'THE DAILY CORPORATE GOVERNANCE REPORT' (for public company boards, the C-suite and GCs)
Please see the items below with the related links (NOTE: access to link content may be metered, require a no-charge registration or require a paid digital subscription)
NOTE: This is a significantly longer than usual "catch-up" issue focused almost exclusively on AI and tech governance.
(i) AI/tech press releases/SEC filing of the day:
(a) NYSE/TSX-listed Shopify Inc. announced yesterday in this post on its 'latest news' webpage the appointment of a new Chief Technology Officer, as follows:
"......We’re thrilled to welcome Mikhail Parakhin, one of the finest machine learning (ML) crafters on the planet, as Shopify’s Chief Technology Officer. Mikhail's career is a testament to his ability to build critical infrastructure and invent key technology that has made a significant impact on the broader tech industry. Specifically, he led Microsoft's AI advancement, building consumer and enterprise-facing products like Copilot.....As CTO, Mikhail will oversee our engineering and data organizations and push Shopify to the cutting edge, not just in ML and AI, but in everything we’re building to make commerce better for everyone......"
(b) NYSE-listed, oil service company Halliburton Company disclosed last Friday in this Current Report filed with the SEC that it had experienced a cybersecurity incident, and had activated its cybersecurity response plan, as follows:
"On August 21, 2024, Halliburton Company became aware that an unauthorized third party gained access to certain of its systems. When the Company learned of the issue, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors to assess and remediate the unauthorized activity. The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement.
"The Company’s ongoing investigation and response include restoration of its systems and assessment of materiality. The Company is communicating with its customers and other stakeholders. The Company is following its process-based safety standards for ongoing operations under the Halliburton Management System, and is working to identify any effects of the incident."
(c) Wells Fargo & Company announced on July 30 in this press release the appointment of a head of technology, reporting to the CEO, as follows:
"Wells Fargo & Company announced today that Bridget Engle has been named Senior Executive Vice President (SEVP) and Head of Technology, reporting to Wells Fargo CEO Charlie Scharf and joining the company’s Operating Committee, effective August 12, 2024.
"Engle will be responsible for all technology across the Company. She brings more than 30 years of experience managing large, global technology organizations in complex financial institutions. Engle joins Wells Fargo from BNY where she served as SEVP and Chief Information Officer (CIO) from 2017 until earlier this year......The company also announced that Tracy Kerrins will serve as the Head of Consumer Technology and will lead a new Generative AI team, which will be responsible for driving the adoption of Generative AI across Wells Fargo, reporting to Engle......";
(d) NYSE-listed MetLife Inc. announced on July 30 in this press release the appointment of a new Chief Data and Analytics Officer and a new Chief Information Security Officer, as follows:
"MetLife, Inc. today added two accomplished and experienced leaders to their Global Technology and Operations organization. Tamar Shapiro will join MetLife as their Chief Data and Analytics Officer and Dan Antilley becomes the company’s Chief Information Security Officer.
"Shapiro was the Head of Analytics at Instagram where she led a team of data scientists and data engineers responsible for driving growth and engagement of more than one billion users by launching best-in-class products and features. She also worked for more than 10 years at American Express, leading the digital analytics team responsible for analytics, reporting, experiments and customer insights. Shapiro comes to MetLife from TZP Group, a Private Equity firm......
"Antilley brings more than 30 years’ experience in the technology industry, the majority at Bank of America where he led Cybersecurity Operations, Cyber Forensics and the company’s Incident Response Program. He also created and led the company’s Insider Threat program, Application Security program and Third-Party Assessment program. He most recently worked at NCR Atleos, where he was the Chief Security Officer......";
(e) LSE-listed, UK financial services group Lloyds Banking Group PLC announced on Aug. 5 in this press release the appointment of a Director of AI, a newly established position, reporting to the Chief Data and Analytics Officer, as follows:
"Lloyds Banking Group has appointed Rohit Dhawan as Director of AI (artificial intelligence). He will report to Ranil Boteju, the Group’s Chief Data and Analytics Officer. In this newly established role, Rohit will lead the Group’s AI Centre of Excellence, bringing together experts in Data Science, Behavioral Science, ML Engineering, Advanced Analytics and AI Ethics. He will be responsible for shaping the overall AI, ML and advanced analytics strategy, driving technical excellence, and promoting the adoption of AI enabled products and services to enhance and transform the experience for the Group’s 27 million customers.
"Under Rohit’s leadership, the AI Centre of Excellence will progress our commitment to attracting and retaining leading AI and Ethics talent within the UK,.....An industry veteran, Rohit.....joins from Amazon Web Services, where he served as the Head of Data and AI Strategy across the Asia-Pacific region.....";
(ii) the pros and cons of appointing a chief AI officer (CAIO): A number of prominent companies have recently appointed a CAIO, as discussed in a number of articles this year, such as this Jan./24 NY Times article, "Hottest Job in Corporate America? The Executive in Charge of A.I." (see item (ii) from Feb. 8/24); this March/24 MarketWatch article, "Chief AI officer: A necessity for companies or an expensive impediment?" (see item (i) from March 6/24); and this April/24 FT article, "The rise of the chief AI officer", inter alia quoting the CAIOs at Accenture, WPP and Dell (see item (iii) from April 15/24). On Aug. 7, the MIT/Sloan Management Review published this report, "Do You Really Need a Chief AI Officer?", and it is discussed in the Aug. 11 Fortune CFO Daily Newsletter, "Is it time to appoint a Chief AI Officer? Not so fast say experts.", inter alia with comments from a co-author of the report. Below are excerpts:
"....(S)ome companies have decided to create a new senior management position with enterprise-wide oversight of AI activities—a chief AI officer (CAIO). Is that necessary? “Do You Really Need a Chief AI Officer?” is the title of an interesting new report in MIT Sloan Management Review that delves into this topic. The authors have experience in analyzing the potential value of CAIOs, and four have been chief digital officers across a variety of industries. Some of the pros of having a CAIO is to steer the AI focus and prioritization companywide, which can centralize management of AI risks, and reduce internal deficiencies.
