Board Members Preparedness for Major Risk Event Like COVID-19

Steve W. Klemash is Americas Leader, Jennifer Lee is Audit and Risk Specialist, both at the EY Americas Center for Board Matters, and Amy Brachio is EY Global Advisory Risk & Performance Improvement Leader. This post is based on their EY memorandum.

The unprecedented scale and pace of disruption in the market today requires a new way of thinking about risk and transformation. Technological advances are blurring industry lines and changing the nature of work. Changing social demographics and an accelerating climate crisis are calling into question how, and for whom, businesses create value. These and other developments, from cybersecurity threats to a volatile geopolitical landscape and pandemics, are putting pressure on organizations to build risk resiliency and create long-term value while sustaining trust across stakeholders—consumers, investors, regulators, employees and third parties.

Embracing the upside of risk and sustaining stakeholder loyalty and trust is fundamental to achieving competitive market advantage in this era of disruption. According to the Embankment Project for Inclusive Capital (EPIC), as little as 20% of a company’s value is now captured on its balance sheet—“a staggering decline” from about 83% in 1975—as real value today is in innovation, culture, corporate governance and trust.

Today’s level of transformation, both within organizations and across global economies, coupled with the uncertain economic environment, requires risk management to be more dynamic. This calls for a new risk mindset that moves from a focus on traditional downside risks to embracing the upside of risk and weaving trust into all facets of the business. At the board level, this translates to adopting a future-fit risk approach that is more attuned to external business trends and one that allows management to focus on identifying and capitalizing on risks that enhance trust and enable innovation, speed and value creation.

We surveyed 500 global board members and CEOs to better understand their perspectives on today’s top risks and what resources they need to better execute risk oversight while sustaining trust in today’s business climate. We learned that whether it be in relation to reporting, skill sets or the sheer time spent discussing risk, board members acknowledge their organizations—and boards themselves—need to evolve to keep pace with disruption and maintain their strategic advantage. To operate in these market conditions, our risk survey indicates that boards can advance their oversight of risk in the following four ways, which will require enhancements to enterprise risk management, insightful risk reporting and new remits between boards and CEOs:

  1. Reprioritize top risks to keep pace with market disruption
  2. Turn risk into strategic value
  3. Redefine risk reporting to reflect the dynamic risk landscape
  4. Evolve the board’s role in enterprise risk management (ERM)

How we see it—the importance of building risk resiliency

The findings in this post are based on surveys conducted prior to the coronavirus (COVID-19) outbreak, which at the time of publication continues to spread globally and has brought increased disruption and uncertainty to businesses and economies. Declared a global emergency by the World Health Organization, COVID-19 has rapidly emerged as a critical outside risk for businesses. Many companies are experiencing vulnerabilities related to quarantined workers/travel restrictions, significant fluctuations in product demand and heavy supply chain disruption from the affected areas. The scope of risks continues to expand and has highlighted critical global interdependencies and the need for heightened crisis management planning, including the ability to quickly execute business continuity plans and deploy a rapid response to mitigate related risks, including medical and security protocols.

Unpredictable events, such as the spread of COVID-19, reinforce our survey findings around the importance of having a robust ERM program and well-honed crisis management plans. While companies cannot predict when a crisis or black swan event may occur, boards that prepare organizations to have the strategic, operational and financial resiliency to recover from emerging global risks will be better positioned to respond and minimize their impact.

Reprioritize top risks to keep pace with market disruption

As market disruption and changing stakeholder expectations rewrite the risk landscape, board oversight priorities need to keep pace. Our survey uncovered today’s top risks from the board and CEO perspective, revealing a need for stronger alignment and more rigorous oversight of key emerging risks.

Today’s top risks from the board perspective: economic headwinds, cyber attacks and technology disruption

Economic cycles are inevitable, with the question being not if, but when and how severe, the next financial downturn will be—and never before have economic signals and indicators been more confusing. Nearly half of board members believe unfavorable economic conditions will have more than a moderate impact on their business in the next 12 months, making it the most important risk category.

Some of those unfavorable economic conditions may result from growing geopolitical risks that are felt acutely in the US. While all surveyed board members rank geopolitical turmoil as the ninth most important risk, those that sit on boards of US companies rank it as their joint-second (along with people issues) most important risk (vs. 36% of board members in Europe, the Middle East and Africa (EMEIA) and 29% of board members in Asia-Pacific).

