Chapter 2 Flashcards

1
Q

T 1.1 Risk - how does this NACD text define it (based on an ISO definition)? What are 2 related definitions?

A
  • Risk is “the effect of uncertainty on objectives,” which can be a negative or positive deviation from expectation
  • Pure risk - possibility of loss without possibility of a gain
  • Speculative risk - can bring either loss or gain
2
Q

T 1.2 8 practices for effective risk oversight

A
  1. Understand the company’s risk profile, i.e., the major risks inherent in the company’s business model and strategy
  2. Define the company’s risk appetite, i.e. “ the amount and type of risk that the organization is prepared to pursue, retain or take in pursuit of its strategic objectives” (ISO)
  3. Clarify roles of board, committees, and mgmt.- all parties matter (as well as often outside advisors), and it is important to have a protocol for how they should work together
  4. Integrate discussions of strategy, risk, and performance
  5. Ensure transparent and dynamic risk reporting, including regular reporting of top risks, risk rankings and the approaches taken to manage those risks
  6. Reinforce clear accountability for risk
  7. Verify that mitigation reduces risk exposure
  8. Assess risk culture, defined as “the behavioral norms of a company’s personnel with regard to the risks presented by strategy execution and business operations.”
3
Q

T 1.3 What are 3 challenges to providing effective risk oversight

A
  1. Oversight of disruptive risks
  2. Quality of the risk mgmt process
  3. Oversight of reputational risks
4
Q

T 1.4 Guidance for providing risk oversight - 10 recommendations

A
  1. Understand the company’s key drivers of success.
  2. Assess the risk in the company’s strategy.
  3. Define the role of the full board and its standing committees with regard to risk oversight.
  4. Consider whether the company’s risk management system is appropriate and has sufficient resources.
  5. Work with management to understand and agree on the types (and format) of risk information the board requires.
  6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness to challenge assumptions.
  7. Closely monitor the potential risks in the company’s culture and its incentive structure.
  8. Monitor critical alignments, including that of strategy, risk, controls, compliance, incentives, and people.
  9. Consider emerging, disruptive, and interrelated risks. What’s around the next corner?
  10. Periodically assess the board’s risk oversight processes and culture. Do they enable the board to achieve its risk oversight objectives?
5
Q

T 2.1 Which definition of the term crisis does the NACD use?

A

A crisis can be defined as a “realized risk that threatens to substantially disrupt, damage or destroy the organization’s operations, business, or reputation.”

6
Q

T 2.2 What are 3 roles of boards in relation to crisis situations (before, during, after)?

A
  • Before: providing oversight of crisis preparations, including regular discussions, simulations/table tops
  • During: actively participate, as needed (particularly if the crisis involves the CEO!)
  • After: conduct post mortem to ensure that lessons are learned and plans are adjusted
7
Q

T 2.3 10 (potential) board action steps during a crisis

A
  1. Assess the magnitude of the crisis and how active a role the board should play
  2. Add additional directors to the board with certain skill sets, if more expertise related to the crisis is needed.
  3. Consider creating a temporary board committee
  4. Hold board meetings with independent directors only to assess management’s response
  5. Ask management to provide regular reports to the board on the status of the crisis. Give feedback to management.
  6. Determine with management what happened, who was involved, how company operations have been affected
  7. Question management’s assumptions
  8. Consider additional sources of information e.g., an independent investigation. Anticipate what additional facts the investigation may find
  9. Ensure all relevant internal business lines have been notified of the crisis and that management is informing all impacted stakeholders
  10. Assist management in providing communications that take responsibility for the crisis, if necessary, while also considering the implications for the company’s liability.
8
Q

T 2.4 4 key board challenges in the face of a crisis

A
  1. If CEO is part of the crisis - board needs to take a big role
  2. Escalation of information to the board - consider establishing guidelines for what should be communicated to the board (no trivialities, but also no cover-ups)
  3. Maintaining company performance (in addition to effective crisis response)
  4. Board and management disposition and experience - consider board and management traits to handle crises during the selection process
9
Q

T 3.1 Which definition of the term “cyber security” does the NACD use?

A

Cyber security is here defined as “the preventative techniques used to protect the integrity of networks, programs and data from attack or unauthorized access”

10
Q

T 3.2 Which definition of the “data privacy” does the NACD use? How does data privacy (in this definition) relate to cyber security?

A

Data privacy is “the appropriate use and protection of personal information”; it is contingent on cybersecurity, since personal data cannot be used appropriately if the systems holding it are not protected from unauthorized access

11
Q

T 3.3 What are 6 common types of cyber attacks?

A

● Malware: malicious software variants, including viruses, ransomware, and spyware. These programs can harm a business by, e.g., destroying databases or damaging business infrastructure.
● Botnets: a network of compromised computer systems that perform automated tasks without the permission or knowledge of the device owners. Attackers use the computing resources of these systems to execute large-scale attacks (e.g., distributed denial-of-service) and other malicious activity.
● Social engineering: attempts to manipulate people into giving up sensitive business information, such as login credentials, employee records, and banking details. This form of attack is typically delivered through phishing emails.
● Advanced persistent threat (APT): using stealthy and sophisticated tactics, attackers gain unauthorized access to a network or system and can remain undetected for months or years.
● SQL injection: a code injection flaw in applications (typically web applications) that build database queries by concatenating untrusted input, such as a form field or URL parameter, into the query text. The vulnerability allows an attacker to alter the queries the application sends to its database and thereby read, modify or delete data the application was never meant to expose, including data belonging to other users.
● Denial-of-service attack: an attacker inundates a server with traffic and drains the resources necessary to keep it functional.
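The SQL injection item above is the one attack type on this card that is easiest to understand by seeing it happen. The following is an added example, not text or code from the NACD handbook: a constructed in-memory SQLite table with a login-style lookup written two ways, once by string concatenation (vulnerable) and once with a bound parameter (hardened). The usernames, hashes and payload strings are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original page): a small users table
# with one admin, one ordinary user and one name containing an apostrophe.
SAMPLE_USERS = [
    ("alice", "h1", "admin"),
    ("bob", "h2", "user"),
    ("o'brien", "h3", "user"),
]

# Constructed attacker inputs.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"                                   # returns every row
UNION_PAYLOAD = "x' UNION SELECT password_hash, 'leak' FROM users--"  # exfiltrates another column


def make_db():
    """Build the in-memory database. Rows are inserted with bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Query built by string formatting: the caller's input becomes SQL text,
    so quotes and keywords in the input change the meaning of the query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same query with a placeholder: the driver binds the value separately,
    so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both versions against a normal input, two attack payloads and a
    legitimate name containing an apostrophe; return the results by label."""
    conn = make_db()
    results = {
        "vuln_normal": lookup_vulnerable(conn, "bob"),
        "safe_normal": lookup_parameterized(conn, "bob"),
        # Tautology: WHERE username = 'x' OR '1'='1'  -> every row
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "safe_tautology": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        # UNION: appends a second SELECT that reads password hashes; the
        # trailing "--" comments out the closing quote the template adds.
        "vuln_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_union": lookup_parameterized(conn, UNION_PAYLOAD),
    }
    # Edge case: a legitimate apostrophe breaks the concatenated query,
    # while the parameterized query handles it as ordinary data.
    try:
        results["vuln_apostrophe"] = lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        results["vuln_apostrophe"] = f"error: {exc}"
    results["safe_apostrophe"] = lookup_parameterized(conn, "o'brien")
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:16} {value}")
```

The two attack payloads illustrate the two consequences named on the card: the tautology payload makes the vulnerable lookup return every user, and the UNION payload makes it return a column (the password hashes) that the query was never written to expose. The parameterized version returns nothing for either payload because the whole string is compared literally against the `username` column. The apostrophe case shows that the fix is not just a security measure: the concatenated query cannot even handle a legitimate name such as o'brien without erroring, which is usually the first sign in production logs that input is reaching the SQL text unescaped.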

12
Q

T 3.4 What are the 3 key components of cybersecurity oversight?

A
  • Establishing an enterprise-wide cyber-risk management framework; most common standard - NIST
  • Giving regular and adequate time on board and committee agenda to cyber security. Recommended MINIMUM frequency: semi-annual for the full board, quarterly (!) to the committee charged specifically with cybersecurity oversight
  • Adhering to public disclosure and reporting requirements
13
Q

T 3.5 What are 7 common elements of data privacy programs?

A

● identifying and prioritizing the data to be protected;
● complying with relevant laws and regulations;
● developing and reinforcing a comprehensive data privacy policy;
● establishing roles and responsibilities;
● identifying and mitigating threats, external and internal, to sensitive data;
● setting and tracking metrics; and
● training employees and other stakeholders

14
Q

T 3.6 What are 3 common challenges to providing cybersecurity oversight?

A
  1. Ensuring that the board has access to cybersecurity expertise
  2. Recognizing the legal implications of cyber risks; note - business judgment rule protects directors if they perform reasonable levels of oversight!
  3. Determining the organization’s cyber-risk tolerance
15
Q

T 3.7 What is the NACD’s guidance on providing oversight of cybersecurity and data privacy (5 items)?

A
  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.