Govern Update Newsletter/Journal
Issue: 1/2020
 
 
 
 
 

 
 
 
 
IN THIS UPDATE:
 
 
 
 
 
Yes its true GOVERN for IMPACT is celebrating… why?  At the end of 2019 we achieved 100 affiliates of GOVERN for IMPACT... [Read More]

In a publication titled The Unique Double Servant-Leadership Role of the Board Chairperson, John Carver, the developer of the Policy Governance® model, stated... [Read More]

Every organization who has a group of people working together to achieve a common goal (End), needs to have a way for people to express their concerns when they believe that an injustice...[Read More]
 
 
 
 
 
Time to Celebrate
by Karen Fryday-Field

Yes its true GOVERN for IMPACT is celebrating… why?  At the end of 2019 we achieved 100 affiliates of GOVERN for IMPACT. This is more affiliates than we have ever had over recorded history.  We increased the number from 82 affiliates at the beginning of the year to 100 by Dec 31, 2019!

Our goal at GOVERN for IMPACT is to engage hundreds of affiliates over time to support people’s knowledge and experience in the unique field of governance and to support Board excellence in the world creating more accountable and more impactful Boards and hence organizations.

Thank you for all our new affiliates – you are now on an incredible journey with a caring, learning, committed community of people – those who want to improve our world through effective governance.

To those of you who rejoined in 2019, bravo and thank you!  And to those of you who join every year, we are doing a dance to thank you!

GOVERN recognizes that together we need to add value and make a difference. We can’t do this without you.  If you ever have suggestions on how we can get better, be better, grow our impact, please send me an email and we will explore this together.

Here is to a growing year in 2020.  If you know someone who wants to learn more about governance, contribute to governance research, advocate for better owner-informed, results-focused, accountable and ethical governance – share with them how join as an affiliate.  You will discover committed people, resources, knowledge, insight, exploration, and ‘impact’.

Learn how to join here.
 
 
 

Karen Fryday-Field, MBA, GSP
CEO, GOVERN for IMPACT

 
 
 
 
 

Policy Governance® – “A Technology of Servant-Leadership"

By John P. Bohley, Jr., LISW-S, DPA, GSP

 
 
 
 
In a publication titled The Unique Double Servant-Leadership Role of the Board Chairperson, John Carver, the developer of the Policy Governance® model, stated:  “If the judgment of history is kind, the Policy Governance model may merit being seen as a technology of servant-leadership.” 1
 
 
 
In a publication titled The Unique Double Servant-Leadership Role of the Board Chairperson, John Carver, the developer of the Policy Governance® model, stated:  “If the judgment of history is kind, the Policy Governance model may merit being seen as a technology of servant-leadership.” 1

In exploring the relationship between Policy Governance® and servant-leadership, this article will do the following: 
1. provide a brief overview of the concept of servant-leadership,
2. identify aspects of servant-leadership that are embedded within the Policy Governance® model itself,
3. identify aspects of servant-leadership that support effective practice of the Policy Governance® model, and
4. identify opportunities for Policy Governance® boards that wish to embrace the spirit and ethical imperatives of servant-leadership more fully.

Brief Overview of Servant-Leadership.
On its website, the Robert K. Greenleaf Center for Servant Leadership describes servant-leadership as “a philosophy and set of practices that enriches the lives of individuals, builds better organizations and ultimately creates a more just and caring world.”2  In his 1970 essay that introduced the concept of servant-leadership, Robert K. Greenleaf provided the following Best Test of Servant-Leadership:  “Do those served grow as persons; do they, while being served, become healthier, wiser, freer, more autonomous, more likely themselves to become servants? And, what is the effect on the least privileged in society; will they benefit, or, at least, will they not be further deprived?”3

