A complete guide to the governance of public, private and not-for-profit corporations for directors | Richard Leblanc


Here, as a preview, is an overview of the first edition of Richard Leblanc's book, to be published by Wiley (available in May 2016).

I am often asked for references to an essential volume on governance. Here is one, 450 pages long, that I highly recommend!

You can pre-order it on the Amazon.com site.

I have reproduced below the book description as it appears on the Amazon site.

The Handbook of Board Governance: A Comprehensive Guide for Public, Private and Not for Profit Board Members


Build a more effective board with insight from the forefront of corporate governance

The Handbook of Board Governance provides comprehensive, expert-led coverage of all aspects of corporate governance for public, nonprofit, and private boards. Written by collaboration among subject matter experts, this book combines academic rigor and practitioner experience to provide thorough guidance and deep insight. From diversity, effectiveness, and responsibilities, to compensation, succession planning, and financial literacy, the topics are at once broad-ranging and highly relevant to current and aspiring directors. The coverage applies to governance at public companies, private and small or medium companies, state-owned enterprises, family owned organizations, and more, to ensure complete and clear guidance on a diverse range of issues. An all-star contributor list including Ram Charan, Bob Monks, Neil Minow, and David Nadler, among others, gives you the insight of thought leaders in the areas relevant to your organization.

A well-functioning board is essential to an organization’s achievement. Whether the goal is furthering a mission or dominating a market, the board’s composition, strategy, and practices are a determining factor in the organization’s ultimate success. This guide provides the information essential to building a board that works.

  1. Delve into the board’s strategic role in value creation
  2. Gain useful insight into compensation, risk, accountability, legal obligations
  3. Understand the many competencies required of an effective director
  4. Get up to speed on blind spots, trendspotting, and social media in the board room


The board is responsible for a vast and varied collection of duties, but the singular mission is to push the organization forward. Poor organization, one-sided composition, inefficient practices, and ineffective oversight detract from that mission, but all can be avoided. The Handbook of Board Governance provides practical guidance and expert insight relevant to board members across the spectrum.

The ten (10) most-read governance posts on my blog in 2015


Here is a list of the most popular governance posts published on my blog in 2015.

This list is, in a way, a survey of the interest shown by tens of thousands of people in various corporate governance topics. It contains well-supported viewpoints on current issues relating to boards of directors.

The ten (10) most-read articles on the governance blog were the subject of more than 10,000 visits.

What is found on this blog and what are its objectives?

This blog takes stock of the most relevant and recent documents on corporate governance. The selection of posts is the result of diligent monitoring of journal articles, blogs and websites in the field of governance, of scientific and professional publications, and of studies and other reports on corporate governance in Canada and in other countries, notably the United States, the United Kingdom, France, Europe and Australia.

I choose from among all the recent and relevant publications and briefly comment on each one. The objective of this blog is to be the reference for governance documentation in the French-speaking world, providing the reader with a wealth of up-to-date information (the posts) as well as a simple, easy-to-use search tool to catalogue publications according to the most relevant categories.

Some statistics about the Gouvernance | Jacques Grisé blog

This blog was launched on July 15, 2011 and, to date, has received more than 170,000 visitors. The blog has grown quite remarkably and, as of December 31, 2015, it was being visited by thousands of visitors per month. Since the beginning, I have worked on publishing 1,305 posts.

In 2016, I estimate that around 5,000 people per month will visit the blog to learn about various governance questions. At that rate, one can expect around 60,000 people to visit the blog site in 2016.

Note that 44% of posts are shared via LinkedIn and 45% via various search engines. The other social networks (Twitter, Facebook and Tumblr) share the remaining 11% of referrals.

Here is an overview of the number of visitors by country:

  1. Canada (64%)
  2. France, Switzerland, Belgium (20%)
  3. Maghreb (Morocco, Tunisia, Algeria) (5%)
  4. Other European Union countries (3%)
  5. United States (3%)
  6. Other countries of origin (5%)

In 2014, the Gouvernance | Jacques Grisé blog was entered in two separate categories of the Canadian Made in Blog (MiB Awards) competition: Business, and Marketing and social media. The blog was selected among the ten (10) finalists nationwide in each of these categories, the only governance blog to be so. There was no competition in 2015.

Your comments are always greatly appreciated. I always reply to them.

N.B. You can subscribe or search by going to the bottom of this page.

Enjoy the read!

Here are the 2015 Top 10 from the governance blog at www.jacquesgrisegouvernance.com


  1. A complete document on the principles of ethics and sound governance in charitable organizations
  2. Governance guides for NPOs: Questions and answers
  3. You sit on a board of directors | how to behave properly?
  4. What to do with a "toxic" board member?
  5. THE ROLE OF THE CHAIR OF THE BOARD OF DIRECTORS (PCA) | THE CASE OF THE CÉGEPS
  6. In praise of the CEO's (PCD) trust in his board
  7. The role of the executive committee versus the role of the board of directors
  8. Taking on a new position? Congratulations, but be careful!
  9. The 10 most important concerns of boards in 2015
  10. What managerial qualities are boards looking for | Interview with the CEO of Korn/Ferry

Happy holidays!

Top board priorities for 2016 | EY


Today I present the five board priorities for 2016, as identified by Ruby Sharma and Ann Yerger of the Ernst & Young Center for Board Matters.

Once again, the authors invite directors to take the lead and be proactive in implementing long-term strategies to meet these challenges.

I am very pleased that we are talking about 5 priorities rather than 10 or 15, because in those cases the word "priorities" no longer means anything! The text that follows outlines each of these priorities. I therefore invite you to refer to it.

  1. The first priority is to examine the composition of the board, assess its effectiveness and consider its renewal.
  2. The second priority is to question the relationships between investors and stakeholders. Communication with shareholders is increasingly a board responsibility, as investors are called on to play a predominant role in corporate governance.
  3. The third priority for the board is to make sure the organization is adequately prepared to react to situations that could compromise cybersecurity.
  4. The fourth priority is to properly oversee the nature and magnitude of the risks the organization runs.
  5. Finally, the fifth priority is to make sure the company has a good talent management system and that its risks in this respect are minimized.

Enjoy the read! Happy holidays.


Top Board Priorities for 2016


Board effectiveness, composition and refreshment

It is a recurring question for directors and their organizations—how do good boards become great? Improving board effectiveness, making sure boards maintain the right combination of skills and experience, and enhancing transparency and accountability will characterize exceptional boards in 2016. Performing robust and thoughtful board self-assessments, with consideration of peer and individual director evaluations, will be critical for board effectiveness.


Effective boards will balance the viewpoints of tenured directors with the fresh perspectives of new members. These boards will make certain that the appropriate breadth of industry expertise is represented in the boardroom and that the composition of the board reflects the increasing convergence of sectors. Boards will seek directors with a greater diversity of knowledge and experience in order to match boardroom talents with evolving business strategies reflective of the interconnected global economic environment and technological and demographic changes.

We recently found that among Fortune 100 companies with retirement-age policies, 19% of directorships are held by individuals within five years of reaching the board’s designated retirement age. [1] Since a significant number of directors are currently approaching retirement, boards will have an opportunity to review their oversight needs and engage in strategic director succession planning in the coming year.

Investor and stakeholder engagement

The day of the passive investor is behind us. Investors around the globe are increasingly asking tough questions on the issues that matter most to them. They want to understand the board’s role in the oversight of enterprise risk, including emerging risks, strategy and execution. They want to know if boards are robustly evaluating their own performance and confirming that the right portfolio of skill sets aligned with company strategies are represented in the boardroom.

Investors will continue to seek meaningful communications and engagement with board leadership and committee chairs on issues such as company strategy, board composition (including diversity), director tenure, succession planning and executive compensation.

As a result, effective communication is emerging as a growing responsibility of corporate directors. Boards will focus on shareholder communication plans to ensure first, that required filings are not merely “compliance” documents but effective communication tools, and second, that designated directors are fully prepared to engage directly with investors on appropriate governance matters such as oversight of strategy, disclosure effectiveness and board refreshment processes.

Cybersecurity

The advent of new technologies and an ecosystem of digital interconnectedness significantly increase an organization’s exposure to theft of its most valuable assets, which include confidential customer data and vital information such as intellectual property and strategic blueprints. Preparedness is the first line of defense. Yet only 7% of organizations claim to have a robust incident response program that includes third parties and law enforcement and is integrated with their broader threat and vulnerability management function. [2]

The emphasis for boards will be to make sure that companies are shoring up critical infrastructure, enhancing crisis response and mapping a strategy that emphasizes a good balance of preventive and responsive tactics. This means being able to efficiently guide an organization through the layers of risks and threats, and boards should appropriately set the risk appetite and be prepared to swing into decisive action to handle any incidents.

