Risk management that enables resiliency amid new and evolving challenges

Theme 2

Risk and resiliency: 11 questions boards should consider as they oversee risk management in 2022

Climate change and biodiversity loss are threatening the ecosystems on which our economy and humanity depend, calling for a reevaluation of how strategy and risk management mitigate and adapt to these challenges. With climate risks approaching points beyond which it may be impossible to recover, many stakeholders believe it is urgent to act at pace and scale to achieve a low-carbon, nature-positive, sustainable future. With trust in government waning, businesses may have an opportunity to lead on these issues.

The global supply chain, in its current form, is incapable of withstanding the disruptive forces of tomorrow. Fast-changing consumer preferences, environmental disruptions and intrinsic changes to the global order are key drivers of change.

As companies advance technologically and work can be done from anywhere, the cybersecurity threat landscape widens, with malware, ransomware and other sophisticated new attacks continuing to cripple companies’ critical infrastructure. And as countries decouple globally through the continued rise of nationalism and populism, geopolitical risks and opportunities are routinely challenging organizations.

This environment calls for enhanced scenario analyses and contingency planning across multiple, extreme scenarios, with a deeper recognition of the external and systemic risks that threaten financial and operational resiliency. As a result, organizations are reinventing their risk management models and processes, using technology to enable more timely internal insights across an array of strategic and operational issues, further corroborated through third-party external sources of information.

Below, the EY Center for Board Matters provides 11 questions that boards should consider as they oversee risk management in 2022.

 Question 1

Do scenario analyses consider an appropriate range of extreme and even improbable scenarios, including existential threats?

Do they incorporate the potential compounding effects of various risks, such as supply chain disruption, talent acquisition and retention, inflation, future interest rates, and an evolving tax landscape?

 Question 2

Are contingency and response plans related to material and high-impact risks, such as cybersecurity breaches and natural disasters, periodically simulated and reviewed with the board?


Embracing uncertainty means planning many plausible future scenarios and recovery paths — building the agility to navigate today’s unknown.

 Question 3

How is the company revisiting and adapting its risk management strategy?

How is management adapting its approach to the three lines model in response to potential changes in the external and internal environment, changes in the strategy and risk landscape, and the company’s operating model?


Eighty-four percent of boards do not believe their organizations have a highly effective risk management strategy, and 55% of board members identified that risk management often struggles to keep pace with changes in business strategy.

 Question 4

Has the board considered how the organization’s risk assessment capabilities are evolving?

Has it considered how analytics, artificial intelligence and other emerging technologies can be used to review and validate data and information to unearth insights into enterprise risks and opportunities?

The most important thing you can be today is agile. The right mix of scenario planning and collective intelligence allows you to prioritize opportunities, create revival plans and make up-to-the-minute decisions about everything from supply chain to workforce mobilization. Adding AI into the process makes it even more effective.

 Question 5

How has the company’s cybersecurity risk management program evolved to address the current environment in which attackers are targeting a larger surface area and using increasingly unpredictable tactics?

How are cybersecurity and data privacy considerations proactively integrated into all major strategy or tactical decisions, such as transactions, alliances, new products or services, and technology upgrades?


 Question 6

What types of data is the organization collecting from its customers and other stakeholders to better assess trust, risks and opportunities related to changing preferences and needs? How is the collection occurring?

 Question 7

How is the company scanning and assessing geopolitical developments, including a rapidly changing trade and regulatory landscape and governments moving to a more interventionist policy position?

 Question 8

What is the company doing to address material social risks across its value chain, including the treatment of employees and suppliers’ human rights practices and impacts on customers and the communities in which it operates?

Every ESG commitment the organization makes should be embedded across the three lines of the business and supported by respective third parties, and leadership should be able to validate that these third parties are aligned with its ESG posture in the market — supporting the organization’s strategic priorities. For example, if the organization commits to reducing its carbon footprint, abiding by global modern slavery acts, or improving diversity and veteran inclusiveness, it is imperative for its third-party ecosystem to be aligned with these principles to manage the respective transition (e.g., brand, regulatory) risks. This will facilitate compliance with applicable laws and regulations, while mitigating the risk to the brand around accusations of “greenwashing,” “social washing” or similar forms of misrepresentation.

 Question 9

How is the company assessing the impact of physical and transition climate risks on products and services, supply chains and operations that can materially affect operating costs and revenues across the enterprise?

Because climate-related risks are inherently more complex and long-term than most traditional business risks, scenario analysis is essential for organizations to understand the physical, economic and regulatory connection between future climate impacts and business and supply chain activities. Research shows only 41% of organizations in the sample are conducting scenario analysis — a figure that is concerning.

 Question 10

Has the organization’s tax planning strategy been reevaluated to address potential tax policy changes, as well as impacts arising from potential shifts in the supply chain and capitalization? 

Has the organization considered growing stakeholder interest in tax transparency and potential related reputational impacts?

 Question 11

Does the board understand and approve the company’s data privacy and data usage policy? How is customer and employee data use managed?

Are social surveillance algorithms reviewed for bias? Is data protection considered beyond cybersecurity protection?

Despite an uncertain outlook, the pandemic has cemented consumers’ resolve to have control over their personal data. When we asked them what is most important when they choose to share their personal data with an organization, the majority point to secure collection and storage (63%), control over what data is being shared (57%) and trust in the company collecting their data (51%).
