10 Ways Corporate Boards Need to Approach Risk in 2021
WomenCorporateDirectors Explores Important Changes Required to Meet Increasingly Complex Risk Climate
NEW YORK, NY – January 5, 2021 – As the pandemic crisis and
lingering economic and political volatility increasingly threaten businesses and
recovery globally, WomenCorporateDirectors
Foundation (WCD) is
seeing many companies consider establishing a stand-alone board Risk
committee.
This is just one way
the best-prepared boards are arming themselves in the current climate and as
they look ahead toward 2021, says Susan
C. Keating, CEO of WCD.
“2020 has forced companies to look at risk
in a completely new way,” Keating says. “2021 will be a time for boards to
really integrate risk and strategy on a long-term basis.”
“While risk oversight is the role of the full
board, many companies are now opting to form dedicated committees to drill down
on new risks and make recommendations to the full board on ways to approach a
mitigation strategy,” says Keating. “Risk has become an integral part of
strategy development, as companies have seen what happens when threats come to light.”
WCD recently teamed with risk advisors, C-level
executives, and board members to offer two programs on risk as part of its virtual
WCDirect program series – the first being so popular that members demanded a
second.
Catherine Allen, founder and chairman of The Santa Fe Group and a WCD member, led the panel discussions on board Risk committees
and best practices in approaching risk. Additional panelists included:
· Christopher Burt: Co-Founder and Director of the UK Risk Coalition; Principal, Halex Consulting; Director, Risk Coalition Research Company
· Jackie Daylor: KPMG Audit Partner who formerly served as National Managing Partner – Audit Quality and Professional Practice
· Agnes Bundy Scanlan, Esq., CIPP: President, The Cambridge Group LLC; Director, Truist Financial Corporation, NewTower Trust Company, and AppFolio, Inc.; Member, WCD Boston
In their deep dive with the hundreds of WCD
member directors who attended each of the programs, key lessons and best
practices emerged about how boards should approach risk today:
10 Ways Corporate Boards Need to Approach Risk in 2021
1. Create a Risk committee separate from the
board Audit committee.
“While expert with financials and investments, Audit committee members often do
not have the deep operational expertise required to evaluate risk in a broader
sense,” said Catherine Allen. “A Risk committee needs members with experience
in areas such as cybersecurity, IT, compliance, third-party risk management, privacy,
and reputational risk.” With this knowledge and expertise, the Risk committee
can understand the significance of risk profiles for each business and
establish metrics.
2. Don’t spend too much time on risks you
already know. Boards tend to focus too much on known risks that already
have mitigations in place. “The real value is focusing on new and emerging
risks where you may need to develop a solution or process to reduce or control
a potential threat,” said Chris Burt. “An important quality to look for in a
board Risk committee member or a Chief Risk Officer is imagination.”
3. Keep an eye on what can go very wrong,
very quickly. The
liquidity crisis stemming from the COVID-19 shutdown put many companies in a
dangerous financial position virtually overnight. Many of these businesses had
seen a liquidity crunch just twelve years earlier during the 2008 financial
crisis. These kinds of existential threats are where Risk committees must not
get complacent, said Burt. “Pay attention to risks that are currently under
control but have the potential to go very wrong, very quickly, when cascading
consequences emerge from new risks.”
4. Reputational risk can stem from multiple
other risks. “A Risk
committee often has to handle reputational repercussions that happen as a
result of other matters under their oversight going awry,” said Agnes Bundy Scanlan.
“Everything from regulatory issues, to an ESG failure, to a customer data
breach can carry significant reputational consequences, which require a level
of risk management beyond the initial incident.”
5. Risk management doesn’t mean being
afraid to pull the trigger. There
can be a tendency when making strategic decisions, especially with certain boards
in financial services, to keep asking for more and more data and not move
forward. “Don’t paralyze the organization by always asking for more data and
refusing to act,” said Burt. “At some point, you have to make a decision.”
6. Leverage a strong risk culture. “The institutions that have come into
the events of 2020 – the pandemic, the economic collapse, the social unrest –
with a strong culture are managing better,” said Bundy Scanlan. “Organizations that
have addressed risk in the past, in a strategic way, have been able to tap into
this culture and adapt. These companies are better at working remotely – they aren’t
as disrupted by these kinds of changes that drag down the performance of those
who can’t adapt.”
7. Make sure performance isn’t being driven
by bad culture. “What
are the cultural elements – the tone at the top, the incentives, the pressures
– that could create risk in an organization?” asked Jackie Daylor. “It’s
important to look at the behaviors that are driving results and the culture
that’s developing around the bottom line.”
8. Don’t devote all attention to today’s
headline crisis. “Risk
committees tend to focus on the current threat in the news, whether it’s a
cyberattack or COVID,” said Burt. “They always need to look at the risks as a
whole – the ongoing threats that are always there – and not ignore any of
them.”
9. Keep strategic objectives top of mind. “Risk management isn’t just about
preventing bad things from happening, it’s also about analyzing opportunities
to help good things happen,” said Burt. Risk committees should be involved
closely in strategic decisions, and Burt even predicted that one day these
committees will be renamed “Strategy and Risk” committees.
10. Plan for risk management and review the
strategy frequently. “Strategy
and risk are intertwined,” said Daylor. “It’s essential to have a strategic
approach to risk management. Companies need organizational resilience to
withstand black swan events, such as the current pandemic, so that their people
and processes are prepared to respond in the right way.”
“Diversity plays
a huge part in reducing management’s blind spots when it comes to risk,” says Daylor.
“A diversity of experience and social diversity help with problem solving,
whether it’s COVID-related health and safety concerns, managing remote
workforces or the acceleration of digital transformation that comes along with
a remote workforce.”
The value of
diversity is especially critical as risks grow in complexity, argues Susan
Keating. “On your Risk committee and for your board as a whole,” she says, “you
want to make sure the diversity of the team is broad enough to address the wide
spectrum of risks that are multiplying quickly each day.”
For more information, please contact
Suzanne Oaks Brownstein or Trang Mar of Temin and Company at [email protected] or 212.588.8788.
About WomenCorporateDirectors Education and Development Foundation, Inc.
The
WomenCorporateDirectors Education and Development Foundation, Inc. (WCD) is the
only global membership organization and community of women corporate directors.
WCD members serve on numerous boards of large private and family-run companies
globally. A 501(c)(3) not-for-profit organization, WCD has 76 chapters around
the world. The aggregate market capitalization of public companies on whose
boards WCD members serve is over $8 trillion. For more information visit www.womencorporatedirectors.org or follow us on Twitter @WomenCorpDirs, #WCDboards, #WCDGlobal2020.
About KPMG, WCD’s Global Lead Sponsor
KPMG LLP is the
U.S. firm of the KPMG global organization of independent professional services
firms providing Audit, Tax and Advisory services. The KPMG global organization
operates in 147 countries and territories and has more than 219,000 people
working in member firms around the world. Each KPMG firm is a legally distinct
and separate entity and describes itself as such. KPMG International Limited is
a private English company limited by guarantee. KPMG International Limited and
its related entities do not provide services to clients.
About The Santa Fe Group
The Santa Fe
Group’s risk management experts work collaboratively with organizations
worldwide to identify meaningful trends, risks, and vulnerabilities, and to
advise, educate, and empower organizations in the areas of cybersecurity, third
party risk, privacy and enterprise risk management programs. The Santa Fe Group
is the managing agent of the membership-based Shared Assessments Program, which
guides many of the world’s leading organizations with the best practices to
manage and protect against third party IT security risks. www.sharedassessments.org.
# # #