12 minute read 14 Oct 2020
man mountain biking with a friend in the Alps, Gastein, Salzburg, Austria

Four ways boards can oversee risk management beyond COVID-19

By Sharon Sutherland

EY Global Center for Board Matters Leader and Asia-Pacific Networks Leader

Global mindset. Power through diversity. Art lover. Intellectually curious. Traveler. Legacy matters. Passionate about learning initiatives.

12 minute read 14 Oct 2020

Leading directors offer their insights into why COVID-19 requires a new attitude toward board risk oversight. 

In brief
  • Boards now recognize that sustaining a business for the long term requires focusing on a broad set of stakeholders, with a distinct purpose in mind. 
  • Only by fully understanding major societal, technological and geopolitical changes can boards conduct the future-back planning necessary to mitigate risk. 
  • It is vital for the board to hold management to account on business continuity plans and concentration risk.

A critical function of boards has always been to understand and mitigate business risk – but the pandemic has brought that responsibility into sharp focus. Its unprecedented impact has highlighted the interconnectedness of risks and the velocity at which the risk landscape can change. In this environment, how can boards be sure that risks are managed effectively across the organization? And more fundamentally, how can they prioritize risks when the economic, societal and technological landscape remains so dynamic?

The EY Global Center for Board Matters interviewed seven leading board directors across the globe to understand if and how their attitudes to risk management have changed in light of the pandemic. Four insights emerged into how boards can change their approach to risk management to reframe the future of their organizations:

  1. Protect more than shareholder value 
  2. Enter listening and learning mode
  3. Make risk a mandatory agenda item at every board meeting
  4. Search for hidden concentration risk
Country road-through lavender fields in provence france
(Chapter breaker)

Chapter 1

Protect more than shareholder value

Focusing on a broad set of stakeholders is critical for sustaining businesses for the long term.

Risk has always been tricky. Understanding new and emerging risks to business during a pandemic that impacted the lives of so many globally has added a new layer of complexity. Transitioning entire workforces to remote working, building resilience and business continuity while transforming business models, and solving societal challenges – all pressing matters unearthed by the COVID-19 pandemic – raised the question:

Q: “Have businesses’ responsibilities to society changed – and, what do you see as the role of the board in response to this?”

Robin Stalker, supervisory board member and member of risk and audit committees, including for Commerzbank -

“Boards need to be much more aware of the responsibility we have to society. And if we don't do that practically, society will force us. For example, since the pandemic there’s been an increased recognition of the responsibility that businesses have for not only their direct employees but also those in the supply chain. So, there will be heightened focus on wages and working conditions across businesses’ entire supply chains. Boards can ensure management takes this into account by, for example, making executive bonuses contingent on looking after their global workforce, reducing carbon emissions, or other factors that address society’s challenges and ensure the long-term sustainability of the business.”

Jillian Broadbent, non-executive director of Woolworths Limited and Macquarie Group Limited -

“COVID-19 has made boards recognize what I call true value and the importance of social responsibility. I am the chair of a large supermarket and because everyone had to be fed, they really tried to assist people in meeting their basic needs, while protecting employees at the height of COVID-19. The general public’s understanding of the essential role that companies can and should play in supporting the social structure has increased.”

Francis Small, non-executive director, including for the British Business Bank - 

“Now is a great time for businesses to revisit their purpose. In particular, the importance of looking after employees has risen, as they’ve been hugely affected by COVID-19. Part of this is about basic health and safety, but looking after employees goes much further. It’s about creating a great employee proposition, such as allowing them to work from home for longer periods in the long-term and providing them with adequate training and counseling.”   

Alfonso Gonzalez Migoya, board member, including for Volaris - 

“COVID-19 has made boards realize that they need to do more to look after their employees’ health; and not just their physical health, but their mental health too. This means taking measures to reduce stress and improving peoples’ work-life balance. Employees that are happier in their work more effectively contribute to enriching the business as a whole.” 

Key takeaways

The days are gone of boards thinking about risk purely in relation to shareholder value. Directors today must consider their role in mitigating risks to a broad set of stakeholders, including employees, customers, suppliers and wider society, with a distinct purpose in mind. This is vital because societies demand greater responsibility from the organizations they work for, buy from and invest in. We call this long-term value creation.

Encouragingly, the insights from board directors indicate purpose is now firmly on the boardroom agenda, with COVID-19 bringing into sharp focus the interdependencies between business and society. Any boards previously not paying attention to long-term value must now put it front and center of their discussions, or risk capital and talent shifting towards businesses that do. 

With management likely focused on recovery and survival in these uncertain times, boards have a vital role to play in instigating conversations about long-term value. They should start by working with management to define a purpose that underpins the business. Then they need to establish ways to measure long-term value creation. This, as Robin Stalker mentioned, may include rethinking management KPIs.

person walking across the flooded Bonneville salt flats, Utah, USA
(Chapter breaker)

Chapter 2

Enter listening and learning mode

Staying on top of megatrends can provide a better view of the shifting risk environment.