"But there are cons as well. For example, adding the position of CAIO can create tension in the existing C-suite with the CIO, CTO, chief operating officer, or the chief digital or chief data officer, according to the report. Another obstacle: “CAIOs could be tempted to pursue AI for the sake of AI rather than in the service of business objectives,” the authors write. And the additional costs of adding a CAIO position may outweigh the benefits.
"I asked a coauthor of the report, Michael Wade, a professor of strategy and digital at the International Institute for Management Development, how a company can effectively assess the need to create this C-suite role. There are a number of factors, like current AI competence, he said. However, there is one particularly important factor. “In organizations where AI can have a major impact on competitiveness, the scales may be tipped in favor of appointing a CAIO,” Wade said. For example, companies in the tech or financial services sectors, “where data management and insights are key sources of differentiation, may see significant benefits from coordinating AI initiatives centrally,” he said.
"How does he think a CAIO could work in tandem with a CFO to implement AI strategy across the organization? Wade referred to the importance of not getting “caught up in the hype and jumping on AI for the sake of AI.” In terms of ROI expectations, the CAIO should be held to the same standards as other parts of the organization, he said. “CFOs can work with CAIOs to set financial goals for AI projects, and where necessary, hold them accountable,” Wade said......
"Wade doesn’t think the CAIO role will eventually become a mainstay in the C-suite. When appointing a CAIO is advisable, the role should not become a permanent position, the authors state in the report. They advise for it to be a fixed-term appointment building a set of enterprise AI capabilities that will ultimately be handed over to the business or technology organizations......"
(iii) HBR article advocating that companies set up a 'board technology committee' (with reference to tech committees at Johnson & Johnson, Altria and AES)/world's largest sovereign wealth fund on the need for more AI competency on the board:
(a) Interesting article in the Sept./Oct. issue of the HBR Magazine, "Boards Need a New Approach to Technology", advocating that companies set up a "board technology committee", and providing advice on how to set one up. The article refers to and discusses several technology committees, including in particular those of Johnson & Johnson (its Science & Technology Committee Charter here); NYSE-listed, tobacco company Altria Group Inc. (its Innovation Committee Charter here); and NYSE-listed, global energy company The AES Corporation (its Innovation and Technology Committee Charter here). Note that each of the article's three authors is a director, or former director, of one of these companies. Below are excerpts from the article:
"How to Set Up a Technology Committee: It’s best to think of the tech committee as an intermediary between the rest of the board and the company at large. Particularly important is the committee’s interface with management..... One executive described this to us by interlacing his fingers: That’s how close the committee must be with C-suite technologists, such as the chief technology officer or the chief strategy officer......
"Composition: The tech committee helps the rest of the board navigate the complexities and contradictions of new technologies. Committee members should be good at explaining the strategic business implications and clarifying the threats and opportunities without being simplistic......The committee should be led by someone who is steeped in science or technology and joined by others who have what we’d call crossover experience...
"Agenda: Tech committees’ agendas will of course be tailored for the needs of each company, but in general they may include a regular review of its R&D strategy and progress toward annual goals. They often also include deep dives into emerging innovation areas and technology development, such as applications of AI and real-world evidence, review of potential acquisitions or divestitures from a science and technology perspective, and annual reviews of the charter, the committee’s performance, and its composition......"
(b) Below is from this Reuters article on Monday, "Companies need more AI competency at board level, Norway's wealth fund says":
"Companies need to do more to get to grips with AI at board level to govern how it is being used and to minimise risks, a top official at Norway's $1.7 trillion sovereign wealth fund, one of the world's largest investors, told Reuters. Norges Bank Investment Fund holds stakes in close to 9,000 companies globally, equivalent to 1.5% of all listed stocks.....
"Last August, it issued guidance to companies it invests in, calling on them to engage with AI as a way to drive profits, but to do so responsibly. A year on, companies generally need to do more, said Carine Smith Ihenacho, the fund's Chief Governance and Compliance Officer. "Overall, a lot of competence building needs to be done at board level," she said in an interview this week.
"It doesn't mean we need one AI person that's an expert on AI ... We need the board to understand, as a group, how AI is being used ... have a policy at board level and whether or not it is being used responsibly or not." "They should know: 'what's our policy on AI? Are we high risk or low risk? Where does AI meet customers? Are we transparent around it?' It's a big picture question they should be able to answer," she added......"
(iv) AI risks that are worrying public company board members/the growing number of Fortune 500 companies disclosing AI 'risk factors' in their annual reports on Form 10-K (with disclosure examples)/MIT AI risk database/AI regulation risk factor:
(a) Below is from this Aug. 14 WSJ article, "Why AI Risks Are Keeping Board Members Up at Night", inter alia including the comments of Clara Shih, CEO of Salesforce's AI division and with reference to the Salesforce "guidelines for responsible development and use of AI":
".......Public company board members say the swift rise of AI in the workplace is an issue that is keeping them up at night. Some point to recent concerns around employees putting proprietary code into ChatGPT, companies using generative AI to incorrectly source content or worries about so-called hallucinations where generative AI produces false or inaccurate information. Adding to their nightmares, board members worry that they could be held liable in the event AI leads to company problems.......
"Now that AI is front and center, board members are on the front lines of making rules on where and how it should be used—guidelines that could be crucial to the course of the powerful and fast-evolving technology. Clara Shih, CEO of Salesforce's AI division, says she has talked with a couple of dozen board members, whether CEOs or peers who reach out to her for advice, who are trying to better understand AI. Often discussions center on topics including data security and privacy, mitigating AI hallucinations and bias and how AI can be used to drive revenue growth and cut costs.
