Strengthening the role of the board.
Today, organizations face greater cyber threats than ever before. In 2020, EY teams published research that found 6 in 10 organizations had suffered a material or significant incident in the previous 12 months. Since then, the economic and operational disruption unleashed by the COVID-19 crisis has notably increased both the motivation and opportunity for cyber attackers, who have looked to exploit the large-scale shift to remote working. A remote workforce puts strain on organizational infrastructure and increases the risk that important processes are side-stepped and security controls are not properly applied to new systems and tools. Accordingly, board members participating in the EY EMEIA Board Barometer 2021 consider cybersecurity a highly relevant issue, with digital threats as the number one challenge.
Information and data security challenges
Key actions to help boards deal with cybersecurity and privacy risk
The oversight role of the board is crucial to ensuring the cyber resilience of organizations through the COVID-19 pandemic and beyond. Boards need to constantly evaluate and take suitable actions to navigate the cyber threat landscape:
- Understand management actions to ensure remote access systems are fully patched, securely configured and able to withstand cyber attacks
- Ensure that the organization adheres to security controls and processes and that employees are not using platforms and tools that pose security risks
- Ensure a cyber incident response plan (a set of guidelines to help staff detect, respond to and recover from an incident) is in place
Boards will need to focus on steps to foresee risks and determine appropriate strategies:
- Regularly evaluate the effectiveness of the cybersecurity function
- Provide the Chief Information Security Officer (CISO) sufficient budget and resources to address any weaknesses identified
- Invest in new tools such as artificial intelligence (AI) applications to prevent and detect cybercrimes
- Ask for and review a set of insightful KPIs, in relation to cybersecurity, and receive regular management reports
- Allow information access on supply chains to understand which suppliers have access to the organization’s systems and what controls and security protocols are in place
- Ensure the organization has adequate insurance to cover a major cybersecurity breach
It is worth noting that board members themselves can be attractive targets for hackers because they have access to commercially sensitive data.
Cybersecurity can be a critical agent of change that helps to drive business transformation and innovation, but only if CISOs collaborate with their colleagues across the business and if cybersecurity is proactively designed into data, processes and systems from the outset.
Five key questions for boards
- What is the board doing to embed a culture of cybersecurity awareness at the heart of the organization?
- How regularly does the board deal with cybersecurity matters, and what metrics does it use to monitor the organization’s cyber resilience?
- What governance structures does your board have in place to provide oversight of cybersecurity, and are those subject to regular effectiveness reviews?
- How can your organization invest more strategically in cybersecurity to counter the risks it faces?
- How is your organization designing cybersecurity into its data, processes and systems from the outset so that it can lead transformational change and innovate with confidence?
Fraud detection and going concern
Reinforcing confidence in corporate reporting.
In today’s challenging economic climate, fraud is a heightened risk for organizations. There are several explanations for the rise in fraud. Individuals may be tempted to misappropriate assets to support their lifestyles or to conceal their organization’s viability challenges. Furthermore, remote working has undermined the effectiveness of controls in some organizations, while pressure to respond fast to events has resulted in greater use of management overrides and workarounds, such as manual payments. Technological advances are also increasing the opportunities for fraud and the speed at which they are taking place.
Countering material fraud risk and enhancing financial reporting
Fraud is not just a priority for boards – it is also attracting the attention of financial regulators and standard-setters. The International Auditing and Assurance Standards Board (IAASB) has been consulting with stakeholders across the financial reporting ecosystem to establish whether the International Standards on Auditing related to fraud and going concern need to be updated. The IAASB’s consultation paper suggested several actions that boards could take to enhance the effectiveness of the financial reporting process:
- Share views on the organization’s financial reporting and fraud risks with their auditors
- Create an environment in which management is not resistant to challenge by the auditor
- Assess how management was challenged by the auditor during the audit, particularly with regard to assessment of fraud risk
The IAASB’s paper highlights the “importance of a culture of honesty and ethical behavior, reinforced by active oversight, as well as management and those charged with governance placing a strong emphasis on fraud prevention and fraud deterrence.” Hence, it is critical the board sets the right tone at the top, supporting a culture of integrity, to deter others within the organization from following unethical practices.
