The Board Imperative: How can data and tech turn risk into confidence?

Effective use of data and technology to manage and report on enterprise risks is a top priority that differentiates leading businesses.

Despite its elevated importance, organizations’ risk monitoring and mitigation efforts currently fall short of boards’ expectations. This is the stark finding that emerges from EY’s new survey of more than 500 board directors around the world. 

Why the gap?

• Eight in 10 boards believe improved risk management will be critical for their business to protect and build value in the next five years.
• At the same time, 55% say risk management has difficulty keeping pace with changes in business strategy.
• Fewer than 20% of boards believe their organizations are highly effective in disaster response and contingency planning or their understanding of how risks are interconnected.

How can your organization’s risk management improve? Although there are many ingredients, the EY Global Board Risk Survey 2021 identifies two key drivers of effective risk management: the extent to which technology is used to identify and manage risk and the breadth and depth of risk reporting to the board. In fact, 71% of risk management leaders – those organizations deemed highly effective at risk management based on our analysis of survey data – use data and technology effectively, compared with just 5% of risk management laggards, who might still be developing their approach. 

However, despite their importance, fewer than one in five boards say their organization’s risk management is highly effective at leveraging data and technology or delivering timely, insight-driven reporting to the board. In parallel, just 49% of CEOs say their risk-assessment processes are adequately data-driven.

While it’s outside the board’s remit to decide which technologies are used for risk management and to monitor their use, directors can still catalyze change. Boards can and should require that management has adequate controls and processes in place to monitor and manage risks. As technology plays a critical part in this, encouraging risk-management functions to capitalize on newly available data and technology should be a priority. 

Here are the steps you should take:

1. Drive awareness at board level of the role that technology and data can play in enhancing risk management
2. Allocate sufficient budget to invest in technology and develop or acquire a workforce with the skill sets required to manage it
3. Hold management accountable for their use of data and technology in risk-management activities
4. Require that management have a strategy for leveraging data and technology, with a particular focus on skills
5. Work with management to ensure risk reporting is forward-looking and predictive, covers emerging and atypical risks, and includes internal and external data

In addition, our Board Imperative Series offers a broader set of recommendations to help you reframe the future of your organization. It urges boards to think beyond today’s challenges and develop a vision of the future to understand how they and their organizations should change.

What does this look like in practice? How EY teams collaborated with the US food company Kraft Heinz provides a good example. By automating risk analytics, the company was able to identify that, in a particular business unit, approximately 5% of purchase orders were being raised late. Reporting this insight to the board allowed Kraft Heinz to proactively take corrective action before the risk materialized as negative impact to the business. Automated risk analytics ensure consistency in the risk indicators that are being monitored, without which outliers like the one in the example above might go unnoticed or be acted upon too late.

Artificial intelligence can also assist businesses in modeling and understanding connections between risks, for example, by using it to automate basic risk research; identify important risk statements in unstructured documentation; and undertake casual analysis to identify risk interdependencies. These insights are then presented in easy to comprehend formats via dashboards to senior management and boards. Importantly, an improved understanding of the intricacies of risk helps to develop more effective mitigation measures.

Finally, software platforms can also be utilized for risk-management tasks such as data collection and continuous monitoring. By housing key risk and compliance data from multiple parts of the business in a single source, the data can be made easily accessible for everyone, including boards.  

Tech is a priority, but hurdles remain

Encouragingly, 69% of businesses plan to increase their level of investment in data and technology for risk management in the next 12 months. And, when presented with a series of initiatives that enhance enterprise resilience, boards identify the use of data and technology as their top priority.

As they ramp up investment in technology, businesses will have to address a number of challenges, which are dependent on their level of maturity. For those at the beginning of the journey, our research shows the main obstacle is a lack of the necessary skills to utilize data, technology and analytics effectively. Risk management teams must include data scientists and specialists to determine which technology is needed, implement it effectively and ensure it is used to its maximum potential. Depending on the ability to hire within, organizations may want to outsource this process to businesses with existing expertise in the area.  

