Boards can expect their oversight and corporate governance processes to be put to the test in 2025 as companies face unprecedented disruption and uncertainty. More than 70 countries held national elections in 2024, with approximately two billion eligible voters, making it one of the largest election years in history.[i] The European Parliament elections in June 2024 saw gains for parties on the right, but pro-EU political groups – from the center-right to center-left combined – continued to have a majority.[ii] In the US, the new administration’s policy positions – on tax, trade, immigration, and regulation more generally – may have a significant impact on the economic, geopolitical, business, and risk landscape. In addition, the ongoing wars in Ukraine and the Middle East, elevated trade and geopolitical tensions, recession and inflation risks, and domestic polarization will add to the complexity. Risks related to cybersecurity, climate change, and artificial intelligence (AI) will pose significant challenges.
In this volatile operating environment, we expect continuing scrutiny of board oversight of risks to the company’s operations and strategy. The pressure on management, boards, and governance will continue to be significant. Drawing on insights from our conversations with directors and business leaders globally, we highlight eight issues to keep in mind as boards consider and carry out their 2025 agendas:
Geopolitical and economic risks, combined with the potential for political and social disruption posed by disinformation and cyberattacks, will continue to drive volatility and uncertainty.
At the same time, the continuing reconfiguration of supply chains is an indicator of a broader pendulum swing that’s reshaping the full-throttle globalization of recent decades. Shifting from the “cheaper-faster” strategies enabled by highly complex, decentralized supply chains to greater or even hyper localization and control of a company’s networks – suppliers, services, data/information – is clearly about resilience of the company. But concerns about the resilience of national economies – and of the global business arena at large – are also driving the momentum toward more centralized and local supply chains.
National industrial and security policies and “country-first” models are taking center stage, and de-risking and friend-shoring (particularly in strategic sectors like chip technology and critical minerals) are hedges against geopolitical shocks and exposure to arbitrary local rules. As this globalization reset unfolds, companies will face pressing questions. Is the company prepared to operate in a higher-cost (of capital, green tech/energy, labor) environment? What is the right balance between operating efficiently, maximizing growth, and ensuring resilience?
Help management reassess the company’s processes for identifying the risks and opportunities posed by this global disruption – and the impact on the company’s long-term strategy and related capital allocation decisions. Does management have an effective process to monitor changes in the external environment and provide early warning that adjustments to strategy might be necessary? That includes risk management as well as crisis readiness and business continuity and resilience. It calls for frequent updating of the company’s risk profile and more scenario planning, stress testing strategic assumptions, analyzing downside scenarios, considering the interrelationship of risks, and obtaining independent third-party perspectives.
Companies need to think about risk events and how they will impact the company’s operations, business model and strategy; however, it is also critical to understand the underlying structural shifts taking place – geopolitical, demographic, technological, economic, climate, global energy transition, societal, etc. – and the longer-term implications.
As GenAI moves from market buzz toward business value and large-scale rollout, it is critical that boards understand the opportunities and risks posed by the technology, including how GenAI is being used by the company, how it is generating business value, and how the company is managing and mitigating its risks. It is also important to understand how management is balancing the energy usage associated with GenAI with the company’s greenhouse gas emissions reduction goals.
The companies that will excel in using GenAI technology at scale understand that it’s also a leadership journey. Fundamentally changing what people do every day and how they work will require leadership, as well as skills and know-how to assess the company’s processes and workflows and to decide where to deploy GenAI to improve productivity. Successful adoption will also require the refinement of risk management frameworks to mitigate critical risks related to inaccurate data and results, bias and hallucinations, cybersecurity, intellectual property, reputation, talent, and compliance with emerging AI, privacy, and intellectual property regulation globally.
Given the strategic importance of the technology, GenAI will be a critical priority for boards in 2025. We offer the following suggestions to help boards focus and structure their oversight efforts.
Understand the company’s strategy to develop business value with GenAI and monitor the trajectory of deployment. Boards are seeking to understand what this technology means for the company – including its operations, products and services, business model, and strategy. The board should be satisfied that the C-suite can articulate the primary impact they expect GenAI to have on the company – e.g., new business models, new product or revenue streams, and/or increased operating efficiency. The board should also probe management about the expected impact on the company’s revenue and cost over the next one, three, and five years as its customers, competitors, and suppliers roll out GenAI. What revenue is at risk? What new revenue can be generated? What costs will be reduced? What price pressure or opportunity does the company see?
