A new EY survey of more than 500 global board members reveals that risk management today typically lacks focus on emerging and atypical risks, is not always aligned with business strategy and is too entrenched in the here and now.
Whether it be in relation to reporting, skillsets or the sheer time spent discussing risk, board members acknowledge that their organizations – and boards themselves – need to evolve to keep pace with disruption and maintain their strategic advantage.
The most effective ways for you as a board director to bolster risk management are to:
- Rethink how the board operates, its composition and its role in setting an organizational purpose that extends beyond maximizing returns for shareholders.
- Work with management to define, implement and measure a corporate culture that is inspired by purpose and aligned with the organization’s strategy.
- Ensure that the organization adopts a data- and technology-driven approach to risk management and reports on the threats that matter most.
This article forms part of the EY Board Imperative Series. Its insights can help board members reframe the future of their organizations. It encourages boards to think beyond today’s challenges to understand how they and their organizations can bolster risk management to drive growth and build resilience against future disruption.
The common traits of risk management leaders
Enhanced risk management has become a top priority for boards: 79% believe that improved risk management will be critical in enabling their organizations to protect and build value in the next five years. CEOs share this view. When asked which areas of the enterprise they expect will change most in the next three years, they ranked risk management first.
Why has effective risk management risen up the agenda?
The pandemic has focused minds. COVID-19 is not only a major risk event in itself but also an accelerator of risks that were already omnipresent: cybersecurity attacks, supply chain disruption, geopolitical tension and other external threats.
Illustrating this, the EY Global Board Risk Survey 2021 shows that 83% of board members believe market disruptions have become increasingly impactful and 87% believe they have become increasingly frequent.
But despite the criticality of risk management, many board members lack confidence in their organization’s capabilities. For example, just 18% believe that their organization’s disaster response and contingency planning is highly effective, and only 13% believe that their organization is highly effective at embedding risk and compliance activities.
Three levels of risk management effectiveness
These statistics suggest that there is significant room for improvement. But what exactly does “highly effective” risk management look like? To answer this question, the survey results were analyzed to classify respondents into three groups based on their self-assessment of risk management effectiveness:
- Risk management leaders: Accounting for 16% of the sample, these organizations have highly effective risk management. They have a sound understanding of the interconnected nature of different risks, have defined their risk appetite, and consistently refer to that appetite when evaluating risks and opportunities.
- Risk management improvers: Accounting for 60% of the sample, these organizations have moderately effective risk management. Although they align risk strategy and business strategy, they are much less effective than the leaders at implementing an integrated risk governance model and defining their risk appetite.
- Risk management developers: Accounting for 24% of the sample, these organizations are the least effective risk managers. They are moderately effective at disaster response and contingency planning, but do not leverage data and technology for risk management activities or upskill the risk function as much as they should.
The hallmarks of effective risk management
Examining the common traits of those deemed “risk management leaders” revealed three behaviors that align with more effective risk management:
- Risk, with few exceptions, is viewed through a long-term horizon
- Risk management priorities are aligned with business strategy
- Focus is sharpened on emerging risks, atypical risks and external risks
This article explores these hallmarks of effective risk management in more detail. Read the follow-on articles in the series to explore the practical steps boards can take to guide their organizations toward more effective risk outcomes.
1. Risk is viewed through a long-term lens
Increasingly, it is critical to consider a longer time horizon when assessing strategy and risk – ideally more than five years.
Some 43% of the risk management leaders, for example, look more than five years into the future when scenario planning, compared with just 22% of the risk management developers. And 28% of the risk management leaders look more than five years into the future when setting their organization’s business strategy, compared with just 8% of risk management developers.
A long-term perspective is essential because many risks transcend the next 5-10 years – despite having only a marginal impact today.
Take climate change. Those in the energy and commodities sector may already be significantly impacted by climate change, but many organizations outside of these sectors have felt no or only minimal effects to date. So, although the proportion of boards that expect climate change to more than moderately impact their businesses in the next 12 months has increased from 26% to 33% in the past two years, they still only rank it as their ninth most important risk.
But this will almost certainly change, as the effects of climate change start to cause supply chain disruption, displaced consumers and overwhelming pressure from stakeholders to take action to combat the issue.
Even if boards do not believe that climate change will immediately or directly impact their organization, it deserves their focus because the number of values-driven consumers, who increasingly want to purchase from businesses that have a track record of addressing major societal problems – such as the climate emergency – is growing. These sentiments have only increased during the pandemic. Indeed, boards say that changing customer expectations is their third most important risk category. Two years ago, it ranked sixth.
“Consumer-facing businesses, in particular, are having to contend with risks associated with not acting sustainably,” says Susanne Given, Chairman at Made.com and Non-Executive Director at a number of organizations, including Morrisons. “Millennials and younger generations now account for about half of the customer base, and they definitely expect businesses to have a handle on this topic.”