We may tend to see effective leaders as those who exert power over others and get others to carry out their dictates.  Servant-leadership, on the other hand, is grounded in putting others first and seeing one’s leadership as a calling to serve those who are being led.  For example, a supervisor that embraces servant-leadership does not so much strive to tell others what to do and make sure they do it but assumes the posture of a coach who supports and guides others to achievement.  The successful supervisor is one whose supervisees are successful in their jobs.  A company espousing servant-leadership values genuinely cares about meeting the needs of customers and employees.  Making an immediate sale to customers is seen as less important than having a truly satisfied customer whose real needs are being met.  Having empowered satisfied employees is seen as more important than forcing compliance on employees.  Organizations embrace servant-leadership because it is seen as the ethical and right thing to do but it is also recognized by them that servant-leadership is good for business.     

Larry Spears, a foremost servant-leadership authority, teacher, and advocate has identified the following ten characteristics of servant-leadership:  listening, empathy, healing, awareness, persuasion, conceptualization, foresight, stewardship, commitment to the growth of people, and building community within organizations.4

Robert K. Greenleaf has written about the critical role of boards of directors in guiding our institutions so that they can realize their potential in caring for all persons impacted by them and thereby making a major contribution to creating a better society.5 

Aspects of Servant-Leadership Embedded within the Policy Governance® Model.
Certain aspects of servant-leadership can be seen to be embedded in the very structure and process of the Policy Governance® model.  For example, in The Unique Double Servant-Leadership Role of the Board Chairperson, John Carver describes the board chairperson as servant-leader of the board and describes the board as servant-leader of the ownership.6  In addition, as mentioned above, engaging in foresight is seen as a key characteristic of the servant-leader.  Accordingly, when asked by Larry Spears about the importance of foresight in the Policy Governance® model, John Carver replied that “it is almost the total engagement of the board.”7

Aspects of Servant-Leadership That Support Effective Use of the Policy Governance® Model.
While some aspects of servant-leadership seem embedded in the Policy Governance® model itself, all of the characteristics of servant-leadership identified by Larry Spears can be seen as supporting effective use of the Policy Governance® model.  For example, when asked by Larry Spears about the importance of listening in the practice of Policy Governance®, John Carver replied that effective listening is especially important in the board’s linkage with ownership and in listening to and learning from staff.8  One may disagree about what specific characteristics of servant-leadership (as listed by Larry Spears above) are intrinsic to the Policy Governance® model and which are not intrinsic but supportive of the Policy Governance® model.  But, the important point is that there is a strong compatibility between and strong complementarity between servant-leadership and Policy Governance®.   Boards of organizations embracing servant-leadership can find in Policy Governance® a technology ideally suited for bringing servant-leadership values to life in boards and in the organizations they govern.  Boards practicing Policy Governance® can see in servant-leadership a value system that is intrinsic to key aspects of the Policy Governance® model and that can provide an inspirational and challenging “service to others” orientation that boards can embrace and operationalize in their governance systems.  

Servant-Leadership Challenges for Policy Governance® Boards.
Finally, Policy Governance® boards that wish to challenge themselves to embrace the spirit and ethical imperatives of servant-leadership more fully may wish to consider doing something like one or more of the following:
1. Ensure that their organizations’ pursuit of revenue and profit does not involve providing products or services that are not needed or not the best fit for their clients or customers.
2. Without prescribing means, not allow their employees to be without resources to assist them during difficult personal times or allow them to be without opportunities for personal and professional development.
3. In addition to ensuring that their organizations provide board-intended benefits for board-intended beneficiaries, embrace corporate social responsibility to make a broader contribution to creating “a more just and caring world.“2

“Life’s most persistent and urgent question is ‘What are you doing for others?’.”9
Martin Luther King, Jr.