Monitor management’s governance structure for the deployment and use of GenAI, including the management and mitigation of GenAI risks. Given the strategic importance of GenAI and the complexities and risks associated with the technology, it is critical that the board focus on management’s policies for the development of a governance structure and processes for the deployment and use of GenAI. Key topics to be addressed in management’s governance structure include:
- How and when a GenAI system or model – including a third-party model – is to be developed and deployed, and who makes that decision.
- How the company’s peers are using the technology.
- How management is mitigating the risks posed by GenAI – including inaccurate data and results, bias, and hallucinations – and ensuring that the use of AI is aligned with the company’s values. What AI risk management framework is used, and what is the company’s policy on employee use of GenAI?
- How management is monitoring evolving AI legislation in the EU and globally – including the European Union (EU) Artificial Intelligence Act and the US Executive Order on Artificial Intelligence – and ensuring compliance. Since AI regulation is still emerging and the laws and regulations are a patchwork, it will be important for boards to be up to date on the implications of the evolving landscape. Regulation could limit where and how AI and AI products are used.
- Whether the organization has the necessary AI-related talent and resources, including in finance and internal audit.
Understand how the company is ensuring the quality and accuracy of GenAI output. Achieving the hoped-for productivity and efficiency improvements with GenAI will depend on the quality of the company’s data and how it is gathered, processed, stored, and protected. Boards need to have insight into how management is ensuring the quality and accuracy of GenAI output, including whether the company is making the right investments in IT infrastructure to help ensure data quality, and whether the company’s data governance framework, processes, and culture are keeping pace with the increasingly sophisticated data-related risks.
Assess board oversight. Many boards are still considering how best to oversee GenAI. For many companies, oversight is largely still at the full board level, where major strategic and/or transformational issues are typically addressed. However, some board committees, such as the audit committee or a technology or risk committee, may already be involved in overseeing specific GenAI issues.
Oversight structures will likely evolve as GenAI programs evolve. Ultimately, oversight of GenAI, like oversight of sustainability, may touch all or most board committees. Another important question for boards is whether they have the knowledge, access to experts, and ongoing education to effectively oversee the company’s use of GenAI. In general, this will require that boards level up their understanding of GenAI so that all directors have a fundamental level of fluency. It is also important for boards to assess their oversight structure and processes for other new technologies – beyond GenAI – such as quantum technology.
The explosive growth in the use of GenAI is also prompting more rigorous assessments of the company’s data governance framework and processes more generally, as well as the steps being taken to help ensure that management’s cybersecurity risk management practices are keeping pace with increasingly sophisticated cyber threats enabled by GenAI. This is a significant undertaking requiring board attention. Below, we highlight three key areas of board focus:
- The adequacy of the company’s data governance framework and processes.
While companies typically develop their data governance framework based on their industry and company-specific facts and circumstances, there are a number of data governance frameworks that they might consider. The frameworks vary in many respects, but generally focus on data quality, data privacy and security, data stewardship, and data management. Data governance includes compliance with privacy laws and regulations, including those that are industry-specific, as well as those that govern how personal data – from customers, employees, or vendors – is processed, stored, collected, and used. Data governance also includes policies and protocols regarding data ethics – in particular, managing the tension between how the company may use customer data in a legally permissible way and customer expectations as to how their data will be used. Managing this tension poses significant reputation and trust risks for companies and represents a critical challenge for leadership.
In its oversight of data governance, the board should insist on a robust data governance framework that (i) makes clear what data is being collected; how it is stored, managed, and used; and who makes decisions regarding these issues; and (ii) identifies which business leaders are responsible for data governance across the enterprise – including the roles of the chief information officer, chief information security officer, and chief compliance officer (or those performing similar functions).
- How management is enhancing cybersecurity risk management processes to address the risks posed by AI and GenAI.