Boards accept that the risk of a cyber breach needs to be continually managed, and adequate preparation that enables an organization to get back up and running quickly following an attack will be a key consideration for boards.

Knowing where the vulnerabilities lie is vital. Boards will continue to confirm that companies have a system and backup plan that facilitates data migration in a crisis. They will also need to make sure that their organizations firm up relationships with federal investigating authorities, who can move swiftly in response to attacks and minimize exposure and damage.

Oversight of ERM

As boards continue to focus on their roles in long-term value creation, effective oversight of ERM will be high on their agendas. Oversight of ERM will comprise operational, financial, strategic, compliance and reputational risks.

Board oversight will entail setting the “tone at the top” by promoting, assessing and monitoring risk culture and appetite.

Oversight of talent risk management

Boards recognize the crucial role they play in human capital matters as they relate to overseeing the management of three key risks: culture, talent and strategy. The business reason is compelling since talent and culture are arguably the biggest drivers of innovation, growth and the ability to outperform the competition. In recent conversations we have had with board directors, three out of four said that human capital strategy will be one of the top emerging risks that boards will face in 2016.

Boards will play an important role in ensuring that leadership stays focused on building the right talent strategy. Boards will focus on how to prepare for generational transitions in their organizations and anticipate the changing dynamics at the boardroom and management levels. As new and complex opportunities and risks emerge with evolving strategies and growth markets, having the right people to execute on strategies is an important imperative for success.

For many boards, talent management remains a big challenge. Failure to understand and mitigate human capital risks and complexities will impact strategy and value creation.

Endnotes:

[1] “Five-year outlook: nearly 20% of directors poised for board exit,” Ernst & Young LLP, August 2015, (discussed on the Forum here).

[2] “Creating trust in

Ruby Sharma is a principal and Ann Yerger is an executive director at the EY Center for Board Matters at Ernst & Young LLP. The following post is based on a report from the EY Center for Board Matters, available here.


Reminder | What every corporate director should know about cloud security


This article is based on a research report by Paul A. Ferrillo, counsel at Weil, Gotshal & Manges, and by Dave Burg and Aaron Philipp of PricewaterhouseCoopers. The authors present a conceptualization of the cloud computing factors that affect companies, and in particular the behaviour of their directors.

The article gives a definition of the cloud computing phenomenon and shows how boards of directors are challenged by the risks that cyber attacks may pose. In fact, the most interesting part of the article is a better understanding of what the authors call "Cloud Cyber Governance".

The article proposes several critical questions that directors should put to company management.

Below you will find the highlights of this article, which should interest directors concerned with the security aspects of cloud operations.

Enjoy the read!


Cloud Cyber Security: What Every Director Needs to Know

« There are four competing business propositions affecting most American businesses today. Think of them as four freight trains on different tracks headed for a four-way stop signal at fiber optic speed.

First, with a significant potential for cost savings, American business has adopted cloud computing as an efficient and effective way to manage countless bytes of data from remote locations at costs that would be unheard of if they were forced to store their data on hard servers. According to one report, “In September 2013, International Data Corporation predicted that, between 2013 and 2017, spending on public IT cloud computing will experience a compound annual growth of 23.5%.” Another report noted, “By 2014, cloud computing is expected to become a $150 billion industry. And for good reason—whether users are on a desktop computer or mobile device, the cloud provides instant access to data anytime, anywhere there is an Internet connection.”


The second freight train is data security. Making your enterprise’s information easier for you to access and analyze also potentially makes it easier for others to do, too. 2013 and 2014 have been the years of “the big data breach,” with millions of personal data and information records stolen by hackers. Respondents to the 2014 Global State of Information Security® Survey reported a 25% increase in detected security incidents over 2012 and a 45% increase compared to 2011. Though larger breaches at global retailers are extremely well known, what is less known is that cloud providers are not immune from attack. Witness the cyber breach against a file sharing cloud provider that was perpetrated by lax password security and which caused a spam attack on its customers. “The message is that cyber criminals, just like legitimate companies, are seeing the ‘business benefits’ of cloud services. Thus, they’re signing up for accounts and reaching sensitive files through these accounts. For the cyber criminals this only takes a run-of-the-mill knowledge level … This is the next step in a new trend … and it will only continue.”

The third freight train is the plaintiff’s litigation bar. Following cyber breach after cyber breach, they are viewing the corporate horizon as rich with opportunities to sue previously unsuspecting companies caught in the middle of a cyber disaster, with no clear way out. They see companies scrambling to contend with major breaches, investor relation delays, and loss of brand and reputation.

The last freight train running towards the intersection of cloud computing and data security is the topic of cyber governance—i.e., what directors should be doing or thinking about to protect their firm’s most critical and valuable IP assets. In our previous article, we noted that though directors are not supposed to be able to predict all potential issues when it comes to cyber security issues, they do have a basic fiduciary duty to oversee the risk management of the enterprise, which includes securing its intellectual property and trade secrets. The purpose of this article is to help directors and officers potentially avoid a freight train collision by helping the “cyber governance train” control the path and destiny of the company. We will discuss basic cloud security principles, and basic questions directors should ask when considering whether or not the data their management desires to run on a cloud-based architecture will be as safe from attack as possible. As usual when dealing with cyber security issues, there are no 100% foolproof answers. Even cloud experts disagree on cloud-based data security practices and their effectiveness. There are only good questions a board can ask to make sure it is fulfilling its duties to shareholders to protect the company’s valuable IP assets.

What is Cloud Computing/What Are Its Basic Platforms

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Cloud computing is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, and provides the opportunities for cost reduction through optimized and efficient computing. The cloud model envisages a world where components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption.”

Cloud computing is generally based upon three separate and distinct architectures that matter when considering the security of the data sitting in the particular cloud environment.

……

Cloud Cyber Governance

As shown above, what is commonly referred to as the cloud actually can mean many different things depending on the context and use. Using SaaS to manage a customer base has a vastly different set of governance criteria to using IaaS as a development environment. As such, there are very few accepted standards for properly monitoring/administering a cloud-based environment. There are many IT consultants in the cloud-based computing environment that can be consulted in that regard. Our view, however, is that directors are ultimately responsible for enterprise risk management, and that includes cyber security, a subset of which is cloud-based cyber-security. Thus it is important for directors to have a basic understanding of the risks involved in cloud-based data storage systems, and with cloud-based storage providers. Below are a few basic questions that come to mind that a director could pose to management, and the company’s CISO and CIO:

1. Where will your data be stored geographically (which may determine which laws apply to the protection of the company’s data), and in what data centers?

2. Is there any type of customer data co-mingling that could potentially expose the company data to competitors or other parties?

3. What sort of encryption does the cloud-based provider use?

4. What is the vendor’s backup and disaster recovery plan?

5. What is the vendor’s incident response and notification plan?

6. What kind of access will you have to security information on your data stored in the cloud in the event the company needs to respond to a regulatory request or internal investigation?

7. How transparent is the cloud provider’s own security posture? What sort of access can your company get to the cloud provider’s data center and personnel to make sure it is receiving what it is paying for?

8. What is the cloud servicer’s responsibility to update its security systems as technology and sophistication evolves?

9. What is the cloud provider’s ability to timely detect (i.e., continuously monitor) and respond to a security incident, and what sort of logging information is kept in order to potentially detect anomalous activity?

10. Are there any third party requirements (such as HITECH/HIPAA) that the provider needs to conform to for your industry?

11. Is the cloud service provider that is being considered already approved under the government’s FedRAMP authorization process, which pre-approves cloud service providers and their security controls?

12. Finally, does the company’s cyber liability insurance policy cover cloud-based losses, assuming there is a breach and customer records are stolen or otherwise compromised? This is a very important question to ask, especially if the company involved is going to use a cyber-insurance policy as a risk transfer mechanism. When in doubt, a knowledgeable cyber-insurance broker should be consulted to make sure cloud-based losses are covered.

High-profile breaches have proven conclusively that cybersecurity is a board issue first and foremost. Being a board member is tough work. Board members have a lot on their plate, including, first and foremost, financial reporting issues. But as high-profile breaches have shown, major cyber breaches have almost the same effect as a high profile accounting problem or restatement. They cause havoc with investors, stock prices, vendors, branding, corporate reputation and consumers. Directors should be ready to ask tough questions regarding cyber security and cloud-based security issues so they do not find themselves on the wrong end of a major data breach, either on the ground or in the cloud. »

IT risk management, a reminder | Directors must ask the right questions!


Here is a summary of an article published in the Wall Street Journal on July 21, 2015, based on a post from NACD In The News*.

