Boards should view risks from a long-term perspective — ideally considering a time horizon of more than five years — to address emerging risks more effectively. This is crucial as many risks could impact the business significantly in the next 5-10 years despite having only a marginal impact today.
Leverage data and technology to manage enterprise risks
The extensive use of technology to identify and manage risks is a key driver of risk management. Automation technology, for example, can be used to handle manual tasks, allowing risk professionals to focus on more value-adding priorities. Data collection and monitoring can be automated to occur in real time, allowing potential risks to be flagged much sooner than using a purely manual approach. In addition to automation, leveraging artificial intelligence (AI) can help read, review and validate financial reporting. AI can also help establish trends and patterns by analyzing voluminous data in a much shorter time.
Yet despite the importance of technology, fewer than one in five boards say their organization’s risk management is highly effective in leveraging data and technology or delivering timely and insight-driven reporting. Indeed, boards can help drive greater awareness of the role that technology and data can play in enhancing risk management.
Boards should mandate the risk function to capitalize on new automation, AI and reporting tools to monitor and manage risks. Having a sufficient budget allocated to investment in technology for this aspect as well as alignment to the overall technology and data strategy of the organization is another imperative.
The board should also direct the management to improve the breadth and depth of risk reporting. Effective risk reporting is forward-looking and predictive, and covers emerging and atypical risks, among others. When done right, it can be a powerful driver of effective risk management.
Align corporate culture to strategy
When aligned with the organization’s purpose, a company’s culture is pivotal to protecting and creating value. When it isn’t, risks increase and potential value is unrealized. In fact, misalignment between culture and strategy is the greatest workforce-related challenge in risk management. Culture is also crucial in enterprise risk management, impacting how an organization identifies and manages risks.
Clearly, it is important to allocate sufficient time to discuss culture at the board level. Yet the survey found that 27% of boards never or rarely discuss the culture needed to support their organization’s strategy. This needs to change. The boards can govern culture and work with the management to define, implement and measure a corporate culture that is aligned with the organization’s strategy, thereby reinforcing risk management.
To achieve this, the board should review how the management articulates the organization’s desired culture and works on closing existing gaps. It should also consider aligning executive compensation to the desired behaviors and culture of the company and assess if there are clear links between rewards and desired behaviors.
Boards can also leverage analytics of cultural trends, benchmarking with others, surveys of risk attitudes and risk awareness. Regular reviews of culture metrics within the organization, such as employee pulse surveys, employee onboarding and exit interviews as well as other relevant surveys, should be conducted.
As the risk environment for businesses becomes increasingly complex, boards need to drive their organizations to pull out all the stops to identify, mitigate, manage and even preempt new threats. Boards can reframe their organization’s approach to risk management by catalyzing change through an emphasis on culture and technology, while adopting a long-term lens in managing risks.
Boards should consider the following questions:
- Has the board re-evaluated its risk oversight practices to assess whether there are changes that can be made to strengthen oversight?
- Has the board allocated a sufficient budget to invest in technology for risk management as well as develop a workforce with the skill set to manage it?
- Has the board directed the management to devise a strategy for using data and technology in risk management activities?
- How thoroughly has the board discussed the impact of culture on risk management and the internal control environment?
- Does the board regularly review culture metrics, such as employee pulse surveys, employee onboarding and exit interviews as well as customer surveys?
This article was written by former EY Partner Alexandra Gradehand.
Summary
With the pandemic heightening risks, boards need to reframe their organizations’ risk management approach for greater enterprise resilience. This involves focusing more on emerging and atypical risks from a long-term perspective and driving the extensive use of technology to manage risks. There is also a need to align the organization’s culture with its strategy for effective risk management.