April 17, 2018

Dear Facebook, Inc. Shareholders:

We are writing to urge you to vote for Shareholder Proposal 4 on Facebook’s (FB) 2018 proxy statement regarding a Risk Oversight Committee. This document provides a detailed explanation for why we believe shareholders should vote for this proposal, which makes the following request:

Shareholders request Facebook’s Board issue a report discussing the merits of establishing a Risk Oversight Board Committee (at reasonable cost, within a reasonable time, and omit confidential and proprietary information).

Reasons to vote for Proposal 4:

The sheer volume, magnitude, and frequency of Facebook’s controversies strongly suggests that the company’s whack-a-mole approach is insufficient - Facebook needs to institutionalize stronger risk oversight mechanisms.
Existing risk oversight structures appear to lack the dedicated focus Facebook needs.
Facebook can learn from Microsoft’s history of public and government scrutiny and adopt a similar committee structure.
For the reasons provided below, we urge Facebook shareholders to vote FOR Proposal 4 on the Company’s proxy.


The sheer volume, magnitude, and frequency of Facebook’s problems strongly suggests that the company’s whack-a-mole approach is insufficient - Facebook needs stronger governance oversight mechanisms.
The evolution and growth of Facebook has been so rapid that global communities, society at large, and Facebook’s management have been unable to recognize and adapt to the impacts of this growth. While many of these social impacts are beneficial, some of the platform’s two billion users have used Facebook in unintended, even harmful, ways. The result has been that the Company is exposed to significant financial, reputational, and regulatory risk related to the vast amount of personal data Facebook is responsible for, the sheer size of its audience, and its far-reaching impacts. The following is a representative list of the numerous allegations linking Facebook to negative social outcomes, including:

Depression and other mental health issues including stress and addiction.1
Russian meddling in the U.S. 2016 Presidential Election as described in an indictment by Special Counsel Robert Mueller.2
Proliferating “fake news” such as claims that the survivors of the tragic school shooting in Parkland, FL were paid actors;3 spreading misinformation that facilitated the Filipino President's clampdown on critical voices;4 and the Pizzagate conspiracy theory.5
The Cambridge Analytica scandal and the misuse of data to influence elections around the world.6
Facilitating copyright and intellectual property infringement.7
Censorship in China.8
Smugglers using Facebook to broadcast the abuse and torture of migrants to extort ransom money from their families.9
Incitement of terrorism.10
Allowing advertisers to seek out racist audiences.11
Monopoly power over markets.12
Incitement to rape.13
Questions about the negative consequences of the Company’s advertising revenue model.14
1 http://www.bbc.com/future/story/20180104-is-social-media-bad-for-you-the-evidence-and-the-unknowns; https://www.forbes.com/sites/alicegwalton/2017/06/30/a-run-down-of-social-medias-effects-on-our-mental-health/#3f4fae972e5a; and https://www.psychologytoday.com/us/blog/media-spotlight/201505/exploring-facebook-depression
2 https://www.nytimes.com/2018/02/16/us/politics/russians-indicted-mueller-election-interference.html
3 https://www.nytimes.com/2018/02/23/technology/trolls-step-ahead-facebook-youtube-florida-shooting.html; https://www.cnbc.com/2018/01/17/facebook-and-fake-news-controversy-in-philippines-around-rappler.html; and https://www.recode.net/2016/12/9/13898328/pizzagate-poll-trump-voters-clinton-facebook-fake-news
4 https://www.cnbc.com/2018/01/17/facebook-and-fake-news-controversy-in-philippines-around-rappler.html
5 https://www.recode.net/2016/12/9/13898328/pizzagate-poll-trump-voters-clinton-facebook-fake-news
6 https://www.nytimes.com/2018/04/04/technology/mark-zuckerberg-testify-congress.html
7 https://www.theverge.com/2015/8/7/9114149/facebook-freebooting-video-copyright-infringement
8 https://www.nytimes.com/2016/11/22/technology/facebook-censorship-tool-china.html
9 https://af.reuters.com/article/topNews/idAFKBN1961TP-OZATP
10 http://www.timesofisrael.com/20000-israelis-sue-facebook-for-ignoring-palestinian-incitement/
11 https://www.nytimes.com/2017/09/15/business/facebook-advertising-anti-semitism.html
12 https://www.telegraph.co.uk/technology/2017/12/19/facebook-abusing-power-limitless-collection-peoples-data-germany/ and https://www.wired.com/2017/06/ntitrust-watchdogs-eye-big-techs-monopoly-data/
13 https://www.telegraph.co.uk/technology/facebook/8829165/Cyber-anarchists-blamed-for-unleashing-a-series-of-Facebook-rape-pages.html
14 Critics say advertisers will do what they can to get clicks, likes, or attention, even if it’s divisive or unscrupulous. For example, Alex Hardiman, the head of Facebook news products, has been quoted as saying “If we just reward content based on raw clicks and engagement, we might actually see content that is increasingly sensationalist, clickbaity, poliarizing and divisive.” https://www.wired.com/story/inside-facebook-mark-zuckerberg-2-years-of-hell/. See also https://www.washingtonpost.com/news/the-switch/wp/2018/04/05/what-if-we-paid-for-facebook-instead-of-letting-it-spy-on-us-for-free/?utm_term=.9bc9c4740967