"In the last year, we recognize that generative AI brings new risks,” says Shih, who was on the Starbucks board from 2011 to 2023. An audit or risk committee, for instance, needs to know how a company uses AI, down to an individual employee not leaking confidential information using AI tools, she adds..... AI questions pop up so frequently that Salesforce made public its "guidelines for responsible development and use of AI", Shih says. She has also shared Salesforce’s AI training, called Trailhead, with friends who are public-company board directors. “AI is a moving target,” she says. “Every week there are new models being open sourced, there’s new research papers being published, and the models are getting more powerful.”
"AI’s rapid rise has many boards racing to catch up. In 2023, 95% of directors said they believed the increased adoption of AI tools would affect their businesses, while 28% said it wasn’t yet discussed regularly, according to a survey of 328 public-company board members by the National Association of Corporate Directors, the largest trade group for board members. That is changing as more board members say they are educating themselves on how generative AI can affect a company’s profit—potentially boosting productivity but also bringing risks that will be difficult to assess.....
"The release of ChatGPT in November 2022 sparked a seismic shift in how people use technology, says Nora Denzel, co-head of the NACD commission on board oversight of emerging technology and the lead independent director of the board of chip maker Advanced Micro Devices. “I’ve seen such an uptick in directors coming to anything we offer with AI in the title,” says Denzel, who co-leads the commission with Best Buy board chair David Kenny. 'I’ve never seen such fervor to understand it.'....."
(b) The disclosure of "AI risk factors", which is becoming more common in the annual reports on Form 10-K of public companies, is discussed in this Aug. 18 FT article, "Biggest US companies warn of growing AI risk", as well as in last Monday's Fortune CEO Daily Newsletter, "More than half of Fortune 500 companies now cite AI as a business risk", in both cases with reference to this study, "The rise of Generative AI In SEC Filings", by Arize AI (a firm which helps companies better deploy AI). Below is from the FT article:
"More than half of the US’s biggest companies see artificial intelligence as a potential risk to their businesses, according to a new survey of corporate filings that highlights how the emerging technology could bring about sweeping industrial transformation. Overall, 56 per cent of Fortune 500 companies cited AI as a “risk factor” in their most recent annual reports, according to research by Arize AI, a research platform that tracks public disclosures by large businesses. The figure is a striking jump from just 9 per cent in 2022.
"By contrast, only 33 companies of the 108 that specifically discussed generative AI — technology capable of creating humanlike text and realistic imagery — saw it as an opportunity. Potential benefits include cost efficiencies, operational benefits and accelerating innovation, these groups said in their annual reports. More than two-thirds of that group specified generative AI as a risk. The disclosures demonstrate that the impact of generative AI is already being felt across an array of industries and at the majority of the largest listed companies in the US.....
"Among Fortune 500 companies, AI risks mentioned in annual financial reports this year include greater competition, as boardrooms fret they may fail to keep pace with rivals who are better exploiting the technology. Other potential harms include reputational or operational issues, such as becoming ensnared in ethical concerns about AI’s potential impact on human rights, employment and privacy.......
"Netflix, the $290bn streaming service, warned that competitors could gain an advantage over it by deploying AI, which would affect “our ability to compete effectively and our results of operations could be adversely impacted”. Telecoms group Motorola said: “AI may not always operate as intended and data sets may be insufficient or contain illegal, biased, harmful or offensive information, which could negatively impact” its earnings and reputation.
"Some companies cited financial risks related to the evolving use of AI systems, such as mounting and unpredictable costs. Salesforce, a software business valued at $250bn, said its adoption of AI “presents emerging ethical issues” around data collection and privacy. It said its profit margins could be affected by “uncertainty” around emerging AI applications, which meant it would likely have to commit greater investment to develop and test new models. Legal, regulatory and cyber security AI risks were also a common theme among Fortune 500 companies......."
Note that below is the complete "AI risk factor" disclosure in the most recent annual report of NYSE-listed, telecommunications equipment provider Motorola Solutions, Inc., which appears in last Friday's TheCorporateCounsel.net blog post, "Artificial Intelligence: Fortune 500 Risk Factor Disclosure Soars":
"As we increasingly build AI, including generative AI, into our offerings, we may enable or offer solutions that draw controversy due to their actual or perceived impact on social and ethical issues resulting from the use of new and evolving AI in such offerings. AI may not always operate as intended and datasets may be insufficient or contain illegal, biased, harmful or offensive information, which could negatively impact our results of operations, business reputation or customers’ acceptance of our AI offerings. Although we work to responsibly meet our customers’ needs for products and services that use AI, including through AI governance programs and internal technology oversight committees, we may still suffer reputational or competitive damage as a result of any inconsistencies in the application of the technology or ethical concerns, both of which may generate negative publicity."
Below is from the said Fortune CEO Daily Newsletter:
"....(W)hen I read that the number of Fortune 500 companies citing AI as a business risk is up 473.5% since 2022, I was intrigued to learn more. Yes, the study comes from Arize AI, which helps companies better deploy AI, but it accurately notes that 281 companies cited AI as a risk factor in their latest annual reports, up from 49 a year earlier.
"Does that mean C-Suite leaders are more scared than excited by AI? Not necessarily.....When it comes to AI, much is unknown and therefore risky. But I’ve detected an undercurrent of optimism among leaders.....Jason Girzadas, the CEO of Deloitte US......talks to a lot of leaders about AI. While “the hope is far and deep that it creates business value,” he says, there are challenges. What reduces those risks is “strong executive sponsorship and leadership,” he says, as well as a portfolio of investments that marries 'short-term opportunities for automation improvements around productivity and cost takeout, and then longer-term medium-term opportunities for business model innovation that are truly transformational'....."
