as the NACD daily summary. I maintain a budget for events and educational sessions that our board members may want to attend, such as director conferences.

Assess the fit and performance of new directors.
During a board member's first year of service, it's critical to assess whether the director is contributing effectively to the board and fits the group dynamic. That assessment takes place throughout the board cycle, not just during semiannual board assessments. If a new director needs assistance, I work confidentially with the board chair to develop an action plan: perhaps a new director needs tutorials on non-GAAP financials, information about a new product line, or context on strategy in a certain business area. We tailor the onboarding plan to meet these needs.

Solicit feedback from new directors.
An onboarding process and curriculum is not something to develop and put on a shelf because it continually evolves with the business landscape and ideally is tailored and individualized. At Nasdaq, we solicit feedback on the onboarding process from new directors during their frequent first-year check-ins with the board chair and CEO. We continually modify our onboarding program based on that feedback, information they share about business units they may not fully understand, topics they felt they spent too much time on, or areas where they have a greater thirst for information.

Joan Conley is Senior Vice President and Corporate Secretary of Nasdaq and its global subsidiary organizations and, in that role, is responsible for the Global Nasdaq Corporate Governance Program and Nasdaq Global Ethics Program. She also serves as Managing Director of the Nasdaq Educational Foundation and is a Director of the Nasdaq Entrepreneurial Center Board.

What's New in Shareholder Engagement: Telling Your Own Story
Publication Date: June 22, 2017 

Tactical communication with shareholders is critical, as shareholder activism increases and institutions begin to rely more on their own independent research and less on the opinions of proxy advisory firms. By aligning corporate messaging with investor interests and concerns, companies build better relationships with their investment communities—and in the process, eliminate information vacuums that can be exploited by activists.

Proxy statements are an often-overlooked opportunity for companies to share compelling corporate governance stories and improve stockholder engagement. Investors are keenly interested in succinct and articulate explanations of the following:

  • the company's strategic and risk management plans;
  • the company's corporate governance values;
  • why executive officers are compensated appropriately; and
  • why the company believes it has the right people sitting on the board.

By transforming proxy statements from compliance tools into highly effective communication tools, companies can improve shareholder engagement and nurture investor support for annual meeting ballots. Following are best practices we have observed (and also applied here at Nasdaq) for utilizing proxies to tell a compelling corporate story.

Engage with shareholders proactively.
In addition to building relationships and ensuring shareholders support the company's strategy, a key goal of engagement is discovering investor perspectives on their areas of focus (such as board composition, pay-for-performance metrics, and engagement). Effective shareholder engagement is a two-way dialogue, some of which ought to take place with the company's largest investors outside of proxy season. If institutional investors aren't available to meet during the off-season, take advantage of quarterly earnings calls, industry conferences, and investor presentations to engage.

Bring the proxy process in-house.
Once the company has identified investor concerns and refined its corporate story, it should consider bringing the process for writing and editing the proxy in-house. An outside consultant or vendor cannot do a better job aligning corporate messaging with investor concerns than the company itself. Complex topics such as board composition, executive compensation policies, corporate strategies, and enterprise risk management should be explained succinctly and clearly, a task best left to corporate insiders.

When bringing the proxy development process in-house, it is helpful to create a benchmark of best-in-class proxies that stand out in terms of innovation and formatting. At Nasdaq, we spent months researching and creating a "look book" of noteworthy proxies that our development team used as a reference tool to guide improvements in the messaging, readability, disclosure, and formatting of the proxy.

Enhance disclosure and transparency.
When developing the elements of the company's story that address investor hot buttons, don't settle for the bare minimum in disclosure. Transparency around board composition, executive compensation, and corporate governance builds trust and assists investors in evaluating the board's effectiveness and independence. For example, shareholders like to map the skill sets on the board to the company's corporate strategies and enterprise risks. A holistic overview of board composition—including committee assignments, tenure, experience, and diversity—can be helpful for this, as is a board skills matrix. The structure and philosophy of executive compensation should also be outlined in a thorough and very readable analysis.

Enhanced disclosure is especially important when a company has a great governance story it hasn't been sharing effectively. Through our own research at Nasdaq, we have unearthed many Nasdaq-listed companies that have quietly achieved exemplary track records with regards to board composition and diversity. However, these efforts often go unnoticed because only a handful of companies highlight board composition metrics in their proxies using charts and graphs.

Transform the proxy into a communication tool.
Different types of investors read and use proxies differently: for retail investors, it's a reading document; for institutional investors, it's a reference document. To motivate institutional investors to support the company's annual meeting ballot, proxy messaging needs to be clear and compelling (and navigation intuitive) so investors can locate topics of interest quickly and understand them easily.

Readability is key—writing content in plain English, eliminating redundancies to condense the document, and hyperlinking a detailed table of contents are all ways to enhance the readability of a proxy. Key messages should be highlighted in such a way that shareholders can't miss them: In addition to enhancing the summary to include critical information, companies can draw attention to (and summarize) main ideas by incorporating charts, matrices, graphics, and bulleted lists.

