If you were to canvass your board and ask what Canadian directors should be concerned with for the balance of 2019, do you think you'd find consensus on a few key topics?
While there are commonalities across the country, boards in some sectors will have issues that may be notably pressing or even unique. The cannabis industry is one such example. Directors of companies within this recently legalized industry will want to maintain focus on corporate governance practices this year and beyond. Directors need to ensure that the companies they lead meet investors' needs for increased degrees of disclosure and transparency.
Given that the Canadian Securities Administrators (CSA) has issued Staff Notices (51-352 and 51-357) to provide guidance and outline expectations of licensed producers (LPs), the majority of cannabis company boards will want to ensure that their companies have improved disclosures of risks, including potential legal issues, relative to their American operations. The same boards will also want to maintain oversight of supply chains, in light of Ontario's announcement of the results of its second cannabis retail lottery; 42 winners are now eligible to apply for licensing with the Alcohol and Gaming Commission of Ontario.
Whatever the sectors and boardrooms in which they serve, Canadian (and other) directors will want to approach their roles with awareness of the elevated expectations of directors and boards. Acceleration of expectations, along with the pace of change, places increasingly significant demands on individual directors and their boards.
This speaks to the need to foster board resilience, and so boards can be well served by dedicating attention to board culture and engagement. Not to add undue pressure, but boards will also want to focus on organizational culture.
Technology, including but not limited to artificial intelligence (AI), cybersecurity, data and data privacy, should be in the forefront of directors' minds. Increasingly, directors should be considering agenda items with technology in mind. When the board is asked to approve a proposal from management, directors reasonably anticipate that the executive summary, brief or context memo will include references to financial requirements, risks (of both action and inaction), opportunities and implications.
It makes sense, in this digital age, for such proposals to also include assessments of technological requirements, risks, opportunities and implications. The board should know whether the organization is appropriately resourcing efforts from a technological perspective, and it should have confidence in the organization's technology strategies. If such context isn't provided, directors need to know the right questions to ask. This requires that board composition reflect the related expertise, which speaks to the significance of effective board succession planning and recruitment.
Few boards are likely to have an abundance of directors with technological expertise, let alone cybersecurity- or AI-specific education and experience. It's important, though, that directors without such expertise not abdicate their responsibility for oversight of technology matters by placing such oversight burdens solely on the shoulders of one or two directors. Again, boards should seek out development opportunities facilitated by both internal and external experts so that all directors can effectively contribute to board decision-making.
As well, boards need to be mindful of cybersecurity in the context of third-party risk. In its 2016 global survey on Third Party Governance and Risk Management (TPGRM), Deloitte found that third party risk incidents were on the rise. Boards would be well served by learning about the emergence of security rating services (SRS) that provide independent, quantitative and continuous technical analyses and scoring 'for public-facing digital assets of organizational entities across geographies'. Such ratings are the cybersecurity equivalent of a personal credit rating.
BitSight, an SRS provider, developed its ratings on the basis of data related to compromised systems, breach events, user behavior and diligence. In March of this year, Gartner, Inc. included SRS among its list of top 10 security projects for 2019.
Directors also need to regularly review and be satisfied with metrics, statistics and information on their organization's cybersecurity practices. They should be prepared to respectfully challenge assumptions, and ask relevant questions. Directors can learn from the Desjardins data breach – not only in terms of being prepared to pose questions about potential for insider cybersecurity threats, but also in terms of crisis preparation.
While directors are paying attention to crisis preparation, their boards would also be well served by turning their consideration to social media. In Qu?'bec City last week, corporate director and competitive and strategic intelligence expert Estelle M?'tayer impressed upon an audience of governance professionals the importance of social media oversight. Given the reactions from delegates at Governance Professionals of Canada's (GPC's) 21st Annual Corporate Governance Conference to M?'tayer's keynote presentation, I suspect that more than a few Canadian directors may soon be engaging in questions related to social media and disclosure policies.
While there are commonalities across the country, boards in some sectors will have issues that may be notably pressing or even unique. The cannabis industry is one such example. Directors of companies within this recently legalized industry will want to maintain focus on corporate governance practices this year and beyond. Directors need to ensure that the companies they lead meet investors' needs for increased degrees of disclosure and transparency.