Postscript
If you are interested in developing an appreciation for the richness of the servant-leadership concept, I recommend reading Robert K. Greenleaf’s three brief seminal essays on servant-leadership in the order in which they were written:  The Servant as Leader (1970), The Institution as Servant (1972), and Trustees as Servants (1974).  These essays are available as separate booklets from the Robert K. Greenleaf Center for Servant Leadership (www.greenleaf.com) and as the first three chapters of Robert K. Greenleaf’s Servant-Leadership:  A journey into the Nature of Legitimate Power and Greatness (Paulist Press, 1977 and 25th anniversary edition in 2002).  If you would like to delve into John Carver’s thoughts on Policy Governance® in relation to servant-leadership, I recommend the resources mentioned in notes 1 and 7.

Notes
1. John Carver, The Unique Double Servant-Leadership Role of the Board Chairperson.  (Indianapolis, Indiana:  Robert K. Greenleaf Center for Servant Leadership, 1999), p. 4.
2. Robert K. Greenleaf Center for Servant Leadership website:  www.greenleaf.com.
3. Robert K. Greenleaf, The Servant as Leader.  (Atlanta, Georgia:  Robert K. Greenleaf Center for Servant-Leadership, 2008, originally 1970), p. 15.
4. Larry Spears, “Character and Servant-Leadership:  The Ten Characteristics of Effective, Caring Leaders.” The Journal of Virtues and Leadership, Vol. 1, Issue 1.  (Virginia Beach, Virginia:  School of Global Leadership & Entrepreneurship, Regent University, 2010).
5. For example, Robert K. Greenleaf, Trustees as Servants.  (Atlanta, Georgia:  Robert K. Greenleaf Center for Servant-Leadership, 2009, originally 1974).
6. John Carver, The Unique Double Servant-Leadership Role of the Board Chairperson.  (Indianapolis, Indiana:  Robert K. Greenleaf Center for Servant Leadership, 1999).
7. Larry Spears interview with John Carver in Conversations on Servant-Leadership, edited by Shawn Ray Ferch and others.  (Albany, New York:  Albany State University of New York, 2015), chapter 3, p.  58.  Link to this interview which is presented in segments on YouTube:  https://www.youtube.com/playlist?list=PL032BA3BCABEC4C75. (The third character after the equals sign is a zero.)
8. Ibid., pp. 59-60.
9. Martin Luther King, Jr. speaking to an audience in Montgomery, Alabama in 1957.  Referenced at https://huffpost.com/entry/mlk-day-serving-others_n_6489236.

Policy Governance® is the registered service mark of Dr. John Carver.  Registration is only to ensure accurate description of the model rather than for financial gain.  The model is available free to all with no royalties or license fees for its use.  The authoritative website for Policy Governance is www.carvergovernance.com.
 
 
 
 
 
Speaking Up When You're Concerned
Every organization who has a group of people working together to achieve a common goal (End), needs to have a way for people to express their concerns when they believe that an injustice or something imprudent or unethical is going on within the organization. At GOVERN for IMPACT we are creating a robust set of administrative policies and procedures. We are pleased to advise you that we now have a Whistleblower Policy and Procedure in place.  You can find the details on GOVERN’s website below...
 
 
Whistleblower Policy
 
 

If you believe that there is a concern in GOVERN’s ethics or prudence (either by the organization or one of the organization individuals) we encourage you to resolve it directly with the person/people involved and if for some reason you feel you need to move forward anonymously please follow the GOVERN for IMPACT whistleblower process.  We hope this is never necessary but have made provisions for this process as it aligns with our values of ensuring transparency, ethics, and prudence in all of our operations.

 
 
 
 
 
An Interview with Michael Castro, Cyber Security Expert/Consultant

Board Governance of Cyber Security Risk
(Is Your Board on Top of This?)
 
 
 
 

Michael Castro serves across Canada and the United States as a cybersecurity expert at both the Board and operational level (see his bio). Michael met with Karen Fryday-Field, CEO, GOVERN for IMPACT on November 27, 2019 for a brief interview on the Board’s role and interest in cybersecurity risk.


Karen

Michael is an expert on cybersecurity and the connection between cybersecurity and Board governance of risk.  I have asked him to share some of this knowledge and insight today.  Thank you Michael for making time for GOVERN for IMPACT.  I’m so pleased to welcome you to our hot interview seat today.


