From risk to resilience: A new paradigm in board risk oversight?

By Regine Slagmulder (IDN alumna & former INSEAD faculty member)

The Covid-19 pandemic has been an unexpected shock that is creating extraordinary challenges for companies and their boards on how to navigate uncertain and turbulent times. Previous viral outbreaks rarely made it onto busy boardroom agendas, but the sheer scale and impact of this crisis have called for undivided board attention. While high-impact/low-probability events are usually very difficult – if not impossible – to predict, it is never too early to start thinking about how to weather the next storm and come out stronger than before. This article argues that boards must spearhead companies’ transformative change in today’s business environment, which is characterized by high velocity, complexity, ambiguity, and unpredictability.

Risk management as a necessary but insufficient condition

As part of their oversight duties, the board of directors is responsible for making sure the company has put in place the necessary risk management capabilities to deal with the negative consequences of unforeseen events. Many companies have made significant progress in implementing adequate risk management systems and procedures, especially in the aftermath of the 2008 financial crisis. They are now better equipped than before to handle incidents through well-established risk registers for identifying risks, information systems that provide appropriate transparency on the downside impact, and contingency plans ready to be enacted whenever disaster strikes.

However, there is a major difference between risk events with well-known consequences, such as an industrial accident or a cyber-attack, and unprecedented disruptions, such as the Covid-19 pandemic. The former situations, as overwhelming as their occurrence might be, can be expected to return relatively quickly to the “old normal” after proper recovery measures have been taken. In contrast, the latter events typically do not lend themselves to an existing playbook approach to risk management and are likely to have a lasting impact – not only on individual companies but possibly on entire industries and geographies. While there are clear benefits to putting in place formal risk oversight arrangements, such as quantitative risk analysis and risk committees, to handle the “known” risks, these established mechanisms are insufficient in an environment of deep uncertainty characterized by “unknown unknowns”. Boards must, therefore, elevate their risk oversight role from a routine exercise in operational loss prevention and compliance, to acting as an enabler of long-term corporate resilience.


Building resilience: from fragile to agile

While most companies suffer considerably from dealing with an external shock such as the pandemic, some organizations appear to come out of the crisis remarkably resilient. To achieve effective governance, the board of directors must ensure that the necessary “resilience capabilities” are in place that allow the organization not only to bounce back from a high-impact disruption but also to adapt to the new reality more quickly than its peers. These capabilities relate to two key aspects of resilience – preparedness and agility.

First, preparedness refers to the pre-crisis arrangements that the company and its board have put in place to anticipate and proactively mitigate the negative impact of risk events. Examples include information systems for monitoring risk indicators, robust business continuity plans, and slack resources. It also involves actively engaging the diverse set of professional experiences and backgrounds present in the board as well as regularly obtaining outside-in views from external experts. The board’s continuous outlook for what may be coming “around the corner” can significantly contribute to sharpening the leadership team’s sensing skills and detecting strategic risks before they spin out of control. Forward-thinking boards also pressure test management’s assumptions about the longer-term consequences of the virus. Combining these insights and foresights in strategic scenario planning exercises enables boards to take precautionary measures already at an early stage, thus making their companies more resilient to shocks.

Second, agility is required because it is impossible to fully prepare and plan for complex and dynamic situations, especially when it is unlikely that the situation will afterwards return to the pre-shock state of normality. Superior levels of in-crisis adaptation enable companies to take decisions quickly and get ahead of the disruption. The first stage in crisis response is usually one of creative, entrepreneurial problem-solving in real time as the events unfold, to secure the company’s immediate survival. Then, as soon as the crisis is under control, the board should stimulate the management team to think proactively about introducing new business models in the “new normal”, for example by accelerating investments in digitalization. As such, it is important to shift from the classic mindset of mitigating downside risk to becoming more opportunity-driven. Board members need to proactively engage with their executives to discuss how even highly adverse events, such as the Covid-19 crisis, might be leveraged into strategic opportunities to be exploited in the longer term. For example, companies might consider acquisitions targeted at growth in previously underdeveloped market segments, such as a specialty chemical company diversifying into the medical hygiene products business. Effective risk oversight in the context of a major disruption thus requires boards to rise above their traditional monitoring role and develop a strategic stance to dealing with risk. Companies whose board members consider risk as an integral part of their business strategy rather than as an afterthought are bound to have a competitive edge in building resilience for the future.


Adopting a long-term view

While extreme circumstances require that the board’s immediate attention be directed towards ensuring the company’s survival, directors must also adopt a long-term perspective, with a clear focus on strengthening the organization’s resilience in a sustainable and purposeful manner. Maintaining a long-term perspective might entail a delicate balancing act to reconcile the interests of shareholders and other important stakeholders (employees, customers, suppliers and the broader community), as well as responding to calls for greater clarity on the organization’s ultimate purpose. Take, for example, the recent public outrage about several financially strong international groups that (ab)used governments’ emergency response to the Covid-19 crisis to defer rent payments on their shops, with potentially detrimental consequences for small store owners. In times of severe turbulence and existential anxiety, it is particularly important for boards not only to protect their company’s short-term financial and operational performance, but also act as a beacon with a long-term view for the future on corporate purpose, social responsibility, and reputation.

Why boards have a duty to reinforce resilience

By Didier Duret IDP-C, Non-Executive Director and Independent Adviser

Change is risky for firms, and boards of directors must see beyond talk of disruption and innovation to ensure companies focus on their essential qualities and a handful of best practices.

