korn ferry market cap 100 - 2014 · korn ferry market cap 100 1 introduction cybercrime comes with...
TRANSCRIPT
About Korn Ferry
At Korn Ferry, we design, build, attract
and ignite talent. Since our inception,
clients have trusted us to help recruit
world-class leadership. Today, we
are a single source for leadership and
talent consulting services to empower
businesses and leaders to reach their
goals. Our solutions range from executive
recruitment and leadership development
programs, to enterprise learning,
succession planning and recruitment
process outsourcing (RPO).
Visit www.kornferry.com for more
information on our services, and
www.kornferryinstitute.com for
more articles, research and insights.
2014 KFMC
KO
RN
FE
RR
Y
KF
MC
100
20
14
The Korn Ferry Market Cap 100 2014
KORN FERRY MARKET CAP 100
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Translating cyber-risks into business terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Asking the right questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing cybersecurity risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The bigger context and the bigger threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Appendix A: The KFMC100 companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Appendix B: The KFMC100 Class of 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Appendix C: The KFMC100 boards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1
4
8
12
16
20
24
30
42
1KORN FERRY MARKET CAP 100
Introduction
Cybercrime comes with a staggering price tag: an estimated .4% to 1.4%
of global GDP. The cost to the US economy alone could be as high as
$100 billion annually, according to a 2013 report by the Center for Strategic
and International Studies, a Washington, DC-based public policy research
institution.
High-profile companies—as well as those that don’t
make the headlines—routinely fall prey to cybercrime of
one variety or another: data theft, financial fraud, denial-
of-service attacks, corporate espionage. The losses are
not simply financial, but also of intellectual property,
equipment, consumer trust, reputation, and growth.
Boards are taking notice. Cybersecurity increasingly
is viewed as part of the array of risks boards are
charged with overseeing—and not something that
can be outsourced. According to a recent article in
The Wall Street Journal: “After a series of high-profile
data breaches and warnings, corporate boards are waking to cyber-threats,
grappling with security issues they once relegated to technology experts.”
But awareness doesn’t always translate into practical ways of addressing
the problem. How can boards fulfill their fiduciary duties and ensure their
companies are adequately prepared to deal with inevitable breaches?
In this year’s KFMC100 we focus on the questions that are of critical concern
to boards tackling cybersecurity: What information must directors review?
How can they ensure they are making informed decisions? What people and
expertise do they need in what roles? And how should they aim to improve
oversight going forward?
Complete protection is a lofty but unrealistic goal when it comes to
cybersecurity. Given the sheer number and types of incidents, and how
they are continually morphing, the odds of avoiding an attack are slim.
Preparedness and managing business consequences are realistic goals,
Cybersecurity
increasingly is
viewed as part
of the array of
risks boards are
charged with
overseeing—and
not something
that can be
outsourced.
2
however. In our report we suggest specific steps boards and management
can take—in advance of an attack—to ensure speedy detection, diagnosis,
response, and recovery in the event of a breach. These precautions can serve
to minimize damage and avert potential catastrophe.
At many companies, the line of sight that directors require to effectively assess
and deal with the issue remains obscured by barriers both structural and
informational. One way to surmount these barriers is to recruit a cybersecurity
expert to the board, a step those we interviewed had varying opinions on.
Our research shows that among the 98 directors
added to KFMC100 boards in 2013, only 3% had
specific security experience. But risk management
experience climbed from 5% of new directors in
2012 to 21% in 2013, and compliance experience
also rose, from 12% to 24% of new directors. Clearly
boards have their eye on risks. Recruiting some
variety of cybersecurity expert to the board may be
a necessity for some companies. But, depending on specific circumstances at
individual companies, there also are ways to properly manage the exposure
of networks and security without adding that expertise. We discuss a range
of options boards can employ to ensure they are covered.
We also address the broader concerns companies have about building a
more cybersecure world. The process of addressing cyberthreats may start
at the individual company level, but more effective, permanent solutions lie
in partnerships and initiatives taken with other companies and cooperation
with the public sector. The need to safeguard confidential corporate
information, customer data, and intellectual property is significant. But at
their worst, cyberattacks are not just threats to corporations but to the entire
global infrastructure, affecting a wide span of systems, from water to power,
transportation, communications, and others.
We would like to thank a number of individuals for their time and insights,
which added immeasurably to this report.
First, our external experts, who provided a range of views that helped
crystallize the issues and define steps forward for boards:
Melissa Hathaway — a private sector cybersecurity expert known for her
work as the director of the Joint Interagency Cyber Task Force within
the US Office of the Director of National Intelligence from 2007 to 2009.
The odds of
avoiding an attack
are slim. But
preparedness and
managing business
consequences are
realistic goals.
3KORN FERRY MARKET CAP 100
John Hinshaw — the executive vice president of technology and
operations for Hewlett-Packard and former chief information officer
(CIO) at Verizon Wireless and Boeing. He recently joined the board of
BNY Mellon.
Dr. Ronald Sugar — the former chairman and CEO of Northrop Grumman
who currently serves on the boards of Air Lease, Chevron, Amgen, and
Apple.
Ambassador R. James Woolsey Jr. — a former director of Central
Intelligence, who chairs the board of the Foundation for Defense of
Democracies, and is a Venture Partner with Lux Capital Management.
He has served on numerous corporate and non-profit boards.
We would also like to thank our internal team of experts who contributed to
this report: Vice Chairmen Dennis Carey, Robert Hallagan, and Stephen Mader
of Korn Ferry’s Board & CEO Services Practice, as well as co-leaders of the
firm’s cybersecurity practice, Aileen Alexander and Jamey Cummings.
It is our hope that the insights captured in this report will arm directors with
the right questions as they grapple with this newer, far more insidious breed
of risk and provide them with some focus as they determine how best to
protect all their stakeholders.
4
Translating cyber-risksinto business terms.
“I have a hypothesis,” says Melissa Hathaway, private sector cybersecurity
expert and former cybersecurity “czar” under Presidents George W. Bush and
Barack Obama: “Until cybersecurity is reflected in balance sheet terms, it’s
never going to be fully embraced by the board.”
The key to a board’s successful oversight of cybersecurity, observes Hathaway,
is identifying it as risk, albeit in a new guise, and managing it with the same
diligence and processes applied to other risks. That will help to ensure
cybersecurity remains visible on directors’ dashboards and that key metrics
will be used to measure how well the job is being done.
Cybersecurity is a major concern at companies of all sizes and has a
measureable impact on many facets of operations, and certainly profitability.
Yet the scale of that impact is often obscured or lost in translation. Unless
directors can cut through the technical jargon in what are often massive
amounts of information they receive, the size of the risk and the steps to
mitigate it may not be clear. Instead, Hathaway says, the risks need to be
translated into a language most directors know well: dollars and cents.
Companies have for years turned to IT to lower
manpower costs and increase productivity to
add to the bottom line. But—and this is a big
but, Hathaway warns—as companies leverage
this “IT dividend,” more open and available
access to networks presents a far greater risk
of service disruption, unprecedented crimes
against the infrastructure, IP theft, and more.
It’s a chilling prospect, especially when one
considers how our essential services, from the power grid to the banking
system to air traffic control, are all dependent on a functioning Internet.
Capturing this increased risk, and potential attendant costs, is crucial. As
companies reduce operations costs through technology, they should factor
As companies reduce
operations costs through
technology, they
should factor into the
equation—in both capital
and operational terms—
the toll of inevitable
breaches.
5KORN FERRY MARKET CAP 100
into the equation—in both capital
and operational terms—the toll
of inevitable breaches. “How do
you measure the cost of replacing
infrastructure? Or replacing millions
of credit cards? Most companies
are not reflecting this in balance
sheet terms, so costs are hidden,”
Hathaway says.
Tackling cybersecurity will also require some ingenuity. “We can’t solve the
problem with the same thinking that was used when we created the Internet,”
Hathaway observes. The US government-funded Internet was created with
the express and limited purpose of enabling direct communications between
the president and the military in the event of nuclear disaster.
“It was not designed to be the global backbone of e-commerce,” she contends.
“In 1990, the World Wide Web was created by an engineer working at CERN,
the particle physics laboratory in Geneva, Switzerland. That innovation was
quickly followed by the development of search engines designed to navigate
the web. From that point, governments were challenged to enable and ensure
ready availability of high-speed connectivity at a low price point so we could
all benefit from the information society. That challenge unfortunately did not
include a focus on security.”
The Internet grew exponentially more sophisticated and accessible over
those 25 years, but it now has to be retrofitted to build security into its
very infrastructure. “Currently, we all have two or three Internet-enabled
devices. By 2015 we’ll have an average of five or so, and by 2020 we’ll have
a minimum of 10,” Hathaway says. “If we haven’t addressed security issues,
cyber-risks will double by 2015 and continue to multiply. We’re running out
of time.”