Launch an interactive digital proxy.
A growing number of investors prefer to access proxies and vote online, and interactive proxies are transforming online stockholder engagement. The intuitive framework and visually appealing layouts of interactive proxy documents make it easy for shareholders to navigate and digest proxy content on their own terms, and on any device. These interactive versions include multiple features allowing for easy search and maneuverability, such as section and sub-section headers, expanded table of contents, and linked page references throughout the document.

Interactive proxy platforms also provide companies with useful analytics regarding which sections of proxy statements, and which search terms, are most popular with shareholders. User analytic data will be valuable to companies seeking to identify proxy content elements that most resonate with investors, as well as fine-tuning digital layouts and navigation.

During the past few weeks, a number of Nasdaq-listed companies published their 2017 proxy statements using an interactive format including eBay, Inc., Intel Corporation, Nasdaq, Inc., Northern Trust Corporation, and Otter Tail Corporation.

Perhaps the most compelling piece of PR advice dispensed by Don Draper, ad man extraordinaire of the series Mad Men, was this: "If you don't like what they are saying about you, change the conversation." By taking control of their own story, corporations can do just that.


Public Companies and the PCAOB: Insights from the PCAOB, BDO, and Grant Thornton
Publication Date: June 16, 2017

David Wicks, Vice President of Listing Services at Nasdaq, recently hosted a webinar with Greg Scates, Acting Director of the PCAOB's Office of Outreach and Small Business Liaison; Blake Wilson, National Assurance Partner at BDO USA; and Timothy O'Neil, Audit Partner at Grant Thornton LLP. Panelists shared insights on ways publicly traded companies can ensure their voices are heard at the PCAOB and auditing firms alike.

Excerpts from this discussion are presented below and have been edited for length and clarity. The views expressed here reflect those of the speakers and do not necessarily reflect those of their organizations.

Q: How does the Office of Outreach and Small Business Liaison work with public companies? What's the best way for companies to reach you?

PCAOB: We conduct public forums with smaller public companies and brokers and dealers around the country each year, to provide updates on new standards and new activities going on at the PCAOB. These forums are also a good opportunity for us to hear from smaller firms about problems or issues they are having as they conduct their audits.

The PCAOB Office of Outreach and Small Business Liaison can be reached by phone at (202) 591-4135 or email at

Q: What type of questions should a company direct to PCAOB vs. the SEC?

Our staff responds to questions related to auditing standards and auditing-related matters with respect to the audits of public companies and brokers and dealers. When we get questions about accounting related matters, accounting standards or SEC filing and reporting matters—none of which are in our jurisdiction—we refer those to the SEC.

Q: How can publicly traded companies participate in PCAOB's standard-setting process? Are there other ways public companies can engage with PCAOB?

The principal way companies, accounting firms, investors, and others participate in the standard-setting process is through submitting comment letters to the PCAOB on proposals we have outstanding. Outstanding proposals are always posted on our homepage, with links to the releases describing the proposed changes to the PCAOB standards as well as instructions on how to comment on our proposed standards. Those comments are the most valuable to the staff and the Board. We take those comments very seriously as we go through the standard-setting process.

The PCAOB is somewhat unique compared to other standard setting groups such as the FASB or the IAASB in that our standards go through two approval processes. Once a new standard or amendments to existing PCAOB standards are adopted by the PCAOB, changes to PCAOB standards are subject to approval by the SEC before changes to PCAOB standards become effective. It's a rigorous process, but it gives public companies, firms, and investors multiple opportunities to comment.

Management of public companies can also apply for membership in the PCAOB's Standing Advisory Group (SAG), which meets two or three times a year to advise the PCAOB on the standard setting agenda and related activities. Members of the SAG include individuals employed by public companies, accounting firms, investors, and other regulatory bodies.

Q: What role do accounting firms play in the standard setting process? Can you suggest how companies can better participate?

The comment forum is the most predominant way Grant Thornton drives standard setting. Leveraging relationships with the companies, private equity firms and investors on PCAOB's SAG is another opportunity for both auditing firms and companies to have impact.

We urge our partners, when they are meeting with management or with the audit committee, to have a dialogue around the PCAOB's agenda, what standards are coming down the pike, what they should expect when new standards are adopted. If a company is concerned about a given standard, I encourage them to work with their audit engagement team, or the firm itself at a higher level, to collectively craft a comment letter relevant to the company's audit agenda.

Q: We often hear from our listed companies that the PCAOB might recommend a new control, test or procedure to cover a specific item—perhaps for a specific company or industry—but instead of applying the new control to just the situation PCAOB identified, the audit firm in turn applies it to all clients. Is this the PCAOB's intent when it gives comments to auditors? If a company thinks this is happening, what recourse does the company have?