And from today's Fortune CFO Daily Newsletter, "Nvidia’s CFO says the ‘Enterprise AI wave’ has begun and Fortune 100 companies are leading it":
"....Large enterprises are focusing on AI, according to research. The Rise of Generative AI in SEC Filings, a new report by Arize AI finds that over half (64.6%) of Fortune 500 companies mention AI in their most recent annual report. And more than one in five enterprises specifically reference generative AI. Software and tech industries and financial services companies mention generative AI the most, according to the report. However, more than two-thirds (69.4%) of companies mentioning generative AI do so in the context of risk of disclosures. That can range from risk through the use of emerging technology, or the risk of failing to keep pace with competitors who are using AI, or security risk to the business...."
(c) As reported in last Friday's TheCorporateCounsel.net blog post, "Artificial Intelligence: MIT’s 'AI Risk Repository'", MIT has developed "a comprehensive living database of over 700 AI risks categorized by their cause and risk domain", accessible on this page, "What are the risks from Artificial Intelligence?". Here is how it is described in the said blog post:
"A team of MIT researchers known as the FutureTech Group published the catalog, formally known as the AI Risk Repository, earlier this month. It’s free to all and designed to help a wide range of audiences, from academic researchers to policy makers to, yes, corporate risk managers trying to develop risk assessments for the AI systems running at your company....The 700+ risks are organized into seven primary domains, such as discrimination, privacy, and system safety. Those seven primary domains are then split into 23 more precise sub-domains, which are divided again into even more precise risk categories. The actual repository exists as a Google spreadsheet you can download, with various columns classifying each risk, describing its potential severity, identifying the potential cause (human versus AI itself; accidental versus deliberate action), and otherwise giving you a wealth of context."
(d) And note that according to this WSJ article on Tuesday, "AI Regulation Is Coming. Fortune 500 Companies Are Bracing for Impact", a significant number of Fortune 500 companies are including "AI regulation" as a risk factor in their annual reports on Form 10-K:
"The state of artificial intelligence regulation in the U.S., or the lack of it, is a pressing matter for Fortune 500 companies as they launch AI projects. Roughly 27% cited AI regulation as a risk in recent filings with the Securities and Exchange Commission, one of the clearest signs yet of how AI rules could affect businesses...."
(v) IBM chief privacy and trust officer on the ethics of AI: a case study: Christina Montgomery is VP and chief privacy and trust officer of IBM, and on July 10/24, she met with the Audit Committee Leadership Network (ACLN) in New York convened by Tapestry Networks to discuss, inter alia, the ethics of AI. An overview of the discussion is in this Tapestry Networks "Summary of Themes", and below are excerpts from the section, "The ethics of AI: a case study", with reference, inter alia, to "IBM’s Principles for Trust and Transparency" and this "detailed summary of IBM’s AI governance framework" by technology research and advisory firm, Gartner, "Case Study: An AI Governance Framework for Managing Use Case Ethics":
"What is “AI ethics”? Ms. Montgomery defined it as a set of moral principles guiding organizations in discerning right from wrong. “Each company may have different principles or a unique moral north star. It is about balancing and optimizing benefits while reducing and mitigating the risks,” she said. Examples of ethical issues in AI include data privacy and security risks, large-scale misinformation, and copyright and intellectual property concerns, to name a few.
"IBM’s AI ethics and governance framework: ......Ms. Montgomery summarized IBM’s approach, “We have a governance framework and process that captures the inventory of data, AI models, and AI systems across the company and that framework is embedded into our product development, uses of AI, and procurement. It is largely technology-based, but there is also human involvement.” The AI governance framework includes several key elements:
-- Guiding principles: A clear set of trust and transparency principles serves as a foundation to guide the responsible development and deployment of AI.
-- Oversight body: Top management oversight comes through the Policy Advisory Committee, which Ms. Montgomery facilitates. It is comprised of senior leaders and C-suite executives, across the company’s operations. It is the final escalation point for ethical concerns related to AI. Few cases are brought to this committee, which only considers the largest and most fundamental decisions.
-- AI Ethics Board: This cross-disciplinary group is comprised of business leaders and co-chaired by IBM’s global AI ethics leader and Ms. Montgomery. “We bring a lot of different pieces and leaders together, such as legal, procurement, ESG, and research,” Ms. Montgomery said. The board is responsible for defining and maintaining IBM’s AI ethics policies, practices, and communications, and reviewing use cases escalated to it........
"Principles in practice: .......She highlighted several important aspects of the AI governance framework: .....
-- Ongoing reports to the audit committee and board: Ms. Montgomery reports to the audit committee once or twice per year, providing a holistic view of the AI and privacy programs. Her first presentation to the audit committee focused on data as a source of opportunity and risk. Because investors increasingly ask about AI ethics and data protection and their impact on issues like employment and the environment, she also provides updates to the board to build their awareness of IBM’s integrated approach. “We are very much involved with other functions like ESG, enterprise risk management, and finance. We show directors how we show up in the ESG report and the proxy to ground the board in the overall program and show all of the touchpoints we have,” she said.
-- Close collaboration with cybersecurity teams: Effective AI governance requires close collaboration with cybersecurity efforts. At IBM, Ms. Montgomery works closely with the chief information security officer (CISO). “The CISO has an oversight Cybersecurity Advisory Committee, which is a sister body to the Policy Advisory Committee that I run. It is essentially the same membership, and we sit on each other’s committees to ensure overlap,” she explained....."
