Sound corporate governance is of utmost importance, and Southern Company’s Board of Directors sets high standards for employees, officers and directors. It is the duty of the board to serve as a prudent fiduciary for stockholders and to oversee the management of our business strategies and related risks and opportunities, including Environmental, Social and Governance (ESG) topics.
The board and its committees have both general and specific risk oversight responsibilities. The board is responsible for providing oversight of significant risks through engagement with management and delegation to committees. Any risk oversight that is not allocated to a committee remains with the board. At least once per year, the board reviews Southern Company’s risk profile to ensure oversight of each risk is designated to the appropriate committee or retained by the full board.
Each committee continually oversees the risks designated to it, reports to the board on its related oversight activities and includes the full board in risk reviews as needed. Each committee has a designated member of Southern Company’s executive management as the primary responsible party for providing information and updates on that committee’s risks. These responsible parties ensure that every risk identified in our risk profile is regularly reviewed with the board and the appropriate committee.
You can find information about how the Board’s committees oversee key ESG topics here.
The board is committed to regular refreshment and believes that a variety of perspectives facilitates effective decision-making, helps drive long-term value, and encourages different views on risk, business strategy and innovation that add value to the company.
The Nominating, Governance and Corporate Responsibility Committee is tasked with focusing on board refreshment to align the board’s long-term composition with Southern Company’s long-term strategy and to effect meaningful board succession planning. To this end, the committee regularly evaluates the expertise and needs of the board to determine its membership and size. As part of this evaluation, the committee considers aspects of diversity, including race, gender, ethnicity, age, education, industry, business background and experience, in the selection of candidates to serve on the board.
The board aims to strike a balance between the knowledge that comes from longer-term service on the board and the new perspectives and ideas that come from adding new Directors to the board. Since March 2018, we have added five new independent Directors to the board. We believe the average Director tenure of about 8 years reflects the right balance between different perspectives brought by longer-serving Directors and new Directors.
Southern Company’s commitment to diversity, equity and inclusion begins with our Board of Directors. Our corporate governance guidelines provide that the board as a whole should be diverse and confirm the board’s commitment to actively seeking out women and candidates of color to include in the pool from which board nominees are chosen.
We aim to further refresh Board membership in the coming years, including a continued focus on diverse candidates.
Cybersecurity is a critical component of Southern Company’s risk management program. Our approach to cybersecurity establishes oversight and accountability throughout the organization, and the board dedicates significant time and attention to cyber and information security risk. Specifically, the Business and Resiliency Committee, made up solely of independent directors, is tasked with oversight of risks related to cybersecurity and operational resiliency. This committee is composed of directors who hold high-level security clearances and have an understanding of current cyber issues.
We use risk-based, “all threats” and “defense in depth” approaches to managing cyber threats. Our strategy is regularly tested through auditing, penetration testing and other exercises designed to assess its effectiveness.
Southern Company has implemented a security awareness program designed to educate and train employees about the risks inherent in human interaction with information and operational technology. Our cybersecurity program increasingly leverages intelligence sharing about emerging threats within the energy industry and across other industries. Such intelligence allows us to detect and prevent emerging cyber threats earlier, before they materialize against our own systems.
Recognizing that no single technology, process or business control can effectively prevent or mitigate all risks, we employ multiple technologies, all working independently but as part of a cohesive strategy to minimize risk.
In addition to the defense efforts within the company, helping our business partners maintain their security is essential to the overall protection of Southern Company. In 2021 we initiated a six-week CAP training program that readies small businesses to seek Cybersecurity Maturity Model Certification (CMMC), a recognized certification program that verifies a contractor’s cybersecurity practices against a defined maturity level and is required for certain U.S. Department of Defense contracts. Upon completion, each company is positioned to make its own determination of whether to pursue CMMC certification. The CAP training program was devised to combat the increased frequency of targeted and complex cyberattacks on businesses worldwide, against which small businesses in particular struggle to defend themselves. Because the security of our partners affects our own, this initiative contributes to Southern Company’s overall level of cybersecurity.