PCAOB: Based on this question, it seems there may be some confusion about the PCAOB's inspection process. The PCAOB's inspection process assesses compliance with existing auditing standards and is designed to identify and address weaknesses and deficiencies related to how a firm conducts audits under these standards. These are noted in the inspection report. The firm then goes through the process of remediating the deficiencies identified. In response, a firm may revise its existing quality control policies and procedures as well as the firm's methodology.

Q: BDO and GT, what advice would you give companies that feel they are in this situation? What recourse do they have?

In general, companies should expect their engagement team to articulate why they are performing a specific procedure. Responses in that dialogue should be rooted in a firm methodology, perhaps mapped back to a PCAOB standard or inspection finding. A company needs to challenge the auditing engagement team to understand whether they are identifying the right risks and if the responses to those risks make sense in the context of the financial statement that is currently being audited.

BDO: The PCAOB typically will only comment on a material matter, and auditing firms take those matters very seriously. As part of our QC process, we will determine why the issue occurred, if it is specific to that particular engagement and if corrective actions should be limited to that engagement, or if it is a broader QC issue that may be a methodology concern. I would encourage companies that feel they are in an over-auditing situation to have a dialogue with the engagement partner as to why they think a procedure may be necessary and to further understand what is driving it.

PCAOB: If company management is concerned about over-auditing in a particular area, then management should take it up with the audit committee. Each year, the audit engagement team discusses an overview of the audit strategy with the audit committee. This could provide an opportunity for management to have a productive dialogue with the auditor and the audit committee as to a particular auditing issue management may be concerned about.

Q: On June 1, the PCAOB introduced a new audit standard, AS #3101, that will initially make certain changes to the audit report, and eventually change the way auditors describe "Critical Audit Matters" in both the audit report and when interacting with audit committees. PCAOB, can you discuss this new standard?

The new AS #3101 is a standard that's been adopted by the Board, but not a standard of the PCAOB yet, since it is subject to a notice and comment process by the SEC. The SEC will post it in the Federal Register and public companies, broker-dealers, accounting firms, investors and others will have another opportunity to comment on this standard. The SEC will consider public comments received in deciding whether the new standard and related amendments are consistent with the requirements of the Sarbanes-Oxley Act, the securities laws, in the public interest or for the protection of investors.

The new standard retains the pass/fail model that is in the existing standard today and contains a new element related to the communication of critical audit matters, or CAMs, in the auditor's report. Critical audit matters are matters arising from the audit of the financial statements that are communicated or required to be communicated to the audit committee, relate to accounts or disclosures that are material to the financial statements, and involve especially challenging, subjective, or complex auditor judgment. If there are no critical audit matters to be communicated, then that fact should be disclosed in the report.

PCAOB board members don't intend for the CAMs to result in boilerplate language. The Board anticipates the new standard will make the auditor's report more relevant, useful and informative to investors and other financial statement users with respect to a particular company. CAMs are determined using a principles-based framework and should be tied to a particular audit engagement in which they arise. The communication of CAMs in the auditor's report should inform investors and other financial statement users of matters arising from the audit of the financial statements that involved especially challenging, subjective, or complex auditor judgment, and how the auditor addressed those matters. We anticipate there will be different CAMs between companies within the same industry. The point is to make sure the information is useful to the investing public.

We also made some other changes to the audit report in the adopted standard, including a new disclosure of audit tenure (that is the year in which the auditor begins serving consecutively as the company's auditor).

If approved by the SEC, we plan to phase in the effective date for Standard AS #3101 over several years. The new auditor's report format, excluding the reporting requirements of CAMs, would be effective for audits of fiscal years ending on or after December 15, 2017. The communication of CAMs would become effective for audits of large accelerated filers for fiscal years ending on or after June 30, 2019. Communication of CAMs for audits of all other companies would become effective for fiscal years ending on or after December 15, 2020.

Q: BDO and Grant Thornton, how do you think the adoption of this standard will change your interaction with your public company clients? What do you think will be the most challenging aspect of adopting this new standard?

I'm not sure the interaction with public companies will change. The CAMs information that's expected to be included in the report is akin to an MD&A in a public company filing, meant to give insight into our audit approach. That information is already communicated not only to management, but also to those charged with governance. I think where the sensitivity will come in is that this is not generally public information currently. While management absorbs it, understands it, and challenges it, audit committees and those charged with governance in a similar fashion will have some sensitivity as to what they would like us to include and not include in a report. I expect certain firms and/or companies will have robust discussions around CAMs, and others will disclose them in more vague and general terms.

BDO: Discussions related to the new standard are already happening with engagement teams, and those are robust discussions, in terms of those CAMs: what those disclosures are, how they will be written, and discussions between the auditor and the companies in terms of the robustness of CAMs disclosures.

Q: We hear from our listed companies that audit fees are increasing because of the additional testing and audits being required by the PCAOB, and auditors have no incentive to keep them down. Do auditors use a cost/benefit analysis when deciding what procedures are necessary? How can this be addressed in a meaningful and constructive way?