Propagating ethnic violence in Sri Lanka, India and South Sudan.15
Accelerating ethnic cleansing in Myanmar.16
Allowing advertisers to exclude black, Hispanic, and other “ethnic affinities” from seeing ads.17
Consequently it appears that Facebook’s executive team has been in an almost perpetual reactive state - issuing papers, making modifications to the platform, providing interviews, etc. all with the apparent goal of putting out the latest fire. It has lead to years of apologies from Mr. Zuckerberg and COO Sandberg with apparently no consequences for the company or leadership.18
The simple fact that so many different and severe controversies keep occurring leads us to believe the underlying issue remains unsolved and a different form of oversight is needed.19 Facebook’s executive team can spend countless hours providing technical solutions to controversies about privacy or mental health or illegal activity, but without additional guidance and strategic vision about the company’s role in society and the risks it creates for people and communities, as well as for itself, we believe it will never truly get past these issues. The Board has had years to demonstrate that it has the governance structures in place to effectively guide the company beyond its first iterations and into the future. Yet, the crises continue to explode and Facebook responds in whack-a-mole fashion. For these reasons, we believe Facebook’s problems are a core governance failure, not a result of poor crisis management. As Mr. Zuckerberg said in his recent testimony before Congress “We didn’t take a broad enough view of our responsibility”. In sum, we believe now is the time to go beyond efforts to put out “fires” and adopt systemic governance changes that will provide Facebook with the big picture risk oversight it needs to ensure that its platforms are used to benefit society, the Company, and its shareholders.
15 https://www.theguardian.com/world/2018/mar/14/facebook-accused-by-sri-lanka-of-failing-to-control-hate-speech and https://www.nytimes.com/2017/10/29/business/facebook-misinformation-abroad.html
16 https://techcrunch.com/2018/03/13/un-says-facebook-is-accelerating-ethnic-violence-in-myanmar/ and https://www.vox.com/2018/4/2/17183836/mark-zuckerberg-facebook-myanmar-rohingya-ethnic-cleansing-genocide
17 https://www.propublica.org/article/facebook-lets-advertisers-exclude-users-by-race
18 https://www.washingtonpost.com/graphics/2018/business/facebook-zuckerberg-apologies/
19 It would be one way to answer the question asked by a recent column in The New York Times DealBook, titled: “Is It Time for More Adult Supervision at Facebook?” https://www.nytimes.com/2018/03/19/business/dealbook/is-it-time-for-more-adult-supervision-at-facebook.html or as Representative Greg Walden, Republican of Oregon and the chairman of the House Energy and Commerce Committee put it, “While Facebook has certainly grown, I worry it has not matured.” https://www.nytimes.com/2018/04/11/business/zuckerberg-facebook-congress.html

Existing risk oversight structures appear to lack the dedicated focus Facebook needs.

