ISS-Corporate, a Maryland-based company that offers corporate structure solutions for everything from executive compensation to cyber risk programs, has a compelling thought leadership library. We stumbled upon it through a post from Subodh Mishra, Global Head of Communications at ISS STOXX, on The Harvard Law School Forum on Corporate Governance entitled AI Governance Appears on Corporate Radar.  Mishra’s summary post is based on an ISS-Corporate memorandum  – AI and Board Of Directors Oversight: AI Governance Appears on Corporate Radar – authored by Veronica Nikitas, a robust quantitative framing of the core issues surrounding this topic.  In this post, you will find the key takeaways and excerpts from the report and a forward-thinking conclusion by the author.    

AI and Board Of Directors Oversight: AI Governance Appears on Corporate Radar

Key Takeaways

As AI becomes a material factor for many companies, investors may demand that companies disclose relevant board skills and oversight responsibilities and enhance disclosure on AI.

• Only about 15% of companies in the S&P 500 provide some disclosure in proxy statements about board oversight of AI.
• Disclosure of board oversight of AI and directors’ AI expertise is primarily found in the information technology sector, with 38% of companies providing some board oversight disclosure.
• 13% of S&P 500 companies have at least one director with AI-related expertise.

Excerpts from the Memorandum 

Introduction

• Reflecting the rising importance of AI’s impact on businesses, some companies recruit directors with AI expertise and establish board-level oversight. To assess how boards may evolve to manage and oversee this new area of potential risks and opportunities, ISS-Corporate examined S&P 500 company DEF 14As filed from September 2022 through September 2023 for mentions of board oversight and director skills related to AI.

Board Oversight of AI

“…over 15% of the S&P 500 disclosed board oversight of AI, including specific committee oversight responsibility, director(s) with AI expertise, and/or an AI ethics board…”

• Board oversight of AI can take on many forms as it has varying degrees of relation to a company’s overall business strategy. For this evaluation, a company was determined to have oversight of AI if it disclosed in the proxy statement that:
  • (1) the entire board or a specific committee either has oversight responsibility of AI or AI was mentioned as one of the topics evaluated by the board or the committee during the year,
  • (2) at least one director has expertise in the field of AI, or
  • (3) the company has established an AI ethics board or a governing body overseeing AI-related topics.

The assessment process did not include references to AI in business strategy or executive officer expertise.

• “From September 2022 to September 2023, over 15% of the S&P 500 disclosed board oversight of AI, including specific committee oversight responsibility, director(s) with AI expertise, and/or an AI ethics board. Most disclosure of board AI oversight was concentrated in the Information Technology 2-digit GICS code, with 38% of companies disclosing some board oversight or expertise. Health Care is the sector with the second most prevalent disclosure, with 18% of companies providing disclosure. Communication Services and Consumer Discretionary sectors were tied for third, with 15%. 

NOTE:  In our OODA Loop editorial review of the report, while leadership in board-level AI governance by the IT sector was not surprising, consistent with the way the healthcare sector is the tip of the spear in AI innovation and early adopter implementation of AI solutions (as well as unfortunately, a prime target in the current ransomware scourge) we were not surprised to see that the report also identified the sector as an early adopter in AI governance and disclosure efforts.    

Source: ISS-Corporate Analysis

Given the business functions of these four sectors (i.e., Information Technology, Health Care, Communication Services, and Consumer Discretionary), explicit disclosure of oversight responsibilities may become more prevalent in the coming years as AI gains adoption.

Committee or Full Board Oversight

• Explicit disclosure of full board or committee of AI oversight is still rare, with just 1.6% of the S&P 500 providing specific disclosure. 
• A handful of companies disclosed that the committee responsible for privacy oversight and risk management has been expanded to include AI-related risks and trends. Other companies included a discussion of non-financial regulatory risks, which include responsible AI use.
• Overall, most company disclosures regarding specific board committee oversight state that the board is responsible for constantly evaluating the competitive landscape and keeping pace with investments in the company’s business offerings and technology, which include AI.

Source: ISS-Corporate Analysis

Among S&P 500 companies that disclose full board or specific committee-level oversight of AI, companies in the Financials sector show the highest prevalence at 4.2%. These companies describe AI oversight responsibility as falling under the full board and a specific committee such as audit technology.

AI Ethics and Review Board

• Some companies have elected to designate AI’s responsibility to an ethics or review board comprised of multidisciplinary teams. While not necessarily a board-level entity, the presence of an AI ethics board indicates a systemic and organizational oversight mechanism relating to this emerging technology.
• Among the companies that disclosed an AI ethics board, the common element was the presence of a multi-disciplinary group to ensure an ethical approach to AI.
• More specifically, disclosure for the AI ethics board was part of a risk assessment framework for communication services, similar to disclosures for board audit committees.

Source: ISS-Corporate Analysis

To download the full memorandum, go to  AI and Board Of Directors Oversight: AI Governance Appears on Corporate Radar

What Next? 

Kudos to ISS Corporate and the author for this accessible, actionable report.  Nikitas concludes the report with the following insights: 

• AI has the potential for significant value creation but could also pose significant risks for companies.
• As AI becomes a material factor, investors may begin to expect that companies, at least those in industries more heavily impacted by AI, start disclosing relevant board skills and oversight responsibilities.
• Some investors have already submitted shareholder proposals demanding greater transparency on the use and impact of AI technology.
• As of this writing, at least four such proposals were submitted for 2024 shareholder meetings. It is too early to tell whether there will be any imminent material changes in disclosure requirements or institutional investors’ voting policies relating to AI oversight.
• However, as the technology accelerates, institutional investors likely will expect companies to establish proper oversight processes to effectively manage and respond to evolving risks and opportunities related to AI. The percentage of companies disclosing AI oversight is expected to accelerate as well.

Your organization should be able to incorporate and compare its own Board of Directors AI governance and disclosure efforts and metrics into the framing of this report  – and move forward based on insights garnered through such an internal exercise.    

Further OODA Loop Resources

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has caused regional issues that affect global cyberspace. Every significant event has cyber implications, so leaders must recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic’s reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: Numerous disruptions complicate situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its data collection methods, assessment, and decision-making processes  – for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the IT department’s or the CISO’s responsibility – it’s a collective effort involving the entire leadership. Relying solely on governmental actions isn’t advised, given its inconsistent approach toward aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront unpredictable external threats. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. Regardless of their size, all organizations should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See Disruptive and Exponential Technologies.

Planning for a Continuous Pandemic Landscape: COVID-19’s geopolitical repercussions are evident, with recent assessments pointing to China’s role in its spread. Regardless of the exact origins, the conditions that allowed COVID-19 to become a pandemic persist today. Therefore, businesses must be prepared for consistent health disruptions, implying that a substantial portion of the workforce might always operate remotely, even though face-to-face interactions remain vital for critical decisions. See: COVID Sensemaking

The Inevitable Acceleration of Reshoring and its Challenges: The momentum towards reshoring, nearshoring, and friendshoring signals a global shift towards regional self-reliance. Each region will emphasize local manufacturing, food production, energy generation, defense, and automation. Reshoring is a complex process, with numerous examples of failures stemming from underestimating intricacies. Comprehensive analyses encompassing various facets, from engineering to finance, are essential for successful reshoring endeavors. See: Opportunities for Advantage