Cyber attacks/data breaches and the pace of technology change also appear to be creating a complex set of pressures for boards. Forty-eight percent of board members overall (and 69% of board members of financial services companies) believe cyber attacks/data breaches will more than moderately impact their business over the next 12 months, and 46% believe the same for the pace of technology changes. Of course, these risks go hand in hand.

Organizations today must harness technological innovations to survive as well as to self-disrupt and transform, which board members clearly acknowledge. Nearly 40% of them rank technology disruption among the greatest strategic opportunities for their organizations. At the same time, introducing new technologies also introduces new cyber and data privacy vulnerabilities, creating an increasingly complex cybersecurity landscape.

The reason why cybersecurity risk is ranked as one of the top risks may be due in part to board members lacking confidence in their organizations’ cyber attack mitigation measures. Half of board members say they are, at best, somewhat confident that the cybersecurity risks and mitigation measures presented to them can protect the organization from major cyber attacks.

In our 2020 Global Information Security Survey (GISS) report, 25% of respondents say they can quantify, in financial terms, the effectiveness of their cybersecurity spending in addressing the risks faced by the business, and only 7% of security leaders are able to financially quantify the impact of breaches.

Around 40% of board members say that cybersecurity is not a regular discussion item on their full board agenda, revealing an opportunity for many boards to strengthen oversight of this existential threat. Many CISOs are concerned that their boards do not have a structured way to review cyber risk. This could be a symptom of the way the function chooses to communicate with the board—the emphasis is typically on current-state security and audit results rather than performance or innovation.

People issues, supply chain disruption and geopolitical turmoil are top-of-mind issues for CEOs, revealing the need for better alignment with board risk priorities

In contrast to non-executive directors (NEDs), CEOs are more concerned about people issues, such as talent shortages or a failure to upskill, supply chain disruption and geopolitical turmoil.

CEOs understand that when it comes to growth and innovation, the risks and rewards associated with an organization’s talent may be the most critical area of all. From building a culture where innovation thrives, to defining the company’s purpose, to investing in retraining workers to meet the demands of evolving business models, a company’s people strategy is increasingly emerging as critical to competitive strength and long-term value creation.

Most CEOs believe people issues will have more than a moderate impact on their organization during the next 12 months vs. just 40% of directors. This difference may stem from the two groups’ different experiences and traditional areas of focus. For example, talent continues to gain momentum in the boardroom as human capital and culture comprise a growing share of market value and are recognized as key strategic enablers and competitive differentiators in today’s information age.

Traditionally, boards focused on talent development and succession planning for the C-suite without the deeper view into talent risks and opportunities across the workforce.

The overlapping nature of so many of these risks may also complicate insights into how the two are ranking different risks. For example, people issues are closely linked to the pace of technology change, because the need to upskill, retain and recruit top talent is critical to drive technological transformation in today’s business environment.


Forty percent of CEOs ranked both supply chain disruption and geopolitical turmoil as significant risks that will moderately impact their organizations in the coming year vs. only approximately a third of NEDs. Rising channel complexity, increasing volatility and the growth of emerging markets require new levels of agility and responsiveness, while pressure on costs and overcapacity drive the need for increased efficiency. These pressures are also driving CEOs and organizations to reinvent supply chains to drive more competitive advantage while also introducing new risks (such as additional cybersecurity-related risks from digitized smart factories or robotic process automation) to the organization.

Geopolitical pressures are also growing increasingly complex and volatile, introducing new and evolving risks (including supply chain disruption) to strategy and operations that CEOs must navigate. The impact of some of the related risks is often diffused and hard to discern, such as the changing roles of China, Russia and the US, or the rise of populism across democracies. Others are more palpable, such as trade wars, nation-state cyber warfare or the impact of Brexit. In today’s changing geopolitical environment, risks need consistent monitoring and dynamic incorporation into strategy and operations.

Whatever nuances are shaping the gap between directors’ and CEOs’ risk priorities, it is critical that boards and executive leadership achieve alignment on the risks considered most material to the business over the short and long terms. Misalignment and the lack of a clear, united tone from the top on risk priorities can lead to mismanaged risks and expose the organization to more vulnerabilities.

