Questions to Raise at Your Next Quarterly Board Meeting

This quarter, boards and management should plan to examine how traditional and emerging risks, especially the introduction of generative AI and other new technology, may affect their operations. Weaver, knowledgeable in advisory services, offers the following topics to incorporate into your next board meeting to generate productive discussion.

1. How will ChatGPT and other generative AI change risks and opportunities for our business?

The introduction of generative AI creates new risks as well as opportunities that management and boards need to consider for business processes across the organization. For example, AI is likely to increasingly affect financial statements, not just in their creation but in the way business processes are linked to AI. In addition to larger ethical and legal issues, board members should be asking questions related to technology, business value, workforce impact, security and other issues.

Here are some questions to evaluate the effect of generative AI on your operations:

• Has management conducted an analysis of the benefits and risks AI presents to the organization?
• Has the organization adopted a policy addressing the role of AI in the company’s operations?
• What training and communication is needed to ensure an understanding of appropriate and inappropriate uses of AI within the organization?
• How can the organization foster a culture of ethics and responsibility with regard to AI?

2. Has the organization evaluated and prepared for new SEC rules requiring public companies to not only timely report material cybersecurity incidents, but also to annually disclose additional information regarding cybersecurity risk management, strategy and governance?

On July 26, 2023, the Securities and Exchange Commission (SEC) approved rules requiring public companies to disclose material cybersecurity incidents in Form 8-K within four days of the incident. Public companies will also be required to incorporate information in Form 10-K filings about their cybersecurity risk management, strategy, and governance. Organizations that have not begun reviewing internal processes for identifying, assessing and reporting cybersecurity incidents, as well as their company’s overall cybersecurity risk management and governance practices, will need to perform an expedient and thorough review with a wide range of stakeholders.

Here are some questions to help your organization prepare for the new cybersecurity requirements:

• What processes and procedures do we currently have in place for identifying and reporting cybersecurity incidents?
• Are our incident response plans aligned with the new SEC disclosure timeline requirements?
• What training and awareness programs will be put in place to ensure all employees are aware of the new SEC rules and our internal procedures?
• How do we ensure that we can meet the four-day disclosure deadline for material cybersecurity incidents?
• Have we established a clear chain of communication and responsibility for reporting incidents to the SEC?

3. Has the board reviewed the company’s capabilities to prepare for new ESG reporting requirements for public companies?

While final climate reporting rules for public companies are still under consideration with the SEC, California’s governor recently signed two bills that would require public and private businesses to begin reporting climate risks and emissions, if they operate in that state. To prepare for compliance with any future SEC and state requirements, boards continue to work with management to develop and refine procedures for planning, measuring and refining their organization’s commitments to ESG reporting. This includes governance of the ESG program, and the way ESG is considered in strategic decision making, as well as readiness for certain disclosures to be audited.

Here are some questions to evaluate your organization’s maturity in addressing ESG factors and sustainability reporting:

• Has the organization developed a broad ESG strategy that fulfills the needs and expectations of the broad range of stakeholders, and also considers geographical requirements?
• If the organization is in the early stages of addressing ESG reporting considerations, have key metrics been identified and reporting processes established?
• Which other risk and assurance functions can contribute to the organization’s sustainability reporting structure?
• How has the organization prepared for looming climate risk and human capital reporting rules?
• Does the company’s internal audit plan include coverage related to ESG risks and data supporting disclosures?
• Do board and committee charters reflect the organization’s ESG risks and priorities?

4. Has the board evaluated the company’s Three Lines of Defense?

A crucial element of an effective risk response strategy is establishing a broadly accepted understanding of who owns the risk. The executive team is not solely responsible for risk ownership, and to be truly successful at risk response, it’s imperative that all team members understand and embrace their roles in the process. Organizations must determine their own appropriate, pragmatic structures, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape.

For several decades, organizations have used the “Three Lines of Defense” defined by the Institute of Internal Auditors to identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk.” The IIA released an update in 2020 called The Three Lines Model.

The Three Lines Model provides boards and management with a more comprehensive view of how their teams control and respond to risk, resulting in the most effective risk management and improved decision making. It can be used to improve communication and clarify roles and responsibilities in the risk response process for all employees, from top to bottom.

Here are questions to consider in evaluating your organization’s risk response strategy:

• Does management communicate with the board on the identification of risks, as well as how they are monitored and mitigated through policy, process, and control?
• Does management have sufficient internal compliance, quality, and inspection practices? Is the board regularly on the activities and results of procedures performed by these teams?
• Is the internal audit function regularly reporting to the Audit Committee? Is the audit plan focused on key, strategic initiatives and risks? Are projects from the audit plan started, completed, and reported on in a timely manner?

5. Has the company incorporated new clawback controls into its executive compensation structure?

In late 2022, the SEC adopted final rules that require an issuer to recover, or “clawback,” from its current or former executive officers incentive compensation when the issuer reports an accounting restatement which resulted in executives erroneously receiving incentive-based compensation. The final rules also direct securities exchanges to establish listing standards that require each issuer to develop, implement and disclose a compensation recovery policy as an exhibit to its annual report in the event a recovery analysis is triggered. When preparing their policies, companies should also consider whether internal controls related to clawback triggering events and calculations are needed. At this time, NYSE and Nasdaq listed issuers will need to comply with clawback policies by December 1, 2023.

Here are some questions to determine whether your organization is prepared to comply with the disclosure requirements and implement new internal controls:

• Does the company have an existing clawback policy that can be leveraged for purposes of policy and disclosure preparation?
• Has the company evaluated implications to the control environment, including key controls that need to be formalized and evaluated as part of the Internal Controls over Financial Reporting (ICFR) program?
• Has the company determined whose compensation must be covered by the policy and reviewed their existing employment or compensation agreements to determine if any amendments are needed?
• Has the company identified those who are responsible for the identification, execution and subsequent review of a recovery analysis?

Weaver offers information and insights to prepare for your next board meeting. We can help you ask the right questions and determine appropriate plans of action based on topics and trends as they unfold. Subscribe to our monthly insights for articles and information to help you review your organization’s operations and prepare for change in an uncertain world. Contact us for information about these areas of Board governance.

© 2023