Board Risk Oversight in the Age of Disruption

In these disruptive times, how should boards discharge their duty of care and duty of oversight with respect to risk when the models to follow aren’t clear? Is the board’s risk oversight process fit for purpose in today’s dynamic environment?

Board engagement with risk and how it is managed has been a topic of interest for many years. While risk has always been present in every business, the velocity of disruption has increased in recent years. New technologies emerging at a rapid pace, geopolitical shifts, regional conflicts, catastrophic events, economic uncertainty and, of course, the recent pandemic and its pervasive impact on demand, supply chains, the workplace and mental health, have combined to create a new norm.

Bottom line: The check-the-box approach of providing risk lists to boards along with summaries of who is responsible for managing the risks and what they do seems sorely wanting in today’s dynamic environment.

A recent National Association of Corporate Directors (NACD) webinar hosted by Protiviti with James Lam, a noted author, board member and keynote speaker in the risk management space, offered a discussion of the board’s and the executive team’s related risk oversight roles in today’s interesting times. With enterprise risk management (ERM) evolving over the years and today’s risk environment portending significant change to come, proficiency at playing the game of resilience is essential.

The webinar focused on the following seven questions:

How do the board’s fiduciary duties impact its risk oversight? Despite the unstructured nature of the risk oversight discussion in these dynamic times, the fiduciary duties of the board remain constant. Directors’ duty of care and duty of loyalty, as well as the business judgment rule, have provided a long-standing framework for how boards engage management on important matters. More recently, case law has provided more specificity regarding the board’s fiduciary duties with respect to risk and compliance oversight. The webinar provided examples of these points.

How does the board organise itself for risk oversight? Risk oversight is not just a committee responsibility but a full board responsibility. The webinar covered several points to keep in mind.

How are strategy and risk integrated? There was a discussion of five key points to integrate risk with strategy.

How can the board’s risk oversight be better informed through scenario analysis? There was a discussion on deploying scenario analysis to better inform the C-suite and the board on potentially disruptive risks. Scenario analysis is a versatile tool. For example, the webinar attendees noted that scenario analysis is best applied to explore alternative futures and the impact of alternative strategies (48%), identify soft spots and opportunities in business plans (43%) and identify early warning indicators (40%). In disruptive times, organisations using it become savvier about the disruptive risks they face.

The attendees also commented on how their organisations applied scenario analysis: 29% focus on plausible scenarios and 29% on extreme, worst-case scenarios. Just over one in five report that their companies do not do scenario analysis at all, with the balance focusing primarily on cyber threats. Unfortunately, there are many high-impact, low-likelihood risks — the so-called “known unknowns” or “gray rhinos.” These are the known risk events that loom on the horizon, and it is just a matter of time before they manifest themselves — a matter of “when,” not “if.” Scenario analysis should be applied to these risks to fully understand their impact and the variables driving them.

What’s the point? Effective scenario analysis provides significant input into response planning and the formulation of early-warning systems and action triggers and decisions. It points to the information decision-makers can use to better manage the business and keep the strategy on track as the market evolves.

Can our company pivot when facing disruptive events? Disruption presents an opportunity to take a business to another level if management is sufficiently anticipatory and acts before the wave of disruption crests. This means acting on market opportunities and emerging risks before they become common knowledge. Conversely, it can be a sign of the beginning of the end if a company is caught in a reactive mode. It all depends on which side of the change curve management and the board find themselves. This is where scenario analysis plays an important role.

When integrating strategy and risk and applying scenario analysis to recognise market shifts affecting the validity of an enterprise’s critical strategic assumptions, the ultimate question is this: Can the company make conscious decisions on whether to act on its knowledge promptly? Why did some banks choose to avoid or exit the subprime market that precipitated the financial crisis while other banks partied on? The stakes of being an “early mover” when the fundamentals are changing can be as high as preserving the company’s right to play. The discussion outlined attributes of an early mover.

How do we deploy data, information and insights to become more anticipatory? An organisation becomes more anticipatory and less reactive as it establishes KPIs based on expected performance; identifies risks that drive variability in performance through risk assessments; establishes KRIs, risk appetite and key controls for the critical risks; and provides integrated reporting and management strategies. These capabilities generate the data, information and insights essential to thriving in the age of disruption. Organisations with these capabilities start asking different questions, such as: Are we riskier today than we were yesterday? Are we entering a riskier time, and why? These questions are more fitting in the age of disruption, and they underpin what defines an early mover.



How does the board know if ERM is working? This question speaks to the board’s fiduciary responsibilities, as discussed earlier (e.g., are the appropriate systems in place, and are they operating effectively?). Progress toward integrating strategy and risk while increasing the value contributed through the board’s dashboard reports also provides insights. While the ideal set of metrics depends on the scope of the business, an illustrative scorecard of board-level metrics should address enterprise, financial, strategic, operational and reputational risks.

A strong customer focus, staying in touch with market realities, embracing the tailwind of external trends, emphasising high-velocity quality decision making and inculcating an innovative culture that functions at market speed help companies stay ahead of the change curve. While the responses to the seven questions above do not provide all of the answers, they nonetheless provide takeaways for directors to consider in their efforts to sustain the business in the age of disruption.


(Board Perspectives — Issue 169)