As part of a plan to make their companies more cybersecure, boards should
be aware of all the unauthorized ways individuals or organizations can gain
access to their networks. Hathaway notes that “it might be a trusted employee
who comes to work with tainted technology,” a more common scenario now
given the popularity of bring-your-device-to-work policies. “Or it could be an
employee with more malevolent intentions using a thumb drive or a DVD to
steal critical information or poison the infrastructure,” she says.
6
Another burgeoning threat stems from employees’ use of their own devices
over free Wi-Fi networks that lack a secure connection. “It’s easy for someone
to get sensitive information and gain access to the enterprise by deploying a
technology in the proximity of a network or database,” she explains. Perhaps
an even more troublesome threat, according to Hathaway, is infiltration that
might happen somewhere in the global supply chain. Mechanisms are needed
to protect against malicious modification or substitution of technology
anywhere along the IT product life cycle: design, manufacturing, integration,
distribution, operation, maintenance, and retirement. Hackers also can gain
access via the digital links used by third parties—suppliers, contractors, or
consultants—a security gap that may be overlooked.
“This strain is particularly insidious because it is difficult to determine if
illicit activity is taking place in the infrastructure. We’re facing a dangerous
combination of known and unknown vulnerabilities—strong adversary
capabilities and weak situational awareness—across those different attack
vectors,” Hathaway says.
As both a cybersecurity consultant and corporate director, she sees some
possible solutions but is also realistic about the challenges of taming the
cybersecurity risk. Looking through her director’s lens, she says, boards
should be regularly asking:
Is cyber-risk accounted for in our overall corporate planning process? The
board needs to be assured that cyber-risk is an element of a broader risk
framework and that exposures are recognized and being planned for. “For
most companies, this is not the case,” Hathaway observes. “Cyber-risk is not
viewed alongside other risks in the planning process.”
What is the process for evaluating security and measuring liabilities? Boards
should know not only what controls are in place, but how they are evaluated.
Is the company following best practices for its security? If so, what is the
source? “Boards should also know whether there is a third-party audit and
how often there are breaches and their costs,” she says. “All of this will vary by
company and industry, but you’ve got to measure the cost and make sure it’s
reflected on the balance sheet like other liabilities.”
Do we have directors with relevant expertise? Although there is a difference
of opinion on whether boards require general technology expertise—let alone
specific security expertise—Hathaway believes it’s important to have one or
7KORN FERRY MARKET CAP 100
more directors who understand IT and its associated risks, or have a security
background. “It’s an important risk area that must be managed by someone
with qualifications. And it needs to be integrated properly into the committee
process, whether on the audit, finance, governance, or risk committee, rather
than a general topic that is discussed in detail with the full board,” Hathaway
says.
Have we identified executive ownership of the issue? Hathaway believes
the CEO has ultimate accountability for cybersecurity. “The CEO should
have controls in place that indicate how cybersecurity is being managed and
the true costs to the business, which should be part of both an internal and
external audit,” she suggests.
What will we do in the event of a breach? If and when there is a problem, can
we deal with it quickly and minimize the damage? Do we have a process for
communicating effectively, internally and externally? How will we deal with
the costs?
Hathaway offers a few other cautionary observations, starting with attending
to the executive reporting structure. “Often the chief information security
officer (CISO) reports to the CIO, and decisions made this way could potentially
make the enterprise less secure,” she notes. “The CISO is responsible for
keeping the enterprise safe and the CIO is responsible for keeping the
enterprise running 24/7. An inherent conflict. It should be a shared decision in
the C-suite with the CEO assuming ultimate responsibility.”
Hathaway also warns that computer network security regulations are probably
coming down the pike; the SEC’s recent announcement of “no-notice audits”
of financial institutions is a signal of what boards should anticipate. “Will
the SEC provide general guidance or be prescriptive? Or will boards be in
a position to tell the SEC what they’re already doing? Certainly boards that
can demonstrate rigorous oversight of cybersecurity prior to any formal
regulations will be in a far stronger position,” she says.
8
Asking the right questions.
Boards should recognize that it is best governance practice—indeed, directors’
fiduciary duty—to anticipate digital attacks. Taking aggressive cybersecurity
steps, rather than merely battening down the hatches and waiting for
regulations to emerge, is the way to go. The challenge of cybersecurity can’t
be overstated.
That’s the view of Dr. Ronald Sugar, former CEO of Northrop Grumman,
who currently serves on the boards of Air Lease, Chevron, Amgen, and
Apple. He quotes former NSA Director General Keith Alexander, who called
cyberindustrial espionage—possibly the most serious digital threat to major
corporations—“the greatest transfer of wealth in history.”
Perhaps in part because he served as CEO of
a major defense contractor, Sugar has been
hyperaware of the need for greater cybersecurity
and the changing nature of the threats companies
face. The focus used to be on updating antivirus
software and building a protective firewall around
systems. But with increasingly complex networks
and mobile device access, there is no longer a
clear perimeter.
“We have to figure out other ways to deal with this,” he says. “The whole
concept of the Internet is that it is uncurated; it was created to connect, not
to protect. No one is in charge of it. There’s no magic bullet that will solve the
security problem, but it helps to have smart people in your company, advised
by other smart people on the outside, and to build layered defenses.”
As a defense industry leader, Sugar sounded the alarm early, in 2009, in an
open letter to President Obama: “These cyber attacks occur daily and are
increasing. The race to defend against them constitutes the most critical
military and economic imperative of this century. Yet this is a race we are
9KORN FERRY MARKET CAP 100
losing,” he wrote. In the letter, published in Aviation Week & Space Technology
magazine, he recommended actions government and industry should
consider to meet this challenge.
Five years on, he’s seen some gains. “There’s been enormous progress in the
area of awareness,” Sugar notes. “Unlike 2009, there is no one in corporate
America today in a serious position of responsibility who doesn’t know about
this threat. Everyone is talking about it—although some are doing more than
others.”
As Sugar sees it, that’s the challenge that remains: moving from knowing
about the threat to putting controls in place. “On boards I’m involved with,
I see management paying more attention
to cyber-risk now; they understand
the serious consequences to finances
and reputation. CEOs can be fired over
this. So it’s garnering more attention in
boardrooms across the country,” he says.
“The big challenge is that very few board
members have expertise in this area. What
should the board be asking management
so the board knows the company is
reasonably protected?”
Adopt the perspective of a hacker, Sugar suggests. Ask this question: If you
wanted to destroy the value of your company, what would you do? “The
board should regularly be addressing this topic with management: What are
the biggest threats we face and what are the potential consequences?” he
says. This is a dialogue the board should have with the CEO, Sugar contends,
not something you want only a report on from the CIO.
Boards also must scrutinize how the company invests in IT security. Is
it spending just enough to get by, or investing to get a reasonable level
of protection given the assumption that some risk will always remain?
Dashboards and charts may aid these discussions, but in the end, directors
fundamentally must decide if they are confident that management has a
comprehensive cybersecurity plan in place. “There may be a quantitative
basis to the discussion, but it really comes down to a gut feel the board has
concerning whether management knows what it’s doing,” Sugar says.
“The big challenge is
that very few board
members have expertise
in this area. What should
the board be asking
management so the board
knows the company is
reasonably protected?”
— Dr. Ronald Sugar
10
To reach that degree of confidence, boards should seek answers to the most
basic questions:
In the event of a breach, who is in charge internally and how is it communicated
externally? “The company’s brand is the trust people put in you,” Sugar says,
“and, for example, laying low on reporting credit cards that were stolen three
weeks ago is not a good strategy.”
Do we have the right team and resources dedicated to this? The CISO needs
to come before the board at least twice a year. But if his or her briefings are
unduly technical or complicated, that’s a red flag.
If that gut feeling is that the company is at risk and management isn’t taking
appropriate action, it is the board’s fiduciary duty to bring in an outside
consultant. But that should be a last-ditch option, Sugar says, because it’s
one that indicates a lack of confidence in
management—equivalent to bringing in outside
counsel rather than relying on the general
counsel.
In Sugar’s view, the board doesn’t necessarily
need a director with cybersecurity expert
credentials. Rather, the board requires directors
with a high level of awareness regarding the
issue. “You need broad expertise on the board,
but it is helpful to have one or two directors who are capable of understanding
the key issues related to cybersecurity,” Sugar notes. He or she doesn’t need
to be a certified expert, he explains, but should be someone who is capable
of grasping the issues, formulating questions for management, and willing
to serve on the committee responsible for risk. That’s the role Sugar says he
plays on several of his boards.
Another modus operandi that Sugar suggests is to periodically drop in—with
the CEO’s blessing—on the people who manage cybersecurity day to day to
“spend time with them in their native habitat and gain an understanding of
threats they’re dealing with.” It’s a more natural way of learning and absorbing
information, and far preferable to putting someone on the spot in a formal
board meeting. It’s in these less-formal conversations with someone like the
CIO or CISO that board members may identify risk-protection measures that
“You need broad
expertise on the board,
but it is helpful to have
one or two directors
who are capable of
understanding the
key issues related to
cybersecurity.”
