Construction of a mass rail transit line in progress

How private boards can unlock value by elevating risk management

To build resilience and create value, private boards should guide their companies to develop proactive risk management strategies.


In brief

  • Boards of private businesses tend to focus on traditional and compliance-related risks, but may be overlooking atypical risks. 
  • Less than half of private companies believe they are well-positioned to counter the cyber threats of tomorrow. 
  • Private company boards can use a proactive risk strategy to identify new growth opportunities.

Private companies are operating in a complex and expansive risk environment that threatens their ability to thrive, but this also presents new opportunities to create value. The long list of risks currently being faced by private companies and their boards mirrors those risks faced by public companies. It includes heightened geopolitical tensions, increasing regulatory scrutiny, economic uncertainty, ongoing supply chain disruption, climate change, talent shortages and rapid technological advances, particularly the rise of generative AI (GenAI). The difference lies in how private and public companies are responding to these risks.

By drawing on recent EY board surveys and reports, we gain insight into private companies' exposure to risk and management strategies, while highlighting opportunities for their growth. These findings should help to inform the strategic discussions of private company boards and management teams.

“Overlooking risk management likely means missing out on creating substantial value,” says Ryan Burke, EY Global Private Leader. “Let's view risk management not as a threat, but as an opportunity for purposeful growth.”

The reality is that private companies are navigating what the International Monetary Fund has described as a “next normal for turbulence”.1 In other words, disruption should be considered a standard element of day-to-day operations. Private companies must, therefore, be resilient and ready to adapt, both to the challenges and opportunities they face now, as well as what comes next.

“When you’re talking about risk, it’s normally about the negative impact of the different risk factors,” says a board member for an EMEIA-based financial services company and several other public and private companies. “But you can also see it from a positive side and say that a rapid change in the business environment brings a lot of possibilities.” Agile companies that proactively address risk have a tendency to grow and capture value faster than their peers.

It's not only underestimating the risk environment that may jeopardize private company success, but also understating the potential of new growth opportunities is a threat as well. A good example is AI, which creates a host of new risks for private companies, but also presents them with enormous potential for unlocking value.

Private companies should not view risk management as a threat, but as an opportunity for purposeful growth.

Lack of resilience to risk

Private companies are generally renowned for their agility and resilience, as well as their strong sense of purpose that guides their approach to innovation. “They tend to be adept at pivoting at speed, serving their customers, retaining the loyalty of their people and taking a long-term perspective to value creation,” says Peter Bos, Global EY Private Markets Leader and Global EY 7 Drivers of Growth Leader. “Yet this famed agility and resilience is not so evident when it comes to risk management, which is not always as high as it should be on the priority list of private companies.”

 

The EY organization has tracked private companies’ approach to risk management since the second edition of the Global Board Risk Survey (GBRS) in 2021. This survey found that 66% of private companies believed that they effectively managed traditional risks, such as operational outage, fall-away in customer demand or increased borrowing costs. Yet, just 33% were confident about their ability to manage atypical risks, such as the risk of being disrupted by new technology, the impact of climate emergency or a major geopolitical event.

Traditional risks
of private companies believe they manage traditional risks effectively.
Atypical risks
of private companies were confident about their ability to manage atypical risks.

The private boards’ focus on traditional and compliance-related risks was highlighted again by the 2023 EY GBRS. According to this research, just 33% of private companies felt “very confident” in their ability to respond to unexpected high-impact incidents compared with 41% of publicly owned companies. This focus on managing traditional risks, as highlighted in both surveys, can lead to private companies suffering from significant vulnerabilities when faced with atypical risks.

Even when it comes to compliance-related risks, private companies lag behind public peers: for example the Organization for Economic Co-operation and Development’s (OECD’s) Pillar Two framework, along with other major developments in the tax landscape, is driving new areas of tax risk. Organizations are increasingly strengthening their tax governance frameworks to facilitate robust tax compliance but nonetheless, the increased likelihood of tax audits and greater focus on indirect taxes by authorities could have significant implications for both the operations and reputations of private companies. “Clients are telling us the stakes have never been higher, with disruptions to their day-to-day operations and the implications to the market reputation of the business and its owners,” says Steve Shultz EY Global Private Tax Leader.

Clients are telling us the stakes have never been higher, with disruptions to their day-to-day operations and the implications to the market reputation of the business and its owners

Countering cyber threats

Emerging technologies are potentially a major driver of growth for private companies, but they also pose some very specific cyber risks. For example, AI is already being used by bad actors to launch increasingly sophisticated cyberattacks, such as large-scale phishing scams. Additionally, it presents an abundance of other risks, including those associated with bias, copyright, privacy and hallucination (where an AI system presents false or misleading information as fact).

Despite the scale and urgency of cyber threats, many private companies are less prepared to combat risks effectively. Taking into consideration the recent EY 2023 Global Cybersecurity Leadership study, Global EY Private Leader Ryan Burke suggests that privately owned businesses aren’t moving fast enough to outrun cyber threats. The study reveals that more than four-fifths (84%) of private companies take more than a month to detect cybersecurity incidents, while 63% take more than a month to respond. What’s more, 40% of private-company respondents cited an inadequate cybersecurity budget as one of the biggest internal barriers to cybersecurity.