(vi) EY on how boards can embrace AI/10 takeaways for boards: On July 29, EY posted on its Center for Board Matters webpage this report, "How boards can embrace and oversee AI with curiosity and care", based on the recently held "2024 EY Board Strategy Summit" at which "distinguished business and academic leaders (spoke) about how boards are governing for a future that includes artificial intelligence (AI) and other emerging technologies. Topics explored effective oversight of AI and how boards can support innovation and strategy for the future." Among the participants was Rob Beard, Chief Legal Officer, General Counsel and Head of Global Policy at Mastercard, and below are some of his observations:
"....... AI is in fact a 50-year-old concept that is finally matched with our computational capacities to make it work. This unleashes a wide variety of risks and opportunities that directors — and their companies — will need to balance. What’s new about it is its disruptive potential. That’s the cool thing about AI, said Rob Beard, Chief Legal Officer, General Counsel and Head of Global Policy at Mastercard — it can short-cut lots of different challenges. But boards also need to be mindful not to short-cut basic legal requirements. That means laying the legal groundwork for AI and AI-generated content: putting in place proper duty of care, meeting the minimum standards for legal readiness and preparing the right materials for the right stakeholders on time while upholding the client‑attorney privilege.
"What Beard calls the “legal stuff” of AI, while necessary, is only part of the larger, more complicated ethical and governance landscape in which digital systems can advance into decision-making roles. The “Oversight of ethical AI” panel took the questions to the next level: Who are the guardians of AI? What are the costs of using AI to influence consumer behavior? What role should governments play?......
The report includes the following "10 takeaways for boards as they govern for a tech-enabled future":
"1. AI is a boardroom priority, and directors should gauge their readiness for transformation. Boards should review their composition, skill sets and structure, then align to the needs of their long-term strategy.
2. AI is a game changer, but boards must find actual use cases that generate revenue, increase efficiency and minimize risk. They should work with management to envision the next big thing, build a solid business case, then get to work.
3. AI isn’t a brand-new concept, but now that we have the computing capacities to optimize AI algorithms, boards should guide management in creating a broader strategic framework for technology enablement, data accuracy, security testing, rollouts and risk management oversight.
4. Consider how innovation can help your board work more efficiently......AI will....soon transform board meeting preparation.
5. As technology continues to evolve, international cooperation and consistent frameworks are needed to address the challenges posed by AI and social networks.
6. Boards must consider the legal and moral aspects of AI, including duty of care and the importance of ethical disclosure protecting broad sets of stakeholders.
7. Boards can imagine future trends by mapping prospective outcomes of different scenarios using future-back exercises that aim not to solve immediate problems but to identify second, third and even fourth level implications of new technologies.
8. The best sign that people start trusting new technology is when they stop talking about it. Boards should consider their role in guardianship, consumer influence and the lag of regulations behind technology, with a focus on elemental ethics and societal trust, instead of waiting on governments.
9. Boards have navigated through a variety of disruptions, and now, with the rapidly changing world of AI, leading boards must remain focused on good governance to help their companies succeed.
10. Emerging technology will continue to evolve, and companies and boards that embrace it with curiosity and care will reap the rewards. Those that don’t will lag behind."
(vii) KPMG on board oversight of GenAI: KPMG's July issue of Directors Quarterly posted on its Board Leadership Center webpage contains this section (at pp.4-5), "Board oversight of GenAI", in which it advises boards to ask these two questions for effective board oversight, "Are we moving fast enough?", and "Are we going slowly enough to manage the potential risks?". Below are excerpts:
"......First, boards should ask, "Are we moving fast enough?" The answers to the following questions can provide the board with a good sense of the here and now, as well as a picture of the near and longer-term future.
"To the chief operating officer, chief technology officer, and chief information officer: How many of our employees can safely access GenAI tools at work, and how many are actively using them to be more productive? Have we connected these tools to our own proprietary data? By the end of the year, what measurable productivity improvements should this translate into? While many executives will struggle to answer these questions now, they should be able to at some point this year.
"To the chief security officer, chief revenue officer, and chief marketing officer: How are we using GenAI to sell and deliver our products and services more efficiently and effectively? Are we embedding GenAI into our products and services to make them more attractive to customers? What new offerings are we planning to take to market? Do we need to change our price levels or structure to capitalize on these changes? If customer-facing executives are not thinking about these issues now, the company could lose competitive advantage.
"To the chief financial officer or chief strategy officer: If you assume that our customers, competitors, and suppliers are also rolling out GenAI, what might that do to the company's revenue and cost over the next one, three, and five years? What revenue is at risk? What new revenue can be generated? What costs will be reduced? What price pressure or opportunity does the company see? How much has the company invested in GenAI this fiscal year, and how much will be budgeted for next year?
"To the CEO or chief operating officer: Who in management is on point for driving and coordinating the GenAI transformation, and how is the work being distributed and orchestrated across multiple C-suite executives? Has management considered appointing a chief AI officer to spearhead the change?
"While very few executives can answer these questions right now, it is important that they start thinking ahead to be able to do so by the end of this fiscal year.
"Second, boards should ask, "Are we going slowly enough to manage the potential risks?" One critical area for board focus is the adequacy of management's policies for the development, deployment, and use of GenAI. Key topics include the following:
– How and when a GenAI system or model—including a third-party model—is developed and deployed, and who makes that decision.
– An inventory of where GenAI is being used.
– Designating a management point person and a cross-functional team with responsibilities for GenAI.
– Responsible GenAI use policies that align with the company's values and address ethical issues and legal compliance.
– GenAI risk management, mitigation, monitoring, and reporting, including a GenAI risk management framework.
– Staying apprised of the rapidly evolving regulatory landscape and ensuring compliance.
– The quality of the GenAI data (inputs and results)."
(viii) Center for Audit Quality (CAQ) with guidance for audit committee oversight of GenAI: In July, the CAQ published this "resource for audit committee oversight of generative artificial intelligence (GenAI), including questions to ask management and guidance for overseeing GenAI-related risks", Audit Committee Oversight in the Age of Generative AI. Below is from the subsection "Governance", at pp.8-9:
"Establishing strong oversight and governance around the use of genAI is foundational to successfully deploying genAI technologies throughout the organization and will likely be a focus of the audit committee’s oversight. Key considerations include:
– People responsible for oversight and use – Who within the organization (individual or group) will be responsible for the oversight of the use of genAI.