Directors must be aware of the company's situation with regard to IT security. However, most directors do not really know how to go about making sure they are fulfilling their responsibilities.

The article proposes six questions that directors should ask the company's IT security team in order to better grasp the cybersecurity problem.

These questions certainly do not cover every angle, but they have the advantage of contributing to a better understanding shared by all directors.

The suggested questions are really hard-hitting:

  1. What was our most significant cybersecurity incident in the past quarter? What was our response?
  2. What was our most significant near miss? How was it discovered?
  3. How is the performance of the security team evaluated?
  4. Do you have relationships with law enforcement, such as the FBI and Interpol?
  5. Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?
  6. What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?

* Source: National Association of Corporate Directors (NACD)

Enjoy the read!

Cybersecurity: Boards Must Ask Sharper, Smarter Questions

Boards are trying to build more productive, transparent relationships with cybersecurity chiefs to decrease the risk of attack. But directors can be stymied by a lack of basic security knowledge.

New guidance from the National Association of Corporate Directors suggests asking more searching questions of chief information security officers, including how they measure their teams and technology and whether they have ongoing contacts with the Federal Bureau of Investigation and other law enforcement bodies that investigate attacks.

Former Thomson Reuters CEO Tom Glocer chairs Morgan Stanley’s technology committee. Philippe Lopez/AFP/Getty Images

The most common question directors ask of CISOs is whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management, said Phil Ferraro, a former CISO at Las Vegas Sands Corp. who now consults with boards. But that approach is simplistic, he said. “Directors don’t understand that no security is ever perfect.”

More productive are conversations about how to decrease the risk of attack and the process for managing one when it occurs, Mr. Ferraro said. For example, the NACD suggests boards continuously ask about the most significant cybersecurity incident in the prior quarter and how the security team handled it, so that the discussion may lead to better practices.

Key Questions Directors Must Ask Cybersecurity Chiefs

  1. What was our most significant cybersecurity incident in the past quarter? What was our response?
  2. What was our most significant near miss? How was it discovered?
  3. How is the performance of the security team evaluated?
  4. Do you have relationships with law enforcement, such as the FBI and Interpol?
  5. Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?
  6. What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?

Still, there is no single set of questions directors can ask to uncover all cybersecurity weak spots, said Tom Glocer, a director at Morgan Stanley and Merck & Co. Inc., and the former CEO of Thomson Reuters Corp.

“My experience is that the horribly dangerous cyber threats are the ones you don’t even know about,” said Mr. Glocer, who chairs Morgan Stanley’s board-level technology committee.

But directors should engage CISOs in continuous discussion to let management know that the board “cares and is watching,” he said. Security is a regular agenda item at Morgan Stanley board meetings, discussed boardwide and in the risk and technology committees. Morgan Stanley is one of just 15 of the Fortune 100 with a formal technology committee at the board level.

At boards less versed in technology and cybersecurity, CISOs must often first educate directors about the range of potential security problems because many members “simply don’t know,” Mr. Ferraro said.

Just 11% of board members across industries say they have a “high level” of knowledge about the topic, according to a recent NACD survey of 1,034 directors.

An important check is for CISOs to talk with board members about developing a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies, the NACD advised. “That’s something boards have got to pay attention to, because they’re on the line as much as management when something bad happens,”  Mr. Ferraro said.


An important check is for CISOs to talk with board members about developing a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies, the NACD advised. “That’s something boards have got to pay attention to, because they’re on the line as much as management when something bad happens,” Mr. Ferraro said.

Governance principles and regulations in force in OECD member countries


This morning I draw your attention to a key document from the Organisation for Economic Co-operation and Development (OECD) that presents in detail all the information on governance practices in the 34 OECD countries as well as in a number of other influential countries: Argentina, Brazil, Hong Kong, China, India, Indonesia, Lithuania, Saudi Arabia and Singapore.

The document, entitled Corporate Governance Factbook, is an indispensable information resource for understanding and comparing governance codes and regulations across jurisdictions. This is the second edition of the publication; it feeds the annual revisions to the OECD Principles of Corporate Governance, which are universally recognized governance principles.

Canada actively collaborated in sharing governance information. The report therefore presents numerous tables comparing Canada's situation with that of the other countries covered. It is a truly exceptional source of information.

The document is available in English only for now. Below you will find the reference to the document and its table of contents:

Corporate Governance Factbook

 

Introduction

The Corporate Landscape

– The ownership structure of listed companies

The Corporate Governance Framework

– The regulatory framework for corporate governance
– Cross-border application of corporate governance requirements
– The main public regulators of corporate governance
– Stock exchanges

The Rights of Shareholders and Key Ownership Functions

– Notification of general meetings and information provided to shareholders
– Shareholder rights to request a meeting and to place items on the agenda
– Shareholder voting
– Related party transactions
– Takeover bid rules
– The roles and responsibilities of institutional investors

The Corporate Board of Directors

– Basic board structure and independence
– Board-level committees
– Board nomination and election
– Board and key executive remuneration

Four major global trends that could overturn our paradigms!


Today I want to share with you a glimpse of the world our organizations will face in the future.

This excerpt from a new book by Richard Dobbs, James Manyika and Jonathan Woetzel*, all three directors of a McKinsey Global Institute group, sets out the four major forces likely to shatter existing paradigms.

The authors explain how the scale and interdependence of these changes will lead to a redefinition of our societies, and how our leaders will have to adjust to the new reality. They need to be aware of it now!

Here are the four shock trends:

1. The meteoric rise of urbanization

2. The acceleration of technological change

3. The reality of an aging population

4. A network of global interconnections

I invite you to read this short excerpt presented by the authors.

The four global forces breaking all the trends

In the Industrial Revolution of the late 18th and early 19th centuries, one new force changed everything. Today our world is undergoing an even more dramatic transition due to the confluence of four fundamental disruptive forces—any of which would rank among the greatest changes the global economy has ever seen. Compared with the Industrial Revolution, we estimate that this change is happening ten times faster and at 300 times the scale, or roughly 3,000 times the impact. Although we all know that these disruptions are happening, most of us fail to comprehend their full magnitude and the second- and third-order effects that will result. Much as waves can amplify one another, these trends are gaining strength, magnitude, and influence as they interact with, coincide with, and feed upon one another. Together, these four fundamental disruptive trends are producing monumental change.


1. Beyond Shanghai: The age of urbanization

The first trend is the shifting of the locus of economic activity and dynamism to emerging markets like China and to cities within those markets. These emerging markets are going through simultaneous industrial and urban revolutions, shifting the center of the world economy east and south at a speed never before witnessed. As recently as 2000, 95 percent of the Fortune Global 500—the world’s largest international companies including Airbus, IBM, Nestlé, Shell, and The Coca-Cola Company, to name a few—were headquartered in developed economies. By 2025, when China will be home to more large companies than either the United States or Europe, we expect nearly half of the world’s large companies—defined as those with revenue of $1 billion or more—to be headquartered in emerging markets. “Over the years, people in our headquarters, in Frankfurt, started complaining to me, ‘We don’t see you much around here anymore,’” said Josef Ackermann, the former chief executive officer of Deutsche Bank. “Well, there was a reason why: growth has moved elsewhere—to Asia, Latin America, the Middle East.”

Perhaps equally important, the locus of economic activity is shifting within these markets. The global urban population has been rising by an average of 65 million people annually during the past three decades, the equivalent of adding seven Chicagos a year, every year. Nearly half of global GDP growth between 2010 and 2025 will come from 440 cities in emerging markets—95 percent of them small- and medium-size cities that many Western executives may not even have heard of and couldn’t point to on a map. (For more, see Urban world: Cities and the rise of the consuming class, McKinsey Global Institute, June 2012.) Yes, Mumbai, Dubai, and Shanghai are familiar. But what about Hsinchu, in northern Taiwan? Brazil’s Santa Catarina state, halfway between São Paulo and the Uruguayan border? Or Tianjin, a city that lies around 120 kilometers southeast of Beijing? In 2010, we estimated that the GDP of Tianjin was around $130 billion, making it around the same size as Stockholm, the capital of Sweden. By 2025, we estimate that the GDP of Tianjin will be around $625 billion—approximately that of all of Sweden.

2. The tip of the iceberg: Accelerating technological change

The second disruptive force is the acceleration in the scope, scale, and economic impact of technology. Technology—from the printing press to the steam engine and the Internet—has always been a great force in overturning the status quo. The difference today is the sheer ubiquity of technology in our lives and the speed of change. It took more than 50 years after the telephone was invented until half of American homes had one. It took radio 38 years to attract 50 million listeners. But Facebook attracted 6 million users in its first year and that number multiplied 100 times over the next five years. China’s mobile text- and voice-messaging service WeChat has 300 million users, more than the entire adult population of the United States. Accelerated adoption invites accelerated innovation. In 2009, two years after the iPhone’s launch, developers had created around 150,000 applications. By 2014, that number had hit 1.2 million, and users had downloaded more than 75 billion total apps, more than ten for every person on the planet. As fast as innovation has multiplied and spread in recent years, it is poised to change and grow at an exponential speed beyond the power of human intuition to anticipate.

