5 minute read 23 Apr 2020
Boardwalk stretches off through the long grass

COVID-19: Five ways boards can help businesses improve their resilience

By

Sharon Sutherland

EY Global Center for Board Matters Leader and Area Program Management Leader

Global mindset. Power through diversity. Art lover. Intellectually curious. Traveler. Legacy matters. Passionate about learning initiatives.

5 minute read 23 Apr 2020

Show resources

Boards must consider how they build improved business risk resilience in the evolving risk environment.

According to the EY global board risk survey of 500 board directors and CEOs conducted in late 2019, just 40% said their enterprise risk management (ERM) was effective in managing atypical and emerging risks. This is a stark acknowledgement that pre-COVID-19, boards recognized that ERM at their businesses was not sufficiently geared up to identify and mitigate new threats.

COVID-19 now stretches risk functions’ capabilities even further. The pandemic is not only a major threat in itself, but a force that will reshape and exacerbate new and adjacent risks that organizations struggled to contain even before the outbreak.

Take data privacy. In the EY survey pre-pandemic, boards ranked cyber attacks and data breaches as their second most important business risk. Yet in the space of just a few weeks, where the majority of non-essential workers globally have been working from home, the spike in use of remote access and collaboration tools has made cyber resilience even more difficult to achieve. Similarly, workforces, culture and supply chains to name but a few have also been seriously tested by COVID-19.

As such, we recommend all leaders view their organization’s strategy and actions with three horizons in mind: now, next, and beyond. As we navigate the post COVID-19 landscape, boards should start considering the “next” horizon: how they build improved resilience in the evolving new risk environment.

1. Re-examine board governance and composition

Before the outbreak of COVID-19, just 21% of boards were “very satisfied” with their effectiveness in overseeing changes to the risk landscape and adjusting their organization’s risk appetite accordingly. With the board’s role in overseeing risk management now of heightened importance, they must urgently improve their effectiveness.

From enhancing risk reporting to leveraging external consultants, boards can improve their understanding of the changing risk landscape, and their ability to oversee how their businesses are responding to it. But more fundamentally, they must ensure sufficient time at board meetings is dedicated to discussing emerging and existential risks.

Although seemingly simple, this is often overlooked. The pre-COVID-19 EY survey, found the number one request for enhancing oversight was simply more time to discuss emerging and existential risks, followed closely by setting aside time to discuss scenarios that could threaten the organization’s business model.

How can boards ensure sufficient time is dedicated to emerging and existential risk? Evaluating committee structure is a good starting point. Depending on industry sector, many boards today task the audit committee with overseeing risk. Yet audit committee meeting agendas are already full. One solution is for boards to consider whether a new risk committee (or ad hoc committee) should be given responsibility for risk oversight. Alternatively, these duties could be split, with the full board taking responsibility for strategic risks and the audit committee overseeing the management of financial and compliance risks.

That said, even if boards devote adequate time to discussing new risks, they won’t be able to effectively define, assess and oversee how they are managed without the right cohort of competencies and skills. With issues such as supply chain resiliency, workforce management and business restructuring in mind, boards should review their current composition and understand what new skills will be required.

This goes beyond a simple skill gap assessment and transcends into ensuring that strong diversity of background, opinion, gender and other factors are also taken into consideration.

2. Seek out new types of reporting

Before this pandemic, only 19% of boards were “very satisfied” with the accuracy, completeness and breadth of reports received. And 33% did not receive reports on some risks they considered “significant.”

In times of heightened uncertainty, it is vital boards receive insightful reporting at speed. The difficulty is boards – and CEOs, for that matter – may not fully know the scope, scale and availability of information required to provide insight into a risk they have likely never encountered before. As the COVID-19 outbreak continues, it will be imperative, at a minimum, to monitor case numbers and government measures to tackle its spread in regions where the business, its supply chain, and customer groups are located.

In times of heightened uncertainty, it is vital boards receive insightful reporting at speed.