But recruiting for the right skills is just half the battle. Businesses will also need to upskill non-technical roles to help these workers take advantage of emerging tools and data. They will also need to think carefully about how humans and technologies, such as artificial intelligence, can work together effectively.

For more mature companies, who today already effectively leverage data and technology, one of the top challenges our research found is integrating multiple datasets from disparate sources, so that risk analytics and reporting form a cohesive and comprehensive picture.

Forward-looking and focused on new threats: how risk reporting needs to improve

In fact, risk reporting to boards – identified by our analysis of over 20 factors as the second-most important determinant of effective risk management – also has much room for improvement. Fewer than 20% of boards are extremely confident in risk reporting on a number of specific areas.

According to our survey, boards’ top priorities are that reporting:

• Is forward-looking and predictive
• Covers emerging and atypical risks
• Includes external and internal data
• Covers risk-mitigation initiatives and processes
• Includes competitive intelligence and peer benchmarks

Alejandra Martínez S., a member of Mexico’s Board of Directors Leadership Network and board member at various financial sector entities, provides a concrete example. “Risk reporting is very static and historic and not forward-looking, so I’ve asked management to engage with the wider business about trying to figure out potential new risks that may arise and then report on those,” she says. “One early finding is that ESG reporting is just focused on governance. So, they are evaluating how they can improve identification, reporting and mitigation of environmental and societal risks.” 

Yet boards must resist the temptation simply to ask for more and more reporting. After all, if it is not properly ordered and prioritized, an abundance of information can sometimes muddy, rather than clarify, the picture. As Charlie Bancroft, a board member at GSK, says: “When you have so much information, can you really see the trees as you see the entirety of the forest?” Therefore, boards must work closely with those reporting risk to determine what they should and should not include.

Questions for the board to consider

The board has a vital role to play in ensuring that data and technology are employed to facilitate risk management. Here are some questions to ask yourselves:

1. Does your board understand the role that technology and data can play in enhancing risk management? As covered in our first article in this series, this can be achieved by expert training, internal coaching, and considering the need for this expertise when filling future board vacancies. “You need to make sure that the board has one or two people who know their stuff on technology,” confirms Brendan McDonagh, Deputy Chair at AIB. “They don't necessarily have to be an ex-senior executive of a major technology company. They just have to have had solid technology experience and operations experience. Because at the board level you want them to look at the big picture.”

2. Have you allocated sufficient resources for risk management technology? Significant expenditure will likely require board approval. Boards must, therefore, allocate sufficient budget for investments in technology and the required skill sets.

3. Are you holding management to account on how they use data and technology for risk management? “Boards definitely need to buy into new technology and question whether it’s being used, but it’s more important to know how these technologies are being used by the business to get insights about risk,” explains Craig Jackson, board director and Audit Committee Chair, Paloma Rheem Global. “Whether it’s machine learning or artificial intelligence, there are some powerful tools emerging that can be used for risk management. But are they really being used for risk management at the moment? It’s up to the board to find out and make sure that they are.”

4. Is there a strategy in place to overcome the expected obstacles? There are some significant challenges to implementing a data and technology-driven approach to risk management. Boards must ensure that management has a strategy for overcoming the obstacles, with a particular focus on skills. And as with any data and technology-driven transformation strategy, cybersecurity and data privacy considerations should be integral from the get-go, so that new risks aren’t introduced as a result.

5. Has the board clearly defined what is required of management in terms of risk reporting? Boards must work with management to ensure that risk reporting is forward-looking and predictive; covers emerging and atypical risks; and includes internal and external data.

Boards may think that they can leave management to develop a strategy for employing technology to monitor and mitigate risk; however, they do need to oversee that it’s used to its full potential. This may require boards themselves to move up the learning curve in terms of understanding all the benefits that technology can deliver.