Many companies and their boards have devoted substantial time and resources to understanding cybersecurity risk and making sure the company has the right governance, technology, and leadership in place to manage and mitigate cybersecurity risk. EU regulation, such as the Digital Operational Resilience Act[iii] and the NIS2 Directive[iv], imposes measures to ensure a high common level of cybersecurity across the Union. However, with GenAI developments, the risk of data breaches and malware attacks continues to mount, with GenAI enabling cybercriminals to scale their attacks in terms of speed, volume, variety, and sophistication.
Boards should continue to sharpen their focus on the company’s cybersecurity posture, including periodically reviewing management’s cybersecurity risk assessment; taking a hard look at supply chain and third-party risks; insisting on a cybersecurity scorecard (e.g., volume, nature, and materiality of attacks); and understanding (and periodically reassessing) the company’s cyber incident response plan.
- Structuring board oversight of cybersecurity and data governance.
For many companies, much of the board’s oversight responsibility for cybersecurity and data governance has resided with the audit committee. Many audit committees also have significant oversight responsibilities for legal/regulatory compliance, which includes compliance with evolving data privacy and AI-specific laws and regulations globally. Given the audit committee’s heavy agenda, it may be helpful to have another board committee (such as a risk committee or a technology committee) assume a role in the oversight of data governance and perhaps cybersecurity.
How companies address climate change, human capital management (HCM), diversity, and other ESG issues continues to be viewed by many investors, research and ratings firms, activists, employees, customers, and regulators as fundamental to the business and critical to long-term value creation.
In this environment, several fundamental questions should be front and center in boardroom conversations about climate and ESG, particularly for those companies in scope of the Corporate Sustainability Reporting Directive (CSRD)[v]:
- Are we (on track to be) compliant with the new rules and requirements related to ESG reporting? How is our ESG governance structured?
- Which ESG issues are material or of strategic significance to the company? Relevant issues may include physical risk associated with climate change; business model risk and opportunity associated with the energy transition; and labor, diversity, and safety issues associated with the workforce and the supply chain.
Companies in scope of the CSRD also need to assess “double materiality,” i.e., material risks to the business and material risks to the community and planet associated with the company’s operations. The board has an important role to play here, as well as in the subsequent revision of sustainability goals and business strategy, and in ensuring the company is prepared for the audit.
The ESG issues of importance will vary by company and industry. For some, it skews toward environmental, climate change, and emission of greenhouse gases (GHG). Others may emphasize diversity and social issues.
- How is the company addressing ESG issues strategically and embedding them into core business activities (strategy, operations, risk management, incentives, and corporate culture) to drive long-term performance?
- Is there a clear commitment from the top and enterprise-wide buy-in?
- In internal and external communications, does the company explain why ESG issues are materially or strategically important? If the company is no longer using the term “ESG,” does the terminology used (e.g., “sustainability”) clearly convey the company’s priorities in this area?
Few board responsibilities are more important than hiring and replacing the CEO – a reality that continues to generate media attention, particularly if the board is caught flat-footed. With the number of CEO changes remaining near an all-time high, a key question for the board is whether its CEO succession planning process is keeping pace and evolving to identify the CEO skills, traits, characteristics, and experiences necessary to drive the development and execution of the company’s long-term strategy and position the company for the future. CEO succession planning should be an ongoing process that involves developing a robust pipeline of talent. Depending on the size and complexity of the company, the succession planning can be extended to other critical managerial functions, e.g. CFO, CRO, CIO.
In our recent conversations with directors, they have emphasized the importance of devoting significant time and attention to identifying “what” the company needs in a future CEO before addressing the “who.” The board should develop a list of the top six or eight – but no more than ten – skills, traits, characteristics, and experiences needed in a new CEO.
Identifying the “what” is a complex and time-consuming process. What will be the impact of new technologies, such as GenAI, on the business and strategy? Will navigating geopolitical turbulence, climate change, and ESG issues become more important to the business? What skills, experiences, and traits will be required of the future CEO and how might they differ from those of the current CEO? What type of culture will the company need going forward and how does this influence the “what” required of the future CEO? What will be nonnegotiable? With clarity on the “what,” the board should identify potential internal and external candidates, recognizing that the list of potential candidates may change over time.