Processing power and connectivity are only part of the story. Their impact is multiplied by the concomitant data revolution, which places unprecedented amounts of information in the hands of consumers and businesses alike, and the proliferation of technology-enabled business models, from online retail platforms like Alibaba to car-hailing apps like Uber. Thanks to these mutually amplifying forces, more and more people will enjoy a golden age of gadgetry, of instant communication, and of apparently boundless information. Technology offers the promise of economic progress for billions in emerging economies at a speed that would have been unimaginable without the mobile Internet. Twenty years ago, less than 3 percent of the world’s population had a mobile phone; now two-thirds of the world’s population has one, and one-third of all humans are able to communicate on the Internet. (See “Smartphone Users Worldwide Will Total 1.75 Billion in 2014,” eMarketer, January 16, 2014, emarketer.com; and The state of broadband 2012: Achieving digital inclusion for all, Broadband Commission, September 2012, broadbandcommission.org.) Technology allows businesses such as WhatsApp to start and gain scale with stunning speed while using little capital. Entrepreneurs and start-ups now frequently enjoy advantages over large, established businesses. The furious pace of technological adoption and innovation is shortening the life cycle of companies and forcing executives to make decisions and commit resources much more quickly.

3. Getting old isn’t what it used to be: Responding to the challenges of an aging world

The human population is getting older. Fertility is falling, and the world’s population is graying dramatically. While aging has been evident in developed economies for some time—Japan and Russia have seen their populations decline over the past few years—the demographic deficit is now spreading to China and soon will reach Latin America. For the first time in human history, aging could mean that the planet’s population will plateau in most of the world. Thirty years ago, only a small share of the global population lived in the few countries with fertility rates substantially below those needed to replace each generation—2.1 children per woman. But by 2013, about 60 percent of the world’s population lived in countries with fertility rates below the replacement rate. This is a sea change. The European Commission expects that by 2060, Germany’s population will shrink by one-fifth, and the number of people of working age will fall from 54 million in 2010 to 36 million in 2060, a level that is forecast to be less than France’s. China’s labor force peaked in 2012, due to income-driven demographic trends. In Thailand, the fertility rate has fallen from 5 in the 1970s to 1.4 today. A smaller workforce will place a greater onus on productivity for driving growth and may cause us to rethink the economy’s potential. Caring for large numbers of elderly people will put severe pressure on government finances.

4. Trade, people, finance, and data: Greater global connections

The final disruptive force is the degree to which the world is much more connected through trade and through movements in capital, people, and information (data and communication)—what we call “flows.” Trade and finance have long been part of the globalization story but, in recent decades, there’s been a significant shift. Instead of a series of lines connecting major trading hubs in Europe and North America, the global trading system has expanded into a complex, intricate, sprawling web. Asia is becoming the world’s largest trading region. “South–south” flows between emerging markets have doubled their share of global trade over the past decade. The volume of trade between China and Africa rose from $9 billion in 2000 to $211 billion in 2012. Global capital flows expanded 25 times between 1980 and 2007. More than one billion people crossed borders in 2009, over five times the number in 1980. These three types of connections all paused during the global recession of 2008 and have recovered only slowly since. But the links forged by technology have marched on uninterrupted and with increasing speed, ushering in a dynamic new phase of globalization, creating unmatched opportunities, and fomenting unexpected volatility.

Resetting intuition

These four disruptions gathered pace, grew in scale, and started collectively to have a material impact on the world economy around the turn of the 21st century. Today, they are disrupting long-established patterns in virtually every market and every sector of the world economy—indeed, in every aspect of our lives. Everywhere we look, they are causing trends to break down, to break up, or simply to break. The fact that all four are happening at the same time means that our world is changing radically from the one in which many of us grew up, prospered, and formed the intuitions that are so vital to our decision making.

This can play havoc with forecasts and pro forma plans that were made simply by extrapolating recent experience into the near and distant future. Many of the assumptions, tendencies, and habits that had long proved so reliable have suddenly lost much of their resonance. We’ve never had more data and advice at our fingertips—literally. The iPhone or the Samsung Galaxy contains far more information and processing power than the original supercomputer. Yet we work in a world in which even, perhaps especially, professional forecasters are routinely caught unawares. That’s partly because intuition still underpins much of our decision making.

Our intuition has been formed by a set of experiences and ideas about how things worked during a time when changes were incremental and somewhat predictable. Globalization benefited the well established and well connected, opening up new markets with relative ease. Labor markets functioned quite reliably. Resource prices fell. But that’s not how things are working now—and it’s not how they are likely to work in the future. If we look at the world through a rearview mirror and make decisions on the basis of the intuition built on our experience, we could well be wrong. In the new world, executives, policy makers, and individuals all need to scrutinize their intuitions from first principles and boldly reset them if necessary. This is especially true for organizations that have enjoyed great success.

While it is full of opportunities, this era is deeply unsettling. And there is a great deal of work to be done. We need to realize that much of what we think we know about how the world works is wrong; to get a handle on the disruptive forces transforming the global economy; to identify the long-standing trends that are breaking; to develop the courage and foresight to clear the intellectual decks and prepare to respond. These lessons apply as much to policy makers as to business executives, and the process of resetting your internal navigation system can’t begin soon enough.

There is an urgent imperative to adjust to these new realities. Yet, for all the ingenuity, inventiveness, and imagination of the human race, we tend to be slow to adapt to change. There is a powerful human tendency to want the future to look much like the recent past. On these shoals, huge corporate vessels have repeatedly foundered. Revisiting our assumptions about the world we live in—and doing nothing—will leave many of us highly vulnerable. Gaining a clear-eyed perspective on how to negotiate the changing landscape will help us prepare to succeed.

____________________________________

Richard Dobbs is a director of the McKinsey Global Institute and a director in McKinsey’s London office, James Manyika is a director of the McKinsey Global Institute and a director in the San Francisco office, and Jonathan Woetzel is a director of the McKinsey Global Institute and a director in the Shanghai office.

This article is an edited excerpt from No Ordinary Disruption: The Four Global Forces Breaking All the Trends, to be published on May 12 by PublicAffairs. To learn more about it and preorder copies, please visit Amazon, Barnes & Noble, or other leading bookstores.

What every corporate director should know about cloud security | Reminder


This article is based on a research report by Paul A. Ferrillo, counsel at Weil, Gotshal & Manges, and by Dave Burg and Aaron Philipp of PricewaterhouseCoopers. The authors present a conceptualization of the cloud computing factors that affect companies, and in particular the behaviour of their directors.

The article defines the cloud phenomenon and shows how boards of directors are challenged by the risks that cyber-attacks can pose. In fact, the most interesting part of the article is its treatment of what the authors call “Cloud Cyber Governance”.

The article proposes several critical questions that directors should put to the company's management.

Below are the highlights of this article, which should interest directors concerned with the security aspects of cloud operations.

Happy reading!

 

Cloud Cyber Security: What Every Director Needs to Know

« There are four competing business propositions affecting most American businesses today. Think of them as four freight trains on different tracks headed for a four-way stop signal at fiber optic speed.

First, with a significant potential for cost savings, American business has adopted cloud computing as an efficient and effective way to manage countless bytes of data from remote locations at costs that would be unheard of if they were forced to store their data on hard servers. According to one report, “In September 2013, International Data Corporation predicted that, between 2013 and 2017, spending on public IT cloud computing will experience a compound annual growth of 23.5%.” Another report noted, “By 2014, cloud computing is expected to become a $150 billion industry. And for good reason—whether users are on a desktop computer or mobile device, the cloud provides instant access to data anytime, anywhere there is an Internet connection.”


The second freight train is data security. Making your enterprise’s information easier for you to access and analyze also potentially makes it easier for others to do, too. 2013 and 2014 have been the years of “the big data breach,” with millions of personal data and information records stolen by hackers. Respondents to the 2014 Global State of Information Security® Survey reported a 25% increase in detected security incidents over 2012 and a 45% increase compared to 2011. Though larger breaches at global retailers are extremely well known, what is less known is that cloud providers are not immune from attack. Witness the cyber breach against a file sharing cloud provider that was perpetrated by lax password security and which caused a spam attack on its customers. “The message is that cyber criminals, just like legitimate companies, are seeing the ‘business benefits’ of cloud services. Thus, they’re signing up for accounts and reaching sensitive files through these accounts. For the cyber criminals this only takes a run-of-the-mill knowledge level … This is the next step in a new trend … and it will only continue.”