– Policies to support oversight and use – Whether the company has developed a framework for responsible use of genAI and established policies regarding the acceptable and ethical use of genAI and how the company monitors compliance with such policies.
– Population of uses that are subject to the people and policies – It is also important for companies to track and monitor the use of genAI throughout the company, including use by third-party service providers, in order to understand the impact of those technologies on processes and to identify, assess, and manage risks arising from their use.
"Governance considerations will also likely include understanding the regulatory environment and any contractual agreements, laws, or regulations that impact how the company may use genAI. Audit committees may find the following questions useful to discuss with management and the auditor: ......."
(ix) beware: large companies are being targeted with AI 'deepfakes' impersonating the CEO (at Ferrari and WPP): As reported in this July 26, Bloomberg article, "‘I Need to Identify You': How One Question Saved Ferrari From a Deepfake Scam", NYSE-listed Ferrari NV was recently the target of an AI 'deepfake' impersonation of the CEO. Here's what happened, as recounted in the Bloomberg article:
"It was mid-morning on a Tuesday this month when a Ferrari NV executive started receiving a bunch of unexpected messages, seemingly from the CEO. “Hey, did you hear about the big acquisition we’re planning? I could need your help,” one of the messages purporting to be from Chief Executive Officer Benedetto Vigna read. The WhatsApp messages seen by Bloomberg didn’t come from Vigna’s usual business mobile number. The profile picture also was different, though it was an image of the bespectacled CEO posing in suit and tie, arms folded, in front of Ferrari’s prancing-horse logo.
"“Be ready to sign the Non-Disclosure Agreement our lawyer is set to send you asap,” another message from the Vigna impersonator read. “Italy’s market regulator and Milan stock-exchange have been already informed. Stay ready and please utmost discretion.” What happened next, according to people familiar with the episode, was one of the latest uses of deepfake tools to carry out a live phone conversation aimed at infiltrating an internationally recognized business. The Italian supercar manufacturer emerged unscathed after the executive who received the call realized something wasn’t right, said the people, who asked not to be identified because of the sensitivity of the matter.
"The voice impersonating Vigna was convincing — a spot-on imitation of the southern Italian accent. The Vigna deepfaker began explaining that he was calling from a different mobile phone number because he needed to discuss something confidential — a deal that could face some China-related snags and required an unspecified currency-hedge transaction to be carried out. The executive was shocked and started to have suspicions, according to the people. He began to pick up on the slightest of mechanical intonations that only deepened his suspicions. “Sorry, Benedetto, but I need to identify you,” the executive said. He posed a question: What was the title of the book Vigna had just recommended to him a few days earlier......With that, the call abruptly ended. Ferrari opened an internal investigation, the people said.
"It’s not the first such attempt to impersonate a high-profile executive. In May, it was reported that Mark Read, the CEO of advertising giant WPP plc was also the target of an ultimately unsuccessful but similarly elaborate deepfake scam that imitated him on a Teams call. “This year we’re seeing an increase in criminals attempting to voice clone using AI,” Rachel Tobac, CEO of cybersecurity training company SocialProof Security, said in an interview......."
(x) interview with the CEO of one of the world's leading cybersecurity firms/IBM report on data breaches in Canada:
(a) Nikesh Arora is chairman and CEO of Nasdaq-listed Palo Alto Networks, one of the world’s best-known cybersecurity firms, and he spoke earlier this month with Fortune in the latest episode of its 'Leadership Next' podcasts, as reported in this Aug. 7 Fortune article, "The business world is obsessed with AI but company leaders ignore cybersecurity at their peril." Below are excerpts:
"Nikesh Arora: ....(C)yber security has been sort of a quasi-ignored sector in technology for many years. But every second day we hear about a ransomware attack. So what is becoming apparent is that the old way of doing things hasn’t worked so well. The question becomes what is the new way need to be? It’s really two very fundamental things. One is the attacks are getting faster. People are getting to infrastructure much faster and they have economic reasons now with ransomware to get there. So you have to be able to detect and stop bad guys as quickly as you can. And secondly, the approach of having 40 different suppliers or vendors or partners — however you want to describe us — hasn’t worked.....
"Fortune: ....... Give me a sense as to what are they thinking about and how is the threat environment changing? Because we’re right in the middle of this obsession with digital transition. What are you hearing?
Nikesh Arora: Well, as you know, we can’t seem to buy and ingest and deploy enough technology today. I mean, you look at what’s going on with AI, people are buying GPUs. They’re trying to put up AI data centers. Everybody’s in a frenzy. So, you think you’ve just sort of just sat down and settled down and say, Thank God we’ve moved the public cloud and then you say, Oh my God, look what’s next? AI. So, I think every CEO has some sort of large technology project on their agenda. And if you look at the enterprise risk management efforts or audit committees of CEOs, the number one risk now slowly and steadily continues to be cyber [attacks]. And that’s because of what we talked about, the sort of explosion of attack surface, explosion of our connectivity to our customers, that’s causing that to become a large risk. So it’s kind of impossible to get away from a conversation around cybersecurity at your board or your management team. It’s a bit of a black box, to be honest.....It’s like, I know I have a problem. I don’t know how to solve it, but I know I have a problem. I need to pay attention. So, I think we’re at that phase where CEOs are aware this is a problem. Some of them are hoping it doesn’t happen to them because it happened to somebody else in their industry. But they call the CIO and technology guys and say, Hey, do we have a solution for this? And, you know, like most in life, we always say, Yes, we’ve got this covered. But the question is how well do you have it covered? And how well are you protected against the bad guys? And in defense of technologists, CIOs, and chief security officers, this is a hard problem, because it depends on how big a battering ram do I show up with? If I show up with a very large one, you’re not going to be able to stop me. 