— Dr. Ronald Sugar
11KORN FERRY MARKET CAP 100
are needed but not appropriately budgeted for. In that case, it’s the board’s
duty to bring the gap to the attention of the CEO, asking, “What if something
went bad and we hadn’t adequately funded security efforts?”
Most acutely, Sugar worries about the inevitability of a “cyber Pearl Harbor,”
an attack that would require a fast and coordinated response from the public
and private sectors. A chief concern is that US policies are generally reactive
rather than proactive. “The regulatory response to Enron was Sarbanes-Oxley;
the financial crisis led to Dodd-Frank. What will we as a nation immediately
do when there is a risk to our water or power or communication systems?
They are the only things that separate us from living in the Stone Age,” he
says.
In the boardroom, however, directors have to view risk management—
including the digital kind—as a balancing act. “Some people want to ensure
that companies never take big risks. But a company can’t be competitive
without innovation and calculated risk,” Sugar contends. “In the end, the
greatest risk is getting overwhelmed by the competition. That’s why you want
people with judgment on boards—because if you’re not willing to take some
risk, and you’re just doing what everyone else is doing, why should you be
entitled to a superior financial return?”
12
Managing cybersecurity risk.
As the executive vice president of technology and operations at Hewlett-
Packard, John Hinshaw oversees the company’s global information
technology group as well as key operations, including global sales operations,
procurement, real estate, and global business services. With this, comes
responsibility for HP’s cybersecurity.
Hinshaw knows that discussions on cybersecurity can quickly become a deep
technical debate with the potential to lose
relevance to the business impact. His years
as a CIO—previously at Boeing and Verizon—
plus his broad management experience give
him the ability to advise on security topics
at the board level, educate in nontechnical
terms on cybersecurity, and recommend
approaches for cybersecurity oversight.
Although the topic is new to many boards, it’s
familiar terrain to Hinshaw. In the late ’90s, he
was responsible for briefing Verizon’s board
on the Y2K threat. At that time there was no
framework for assessing risks to information
technology systems at the board level. Shortly thereafter came the Sarbanes-
Oxley Act, which addressed controls and risk in key systems and processes.
As the risks to IT systems and cyberthreats are now reality for all companies,
a framework focused on people, processes, and technology is the right
approach for boards to guide their discussions and make sure they are taking
a rigorous and systematic approach to cybersecurity.
People. “First, it’s essential to make sure the right people are in the right jobs,”
Hinshaw says. The team working on cybersecurity must fully understand
today’s array of risks and know how to stay abreast of new threats. They
have to build a network with other companies and educate employees about
As the risks to IT systems
and cyberthreats
are now reality for
all companies, a
framework focused on
people, processes, and
technology is the right
approach for boards to
guide their discussions
and make sure they are
taking a rigorous and
systematic approach to
cybersecurity.
13KORN FERRY MARKET CAP 100
safe computing practices. “Directors need
to be assured that they have the right chief
information security officer with the best
technical team to mitigate the cybersecurity
risk for the company,” he warns.
Processes. To ensure boards are addressing
a wide array of cybersecurity risks,
Hinshaw advises that directors review a
comprehensive list of computing risks and
understand the remediation and timeline
accordingly. “Some security risks focus on
compliance and have a standard associated
with them. Examples of compliance risks
are processing credit cards, resetting passwords, and establishing firewalls,”
he explains. The goal is to thoroughly grasp how the security issues could put
the company at risk. “You have to possess an in-depth understanding of the
company, the products and services offered, and where the risk points are,”
he asserts. For retailers, that is likely point-of-sale systems. For manufacturers,
it’s the factory and supply chain systems. For connected devices, it’s the
products themselves and the microcode that enables them. On top of that,
every company needs to protect employee and customer data, Hinshaw says.
Technology. There are some specific questions boards need to ask on a regular
basis, according to Hinshaw: “Do we have adequate firewalls and intrusion
prevention in place, and how often are the associated policies updated? Are
desktops and mobile devices fully secured to prevent attacks from malicious
websites and Trojan horses? How often do we educate employees on
cybersecurity risks and what to do if they think they’ve been breached? How
is company data encrypted and who has access to the encryption keys?”
One growing challenge, at HP as elsewhere, is the “bring your own device”
trend. With more than 160,000 such devices at HP, a great deal of coordination
is required for people to access what they need without compromising
corporate security. “Employees expect to connect to our global systems on
their smartphones and it’s key to business needs in many cases. We employ a
variety of technologies to protect corporate data,” Hinshaw says. “We have to
ensure employees’ personal use of the device doesn’t compromise corporate
security.”
14
The most crucial information in the company needs special safeguarding.
“The ‘keys to the kingdom’ should be locked down on their own separate
network, with a multilayered defense strategy, and accessible to as few people
as possible,” he advises.
Even with the right people, processes, and technology, every company
remains at risk and a frequent review by directors is vital to ensuring these
risks are understood and addressed with urgency.
As he explains his framework, Hinshaw says he realized early in his career that
security was going to be an important topic. “I took a computer security class
in college 25 years ago and heard about students hacking into the library so
they could check out more than one book at a time. Today major corporations
being hacked is an everyday event and as I meet with HP’s key customers,
security is always top of mind.”
16
The bigger contextand the bigger threat.
“You’ve got to think like a bad guy,” advises Ambassador R. James Woolsey
Jr., former director of Central Intelligence. Woolsey is waging an awareness
campaign about a potentially devastating cyberattack: one on the electrical
grid.
Even a major corporate breach seems like small potatoes compared with a
serious blow to the foundation on which we all depend for survival. “Anyone
who understates the problem doesn’t really
understand it,” says Woolsey, who now chairs
the board of the Foundation for Defense of
Democracies and is a venture partner with
Lux Capital Management.
The nation’s critical infrastructure—the systems that deliver water, power,
fuel, transportation, communications, and more—were developed largely
by happenstance over time and are fragile. They also are all dependent on
electricity. A power disruption of more than a few days could make companies
forget the inconvenience and expense of replacing customers’ credit cards or
reversing the corrosive effects of malware. “We would quickly move into a
world where people would not have access to water or food and wouldn’t be
able to communicate or gain access to resources,” Woolsey says. “Financial
assets would be useless because, let’s face it, what most of us own is not
anything tangible but rather a collection of ones and zeroes in a computer in
some bank somewhere.”
The “bad guy” mindset Woolsey adopts to fashion solutions to such a
potential catastrophe is something he learned from his father, who was a trial
lawyer. Preparing your opponent’s case is always the way to start, his dad told
him, “not only what he’s likely to do but anticipating the worst, nastiest thing
you can imagine. Prepare that case and figure out how to defeat it.”
The nastiest attack Woolsey imagines could come from cybercriminals,
terrorists, or hostile nations. As he asks himself what they might do, Woolsey
“Anyone who understates
the problem doesn’t
really understand it.”
— Amb. James Woolsey
17KORN FERRY MARKET CAP 100
returns to our dependence on the electrical grid and its vulnerability. “Our
enemies have the ability—if they hate us enough—to take down all or part of
the grid for a substantial period of time and cause greater devastation than
if they were to use nuclear weapons, which might destroy a vast area but not
undercut all of the infrastructure,” Woolsey warns.
The electrical grid is vulnerable to physical attacks but also to an electromagnetic
pulse, whether naturally occurring or intentionally created. The pulses that
cause the greatest concern are long wavelength pulses from the sun or a
nuclear source, he says. “They travel along long transmission lines and destroy
transformers at the heart of the grid,” Woolsey explains. “Those transformers
are tooled for specific applications and if you lose them you’re one to two
years away, at best, from fixing them.”
Certain solar events can cause these long wavelength pulses, but so can
detonation of a nuclear weapon in orbit perhaps only 50 miles above Earth,
Woolsey says.
Considering the sci-fi-like scenario of destruction and the relative ease of
such an attack, Woolsey is stunned by how little the federal government
and industry are doing to prevent such disasters. Russia, Israel, and China
are protecting their infrastructure against electromagnetic pulses, but not
the United States. To raise awareness and marshal support for his view, he
recently wrote an op-ed in The Wall Street Journal supporting the Secure
High-voltage Infrastructure for Electricity from Lethal Damage, or SHIELD
Act, and the Critical Infrastructure Protection Act.
So far the federal government has taken little action on grid vulnerability.
Utility companies have been similarly disinclined to action. “Who’s in
charge? No one, really. There are 50 public utility commissions, one for
each state, usually run by retired public utility executives,” he says. The lack
of incentive also has to do with utility companies’ shared infrastructure
dependence, meaning a whole grid could collapse because of one weak
spot anywhere along the line. “Each utility
says, if I fix these things and my neighbor
goes down he’s taking me with him so it’s
not worth the investment. Ain’t anybody in
charge? Why don’t we have a national energy
strategy? Because no one is in charge,”
Woolsey laments.