2. Risk management priorities are aligned with business strategy
While the threats today are significant, the strategic opportunities are even greater. After all, where there is risk, there can often be reward. Illustrating this, boards say that technology disruption and changing customer expectations are not only major risks but are also the top two strategic opportunities for their organizations.
“The uncertainty of the future is very high compared with the recent past, which makes planning much harder,” says Alan Stewart, Audit Committee Chair at Diageo and former CFO of Tesco. “But, of course, inherent in that uncertainty is opportunity.”
Many organizations are investing heavily in technology to make internal processes more efficient and create new experiences for customers. But inherent in these digital transformations is a complex web of risk factors: data breaches can stem from third-party technology providers; artificial intelligence may contain bias; and greater use of online purchasing can heighten instances of fraud. Effective risk management is, therefore, essential to the design and application of transformation initiatives, taking into account the wide range of potential disruptors.
“Our bank has a specialist unit focused on what I call ‘change risk,’ which are risks associated with how the bank transforms,” explains Adnan Q. Khan, CRO and Director of Integrated Risk at Bank Danamon. “Banks have many legacy systems with some manual hand-overs and data quality issues that may create a huge number of risks when you implement new technologies. Risk teams need to focus on understanding and mitigating them.”
Technology aside, however, board members today believe that those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.
In addition, 55% of board members identified that risk management often struggles to keep pace with changes in business strategy. Further illustrating this, chief risk officers (CROs) rank technology disruption as the least important strategic opportunity for their organization – despite boards ranking it first. And CEOs whom we surveyed for our CEO Imperative study said that technology and digital disruption is the trend that is having the greatest impact on their company, followed by changing customer expectations.
This internal “misalignment” suggests that currently, the prioritization of risk looks different depending on the time horizon and remit of your role.
“Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”
3. Focus is sharpened on emerging, atypical risks and external risks
Sixty-four percent of boards say their organizations can effectively manage traditional risks, which include changes in regulation, drops in demand and increased borrowing costs. But only 39% say their organizations can effectively manage atypical and emerging risks, which might include threats associated with new technology or the impact of the climate emergency. In parallel, 61% of board members say their organizations can manage internal risks effectively, but only 47% say the same of external risks.
There is a clear distinction between the ability of the risk management leaders and the risk management developers to manage non-traditional risks: 71% of leaders are effective at managing atypical and emerging risks, compared with just 12% of developers. In addition, 82% of risk management leaders are effective at managing external risks, compared with just 20% of developers.
“It’s essential to devote enough time at board level to emerging risks,” says Michael Lynch-Bell, non-executive director at a number of organizations including Barloworld. “Our board monitors traditional risks every quarter, but in addition dedicates a large proportion of a strategy day every year to discussing emerging risks.”
Sector and regional focus: Risk priorities diverge
Board members’ prioritization of risks and the extent to which they want to improve risk management within their organizations vary depending on their sector and location.
Take risks associated with climate change and natural resource constraints. Boards across all sectors rank this as the ninth most significant risk to their organization in the next 12 months. But boards in the energy and resources sector rank it joint first, alongside changes in the regulatory environment.
Cyberattacks and data breaches rank as the fifth most important risk to boards across all sectors, but are ranked first by boards of financial services and technology, media and entertainment, and telecommunications (TMT) businesses.
Finally, geopolitical events are considered the sixth most important risk by boards across all sectors but are ranked as the top risk by those in the real estate, hospitality and construction sectors.
Fifty-two percent of boards of Asia-Pacific-headquartered organizations believe that business model disruption will more than moderately impact their business in the next 12 months, compared with just 32% of those located in EMEIA and 29% of those in the Americas.
And 43% of boards of Asia-Pacific organizations expect climate change and natural resource constraints to more than moderately impact their businesses, compared with only 34% of those in EMEIA and 22% in the Americas.
Interestingly, compared with their counterparts in other regions, boards of Asia-Pacific-based organizations generally expect to feel a greater impact from a variety of risk categories. This could reflect the fact that their businesses are more vulnerable to risks or alternatively that they are simply more aware of the potential threats.
Yet fewer Asia-Pacific boards see the importance of enhancing risk management: 66% say improved risk management will be critical to their organizations in protecting and building value in the next five years, compared with 82% of those in EMEIA and 87% of those in the Americas. This could either stem from the fact that boards in the Asia-Pacific region believe they are already well prepared, or because they underestimate the extent of the changing risk landscape.
What can boards do to drive effective risk management?
We now know how boards would like to see risk management improve, but what can they do to drive these outcomes? This is the focus of the EY Global Board Risk Survey’s associated three articles, which address the following areas:
- Rethink how the board operates
- Work with management to create a corporate culture that is inspired by purpose and aligned with strategy
- Ensure the organization adopts a data and technology-driven approach to risk management
We would like to leave you with this final thought: Board members need to be proactive participants in enhancing risk management. As the risk landscape around their organizations becomes more and more complex, board members need to ensure that their organizations are doing all they can to effectively identify, mitigate, manage and even predict new threats. That means getting proactive.