Kicking off our 16th National Directors Institute (NDI) Executive Exchange conference, our partner and NDI program co-chair Steve Barth challenged the assembled executives and board members to come away from the day with three practical takeaways.

Considering the corporate environment, Barth’s charge seemed appropriate. Whether they’re grappling with the threat of cybersecurity breaches or the complexity of global operations, navigating the shifting political environment or facing the realities of generational succession, boards today face a daunting array of risks and challenges that are as broad as they are deep.

The 300-plus attendees had plenty of sources from which to fulfill Barth’s directive. His opening remarks preceded 20 breakout sessions covering the hottest and most relevant governance issues facing boards. As in past years, the day began with a keynote address by Patrick McGurn, Director of Strategic Research at Institutional Shareholder Services (ISS). Over lunch, attendees heard University of Chicago Provost Daniel Diermeier expound on the board’s role in crisis management.

Following are some of the key themes that emerged from this year’s symposium.

Continued Struggles with Board Refreshment

Institutional investors and shareholders continue to focus on whether boards are assessing their composition and refreshing themselves frequently enough. In his keynote, McGurn cited ISS data showing that a surge of new directors following the financial crisis has pushed the average board tenure down in recent years, dipping to 8.18 years in 2017 for S&P 500 companies. The increase in the average age of board members has also slowed over the past five years due to refreshment and now sits at 62.5 years for S&P 500 companies.

But a study on board refreshment trends at S&P 1500 firms, commissioned by the Investor Responsibility Research Center Institute (IRRCi) and ISS, showed more of a mixed bag. That study found that directors with 10 or more years of tenure make up the largest percentage of board members, and the percentage has actually increased slightly in recent years.

To be prepared to communicate with shareholders on refreshment and address any concerns, it is important for boards to regularly evaluate their composition and consider tools available to facilitate refreshment, including evaluations for individual directors and succession plans.

Some Board Diversity Progress, but Not Enough

Boards are making slow, but steady, progress on gender diversity, McGurn said in his keynote. According to ISS data, companies across the S&P 1500 have seen slight gains in this area over the past five years. Women make up 22.3 percent of S&P 500 board members in 2017, compared with 16.2 percent in 2012. However, these figures are still low and progress has been even more glacial on racial and ethnic diversity. In 2017, 13.9 percent of S&P 500 board members were from minority groups, barely up from 12.2 percent in 2012.

The lack of diversity is becoming an issue for investors faster than it is for companies, and McGurn predicted that the focus on gender diversity will grow in 2018. He pointed to ISS survey data showing that the percentage of investors who consider an all-male public-company board problematic is considerably higher than the corresponding percentage of company executives.

That data reflects a broader trend: investors are increasingly considering environmental, social and governance (ESG) factors, including board diversity, in making investment decisions.

Environmental Issues on the Rise

That shift toward ESG factors is partly driven by an understanding that environmental problems can often lead directly to reputational damage and affect long-term financial prospects.

The focus on these topics will likely continue to build, especially given that public-interest groups like the Sierra Club have recently built formidable war chests for advocacy and environmental litigation that will be aimed at blocking or changing corporate action. But at a breakout session on navigating environmental compliance led by our partner Linda Benfield, the panelists described how engaging with these public-interest groups on the front end of a project can be an effective strategy to try to avoid contentious and expensive lawsuits. The panelists also agreed on the importance of building relationships with state and local regulators, particularly given the increased sophistication of state agencies and the “cooperative federalism” approach championed by Environmental Protection Agency Director Scott Pruitt.

Board’s Role in Risk Oversight and Crisis Management

In the wake of several high-profile corporate scandals and oversight failures, shareholders are increasingly focused on actions taken by boards before, during and after an incident. McGurn noted that investors often give boards the benefit of the doubt if they feel they were truly blindsided and were diligent in preparing before a crisis occurred, moving swiftly when a problem came to light and taking action afterwards – including implementing clawbacks for senior executives and making boardroom leadership changes.

Diermeier, the University of Chicago Provost, also emphasized the importance of moving quickly for organizations in the throes of a crisis, noting that the general public usually only pays attention to a scandal for about 28 hours. “If you don’t respond in that timeframe, people will believe you are guilty or don’t care,” he said. That means organizations very often have to issue a response before they can gather all of the facts. To do this, Diermeier suggested focusing on consumer trust through the four elements of his “Trust Radar” – Transparency (not full disclosure, but ensuring the information provided is easy to understand), Expertise (showing that the company possesses the necessary professional knowledge), Commitment (displaying a sense of responsibility for solving the problem), and Empathy (not necessarily apologizing, but genuinely connecting with the pain people are feeling).

Global Risks Aren’t Going Away

International scale creates another layer of challenges for companies, including supply-chain risk and the potential for corruption or bribery of local officials by foreign employees and contractors.

Avoiding violations of the Foreign Corrupt Practices Act (FCPA) requires a robust compliance program. It also demands an understanding of local norms and culture, according to panelists at a breakout session on anti-corruption and international trade led by our partner Christopher Swift. For instance, in some regions, where managers may consider it a faux pas not to buy lunch for a local politician, company policies forbidding may be seen as impractical. Companies that understand local and cultural nuances can tailor their policies and employee training to these realities. our partner Rohan Virginkar also reminded attendees that FCPA compliance goes far beyond simply creating policies. As a former Department of Justice attorney who investigated FCPA violations, he noted that he rarely looked at compliance policies, but rather focused on how those policies were implemented and enforced.

Global supply chains also open companies and their boards up to new risks. A breakout session led by our partner John Trentacosta discussed, in particular, the risk of both financial and reputational damage for companies that don’t conduct thorough due diligence and monitoring of overseas suppliers. A single instance where a supplier is exposed for using child labor, for example, can bring real damage to a company’s brand. Boards must not only hold management accountable for creating protocols for vetting suppliers, but also probe procurement, legal and other operations staff to ensure compliance with those protocols.

Integrating Cybersecurity into Day-to-Day Operations

Only a few years ago, cybersecurity was largely delegated to the IT department. Not anymore. In today’s world, boards must take an active role in overseeing cybersecurity programs. That was the consensus at a breakout session led by our partners James Kalyvas and Jen Rathburn.

When breaches happens, companies have to show that they took reasonable steps to prevent and mitigate it if they want to stay in the “good actor” category. The panelists all emphasized that preparation is key and that boards should make sure management is not only formulating cyber-response plans, but rehearsing the protocols. When a breach occurs, those organizations won’t be knocked back on their heels, but in position to respond quickly.

Evaluating Acquisitions in the Boardroom

A board’s involvement in acquisitions occurs before, during and after the acquisition. And at a breakout session on M&A, led by our partner Steve Vazquez, the panelists identified five important actions boards must take to run successful transactions:

1. Ensure the company has a strategy and the acquisition is aligned with it

2. Understand how the company is valued and what negotiations are needed

3. Conduct due diligence regarding tax, FCPA, cyber and intellectual property, among other key assets and issues

4. Monitor integration of the acquired company

5. Monitor progress against the planned strategy

And finally, the panelists added a note of realism: because most acquisitions fail, every board should go into transaction talks with a plan covering what to do if the deal falls through.