So it all depends on how do you strike the balance between having robust cybersecurity, being prepared for anything, and being able to repel or protect yourself against extremely well-equipped, sometimes nation-state hackers?......"
(b) Some data by IBM on data breaches in Canada in this July 31 Globe and Mail article, "Average data breach costs Canadian organizations $6.32-million, IBM study shows":
"Canadian organizations embroiled in data breaches wind up paying an average $6.32-million to resolve the incidents, a new study from IBM says. That total is down from 2023, when Canadian organizations were paying an average $6.94-million, and from 2022, when the average was $7.05-million, said the study, which was released Tuesday.
“There’s 27,000 breaches [a year] in Canada alone, an all-time high. … That’s almost 75 breaches a day,” said Daina Proctor, IBM Canada’s security services leader. “When I start looking at 75 breaches a day at an average $6.3-million per breach, that’s when I start saying this is staggering.” IBM’s report comes as Canadians are routinely told of cyberattacks and other breaches that put their data at risk of falling into unauthorized hands. In the past year alone, Ticketmaster, AT&T, Giant Tiger, London Drugs and more have been victims of such attacks.
"IBM sought to quantify not just the extent of attacks but also their cost – a figure that can include what organizations pay for detection and legal services, crisis management, regulatory fines, consumer reparations and lost business. Its report was based on an analysis of data breaches experienced by 604 organizations globally between March, 2023, and February, 2024......
"When IBM combined the data from all of the countries it looked at, it found the most common forms of attack involved phishing or stolen or compromised credentials. Phishing attacks see scammers impersonate trusted people or website login forms to get victims to input or reveal sensitive information such as passwords or credit-card numbers. Stolen or compromised credentials figured into 16 per cent of the attacks studied and, on average, took the longest to identify and contain at nearly 10 months. Phishing came in a close second, at 15 per cent of attacks, but ultimately carried even higher costs.......
"When it comes to coping with the breaches, organizations are typically told to involve law enforcement, inform customers and avoid paying ransoms, which can encourage bad actors to carry out further attacks. Some of these steps have likely led to the reduction in costs linked to breaches, Ms. Proctor said......."
(xi) Goldman Sachs CIO (and others) on how the CIO/CTO job is evolving 'in the age of AI': Marco Argenti is Goldman Sachs' chief information officer; Andrew Chin is the chief AI officer at NYSE-listed, global investment management firm, AllianceBernstein; and Umesh Subramanian is chief technology officer at privately-owned hedge fund and financial services company, Citadel Group. Each is quoted in this Aug.2 Business Insider article, "Why CTOs have the biggest job on Wall Street right now. Tech leaders from Goldman and Citadel open up about how the job is evolving in the age of AI":
"When Ken Griffin, the billionaire CEO of the hedge fund Citadel, took to the stage at the biggest financial conference of the year in May, he threw a spotlight on a mostly behind-the-scenes figure on Wall Street. "The most powerful part of the AI story thus far is the chief technology officer, chief information officer," Griffin said at the Milken Global Institute. That person "now has a very important seat at the table. They've got the attention of the CEO," he said.
"At (Citadel)....that person is Umesh Subramanian, Citadel's chief technology officer.....(I)n the age of generative AI, the role of the CTO has evolved into something that reaches far beyond the back office. A CTO or CIO used to be focused on "raw technology" like data, compute, databases, and software, Subramanian told Business Insider. But now, the role is evolving into "one where the CTO is heavily integrated into the commerce of the firm," he said.....
"A lot of this is going to be about cultural change, transformation around culture" Andrew Chin, the recently named chief AI officer at the $704 billion money manager AllianceBernstein, told BI. "How can we reimagine how we do things differently going forward?" The importance of that transformation can be seen in the appointment of tech leaders to higher management positions. Though "it's not obvious for engineering" to have a seat on strategic leadership committees, noted Goldman Sachs' chief information officer, Marco Argenti, he, Chin, and Subramanian all do.....
"Compared with past technology waves, like the internet, mobile phones, and the cloud, generative AI "has become front and center from a strategic and also an investment perspective in a year and a half or so, almost from zero," Argenti, told BI. "That's why people are feeling a sort of urge to catch up to first understand, then to try and strategize around it," the Goldman Sachs CIO said.....
"The level of investment right now in AI, trickling down the whole value chain, is no longer only a technology investment," Argenti said. Cutting across sectors, including energy, real estate, and infrastructure, "there is almost like an AI economy that is shaping up, of which the fundamental nucleus is a strong technology component," he added......
"In addition to more conversations with clients and business leaders, Argenti is meeting more regularly with the head of HR. That's because a "fundamentally important" piece of the puzzle will be getting workers up to speed, Argenti said. In some cases, that'll mean teaching employees new skills like asking the AI questions in a specific way to yield the best response. Other times, it'll mean coming up with new processes for routine tasks, like catching up on long email threads or making pitch books and presentations, Argenti said......"
(xii) HBR post on taking a global approach to AI ethics (with an HPE case study): As noted in this Aug. 5 HBR post, "How Companies Can Take a Global Approach to AI Ethics":
".......organizations are increasingly creating dedicated structures and processes to inculcate AI ethics proactively. Some companies have moved further along this road, creating institutional frameworks for AI ethics. Many efforts, however, miss an important fact: ethics differ from one cultural context to the next......Right now, emerging global standards around AI ethics are largely built around a Western perspective. For example, the AI Ethics Guidelines Global Inventory(AEGGA), a centralized database of reports, frameworks, and recommendations......As AI gains ground and dictates business operations, an unchecked lack of variety in ethical considerations may harm companies and their customers. To address this problem, companies need to develop a contextual global AI ethics model that prioritizes collaboration with local teams and stakeholders and devolves decision-making authority to those local teams. This is particularly necessary if their operations span several geographies......"