Before COVID-19, our Global Board Risk Survey revealed businesses were not only failing to pay enough attention to emerging and existential threats, but were not equipped to adequately understand, detect and mitigate certain types of risk. Just 40% of boards said enterprise risk management was effective in managing atypical and emerging risks before COVID-19. And only 21% of boards said their organization was very prepared to respond to an adverse risk event from a planning, communications, recovery, and resilience standpoint. 

Global Board Risk Survey


of boards, before the COVID-19 pandemic, believed enterprise risk management was effective in managing atypical and emerging risks.

The pandemic has made the risk landscape much more volatile. Risks that have long been on the agenda have transformed and intensified, and new risks have emerged that, combined with other threats, can have unforeseen consequences. 

With the external risk landscape changing so rapidly, how can boards stay ahead of new and emerging trends, and how they present risks and opportunities to their organizations?

Q: “How can boards best prepare for the rapidly changing external risk landscape?” 

Diane Smith-Gander, board director, including for AGL Energy and Wesfarmers -

“I don’t want anyone to come and talk to me about risk. That's like having someone come and teach you about finance or IT. Instead I want people to come and talk to me about the business environment, megatrends and about my company's capability. COVID-19 has accelerated and deepened many trends that were already there, so boards have to be really good at learning from outside the business.”

Alfonso Gonzalez Migoya - 

“Boards need to be more aware of the societal and technological changes that are taking place. They should listen more to what a diverse range of experts, including academics, government officials and consultants say about major trends. They can’t just workshop these issues themselves. They should follow the three L’s of listening, learning and then leading management.” 

Francis Small - 

“A two- or three-hour generic board training session on AI, climate change or another topic tends to be ineffective. You might obtain lots of facts and knowledge about the issue at a macro level, but what’s more important, yet never available, is understanding from experts what this actually means at a practical level for your company. You really need insight that is going to help inform decision-making.” 

Jillian Broadbent -

“Everything is changing more quickly today, so you have to be far more alert and open minded to how you keep on top and stay ahead, rather than assuming your current strong position is secure.”

Key takeaways

The message is clear: boards must enter listening-and-learning mode to stay on top of the volatile risk environment. It’s imperative to understand how current external developments are changing the risks their businesses face, and the potential impact of longer-term trends. Only by fully understanding the major societal, technological and geopolitical changes can boards conduct the future-back planning necessary to mitigate risk. 

EY Megatrends

EY Megatrends offers c-suite and board directors a framework for adapting their strategy in response to disruptive changes.

Find out more

COVID-19 has accelerated key megatrends that were in motion before the pandemic struck. As Francis Small points out, now more than ever, it’s imperative for boards to stay up-to-date with changes that may create risks and opportunities by engaging with external experts. Of course, understanding megatrends doesn’t just help boards to oversee risk but also to spot opportunities to seize a competitive advantage.

Jumping from rock by Emerald Pool above Vernal Falls, Yosemite
(Chapter breaker)

Chapter 3

Make risk a mandatory agenda item at every board meeting

It is important to get comfortable with discussing risk more frequently.

Considering that there are only 24 hours in a day, and that the risk landscape is becoming ever more volatile, we asked: 

Q: “How much more time do boards need to devote to risk?” 

Andrew Tivey, non-executive director and audit, risk and compliance committee chair for the UK National Crime Agency -

“It’s become more important for board directors on risk committees to spend the time to build up an understanding of operational risks from the bottom up so that they can have informed conversations with the wider board about how they impact on delivery of strategy. If you don’t spend enough time doing this then corporate risk registers become too top-level and generic. You need to carve out enough time to do some really deep dives into particular risk areas.” 

Dona Young, chair, risk committee, supervisory board of Aegon NV; lead independent director at Foot Locker -

“Risk has to be a continuous discussion in the boardroom. In the past, boards made a strategy document, and a three- to five-year plan, then put it on the shelf. But today's high-performing boards have strategic conversations at every board meeting because the pace of disruption necessitates it. The same needs to happen with risk, because risks have to align to and support strategy. You can’t discuss strategy without discussing risk.” 

Francis Small -

“There was a massive spike in the time boards spent with their companies during the first lockdown and this has subsided. But in the long-term boards will need to keep closer to their companies than they did pre-COVID-19 to ensure it responds swiftly and effectively to the rapidly changing landscape. There are some huge issues such as climate change, inclusivity and inequality that boards need to spend lots of time on.” 

Jillian Broadbent -

“Boards will increasingly need to be there for their companies when they face change and challenge. If decisions need to be made that are very significant to the core of the company, then board directors need to drop everything to make themselves available. You could say this has always been the case but the need for these types of discussions will likely increase.”

