Board Governance Trends: What Retailers Need to Know

Board responsibilities are escalating, as regulatory pressures mount and corporations, including retailers, face a barrage of new technology and cybersecurity risks. How are board members managing these risks, and how do they see their role changing?

BDO polled 160 corporate directors of public company boards in September 2016 for their opinions on financial reporting, risk management and other corporate governance issues. Three key areas of concern emerged in the BDO Board Survey: cybersecurity, reporting on non-GAAP metrics and the issue of “overboarding” (directors serving on too many boards).

Worrying Cybersecurity Vulnerabilities

Twenty-two percent of board directors report their company experienced a cyber breach during the past two years—consistent with last year’s results, but doubling since 2013 (11 percent). A majority (74 percent) said the board is more involved with cybersecurity than 12 months ago. Most (88 percent) are briefed on cybersecurity at least once annually—34 percent of those individuals are briefed quarterly.

Retailers are certainly feeling the heat when it comes to cybersecurity. According to our 2016 Retail RiskFactor Report, 100 percent of retailers surveyed noted possible security breaches resulting in the release of confidential customer, employee and corporate information as a risk to their business.

Following large cyber breaches at national retailers like CVS, Costco, Walmart Canada, Sam's Club, Rite Aid and Tesco—as well as the recent DDoS attacks affecting Etsy, PayPal and other e-commerce sites—more boards are recognizing the serious ramifications cyber-attacks can have on their organization, and are investing more in protecting their companies. Eighty percent of board members said that budgets to defend against cyber-attacks have increased over the last year, with an average budget expansion of 22.

One area to watch: only 27 percent said their company is sharing information on cyber-attacks with entities outside of their business. Over the last two years, there has been a big push to increase public-private information sharing around significant cyber threats. The Cybersecurity Information Sharing Act (CISA), passed in December 2015, made it easier for private sector companies to share intelligence with government agencies, recognizing that more can be done by working collectively to reduce and mitigate threats.

Reporting Non-GAAP Metrics

Regulatory scrutiny on the use of non-GAAP (Generally Accepted Accounting Principles) metrics, which are unaudited and often used in press releases or management discussion and analysis (MD&A), is intensifying. On May 17, 2016, the U.S. Securities and Exchange Commission (SEC) issued new Compliance & Disclosure Interpretations (C&DIs) on the use of non-GAAP financial measures. A day later, the Public Company Accounting Oversight Board (PCAOB) held a Standing Advisory Group Meeting that included a focus on non-GAAP measures and the role of auditors. Since then, the SEC has sent more than 30 comment letters to companies about their use of non-GAAP metrics and took the rare step of charging American Realty Capital Properties (now called VEREIT) with the misuse of a non-GAAP measure.

Board members believe non-GAAP measures can provide important insight into the business, but there is a need for greater diligence in the process. The BDO Board Survey found that 70 percent of board members believe that all of the disclosures required in financial statements today can make it confusing to determine what information is most important. Directors believe the most meaningful non-GAAP financial measures are critical audit matters that involve complex judgements on material issues (49 percent), supplemental information on the company’s financial performance (29 percent) and details about the organization’s risk management strategy (19 percent). A majority (67 percent) believe auditing non-GAAP measures could improve investor confidence.

Non-GAAP measures typically have an influence on executive pay as well. Not surprisingly, 74 percent of directors oppose prohibiting the use of non-GAAP measures in executive compensation calculations.

Overcommitted Board Directors

The board directors we surveyed also expressed growing concern with the issue of overboarding. The responsibilities and time commitment required of board members have increased in recent years. In 2014, directors of public companies spent an average of 278 hours annually on board-related matters, according to a National Association of Corporate Directors (NACD) survey. And the demands are growing.

Three-quarters (74 percent) of the board directors we surveyed were supportive of placing limits on the total number of boards on which a director can serve. Among those who favor limitations, 79 percent would set more stringent limitations than the proxy advisory firm recommendations. Forty-four percent would set the limit at three boards; more than a quarter (28 percent) chose four; and 19 percent of directors agreed with the five-board maximum suggested by proxy advisors.