We have to perform our audits to achieve high audit quality, in accordance with the auditing standards which govern our work. There's not much in terms of cost that we can do from that perspective. We are in a competitive market across all the auditing firms—margins are actually declining because of what it requires in today's world to perform a high quality audit. So we need to stay focused on performing the procedures that are necessary, and companies need to be involved in a dialogue to understand why we are doing certain things. As we discussed today, companies can also be involved in the standard setting process.

GT: There's a minimum level of effort on an audit, whether it be public or private, and a company should determine that either through their own research or their engagement team articulating what that minimum level of effort is. Because as Blake [BDO] said, that effort is rooted in the standards. There will be issues that go above and beyond the standards, because of unique industry factors or circumstances related to a given transaction or company situation.

Companies can help keep costs down by understanding the minimum level of effort, determining whether the team can leverage internal audit for controls testing, and identifying ways to leverage other information the company is using to get to the right answers.

Q: In other countries, audit reports provide much more detail than is currently provided in the U.S. Do you foresee that audit reports will become more granular in nature and less standardized? If so, how?

The proposed PCAOB standard we spoke about earlier adding CAMs to reports is a first step in that direction. It's hard to make a global comment because every jurisdiction is a little different. For example, in certain European jurisdictions, you see director information, compensation and other information in auditor's reports; this information is already public here in the U.S. but it exists in different areas. I do think we will start to see a bit more standardization across the global economy, because global investors want to see reporting that's somewhat similar, not only from an accounting standard perspective but from an audit perspective as well.


Comment Solicitation: Shareholder Approval Rules
Publication Date: June 14, 2017

Last year, Nasdaq solicited comments on our shareholder approval rules. These rules were adopted in 1990 and have remained largely unchanged since then. The comment solicitation was designed to elicit views on whether the rules could be updated given changes in the capital markets since then, without sacrificing the crucial investor protections they provide.

Following review of the comments provided, Nasdaq is considering a rule amendment to: (i) change the definition of market value for purposes of the shareholder approval rules from the closing bid price to a five day trailing average of the closing price; and (ii) eliminate the requirement for a company to obtain shareholder approval for issuances of common stock at a price less than book value. As part of these changes, Nasdaq would also require that an issuance of 20% or more of the company's outstanding securities be approved by the company's independent directors where shareholder approval is not required.

We encourage all interested parties to review the detailed description of these proposed changes in our Comment Solicitation and provide comments before July 31, 2017. 

Electronic responses are preferred and may be addressed to:

You may also review last year's comment solicitation here.

Thinking Outside the Audit Committee Box: A Better Way to Manage Risk
Publication Date: May 23, 2017

An ever-increasing reliance on evolving technologies has left corporations vulnerable to cyber-attack and business model disruption. At the same time, enterprise risk management has landed squarely in the sights of institutional investors. As a result, boards must enhance their oversight of risk management.

Audit committee members, who have had responsibility for risk management on many boards, are feeling strained as regulatory demands intersect with that increased responsibility; in a recent survey of nearly 1,500 audit committee members by KPMG, half of those surveyed reported their committees may not have the time or expertise needed to be effective in all areas of responsibility.

Thus, there is a growing awareness that boards may need to evolve, including by altering board committee structures and reallocating workflows. To help us better understand these issues, we asked Betsy Atkins, veteran of 23 boards and 13 IPOs, to share her expertise on providing effective oversight of risk management in the boardroom.

Q: What is a board’s primary role with respect to enterprise risk management?

A: The board’s primary roles related to enterprise risk management are ensuring the company’s strategy is still relevant, examining the real risks the company faces and determining what risk oversight mechanisms are most effective. The lifecycle of S&P 500 companies has declined from about 60 years in 1958 to below 20 years now, begging the question “Why do so many established public companies go out of business?”

While some get acquired, go private, or become bankrupt, too many disappear because they don’t innovate or stay relevant. The rate of change in business today is alarming—a very real threat for the shareholders is that a company quietly loses market share for three or four years and then suddenly wakes up to realize they’ve lost nearly thirty percent of their market. When that happens, we see Blockbuster and Borders get replaced on the S&P 500 by Netflix and Amazon. Both of those companies might still be in business if their boards had been keeping an eye on new business models, digitally-born companies, and marketplace disrupters.

Q: What are some strategies boards can employ to better manage risk?

A: There are a number of tactics for load-leveling the risk management responsibility across a board, including:

Separating the oversight of future-looking risks from backward-looking risks.
Divide risks into two main categories: backward-looking risks and future-looking risks. Forensic, backward-looking risks include financial internal controls, review of quarterly financial statements, and compliance with FASB regulations. These are historically—and appropriately—the strength and domain of the audit committee.

Future (and emerging) risks include cyber-attacks, cyber breaches that damage brands, disrupted business models, and emerging digital marketplaces. Technology risk, too, needs to be examined. Although disaster recovery has long been a purview of the audit committee, oversight of cyber security and technology risks does not necessarily belong on the audit committee agenda.

Assigning oversight of forward-looking risks to the governance committee.
Audit committees are disproportionately busy on corporate boards. Compensation committees are also quite busy during certain times of the year, leaving governance and nominating committees as the least busy.

