Board members at large corporations across the world are still failing to focus on emerging and atypical risks, choosing to focus on immediate threats, as this new report from EY indicates.
EY has released the results of its annual survey of more than 500 global board members which found they acknowledged that their organizations and boards themselves need to evolve to keep pace with disruption and maintain their strategic advantage.
“Enhanced risk management has become a top priority for boards: 79% believe that improved risk management will be critical in enabling their organizations to protect and build value in the next five years,” says EY. “CEOs share this view. When asked which areas of the enterprise they expect will change most in the next three years, they ranked risk management first.”
The report says the pandemic had focused minds. “COVID-19 is not only a major risk event in itself – it is also an accelerator of risks that were already omnipresent: cybersecurity attacks, supply chain disruption, geopolitical tension and other external threats,” it adds.
Of those who took part in the survey 83% of said they believed market disruptions have become increasingly impactful and 87% believe they have become increasingly frequent:
“But despite the criticality of risk management, many board members lack confidence in their organization’s capabilities. For example, just 18% believe that their organization’s disaster response and contingency planning is highly effective, and only 13% believe that their organization is highly effective at embedding risk and compliance activities.”
Room for improvement
According to EY, the statistics suggest that there is significant room for improvement. “But what exactly does ‘highly effective’ risk management look like?”
To answer the question, the survey results were analysed to classify respondents into three groups based on their self-assessment of risk management effectiveness:
- Risk management leaders: Accounting for 16% of the sample, these organizations have highly effective risk management. They have a sound understanding of the interconnected nature of different risks, have defined their risk appetite, and consistently refer to that appetite when evaluating risks and opportunities.
- Risk management improvers: Accounting for 60% of the sample, these organizations have moderately effective risk management. Although they align risk strategy and business strategy, they are much less effective than the leaders at implementing an integrated risk governance model and defining their risk appetite.
- Risk management developers: Accounting for 24% of the sample, these organizations are the least effective risk managers. They are moderately effective at disaster response and contingency planning, but do not leverage data and technology for risk management activities or upskill the risk function as much as they should.
EY says the risk management leaders were defined by their approach to the issue.
For those deemed as leaders, risk, with few exceptions, is viewed through a long-term horizon, and risk management priorities are aligned with business strategy. There was also a clear focus on emerging risks, atypical risks, and external risks.
Longer time horizon
“Increasingly, it is critical to consider a longer time horizon when assessing strategy and risk – ideally more than five years,” said the report. “Some 43% of the risk management leaders, for example, look more than five years into the future when scenario planning, compared with just 22% of the risk management developers. And 28% of the risk management leaders look more than five years into the future when setting their organization’s business strategy, compared with just 8% of risk management developers.”
A long-term perspective is essential because many risks transcend the next 5-10 years – despite having only a marginal impact today, according to the report:
“Take climate change. Those in the energy and commodities sector may already be significantly impacted by climate change, but many organisations outside of these sectors have felt no or only minimal effects to date. So, although the proportion of boards that expect climate change to more than moderately impact their businesses in the next 12 months has increased from 26% to 33% in the past two years, they still only rank it as their ninth most important risk.
“But this will almost certainly change, as the effects of climate change start to cause supply chain disruption, displaced consumers and overwhelming pressure from stakeholders to take action to combat the issue.”
It adds that even if boards do not believe that climate change will immediately or directly impact their organisation, it deserves their focus because the number of values-driven consumers, who increasingly want to purchase from businesses that have a track record of addressing major societal problems – such as the climate emergency – is growing.
“These sentiments have only increased during the pandemic. Indeed, boards say that changing customer expectations is their third most important risk category. Two years ago, it ranked sixth.”
“Consumer-facing businesses in particular are having to contend with risks associated with not acting sustainably,” says Susanne Given, chairman at Made.com and non-executive director at a number of organisations, including Morrisons. “Millennials and younger generations now account for about half of the customer base, and they definitely expect businesses to have a handle on this topic.”
Risk and reward
EY’s report explains that while the threats today are significant, the strategic opportunities are even greater. “After all, where there is risk, there can often be reward. Illustrating this, boards say that technology disruption and changing customer expectations are not only major risks but are also the top two strategic opportunities for their organisations.”
“The uncertainty of the future is very high compared with the recent past, which makes planning much harder,” says Alan Stewart, Audit Committee Chair at Diageo and former CFO of Tesco. “But, of course, inherent in that uncertainty is opportunity.”
The survey found many organisations are investing heavily in technology to make internal processes more efficient and create new experiences for customers. But inherent in these digital transformations is a complex web of risk factors: data breaches can stem from third-party technology providers; artificial intelligence may contain bias; and greater use of online purchasing can heighten instances of fraud. Effective risk management is, therefore, essential to the design and application of transformation initiatives, taking into account the wide range of potential disruptors.
“Our bank has a specialist unit focused on what I call ‘change risk,’ which are risks associated with how the bank transforms,” explains Adnan Q. Khan, CRO and Director of Integrated Risk at Bank Danamon. “Banks have many legacy systems with some manual hand-overs and data quality issues that may create a huge number of risks when you implement new technologies. Risk teams need to focus on understanding and mitigating them.”
The survey found 55% of board members identified that risk management often struggles to keep pace with changes in business strategy. Further illustrating this, Chief Risk Officers (CROs) rank technology disruption as the least important strategic opportunity for their organization – despite boards ranking it first.
“Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”
Sixty-four percent of boards said their organisations could effectively manage traditional risks, which include changes in regulation, drops in demand and increased borrowing costs. But only 39% say their organisations can effectively manage atypical and emerging risks, which might include threats associated with new technology or the impact of the climate emergency. In parallel, 61% of board members said their organisations could manage internal risks effectively, but only 47% said the same of external risks.
“There is a clear distinction between the ability of the risk management leaders and the risk management developers to manage non-traditional risks: 71% of leaders are effective at managing atypical and emerging risks, compared with just 12% of developers,” added EY. “In addition, 82% of risk management leaders are effective at managing external risks, compared with just 20% of developers.”
Follow us on twitter: @RisksEmerging