Is your board risk strategy today fit for the risks of tomorrow?

Boards need to reframe their organizations’ risk management approach for long-term resilience amid an uncertain risk landscape.

In brief

• Companies must adopt a better risk management approach to effectively build enterprise resilience and value in the long term.
• A key step is for the board and management to focus more on emerging and atypical risks.
• The board should also drive widespread use of technology to address risks and alignment of the company’s culture to its strategy for better risk mitigation.

The COVID-19 pandemic has heightened risks that are already omnipresent, including cybersecurity attacks, supply chain disruption and other external threats. In this uncertain environment, robust risk management is essential for enterprise resilience — a key priority on board agendas. According to the EY Global Board Risk Survey 2021, nearly 8 in 10 board directors believe that better risk management will be crucial in enabling their organizations to protect and build value in the next five years.

Even then, many board members lack confidence in their organization’s capabilities in managing risks. Just 18% of the survey respondents believe that their organization’s disaster response and contingency planning are highly effective, while only 13% believe that their organization is highly effective in embedding risk and compliance activities.

Clearly, there is significant room for improvement. Boards have an opportunity to reframe their company’s risk management approach for a post-pandemic world. They can exert successful risk oversight and drive more effective risk outcomes in three key ways. 

Focus more on emerging and atypical risks 

The board and management may be regularly monitoring and addressing traditional risks, such as regulatory changes, a drop in demand and increased borrowing costs, but they need to pay greater attention to atypical and emerging risks. Only 39% in the abovementioned survey say that their company can manage such risks effectively, which may include threats relating to new technology or climate risks.

To deal more effectively with emerging risks, boards should view risks through a long-term lens — ideally considering a time horizon of more than five years. A long-term perspective is essential because many risks may only have a marginal impact today but could escalate in the next 5-10 years. Boards today spend little time looking at such long-term strategic risks due to time constraints and a lack of expertise. They therefore need to refocus their time and look at diversifying their members’ expertise as well as leverage technology to increase efficiency in time spent on routine tasks.

Take climate change for example. Only a third of respondents expect a more than moderate impact from climate change on their business in the next 12 months. But this will almost certainly change, as climate change triggers supply chain disruption and stakeholders pressure businesses to do more to combat the issue. 

Leverage data and technology to manage enterprise risks

The extensive use of technology to identify and manage risks is a key driver of risk management. Automation technology, for example, can be used to handle manual tasks, allowing risk professionals to focus on more value-adding priorities. Data collection and monitoring can be automated to occur in real time, allowing potential risks to be flagged much sooner than using a purely manual approach. In addition to automation, leveraging artificial intelligence (AI) can help read, review and validate financial reporting. AI can also help establish trends and patterns by analyzing voluminous data in a much shorter time. 

Yet despite the importance of technology, fewer than one in five boards say their organization’s risk management is highly effective in leveraging data and technology or delivering timely and insight-driven reporting. Indeed, boards can help drive greater awareness of the role that technology and data can play in enhancing risk management.

Boards should mandate the risk function to capitalize on new automation, AI and reporting tools to monitor and manage risks. Having a sufficient budget allocated to investment in technology for this aspect as well as alignment to the overall technology and data strategy of the organization is another imperative.

The board should also direct the management to improve the breadth and depth of risk reporting. Effective risk reporting is forward-looking and predictive, and covers emerging and atypical risks, among others. When done right, it can be a powerful driver of effective risk management. 

Align corporate culture to strategy

When aligned with the organization’s purpose, a company’s culture is pivotal to protecting and creating value. When it isn’t, risks increase and potential value is unrealized. In fact, misalignment between culture and strategy is the greatest workforce-related challenge in risk management. Culture is also crucial in enterprise risk management, impacting how an organization identifies and manages risks. 

Clearly, it is important to allocate sufficient time to discuss culture at the board level. Yet the survey found that 27% of boards never or rarely discuss the culture needed to support their organization’s strategy. This needs to change. The boards can govern culture and work with the management to define, implement and measure a corporate culture that is aligned with the organization’s strategy, thereby reinforcing risk management.

To achieve this, the board should review how the management articulates the organization’s desired culture and works on closing existing gaps. It should also consider aligning executive compensation to the desired behaviors and culture of the company and assess if there are clear links between rewards and desired behaviors.

Boards can also leverage analytics of cultural trends, benchmarking with others, surveys of risk attitudes and risk awareness. Regular reviews of culture metrics within the organization, such as employee pulse surveys, employee onboarding and exit interviews as well as other relevant surveys, should be conducted.

As the risk environment for businesses becomes increasingly complex, boards need to drive their organizations to pull out all the stops to identify, mitigate, manage and even preempt new threats. Boards can reframe their organization’s approach to risk management by catalyzing change through an emphasis on culture and technology, while adopting a long-term lens in managing risks. 

 Boards should consider the following questions:

• Has the board re-evaluated its risk oversight practices to assess whether there are changes that can be made to strengthen oversight?
  
• Has the board allocated a sufficient budget to invest in technology for risk management as well as develop a workforce with the skill set to manage it?
  
• Has the board directed the management to devise a strategy for using data and technology in risk management activities?
• How thoroughly has the board discussed the impact of culture on risk management and the internal control environment?
• Does the board regularly review culture metrics, such as employee pulse surveys, employee onboarding and exit interviews as well as customer surveys?

This article was written by former EY Partner Alexandra Gradehand.