The nominating mandate is clear and happens in short bursts: refresh and renew the board. But what is governance on behalf of shareholders? Often, it’s limited to code of conduct, tone at the top, and preventing foreign corrupt illegal practices and sexually predatory behavior. However, governance really ought to be ensuring—on behalf of the shareholders—that the company is relevant, innovative, and vibrant.

I chair the Nominating and Corporate Governance Committee on the Board of HD Supply. Our Audit Committee looks at internal controls, financial reporting, and other functions that Audit Committees historically have performed. We created a more future-looking role for the Nominating and Governance Committee to look at business strategy, including the digital transformation of the company’s business. We’ve had outside speakers from major consultancies like McKinsey, Boston Consulting Group, and Accenture come in and educate us. We’re also working with artificial intelligence experts who can help us understand how to apply that technology to increase B2B sales revenue.

Incorporating working sessions into board meetings.
Like other boards, at HD Supply we have a nominating and corporate governance, audit, and compensation committee readout. But what’s a little different from other boards I’ve served on is that we have a lively discussion around the board table during these readouts, regularly debating our major initiatives of digital and business model transformation.

And we believe in working board dinners, held at our headquarters in the training center versus at a restaurant. We bring in the company’s senior leadership team, as well as contemporary and knowledgeable external speakers, to discuss topics we want to immerse ourselves in.

Leveraging technology to manage risks by monitoring corporate health.
There are a number of metrics that should be tracked to assess corporate health and flush out potential risk factors; these are related to compliance, digital advancement, product and service development pipelines, market share, customer satisfaction, and employee turnover.

There are companies and platforms out there, like Boardvantage, that can capture and track those types of metrics to develop an automated corporate health dashboard. Are we as digitally advanced as Amazon? Are we developing and introducing new products and services as quickly as Lowe’s? Are we an innovation leader, laggard or fast follower? Are we growing market share or losing it? Are we using artificial intelligence as effectively as our competitors? These are the benchmarks we want to monitor.

Viewing board composition as a competitive asset.
It is incumbent on boards to consider, and actively discuss on the governance committee, whether the board should be viewed as a competitive asset to the shareholders or just fiduciaries who do oversight. If the determination is “we are a competitive asset” then the board really ought to look at the competencies around the table the same way a company looks at its management leadership team.

Boards ought to carefully consider, given the turbulent sea of changes that businesses are navigating, how best to refresh and bring on a director or two with skill sets they’ll need in the next three to five years. Boards should forward-appoint members the same way corporations forward-hire, rather than waiting passively for a retirement to free a seat at the table.

By employing these tactics, boards can better fulfill a critical governance mandate: identify business-killing risks before it’s too late.

Betsy Atkins serves as President and Chief Executive Officer at Baja Corp, a venture capital firm and is currently the Lead Director and Governance Chair at HD Supply. She is also on the board of directors of Schneider Electric, Cognizant and Volvo Car Corporation and served on the board of directors at Nasdaq LLC and at Clear Standards as CEO and Chairman.

A self-proclaimed “veteran of board battle scars,” Ms. Atkins will be collaborating with Nasdaq to produce a series of corporate governance “nuts and bolts” articles.

Other popular posts featuring Betsy Atkins on the Governance Clearinghouse:

Seven Critical Elements of a Board Refreshment Plan >>
What Makes a Great Board? >>

Top Cybersecurity Concerns for Every Board of Directors: Data Mapping and Encryption
Publication Date: May 17, 2017

This is the fourth of a four-part series of white papers authored by cybersecurity expert John Reed Stark. This series -- published for the first time on Nasdaq's Governance Clearinghouse -- outlines a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.

This final part of the series Top Cybersecurity Concerns for Every Board of Directors discusses the board's oversight responsibilities with respect to two of the largest enterprise undertakings in the field of cybersecurity: data mapping and encryption.

  • Data Mapping: Every cyber-attack response begins with the forensic process of preserving any electronically stored information (ESI) that may be relevant to the cyber-attack. The most well-run companies establish sophisticated and intelligent data classification schemes to mitigate the costs and challenges of preserving ESI after an attack. Creating an accurate data map for a company is imperative: before a company can figure out how to protect its data, the company needs to know where that data is.

  • Encryption: While encryption systems require constant maintenance, and may complicate communications lines, encryption is typically a company's last line of defense from cyber-attacks. Target's hackers had access to everything, from the deli meat scales to the cash registers, because there were no controls such as encryption limiting access. Merely encrypting sensitive data is not enough—the type of encryption is of equal importance.

This four-part series of white papers covers the following cybersecurity topics:

Part I, Cybersecurity Governance: critical components related to the governance practices, policies and procedures of a strong cybersecurity program.

Part II, People: cybersecurity recruitment, training and retention as well as hiring outside firms for digital forensics and data breach response.

Part III, Technology: the technical systems that provide the foundation for cybersecurity infrastructure. 