Michael could you just share with us a little about your background in cybersecurity?


Michael

Absolutely and good morning Karen. I am part of RiskAware which you mentioned is a cybersecurity boutique firm in the Toronto area. We specialize in helping Boards through advisory services and cyber awareness as well as small and medium businesses throughout their cyber journey, to build out a cyber resilient platform. I have 20 plus years cybersecurity experience heading up cyber for organizations such as Loblaw, Suncor Energy, and a few financial and retail organizations throughout my years.


Karen

Please share with our readers the major risks facing organizations with regard to cybersecurity?  What do we actually face?


Michael

So organizations, whether they are large or small really all face very similar threats and when we really look at the impact of cybersecurity on organization you can really break it down into 3 big buckets.


1. What is the financial impact and the financial risk?

There is no doubt that any cyber attack or breach that can fall on an organization will have some financial impact.  If you look at the actual numbers over the last couple of years we are seeing that an actual cyber attack costs an organization well over $4M per attack. Those kinds of costs of course involve recuperation, legal fees, penalties all put together. Overall organizations globally are spending well over $90 billion in cyber protection.


The impact to an individual organization is quite large.  We look at direct losses through theft, extortion, through business interruption due to cyber disruption and really all of those can amount to a lot of dollars and a lot of hardship for organizations depending on the size of the company. This challenge affects large and small organizations.


2. The other thing that we look at is regulatory impact.

Regulatory impact can be a big piece too.  The change in Canada especially, and in other countries, around privacy required (GPDR, PCI for retailers as examples) is significant. All of those really can have an impact as to whether the challenge will be through fines or the capabilities to deal with regulators and everything surrounding the impact that regulators can have on organizations and the way they operate them.


3. The last bucket is reputational impact.

Really reputational impact has to do with how is a cyber breach going to affect the organization in what they do and their customers.  Such a breach, could have large impacts toward shareholder value. If it is a publicly traded company, negative impact on the value of their stock is key. Really the customer trust and how the customer is able to continue to do business with an organization that has a cyber breach is critical. 


Karen

Thanks Michael for sharing with us those 3 big buckets of risk that are connected to cyber risk and the significant challenge that organizations have when they face some kind of cyber attack.


I’d like to take this conversation up now to the Board level.  What do you believe are some of the major issues that Boards of Directors need to address with regard to the subject of cyber risk? Where does the Board fit into this?


Michael

Traditionally Boards have had a very small piece when it comes to cybersecurity.  Even now, I believe that less than 10% of Boards today really have an active role in the cybersecurity or cyber risk profile of their organizations.  Boards have to realize that there is risk involved with cyber and that they need to be able to put that into a platform just as they do for other risks that they deal with in their organizations.


Environmental risk, competitors, regulatory risks – all the areas of risk that Boards govern. Cyber is starting to creep up and find its way into the top 3 risks that Boards need to address. For some organizations, it really has become number 2 for them. 


So why do Boards need to be involved with cyber risk?  We look to some very large organizations that have suffered very large breaches that really then end up in front of the Board.  We look at Equifax, the largest a couple of years ago and the impact to them. Marriott hotels and their impact on their acquisition of Starwood Group.  And even years ago when Target had their very large consumer breach with credit cards.  In all of these, we really shift from an operational model to a Board accountability and the need for governance policy decisions and monitoring.


So how do Boards handle this challenge? Really what is it they need to do?  First off, Boards really have to understand the role of where cyber sits within their organization, understand that cyber needs to be a part of their organization, and recognize substantial risk is involved. The Board needs to determine its risk appetite for dealing with the potential of cyber threats.  And of course, if there happens to be, or ends up being something like a breach – what is their role in dealing with a reactive situation?



The Board needs to look to its own responsibility. Did it have in place appropriate policy to govern and hence mitigate the risk?