“Ain’t anybody in
charge? Why don’t we
have a national energy
strategy? Because no
one is in charge.”
— Amb. James Woolsey
18
There are simple, relatively inexpensive fixes, he
says. Surge arrestors, for example, which would
cost a few billion dollars to install as opposed to
the hundreds of billions it would cost to recover
from a serious incident. “That would mean
adding a few cents to the kilowatt hours on
people’s electric bills, that’s all,” he notes.
The core problem, as Woolsey frames it, is that
no one wants to contemplate an electrical grid-
induced Armageddon. But corporate boards,
whose duties include scoping unimagined risks,
can step into this leadership vacuum. His own
consulting firm, Energy Security Group, is pulling together public and private
partners to work for change, initially at the state level.
“To make this approach work and to gain the cooperation of individual
companies and various state governments, you need a mover and a shaker
or two. But I’ve been on 15 boards over the years, mostly in aerospace, and it
matters a lot whether you have a chairman and one or two key members who
are willing to step up and look at a crucial issue from a national perspective
rather than from a quarterly bottom-line perspective. Get the right people
together and you can get something done quickly.”
20
Conclusion
A recent cartoon in The New Yorker features a group of directors around
a boardroom table, with the chairman addressing them: “We may need to
rethink our strategy of hoping the Internet will just go away.”
Indeed, the Internet is not going away. For better and worse, it is the main
artery to a company’s heart: its employee data, operations systems, customer
account information, and more. With cyberthreats proliferating, and the
negative implications for stakeholders multiplying, security is an issue boards
must get a handle on. Security breaches have the potential to bring large
corporations to their knees, rapidly eroding hard-won reputation and market
share.
It’s become a tech cliché, but unfortunately it seems true: there are companies
that have been hacked, and those that just don’t know they’ve been hacked.
Even if your company hasn’t suffered a damaging breach, is that because of
effort or luck?
A few startling statistics from the Ponemon
Institute, which conducts independent research
on privacy, data protection, and information
security policy: The number of breached records
rose by 350% in 2013, with approximately half
of the US population’s personal information
exposed in a 12-month period. The average time
it took an organization to detect a breach was 32
days—a period during which a great deal of damage could have been done—
an increase of 55% from the prior year.
And the expense of dealing with security breaches? Ponemon’s 2014 Cost of
Data Breach Study: Global Analysis states that the average cost to a company
was $3.5 million, 15% higher than the previous year. Cleanup averaged $250
per data record, and $250,000 to clear up an infection. Most organizations
experience two successful breaches per week in which their core networks
or enterprise system is infiltrated, and all told, most companies will spend
With cyberthreats
proliferating, and the
negative implications
for stakeholders
multiplying, security
is an issue boards
must get a handle on.
21KORN FERRY MARKET CAP 100
at least $1 million on cleanup. And that doesn’t account for “cost” in terms
of lost intellectual property, competitive advantage, customer confidence,
potentially plummeting stock price, and job losses.
Fortunately there are concrete steps boards can take to protect their
companies from this new form of risk, which should be added to the broader
risk portfolio they oversee.
One expert we spoke with was Edward Guiliano, president of the New
York Institute of Technology, which provides intensive training for the next
generation of cybergatekeepers. Board members, he says, need ongoing
education on cybersecurity. They must personally understand where security
risks lie, in hardware as well as software, and ensure that there is proper
training throughout the organization.
“People are always the weakest link in cybersecurity,” Guiliano says. Raising the
average information technology IQ can go a long way toward “safeguarding
business plans, patents before they’re filed, employee data, and everything
else that may be easily accessible on the Internet,” or what he refers to as “our
global nervous system.”
At a minimum, boards should regularly address:
Security strategy. The board must ensure that the company has a strategic
vision and a tactical road map that proactively protect assets and keep pace
with escalating threats and evolving regulatory requirements.
Policy and budget review. Company security policies, and roles and
responsibilities of all relevant leadership, should be evaluated, along with data
security and privacy budgets to ensure they are adequately funded.
Security leadership. The board needs to confirm that the organization has
the credible leadership and talent to develop, communicate, and implement
an enterprise-wide plan to manage cyber-risk.
Incident response plan. The board should oversee the development of a
comprehensive incident response plan that is widely understood, rehearsed,
and stress tested.
Ongoing assessment. The board should periodically review a thorough
assessment of the organization’s information security capabilities, targeting
internal vulnerabilities and external threats.
22
Internal education. The board should ensure that the company implements
a strong communication and education program to create an environment in
which all employees embrace responsibility for cybersecurity.
These recommendations are a beginning, not an end. Boards that seek to
manage cyber-risk as well as they realistically can must distill these items
into specific goals and actions that can be counted, measured, and results
discussed with management.
The precise metrics will depend on the nature of the business and the likely
threats. Those we interviewed suggested some possibilities: If management
should be collaborating with external organizations, such as the government,
to share knowledge of threats and enhance mutual security, what are they
doing to further that objective? Whom are they partnering with? Similarly, if
the time to recognition of a security breach is unacceptably long, what is a
more appropriate target, and what action is management taking to achieve
that? Have we defined the categories of likely security breaches, determined
the response to each, and assigned executive ownership for each step in the
process? These are but a few examples of cyber-security topics on which
boards and management will need to engage.
Cyber threats abound, from vengeful acts by disgruntled employees, to data
theft by organized gangs of hackers, to foreign industrial espionage. Although
there may be no infallible prophylactic, board involvement and oversight can
keep a company vigilant and go a long way toward safeguarding its value and
reputation.
24
About the 2014 Korn Ferry Market Cap 100.
The Korn Ferry Market Cap 100 (KFMC100) are the US companies that had
the largest market capitalization as of the close of markets on May 1, 2014,
after the end of most firms’ 2013 fiscal year. Companies were removed from
the list if they were not traded primarily on the NYSE or Nasdaq, or were real
estate investment trusts or public investment firms.
Appendix A: The KFMC100 companies
Eight companies joined the ranks of the KFMC100 in the last year:
Twenty-First Century Fox, Inc. EOG Resources
Lockheed Martin Corp. Accenture
LyondellBasell Industries Thermo Fisher Scientific Inc.
Capital One Financial Corp. DirecTV
Market capitalization of the KFMC100 companies.
The KFMC100 companies had a median market capitalization of $74 billion
on May 1, 2014, after the close of most companies’ fiscal year. Of the 100
companies, 34 were valued at $100 billion or more. This was the first year
there were no KFMC100 companies valued at less than $40 billion.
Market Cap Companies
$40 billion – $59.99 billion 32
$60 billion – $79.99 billion 22
$80 billion – $99.99 billion 12
$100 billion – $149.99 billion 14
$150 billion – $199.99 billion 9
$200 billion and over 11
Figure 1
25KORN FERRY MARKET CAP 100
Industry sectors represented.
Technology and services were the two largest sectors again this year, and
together represented more than a third of the 2014 KFMC100 list.
Sector Companies
Basic materials 13
Conglomerates 3
Consumer goods 13
Financial 13
Health care 14
Industrial goods 6
Services 20
Technology 15
Utilities 3
The Korn Ferry Market Cap 100.
The KFMC100 companies ranked in order of market capitalization as of the
close of markets on May 1, 2014.