Subject to the outcome of the IAASB’s consultation, auditors' responsibilities may change in the context of the audit in future. Boards should take steps to have oversight of the structures and controls in place to minimize risk and speed up the detection of fraud within their organization:
- Receive regular reporting in relation to the effectiveness of these controls, as well as incidents of fraud or suspected fraud, including claims made via whistleblowing hotlines
- Ensure the organization takes necessary action when an incident has been confirmed
While technology is accelerating the rate at which frauds are taking place, making it difficult to prevent and detect them, it also creates new opportunities to mitigate the risks. Boards can talk to their organization’s auditors and establish techniques to assist with the detection of a material fraud and also consider whether it would be appropriate to ask their auditors to perform a fraud risk assessment to review the effectiveness of the organization’s anti-fraud controls and compliance with laws and regulation.
Five key questions for boards
- Do you understand the breadth of fraud risks that the organization faces and how these have been exacerbated by the COVID-19 pandemic?
- How are you providing effective oversight of the organization’s fraud prevention and detection processes?
- How are you drawing on the skills and technological capabilities of your external auditor to mitigate the risk of material fraud?
- In what ways would the organization benefit from a fraud risk assessment performed by an external auditor?
- What are you doing to help establish an honest and ethical culture within the organization?
Approaching recovery and reinvention.
The short-term enterprise resilience of organizations has been severely tested over the past 12 months. Resilience has also been challenged by ongoing supply chain disruption, threats to financial stability, pressure on business models, cybersecurity threats to critical infrastructure, and issues relating to workforce well-being.
Long-term resilience is an important consideration, especially as organizations plan for a future beyond the pandemic. The economic and financial repercussions of the crisis are likely to persist for some time, making the recovery period a potentially precarious time for businesses. Additional long-term challenges to enterprise resilience include changing consumer behaviors and expectations, the accelerated digitalization of the global economy, and the mounting threat of climate change.
Drawing on COVID-19 lessons to ensure long-term resilience
Boards need to prioritize resilience as they monitor management teams to plan ahead and into the future. Almost three-quarters (73%) of respondents to the EY EMEIA Board Barometer 2021 said that general crisis prevention measures and business continuity management will be extremely relevant to their organization in 2021.
In the coming months, boards will need to provide oversight of contingency planning, scenario planning and stress testing. Additionally, they need to focus on assessing the liquidity needs of their organizations, strengthening supply chains and identifying emerging market opportunities and risks created by changing customer expectations, new regulatory developments and the evolving business environment.
The EY enterprise resilience framework highlights nine key areas for boards to focus on as they support their organizations to plan for recovery:
- Employee health and wellbeing – using public health information to educate the workforce and enabling effective remote working
- Talent and workforce – putting people first, fostering diversity and inclusion, workforce planning, as well as sustaining and enhancing remote collaboration
- Consumer and brand – responding to changing consumer behaviors, adopting a credible brand voice, and rethinking customer strategy in line with technological advancements
- Financial and investor – asking the right questions around cashflows, liquidity and short- and long-term debt financing, communicating with investors, and reviewing different financial scenarios to support the organization through economic recovery
- Risk – understanding the broad spectrum of risks that the organization faces over the short-, medium- and long-term (including cyber, geopolitical, regulatory, reputational and third-party risks), adopting new processes and tools, and reviewing existing risk governance and internal controls
- Government and public policy – monitoring new compliance obligations and changes to existing obligations, understanding the impact of policy changes, and communication with stakeholders about changing regulatory requirements
- Technology and information security – investing in infrastructure and tools that support the resilience of business operations, using technology to drive innovation and reinvent the business model, and enhancing cybersecurity
- Insurance and legal disputes – assessing whether the organization holds the right level – and type – of insurance to mitigate the risks it faces today and in future
- Supply chain and global trade – developing a strategy to manage the risk of supply chain disruption, investing in automation to improve the efficiency of the supply chain, and exploring new business models that reduce the organization’s dependencies on vulnerable suppliers
By adapting more responsive enterprise risk management processes and controls, boards can take steps to support their organizations to pivot strategically and build enterprise resilience:
- Assess the effectiveness of the “three lines of defense model” applied within the organization and its response to unexpected challenges
- Discuss ways to optimize the “three lines of defense model” with the management team, based on the model, so it remains efficient and fit for purpose in the new risk environment
- Use data-driven intelligence to help their organization seize the upside of disruption during the recovery era
The board can ensure that business continuity plans, succession plans and crisis management processes are updated to reflect the organization’s learnings from the pandemic and reviewed on an annual basis thereafter. These learnings can range from IT infrastructure and human wellbeing through to stakeholder communication and whether the board has provided effective support to the management team.