Karen

Once the Board has a governance of risk cybersecurity policy in place, how can the Board know or monitor that the organization is actually managing the risk around cybersecurity?  What kinds of things do you think the Board needs to know about or be advised about in Monitoring Reports from the CEO that would give the Board confidence that its policy on cybersecurity is in fact being complied with?


Michael

Excellent question. So again Boards were traditionally often inundated with security reports that would come from the CIO or the CEO and it really laid out a lot of measurements and metrics and technical measurements that were put to the Board to try to explain what cybersecurity was all about. Really those statistics aren’t effective in helping a Board Member understand risk and understand what they need to know and therefore what they need to decide upon. There have come over the last couple of years some new key performance indictors or key risk indicators, KPIs/KRIs. These build out some more measurements or more qualitative or quantifiable pieces to help paint that picture, one that provides the bigger picture evidence.


I am often being asked a very simple question: “Are we at risk?” Really, that is far to qualitative and subjective a type of question.  It really is not a question that can help the Board. Instead the questions and information should really be around, compliance and how an organization is being compliant to their cybersecurity policies and their governance measurements.


So when we look at compliance we really want to look at:

- Is the organization holding true to their cybersecurity policy direction from the Boards
- Is there a road map for what the organization wants to do in the security space and does the CEO have a plan to move forward to be able to keep up with the ongoing threats and the ever changing threats that might happen to an organization?
- Is the CEO demonstrating compliance on the ability of the people within the organization to not get stale and to not be blind or lack awareness to make sure that systems are being held to their most secured position?


When we look to the operational value and instead of showing the statistics on how many systems might be patched within an organization or how many attacks happened it really becomes more useful for the Board to learning about the impact of those operational breaches.


So for instance,

- What is the true threat environment for the organization?
- Is the Board clear about the risk boundaries its places on the CEO?
- Do they have unique applications that pose a threat or increased risk to the organization by having a web application or a mobile application for instance, or e-commerce, or other areas that generate more risk or attract more attention to them than other traditional models might do?
- The Board should look as to whether there are independent reviews being done on the threat model. That is, do third parties come in and test the security measures that the organization is using internally to make sure they are actually achieving the cybersecurity goals and that they are as secure as they are saying that they should be (external monitoring).
- And finally, Boards need to be provided with true quantifiable measurements against their policy – one example is “the time to live” – when they talk about breaches; its about the length of time that a threat is within an organization and how long it has taken for the threat to become found within an organization.  For instance, a virus or malware can enter an organization and it could be months before an organization finds it.
- Another example is the “time to react” – that is if a virus is found, if malware happens, if there has been an exfiltration for instance of data from the organization – how long did it take for the company to react?  What was their reaction position and how quickly were they able to mitigate or deal with the threat that was found and then removed from that organization?


These are the type of measurements I think Boards need to hear.


Karen

You are speaking to the fact that Boards need to understand a little bit more about the nature of the risk in order to be able to effectively articulate what kind of risk boundary or executive boundary they want to create around the whole cyber space within their organization.  I hear in what you are saying that there is an element of education for Boards, not the details of operations, but the nature of the kind of risk so that they can then be articulate enough or specific enough in their policy that the true risks can be governed.  It is also then important to have metrics that speak to those elements of risk.


As we close, if you could give Boards one piece of advice, what would that be about cybersecurity?


Michael

Absolutely.  I think its very important for Boards to realize that data is the new gold when it comes to what is valuable within an organization.  All organizations big or small, whether their primary product is data or not – every organization has data and that data has value to someone to infiltrate or steal.


Either it’s the loss of that data that can impact your organization or it’s the loss of access to that data that really can put an organization at risk.  And because of that Boards really need to get more involved. Today less than 10% of Boards/Directors for organizations are truly speaking to cybersecurity.  Many truly believe that it is just an operational piece but really it isn’t and more attention really needs to be paid by Boards. 


Karen

Thank you Michael! 