Part IV, Data Mapping and Encryption: an overview of the board's oversight responsibilities with respect to encryption and data mapping.

By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item. 

Read John Reed Stark's Latest White Paper on Data Mapping and Encryption >>

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

Nasdaq Talks to . . . PCAOB's Office of Outreach and Small Business Liaison about Its Mission and How It Can Help Public Companies
Publication Date: May 9, 2017

Nasdaq often hears questions from listed companies about their annual financial statement audit or a specific accounting directive. To help answer these questions, Nasdaq investigated and found that, although the Public Company Accounting Oversight Board (PCAOB or the Board) does not have an official "ombudsman," it does have an Office of Outreach and Small Business Liaison. Read our interview below to find out how this office can help answer these questions.

Want to know more?  You can listen to a re-play of a recent webinar Nasdaq hosted with PCAOB, BDO, and Grant Thornton here >>

Q: What is the Office of Outreach and Small Business Liaison?

A: The Office of Outreach and Small Business Liaison was established in 2010 after the passage of the Dodd-Frank Act. The Office plans and conducts forums for auditors of smaller public companies and for auditors of smaller broker-dealers. The Office also acts as a liaison between the Board and accounting firms and others affected by the Board's work; assists with arranging Board member and PCAOB staff speaking engagements; and serves as a contact for anyone who may have questions about the Board's regulatory activities or needs assistance in locating publicly available information issued by the Board.

Q: How can you help public companies?

A: The PCAOB website contains a number of resources which inform companies about the work of the PCAOB including inspection reports of registered accounting firms and summaries of inspection findings. More information on these pages is provided below.

In addition to our website, PCAOB Board Members and Senior Staff speak to representatives from public companies at events across the country. This includes groups of CFOs as well as Audit Committee members.

In addition to the website, public companies may contact our office if they have questions related to anything on the website.

Q: What's the best way to reach you?

A: The office can be reached by telephone at (202) 591-4135 or by email at either or

Q: What are the most common questions you get? How do you respond?

A: The Office of Outreach receives questions on many topics. The most common requests typically involve assistance with locating information on registered firms. Generally, staff from the office will respond directly to the person who contacts us. In some instances, due to the technical nature of the question(s) posed, messages are sent to the appropriate division within the PCAOB for a response. Additionally, if the question or request relates to an issue outside of the PCAOB's jurisdiction, we will direct people to the organization or agency best suited to respond.

We encourage people who contact us to provide enough detail in their message so that the request can be handled promptly.

Q: How can a company participate in PCAOB's standard-setting process? Are there ways for PCAOB to accept input from public companies? What is it?

A: The PCAOB collects comments from all interested parties, including public companies, as part of the standard-setting process. If a proposal is open for comment, it will be listed on the PCAOB home page. The PCAOB has also made available a rulemaking docket which lists the status of all rulemaking projects, including standards. More information on the comment process is available here. All comment letters that are received are posted on the PCAOB website.

Additionally, all PCAOB standards are subject to SEC approval. Once a proposed standard is submitted to the SEC, there is an additional period in which comments are accepted.

The PCAOB also has a Standing Advisory Group which advises on the development of auditing and related professional practice standards. Public company executives and audit committee representatives are among the members of the group.

Broad-based organizations whose members are public companies such as Financial Executives International, the Society for Corporate Governance, the American Bankers Association, and others may seek to meet with Board members and senior staff to discuss issues of mutual interest. Public companies could also reach out to the Board through Nasdaq.

Q: What other resources are available at PCAOB for public companies with auditor-related questions or concerns?

A: As noted above, the PCAOB website has a number of documents and pages that may be of interest to public companies. The Board frequently issues general reports along with staff inspection briefs. In addition, the Board has created a page with information specifically for audit committee members. Information on firms registered with the PCAOB is available through the registration and reporting system. Users of the system can search for any firm and see inspection reports and enforcement actions for each firm as well as view filings required by the PCAOB. Questions not specifically answered on our web site should be directed to the email address and phone numbers listed above.

We encourage anyone interested in the work of the PCAOB to sign up for email updates or to follow us on Facebook, Twitter and LinkedIn.

Reputation Risk and Opportunity Governance: A 5-Point Blueprint for Boards by Andrea Bonime-Blanc, JD/PhD
Publication Date: May 2, 2017

Andrea Bonime-Blanc is the Chief Executive Officer of GEC Risk Advisory and Author of The Reputation Risk Handbook.

Reputation risk and opportunity management is the front line job of management – however, it is the job of the board to provide reputation risk and opportunity oversight for their company. And most boards don't even think about reputation risk until the crisis or scandal hits and their company's reputation, as well as their own personal reputations possibly, may be at risk.

In this article, we define reputational risk, identify recurring themes that were present in cases where reputation risk has gone wrong, and offer a high level five point blueprint for boards to oversee reputation risk and opportunity at their companies. Why do this? Because effective reputation risk management – just like effective enterprise risk management – is not only useful to mitigate losses and liabilities but also to build reputation opportunity and value with and from key stakeholders (customers, employees, regulators, etc.).