The third freight train is the plaintiff’s litigation bar. Following cyber breach after cyber breach, they are viewing the corporate horizon as rich with opportunities to sue previously unsuspecting companies caught in the middle of a cyber disaster, with no clear way out. They see companies scrambling to contend with major breaches, investor relation delays, and loss of brand and reputation.

The last freight train running towards the intersection of cloud computing and data security is the topic of cyber governance—i.e., what directors should be doing or thinking about to protect their firm’s most critical and valuable IP assets. In our previous article, we noted that though directors are not supposed to be able to predict all potential issues when it comes to cyber security issues, they do have a basic fiduciary duty to oversee the risk management of the enterprise, which includes securing its intellectual property and trade secrets. The purpose of this article is to help directors and officers potentially avoid a freight train collision by helping the “cyber governance train” control the path and destiny of the company. We will discuss basic cloud security principles, and basic questions directors should ask when considering whether or not the data their management desires to run on a cloud-based architecture will be as safe from attack as possible. As usual when dealing with cyber security issues, there are no 100% foolproof answers. Even cloud experts disagree on cloud-based data security practices and their effectiveness. There are only good questions a board can ask to make sure it is fulfilling its duties to shareholders to protect the company’s valuable IP assets.

What is Cloud Computing/What Are Its Basic Platforms

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Cloud computing is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, and provides the opportunities for cost reduction through optimized and efficient computing. The cloud model envisages a world where components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption.”

Cloud computing is generally based upon three separate and distinct architectures that matter when considering the security of the data sitting in the particular cloud environment.

……

Cloud Cyber Governance

As shown above, what is commonly referred to as the cloud actually can mean many different things depending on the context and use. Using SaaS to manage a customer base has a vastly different set of governance criteria to using IaaS as a development environment. As such, there are very few accepted standards for properly monitoring/administering a cloud-based environment. There are many IT consultants in the cloud-based computing environment that can be consulted in that regard. Our view, however, is that directors are ultimately responsible for enterprise risk management, and that includes cyber security, a subset of which is cloud-based cyber-security. Thus it is important for directors to have a basic understanding of the risks involved in cloud-based data storage systems, and with cloud-based storage providers. Below are a few basic questions that come to mind that a director could pose to management, and the company’s CISO and CIO:

1. Where will your data be stored geographically (which may determine which laws apply to the protection of the company’s data), and in what data centers?

2. Is there any type of customer data co-mingling that could potentially expose the company data to competitors or other parties?

3. What sort of encryption does the cloud-based provider use?

4. What is the vendor’s backup and disaster recovery plan?

5. What is the vendor’s incident response and notification plan?

6. What kind of access will you have to security information on your data stored in the cloud in the event the company needs to respond to a regulatory request or internal investigation?

7. How transparent is the cloud provider’s own security posture? What sort of access can your company get to the cloud provider’s data center and personnel to make sure it is receiving what it is paying for?

8. What is the cloud servicer’s responsibility to update its security systems as technology and sophistication evolves?

9. What is the cloud provider’s ability to timely detect (i.e., continuously monitor) and respond to a security incident, and what sort of logging information is kept in order to potentially detect anomalous activity?

10. Are there any third party requirements (such as HITECH/HIPAA) that the provider needs to conform to for your industry?

11. Is the cloud service provider that is being considered already approved under the government’s FedRamp authorization process, which pre-approves cloud service providers and their security controls?

12. Finally, does the company’s cyber insurance liability policy cover cloud-based losses assuming there is a breach and customer records are stolen or otherwise compromised? This is a very important question to ask, especially if the company involved is going to use a cyber-insurance policy as a risk transfer mechanism. When in doubt, a knowledgeable cyber-insurance broker should be consulted to make sure cloud-based losses are covered.

High-profile breaches have proven conclusively that cybersecurity is a board issue first and foremost. Being a board member is tough work. Board members have a lot on their plate, including, first and foremost, financial reporting issues. But as high-profile breaches have shown, major cyber breaches have almost the same effect as a high profile accounting problem or restatement. They cause havoc with investors, stock prices, vendors, branding, corporate reputation and consumers. Directors should be ready to ask tough questions regarding cyber security and cloud-based security issues so they do not find themselves on the wrong end of a major data breach, either on the ground or in the cloud. »

The audit committee's contribution to strategy | KPMG


How does the audit committee contribute to the company's strategy?

That is the subject addressed by Laurent Giguère, Audit partner at KPMG, in this excellent article, which I recommend you read.

Here is the question that gave rise to the article:

Over the past decade, the audit committee has focused mainly on compliance, governance and various approval matters. However, in most cases, today's audit committees have established rigorous oversight frameworks that allow less time to be spent on monitoring. Does this give audit committees an opportunity to look at new areas? That is the question. Given the evolving role of the audit committee in risk oversight, are there new areas in which the audit committee can improve the quality of oversight?

Below is an excerpt from the article dealing with the means used to obtain the right information.

I invite you to read this short article.

Happy reading!

The audit committee's contribution to strategy | KPMG

The audit committee's strategic effectiveness depends, to some extent, on its ability to understand the organization's key performance indicators, and on whether those indicators are consistent with and support the overall strategic objectives. Because the audit committee has recently focused on overseeing financial reporting, it may not have invested as much in this area as it otherwise would have.


However, the audit committee now has the opportunity to improve the “financial dialogue” between the board of directors and management about how management systems assess performance. Audit committees also further this goal by making greater efforts to have operational experts help them better understand the business itself and identify the most effective key performance indicators.

Given these challenges and the considerable stakes surrounding financial risk, audit committees appear to be uniquely qualified to discuss certain questions, including the following:

  1. What quantified performance objectives must we assess?
  2. How can we monitor them going forward?
  3. What controls are in place?
  4. How robust are our systems and controls?
  5. Do our systems allow us to measure these key performance indicators?
  6. Do we regularly review the key performance indicators to determine their relevance?
  7. Do we conduct a retrospective review of the results achieved against the objectives set in the three- or five-year plans?
  8. Can we achieve an optimal mix of financial and operational expertise so as to address concerns comprehensively?
  9. Should we call on external experts to broaden the discussion?
  10. Should we draw on the operational knowledge of board members who are not on the audit committee?

Guide to directors' responsibilities in Canada


Here is an excellent guide to the responsibilities and obligations of corporate directors in Canada, produced by Osler.

You can watch the video (in French) produced by Osler by clicking on the following link: Responsabilités des administrateurs au Canada

The written version, presented below, is in English (the French version will be available soon).

Happy reading!

Directors’ Responsibilities in Canada | Osler

The guide Directors’ Responsibilities in Canada, a collaboration between Osler and the Institute of Corporate Directors, is a key reference tool that every director needs in order to understand best governance practices and to discharge their responsibilities in the current context of constantly evolving business trends and market changes.

Le guide couvre :

  1. les devoirs et l’obligation de rendre compte des administrateurs, et le rôle des actionnaires DirectorsResponsibilities-LGthumb-F
  2. les questions de gouvernance, y compris les conflits d’intérêts des administrateurs, les lois sur les valeurs mobilières et les exigences des marchés boursiers
  3. les obligations d’information des sociétés ouvertes
  4. les questions de financement, de marchés des capitaux et d’offres publiques d’achat
  5. les responsabilités imposées par la loi, y compris les opérations d’initiés, la législation sur l’environnement et les questions d’ordre fiscal
  6. la responsabilité pour les infractions en vertu des lois sur les sociétés
  7. la gestion du risque

 

Register to receive a copy by clicking the link below. It will be emailed to you as soon as it is published.

Request a copy-French

 

Training video on corporate governance trends in Canada and the United States | Produced by the CAS


Recently, the Collège des administrateurs de sociétés (CAS) responded to a request from ecoDa (The European Confederation of Directors Associations) to produce a training video on corporate governance trends in Canada and the United States. ecoDa will show the video at each offering of its course “New Governance Challenges for Board Members in Europe”, taught in class in Brussels, Belgium, where ecoDa is headquartered.

The assignment was successfully completed thanks to the contribution of Gilles Bernier, director of programs at the CAS, who brought together Ms. Alexandra Lajoux, Chief Knowledge Officer of the National Association of Corporate Directors (NACD) in the United States, and Mr. Chris Bart, Founder and Lead Faculty of the Directors College in Ontario.

 

Entitled “Where is Corporate Governance Going: The View from Canada and the USA”, this training video aims to make participants aware of how governance practices are evolving outside Europe.