Rank CompanyMarket cap* Industry
1 Apple Inc. (NasdaqGS:AAPL)
$509.7 Computer hardware
2 Exxon Mobil Corp. (NYSE:XOM)
$439.0 Integrated oil and gas
3 Google Inc. (NasdaqGS:GOOG)
$356.5 Internet software and services
4 Microsoft Corp. (NasdaqGS:MSFT)
$330.2 Systems software
5 Johnson & Johnson (NYSE:JNJ)
$283.9 Pharmaceuticals
6 General Electric Co. (NYSE:GE)
$268.7 Industrial conglomerates
7 Wells Fargo & Co. (NYSE:WFC)
$260.5 Diversified banks
8 Wal-Mart Stores Inc. (NYSE:WMT)
$257.1 Hypermarkets and super centers
*on May 1, 2014 (in billions USD)
Figure 2
Figure 3
26
Rank CompanyMarket cap* Industry
9 Chevron Corp. (NYSE:CVX)
$238.6 Integrated oil and gas
10 Procter & Gamble Co. (NYSE:PG)
$223.3 Household products
11 JPMorgan Chase & Co. (NYSE:JPM)
$210.4 Financial services
12 Pfizer, Inc. (NYSE:PFE)
$198.6 Pharmaceuticals
13 International Business Machines Corp. (NYSE:IBM)
$195.3 IT consulting and other services
14 Verizon Communications, Inc. (NYSE:VZ)
$195.0 Integrated telecommunication services
15 AT&T, Inc. (NYSE:T)
$184.8 Integrated telecommunication services
16 Oracle (NasdaqGS:ORCL)
$182.1 Systems software
17 The Coca-Cola Co. (NYSE:KO)
$178.7 Soft drinks
18 Merck & Co., Inc. (NYSE:MRK)
$174.8 Pharmaceuticals
19 Bank of America Corp. (NYSE:BAC)
$158.6 Financial services
20 Facebook, Inc. (NasdaqGS:FB)
$155.1 Social media
21 Citigroup, Inc. (NYSE:C)
$144.7 Financial services
22 Amazon.com Inc. (NasdaqGS:AMZN)
$141.5 Internet retail
23 Walt Disney Co. (NYSE:DIS)
$139.2 Movies and entertainment
24 Philip Morris International, Inc. (NYSE:PM)
$135.9 Tobacco
25 Comcast Corp. (NasdaqGS:CMCSA)
$135.0 Cable and satellite
26 QUALCOMM, Inc. (NasdaqGS:QCOM)
$133.6 Communications equipment
27 Schlumberger Limited (NYSE:SLB)
$131.5 Oil and gas equipment and services
28 Intel Corp. (NasdaqGS:INTC)
$131.4 Semiconductors
29 Visa, Inc. (NYSE:V)
$130.5 Data processing and outsourced services
30 PepsiCo, Inc. (NYSE:PEP)
$129.5 Soft drinks
31 Gilead Sciences, Inc. (NasdaqGS:GILD)
$121.2 Biotechnology
*on May 1, 2014 (in billions USD)
27KORN FERRY MARKET CAP 100
Rank CompanyMarket cap* Industry
32 Cisco Systems, Inc. (NasdaqGS:CSCO)
$118.3 Communications equipment
33 The Home Depot, Inc. (NYSE:HD)
$109.1 Home improvement retail
34 United Technologies (NYSE:UTX)
$107.0 Aerospace and defense
35 McDonald’s (NYSE:MCD)
$99.9 Restaurants
36 The Boeing Co. (NYSE:BA)
$93.6 Aerospace and defense
37 ConocoPhillips (NYSE:COP)
$92.0 Integrated oil and gas
38 3M Co. (NYSE:MMM)
$92.0 Industrial conglomerate
39 American Express Co. (NYSE:AXP)
$91.6 Consumer finance
40 United Parcel Service, Inc. (NYSE:UPS)
$90.6 Air freight and logistics
41 MasterCard International Inc. (NYSE:MA)
$88.3 Data processing and outsourced services
42 CVS Caremark Corp. (NYSE:CVS)
$86.0 Drug retail
43 Union Pacific Corp. (NYSE:UNP)
$85.6 Railroads
44 Amgen Inc. (NasdaqGS:AMGN)
$85.2 Biotechnology
45 Bristol-Myers Squibb Co. (NYSE:BMY)
$82.0 Pharmaceuticals
46 AbbVie, Inc. (NYSE:ABBV)
$81.9 Pharmaceuticals
47 Altria Group, Inc. (NYSE:MO)
$79.5 Tobacco
48 American International Group, Inc. (NYSE:AIG)
$77.0 Multi-line insurance
49 Occidental Petroleum Corp. (NYSE:OXY)
$75.6 Integrated oil and gas
50 UnitedHealth Group, Inc. (NYSE:UNH)
$74.6 Managed health care
51 The Goldman Sachs Group, Inc. (NYE:GS)
$74.3 Investment banking and brokerage
52 U.S. Bancorp (NYSE:USB)
$73.5 Diversified banks
53 Twenty-First Century Fox, Inc. (NASDAQ:FOXA)
$73.1 Movies and entertainment
54 Honeywell International, Inc. (NYSE:HON)
$72.3 Aerospace and defense
*on May 1, 2014 (in billions USD)
28
Rank CompanyMarket cap* Industry
55 Biogen Idec Inc. (NasdaqGS:BIIB)
$68.0 Biotechnology
56 eBay Inc. (NasdaqGS:EBAY)
$67.1 Internet software and services
57 Walgreen Co. (NYSE:WAG)
$66.0 Drug retail
58 Caterpillar Inc. (NYSE:CAT)
$65.7 Construction and farm machinery and heavy trucks
59 Nike, Inc. (NYSE:NKE)
$64.0 Footwear and apparel
60 Eli Lilly & Co. (NYSE:LLY)
$63.2 Pharmaceuticals
61 Ford Motor Co. (NYSE:F)
$62.7 Automobile manufacturing
62 Hewlett-Packard Co. (NYSE:HPQ)
$61.7 Computer hardware
63 Colgate-Palmolive Co. (NYSE:CL)
$61.4 Household products
64 priceline.com, Inc. (NasdaqGS:PCLN)
$61.4 Internet retail
65 Morgan Stanley (NYSE:MS)
$61.3 Investment banking and brokerage
66 E.I. DuPont de Nemours & Co. (NYSE:DD)
$61.2 Diversified chemicals
67 Mondelez International, Inc. (NasdaqGS:MDLZ)
$60.5 Packaged foods
68 Celgene Corp. (NasdaqGS:CELG)
$60.4 Biotechnology
69 Time Warner, Inc. (NYSE:TWX)
$59.7 Movies and entertainment
70 Abbott Laboratories (NYSE:ABT)
$59.7 Pharmaceuticals
71 Medtronic, Inc. (NYSE:MDT)
$59.3 Health care equipment
72 The Dow Chemical Co. (NYSE:DOW)
$58.0 Diversified chemicals
73 Monsanto Co. (NYSE:MON)
$57.7 Fertilizers and agricultural chemicals
74 MetLife, Inc. (NYSE:MET)
$57.7 Life and health insurance
75 General Motors Co. (NYSE:GM)
$55.9 Automobile manufacturers
76 Starbucks Corp. (NasdaqGS:SBUX)
$53.7 Restaurants
77 Halliburton Co. (NYSE:HAL)
$53.4 Oil and gas equipment and services
*on May 1, 2014 (in billions USD)
29KORN FERRY MARKET CAP 100
Rank CompanyMarket cap* Industry
78 EOG Resources (NYSE:EOG)
$52.9 Oil, gas, and coal
79 Duke Energy Corp. (NYSE:DUK)
$52.7 Electric utilities and natural gas distribution
80 Lockheed Martin Corp. (NYSE:LMT)
$51.9 Aerospace and defense
81 EMC Corp. (NYSE:EMC)
$51.8 Computer storage and peripherals
82 Danaher (NYSE:DHR)
$51.6 Industrial machinery
83 Express Scripts Holding Co. (NasdaqGS:ESRX)
$51.4 Health care services
84 Costco Wholesale (NasdaqGS:COST)
$50.7 Hypermarkets and super centers
85 Accenture (NYSE:ACN)
$50.5 Business services
86 LyondellBasell Industries (NYSE:LYB)
$50.3 Chemicals
87 Allergan, Inc. (NYSE:AGN)
$50.2 Pharmaceuticals and medical devices
88 Anadarko Petroleum Corp. (NYSE:APC)
$49.9 Oil and gas exploration and production
89 Phillips 66 (NYSE:PSX)
$49.4 Integrated oil and gas
90 Texas Instruments, Inc. (NYSE:TXN)
$49.1 Semiconductors
91 Emerson Electric Co. (NYSE:EMR)
$47.6 Electrical components and equipment
92 Lowe’s Companies, Inc. (NYSE:LOW)
$47.1 Home improvement retail
93 Thermo Fisher Scientific Inc. (NYSE:TMO)
$44.9 Medical equipment
94 PNC Financial Services Group Inc. (NYSE:PNC)
$44.5 Regional banks
95 NextEra Energy, Inc. (NYSE:NEE)
$43.5 Electric utilities and renewable energy
96 Capital One Financial Corp. $42.3 Financial services
97 Dominion Resources, Inc. (NYSE:D)
$42.2 Electric utilities and natural gas distribution
98 Kimberly-Clark Corp. (NYSE:KMB)
$42.0 Household products
99 DirecTV $41.1 Cable and satellite
100 The TJX Companies, Inc. (NYSE:TJX)
$41.0 Apparel retail
*on May 1, 2014 (in billions USD)
30
Appendix B: The KFMC100 Class of 2013Turnover on KFMC100 boards remained low during the 2013 calendar year.
Thirty-nine companies in the KFMC100 added no new director at all during
the year.
The Class of 2013 comprised 105 total appointments, down from 113 in 2012.
With 1,208 total board seats available, that represents a turnover rate of just
8.7%.
Governance experience in the Class of 2013.
The large majority of KFMC100 boards added directors with previous board
experience with a public company—87%, compared with 73% the previous
year.
New directorships by governance experience (n=105)
First time directors 13%
Experienced directors 87%
CEO experience in the Class of 2013.