Reputation Risk Defined

Within the context of an organization (whether a company, a government agency, a university or a non-profit), reputation risk is a strategic risk that can amplify other underlying and related risks especially non-financial or ESG (environmental, social and governance) risks when those risks have not been properly identified, managed or mitigated. Here is a simple definition of reputation risk I offer in my book, The Reputation Risk Handbook:

Reputation risk is an amplifier risk that layers on or attaches to other risks – especially ESG risks – adding negative or positive implications to the materiality, duration or expansion of the other risks on the affected organization, person, product or service.

When one couples the notion of an amplifier risk with the notion of stakeholder expectations and impact, one can surely start seeing the gestalt of why reputation risk has both qualitative and quantitative dimensions.

Reputation Risk Management Gone Wrong

It is important to note a recurring theme throughout cases where reputation risk went wrong: something or some things did not work well within these companies in advance of the crisis and there are three critical topics that seem to appear in most of these cases:

  1. The Board did not have a proactive stance on effective risk oversight, let alone reputation risk oversight.
  2. The CEO/C-suite were not creating or supporting a culture of accountability and customer-centricity, thus allowing for the erosion of key stakeholder trust.
  3. The company itself does not appear to have effective risk management and/or views risk as a liability that happens to unlucky companies (instead of a manageable asset that also has embedded opportunity and potential value).

Why Good Reputation Risk Management and Oversight Matter

Reputation risk matters for worse and for better because it’s what happens when the expectations of stakeholders – potentially a multitude of them – are missed, met or exceeded. Reputation risk acts as an amplifier and accelerator of an underlying risk that is not managed at all, poorly managed or is managed up to and possibly beyond the expectations of key stakeholders.

While stakeholder expectations can be characterized as being largely behavioral, emotional or intangible, what happens as a consequence of exceeding, meeting or missing stakeholder expectations is far from intangible:

  • An organization’s meeting or exceeding its stakeholders’ expectations can have neutral to positive qualitative and quantitative consequences.
  • An organization’s missing its stakeholders’ expectations can have negative consequences – both qualitative and quantitative.

Reputation Stakeholders

How well an organization understands and incorporates a qualitative assessment of its key stakeholders and their expectations is where the qualitative and quantitative dimensions of reputation risk meet: one does not make sense without the other and one feeds upon the other. The below chart from my book, The Reputation Risk Handbook, shows a range of some of the key stakeholders that organizations should be considering in such an assessment.

[Chart: key reputation stakeholders, from The Reputation Risk Handbook]

The bottom line is this: flying without a reputation risk net is tantamount to hoping for the best in a world full of challenges, risks, threats and (lost) opportunities. Adopting such a framework, in turn, provides the resilience needed for long-term survival and even out-performance as risks are managed and new opportunities are identified on the way to effectively managing reputation risk.

With these themes in mind, let’s take a look at the five keys to successful ongoing board reputation risk oversight.

A Five Point Reputation Risk Governance Blueprint

Below is what I would consider to be the five key tasks of a board intent on overseeing reputation risk and opportunity effectively for their company:

  1. As an Amplifier and Strategic Risk, Reputation Risk should be on the Board Agenda Regularly. Reputation risk does not occur in isolation but in relation to other underlying risks. As such, reputation risk must be on every board agenda together with strategic and enterprise risk oversight.
  2. Boards Must Oversee Effective Enterprise Risk Management (ERM). Reputation risk cannot be properly understood, managed or supervised without robust underlying ERM that identifies all risks and allows related reputation risk to be properly gauged.
  3. The Board Must Know Who the Company’s Key Stakeholders Are. Why? Because every stakeholder has expectations of a company’s behaviors and results both financial and non-financial. If and when those expectations are not met, both qualitative and quantitative consequences will follow, most of them negative. The reverse is true as well: the better an organization understands, nurtures and tends to its principal stakeholders, the better off that organization will be when and if crises occur, with both qualitative and quantitative consequences, most of them neutral or positive.
  4. A Cross-Disciplinary Team of Company Experts Should Manage Reputation Risk. And it is up to the Board to understand from such experts – from the chief risk officer and head of public relations and communications to the general counsel and the audit executive. They are best prepared to understand the reputation risk of the company if they prepare accordingly. That team must also be synchronized with a proper and effective crisis management program.
  5. Reputation Risk is Directly Connected to Corporate Resilience, Opportunity & Value Creation. It is the board’s role to ensure that the company and its management develop and implement resilience measures to counteract and mitigate material risk and to take advantage of risk opportunity – reputation risk oversight is a critical part of this process. The more prepared an organization is for its risks, the greater chance it will have to successfully manage the risk, associated crises and value opportunities.

For more information and case studies, readers should go to the thought leadership page of the GEC Risk Advisory website.