Over its 20-minute running time, the invited experts discuss the following topics:

(1) the board’s role with respect to strategy and risk

(2) regulation and investor-related issues

(3) new trends in IT governance and in the governance of the major companies operating in the technology sector

(4) the importance of talent and diversity on boards, as well as the importance of director education.

The video (in English) is available on the YouTube | CASulaval page.

Enjoy the video!

 


Governance trends and the board of the future | PwC’s 2014 Annual Corporate Directors Survey


PwC’s document gives a clear account of the main governance trends for the coming years. The PwC site also presents the individual chapters of the report.

Here is a summary of the sample of companies surveyed, followed by a recap of the 12 trends observed. You will find many points in common with the article I published in the newspaper Les Affaires: Gouvernance : 12 tendances à surveiller

Enjoy!

In the summer of 2014, 863 public company directors responded to our survey. Of those directors, 70% serve on the boards of companies with more than $1 billion in annual revenue, and participants represented nearly two dozen industries. In PwC’s 2014 Annual Corporate Directors Survey, directors share their views on governance trends that we believe will impact the board of the future, including: board performance and diversity, board priorities and practices, IT and cybersecurity oversight, strategy and risk oversight, and executive compensation and director communications.

Trends shaping governance and the board of the future | PwC’s 2014 Annual Corporate Directors Survey

Board performance takes center stage

 Many boards are giving even more attention to enhancing their own performance and acting on issues identified in their self-assessments.

 

Board composition is scrutinized

Board composition is under pressure to evolve to meet new business challenges and stakeholder expectations. Today’s directors are more focused than ever on ensuring their boards have the right expertise and experience to be effective.

 

Board diversity gets attention

Stakeholders are more interested in board diversity, and boards are increasingly focused on recruiting directors with diversity of background and experience.

 

More pressure on board priorities and practices

Director performance continues to face scrutiny from investors, regulators, and other stakeholders, causing board practices to remain in the spotlight.

 

Activist shareholders get active

With over $100 billion in assets under activist management, more directors are discussing how to deal with potential activist campaigns.

 

The influence of emerging IT grows

Companies and directors increasingly see IT as inextricably wed to corporate strategy and the company’s business. IT is now a business issue, not just a technology issue.

 

Increased concerns about the Achilles’ heel of IT—cybersecurity

Cybersecurity breaches are regularly and prominently in the news. And directors are searching for answers on how to provide effective oversight in this area.

 

It’s still all about risk management

Risk management is a top priority for investors, and they have high expectations of boards in this regard.

 

Investors question company strategies

Effective oversight requires that the board receive the right information from management to effectively address key elements of strategy.

 

Executive compensation remains a hot topic

Boards are devoting even more time and attention to the critical issue of appropriate compensation.

 

Stakeholders are showing continuing interest in how proxy advisory firms operate.

The interest of stakeholders in the proxy advisory industry is a key trend.

 

Increasing expectations about director communications

In response, boards must determine their role in stakeholder communications and evaluate their processes and procedures governing such communications.

 

The governance risks associated with Alibaba’s IPO


, professor of law, economics and finance, and director of the corporate governance program at Harvard Law School, has just published a very important article in the New York Times.

The author warns investors about the real governance risks linked to the initial public offering (IPO) of the Chinese company Alibaba.

I believe it is useful to better understand the governance issues before investing in this huge IPO.

Enjoy!

 

Wall Street is eagerly watching what is expected to be one of the largest initial public offerings in history: the offering of the Chinese Internet retailer Alibaba at the end of this week. Investors have been described by the media as “salivating” and “flooding underwriters with orders.” It is important for investors, however, to keep their eyes open to the serious governance risks accompanying an Alibaba investment.

Several factors combine to create such risks. For one, insiders have a permanent lock on control of the company but hold only a small minority of the equity capital. Then, there are many ways to divert value to affiliated entities, but there are weak mechanisms to prevent this. Consequently, public investors should worry that, over time, a significant amount of the value created by Alibaba would not be shared with them.

In Alibaba, control is going to be locked forever in the hands of a group of insiders known as the Alibaba Partnership. These are all managers in the Alibaba Group or related companies. The Partnership will have the exclusive right to nominate candidates for a majority of the board seats. Furthermore, if the Partnership fails to obtain shareholder approval for its candidates, it will be entitled “in its sole discretion and without the need for any additional shareholder approval” to appoint directors unilaterally, thus ensuring that its chosen directors always have a majority of board seats.

Alibaba is scheduled to become a publicly traded company later this week.

Many public companies around the world, especially in emerging economies, have a large shareholder with a lock on control. Such controlling shareholders, however, often own a substantial portion of the equity capital that provides them with beneficial incentives. In the case of Alibaba, investors need to worry about the relatively small stake held by the members of the controlling Alibaba Partnership.

After the I.P.O., Alibaba’s executive chairman, Jack Ma, is expected to hold 7.8 percent of the shares and all the directors and executive officers will hold together 13.1 percent. Over time, insiders may well cash out some of their current holding, but Alibaba’s governance structure would ensure that directors chosen by the Alibaba Partnership will forever control the board, regardless of the size of the stake held by the Partnership’s members.

With an absolute lock on control and a limited fraction of the equity capital, the Alibaba insiders will have substantial incentives to divert value from Alibaba to other entities in which they own a substantial percentage of the equity. This can be done by placing future profitable opportunities in such entities, or making deals with such entities on terms that favor them at the expense of Alibaba.

Alibaba’s prospectus discloses information about various past “related party transactions,” and these disclosures reflect the significance and risks to public investors of such transactions. For example, in 2010, Alibaba divested its control and ownership of Alipay, which does all of the financial processing for Alibaba, and Alipay is now fully controlled and substantially owned by Alibaba’s executive chairman.

Public investors should worry not only about whether Alibaba’s divesting of Alipay benefited Mr. Ma at the expense of Alibaba, but also about the terms of the future transactions between Alibaba and Alipay. Because Alibaba relies on Alipay “to conduct substantially all of the payment processing” in its marketplace, these terms are important for Alibaba’s future success.

Mr. Ma owns a larger fraction of Alipay’s equity capital than of Alibaba’s, so he would economically benefit from terms that would disfavor Alibaba. Indeed, given the circumstances, the I.P.O. prospectus acknowledges that Mr. Ma may act to resolve Alibaba-Alipay conflicts not in Alibaba’s favor.

The prospectus seeks to allay investor concerns, however, by indicating that Mr. Ma intends to reduce his stake in Alipay within three to five years, including by having shares in Alipay granted to Alibaba employees. But stating such an intention does not represent an irreversible legal commitment. Furthermore, transfers of Alipay ownership stakes from Mr. Ma to other members of the Alibaba Partnership would still leave the Partnership’s aggregate interest to be decidedly on the side of Alipay rather than Alibaba.

Given the significant related party transactions that have already taken place, and the prospect of such transactions in the future, Alibaba tried to placate investors by putting in a “new related party transaction policy.” But this new policy hardly provides investors with solid protection. Unlike charter and bylaw provisions, corporate policies are generally not binding. Furthermore, Alibaba’s policy explicitly allows the board, where the nominees of Alibaba partnership will always have a majority, to approve any exceptions to the policy that the board chooses.

Of course, the Alibaba partners might elect not to take advantage of the opportunities for diversion provided to them by Alibaba’s structure. And, even if the partners do use such opportunities, the future business success of Alibaba might be large enough to make up for the costs of diversions and leave public investors with good returns on their investment.

Before jumping in, however, investors rushing to participate in the Alibaba I.P.O. must recognize the substantial governance risks that they would be taking. Alibaba’s structure does not provide adequate protections to public investors.

__________________________________________

Related article:

Alibaba Raises the Fund-Raising Target for Its I.P.O. to $21.8 Billion (Sept. 15, 2014)

What every corporate director should know about cloud security


This article is based on a research report by Paul A. Ferrillo, counsel at Weil, Gotshal & Manges, and by Dave Burg and Aaron Philipp of PricewaterhouseCoopers. The authors present a conceptualization of the cloud computing factors that influence companies, and in particular the behaviour of their directors.

The article defines the cloud computing phenomenon and shows how boards of directors are called upon to address the risks that cyber-attacks can pose. In fact, the most interesting part of the article is its treatment of what the authors call “Cloud Cyber Governance”.

The article proposes several critical questions that directors should put to the company’s management. Below you will find the highlights of this article, which should interest directors concerned with the security aspects of cloud operations. Enjoy!

 

Cloud Cyber Security: What Every Director Needs to Know

« There are four competing business propositions affecting most American businesses today. Think of them as four freight trains on different tracks headed for a four-way stop signal at fiber optic speed.