Five key questions for boards
- What are the main lessons the organization learned about its own resilience following the COVID-19 crisis?
- How has the organization reviewed and updated its business continuity plan in response to the lessons learned from the pandemic?
- What are the greatest threats and opportunities facing the organization in the short, medium and long term – and how is it planning to address them?
- How is the board adapting the organization’s enterprise risk management processes and controls to be more responsive to change?
- To what extent is the organization resilient enough to withstand another sudden and pervasive shock?
Sustainability and nonfinancial reporting
Responding to the impetus for change.
The huge environmental and social challenges we face today make sustainability a critical issue for organizations. Business stakeholders – including customers, employees, investors and regulators – are all demanding that organizations play their part in addressing these challenges. As a result, organizations are expected to consider their long-term impacts on the environment and society as part of their business strategies.
At the same time, political developments are creating new sustainability-related risks and opportunities for organizations to manage. For example, the European Green Deal, combined with a €1.8 trillion stimulus package, aims to “lay the foundations for a modern and more sustainable Europe” post-COVID-19. It is likely to result in new rules and targets for organizations to comply with, as well as opportunities to gain market share through sustainable innovation.
Making a highly integrated approach to sustainability a board priority
Boards need to take an integrated approach to sustainability, considering the impacts of a wide range of environmental, social and governance (ESG) issues, including climate change, environmental degradation, social inequality and talent shortages, and follow ongoing developments in the sustainability space. Reporting is key to ensuring that organizations set sustainability goals and measure their progress toward meeting them by equipping boards and management teams with invaluable insights to shape business strategy and providing transparency around sustainability to the organization’s external stakeholders, including investors.
Correspondingly, the EY EMEIA Board Barometer 2021 highlights nonfinancial reporting as one of the top five challenges for audit committees in 2021.
Boards can help their organizations reassess both their purpose and their operational practices in light of the social, economic and environmental changes taking place through these steps:
- Rework new approaches to product innovation – for example, capitalizing on the circular economy or even switching to a new business model.
- Challenge management teams to understand and evaluate the broader value that the organization generates – beyond financial results.
- Rethink how boards and compensation committees design and evaluate compensation plans so that remuneration is linked to meeting sustainability goals.
As the results of the EMEIA Board Barometer 2021 illustrate, it is a particular challenge for boards to integrate sustainability-related risks and opportunities within overall strategy, so that later operational decisions are taken with sustainability considerations in mind.
How boards are integrating sustainability-related risks and opportunities within overall strategy
Therefore, the appointment of a chief sustainability officer (CSO), who reports to the CEO, can help in this respect. The CSO’s responsibilities can include:
- Set and measure progress toward sustainability goals
- Conceive non-financial performance indicators
- Ensure compliance with standards and regulations
- Contribute to product innovation and supply chain resilience
- Build trusted relationships with the organization’s internal and external stakeholders
Boards also need to ask how their organization can meet investor demand for reporting on nonfinancial information. For example, they could use the metrics and disclosures developed by the World Economic Forum’s International Business Council (EY is a member). This comprehensive set of ESG metrics aims to showcase how organizations generate both long-term financial and nonfinancial value for their stakeholders.
The integration of sustainability – and broader ESG factors – into business strategy and enterprise risk management must be a board priority, both today and going forward. This will allow the organization to differentiate itself from its competitors, strengthen its business model and navigate ESG-related risks and strategic opportunities so that it creates and protects long-term value for all its stakeholders.
Five key questions for boards
- Do the board and management team have a good understanding of the organization’s strategic ESG risks and opportunities?
- Should the organization appoint a chief sustainability officer, and how could the board tap into the insights and expertise that a CSO can provide?
- How is the board supporting and monitoring ESG strategy development, as well as related goals and metrics, including the identification and integration of nonfinancial key performance and management indicators?
- How could the organization’s executive remuneration strategy be revised to encourage a focus on sustainability and long-term value generation?
- How is the organization using nonfinancial reporting to report on generating long-term value for stakeholders – and does that ESG reporting meet stakeholders’ expectations?
