Questions to Raise at Your Next Quarterly Board Meeting

Executive Resource
Boards and management should examine how traditional and emerging risks, especially generative AI and other new technology, may affect their operations.
October 11, 2023

This quarter, boards and management should plan to examine how traditional and emerging risks, especially the introduction of generative AI and other new technology, may affect their operations. Weaver's advisory services team offers the following topics to incorporate into your next board meeting to generate productive discussion.

1. How will ChatGPT and other generative AI change risks and opportunities for our business?

The introduction of generative AI creates new risks as well as opportunities that management and boards need to consider for business processes across the organization. For example, AI is likely to increasingly affect financial statements, not only in how they are prepared but in how the underlying business processes come to depend on AI-generated output. In addition to larger ethical and legal issues, board members should be asking questions related to technology, business value, workforce impact, security and other issues.

Here are some questions to evaluate the effect of generative AI on your operations:

2. Has the organization evaluated and prepared for new SEC rules requiring public companies to not only timely report material cybersecurity incidents, but also to annually disclose additional information regarding cybersecurity risk management, strategy and governance?

On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days after the company determines that an incident is material (the clock runs from the materiality determination, not from the date of the incident itself). Public companies will also be required to describe in their annual Form 10-K filings their cybersecurity risk management, strategy and governance, including the board's oversight of cybersecurity risk. Organizations that have not begun reviewing internal processes for identifying, assessing and reporting cybersecurity incidents, as well as their company's overall cybersecurity risk management and governance practices, will need to perform an expedient and thorough review with a wide range of stakeholders, including legal, finance, IT and security leadership.

Here are some questions to help your organization prepare for the new cybersecurity requirements:

3. Has the board reviewed the company’s capabilities to prepare for new ESG reporting requirements for public companies?

While final climate reporting rules for public companies are still under consideration at the SEC, California's governor recently signed two bills that will require public and private companies above certain revenue thresholds to report greenhouse gas emissions and climate-related financial risks if they do business in that state. To prepare for compliance with any future SEC and state requirements, boards continue to work with management to develop and refine procedures for planning, measuring and reporting on their organization's ESG commitments. This includes governance of the ESG program, the way ESG is considered in strategic decision making, and readiness for certain disclosures to be audited.

Here are some questions to evaluate your organization’s maturity in addressing ESG factors and sustainability reporting:

4. Has the board evaluated the company’s Three Lines of Defense?

A crucial element of an effective risk response strategy is establishing a broadly accepted understanding of who owns the risk. The executive team is not solely responsible for risk ownership, and to be truly successful at risk response, it’s imperative that all team members understand and embrace their roles in the process. Organizations must determine their own appropriate, pragmatic structures, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape.

For many years, organizations have used the "Three Lines of Defense" model defined by the Institute of Internal Auditors (IIA) to identify the structures and processes that best support the achievement of objectives and facilitate strong governance and risk management. The IIA released an update in 2020 called The Three Lines Model, which dropped "defense" from the name and frames the three lines as roles (management, the risk and compliance functions that support management, and independent internal audit assurance) rather than as fixed organizational units.

The Three Lines Model gives boards and management a more comprehensive view of how their teams control and respond to risk, supporting more effective risk management and better-informed decision making. It can be used to improve communication and clarify roles and responsibilities in the risk response process for all employees, from top to bottom.

Here are questions to consider in evaluating your organization’s risk response strategy:

5. Has the company incorporated new clawback controls into its executive compensation structure?

In late 2022, the SEC adopted final rules that require an issuer to recover, or "claw back," from its current or former executive officers incentive-based compensation that was erroneously received when the issuer is required to prepare an accounting restatement. The final rules also direct the securities exchanges to establish listing standards requiring each issuer to develop and implement a compensation recovery policy, file that policy as an exhibit to its annual report, and disclose any actions taken under it when a restatement triggers a recovery analysis. When preparing their policies, companies should also consider whether internal controls over clawback triggering events and recovery calculations are needed. At this time, NYSE- and Nasdaq-listed issuers will need to adopt compliant clawback policies by December 1, 2023.

Here are some questions to determine whether your organization is prepared to comply with the disclosure requirements and implement new internal controls:

Weaver offers information and insights to prepare for your next board meeting. We can help you ask the right questions and determine appropriate plans of action based on topics and trends as they unfold. Subscribe to our monthly insights for articles and information to help you review your organization's operations and prepare for change in an uncertain world. Contact us for information about these areas of board governance.

© 2023