Privately owned businesses aren’t moving fast enough to outrun cyber threats

The study also found that just 12% of private companies are very concerned about the impact of physical risks involved with a cyberattack, such as a ransomware attack that can shut down their operations. In contrast, 27% of public company respondents were very worried by this possibility. These findings strongly highlight the urgent need for private companies to re-evaluate their approach to the tangible threats connected with cyberattacks.

Private companies
are concerned about the impact of physical risks involved with a cyberattack.
Public companies
are concerned about the impact of physical risks involved with a cyberattack.

Overall, private companies were far less likely than public companies to agree with the statement “Our organization is well-positioned to take on the cyber threats of tomorrow” (38% private vs 50% public) according to the 2023 Global Cybersecurity Leadership Insights study. Nevertheless, concerns around a lack of cyber readiness help to explain why boards are stepping up their efforts in this area. In fact, according to the Asia-Pacific 2024 board priorities report, cybersecurity and data privacy is the fourth most important priority for boards in Asia-Pacific in 2024, after economic conditions, capital allocation and talent. The reality is that private companies have a opportunity to boost their resilience to disruption and gain an operational edge over rivals by strengthening their cyber defenses.

“I am seeing more boards establishing some sort of technology committee,” says a board member for a privately held multidisciplinary services firm in Asia-Pacific. “Not necessarily a cyber committee, but a technology committee that would consider cyber among other technology matters.”

Dedicated technology committees can be a good way for boards to ensure that cyber threats are sufficiently monitored and understood. Recruiting a board member with advanced knowledge in cybersecurity can also be invaluable for augmenting the skills base of the board.

Tapping the talent pool

Attracting and retaining talent are top concerns for employers around the world, whether they are private or public companies. According to the 2023 Work Reimagined survey, 35% of employees are likely to quit their job in the next 12 months, with Gen Z (38%) and millennials (37%) the most likely to leave. Talent disruption, therefore, remains a significant strategic risk for private companies, especially with labor markets remaining tight in many countries.

Talent disruption
of employees are likely to quit their job in the next 12 months.

Despite having to compete fiercely for talent, private companies are behind public companies in pursuing diversity, equity and inclusion (DE&I) policies. According to the 2023 GBRS survey, over half (59%) of private companies believe they need bold change rather than incremental progress in DE&I vs 71% respondents of publicly owned companies. This indicates that private companies may benefit from adjusting their perspective on DE&I and recognizing it as a critical component of their business strategy going forward.

Lack of investment in DE&I can damage a company’s employer brand, weakening its ability to attract and retain the talent that is critical to future growth. What’s more, companies will be missing out on the innovation opportunities that may be generated by varying perspectives derived from a diverse workforce.

Private companies should also consider how new ways of working — across borders and jurisdictions — can have heightened expectations in relation to workforce flexibility, talent strategy and technological investment. This is against a background of increasingly complex economic, geopolitical and social challenges. To build sustainable value in this climate, business leaders need solutions that address risks and boost reward when it comes to talent strategy.

Organizations need to pinpoint their employees’ locations if they are to effectively initiate responses to potential physical safety or cybersecurity issues, and to gauge the degree to which the organization is exposed to tax, immigration or regulatory risk. According to the 2023 Mobility Reimagined survey, while the majority of mobility professionals indicate their organization has some sort of approach toward hybrid mobility, surprisingly just 37% of employers believe their organization’s hybrid mobility policy adequately addresses the tax and regulatory risks linked to mobility. Due to this discrepancy, there is a pressing need to strengthen hybrid mobility policies so that these risks can be effectively managed according to the survey.

A survey of more than 350 corporate board members for the Americas board priorities 2024 report found that talent is one of the top five priorities for board members across the Americas. To achieve better talent outcomes, private companies need to foster a workplace where employees feel trusted, empowered, connected, well-informed and genuinely cared for by their leaders. They also need to show that they value a diverse workforce and are committed to building an inclusive working environment that enables everyone to succeed.

“Where a board can help is really understanding where the focus areas are,” says a board member for a privately held Americas franchise, “You have to figure out the business problem you’re trying to solve. Is it attraction of diverse talent? Is it retention of diverse talent? Is it development of diverse talent?”

All three are essential tenets of any talent strategy. Nevertheless, different approaches are necessary if private companies are to address them with the same level of effectiveness.

Culture is king

When it comes to implementing effective risk management strategies, it is hard to overstate the importance of culture. A strong risk culture, as defined by the Institute of Risk Management, is a culture where everyone shares the same values, beliefs, knowledge, attitudes and understanding about risk.

All members of the workforce should have an awareness of the broad spectrum of risks that exists in today’s business environment, from traditional through to atypical. The boards of private companies can play a crucial role here by ensuring that a culture of risk awareness is instilled throughout the organization by emphasizing the significance of nontraditional risks with executives.