For a unique company like Facebook, the risks it faces are tremendous. The adverse social impacts discussed above present direct reputational and financial risk for Facebook; the Cambridge Analytica controversy cost Facebook investors $90 billion in market value between March 16th and March 27th.20 This financial risk could also drive advertisers away - a critical risk as Facebook derives substantially all of its revenue from advertisements. For example, Unilever, which is the second largest marketing spender in the world, recently announced it “will not invest in platforms or environments that do not protect our children or which create division in society, and promote anger or hate.”21 The Unilever case underpins the notion that advertising is built on trust – and in Facebook’s case, this trust may be eroding in the public’s eye. A Reuters poll in March 2018 found only 41% of Americans trust Facebook to obey personal information protection laws, significantly lower than the 66%, 62%, and 60% of Americans who trust Amazon, Google and Microsoft respectively.22

At the same time, regulatory risk is mounting. In recent hearings, members of Congress were very interested in the idea of regulating Facebook and other tech companies, and Germany and the EU are already pursuing more stringent regulations around data privacy.23 At those hearings Mr. Zuckerberg conceded that it was “inevitable that there will need to be some regulation.”24

For all intents and purposes, the Board’s Opposition Statement asserts that the existing committee structure is adequate for the job and that the Board is devoting sufficient time to these “big picture” issues. As described above, the evidence runs to the contrary. But even further, it is evident to us that the basic committee structure adopted by Facebook’s Board, no matter how well utilized, is not up to the task. According to an article published by The Conference Board in the Harvard Law School Forum on Corporate Governance and Financial Regulation:

20 https://www.issgovernance.com/library/trouble-in-tech/
21 https://www.theguardian.com/media/2018/feb/12/marmite-unilever-ads-facebook-google
22 https://www.reuters.com/article/us-facebook-cambridge-analytica-apology/americans-less-likely-to-trust-facebook-than-rivals-on-personal-data-idUSKBN1H10AF?elqTrackId=9293e8d3ea264a8f90c1f2c80f5f237f&elq=99cda598eee84b918142cc0d2d9240c9&elqaid=1129&elqat=1&elqCampaignId=
23 https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI
24 https://www.nytimes.com/2018/04/11/business/zuckerberg-facebook-congress.html

A risk committee fosters an integrated, enterprise-wide approach to identifying and managing risk and provides an impetus toward improving the quality of risk reporting and monitoring, both for management and the board. This approach can assist the board in focusing on the “big picture.” A risk committee can also provide greater support for company executives who are given broad risk management responsibilities, resulting in a stronger focus at the board level on the adequacy of resources allocated to risk management. Finally, it allows the audit committee and other board committees to focus on their respective core responsibilities.

In Facebook’s Governance documents, including its audit and compensation & governance committee charters, each committee is responsible for various elements of risk. However, the language in the charters is standard boilerplate and does not reflect the particular challenges faced by Facebook.

Despite the boilerplate language, oversight of most risk elements appears to fall to the audit committee – though it is not the primary responsibility of the committee. Proponents are concerned the board’s existing approach doesn’t place adequate emphasis on risk oversight, especially given the scale and uniqueness of FB’s risk exposure.

The following list provides examples of our concerns with the Company’s current approach:

The purpose of the audit committee as defined in its charter “shall be to oversee the accounting and financial reporting processes of the Company and the audits of the financial statements of the Company, and the independence, qualifications and performance of the independent auditor.” As it should be, the purpose of the audit committee is to focus on financial reporting processes, not risk oversight.
Risk does not appear in the audit committee charter until near the end, where it is described under “Controls and Procedures”; this buried placement makes it seem like risk one of the minor responsibilities of the audit committee.
Risk is not mentioned once on the Company’s Corporate Governance webpage.25
Risk is not mentioned in any form in any of the director’s bios nor does any director have explicit risk management or oversight expertise.
To the best of our knowledge the Company does not have a chief risk officer.26
In a recent research report, Institutional Shareholder Services (ISS) flags data privacy as the most commonly occurring controversy in the tech sector. As a result, ISS suggests investors look for the existence of board-level accountability of data privacy issues and for board composition that includes expertise in cybersecurity risk management (among other factors) as indications of adequate risk management.27

25 https://investor.fb.com/corporate-governance/default.aspx
26 https://investor.fb.com/corporate-governance/?section=management
27 https://www.issgovernance.com/library/trouble-in-tech/

Proponents believe the low-level of dedicated attention to risk oversight is not commensurate with the significant level of financial, reputational, and regulatory risk outlined above. As such, we believe a board level Risk Oversight Committee is an appropriate and important structure for Facebook.

Facebook can learn from Microsoft’s history of public and government scrutiny and adopt a similar committee structure.

