
In our quest to learn and share information relating to governance, strategic planning and facilitation, we hope that you will enjoy and benefit from the ideas, practical tips and general musings offered up in BoardWorks Briefs.

Workplace Mentoring Programs – A Wise Investment

BoardWorks has recently been engaged to support a public sector organization’s development of a formal mentoring program. People are an organization’s most important resource. Workplace mentoring programs offer a cost-efficient way to onboard new talent, develop existing talent and implement seamless leadership succession.

Formal mentoring programs also offer benefits such as:

  • Enhancing employee engagement and retention
  • Enhancing organizational diversity through the retention of women and minority employees
  • Knowledge sharing, and
  • Employer branding.

Elements of a Successful Mentoring Program

In order to be successful, a Mentoring Program needs to:

  • Have effective program leadership
  • Have clear objectives
  • Be well-designed to meet those objectives
  • Include effective program promotion, mentor recruitment and training
  • Have a good process for matching mentors and mentees
  • Support the mentoring relationships through education and helpful resources
  • Evaluate its impact at individual and organizational levels
  • Have strong support from the organization’s leadership and be adequately resourced

Program Leadership

There should be a designated Program Manager for the Mentoring Program who is responsible and accountable for the successful implementation of the Mentoring Program. It is also beneficial to establish a small but representative Steering Committee to help design, champion and evaluate the Program.

Program Objectives

The starting point for any Mentoring Program begins with two important questions:

1. Why are you starting this Program?

2. What does success look like for the participants and the organization?

We facilitate conversations about these questions and help organizations gain clarity on their specific objectives for a formal Mentoring Program. These objectives will provide a critical foundation for the design and evaluation of the Mentoring Program.

Program Design

There are many program design questions to be considered in the development of a mentoring program. They include:

  • Who will be eligible to participate?
  • How do employees gain access to the program?
  • How many mentoring matches can be supported?
  • Will the mentors be internal/external or a combination?
  • How will mentors be recruited/recognized?
  • How will the matching be done?
  • How will mentorship training be delivered – in-house or externally?
  • How long should a mentoring experience be?
  • How can the mentors/mentees be supported during the program?
  • How will the program be celebrated as a means of creating interest?

We work with Program leaders to consider important design questions and then document the answers to those questions in the form of Mentoring Program descriptions, templates and forms.

Program Promotion and Mentor Recruitment

Employees will need to know about the Mentoring Program and how it works. It will be important to “create a buzz” about the Mentoring Program to encourage employees to participate in it. Similarly, potential mentors will also need information about the Program.

There will also need to be a process for selecting mentees, recruiting mentors and then identifying good mentee/mentor matches. We will work with the Mentoring Program leadership to define these important processes.

Mentorship Education and Support

Successful mentorship programs include a good education program for mentees and mentors. They also include access to helpful resources and program peers. BoardWorks helps clients to define the learning needs of mentors/mentees, develop foundational educational content for the Mentoring Program and identify potential resources and program peer interaction opportunities.

Program Evaluation

Finally, mentorship programs are measured and evaluated at two levels: (a) individual participant and (b) organization. We help clients to identify the right metrics and evaluation methods to support the ongoing improvement of the Mentoring Program.

There are many good reasons to establish a formal mentoring program. BoardWorks Consulting Inc. would love to help you design and launch a program for your organization!

Board Oversight of Cybersecurity

Boards are asking for best practices relating to the oversight of cybersecurity risks. Having done some recent research into this question, we thought we would share our findings.

What is ‘Cyber Risk’?

The Institute of Risk Management defines ‘cyber risk’ as ‘any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.’ As noted by Marsh Canada, “while the benefits of utilizing e-business strategies and internet-based technologies are numerous, so are the risks. The internet and other networked operations have created exposures that were unheard of a decade ago. In addition, the wave of privacy related regulation has created an entirely new area of risk, untethered from technology; risk based solely upon the potential mishandling of confidential information.” According to Robert Mueller, former Director of the FBI, “there are only two types of companies – those that have been hacked and those that will be.”

Board Oversight of Risk

Cyber risk is but one of the many risks that a company faces. It has been well-established that a governing board is not expected to manage risks – that responsibility is delegated to the CEO and management team. The board is, however, expected to understand what the principal risks are facing the company and to ensure that management has good systems in place to identify, evaluate, manage and monitor risks. Applying this principle to cyber risk, a board is expected to understand and monitor:

  • The company’s most critical/sensitive information or data
  • The fast-changing landscape of potential cybersecurity threats
  • The potential implications for the company of cybersecurity breaches
  • The policies and systems that management has put into place to minimize and respond effectively to cyber risks
  • The roles and responsibilities of the various players within the company with cybersecurity as part of their mandate
  • How the company’s cyber risk management stacks up against others
  • What the company is doing to promote a cybersecurity culture in the workplace

Good Oversight Questions to Ask

Some good questions for the Board to ask the Chief Executive Officer (CEO) and the Chief Information Officer (CIO) include:

1. Have we undertaken a cyber-security risk assessment? If so, can management walk us through the results of that assessment?

Such an assessment would involve:

(a) identifying information assets and making a priority list of what needs to be protected

(b) locating the information assets and listing where they reside within the organization (e.g. file servers, workstations, laptops, removable media, PDAs and phones, databases, etc.)

(c) classifying the sensitivity of information assets according to a rating scale

(d) conducting a threat modeling exercise to rate the threats that top-rated information assets face

(e) developing a security plan that addresses the areas of highest risk first.

2. How can the security of IT systems be breached and who is typically behind such breaches?

In general terms, the security of IT systems can be threatened when:

  • Unauthorized users gain access to the company’s network – this can occur if employees share their confidential logon IDs and passwords, leave their workstations unlocked and unattended, lose equipment or mobile storage devices, etc.
  • Opportunistic hackers gain access to corporate networks through weaknesses in the system – this can include phishing emails that deliver viruses or spyware onto the network when someone opens an attachment or link, downloaded software bundled with malware, etc. These attackers cast a wide net across many organizations and simply take advantage of whatever gives way.
  • Criminal hackers who deliberately target the proprietary information assets of specific companies for commercial benefit.

3. What are the potential consequences of a significant cybersecurity breach?

According to KPMG, potential consequences for a company might include:

  • Intellectual property losses including patented information and trademarked material, client lists, and commercially sensitive data
  • Legal expenses including damages for data privacy breaches, compensation for delays, regulatory fines and the cost associated with defence
  • Reputational loss which may lead to a decline in market value, and loss of goodwill and confidence by customers and suppliers
  • Time lost and distraction due to investigating how the breach occurred and what information (if any) was lost and keeping key stakeholders advised
  • Administrative cost to correct the impact such as restoring client confidence, communications to authorities, replacing property, and restoring the organization’s business to its previous levels.

4. Who is responsible for cybersecurity within the company?

The cybersecurity roles and responsibilities of everyone from the front-line employee to the CEO should be made clear and documented in policy.

5. What policies are in place to provide guidance to our employees and potential third parties relating to cybersecurity?

Our research suggests that cybersecurity-related policies should, at a minimum, give executives and employees the answers to the following basic questions:

  • Who in my organization is responsible for cybersecurity?
  • What are the rules that govern my use of company resources (computers, smartphones, tablets)? How can I be kept aware of updates to these rules?
  • If I suspect that I have a cybersecurity issue (malware, spyware), who should I contact within my organization?
  • Does my organization have a policy on bringing personal devices into the workplace?
  • What am I allowed to connect to my company’s system and could my device infect the system?

A cybersecurity policy should also include:

  • An emphasis on the importance of cyber security
  • Training on effective password management
  • How to detect phishing and other scams
  • The need for regular updates and patches to anti-malware programs, web browsers and other programs
  • The need for secure encrypted file transfer for sensitive information being sent outside the company
  • The expectation that employees will lock and store securely computers and other mobile devices
  • The need to quickly report lost or stolen devices
  • The importance of employees playing an active role in protecting the company’s information assets
  • A strong recommendation that employees apply maximum privacy settings to their social media accounts

The organization’s cybersecurity policy should be incorporated into the employment agreement in some way and regular cybersecurity training should be scheduled to make sure that employees understand the guidelines.

6. What controls and other risk management strategies do we have in place to keep our information assets safe? Are the resources that we allocate to cybersecurity adequate?

Our research indicates that the basic rules all companies should follow in practising good cybersecurity include:

  • Every user should have their own account with particular rights and restrictions. These rights should be limited to what the employee needs to perform their job duties (the principle of least privilege).
  • Users should be held to strong password requirements. Note that more recent guidance (NIST SP 800-63B, 2017) no longer recommends forcing password changes at fixed intervals; it favours longer passwords screened against lists of known-compromised passwords, a forced change only when there is evidence of compromise, and multi-factor authentication.
  • Employees’ cybersecurity responsibilities should be clearly identified in job descriptions, policy statements, or other company documents (like procedures manuals). Companies should update employees’ and contractors’ access rights as they move through the organization. Often, employees retain access to systems after moving to new areas that do not require it, or even after leaving the company. Contractors may retain remote access to systems or sites after their work is completed; companies should make concerted efforts to revoke this remote access once outside vendors’ contracts are complete.
  • Security patches should be applied promptly and on a regular schedule.
  • Older, unsupported versions of software should be removed.
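The access-review points above (one account per person, rights limited to the role, and access revoked when people move on or contracts end) are the kind of check a CIO can be asked to run on a schedule. The following is an added example written for this page, not code from BoardWorks or from any product: it reconciles a constructed account export against a constructed HR roster and an assumed role-to-group entitlement matrix, and flags shared accounts, leavers, contractors whose engagement has ended, privileges beyond the role, and dormant accounts. The record formats, the role names and the 90-day dormancy threshold are all assumptions.

```python
"""Access review (joiner/mover/leaver reconciliation), as an added example.

All people, accounts, groups and dates below are constructed; the roster,
export and entitlement-matrix formats are assumptions, not a vendor API.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed entitlement matrix: the groups each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"all-staff", "finance-ro"},
    "finance-manager": {"all-staff", "finance-ro", "finance-rw", "payroll"},
    "helpdesk": {"all-staff", "helpdesk", "workstation-admin"},
    "contractor-dev": {"vpn", "dev-repo"},
}


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    active: bool                         # False once HR records a departure
    contract_end: Optional[date] = None  # set for contractors and vendors


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # None: no single accountable owner (shared/generic)
    enabled: bool
    groups: frozenset[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str
    detail: str


def review_access(people, accounts, today, dormant_days=90):
    """Return a Finding for every enabled account that fails the review."""
    by_id = {p.person_id: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing left to revoke
        if acct.owner_id is None:
            findings.append(Finding(acct.username, "shared-account",
                                    "no single accountable owner; issue per-user accounts"))
            continue
        person = by_id.get(acct.owner_id)
        if person is None or not person.active:
            findings.append(Finding(acct.username, "leaver",
                                    "owner is not an active person; disable the account"))
            continue
        if person.contract_end is not None and person.contract_end < today:
            findings.append(Finding(acct.username, "expired-contract",
                                    f"engagement ended {person.contract_end}; revoke remote access"))
            continue
        # Mover check: anything the current role does not need is excess.
        excess = acct.groups - ROLE_ENTITLEMENTS.get(person.role, frozenset())
        if excess:
            findings.append(Finding(acct.username, "excess-privilege",
                                    f"groups beyond role {person.role}: {sorted(excess)}"))
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.username, "dormant",
                                    f"no login in {dormant_days} days; confirm still needed"))
    return findings


# Constructed sample data (not real people or systems).
SAMPLE_PEOPLE = [
    Person("e100", "finance-analyst", True),
    Person("e101", "finance-analyst", True),   # moved here from finance-manager
    Person("e102", "helpdesk", False),          # has left the company
    Person("e103", "helpdesk", True),
    Person("c200", "contractor-dev", True, date(2014, 12, 31)),
]
SAMPLE_ACCOUNTS = [
    Account("asmith", "e100", True, frozenset({"all-staff", "finance-ro"}), date(2015, 2, 27)),
    Account("bjones", "e101", True, frozenset({"all-staff", "finance-ro", "finance-rw", "payroll"}), date(2015, 2, 26)),
    Account("cwong", "e102", True, frozenset({"all-staff", "helpdesk"}), date(2015, 1, 15)),
    Account("emiller", "e103", True, frozenset({"all-staff", "helpdesk"}), date(2014, 10, 1)),
    Account("vendor-dlee", "c200", True, frozenset({"vpn", "dev-repo"}), date(2015, 2, 20)),
    Account("shared-ops", None, True, frozenset({"workstation-admin"}), date(2015, 2, 28)),
    Account("old-admin", "e102", False, frozenset({"workstation-admin"}), None),
]


def run_sample_review(today=date(2015, 3, 1)):
    """Run the review over the constructed sample as of an assumed review date."""
    return review_access(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.username:<12} {f.kind:<17} {f.detail}")
```

Run as a script it prints one line per finding; the clean account (asmith) and the already-disabled one (old-admin) produce nothing. The order of the checks matters: an account whose owner has left is reported as a leaver and nothing else, because the fix (disable it) makes the remaining checks moot, whereas an active owner can collect both an excess-privilege and a dormant finding.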

There is also a need to be mindful of the company’s physical assets as well. For example, misplaced devices or computers in remote locations without adequate access control and monitoring can present risks.

Finally, a company’s cyber risk management systems need to be the subject of regular training, assessment and system hardening.

According to an August 2014 article in Fast Company entitled “Top 10 Most Effective Cybercrime Policies”, the most effective methods used to fight e-crime are:

  • Engage in internal employee monitoring
  • Have a written inappropriate use policy
  • Require employees and contractors to sign acceptable use policies
  • Monitor Internet connections
  • Require internal reporting to management of insider misuse and abuse
  • Host employee education and awareness programs
  • Develop a corporate security policy
  • Conduct new employee security training
  • Conduct regular security audits

7. Do we allow third parties to connect to our network and if so, what protections do we have in place to minimize the risk of them transferring malware or spyware to our system?

The company’s CIO will be able to identify third parties with access to the company’s network. He/she will also be able to speak to what systems are in place to minimize risks associated with third party access to your network.

8. How do we stay on top of the changing tricks that hackers use to penetrate systems like ours?

Again, the CIO will be in a position to share with the Board or the Risk Committee how he/she and his/her team stay abreast of, and share internally, the ever-changing cybersecurity threats facing the company.

9. What cyber attacks have occurred at the company?

The CIO will be able to explain how and when the corporate network was exposed to malware or spyware.

10. How are we set up to respond to potential cybersecurity threats?

The CIO will be able to describe the system security monitoring and testing that is done on a regular basis. He/she can also describe what the process is for employees to report cybersecurity suspicions to the Help Desk and what the escalation process is from there.

The Board will want to know and perhaps set some guidelines regarding who, internally, is to be advised of any cyberattacks. It will also want to know when it would be appropriate to secure external forensic expertise and to contact law enforcement in the event of a significant breach. Finally, it will want to know that the company has a disaster recovery plan and a crisis communications plan in place to address business interruptions due to cyber attacks.

11. Do we need cyber risk insurance? If we have a policy in place, is it adequate?

According to Marsh Canada, “traditional insurance policies do not typically address cyber risks in an effective way and, in fact, internet and network exposures are increasingly subject to exclusion from these policies.” The same firm also describes available coverage as follows: “Cyber and privacy risk insurance provides financial protections for information and technology related risks. ‘Information risks’ extend beyond the risks associated with internet communications or e-commerce transactions. Losses, often arising from lost client data or unauthorized access or use of computer systems, cross every industry and every business that uses computers to communicate/transact business. Coverages are available for direct loss, including: loss of electronic data, business interruption and extra expenses from technology failure/system outage, liability coverage for defense expenses and damages stemming from claims. Coverage also responds to out of pocket expenses incurred by an insured to comply with privacy regulations, as well as defending the insured in a regulatory action involving a violation of a privacy regulation.”

12. How do we organize ourselves as a Board to provide effective cyber risk oversight?

Risk oversight is an important board responsibility. Some boards delegate specific risk oversight responsibilities to board committees while others prefer to monitor the risk environment at the full board level. Boards should review their organization’s risk management framework and the current structure for risk oversight and consider the following questions:

  • Is cybersecurity currently an explicit risk in the organization’s risk management framework?
  • Will the full board monitor cyber risks along with all of the other risks or will risk oversight (including cyber risks) be delegated to a specific committee?
  • Is risk oversight included on the board’s annual macro agenda? Is there an annual robust discussion of the principal risks facing the company and the policies and systems in place to minimize and manage these risks?
  • If a board committee has responsibility for risk oversight, is time set aside for that topic on the committee’s annual work plan?
  • Has the company reviewed all of its procurement, contractor and visitor documents to make sure that third parties agree to abide by its cybersecurity standards and policies?
  • How do cyber risks factor into the annual internal audit plan?

Cybersecurity is a significant risk for most organizations. Asking good questions about cybersecurity and getting organized to provide effective risk oversight are ways in which boards can add value.

The Board’s Role in Corporate Social Responsibility

What is Corporate Social Responsibility (CSR) and what is a board’s role in the governance of CSR?  There is no standard definition of Corporate Social Responsibility.  Typical definitions provide that CSR is:

  • “a company’s environmental, social and economic performance and the impacts of the company on its internal and external stakeholders”.[1. CSR Guidelines, Canadian Business for Social Responsibility,  p.2]
  • ‘the way firms integrate social, environmental, and economic concerns into their values, culture, decision making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth and improve society’.[2. Corporate Social Responsibility, An Implementation Guide for Business, 2007, p. 4 available at www.iisd.org/pdf/2007/csr_guide.pdf]

Securities regulators are placing more emphasis on the environmental and social disclosure requirements for listed companies.  Institutional investors are also indicating that they intend to incorporate environmental, social and governance issues into investment analysis and decision-making processes.  It’s becoming increasingly clear that companies that embrace their role as good corporate citizens can enhance their reputation with investors, customers, employees, government and the general public, thereby increasing shareholder value.   Companies that do not live up to their societal and legal obligations face significant legal, financial and reputation risks.  Boards have been referred to as the “guardians of their organization’s ethics”.  They set an important “tone at the top” and are expected to ensure that the corporation’s values and ethics are clear, broadly understood and demonstrated throughout the organization and beyond.

Given the significant opportunities and risks presented by CSR, what is a board’s role in relation to this important area?  In our view, they may be summarized as follows:

  • Understand the concept of corporate social responsibility and monitor best practices for the governance of CSR.   The field of corporate social responsibility is relatively new and constantly evolving.  Directors should monitor CSR trends and best practices in order to periodically evaluate whether the board’s governance of CSR needs to be strengthened in some way.  Periodic board education sessions on CSR may be helpful in this regard.
  • Understand their company’s definition of and approach towards CSR.  Directors will want to ask the CEO and Senior Management team to explain how they interpret the concept of CSR and where it fits into the company’s strategy and risk portfolio.  Directors will also want to understand whether the company prefers to treat each CSR element separately, such as community relations, employee relations and environmental stewardship, or whether the company prefers a more integrated or holistic CSR approach.  This organizational philosophy may impact how the board wishes to organize itself in relation to the governance of CSR.
  • Determine how the board will organize itself to fulfill its CSR stewardship responsibilities.  Some boards assign various aspects of CSR to existing committees such as Audit and Risk, Human Resources and Governance.  Other boards, particularly where CSR is a significant component of the corporate strategy and risk portfolio, establish dedicated CSR Committees.  The manner in which a board decides to address CSR should be reflected in clear Terms of Reference for its committees.  Another issue for the board is the type and frequency of information that it requires in order to provide effective CSR oversight.  This issue should be discussed with the CEO in order to reach agreement on the Board’s CSR-related information requirements.  Finally, boards should review their composition to ensure that they have CSR expertise or diverse stakeholder perspectives represented on the board.
  • Approve a corporate CSR policy or framework.  Many companies are adopting a CSR policy or framework to guide the development and implementation of CSR plans and strategies.  Such CSR policies are within the purview of the Board to approve and should provide a decision-making framework for the company to make fair, ethically just and defensible decisions when faced with difficult trade-offs.
  • Ensure that CSR opportunities and risks are considered as part of the company’s strategic and annual business planning process and risk management systems.  Given the importance that regulators, investors and the general public are placing on CSR, directors should be carefully considering whether CSR is given sufficient priority in the company’s strategy, planning and risk management processes.  The Board will also want to ensure that the company is seeking out, listening to and thoughtfully considering the perspectives of diverse stakeholders in the development of its CSR and business strategies and risk profiles.
  • Emphasize the need for consistency in the company’s CSR values in its relationship with employees and external stakeholders.  This component is very important to employees – they expect to be treated with the same fairness and given the same support as external stakeholders.  If they see a double standard emerge, it can lead to poor employee morale.
  • Monitor the company’s progress in relation to CSR.  What does success look like for the company in relation to CSR?  What are the desired outcomes of the company’s CSR strategies?  How will the company know whether or not it is moving towards those desired outcomes?  What information can and will be shared with the Board in this regard?  These are some of the questions that a Board will want to ask the CEO and Senior Management team.  The Board should then expect regular CSR progress updates.
  • Monitor the adequacy of the company’s CSR disclosure practices.  For publicly-traded companies, securities regulators have prescribed mandatory disclosure requirements.   In addition, a number of TSX listed issuers have voluntarily published CSR or sustainability reports.  Different initiatives are underway to encourage corporate reporting of this kind including the Global Reporting Initiative (www.globalreporting.org) and others.  Boards and management teams will want to monitor evolving disclosure standards and determine where their company should be on the continuum.

In summary, clarity of purpose, direction and role will enable effective CSR stewardship on the part of governing boards.

In Camera Board Meetings

In addition to regular Board meetings, current governance norms recommend the regular use of in camera meetings, also referred to as executive sessions, by governing boards. When used properly, in camera sessions can be very helpful to a Board’s effective functioning. However, when used improperly, they can damage the Board’s relationship with senior management and the integrity of the Board’s decision-making.

In camera sessions are normally only attended by directors but may involve others (e.g. CEO, external advisors, etc.) by invitation. They provide an opportunity for directors to raise and discuss with each other any concerns that they may have. Through discussion, the concerns may be alleviated or validated; in the latter case, the Board will formulate specific follow-up requests of management. In camera sessions promote Board independence and also serve as a helpful “early warning system” for the Board Chair and the CEO.

Typically, the CEO is invited to join the Board for the first segment of the in camera session. The Chair will invite directors to ask any questions of the CEO that they may have been reluctant to ask in the regular Board meeting. Once any discussion between the Board and CEO is concluded, the CEO leaves the in camera session. The Chair asks the directors if anyone has anything that they would like to discuss in camera. In some instances, there will be nothing identified. In other instances, a director or directors may identify questions or concerns relating to such areas as:

  • Questions of clarification for other directors that they might feel reluctant to put to management
  • The Board’s own functioning
  • The quality and timeliness of information provided to the Board
  • The organization’s direction or performance
  • The organization’s relationship with key stakeholders.

An in camera session is not an appropriate forum for:

  • Micromanaging – talking too much about operational issues that fall within the CEO’s purview
  • Dealing with issues that the Board should have the courage and capacity to deal with in regular Board meetings
  • Drawing conclusions without providing management with the opportunity to respond to any questions or concerns.

Immediately following in camera sessions, the Board Chair should meet with the CEO to share with him/her, on a non-attribution basis, a summary of all matters discussed during the in camera session and any specific requests for research, further discussion or formal follow-up from the Board flowing from the in camera discussion. In camera sessions are not “secret” sessions; rather, they are simply an opportunity for some Board-only discussion of matters relating to the Board’s work. The CEO is made aware of the matters discussed in his/her absence. Normal rules relating to Board confidentiality apply to in camera sessions.

It is important to properly manage the Board’s or committees’ use of in camera sessions. Suggestions for “doing it right” include:

  • Treat in camera sessions like a normal part of the Board’s work – no “big deal”
  • Share, through the Board Chair, the key points of discussion with the CEO immediately following the session – there should be “no surprises”;
  • Consider including the CEO in the initial part of the in camera sessions unless they concern his/her performance evaluation or compensation
  • Bear the notion of “walking a mile in the CEO’s shoes” in mind
  • Invite a focus on current issues or concerns – in camera sessions are not intended to rehash ancient history or chronic pet peeves
  • Allow a sufficiently full discussion of issues or concerns to either dispel the concerns or develop the Board’s next steps in dealing with them (which would typically involve seeking more information and analysis from management).

The Chair’s ability to facilitate and manage the executive sessions is an important factor. The success of executive sessions often depends upon the trust relationship between the Chair and the CEO – where there is a healthy, trusting relationship, the CEO will have confidence that the Chair will ensure a fair and honest discussion and will bring back all the issues to the CEO.

We recommend that boards adopt a policy on in camera sessions so that the rules of engagement are clear for both directors and senior management. The policy should describe the purpose of executive sessions as well as the process to be followed. It should also provide guidance on the types of topics that are appropriate (or not) for in camera sessions.


We invite you to find out more about our approach and our services by exploring this site or by contacting us. We would love to hear from you.

951 Ivanhoe Street, Halifax, NS B3H 2X2
902.425.0036