The post then describes how companies can develop and implement such a "contextual AI ethics policy", with particular reference to how HPE is accomplishing this:
".....Based on our work, as well as interviews with relevant stakeholders representing AI users and developers from different geographies, developing and implementing a contextual AI ethics policy for the organization requires three steps.....For an example of how this works, consider Hewlett Packard Enterprise (HPE). At HPE, the Chief Compliance Officer partnered with their AI research lab to write global AI principles, pulling in representation from every function and product division. With the geographical diversity built into the team, the ethical considerations under consideration were more likely to be representative of the places where the company operates. HPE’s compliance team, for example, created a globe-spanning matrix of principles and geographically specific regulations and governmental frameworks, ensuring that HPE’s global principles were filtered through a local lens......
"Beyond enhancing the awareness of the local context, continuous engagement can also help global leadership strike a delicate balance of deferring to local teams in some cases but overruling them in others. HPE approached this problem by building automated processes. When starting a new initiative or bidding process that involves AI, their compliance software automatically schedules a meeting between team personnel and members of the local AI governance group. The local team provides context for the conversation, while the global team provides more high-level expertise on HPE’s principles and AI governance framework. Over time, this has built up a “case law” within HPE of how to approach different AI ethics issues.
"HPE was dealing with the challenge of the inherent unknowability of exceptions and local questions that are unknown at the global level. Rather than attempting to create an AI ethics policy that exhaustively lists out different scenarios, which would inherently leave out something, HPE built a general framework and process that allows specific questions to be answered and build up a track record over time......
"HPE originally planned to develop its AI ethics principles over a 6-week period. This task expanded into an over one year exercise to develop a framework that was authentic to HPE and created processes to enable local adaptation. Much of this time was devoted to resolving thorny issues around seemingly simple statements — “We obey the law” might seem trivial, for example, but as one considers the statement, innumerable questions arise. Which law? How do we weigh local laws against global human rights principles? What stakeholders need to be consulted on these decisions? Companies that aren’t prepared to seriously engage in these discussions will inevitably under-invest in the initiative and instead create an ineffective, check-box framework that will hamper time to market, lead to inferior products, and ultimately not mitigate the liability issues that many companies are concerned with......
"HPE’s approach, while possibly less “cutting edge” on the tech side, nonetheless employs algorithms and automated processes to proactively engage frontline developers and salespeople in asking ethical questions, determining if their use case is already covered by existing case law, and tracking the results. Companies should emulate this example — focusing on using technology in ways that accentuate their own AI ethics processes instead of jamming in technologies with vague promises of plausible automation.....
"As AI gains traction rapidly, organizations will face the question of how to formulate and operate contextually sensitive AI ethics policies. One answer to these questions is forming and continuously engaging with local AI ethics teams. To this end, we offer three recommendations. First, a company should engage with local employees to frame its AI ethics narrative. HPE embarking on an exhaustive review of different regional approaches to AI ethics and governance, combined with their continued interaction with local teams, is an excellent example of this......"
(xiii) (other) press releases of the day:
(a) Salesforce, Inc. announced yesterday in its Q2/25 earnings press release a "CFO transition", as follows:
"Chief Financial Officer Transition: Amy Weaver has made the decision to step down from her role as President and Chief Financial Officer at Salesforce. She will remain CFO until a successor is appointed. After that time, Amy will be an advisor to the company......."
(b) On July 9/24, Chipotle Mexican Grill, Inc. announced in this press release that Jack Hartung, its CFO since 2002, had decided to retire effective March 31, 2025, and that Adam Rymer, who currently serves as VP, Finance, would assume the role of CFO beginning January 1, 2025 (see item (iii)(b) from July 10/24); and then on Aug. 13, it announced in this press release the appointment of its Chief Operating Officer as interim CEO, with the current Chairman and CEO having accepted to become the CEO of Starbucks (see item (viii)(b) from Monday). Yesterday, Chipotle announced in this press release that it was accelerating the appointment of Adam Rymer to CFO, and that the Board of Directors had "put retention plans in place for its entire executive leadership team to ensure continuity through this transitional time", as follows:
"Chipotle Mexican Grill today announced that it has accelerated the appointment of Adam Rymer to Chief Financial Officer, beginning October 1, 2024. Rymer will serve on Chipotle's executive leadership team and report to Scott Boatwright, Interim Chief Executive Officer. Former Chief Financial and Administrative Officer, Jack Hartung, will serve in his new role indefinitely as President and Chief Strategy Officer beginning October 1, 2024, supporting the company's Interim CEO. A 15-year Chipotle veteran, Rymer previously served as Vice President of Finance, overseeing Corporate Finance, Field Finance and Investor Relations functions.
"Jamie McConnell, who has been with the organization since 2018, will assume the role of Chief Accounting and Administrative Officer, reporting to Rymer and transitioning roles on the same date. McConnell previously served as Vice President, Controller, with responsibility for the Corporate Accounting, Financial Reporting, Tax, Internal Audit, Accounting Shared Services, Licensing and Payroll functions......
"In addition to accelerating these executive appointments, Chipotle's Board of Directors has put retention plans in place for its entire executive leadership team to ensure continuity through this transitional time. With the exception of one officer hired in 2023 and Jack Hartung's two and half decades with the company, Chipotle's bench of esteemed Executive Officers have an average tenure of approximately seven years with the organization."
Retention awards are disclosed in the related Current Report filed with the SEC, as are compensation arrangements with the interim CEO, the new CFO and the new Chief Accounting and Administrative Officer.