While Microsoft is a different company with a different business model, we believe that its history offers important lessons that can benefit Facebook.28 In 2002, as a part of its anti-trust settlement with the U.S. government, Microsoft established the board-level Antitrust Compliance Committee. This committee was tasked with, amongst other things, providing guidance and oversight of the Company’s compliance with antitrust and competition laws. This came after a decade of government scrutiny and litigation of Microsoft where the fundamental question was whether Microsoft was abusing its role as the dominant player in the most ubiquitous and important technology at the time to the detriment of society.

In 2012, when the settlement agreement came to an end, Microsoft did not disband the Antitrust Compliance Committee. Reflecting upon the lessons learned and the usefulness of a committee which oversaw the Company’s risk exposure, the Board broadened its mandate and formed the “Regulatory and Public Policy Committee”. Although not called a risk committee, the role of this committee is to assist “the Board of Directors in overseeing the Company's policies and programs and related risks that concern certain legal, regulatory and compliance matters, and public policy and corporate social responsibility including public issues of significance to the Company and its stakeholders that may affect the Company’s operations, performance, or reputation.”

The explicit function of this committee is to oversee the various risks Microsoft faces, including those posed by emerging social issues, providing stakeholders with a level of assurance that risk is being adequately considered.

28 At the commencement of the U.S. Senate joint committee hearing for Mr. Zuckerberg on April 10th, Chairman Grassley observed “this is the most intense public scrutiny I've seen for a tech-related hearing since the Microsoft hearing that — that I chaired back in the late 1990s.” https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/?utm_term=.df804317a79e

Proponents believe Microsoft landed at this point after having undergone a similar growth and development process to what Facebook is going through now. This realization, combined with the numerous controversies Facebook has been responding to, lead us to believe that now is an appropriate time for Facebook to consider Microsoft’s experience and establish a committee designed to look specifically at emerging risks.


In light of the numerous adverse events of the past few years, it seems prudent for Facebook to consider the pros and cons of institutionalizing a group whose sole focus would be on risk management. In Mr. Zuckerberg’s Congressional testimony, he states: “I’ve directed our teams to invest so much in security – on top of the other investments we’re making – that it will significantly impact our profitability moving forward.” Facebook’s lack of dedicated attention to risk management has led to this situation where shareholder value is being sacrificed to atone for prior mistakes. While we are encouraged that Facebook is trying to put out fires, proponents believe Facebook owes it to shareholders to at least publicly consider the merits of institutionalizing a committee that provides direct board oversight responsibility for risk management.

Such a committee would also provide support and strategic guidance to risk management personnel, while freeing up the audit committee to go about its other important duties.

Finally, it should be noted that we do not see the creation of a Risk Oversight Committee as the entire solution to these governance failures. Rather it is one important piece of a slate of governance reforms, including changes to the company’s dual class structure and a separation of the roles of chairman of the board and CEO, which are necessary to move forward.


Jonas Kron
Senior Vice President
Allan Pearce
Shareholder Advocate

IMPORTANT NOTICE: The cost of this communication is being borne entirely by Trillium Asset Management, LLC (“Trillium”). The foregoing information may be disseminated to shareholders via telephone, U.S. mail, e-mail, certain websites and certain social media venues, and should not be construed as investment advice or as a solicitation of authority to vote your proxy. The cost of disseminating the foregoing information to shareholders is being borne entirely by Trillium. Proxy cards will not be accepted by Trillium. To vote your proxy, please follow the instructions on your proxy card. These written materials may be submitted pursuant to Rule 14a-6(g)(1) promulgated under the Securities Exchange Act of 1934. Submission is not required of this filer under the terms of the Rule, but is made voluntarily in the interest of public disclosure and consideration of these important issues. The views expressed are those of the authors and Trillium as of the date referenced and are subject to change at any time based on market or other conditions. These views are not intended to be a forecast of future events or a guarantee of future results. These views may not be relied upon as investment advice. The information provided in this material should not be considered a recommendation to buy or sell any of the securities mentioned. It should not be assumed that investments in such securities have been or will be profitable. To the extent specific securities are mentioned, they have been selected by the authors on an objective basis to illustrate views expressed in the commentary and do not represent all of the securities purchased, sold or recommended for advisory clients. The information contained herein has been prepared from sources believed reliable but is not guaranteed by us as to its timeliness or accuracy, and is not a complete summary or statement of all available data. This piece is for informational purposes and should not be construed as a research report.