Clearly linked to the importance of having the right CEO is having the talent required – from the top of the organization down through the ranks – to execute the company’s strategy and keep it on track. As companies gear up to deploy GenAI at scale, there will be increased demand for technology professionals with AI-related skills such as model development, algorithmic development, and ensuring data quality. At the same time, companies may need ESG, climate, and sustainability expertise to manage those risks and opportunities; to gather, organize, calculate, assure, and report the necessary ESG, climate, sustainability and GHG emissions data; and to develop the necessary internal controls.
Institutional investors have been vocal about the importance of human capital and talent development programs and their link to strategy. We expect companies will face an increasingly difficult challenge in finding, developing, and retaining the talent required at all levels of the organization. Does management’s talent plan align with its strategy and forecast needs for the short and long term? Which talent categories are in short supply and how will the company successfully compete for this talent? More broadly, as younger employees join the workforce in large numbers and talent pools become globally diverse, is the company positioned to attract, develop, and retain top talent at all levels?
Does the company make it safe for people to do the right thing? Headlines of sexual harassment, price gouging, aggressive sales practices, and other wrongdoing continue to keep corporate culture front and center for companies, shareholders, regulators, employees, and customers. Boards themselves are also making headlines, with investors, regulators, and others asking, “Where was the board?” – particularly in cases of self-inflicted corporate crises.
As noted above, recognize that the deployment of GenAI may pose significant reputation risks – including bias in algorithms, privacy issues, etc. – which must be considered when deciding how to develop and deploy AI at scale. Has the company developed a responsible use policy to manage risks that GenAI may pose to individuals, organizations, and society? A responsible use policy may be critical in maintaining customer and stakeholder trust and confidence.
Given the critical role that corporate culture plays in driving a company’s performance and reputation, we see boards taking a more proactive approach to understanding, shaping, and assessing corporate culture.
Have a laser-like focus on the tone set by senior management and zero tolerance for conduct that is inconsistent with the company’s values and ethical standards, including any “code of silence” around such conduct. Be sensitive to early warning signs and verify that the company has robust whistleblower and other reporting mechanisms in place and that employees are not afraid to use them.
Understand the company’s actual culture (the unwritten rules versus those posted on the breakroom wall); use a variety of tools – surveys, internal audit, hotlines, social media, walking the halls, and visiting facilities – to monitor the culture and see it in action. Recognize that the tone at the top is easier to gauge than the mood in the middle and the buzz at the bottom – a challenge that is further complicated by the prevalence of remote work. How does the board gain visibility into the middle and bottom levels of the organization? Make sure that incentive structures align with strategy and encourage the right behaviors and take a hard look at the board’s own culture for signs of groupthink or discussions that lack independence or contrarian voices. Focus not only on results, but the behaviors driving results.
The growing prevalence of misinformation should be on the board’s radar given the significant reputational risks it poses. Inaccurate information – no matter the type, source, or motive – continues to undermine trust and exacerbate polarization. GenAI technology gives the purveyors of misinformation the ability to understand what resonates with their target audience and provides the tools to generate content – including deep-fake images, narratives, and voices – that is convincing enough to damage corporate reputations.
To get ahead of misinformation, a company should understand what disinformation narratives can materially impact the business and who likely purveyors of misinformation might be. What will cause investors, employees, or customers to lose trust in the company or its products and services? What capabilities and processes does the company have in place (risk management, corporate communications, investor relations, corporate counsel) to prevent or counter disinformation? Having a clear narrative for the marketplace – and building a surplus of trust with customers – are essentials.
The increasing complexity and fusion of risks unfolding simultaneously requires a more holistic approach to risk management and oversight. At the same time, investors, regulators, rating firms, and other stakeholders are demanding higher-quality disclosures – particularly on climate, GenAI, cybersecurity, and other ESG risks – and about how boards and their committees oversee the management of these risks.
Given this challenging environment, many boards are delegating certain risk oversight responsibilities to standing committees for a more intensive review than the full board could undertake, but with the full board sometimes retaining primary oversight responsibility.
We see boards delegating to various committees the responsibility to support the board’s oversight of mission-critical risks, as well as other risk categories such as climate, ESG, HCM, cybersecurity, data governance, legal and regulatory compliance, supply chains, M&A, and more.