First, with a significant potential for cost savings, American business has adopted cloud computing as an efficient and effective way to manage countless bytes of data from remote locations at costs that would be unheard of if they were forced to store their data on hard servers. According to one report, “In September 2013, International Data Corporation predicted that, between 2013 and 2017, spending on public IT cloud computing will experience a compound annual growth of 23.5%.” Another report noted, “By 2014, cloud computing is expected to become a $150 billion industry. And for good reason—whether users are on a desktop computer or mobile device, the cloud provides instant access to data anytime, anywhere there is an Internet connection.”

The second freight train is data security. Making your enterprise’s information easier for you to access and analyze also potentially makes it easier for others to do, too. 2013 and 2014 have been the years of “the big data breach,” with millions of personal data and information records stolen by hackers. Respondents to the 2014 Global State of Information Security® Survey reported a 25% increase in detected security incidents over 2012 and a 45% increase compared to 2011. Though larger breaches at global retailers are extremely well known, what is less known is that cloud providers are not immune from attack. Witness the cyber breach against a file sharing cloud provider that was perpetrated by lax password security and which caused a spam attack on its customers. “The message is that cyber criminals, just like legitimate companies, are seeing the ‘business benefits’ of cloud services. Thus, they’re signing up for accounts and reaching sensitive files through these accounts. For the cyber criminals this only takes a run-of-the-mill knowledge level … This is the next step in a new trend … and it will only continue.”

The third freight train is the plaintiff’s litigation bar. Following cyber breach after cyber breach, they are viewing the corporate horizon as rich with opportunities to sue previously unsuspecting companies caught in the middle of a cyber disaster, with no clear way out. They see companies scrambling to contend with major breaches, investor relation delays, and loss of brand and reputation.

The last freight train running towards the intersection of cloud computing and data security is the topic of cyber governance—i.e., what directors should be doing or thinking about to protect their firm’s most critical and valuable IP assets. In our previous article, we noted that though directors are not supposed to be able to predict all potential issues when it comes to cyber security issues, they do have a basic fiduciary duty to oversee the risk management of the enterprise, which includes securing its intellectual property and trade secrets. The purpose of this article is to help directors and officers potentially avoid a freight train collision by helping the “cyber governance train” control the path and destiny of the company. We will discuss basic cloud security principles, and basic questions directors should ask when considering whether or not the data their management desires to run on a cloud-based architecture will be as safe from attack as possible. As usual when dealing with cyber security issues, there are no 100% foolproof answers. Even cloud experts disagree on cloud-based data security practices and their effectiveness. There are only good questions a board can ask to make sure it is fulfilling its duties to shareholders to protect the company’s valuable IP assets.

What is Cloud Computing/What Are Its Basic Platforms

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Cloud computing is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, and provides the opportunities for cost reduction through optimized and efficient computing. The cloud model envisages a world where components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption.”

Cloud computing is generally based upon three separate and distinct architectures that matter when considering the security of the data sitting in the particular cloud environment.

……

Cloud Cyber Governance

As shown above, what is commonly referred to as the cloud actually can mean many different things depending on the context and use. Using SaaS to manage a customer base has a vastly different set of governance criteria to using IaaS as a development environment. As such, there are very few accepted standards for properly monitoring/administering a cloud-based environment. There are many IT consultants in the cloud-based computing environment that can be consulted in that regard. Our view, however, is that directors are ultimately responsible for enterprise risk management, and that includes cyber security, a subset of which is cloud-based cyber-security. Thus it is important for directors to have a basic understanding of the risks involved in cloud-based data storage systems, and with cloud-based storage providers. Below are a few basic questions that come to mind that a director could pose to management, and the company’s CISO and CIO:

1. Where will your data be stored geographically (which may determine which laws apply to the protection of the company’s data), and in what data centers?

2. Is there any type of customer data co-mingling that could potentially expose the company data to competitors or other parties?

3. What sort of encryption does the cloud-based provider use?

4. What is the vendor’s backup and disaster recovery plan?

5. What is the vendor’s incident response and notification plan?

6. What kind of access will you have to security information on your data stored in the cloud in the event the company needs to respond to a regulatory request or internal investigation?

7. How transparent is the cloud provider’s own security posture? What sort of access can your company get to the cloud provider’s data center and personnel to make sure it is receiving what it is paying for?

8. What is the cloud servicer’s responsibility to update its security systems as technology and sophistication evolves?

9. What is the cloud provider’s ability to timely detect (i.e., continuously monitor) and respond to a security incident, and what sort of logging information is kept in order to potentially detect anomalous activity?

10. Are there any third party requirements (such as HITECH/HIPAA) that the provider needs to conform to for your industry?

11. Is the cloud service provider that is being considered already approved under the government’s FedRAMP authorization process, which pre-approves cloud service providers and their security controls?

12. Finally, does the company’s cyber insurance liability policy cover cloud-based losses assuming there is a breach and customer records are stolen or otherwise compromised? This is a very important question to ask, especially if the company involved is going to use a cyber-insurance policy as a risk transfer mechanism. When in doubt, a knowledgeable cyber-insurance broker should be consulted to make sure cloud-based losses are covered.

High-profile breaches have proven conclusively that cybersecurity is a board issue first and foremost. Being a board member is tough work. Board members have a lot on their plate, including, first and foremost, financial reporting issues. But as high-profile breaches have shown, major cyber breaches have almost the same effect as a high profile accounting problem or restatement. They cause havoc with investors, stock prices, vendors, branding, corporate reputation and consumers. Directors should be ready to ask tough questions regarding cyber security and cloud-based security issues so they do not find themselves on the wrong end of a major data breach, either on the ground or in the cloud. »

How can the board discharge its oversight of cyber risks?


Today I draw your attention to an article published by , on the Cisco Blog site, which deals with the new responsibilities falling to board members in overseeing the company’s overall cyber risks.

There are very useful guidelines that can help members of senior management (CxO), those who must attest to (sign off on) the accuracy of the disclosure items relating to cyber risks.

There are also ways for board members to make sure they are keeping effective watch over these risks. This article echoes the Gartner Security and Risk Management Summit, and more specifically the session “Finding the Sweet Spot to Balance Cyber Risk”.

In my view, every director should become familiar with the cyber-risk environment and its management, because these risks can have dramatic consequences for the organization’s performance.

Reading this article will raise your awareness of your role as a director and of the consequences that flow from it. Here is an excerpt from it. Enjoy!

 

Cyber Threat Management from the Boardroom Risk: Lost in Translation

 

During the session, the panel had been discussing how the senior leadership teams address the problem of putting their signatures against the risk that cyber threats pose to their organizations. Tammie Leith made a point to the effect that it is just as important for our teams to tell us why we should not accept or acknowledge those risks so that we can increase investments to mitigate those risks.

What caught my attention was that the senior management teams are beginning to question the technical teams on whether or not appropriate steps have been taken to minimize the risks to the corporation. The CxO (senior leadership team that has to put their signature on the risk disclosure documents) teams are no longer comfortable with blindly assuming the increasing risks to the business from cyber threats.

To make matters worse, the CxO teams and the IT security teams generally speak different languages in that they are both using terms with meanings relevant to their specific roles in the company. In the past, this has not been a problem because both teams were performing very critical and very different functions for the business. The CxO team is focused on revenue, expenses, margins, profits, shareholder value, and other critical business metrics to drive for success. The IT security teams, on the other hand, are worried about breaches, data loss prevention, indications of compromise, denial of services attacks and more in order to keep the cyber attackers out of the corporate network. The challenge is that both teams use the common term of risk, but in different ways. Today’s threat environment has forced the risk environment to blend. Sophisticated targeted attacks and advanced polymorphic malware affect a business’s bottom line. Theft of critical information, such as credit card numbers, health insurance records, and social security numbers, result in revenue losses, bad reputation, regulatory fines, and lawsuits. Because these teams have not typically communicated very well in the past, how can we ensure that they have a converged meaning for risk when they are speaking different “languages”?

In order to fully explore the variations to the term “risk” for the business, I wanted to understand what the Security Exchange Commission (SEC) required of corporations in reporting requirements to their shareholders. The 2013 Cybersecurity Executive Order signed by President Obama, and the release of the NIST Cyber Framework seemed to be giving the SEC a new reason to revisit the topic of cyber security with a revitalized vigor.