Even as companies restrict their CEOs’ availability for outside board service,
the large companies in the KFMC100 have continued to attract high levels of
current and retired CEOs to their boards: 56% in 2013, up from 41% in 2012.
Past or present CEO experience with a public company
Seats newly filled in 2013 56%
Incumbents’ seats 53%
Figure 4
Figure 5
31KORN FERRY MARKET CAP 100
Professional experience in the Class of 2013.
The KFMC100 covers a wide array of industries, and board makeup varies
accordingly. But two types of experience emerged as prominent in the Class
of 2013: finance/audit experience rose to 53% from 35% the previous year.
And marketing/sales was 38%, up from 17% in 2012. Technology also rose to
22% from 13%.
New directorships (n=105)
Same-industry experience 42%
Finance/Audit 53%
COO/Operations 30%
Public policy/Government 24%
Academic/Research 17%
Marketing/Sales 38%
Academic administration 7%
Nonprofit 6%
Technology 22%
Legal 11%
Age of Class of 2013 directors.
The median age of a director joining a board in 2013 was 59, six years
younger than the median age for all directors.
3% 49 or younger
20% 50 to 54
33% 55 to 59
25% 60 to 64
16% 65 to 69 3% 70 and over
Figure 6
Figure 7
32
Board service among the Class of 2013.
A majority of the 99 new non-executive directors were on only one or two
boards, but 14 served on four or more.
1
2
3
4
5
6
26 directors
36 directors
23 directors
9 directors
3 directors
2 directors
Number of boards served
Women in the Class of 2013.
Of the 105 total directors added to these boards in 2013, 22% were women,
a proportion nearly unchanged from the year before.
22% Female
78% Male
Figure 8
Figure 9
33KORN FERRY MARKET CAP 100
Minorities in the Class of 2013.
KFMC100 boards added twice as many new African American and Hispanic American directors in 2013 as they did in 2012. But the overall rates of diversity hardly changed on KFMC100 boards. Note that ethnicity information was not available for all of the directors.
Class of 2013 (n=80) Incumbents’ seats (n=966)
African American 13% 9%
Asian American 1% 1%
Hispanic American 6% 3%
Nationality of the Class of 2013.
The percentage of foreign director appointments to KFMC100 boards returned to 15%, after a rise to 21% in 2012.
American Non-American
Seats filled in 2013 85% 15%
Incumbents’ seats 86% 14%
Figure 10
Figure 11
Global experience of the Class of 2013.
Other indicators of global experience also dropped in 2013. International work experience among new appointees dropped to 28% from 36%. Only 17% of new appointees were born or educated abroad, down from 29% in the previous year.
International work experience
Seats filled in 2013 28%
Incumbents’ seats 26%
Born and/or educated abroad
Seats filled in 2013 17%
Incumbents’ seats 17%
Figure 12
34
Edward (Spencer) AbrahamNew BoardOccidental Petroleum Corp. ProfileIndependent Vice Chairman, Occidental Petroleum Corp.Other board(s)Two Harbors Investment Corp.; NRGEnergy, Inc.; PBF Energy, Inc.
Rodney C. AdkinsNew BoardUnited Parcel Service, Inc. ProfileSenior Vice President, Corporate Strategy, International Business Machines Corp.Other board(s)Pitney Bowes, Inc.
Robert J. AlpernNew BoardAbbVie, Inc. ProfileDean, Yale School of MedicineOther board(s)Abbott Laboratories
Shellye L. ArchambeauNew BoardVerizon Communications, Inc. ProfileChief Executive Officer, MetricStream, Inc.Other board(s)Arbitron, Inc.
Jaime ArdilaNew BoardAccenture ProfileExecutive VP/Regional President South America, General Motors Co.
Timothy ArmstrongNew Boardpriceline.com, Inc.ProfileChairman/CEO, AOL, Inc.Other board(s)AOL, Inc.
Delphine Arnault-GanciaNew BoardTwenty-First Century Fox, Inc.ProfileDirector, Louis Vuitton SAOther board(s)Havas SA; Christian Dior SA; M6-MetropoleTelevision SA; Louis Vuitton SA
Roxanne S. AustinNew BoardAbbVie, Inc. ProfileFormer President/CEO, Move Networks, Inc.Other board(s)Ericsson; Teledyne Technologies, Inc.; Abbott Laboratories
Linda B. BammannNew BoardJPMorgan Chase & Co. ProfileDeputy Head, Risk Management, JPMorgan Chase & Co.
Ajaypal (Ajay) S. BangaNew BoardThe Dow Chemical Co. ProfilePresident/CEO, MasterCard International, Inc.Other board(s)MasterCard International, Inc.
Eugene (Gene) L. BatchelderNew BoardOccidental Petroleum Corp. ProfileFormer Senior VP/CAO, ConocoPhillips
Richardson BennettNew BoardHewlett-Packard Co.ProfilePrincipal, First Western Financial, Inc.Other board(s)Liberty Media Corp.; Discovery Communications Inc.; Sprint Corp.
Members of the Class of 2013The following list includes all directors who joined one or more KFMC100
board in 2013. New directors who are also CEO of that company are
marked with an asterisk (*).
35KORN FERRY MARKET CAP 100
Mark A. BlinnNew BoardTexas Instruments, Inc. ProfilePresident/CEO, Flowserve Corp.Other board(s)Flowserve Corp.
Ana BotinNew BoardThe Coca-Cola Co.ProfileCEO/Executive Director, Santander UK plcOther board(s)Banco Santander SA; Santander Investment SA
Gregory (Greg) H. BoyceNew BoardMonsanto Co. ProfileChairman, Peabody Energy Corp.Other board(s)Peabody Energy Corp.; Marathon Oil Corp.
Angela F. BralyNew BoardLowe’s Companies, Inc. ProfileFormer Chairwoman/President/CEO, WellPoint, Inc.Other board(s)Procter & Gamble Co.
Gregory Q. BrownNew BoardCisco Systems, Inc. ProfileChairman/President/CEO, Motorola Solutions, Inc.Other board(s)Motorola Solutions, Inc.
Thomas K. BrownNew Board3M Co. ProfileRetired Group Vice President, Global Purchasing, Ford Motor Co.Other board(s)Conagra Foods, Inc.
Abelardo (Al) E. BruNew BoardDirecTV ProfileFormer President/CEO, Frito Lay North America, Inc.Other board(s)Kraft Foods Group, Inc.; Kimberly-Clark Corp.
William (Willie) H. BurnsideNew BoardAbbVie, Inc. ProfileAdvisor, Boston Consulting Group, Inc.
André Calantzopoulos*New BoardPhilip Morris International, Inc.ProfileCEO, Philip Morris International, Inc.
Kurt M. CampbellNew BoardMetLife, Inc.ProfileChairman/CEO, Asia Group LLCOther board(s)Standard Chartered PLC
William S. Demchak*New BoardPNC Financial Services Group Inc.ProfilePresident/CEO, PNC Financial Services Group Inc.Other board(s)Blackrock, Inc.
Nancy-Ann M. DeParleNew BoardCVS Caremark Corp.ProfileCo-Founding Partner, Consonance Capital Partners, LLC
Susan Desmond-HellmanNew BoardFacebook, Inc. ProfileCEO, Bill and Melinda Gates Foundation; Former Chancellor, University of California, San FranciscoOther board(s)Procter & Gamble Co.
36
Pierre J. P. de WeckNew BoardBank of America Corp. ProfileFormer Chairman/Global Head, Private Wealth Management, Deutsche Bank AGOther board(s)SAL Oppenheim jr. & Cie. AG & Co. KGaA
Nance K. DiccianiNew BoardLyondellBasell Industries ProfileFormer Division President/CEO, Honeywell International, Inc.Other board(s)Halliburton Co.; Praxair, Inc.
Arnold W. DonaldNew BoardBank of America Corp. ProfileFormer Chairman/CEO, Merisant Co.Other board(s)Crown Holdings, Inc.; Carnival Corp.; Laclede Group; Carnival Plc; Oil-Dri Corp. of America
Scott C. DonnellyNew BoardMedtronic, Inc. ProfileCEO/Chairman/President, Textron, Inc.Other board(s)Textron, Inc.
Francisco D’SouzaNew BoardGeneral Electric Co.ProfileCEO, Cognizant Technology Solutions Corp.Other board(s)Cognizant Technology Solutions Corp.
James O. Ellis Jr.New BoardDominion Resources, Inc. ProfileIndependent Chairman, Level 3 Communications, Inc.Other board(s)Level 3 Communications, Inc.; Lockheed Martin Corp.
Gay H. EvansNew BoardConocoPhillips ProfileFormer Division Vice Chairman, Investment Banking and Investment Management, Barclays PLCOther board(s)Aviva PLC; London Stock Exchange Group PLC
Andrew T. FeldsteinNew BoardPNC Financial Services Group Inc.ProfileCEO/CIO, BlueMountain Capital Management LLC
Helena B. FoulkesNew BoardThe Home Depot, Inc. ProfilePresident, CVS Pharmacy, Inc.
