5 minute read 20 May 2020
Trieste lightning strikes sea

Building resilience: the role of the board

By Graham Reid

EY Ireland Head of Markets

Passionate about our clients and the collective power of our firm to solve their biggest problems. Growth driver. Relationship builder. Rugby fan.

5 minute read 20 May 2020

Under normal circumstances, a core duty of any board is to insulate the organisation against actual and emerging risks.

It falls with the board to build organisational and business resilience, not just to the current impact of the pandemic, but to secondary risks, such as cyberattacks, people and workforce matters and supply chain disruption, among a long list of others.

According to the EY global board risk survey of 500 board directors and CEOs conducted late last year, far fewer than half (40%) said they were adequately equipped to manage atypical and emerging risks. That is to say that before the current crisis, boards recognised that the risk management capability in their businesses was not sufficiently geared up to identify and mitigate new threats.

Then COVID-19 happened. While a major threat in its own respect, the pandemic will also reshape a raft of additional risks that already existed before the outbreak of the virus. As we look to the next normal, we must not lose sight of the fact that the many challenges we faced before the crisis still exist and will continue to exist when the current crisis ends. However, it is likely those risks will look different.

Pre-March, Irish boards were grappling with major challenges around talent acquisition and retention, growing protectionism in many major markets, data privacy – not to mention Brexit. As we know Brexit is not going away and will likely exacerbate existing risks and bring new ones.

I will use the issue of data privacy and cyber security as an example. In the same survey, cyber-attacks and data breaches were ranked as boards’ second most important business risk globally. Fast forward a couple of short months and most of the world’s office-based workers have moved to remote working, involving an unprecedented spike in remote access, rushed IT fixes and accelerated installations of collaboration tools. How do we think the cyber resilience picture looks now?

As we move on from the initial crisis phase, having hopefully weathered the worst of the storm, boards will now be considering the “next” normal: how they improve the resilience of their business in the face of evolving and emerging risks.

When the research was conducted, just a fifth (21%) of those surveyed were “very satisfied” with their board’s effectiveness in overseeing changes to the risk landscape and adjusting their organisation’s risk appetite.

While there are many mechanisms to support more effective board oversight and understanding of the risk landscape, the single most important action is to ensure that the organisation is allocating sufficient time at board meetings dedicated to discussion around emerging and evolving risks. This has never been more critical. Boards will continue to tackle an ever-growing board agenda as they navigate the next normal. Pre-COVID challenges will need to be addressed, as well as new ones brought about or heightened by the crisis.

While it might seem overly basic, time is a precious commodity often overlooked in its importance when it comes to managing risk and building resilience. The survey found the number one request for enhancing oversight was simply devoting more time to discuss both emerging and existing risks, followed closely by setting aside time to discuss scenarios that could threaten the organisation’s business model.

However, time isn’t the only consideration. To effectively define, assess and oversee how risks are managed, it’s essential to have the right cohort of competencies and skills. With a diverse range of issues including supply chain and enterprise resilience, people and workforce and business restructuring in mind, boards should review their current composition and understand what new skills will be required.  This goes beyond a simple skill gap assessment and rather transcends into ensuring that strong diversity of background, opinion, thinking style, gender and other factors are also taken into consideration.

As boards navigate the new landscape created by the COVID-19 pandemic, they should consider how to build improved resilience into the evolving risk environment. We must all remember that even if it appears that the waters have calmed, the crisis may not be not over. It is important that boards don’t get a false sense of security when indicators begin to point in the right direction. The many impacts of this pandemic will challenge us as leaders for likely years to come but anticipating headwinds in advance will help us weather the storm.

Lead through the COVID-19 crisis

We have a clear view of the critical questions and new answers required for effective business continuity and resilience.

Show me more


Under normal circumstances, every board's central responsibility is to separate the organization from existing and potential risks. It is up to the board to develop organizational and company resilience, not only to the current pandemic effect, but also to secondary threats, such as cyberattacks, issues of people and employees, and supply chain disruption, among a long list of others.

About this article

By Graham Reid

EY Ireland Head of Markets

Passionate about our clients and the collective power of our firm to solve their biggest problems. Growth driver. Relationship builder. Rugby fan.