Transparency & Disclosure Requirements For Board Directors
Expectations of transparency and disclosure are not unique to cannabis providers, but such boards will want to ensure that the companies they lead meet International Financial Reporting Standards (IFRS) and provide solid reports on past fair value and fair value-related disclosures. Boards in this sector may well focus on oversight of compliance and licensing, particularly on the heels of CannTrust Holdings Inc. receiving a non-compliance order from Health Canada and becoming the subject of an investigation by the Ontario Securities Commission.Given that the Canadian Securities Administrators (CSA) has issued Staff Notices (51-352 and 51-357) to provide guidance and outline expectations of licensed producers (LPs), the majority of cannabis company boards will want to ensure that their companies have improved disclosures of risks, including potential legal issues, relative to their American operations. The same boards will also want to maintain oversight of supply chains, in light of Ontario's announcement of the results of its second cannabis retail lottery; 42 winners are now eligible to apply for licensing with the Alcohol and Gaming Commission of Ontario.
The Importance of ESG, Board Culture & Organizational Culture
Canadian directors will be mindful of economic and geopolitical issues. Depending on the boardroom, discussions may range from boards of educational institutions querying international enrollment trends and related impacts to directors assessing both risks and opportunities associated with global trade tensions. While projections of a global recession continue, Canada recorded a trade surplus of $762 million in May 2019. Indigenous relations, environmental, social governance (ESG) and shareholder and stakeholder activism will also draw directors' attention.Whatever the sectors and boardrooms in which they serve, Canadian (and other) directors will want to approach their roles with awareness of the elevated expectations of directors and boards. Acceleration of expectations, along with the pace of change, places increasingly significant demands on individual directors and their boards.
This speaks to the need to foster board resilience, and so boards can be well served by dedicating attention to board culture and engagement. Not to add undue pressure, but boards will also want to focus on organizational culture.
Board Directors Cyber & Risk Oversight
The scope of boards' oversight responsibilities requires attention to succession planning that will support directors' capacity to govern effectively. Boards may plan to recruit for additional expertise as well as other diversities. In the face of elevated expectations, boards would do well to identify development needs, establish budgets to support ongoing development, and then source expert facilitators.Technology, including but not limited to artificial intelligence (AI), cybersecurity, data and data privacy, should be in the forefront of directors' minds. Increasingly, directors should be considering agenda items with technology in mind. When the board is asked to approve a proposal from management, directors reasonably anticipate that the executive summary, brief or context memo will include references to financial requirements, risks (of both action and inaction), opportunities and implications.
It makes sense, in this digital age, for such proposals to also include assessments of technological requirements, risks, opportunities and implications. The board should know whether the organization is appropriately resourcing efforts from a technological perspective, and it should have confidence in the organization's technology strategies. If such context isn't provided, directors need to know the right questions to ask. This requires that board composition reflect the related expertise, which speaks to the significance of effective board succession planning and recruitment.
Few boards are likely to have an abundance of directors with technological expertise, let alone cybersecurity- or AI-specific education and experience. It's important, though, that directors without such expertise not abdicate their responsibility for oversight of technology matters by placing such oversight burdens solely on the shoulders of one or two directors. Again, boards should seek out development opportunities facilitated by both internal and external experts so that all directors can effectively contribute to board decision-making.
How Boards Can Better Understand Cybersecurity
As the year progresses, directors should continue to be concerned about cybersecurity. If you and your board are using email – corporate or personal – for governance-related communications outside the boardroom, then you're collectively contributing to the risk of a potential cyber breach. Secure messaging and file sharing software can mitigate cyber risks.As well, boards need to be mindful of cybersecurity in the context of third-party risk. In its 2016 global survey on Third Party Governance and Risk Management (TPGRM), Deloitte found that third party risk incidents were on the rise. Boards would be well served by learning about the emergence of security rating services (SRS) that provide independent, quantitative and continuous technical analyses and scoring 'for public-facing digital assets of organizational entities across geographies'. Such ratings are the cybersecurity equivalent of a personal credit rating.
BitSight, an SRS provider, developed its ratings on the basis of data related to compromised systems, breach events, user behavior and diligence. In March of this year, Gartner, Inc. included SRS among its list of top 10 security projects for 2019.
Directors also need to regularly review and be satisfied with metrics, statistics and information on their organization's cybersecurity practices. They should be prepared to respectfully challenge assumptions, and ask relevant questions. Directors can learn from the Desjardins data breach – not only in terms of being prepared to pose questions about potential for insider cybersecurity threats, but also in terms of crisis preparation.
While directors are paying attention to crisis preparation, their boards would also be well served by turning their consideration to social media. In Qu?'bec City last week, corporate director and competitive and strategic intelligence expert Estelle M?'tayer impressed upon an audience of governance professionals the importance of social media oversight. Given the reactions from delegates at Governance Professionals of Canada's (GPC's) 21st Annual Corporate Governance Conference to M?'tayer's keynote presentation, I suspect that more than a few Canadian directors may soon be engaging in questions related to social media and disclosure policies.