Greg C. GarlandNew BoardAmgen, Inc. ProfileChairman/President/CEO, Phillips 66Other board(s)Phillips 66
Helene D. GayleNew BoardThe Coca-Cola Co.ProfilePresident/CEO, CARE USAOther board(s)Colgate-Palmolive Co.
Thomas (Tom) H. GlocerNew BoardMorgan Stanley ProfileRetired Chief Executive Officer, Thomson Reuters Corp. Other board(s)Merck & Co., Inc.
Lynn J. Good*New BoardDuke Energy Corp. ProfileVice Chairman/President/CEO, Duke Energy Corp.Other board(s)Hubbell, Inc.
37KORN FERRY MARKET CAP 100
William (Bill) D. GreenNew BoardEMC Corp. ProfileFormer Chairman/CEO, AccentureOther board(s)McGraw Hill Financial, Inc.
Jose C. GrubisichNew BoardHalliburton Co. ProfileCEO, Eldorado Brasil Celulose SAOther board(s)Vallourec SA
Carlos M. GutierrezNew BoardsTime Warner, Inc. and MetLife, Inc.ProfilePresident/CEO, Kellogg Canada, Inc.Other board(s)Occidental Petroleum Corp.
James P. HackettNew BoardFord Motor Co.ProfileIndependent Chairman, Fifth Third BancorpOther board(s)Steelcase, Inc.; Fifth Third Bancorp
Kirk S. HachigianNew BoardNextEra Energy, Inc. ProfileFormer Chairman/President/CEO, Cooper Industries PLCOther board(s)Allegion PLC; Paccar, Inc.
Duncan P. HennesNew BoardCitigroup, Inc. ProfileCo-Founder/Partner, Atrevida Partners, LLC
John T. HerronNew BoardDuke Energy Corp.ProfileFormer CEO/President/Chairman, System Energy Resources, Inc.
Benjamin P. Jenkins IIINew BoardCapital One Financial Corp. ProfileFormer Vice Chairman, Wachovia Corp.
William (Jerry) G. JurgensenNew BoardAmerican International Group, Inc. ProfileFormer CEO/Chairman, Nationwide Financial Services, Inc.Other board(s)Conagra Foods, Inc.
Debra J. Kelly-EnnisNew BoardAltria Group, Inc. ProfileFormer Division Manager, General Motors Co.Other board(s)Hertz Global Holdings, Inc.; Carnival Corp.; PulteGroup, Inc.
Muhtar KentNew Board3M Co. ProfileChairman/President/CEO, The Coca-Cola Co.Other board(s)The Coca-Cola Co.
William E. KennardNew BoardMetLife, Inc. ProfileFormer Chairman/General Counsel, Federal Communications Commission (FCC)Other board(s) Duke Energy Corp.
Ronald (Ron) KirkNew BoardTexas Instruments, Inc. ProfileFormer US Trade Representative
William (Bill) R. KlesseNew BoardOccidental Petroleum Corp.ProfileChairman/CEO, Valero Energy Corp.Other board(s)Valero Energy Corp.
38
Brian M. Krzanich*New BoardIntel Corp. ProfileCEO, Intel Corp.
Alan G. Lafley*New BoardProcter & Gamble Co.ProfileChairman/CEO, Procter & Gamble Co.Other board(s)General Electric Co.
Anne LauvergeonNew BoardAmerican Express Co. ProfileFormer Chairman/CEO, Areva SAOther board(s)Vodafone Group PLC; Total SA; Airbus Group NV
John C. LechleiterNew BoardFord Motor Co.ProfileChairman/President/CEO, Eli Lilly & Co.Other board(s)Eli Lilly & Co.; Nike, Inc.
Dawn G. LeporeNew BoardThe TJX Companies, Inc. ProfileFormer Chairman/CEO/President, Drugstore.com, Inc.Other board(s)Coupons.com, Inc.; RealNetworks, Inc.; AOL, Inc.
Edward (Ed) M. LiddyNew BoardAbbVie, Inc. ProfileFormer Chairman/CEO, American International Group, Inc.Other board(s)Abbott Laboratories; Boeing Co.; 3M Co.
Terry LundgrenNew BoardProcter & Gamble Co.ProfilePresident/CEO, Macy’s, Inc.Other board(s)Macy’s, Inc.; Kraft Foods Group, Inc.
Mike McCallisterNew BoardAT&T, Inc. ProfileChairman/CEO, Humana, Inc.Other board(s)Zoetis, Inc.; Humana, Inc.; Fifth Third Bancorp
Mark. B. McClellanNew BoardJohnson & Johnson ProfileFormer Commissioner, US Food and Drug Administration (FDA); Former Administrator, Centers for Medicare & Medicaid Services, US Department of Health and Human Services Other board(s)AVIV Reit, Inc.
Peter J. McDonnellNew BoardAllergan, Inc. ProfileDirector/Professor, Wilmer Eye Institute, Johns Hopkins University School of Medicine
Beth E. MooneyNew BoardAT&T, Inc. ProfileChairman/CEO, KeyCorpOther board(s)KeyCorp
Michael (Mike) G. MullenNew BoardGeneral Motors Co.ProfileRetired US Navy Admiral; Former Chairman, Joint Chiefs of StaffOther board(s)Discovery Air, Inc.; Sprint Corp.
Shantanu NarayenNew BoardPfizer, Inc. ProfilePresident /CEO/Director, Adobe Systems, Inc.Other board(s)Adobe Systems, Inc.; Dell, Inc.
39KORN FERRY MARKET CAP 100
Jacques A. NasserNew BoardTwenty-First Century Fox, Inc. ProfileChairman, BHP Billiton Ltd.Other board(s)BHP Billiton Ltd.
Lionel L. Nowell IIINew BoardBank of America Corp. ProfileFormer Senior Vice President/Treasurer, PepsiCo, Inc.Other board(s)Reynolds American, Inc.; American Electric Power Co., Inc.
Raymond E. OzzieNew BoardHewlett-Packard Co.ProfileCEO/Founder, Talko, Inc.
D. C. PaliwalNew BoardBristol-Myers Squibb Co.ProfileChairman/President/CEO, Harman International Industries, Inc.Other board(s)Harman International Industries, Inc.; ADT Corp.
Samuel J. PalmisanoNew BoardAmerican Express Co.ProfileFormer Chairman/President/CEO, International Business Machines Corp.Other board(s)Exxon Mobil Corp.
Timothy (Tim) D. ProctorNew BoardAllergan, Inc. ProfileFormer General Counsel, Diageo PLC
James H. QuigleyNew BoardWells Fargo & Co.ProfileRetired CEO, Deloitte Touche Tohmatsu LimitedOther board(s)Hess Corp.; Merrimack Pharmaceuticals, Inc.
Clark T. RandtNew BoardQUALCOMM, Inc.ProfileFormer US Ambassador to ChinaOther board(s)United Parcel Service, Inc.; Valmont Industries, Inc.
Edward (Ed) J. RappNew BoardAbbVie, Inc. ProfileGroup President/Former CFO, Caterpillar, Inc.
Gary M. ReinerNew BoardCitigroup, Inc. ProfileOperating Partner, General Atlantic LLC; Former Chief Information Officer, General Electric Co.Other board(s)Hewlett-Packard Co.
Howard V. RichardsonNew BoardWells Fargo & Co.ProfileFormer Partner, PricewaterhouseCoopers LLP
Roy S. RobertsNew BoardAbbVie, Inc. ProfileFormer Group Vice President, General Motors Co.
James E. RohrNew BoardGeneral Electric Co. ProfileChairman/CEO, PNC Financial Services Group Inc.Other board(s)Marathon Petroleum Corp.; EQT Corp.; Allegheny Technologies; Blackrock, Inc.; PNC Financial Services Group Inc.
40
Clayton S. RoseNew BoardBank of America Corp. ProfileProfessor, Management Practice, Harvard Business SchoolOther board(s) XL Group PLC
Thomas E. RothmanNew Boardpriceline.com, Inc.ProfileFormer Co-Chairman/Co-CEO, Fox Filmed Entertainment, Inc.
Pamela (Pam) J. RoyalNew BoardDominion Resources, Inc. ProfileDermatologist/President/Owner, Royal Dermatology and Aesthetic Skin Care, Inc.
Jonathan J. RubinsteinNew BoardQUALCOMM, Inc.ProfileRetired Chairman/President/CEO, Palm, Inc.Other board(s)Amazon.com, Inc.
Marschall S. RungeNew BoardEli Lilly & Co.ProfileDean, University of North Carolina, Chapel Hill
Mary L. SchapiroNew BoardGeneral Electric Co. ProfileFormer Chairwoman, US Securities and Exchange Commission (SEC)
Robert S. SilbermanNew BoardTwenty-First Century Fox, Inc.ProfileChairman, Strayer Education, Inc.Other board(s)Strayer Education, Inc.; Covanta Holding Corp.