The challenge for boards is to clearly define the risk oversight responsibilities of each standing committee, identify any overlap, and implement a committee structure and governance processes that facilitate information sharing and coordination among committees and with the full board. While board committee structure and oversight responsibilities will vary by company and industry, we recommend boards consider the following:
- As the risks that boards oversee grow in volume and complexity, evaluate whether committee scope creep is a concern and consider whether any oversight responsibilities could or should be transferred or assigned to another or a new committee. Do other board committees have the time, composition, and skill set to oversee a particular category of risk? Is there a need for an additional committee, such as a technology, sustainability, or risk committee? Is there a need for new directors with skill sets or experience to help the board oversee specific risks?
- Recognize that risk rarely fits neatly in a single, siloed risk category. While many companies historically managed risk in siloes, that approach is no longer viable and poses its own risks.
- Identify risks for which multiple committees have oversight responsibilities, and clearly delineate the responsibilities of each committee. For example, in the oversight of climate and other ESG risks, the nomination (or sustainability), compensation, and audit committees likely each have some oversight responsibilities. And where cybersecurity and AI oversight resides in a technology committee (or other committee), the audit committee may also have certain responsibilities. To oversee risk effectively when two or three committees are involved, boards need to think differently about how to coordinate committee activities. For example, some boards have established a new board committee composed of a member of each standing committee to oversee management’s preparation of the company’s ESG disclosures – including sustainability reports and other ESG publications – for quality and consistency with strategy, as well as consistency across the company’s various ESG reports and publications. Other techniques include periodic joint meetings of certain committees, having some overlap between committees (e.g., audit and risk), and in all cases, ensuring robust reporting out by committees to the full board.
Essential to effectively managing a company’s risks is maintaining critical alignments – of strategy, goals, risks, internal controls, incentives, and performance metrics. Today’s business environment makes the maintenance of these critical alignments particularly challenging. The full board and each standing committee should play a key role in helping to ensure that – from top to bottom – management’s strategy, goals, objectives, and incentives are properly aligned; performance is rigorously monitored; and the culture that the company has is the one it desires.
Boards, investors, regulators, and other stakeholders are increasingly focused on the alignment of board composition – particularly director expertise and diversity – with the company’s strategy.
Indeed, the increased level of investor engagement on this issue points to the central challenge with board composition: having directors with experience in key functional areas critical to the business while also having deep industry experience and an understanding of the company’s strategy and the risks to the strategy. It is important to recognize that many boards will not have “experts” in all the functional areas such as cybersecurity, climate, GenAI, ESG, etc., and may need to engage outside experts or consider the use of an advisory board.
Developing and maintaining a high-performing board that adds value requires a proactive approach to board-building and diversity – of skills, experience, thinking, gender, and race/ethnicity. While determining the company’s current and future needs – the “what,” as discussed previously in CEO succession planning – is the starting point for board composition, a broad range of board composition issues require proactive board focus and leadership, including succession planning for directors as well as board leaders (the lead director and committee chairs), director recruitment, director tenure, diversity, board and individual director evaluations, and removal of underperforming directors. Boards need to “tell their story” about the composition, skill sets, leadership, and functioning of the board and its committees.
According to the 2023 Spencer Stuart Belgian Board Index[vi], 37% of all directors are women, 55% are independent NEDs, 39% are foreign directors and 40% are foreign CEOs (among the 59 companies that comprise the Bel 20 and Bel Mid indices).
Board composition, diversity, and renewal should remain a key area of board focus in 2025, as a topic for communications with the company’s institutional investors and other stakeholders, enhanced disclosure in the company’s proxy, and most fundamentally positioning the board strategically for the future.
About the Board Leadership Center
KPMG’s Board Leadership Center (BLC) offers non-executive and executive board members – and those working closely with them – a place within a community of board-level peers. Through an array of insights, perspectives and events – including topical seminars and more technical Board Academy sessions – the BLC promotes continuous education around the critical issues driving board agendas.
[i] Global elections in 2024 - Statistics & Facts | Statista
[ii] EU elections 2024: Results and the new European Parliament - House of Commons Library
[iii] Making the financial services sector more cyber resilient - KPMG Belgium
[iv] The NIS 2 Directive: what does it mean for my organization? | Centre for Cyber security Belgium