In an effort to make your (work) life better, we recently wrote about how to communicate with leadership successfully. Happily, the response to the blog and the accompanying guide was off the charts – this is clearly a topic that’s near and dear to the heart of Compliance leaders. Now, let’s assume you’ve memorized our advice and you’ve just been asked to present to the board. You might think you know how to do it, since you know how to communicate with leadership. Well first, thank you for memorizing. (But really, you can always look that stuff up, so you may want to consider using your brain cells on other things). Second, eh, not quite.
Your company’s leadership and the board have different perspectives and goals, so successful communication regarding Security Compliance posture with each group requires different preparation and different focus. For example, the kind of detailed granular reporting leadership expects regarding control status is wrong for the board. On the other hand, the board may want to talk about things that leadership already knows without being told. So let’s discuss five key points on how to approach talking to your board about Compliance.
One further point. When you are talking to the board, you are probably talking to only part of the board, such as the audit committee. We’ll use both terms interchangeably, unless we say otherwise.
You likely will not have much time to deliver your presentation so be prepared to stick to the basics. Aim to discuss your top three to five points, leave time for discussion, and be ready for a back-and-forth.
The board’s role tends to take a more adversarial slant than internal leadership does. Not that they are your enemy, of course – they just want to make sure that the business is protected. More specifically, the audit committee’s role, according to Investopedia, “includes the oversight of financial reporting, the monitoring of accounting policies, the oversight of any external auditors, regulatory compliance and the discussion of risk management policies with management.” These are broad responsibilities that don’t require deep dives into technical detail. The questions they’ll ask are broader, like “Is this issue a concern?” and “Why haven’t we fixed that?” So you need to be prepared. This is not a conversation among peers who all understand the subject equally well. They have questions and you’ll need to know the answers.
How issues affect your business - This is their main focus. How does the company’s Compliance program support the business’s goals? How do we know we're going to stay compliant? Are we in a position to discover fraud internally? How are we managing material risks? etc. Be prepared to give enough detail to make your points without getting bogged down in stories the board has no time or interest to hear. In addition, their awareness and understanding of external threats may prompt further questions. Which leads to the next point…
Current events - Check the headlines of the financial publications board members are likely to be reading. If those pages are full of warnings about X vulnerability or Y malware, they’ll likely ask you about it. You, of course, know full well how the company is protected against the threat, or why the threat is no longer an issue, but the board doesn’t; they want to be able to sleep at night, so they need to know why the company is safe. Don’t count on them forgetting to ask about the company’s internal programs and Compliance posture, and consider how you’ll answer if they jump straight to the issues on everyone’s mind.
“What’s that red thing?” - Naturally, the board will want to know about anything on a slide that’s in red. Be proactive about it: come prepared with the reasons for that issue and the options that can turn it around. Let them know how the problem is being chipped away — or what can resolve it, even if that action can’t be taken right now.
The historical perspective - Board members want to see a reduction in risk levels and other unfavorable elements. If the company has said in the past that something will be improved, the committee will want to hear how it’s been fixed. If they see the same risk level every quarter, they’ll want to know why the company isn’t reducing that risk. Is it a lack of resources? Is the team not doing its job? Anticipate those questions.
The risk narrative - Rather than avoid questions about risk, bring it up and lead the conversation. Report on the company’s risk management program—and consider whether talking to Security first will help you frame the discussion. Thanks to your risk register, you should be able to talk about how risks have evolved quarter-over-quarter (or over whatever period is relevant), the relative priorities of those risks, which ones are low-level, and what is being done to minimize the likelihood that the other risks will affect the company. You want to be able to say: “Here’s what we said we would do last time, and here’s how well we’ve done on that count.” Otherwise, you may have to think fast on your feet when the questions start.
Don’t go into minutiae - When you talk to internal leadership, you’re generally talking to someone higher up who knows the finer points of what you do and why it’s important. But talking to the board requires a different skill from line reporting. The board is often made up of very smart people without the precise technical knowledge you have. It’s likely they don’t deeply understand the technical details of the issues you’re dealing with. And they don’t need to. They need to see the bigger picture and how issues affect the business. Avoid details that don’t help answer their concerns.
Don’t complain - Presenting to the board is not a gripe session. You cannot dump problems on the board and think you’ve done your part. You can’t blame others. The board needs to know about problems that could affect the business, but it’s your job to have assessed those problems, figured out solutions, and started to implement them. Or if you need the board’s input to decide on solutions, you can present the choices: “We're at a crossroads; we can either continue to not invest in what we need, and face X risks, or we need Y money to protect us.” The presentation should be action-oriented. You’re there to give the board context that drives them to make decisions. But saying, “Here’s a problem, please fix it” won’t give the board what they need.
Don’t pretend everything is great if it isn’t - Do not paint a fake rosy picture. Again: These are smart people who take their responsibilities seriously. You know they have fears and concerns. Your job is to anticipate them and address them. So if there are challenges that the company is facing, your job is to focus the board on which are the most important and what the company is doing about them.
If you believe that success depends on getting more funding, now’s the time to bring this up. The board may ask questions like, “Are we spending enough to protect the company?” If you don't think so, say, "We are under-investing and that's not good." Again: no blaming the C-Suite. Here’s where you need to voice what could help the business, without tattling on higher-ups. It’s a delicate balance. But now’s the chance to get funding, by focusing on how your needs and the board’s priorities are aligned. So if, for example, you believe that a certain expenditure is necessary for the business to adapt to changed global circumstances, show the board how you’ve used data to reach your conclusions.
A successful presentation to the board starts with putting yourself in their minds, in terms of what they value and what they worry about when it comes to Compliance posture. Whatever you say should be relevant in terms of the business as a whole, because that’s what matters to the board. Make the most of the limited time available. Cover issues that are important to you and would also be important to them. But be prepared for questions. Don’t get into details that will only muddy what you’re trying to say. Think, and present, from the point of view of a business person.
Finally, if you prepare year-round by taking a structured approach to data, so that you are always prioritizing risks and paying attention to the things that most warrant it, you’ve got a great start. You are able to show the board that you know the risks and that you’ve made progress over time by solving problems based on data. That’s how you give the board members confidence that the business is protected. That’s how they know you’re making the right decisions. And this is the basis of a successful Compliance presentation.