James A. SkinnerNew BoardHewlett-Packard Co.ProfileIndependent Chairman, Walgreen Co.Other board(s)Walgreen Co.; Illinois Tool Works, Inc.
Theresa M. StoneNew BoardAmerican International Group, Inc. ProfileFormer Vice Chairman, Federal Reserve Bank of Richmond
Jackson P. TaiNew BoardEli Lilly & Co.ProfileChairman, OSIM Brookstone Holdings LPOther board(s)Singapore Airlines Ltd.; Koninklijke NV; Bank of China; MasterCard International, Inc.
Ratan N. TataNew BoardMondelez International, Inc. ProfileChairman, Tata Industries Ltd.Other board(s)Alcoa, Inc.
Cynthia B. TaylorNew BoardAT&T, Inc. ProfilePresident/CEO, Oil States International, Inc.Other board(s)Tidewater, Inc.; Oil States International, Inc.
William (Bill) R. Thomas*New BoardEOG Resources ProfilePresident/CEO, EOG Resources
Glenn F. TiltonNew BoardAbbVie, Inc. ProfileFormer Chairman/President/CEO, United Continental Holdings, Inc.Other board(s)Phillips 66; Abbott Laboratories
41KORN FERRY MARKET CAP 100
James (Jim) S. TurleyNew BoardsCitigroup, Inc.; Emerson Electric Co.ProfileRetired Chairman/CEO, Ernst & Young Global Ltd.Other board(s)Intrexon Corp.
Anthony (Tony) J. VinciquerraNew BoardDirecTV ProfileFormer Chairman/President/CEO, Fox Networks Group
David A. ViniarNew BoardThe Goldman Sachs Group, Inc. ProfileFormer CFO/Executive Vice President, The Goldman Sachs Group, Inc.
Frederick (Rick) H. WaddellNew BoardAbbVie, Inc. ProfileChairman/CEO, Northern Trust Corp.Other board(s)Northern Trust Corp.
Pat WardNew BoardE.I. DuPont de Nemours & Co.ProfileVice President/CFO, Cummins, Inc.
Greg D. WassonNew BoardVerizon Communications, Inc. ProfilePresident/CEO, Walgreen Co.Other board(s)Walgreen Co.
Robin L. WashingtonNew BoardHoneywell International, Inc. ProfileSenior Vice President/CFO, Gilead Sciences, Inc.Other board(s)Salesforce.com, Inc.; MIPS Technologies, Inc.
William C. WeldonNew BoardsExxon Mobil Corp.; CVS Caremark Corp.ProfileFormer Chairman/CEO, Johnson & JohnsonOther board(s)Chubb Corp.; JPMorgan Chase & Co.
Catherine G. WestNew BoardCapital One Financial Corp. ProfileFormer COO, Consumer Financial Protection Bureau
Rayford Wilkins Jr.New BoardMorgan Stanley ProfileFormer President/CEO, Southwestern Bell Telephone Co.Other board(s) Valero Energy Corp.
42
Appendix C: The KFMC100 boards
Number of directors on the board.
The median size for a KFMC100 board was 12 directors and 82% of boards had
between 10 and 15 directors.
Board independence.
In the KFMC100, 90% of boards had one or two executive directors. The rest
were independent directors.
Figure 13
Figure 14
6% 16 to 18 directors
24% 13 to 15 directors
58% 10 to 12 directors
12% 7 to 9 directors
68% 1 executive director
22% 2 executive directors
7% 3 executive directors
3% 4 to 5 executive directors
43KORN FERRY MARKET CAP 100
Who is chairman of the board?
The company CEO chaired the board of directors at 66 of the KFMC100
companies in 2013. An additional 18 had chairmen or executive chairmen
leading the board, 14 of whom were the former CEO of the company.
Compensation and retainers for directors.
The median total compensation for KFMC100 directors rose slightly to
$288,000 according to figures reported in company proxy statements, and
the median cash retainer was $100,000, up from $85,000 the previous year.
Two companies stated that they offered no cash retainer to directors.
Figure 15
Figure 16
6%
7%
15%
41%
16%
11%
2%
2%
66% CEO is also chairman of the board
16% Non-executive chairman
18% Chairman or executive chairman
>$150,000
$125,001 to $150,000
$100,001 to $125,000
$75,001 to $100,000
$50,001 to $75,000
$25,001 to $50,000
$1 to $25,000
$0
Cash Retainers
44
One or more directors with work experience anywhere
outside the US
Frequency of board meetings.
Half of the KFMC100 boards met eight or more times in 2013, and the average
number of meetings was 8.2.
Global business experience on KFMC100 boards.
Although 88% of KFMC100 boards included at least one director who had
held a significant work assignment outside the United States, only 28% had
members with experience in Brazil, Russia, India, or China. About 9% of
directors joining boards in 2013 were born, educated, or worked in one of
those markets.
Figure 17
Figure 18
88%
28%
12% 0 to 5 meetings
38% 6 to 7 meetings
24% 8 to 9 meetings
17% 10 to 12 meetings
9% 13 to 19 meetings
One or more directors with work experience specifically
in BRIC countries
45KORN FERRY MARKET CAP 100
1
2
3
4
5
Gender balance on KFMC100 boards.
Only 21% of all KFMC100 board seats were held by women, and 95% of those
were independent directorships.
Distribution of female directors among KFMC100 boards.
There was at least one women on every board in the KFMC100; as recently as
2011, there were four companies with all-male boards. The average number
of women on a KFMC100 board was 2.5.
Figure 19
Figure 20
Number of female directors
21% Female
79% Male
13 companies
42 companies
26 companies
15 companies
4 companies
46
Age of KFMC100 directors.
Excluding CEOs, there were 1,108 individual directors in the KFMC100, half
of whom were between the ages of 60 and 69. The median age was 65.
Compared with the previous year, there were slightly fewer directors under
age 50, and a few more over age 75.
KFMC100 retirement age policies.
There was an established retirement age for directors at 79 of the KFMC100,
with an average mandatory retirement age of 72. The policies seemed to
make little difference: 19 companies made exceptions in 2013, and companies
with no stated age limit had an average age that was only slightly higher. The
average age of a departing director was 68.
Retirement policy Companies Exceptions Average director age
Mandatory retirement age 46 9 63.1
Policy explicitly allows exceptions 33 10 63
No retirement age policy 21 -- 63.3
Figure 21
Figure 22
3% 49 or younger
7% 50 to 54
18% 55 to 59
21% 60 to 64
29% 65 to 69
17% 70 to 74
5% 75 and over
47KORN FERRY MARKET CAP 100
Duration of directorships.
Directors in the KFMC100 tend to serve a long time on boards. Among the 73
directors who left or retired in 2013, the average tenure was 10 years. The
current average tenure is 7.9 years, and 26% of directors have been in their
seats a decade or longer.
Individual director review policy.
Board renewal and improvement were sometimes approached by a vigorous
annual review of each individual director. In their 2013 proxy statement, 44
KFMC100 companies indicated that individual reviews were their policy.
Figure 23
Figure 24
Board seats held for
12 years or more
9 years or more
6 years or more
3 years or more
16%
27%
45%
66%
56% Boards with no stated individual review policy
44% Boards that perform individual reviews of directors
48
Korn Ferry has recruited CEOs and board directors for more than 40 years. Our
dedicated Board & CEO Services practice is committed to improving governance
practices worldwide. Our approach includes Board Director and CEO Search and
Selection, CEO Succession Planning and Assessment, Board Effectiveness, and
Director/Executive Compensation Consulting.
Visit www.kornferry.com/BoardCEOServices for more information.
Key contacts:
© 2014 The Korn Ferry Institute
About Korn Ferry’s Board & CEO Services Practice
Joe GriesedieckVice Chairman and Co-Leader,
Board & CEO Services
+1 415.288.5367
Jane StevensonVice Chairman & Global Leader
for CEO Succession
+1 404.577.7542
Robert HallaganVice Chairman
+1 617.790.5790
Dennis Carey Vice Chairman
+1 215.656.5348
Nels OlsonVice Chairman and Co-Leader,
Board & CEO Services
+1 202.955.0926
Stephen MaderVice Chairman
+1 617.790.5700
About Korn Ferry
At Korn Ferry, we design, build, attract
and ignite talent. Since our inception,
clients have trusted us to help recruit
world-class leadership. Today, we
are a single source for leadership and
talent consulting services to empower
businesses and leaders to reach their
goals. Our solutions range from executive
recruitment and leadership development
programs, to enterprise learning,
succession planning and recruitment
process outsourcing (RPO).
Visit www.kornferry.com for more
information on our services, and
www.kornferryinstitute.com for
more articles, research and insights.
2014 KFMC
KO
RN
FE
RR
Y
KF
MC
100
20
14