Dr. Andrea Bonime-Blanc is CEO and founder of GEC Risk Advisory and a global governance, risk and value creation strategist. Her firm specializes in governance, risk, ethics, compliance, corporate responsibility, reputation and crisis advice to the private, public, governmental and non-profit sectors worldwide. She is author of The Reputation Risk Handbook and Emerging Practices in Cyber-Risk Governance and has been consistently recognized by Ethisphere as one of the “100 Most Influential People in Business Ethics.” In 2017, she was appointed Ethics Advisor to the Financial Oversight and Management Board of Puerto Rico, created by the U.S. Congress to oversee the restructuring of the Puerto Rican economy. She tweets @GlobalEthicist and writes the Risk2Value Blog.

The views and opinions expressed herein are the views and opinions of the author at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.



In the News
U.S. Supreme Court to Review Scope of Dodd-Frank Whistleblower Protections
Publication Date: June 27, 2017

The U.S. Supreme Court agreed on Monday to consider whether corporate insiders who blow the whistle on their employers are shielded from retaliation if they only report alleged misconduct internally rather than to the Securities and Exchange Commission. The Justices will hear Digital Realty Trust Inc's appeal of a lower court ruling in favor of Paul Somers, an executive fired by the San Francisco-based company after he complained internally about alleged misconduct by his supervisor but never reported the matter to the Securities and Exchange Commission. If the Supreme Court ultimately sides with the company, then it could force corporate whistleblowers to report wrongdoing to the SEC in order to be protected from retaliation. The Court will hear the case during the next term that starts in October.


SEC Emphasizes Role of Audit Committee in New Developments and Continuing Trends in Auditor Oversight
Publication Date: June 21, 2017

A recent speech by the SEC Chief Accountant provided guidance for audit committees on several key areas of responsibilities, including with respect to new accounting standards, and on perennial issues of auditor evaluation and independence.


Read the speech >>

House Approves Financial CHOICE Act
Publication Date: June 12, 2017

The U.S. House of Representatives passed the Financial CHOICE Act, legislation designed to replace certain provisions of the Dodd-Frank Act, including some public company disclosure and governance requirements. Specifically, the CHOICE Act would repeal disclosure requirements related to conflict minerals, extractive industries, and mine safety. It would also require registration of Proxy Advisory Firms and require those firms to manage their conflicts and provide public companies with a reasonable opportunity to comment on draft recommendations. The CHOICE Act also would require the SEC to revise its shareholder proposal rules, including so that a shareholder must hold at least 1% of the company's voting shares for three years before the shareholder can include a proposal on a company's proxy. It is unclear whether the Senate will consider the bill.


PCAOB makes major changes to auditor's report
Publication Date: June 8, 2017

On June 1, 2017, the Public Company Accounting Oversight Board adopted a new auditor reporting standard that includes the communication of critical audit matters (CAMs). The standard requires the communication in the auditor's report of CAMs that involved "especially challenging, subjective, or complex auditor judgment and how the auditor responded to these matters." The standard will significantly expand the auditor's report to include CAMs as well as additional information, such as auditor tenure and a statement of independence, which the PCAOB believes will be useful for investors and other financial statement users. The new format is proposed to be effective for audits of fiscal years ending on or after December 15, 2017. Provisions related to CAMs would be effective for audits for fiscal years ending on or after June 30, 2019 for large accelerated filers, and December 15, 2020 for all other companies. The new standard is subject to SEC approval, following a notice and comment process.

Read the PCAOB's Press Release >>

WEBINAR RE-PLAY: A Conversation with PCAOB, BDO and Grant Thornton
Publication Date: June 8, 2017

Nasdaq hosted a web seminar with representatives from the PCAOB, BDO USA and Grant Thornton to discuss the PCAOB resources available for public companies on June 7.

Listen to the Re-Play Here >>

House Democrats Ask SEC to Improve Corporate Board Diversity Disclosures
Publication Date: May 30, 2017

A group of 29 Democrats recently wrote to SEC Chair Jay Clayton urging him to require enhanced disclosure regarding public company boards’ racial, ethnic, and gender composition. The letter notes that the existing requirements do not define “diversity” and give companies too much discretion on what they report. The letter also highlighted a recommendation of the SEC’s Advisory Committee on Small and Emerging Companies that the SEC require companies to include specific disclosures about the self-identified race, gender, and ethnicity of their board members and nominees.

Read more from Congressman Gregory Meeks >>

Reporting Annual Meeting Results
Publication Date: May 22, 2017

Annual meeting season is in full swing, which means public companies must report the results of voting at their meetings. Gibson Dunn’s Securities Regulation and Corporate Governance Monitor provides the top five reminders for these reports, including that they must be filed on a Form 8-K four business days after the annual meeting, with day one starting the day after the date on which the shareholder meeting ends. Another tip is a reminder that if the company holds a “say on frequency” vote, it must disclose (or amend the Form 8-K to disclose) the company’s decision as to how often the company plans to conduct future say on pay votes. Companies must also update the Form 8-K cover page to reflect recent changes and pay attention to the appropriate voting standard and how votes are reported.