Why culture and climate risk warrant more rigorous oversight

Only around a quarter of board members believe climate change and natural resource constraints will have more than a moderate impact on their organization during the next 12 months, making it the lowest priority on the board’s risk agenda. Misaligned culture came in only slightly higher, with 31% of board members viewing it as a significant near-term risk. Board members’ perception of the impact of these risks was low but may likely shift, particularly given the increasing focus on these risks by shareholders and other key stakeholders.

With the manifestation of physical climate risks accelerating at a rapid rate, many investors recognize it as a key threat. For example, in the EY investor outreach leading up to the 2020 proxy season, which included conversations with more than 60 institutional investors representing more than US$35 trillion in assets under management, around half of the investors identified environmental issues and climate risk as among the biggest threats to their portfolio companies’ strategic success in the next three to five years, making it the second biggest threat identified. Climate risk also emerged as the top investor engagement priority for 2020, with almost 60% of investors telling us they will engage companies on climate risk this year.

In his 2020 letter to CEOs, BlackRock chairman and CEO Larry Fink put climate change front and center, noting that it has become “a defining factor in companies’ long-term prospects” and shared his belief that “we are on the edge of a fundamental reshaping of finance” as we better understand the impacts climate risk will have on the physical world and global financial markets. As BlackRock seeks to make sustainability integral to its portfolio construction, a company’s demonstration of how it is managing climate risk and accelerating the transition to a low-carbon economy may inform its access to capital. And it is not just shareholders that care about a company’s approach to climate risk.

More than ever, consumers and employees seek to support companies creating long-term environmental value, and climate change is rising on public and political agendas.

Culture is similarly an increasing area of focus for investors and other stakeholders. Nearly 40% of the investors we spoke with in our outreach identified corporate culture as a key enabler of strategic success, making it the third-highest factor identified. Talent management ranked as the highest strategic enabler, and many of the investors spoke about culture and talent management in tandem, stressing that the right culture is needed to attract, engage, motivate and retain the right talent. This investor focus reflects broader recognition that culture is critical to achieving the level of transformation needed in today’s market.

Further, culture is the foundation for behaviors that support appropriate, balanced and informed risk-taking and, where necessary, escalation.

While there may be reasonable explanations for climate risk and misaligned culture appearing to be lower on the boards’ risk agenda (e.g., the question specified a 12-month time frame, and boards may consider these to be longer-term risks), how companies manage and govern these risks and seize related opportunities are coming under increasing scrutiny from key stakeholders. Boards should deepen their understanding of the fast-evolving significance of these factors to investors, employees, customers and other key stakeholders and set the tone at the top for addressing and prioritizing these risks accordingly.

Key board takeaways:

Reprioritize top risks to keep pace with market disruption

  • Address today’s top threats and align on the top risks. Make sure your board and the organization have the skills and competencies needed to oversee today’s most pressing risks. Align with management to create a dedicated and dynamic focus on emerging risks given the faster pace of change today.
  • Listen to stakeholders. Consider the views of and engage with key stakeholders, including shareholders, to broaden the board’s perspective on risk.
  • Analyze megatrends and outside data sources to develop an informed point of view on the risk landscape. The board should verify that the organization is incorporating both internal and external data points in its risk identification process as well as continuously monitoring risks and trends for any material changes.
  • Develop a strong pulse on culture. Oversee how culture is defined and aligned to strategy, assign responsibility and accountability for culture, monitor internal culture metrics and constructively challenge the culture of the board itself.
  • Maintain robust cybersecurity risk oversight. Challenge whether sufficient time is spent discussing cybersecurity and data privacy risks and consider whether business model and cyber vulnerabilities necessitate additional oversight measures, such as leveraging outside cybersecurity experts to fill knowledge gaps or reevaluating the board’s committee structure so that appropriate time and focus is given to cybersecurity risk.
  • Prioritize oversight of climate and sustainability risk management. Understand the company’s exposure to climate impacts, how it is strategically addressing related risks, and how it is positioning itself for long-term sustainability and success in a carbon-constrained environment.

Evolve the board’s role in ERM

Most boards believe they are well equipped to effectively oversee risk management, but there is no room for complacency. To make sure they stay effective, they need a dedicated focus on emerging and existential risks on the board agenda. Boards should also utilize external experts to upskill the board, advise on specialized risks and stay on top of megatrends to identify risks and uncover opportunities.

