To: Dara Khosrowshahi, CEO Uber
From: Bob Zukis, CEO DDN and Professor, USC Marshall School of Business
Congratulations on your upcoming IPO. The data in your S-1 is very informative and speaking as an Uber customer, so is your technology. Your innovations in on-demand transportation and food delivery, autonomous driving and logistics clearly demonstrates your mastery and leadership over today’s technologies.
Also impressive and refreshing is your commitment to many transparent and leading practices in corporate governance. These include “one share one vote” to having independent Chair and CEO roles on the Uber board. Alternative practices in both of these areas and others have degraded the trust, integrity and impact of corporate board oversight in some of America’s most well known public companies.
Your leadership in re-establishing a corporate oversight model that has integrity is admirable. America’s public companies are just that, companies that are not just financed by public markets, but supported by customers, employees, suppliers and other stakeholders that have a vested interest in your success.
Your first bullet point in your S-1 under Conduct and Culture states: “We do the right thing. Period.”
This is a powerful message that sets a strong tone at the top to drive Uber’s long term success. This tone also clearly extends to your corporate governance approach when your board Chairperson Dr. Ronald Sugar, states “World-class governance will be our north star…”
You have already made a conscientious effort to establish a more meaningful approach to corporate governance than some of your peers, but there is one vital step still needed to truly be “world-class.” Most of corporate America is also lagging here, yet this is the one area that matters the most for every business in the technology driven world we’ve now created. Corporate America has a technology governance crisis which offers you and Uber a technology governance leadership moment. A moment that you and Uber can step up to, in order to lead the way to the “north star.”
You are clearly leading in how you apply today’s technology to a range of complex problems. But you now have an opportunity to lead the way forward, and set an example for other corporations in how to best oversee the technology future that has yet to come, and the risks that ride along with it.
The future of corporate governance isn’t in its past and corporate America’s approach to corporate oversight is evolving on multiple fronts. While a few others have quietly stepped into this technology governance moment, they don’t have the same permission that you and Uber have to redefine this moment and set the path forward.
This moment is about how America’s companies approach technology and cybersecurity governance and oversight. These issues are squarely in the public interest and the competitiveness of American business is dependent upon most of America’s companies doing this much better than they are.
You’ve structured your board with the typical (for 2003) committee composition of an Audit Committee, Nominating & Governance Committee and Compensation Committee. But you’re missing the most important committee of all, a Technology and Cybersecurity Committee. Uber is a technology company first, second and last. Why do Walmart, American Express, Pfizer, J&J and Proctor & Gamble have board technology committees, but Uber doesn’t?
Board committees offer unique benefits to the firm in corporate oversight, an issue researched at length in 2016 and published by Harvard Business School. Committees do several things, they:
- Bring knowledge specialization and focus to a particular domain,
- Allow for greater task efficiency in that domain,
- Deliver greater board accountability to the firm in that area.
Basically, corporate oversight is better, more focused, efficient and accountable through it’s committees. This makes their companies better, more focused, efficient and accountable to these issues as well. While having the right technology and cybersecurity skills in the boardroom is now table stakes to having an effective board, an issue most American companies also need to improve upon, the committee structure is where it all comes together. This is where you have the opportunity to “do the right thing, period,” now and into the future with your corporate governance model.
Corporate boards are no longer just a check-the-box compliance function, but strategic capabilities that can and should be a source of long-term competitive advantage. So make yours one when it comes to technology and its risks. A Technology and Cybersecurity Committee will effectively interact with your management team to create and preserve the technology fueled value that they are responsible for. You state your committment to “operational excellence” as a pillar of Uber’s platform, your committment to governance excellence also needs to deliver where it counts the most.
You’ve also applied an exceptionally poor, albeit common practice by tasking your board Audit Committee with oversight of cybersecurity risk. While many apply this weak practice, it’s an approach firmly anchored in 2003, not 2020. You can do better and need to.
Your S-1 notably calls out the significant negative impact your business has had due to “adverse publicity events.” While corporate governance doesn’t guarantee adverse events won’t occur, effective corporate governance can significantly improve your overall approach to lowering risk as well as your ability to respond to it.
Cybersecurity is a critical risk factor for your business and to your stakeholders. It deserves the focused attention and effectiveness of a dedicated committee. You make the case yourself in the S-1 when you state:
If we experience security or data privacy breaches or other unauthorized or improper access to, use of, or destruction of our proprietary or confidential data, employee data, or platform user data, we may face loss of revenue, harm to our brand, business disruption, and significant liabilities.
Computer malware, viruses, spamming, and phishing attacks could harm our reputation, business, and operating results.
Sounds to me like Uber would benefit from a focused Technology and Cybersecurity Committee to oversee this significant business risk, along with your technology driven future.
Digital success starts at the top Dara, unfortunately so does digital failure. Do the right thing when it comes to technology and cybersecurity risk oversight. Put a Technology and Cybersecurity Committee onto the Uber board. Lead the way.