Diane Smith-Gander -

“Boards’ tolerance of slipping deliverables on business continuity planning and disaster recovery has gone to zero and will stay at zero. People have learned a lot about what good risk mitigation and scenario planning looks like and those that had good business continuity plans were able to react quicker and more effectively.”  

Key takeaways

We know board directors are already stretched for time, so how do they decide exactly where they should focus their efforts? The answer may lie in enhanced engagement and communication with management. As Andrew Tivey mentioned, board directors that sit on risk and compliance committees must spend adequate time working with management to understand where risk may materialize within the business.

They should also use these meetings to scrutinize management on the effectiveness of risk basics, such as the adequacy of business continuity plans. In the past, boards may have only discussed business continuity plans in passing. But recent events – and the potential for further crises – mean boards must ensure that management has these basics in place, but more importantly has a plan to test and review on a regular basis.

And, as Dona Young rightly says, risk should form part of every strategy discussion – so the full board will need to ensure risk identification and management aligns to and supports this objective. 

Man overlooks Joshua Tree boulders during sunset
(Chapter breaker)

Chapter 4

Risk factors at play – velocity and concentration of risk

Clarity around the shifting nature of risk is imperative for business continuity.

The COVID-19 crisis has highlighted that risks are interconnected, can appear out of nowhere, and can materialize at speed. So, we asked directors:

Q: “Which areas of risk require deeper focus at board level, and what’s the best way to do this?” 

Dona Young -

“Boards and company leadership have to increasingly focus on what I describe as concentration risk, which could be customer or vendor dependency, concentration in one geographic market, or reliance on a particular business unit to drive profitability and growth. Because what happens if that one piece of the jigsaw shuts down?” 

Robin Stalker -

“COVID-19 has raised awareness of the risks of globalization and in particular globalized supply chains. There will need to be increased stress testing of how government friction and protectionism impacts supply chains, especially given that lots of companies have single sources of supply and just-in-time delivery models. Boards will need to hold management to account on whether their supply chains are resilient and whether initiatives such as dual sourcing and nearshoring are necessary.”

Diane Smith-Gander -

“A lot of people understand the networking effect of risks. But the next question is around the velocity of change of the risk. Few people had a pandemic on their risk matrix because it was such a low probability. Understanding both the network and velocity effect of risks can highlight potential disruptions to supply chain, lack of access to key people within the company, all the way through to a potential economic downturn. Understanding the variation and range of individual board member’s perspectives on risks to come to a more considered consensus will be very important.”

Key takeaways

The businesses weathering COVID-19 most effectively are not exposed to concentration risk. They are not reliant on a single-source supplier, nor do they depend on a single customer, product or business unit to drive profitability and growth.  

Take the example of supply chains. Before COVID-19, boards only considered supply chain disruption their 10th most significant business risk. Today, they have been forced to acknowledge supply chain disruption as a major threat and, as such, work with management to remediate any risks created by overreliance on certain suppliers. 

It’s not just the re-emergence of COVID-19 or another pandemic that has the potential to stretch supply chains. Geopolitical tension, climate change and international conflicts can all cause severe interruption. It’s critical for the board to hold management to account on how concentration risk is being managed, both within supply chains and across the entire business.   

Directors must respond to the profound impact of COVID-19 on the business risk landscape.  As a starting point, they must rethink for whom they are mitigating risks. Historically, boards focused on risks to shareholder value. Today, they must focus on risks to a broader set of stakeholders. With risks changing and emerging at speed, it’s also imperative to spend enough time on understanding exactly how the risk landscape is changing. And this can only be done if board directors devote enough time to risk. By doing this, board directors can help their businesses reframe their future and emerge from the crisis more resilient and stronger. 

  • Key questions for boards to consider

    • Has the board defined a business purpose that maximizes value for a broad range of stakeholders? If no, what are its’ plans to address? 
    • Is the board getting the insights it needs from external experts to understand how global megatrends create business risks and opportunities? If yes, how are these insights used in the re-evaluation and management execution of the organization’s strategy? 
    • Are board directors–including those on and outside of risk committees–devoting enough time to risk? If yes, how do you ensure that this practice continues in a COVID normal world? 
    • Has the board tasked management to prioritize the identification and mitigation of concentration risks? 
  • Acknowledgments

    EY would like to give a personal thanks to Jillian Broadbent, Alfonso Gonzalez Migoya, Francis Small, Diane Smith-Gander, Robin Stalker, Andrew Tivey and Dona Young for their time and insights shared for this article.  


There is an increased interconnectedness of risks and fluctuating risk landscape in today’s environment. This requires significant shifts in the board’s approach to enterprise risk management to help their organizations reframe their future for the long-term.

About this article

By Sharon Sutherland

EY Global Center for Board Matters Leader and Asia-Pacific Networks Leader

Global mindset. Power through diversity. Art lover. Intellectually curious. Traveler. Legacy matters. Passionate about learning initiatives.