Boards must consider how they build improved business risk resilience in the evolving risk environment.
According to the EY global board risk survey of 500 board directors and CEOs conducted in late 2019, just 40% said their enterprise risk management (ERM) was effective in managing atypical and emerging risks. This is a stark acknowledgement that pre-COVID-19, boards recognized that ERM at their businesses was not sufficiently geared up to identify and mitigate new threats.
COVID-19 now stretches risk functions’ capabilities even further. The pandemic is not only a major threat in itself, but a force that will reshape and exacerbate new and adjacent risks that organizations struggled to contain even before the outbreak.
Take data privacy. In the EY survey pre-pandemic, boards ranked cyber attacks and data breaches as their second most important business risk. Yet in the space of just a few weeks, where the majority of non-essential workers globally have been working from home, the spike in use of remote access and collaboration tools has made cyber resilience even more difficult to achieve. Similarly, workforces, culture and supply chains to name but a few have also been seriously tested by COVID-19.
As such, we recommend all leaders view their organization’s strategy and actions with three horizons in mind: now, next, and beyond. As we navigate the post COVID-19 landscape, boards should start considering the “next” horizon: how they build improved resilience in the evolving new risk environment.
1. Re-examine board governance and composition
Before the outbreak of COVID-19, just 21% of boards were “very satisfied” with their effectiveness in overseeing changes to the risk landscape and adjusting their organization’s risk appetite accordingly. With the board’s role in overseeing risk management now of heightened importance, they must urgently improve their effectiveness.
From enhancing risk reporting to leveraging external consultants, boards can improve their understanding of the changing risk landscape, and their ability to oversee how their businesses are responding to it. But more fundamentally, they must ensure sufficient time at board meetings is dedicated to discussing emerging and existential risks.
Although seemingly simple, this is often overlooked. The pre-COVID-19 EY survey, found the number one request for enhancing oversight was simply more time to discuss emerging and existential risks, followed closely by setting aside time to discuss scenarios that could threaten the organization’s business model.
How can boards ensure sufficient time is dedicated to emerging and existential risk? Evaluating committee structure is a good starting point. Depending on industry sector, many boards today task the audit committee with overseeing risk. Yet audit committee meeting agendas are already full. One solution is for boards to consider whether a new risk committee (or ad hoc committee) should be given responsibility for risk oversight. Alternatively, these duties could be split, with the full board taking responsibility for strategic risks and the audit committee overseeing the management of financial and compliance risks.
That said, even if boards devote adequate time to discussing new risks, they won’t be able to effectively define, assess and oversee how they are managed without the right cohort of competencies and skills. With issues such as supply chain resiliency, workforce management and business restructuring in mind, boards should review their current composition and understand what new skills will be required.
This goes beyond a simple skill gap assessment and transcends into ensuring that strong diversity of background, opinion, gender and other factors are also taken into consideration.
2. Seek out new types of reporting
Before this pandemic, only 19% of boards were “very satisfied” with the accuracy, completeness and breadth of reports received. And 33% did not receive reports on some risks they considered “significant.”
In times of heightened uncertainty, it is vital boards receive insightful reporting at speed. The difficulty is boards – and CEOs, for that matter – may not fully know the scope, scale and availability of information required to provide insight into a risk they have likely never encountered before. As the COVID-19 outbreak continues, it will be imperative, at a minimum, to monitor case numbers and government measures to tackle its spread in regions where the business, its supply chain, and customer groups are located.