It’s time for more time: key risks must be incorporated into the board agenda time

Board members are requesting more time to effectively oversee risk. Board members said making more time available on the agenda for open discussion on emerging risks and trends and setting time aside to discuss scenarios that could threaten the organization’s business model are the two most effective measures that would improve their risk oversight capabilities.

Survey suggests need to upskill boards

Sixty-four percent of board members believe their composition and the represented skill sets are adequate for overseeing their organization’s risk management. This finding reveals significant opportunity to strengthen board oversight through challenging current board competencies, assessing the need for board refreshment, enhancing diversity on the board for broader perspectives and experiences, and upskilling the full board through continuing training and education.

As business environments change, so too must the board competencies and practices that drive board effectiveness. While boards do not need to be experts in all the risks that might impact their business, they need to be sufficiently aware so that they can constructively challenge and question management. Board members should adopt a mindset of continuous learning and performance improvement and regularly participate in education programs that are tailored to the company’s business and industry as well as the skill set of the board itself.

External advice is key to staying on top of megatrends to identify risks and uncover opportunities

Boards must proactively take steps to keep updated on technology, economic and geopolitical developments so that they can effectively oversee risk management. Briefings from external advisors, industry analysts and independent subject-matter professionals are the most effective way of doing this. More than 40% of board members said such external advice is key to staying up to date on megatrends, emerging risks and potential strategic inflection points.

External advice is also key to avoiding groupthink and mitigating internal bias. Boards should more regularly complement management’s information with data and insights provided by independent sources so that they understand the latest developments and progressive oversight practices to prevent blind spots. As noted earlier, boards cannot be passive in waiting for this kind of information to come to them—they must actively seek out and obtain information, new learning and independent external perspectives.

Key board takeaways:

Evolve the board’s role in ERM

  • Include sufficient agenda time. Make sure there is enough time on the agenda to fully consider emerging risks. Reevaluate risk oversight practices and related structures to assess whether committee oversight changes would enhance oversight.
  • Seek outside expertise and incorporate external data. Seek external expertise from advisors, analysts and professionals, and incorporate external third-party data to gain the knowledge necessary to effectively oversee risk management.
  • Assess and enhance board competency and diversity. Conduct competency assessments to determine where there are skills and competency gaps that need to be filled.


Investors, regulators, consumers and other key stakeholders expect boards and risk functions to take responsibility for the expanded range of issues that are now an inescapable part of their environment, particularly emerging risks presented by technology advances, globalization and market disruption.

Boards and management teams need to find the right balance between managing legacy risks and the fresh challenges arising from embracing disruption to maintain their competitive advantage. This search for balance is further complicated by the need to update compliance and risk management models to incorporate a much more dynamic and interrelated risk landscape, as well as to meet enhanced stakeholder expectations for transparency and accountability.

The world of governance and risk management will continue to transform. There’s no off-the-shelf playbook to manage many of the complex and major risks identified in this post. For boards, their work should be to remain vigilant, increase their own fluency around emerging risks and external trends, and continually challenge and strengthen their oversight practices to enhance the organization’s agility and ability to survive and thrive.

Questions for the board to consider:

  • Does the organization take into consideration the full view of risks—upside, downside and outside—when developing its strategic blueprint?
  • How frequently does the organization test its strategy for resilience?
  • Is the organization’s risk function an intrinsic part of the organization’s strategic planning and decision-making process? To what extent does it leverage risk to benefit from the upside of disruption?
  • How effectively does the organization leverage risk intelligence to gather foresights, make better decisions, and increase internal and external agility?
  • Is the board using external perspectives and independent data to identify and monitor emerging risks?
  • Does the organization conduct risk assessments frequently enough to capture new risks and adjust its risk appetite accordingly?
  • Does the board allocate enough time on the agenda for open discussion and brainstorming on emerging risks and trends?
  • How can the organization improve its ERM practices and processes with the use of scenario planning, stress testing, and technology-enabled risk analytics and continuous monitoring?
  • How can the board better instill a risk mindset and culture that drives trust with the organization’s stakeholders?

The complete publication, including footnotes, is available here.

Both comments and trackbacks are currently closed.