Risk management that enables resiliency amid new and evolving challenges
▉ Theme 2
Risk and resiliency: 11 questions boards should consider as they oversee risk management in 2022
Climate change and biodiversity loss are threatening the ecosystems on which our economy and humanity depend, calling for a reevaluation of how strategy and risk management mitigate and adapt to these challenges. With climate risks approaching points beyond which it may be impossible to recover, many stakeholders believe it is urgent to act at pace and scale to achieve a low-carbon, nature-positive, sustainable future. With trust in government waning, businesses may have an opportunity to lead on these issues.
The global supply chain, in its current form, is incapable of withstanding the disruptive forces of tomorrow. Fast-changing consumer preferences, environmental disruptions and intrinsic changes to the global order are key drivers of change.
As companies advance technologically and work moves to anywhere, the landscape for cybersecurity threats widens, with malware, ransomware and other new, sophisticated attacks continuing to cripple companies’ critical infrastructure. And as countries decouple globally through the continued rise of nationalism and populism, geopolitical risks and opportunities are routinely challenging organizations.
This environment calls for enhanced scenario analyses and contingency planning across multiple, extreme scenarios, with a deeper recognition of the external and systemic risks that threaten financial and operational resiliency. As a result, organizations are reinventing their risk management models and processes, using technology to enable more timely internal insights across an array of strategic and operational issues, further corroborated through third-party external sources of information.
Below, the EY Center for Board Matters provides 11 questions that boards should consider as they oversee risk management in 2022.
▉ Question 1
Do scenario analyses consider an appropriate range of extreme and even improbable scenarios, including existential threats?
Do they incorporate the potential compounding effects of various risks, such as supply chain disruption, talent acquisition and retention, inflation, future interest rates, and an evolving tax landscape?
▉ Question 2
Are contingency and response plans related to material and high-impact risks, such as cybersecurity breaches and natural disasters, periodically simulated and reviewed with the board?
▉ Question 3
How is the company revisiting and adapting its risk management strategy?
How is management adapting its approach to the three lines model in response to potential changes in the external and internal environment, changes in the strategy and risk landscape, and the company’s operating model?
Eighty-four percent of boards do not believe their organizations have a highly effective risk management strategy, and 55% of board members identified that risk management often struggles to keep pace with changes in business strategy.
▉ Question 4
Has the board considered how the organization’s risk assessment capabilities are evolving?
Has it considered how analytics, artificial intelligence and other emerging technologies can be used to review and validate data and information to unearth insights into enterprise risks and opportunities?
The most important thing you can be today is agile. The right mix of scenario planning and collective intelligence allows you to prioritize opportunities, create revival plans and make up-to-the-minute decisions about everything from supply chain to workforce mobilization. Adding AI into the process makes it even more effective. Source.
▉ Question 5
How has the company’s cybersecurity risk management program evolved to address the current environment in which attackers are targeting a larger surface area and using increasingly unpredictable tactics?
How are cybersecurity and data privacy considerations proactively integrated into all major strategy or tactical decisions, such as transactions, alliances, new products or services, and technology upgrades?
▉ Question 6
What types of data is the organization collecting from its customers and other stakeholders to better assess trust, risks and opportunities related to changing preferences and needs? How is the collection occurring?
▉ Question 7
How is the company scanning and assessing geopolitical developments, including a rapidly changing trade and regulatory landscape and governments moving to a more interventionist policy position?
▉ Question 8
What is the company doing to address material social risks across its value chain, including the treatment of employees and suppliers’ human rights practices and impacts on customers and the communities in which it operates?
Every ESG commitment the organization makes should be embedded across the three lines of the business and supported by respective third parties, and leadership should be able to validate that these third parties are aligned with its ESG posture in the market — supporting the organization’s strategic priorities. For example, if the organization commits to reducing its carbon footprint, abiding by global modern slavery acts, or improving diversity and veteran inclusiveness, it is imperative for its third-party ecosystem to be aligned with these principles to manage the respective transition (e.g., brand, regulatory) risks. This will facilitate compliance with applicable laws and regulations, while mitigating the risk to the brand around accusations of “greenwashing,” “social washing” or similar forms of misrepresentation.
▉ Question 9
How is the company assessing the impact of physical and transition climate risks on products and services, supply chains and operations that can materially affect operating costs and revenues across the enterprise?
Because climate-related risks are inherently more complex and long-term than most traditional business risks, scenario analysis is essential for organizations to understand the physical, economic and regulatory connection between future climate impacts and business and supply chain activities. Research shows only 41% of organizations in the sample are conducting scenario analysis — a figure that is concerning.
▉ Question 10
Has the organization’s tax planning strategy been reevaluated to address potential tax policy changes, as well as impacts arising from potential shifts in the supply chain and capitalization?
Has the organization considered growing stakeholder interest in tax transparency and potential related reputational impacts?
▉ Question 11
Does the board understand and approve the company’s data privacy and data usage policy? How is customer and employee data use managed?
Are social surveillance algorithms reviewed for bias? Is data protection considered beyond cybersecurity protection?
Despite an uncertain outlook, the pandemic has cemented consumers’ resolve to have control over their personal data. When we asked them what is most important when they choose to share their personal data with an organization, the majority point to secure collection and storage (63%), control over what data is being shared (57%) and trust in the company collecting their data (51%).