COVID-19 aside, and as evidenced by the EY survey results, boards must work with management to consider new reporting metric needs in relation to talent, culture, climate change, supply chain, cyberattacks and data breaches, in addition to strengthening their financial reporting around adequate liquidity measures.

This will require sourcing data and insights from parts of the organization that do not traditionally report to the board. For example, the chief human resources officer or its equivalent may need to be called on to report on how COVID-19 has affected company culture, and in turn what measures are in place to effectively address.

To supplement this, boards should ensure more external data is included in the reporting they receive to gain a wider perspective on new and emerging threats and traditional risks. As a starting point, boards should ensure that risk reporting covers how customer preferences, expectations and behaviors might change as a result of COVID-19. Failure to understand this, and more importantly quickly address changing preferences in products and services, will leave their businesses vulnerable to a loss of market share post COVID-19.

3. Build resilience through technology

CEOs say a lack of effective technology is a significant obstacle to managing existential threats. There’s a huge opportunity for risk teams to use technology such as automation and artificial intelligence (AI) to improve the identification, response and management of new and external threats.

For example, technologies are already used by some businesses to trawl IT networks to identify abnormal behavior indicating potential cyber breaches. AI-powered tools can detect patterns of behavior indicating potential fraud or compliance breaches. Boards should challenge whether risk teams effectively use AI in a similar way to draw real-time insights from data that can aid crisis-response decision-making.

In parallel, use of workflow automation technology could streamline manual risk-management tasks such as data collection and processing, thus allowing risk professionals to spend more time on analysis and impact assessments to counter new risks.

4. Hone the skills required to mitigate new risks

Both boards and CEOs state that a lack of talent and appropriate skills are the top organizational obstacles to managing strategic and existential threats. The board and C-suite must now, more than ever, ensure they develop their workforce and pipeline within the risk function, capable of adapting to a post COVID-19 risk world.

This will demand capabilities that are very different from those required to combat traditional threats. For example, a deep understanding may be needed of epidemiology, sophisticated digital technology, geopolitics, talent issues, data and cybersecurity.

In parallel, risk functions will increasingly need the skills required to get the most out of new automation and analytics technologies that will increasingly be deployed within their function.

5. Clarify the risk operating model

CEOs rank an ineffective or poorly defined risk operating model as a major organizational obstacle to managing external risks. Boards and the C-suite must now frequently review whether the risk operating model is fit for purpose and whether it is capable of identifying and mitigating new and emerging threats effectively. This involves clarifying where responsibility ultimately lies across business managers, the risk and compliance function and independent assurance. Any gaps in responsibility can lead to potentially important new risks being overlooked.

  • Key questions for boards to ask management

    • Is your current risk reporting to the board being reviewed to ensure it has improved inputs to better consider emerging and atypical risks? Is it underpinned by new and external data sources?
    • Is there a new cadence and frequency of risk reporting and financial reporting to the audit committee that needs to be considered to enable effective oversight and decision-making?
    • Is the risk function effectively utilizing technology such as automation, AI and machine learning to foster risk resilience?
    • Has management re-simulated their crisis response plans and re-run stress testing? What changes must be prioritised in order to build greater resilience?
    • Are the C-suite and risk function adequately equipped to identify, analyze and mitigate new threats? If not, what is being done to resolve this?
    • With the risk landscape shifting rapidly, is the board’s composition and governance structure fit for purpose? What aspects require immediate attention?
    • What needs to change in the current risk operating model to reflect the shifting landscape?

Summary

As companies navigate the new landscape created by the COVID-19 pandemic, they must consider how to build improved resilience into the evolving risk environment. Boards should be front and center working with the C-suite to guide this transformation.

About this article

By

Sharon Sutherland

EY Global Center for Board Matters Leader and Area Program Management Leader

Global mindset. Power through diversity. Art lover. Intellectually curious. Traveler. Legacy matters. Passionate about learning initiatives.