Culture and societal change
Accelerating organizational transformation.
Since early 2020, there has been a widespread transformation in working practices with millions of people shifting globally to virtual working, making greater use of digital communication tools and collaboration platforms. This has changed cultural ideas around work – with work increasingly regarded as something that is done rather than a place that someone goes to. Going forward, many employees will therefore demand ever-greater flexibility around where, when and how they do their work – and organizations will need to have policies and tools to accommodate this.
The EY Future Consumer Index found that the COVID-19 crisis transformed the lives of consumers, with 50% saying that their values have changed and they are looking at life differently as a result of the pandemic with an invariable impact on the goods and services they choose to buy, and who they choose to buy from. Organizations will need to adapt their own cultures and behaviors if they are to capitalize on these market shifts.
How is your board monitoring the organization’s culture?
Today, there is arguably greater scrutiny of corporate culture than ever before, with a wide range of stakeholders – including employees, customers, regulators, investors and the media – paying close attention to the issue. Culture is increasingly viewed as a key indicator of both an organization’s short-term performance and long-term sustainability; hence, the challenge for boards is not only to provide robust oversight around organizational culture in an era of rapid change, but also to communicate an accurate picture of that culture to stakeholders.
At the same time, the culture of the organization – and the culture of the board itself – needs to evolve in ways that reflect the broader evolution happening within society. Boards should recognize that while virtual working creates some challenges, it also presents some significant opportunities in areas such as:
- Pipeline development and succession planning
- Recruiting and onboarding
- Employee engagement
- Culture development
Technology can also be used as a way to build the workforce of the future through the upskilling and reskilling of people. Changing consumer expectations and behaviors are an opportunity for the organization to grow market share, one that relies on a corporate culture that facilitates agility, innovation and productivity.
The board sets the tone at the top when it comes to corporate culture through its values, actions and communications, supplemented by factors such as its composition, structure and processes.
Boards should be composed of a diverse range of people, with a broad base of skills and from a variety of backgrounds. Here are some steps boards can take:
- Review the composition of people to reflect changing expectations of their stakeholders
- Oversee the strategic opportunities facing the organization
- Demonstrate leadership in areas such as diversity and inclusion
Given the ongoing requirement for virtual remote working, boards’ communication and security practices should be agile and effective, and they should also reassess committee structures and agendas to optimize effectiveness and increase accountability.
Boards need to take steps to play an active role in communicating and monitoring their organization’s culture to ensure it stays aligned with its purpose as well as with broader societal trends:
- Have regular conversations with the Chief HR Officer (CHRO) around human capital and talent management
- Request metrics relating to employee development, engagement, wellbeing, attraction, retention, and diversity and inclusion
- Evaluate the extent to which the CEO and other executives are acting as role models for the organizational culture to other members of the workforce
An effective board recognizes that a healthy culture empowers employees to make autonomous decisions that are in line with the organization’s purpose and values, and plays a central role in reducing risk and delivering long-term sustainable growth.
Five key questions for boards
- How should the organization’s culture adapt in response to the transformative cultural and societal shifts taking place today?
- What can the board do to improve its own culture – for example, through composition, structure or processes?
- How is the board monitoring the organization’s culture on an ongoing basis and ensuring continued alignment with its purpose?
- Is the board receiving sufficient information from the CHRO in relation to culture-related metrics, and does it understand how that information is being collected, measured and controlled?
- What measures is the board taking to ensure that management decision-making and corporate strategy are in line with the organizational purpose, culture and values?
Boards may be compelled to re-examine their governance principles and recalibrate their steering and oversight role, while they navigate the impact of the global pandemic against a backdrop of environmental, social, economic, regulatory and technological innovations. The board priorities outlined above are by no means the only priorities for boards today. Boards will have various other focus areas depending on the nature of their organization. Nevertheless, the outlined themes merit special consideration on the board agenda and in the effort to reset organizations’ strategies and governance, to keep pace with ever-growing stakeholder demands and ensure long-term value creation.
In 2021 boards should keep a sharp focus on the key priorities to help organizations recalibrate their strategy on emerging challenges driven by socioeconomic, climate, regulatory and technology trends, as well as evolving stakeholder and investor expectations, while not losing sight of organization risk, sustainability and resilience.