We look forward to working with you at the GOVERN for IMPACT Advanced Practice Webinar on March 10, 2020 from 11:00-2:00 p.m. EST. 


Click here for more information or to register.

 
 
 
 
 
 
BOARDS AND GOVERNING CYBER SECURITY RISK
Online | March 10, 2020 - 11am-2pm EST
 
 
 
 
This session is a must for Board Chairs, Board Members, CEOs, Board Administrators, and Vice Presidents, Finance.

More information will be available on the website soon.

Affiliate Fee: $120
Non-Affiliate Fee: $150
 
 
Register Here
 
 
 

Session Presenter: Michael Castro, Founder, RiskAware. Read his full bio here.
 
 
 
 
 

Session Moderator: Karen Fryday-Field, Senior Governance Consultant and GOVERN for IMPACT CEO.
 
 
 
 
 
 
2020 GOVERN FOR IMPACT FACE-TO-FACE ADVANCED PRACTICE FORUM
February 21 & 22, 2020
Orlando, Florida
 
 
 
 
 
GOVERN FOR IMPACT will host their annual F2F Advanced Practice Forum in Orlando, Florida on February 21 and 22, 2020. This year, Govern for Impact invites all Academy-trained and experienced consultants, advanced Policy Governance® users, graduates of Govern for Impact's Policy Governance Proficiency program, all designated governance systems professionals, and all people with an interest in advanced skills in governance.

This is the major opportunity GOVERN for IMPACT provides each year for governance coaches, consultants, academics, and experienced users (e.g. board members, board chairs, board committee chairs, board administrators) to get together in person for in-depth learning and networking with expert presentations and lively discussion of common challenges.


For more information and complete forum pricing, click below.
 
 
More Information
 
 
Rosen Plaza Hotel
9700 International Drive, Orlando, FL 32819

Click here to make your reservation, or you may call reservations at 800-627-8258.

The Face-to-Face Advanced Practice Forum rate is US$149/night.
 
 
 
 
 
 
REGISTRATION NOW OPEN
2020 GOVERN FOR IMPACT CONFERENCE
Fort Worth, Texas | June 18 to June 20, 2020
 
 
 
 
 
AnchorThe Annual Conference for Boards, CEO’s, Administrators Using the Policy Governance® System; and… Young Governance Professionals and others exploring good governance.

The 2020 Govern for Impact Annual Conference offers the opportunity to boost the sustainability of your community, your organization and your leadership. Join us for rich discussion and networking, plus engaging workshops.


To register visit the link below and choose the appropriate type of registration. 
 
 
Register Here
 
 
 
Hotel Information
The Worthington Renaissance Fort Worth Hotel, 200 Main Street, Fort Worth, Texas 76102, USA

Use the button below to make your reservation, or you may call reservations at 800-443-5677. The Govern for Impact Conference rate is USA$179/night. 
 
 
Hotel Registration
 
 
 

Did you know you can interact with us on social media?! To keep informed on the latest news about conferences, forums and other events consider following Govern on Facebook or joining our group on LinkedIn below.
 
 
 
 



Govern is on Facebook, follow us HERE or by clicking on the image above!
 
 
 
 



Govern is on Twitter follow us HERE or by clicking on the image above!
 
 
 
 



Govern is on LinkedIn, join our group HERE or by clicking on the image above!
 
 
 
 
Don't forget to check out the Govern Blog... click the button below.
 
 
Govern Blog
 
 
 
GOVERN Address Change

Govern has transitioned their mailing address. The new address is as follows:

2206 Village West Drive South
Lapeer, MI 48446
USA
 
 
 
 
 
Policy Governance® is an internationally registered service mark of John Carver. The model is available free to all with no royalties or license fees for its use. The authoritative website for Policy Governance is www.carvergovernance.com.
 
 
 
 
 
2206 Village West Drive South
Lapeer, MI 48446
+734 239 8002  
 
 
        
Footer-logo