“The board needs to set the tone for what it expects of the organization, whether it be a broader culture or a risk culture,” says a board member of several public and private entities in Asia-Pacific. “Part of that is about selecting the right team, but something that’s certainly more the case is making sure that you get to see – whether it be through deep dives, presentations or going out in the field – greater visibility of the people within the organization so you get a better read on what’s really going on.” Fostering a culture of visibility and communication within an organization is vital and can be better achieved through a board that straddles both private and public companies, leveraging their broader exposure and diverse insights.

In search of sustainability

The shift to a lower-carbon economy simultaneously presents huge opportunities and substantial risks to private companies. By pursuing a more sustainable business model, private companies can develop more innovative products and services, attract more customers, operate more effectively, enter new markets and appeal to a broader talent pool. On the other hand, companies that fail to adapt could find themselves penalized by policymakers, overlooked by customers and talent, and overtaken by competitors.

The 2023 EY Sustainable Value Study found that private companies have an opportunity to better acknowledge their role in the fight against climate change and bring about sustainability transformation. Sustainability demands a holistic approach that extends beyond carbon emissions to incorporate broader governance and social considerations. The study found that 67% of private companies had made climate change commitments, compared with 86% of public companies. Furthermore, 24% of private companies expected to spend more on addressing climate change over the next 12 months compared with the previous year — in contrast to 39% of public companies that said the same. 


Private companies may find it challenging to provide clear reports on their sustainability commitments. According to the EY Sustainable Value study 2023, 39% of respondents prioritize external reporting over other sustainability initiatives compared with just 29% of public companies. Despite facing different regulatory requirements to public entities, private companies still benefit from developing adequate transparency around sustainability. Besides showing preparedness, high-quality reporting helps to strengthen relationships with key stakeholders, such as investors, customers, employees and suppliers, and can provide the organization with a North star to navigate change more broadly.

Role of the board

Private companies may be under-prioritizing risk management — particularly the management of atypical risks — for several reasons. Often, they will not even be aware that they are substantially behind both publicly listed companies and their privately held peers. If they are particularly fast-growing companies, they are likely to be focused on other drivers of growth, such as talent attraction and retention, operational efficiency and customer centricity. Private companies may also find it difficult to justify the return on investment in risk management.

Yet, failing to invest in risk management is a false economy, as the 2023 GBRS study showed. The research found that the proportion of boards expecting severe impacts from risks had almost doubled since the 2021 study. Furthermore, the current complex risk environment is likely to persist, rather than recede. For that reason, boards should be undertaking scenario or what-if analysis to understand the potential implications of a wide range of potential risks.

A well-run risk function is aligned with business objectives, can proactively identify and manage risks and facilitate cross-functional collaboration. It fosters open communication, leverages technology for improved efficiency and promotes a culture of risk awareness throughout the organization. Constant monitoring, continuous training and adherence to regulatory compliance are also key.

By under-prioritizing risk management, companies could also be missing out on substantial value creation opportunities. Through the process of managing and addressing risks, companies can potentially improve their efficiency, enhance their reputation and boost their competitiveness in the market through innovation and an enhanced talent offering. Furthermore, by taking a proactive strategy to the management of supply chain risk, boards can ensure that they have a flexible and resilient supply chain model that not only insulates the company from potential shocks, but also opens up new sources of supply that might otherwise have been overlooked. The EMEIA board priorities 2024 report highlights that companies can use new technological tools, such as control tower solutions, to improve the performance of their supply chains.

In their strategic advisory role, boards can help private companies to better manage and address their risks, turning those risks into opportunities where possible. For example, by understanding and anticipating future trends, boards will be able to plan more strategically to take advantage of those trends, while developing better oversight of risk management practices within their organization. Additionally, if private boards can recruit members who also serve on public companies, they can learn from public company risk management strategies.

Recommendations: how can boards unlock value by managing and mitigating risk?

To help private companies look at risks more holistically, boards can:

  1. Adjust their governance model so that they are better able to respond to new and intensifying risks. Adjustments may include having more frequent meetings, forming specific committees to address certain risks (e.g., sustainability and technology), and engaging more regularly with executives around key risk-related issues.
  2. Provide oversight for a broad range of risks, encompassing compliance, financial, geopolitical, operational, sustainability, talent and technology risks. Look at adopting scenario analysis to project threats and identify specific vulnerabilities.
  3. Give feedback on their company’s talent proposition, including its employer brand, attraction and retention strategies, as well as approaches to engaging, motivating and remunerating talent.
  4. Undertake crisis simulation activities for events such as large-scale ransomware attacks and geopolitical crises. These activities will enable the board to identify and rectify weaknesses in the company’s operations, policies and processes.
  5. Review their composition and, if necessary, recruit new board members with specialist knowledge of specific risks, such as cyber, geopolitical or talent-related risks.

Summary 

Private boards cannot afford to treat “the next normal” as a temporary phenomenon since the risk environment will only continue to evolve in future. Instead, boards should challenge their management to develop a proactive strategy for risk management. This strategy should anticipate and adapt to emerging disruptions as they happen, build organizational resilience and unlock value for the business — both today and in the longer term. 

Related articles

    About this article

    Contributors