The SEC had already published guidance on how corporations should provide cyber security risk disclosures in the CF Disclosure Guidance: Topic No. 2, dated October 13, 2011. However, the speech that SEC Commissioner Luis A. Aguilar gave at the “Cyber Risks and The Boardroom Conference” at the New York Stock Exchange on June 10 discussed what the “boards of directors can, and should, do to ensure that their organizations are appropriately considering and addressing cyber risks.” In proposing a strong case for the boards of directors to take action, he discussed the “threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats.” He also discussed the derivative lawsuits that were brought against companies, their officers and directors relating to data breaches. What caught my attention most about the speech is when he said, “Thus, boards that chose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

Commissioner Aguilar made a strong recommendation for corporations to voluntarily adopt the NIST Cybersecurity Framework in order to begin addressing the problem with the statement, “While the Framework is voluntary guidance for any company, some commenters have already suggested that it will likely become a baseline for best practices by companies, including assessing legal or regulatory exposure to these issues or for insurance purposes.”

I am not disagreeing with Commissioner Aguilar, but in practice, this is an incredible challenge for any board of directors as they are now being asked to provide direct cyber security oversight to the internal day-to-day operations of the organization or risk “peril.”

…..

 

Governance, cyber risks and the board’s responsibility


Here is the presentation by Mr. Luis A. Aguilar, Commissioner of the Securities and Exchange Commission (SEC). The post, published on the Harvard Law School Forum on Corporate Governance, sounds the alarm about the threats posed by cyber-attacks and about the roles and responsibilities of boards of directors in that regard.
This article puts into perspective the need for a significant shift in the focus of corporate governance.
Below is an excerpt from the introduction to this article. Enjoy!

I am pleased to be here and to have the opportunity to speak about cyber-risks and the boardroom, a topic that is both timely and extremely important. Over just a relatively short period of time, cybersecurity has become a top concern of American companies, financial institutions, law enforcement, and many regulators. I suspect that not too long ago, we would have been hard-pressed to find many individuals who had even heard of cybersecurity, let alone known what it meant. Yet, in the past few years, there can be no doubt that the focus on this issue has dramatically increased.

 

Boards of Directors, Corporate Governance and Cyber-Risks | Sharpening the Focus

 

Cybersecurity has become an important topic in both the private and public sectors, and for good reason. Law enforcement and financial regulators have stated publicly that cyber-attacks are becoming both more frequent and more sophisticated. Indeed, according to one survey, U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they experienced per week. As I am sure you have heard, recently there have also been a series of well-publicized cyber-attacks that have generated considerable media attention and raised public awareness of this issue. A few of the more well-known examples include:

The October 2013 cyber-attack on the software company Adobe Systems, Inc., in which data from more than 38 million customer accounts was obtained improperly;

The December 2013 cyber-attack on Target Corporation, in which the payment card data of approximately 40 million Target customers and the personal data of up to 70 million Target customers was accessed without authorization;

The January 2014 cyber-attack on Snapchat, a mobile messaging service, in which a reported 4.6 million user names and phone numbers were exposed;

The sustained and repeated cyber-attacks against several large U.S. banks, in which their public websites have been knocked offline for hours at a time; and

The numerous cyber-attacks on the infrastructure underlying the capital markets, including quite a few on securities exchanges.

Official portrait of Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar. (Photo credit: Wikipedia)

In addition to becoming more frequent, there are reports indicating that cyber-attacks have become increasingly costly to companies that are attacked. According to one 2013 survey, the average annualized cost of cyber-crime to a sample of U.S. companies was $11.6 million per year, representing a 78% increase since 2009. In addition, the aftermath of the 2013 Target data breach demonstrates that the impact of cyber-attacks may extend far beyond the direct costs associated with the immediate response to an attack. Beyond the unacceptable damage to consumers, these secondary effects include reputational harm that significantly affects a company’s bottom line. In sum, the capital markets and their critical participants, including public companies, are under a continuous and serious threat of cyber-attack, and this threat cannot be ignored.

As an SEC Commissioner, I find these threats a particular concern because of the widespread and severe impact that cyber-attacks could have on the integrity of the capital markets infrastructure and on public companies and investors. The concern is not new. For example, in 2011, staff in the SEC’s Division of Corporation Finance issued guidance to public companies regarding their disclosure obligations with respect to cybersecurity risks and cyber-incidents. More recently, because of the escalation of cyber-attacks, I helped organize the Commission’s March 26, 2014 roundtable to discuss the cyber-risks facing public companies and critical market participants like exchanges, broker-dealers, and transfer agents.

Today, I would like to focus my remarks on what boards of directors can, and should, do to ensure that their organizations are appropriately considering and addressing cyber-risks. Effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.

The dematerialization of the board of directors | A necessity! *


This week, we asked Amanda Biggs, web manager and governance writer, to act as guest author. Her post presents the shift into the digital era as unavoidable for companies and their governing bodies.

Dematerializing and digitalizing are terms that have appeared on the agenda of many boards of directors for several years now.

Here, then, is the article in question, reproduced with the author’s permission. Your comments are appreciated. Enjoy.

The dematerialization of the board of directors, a “must”

by Amanda Biggs

What are we talking about?

Dematerialization covers all the actions taken within an organization to replace physical media for information, communication and management with computer files and tools. It is a process driven by the technology revolution and part of an overall policy of zero paper and interconnected actors.

Where is digitalization taking place?

From email exchanges to electronic invoices, no line of work escapes the contributions of new communication technologies. The board of directors, guarantor of the organization’s day-to-day good governance, must set “the tone at the top”. Directors lead by example and must embrace technologies both for their benefits and to understand their importance in today’s business activities and economy.

Efficiency, security, accountability and leadership

The digital, interconnected era has upended the traditional structures of information and communication. It has also been a source of new challenges for boards of directors. A recent Reuters study confirms an increase in board size, in the number of mandates held, and in the number of members residing in different countries. Moreover, with the accumulation and multiplication of information brought by new technologies, board meeting information packages have grown thicker. Managing meetings and secure communication between members thus becomes a real challenge, complex and costly if paper-based procedures are maintained.


To meet these new challenges and support the digital transition of boards of directors, specialists such as Leadingboards, Idside and Diligentboard have developed software known as “board portals”, called “conseils-sans-papier” (paperless boards) in French. Directors have every interest in adopting such a tool to organize and secure their information, consult it as needed and simultaneously, and access the archives to practise informed decision-making.

Given that business intelligence is a weapon in its own right in a globalized economy, the risks weighing on directors are multiplied. Paper documents carry a high risk of loss, oversight or theft. To avoid this, many directors now use private email to exchange documents, giving rise to new, underestimated risks: these accounts can be hacked, and the emails intercepted or stored under the “US Patriot Act”. If sensitive board data is not highly secured, the company’s entire activity and the interests of its stakeholders can be put at risk. That is why board portals offer several levels of security to guarantee the confidentiality of exchanges.

Finally, mobile devices are increasingly popular with directors, for their mobility of course but also for the many intuitive features they offer. To make the digital experience as pleasant as possible, some paperless-board products have dedicated iPad applications. These applications let members access their board’s information at any time, and also take notes and communicate with one another for improved, exemplary governance.

There are indeed tools with advanced features to help and facilitate the directors’ role while reducing risk. A board of directors 2.0 makes it possible to respond effectively to new economic challenges while contributing to sustainable development objectives.

__________________________________

* Repost

Governance in all its forms | Eight (8) articles published on Lesaffaires.com


Here is a series of eight articles, published on March 31, 2014 by the experts of the Collège des administrateurs de sociétés (CAS) in the Dossier section of Les Affaires.com.

Discover how companies and directors must adapt in order to benefit from best practices.

  1. Good governance is for SMEs too
  2. The challenges of governance in the digital age
  3. The rise of shareholder activism in six questions
  4. Governance: 12 trends to watch
  5. Governance: eight principles to respect
  6. Boards of directors: diversity, a user’s guide
  7. Should directors develop their skills?
  8. Would you like to sit on a board of directors?

Your comments are appreciated. Enjoy!


Good governance is for SMEs too

An interview with Mr. Réjean Dancause, President and Chief Executive Officer of Groupe Dancause et Associés inc.


The challenges of governance in the digital age

An interview with Mr. Gilles Bernier, Director of Programs at the Collège des administrateurs de sociétés


The rise of shareholder activism in six questions

An interview with Mr. Jean Bédard, holder of the Chaire de recherche en gouvernance de sociétés (Research Chair in Corporate Governance), Université Laval


Governance: 12 trends to watch

An interview with Mr. Jacques Grisé, author of the blog jacquesgrisegouvernance.com


Governance: eight principles to respect

An interview with Mr. Richard Drouin, counsel, McCarthy Tétrault


Boards of directors: diversity, a user’s guide

An interview with Ms. Nicolle Forget, corporate director


Should directors develop their skills?

An interview with Ms. Louise Champoux-Paillé, corporate director and president of the …


Would you like to sit on a board of directors?

An interview with Mr. Richard Joly, President of Leaders et Cie

_____________________________________________