The current global lockdown, enforced by governments to minimise the Covid-19-led public health emergency, has led to the shelving of many firms’ multi-decade strategies to correctly allocate resources across different regions.

Boards of directors must now re-focus on their organisations’ long-term resilience. This must not be confused with short-term crisis management, which demands quick reactions, analysed relentlessly across digital media.

Prudence and strength

Resilience is a mixture of prudence and strength before a crisis and should be ingrained in firms. It is defined as “the degree of freedom we can deploy to act on events we cannot control”, by Boris Cyrulnik, French psychiatrist, author and Holocaust survivor. For most firms, it derives from a mix of efficient risk management and organisational flexibility. In order to boost resilience, boards must question assumptions, nail down governance principles and adopt sound stewardship.

The idea of resilience in business was popularised by Nassim Taleb in his 2012 best-seller Antifragile: Things That Gain From Disorder, which argued that both humans and organisations are poorly equipped to cope with shocks that accelerate change and have cascading consequences. While hardwiring to think in categories has helped our species survive, most phenomena in nature and society follow non-linear patterns with little respect for categories. Although we can model risk from yesterday’s data, we cannot apply it confidently to tomorrow’s uncertainties.

In modern corporate life, despite a professional culture that has elevated disruption to a virtue, change remains risky and unpredictable. Many start-ups do not survive, and large firms struggle to adapt. Disruptive ideas facilitated by ‘agile management’ have limited impact once they encounter bureaucratic inertia. The board is in a key position to see beyond management techniques and reflect on the essential qualities of a resilient firm.

Focus on what works

Rather than being hypnotised into a reverie of ‘innovation’, it makes sense to focus on a handful of best practices. Of these, financial resilience and access to cash is the most important. Heavy debt and weak solvency ratios undermine resilience. Boards have explicit responsibility for their firm’s capital structure and access to finance, plus oversight of remuneration and of dividend and share buyback policies. In a crisis, when survival is at stake, board members may seek access to new capital, renegotiate bank loans or seek to be bought out by a larger firm. Board oversight is crucial for the firm to exit a crisis with resilient, if battered, financials.

Diversification of activities, markets, products and suppliers is good business practice. Diversity of opinions, talents and skills among management, staff and board members also contributes to strategic resilience. A mix of genders, races, cultures, languages and expertise strengthens the reliability of operations and leadership competencies. External advisers and independent board members can help identify new trends signifying a paradigm shift. They reduce groupthink and corporate bias, constructing a vision that differs from the past. External think-tanks or business school experts can be valuable resources for the board to refocus long-term strategy based on short-term crisis-induced changes.

Discernment through judgemental resilience is a major governance skill exercised by the board. It can be reinforced to balance quantitative resource optimisation against qualitative operational resilience. Better data-driven “dashboards” do not mean better resilience, just as last week’s stock price does not tell us what next week’s will be. The board can ask the CEO to review crisis planning and the solidity of the strategy through a qualitative-scenario lens that differs from traditional quantitative-scenario planning, which, most of the time, is consensual to the industry or macro environment.

ESG goes mainstream

Environmental, social, and governance (ESG) policies have become mainstream, reinforcing resilience by reducing financial, operational, and reputational risks through selecting reputable commodity providers or avoiding financing controversial industries. But ESG-driven governance does not guarantee resilience. Recent 20-year-low oil prices are just as disruptive for power producers using wind farms and solar panels in the transition to renewable energy as for shale oil firms, radically transforming capital spending plans. But today’s unprecedented economic crisis is impacting global social and political dynamics as well as consumers’ visions of the world and leadership expectations. Authentic ESG culture may yet prove a competitive advantage in the post-Covid-19 ‘new normal’.

Humility offers a hidden dimension to resilience, counterbalancing the excessive risk-taking and corporate hubris associated with charismatic CEOs. Would WorldCom have survived with board members questioning its overmighty CEO Bernard Ebbers more explicitly? Good practice involves yearly independent assessment of performance and behaviour of the board chairman, members, CEO and executive committee. Humility does not mean timidity, as it can be courageous. An advisory board I sat on during the early weeks of the Covid-19 crisis pursued investment in strategic areas that had suffered from heavy losses through massive disruptions, but gave the CEO wide latitude to implement high-level decisions.

I believe boards of directors, by focusing more on conditions for resilience, can help firms achieve better financial, ethical and environmental results. Resilience in all its aspects has become a strategic requirement, and unless boards take a more socially oriented and strategic outlook for their organisations, billions of people will suffer, to the ultimate detriment of these firms.

Didier Duret IDP-C is a non-executive director, an investment committee member, and independent adviser to several private family offices and foundations.

This article was first published in the Private Wealth Management Magazine from the Financial Times on 23 May 2020, and can be found at https://www.pwmnet.com/Wealth-Management/Business-Models/Private-View-Blog-Why-boards-have-a-duty-to-reinforce-resilience

The Board’s role in Cyber Resilience

Webinar with Katja Severin Danielsson and Dimitri Chichlo – 9 June 2020

On 9 June 2020, IDN members discussed the board’s role in Cyber Resilience with guest speakers, Katja Severin Danielsson, IDP-C, NED and Dimitri Chichlo, IDP-C, NED in a webinar facilitated by Liselotte Engstam, IDN Board Member, and with Q&A support by Hagen Schweinitz, IDN Board Member.

Cyber damage is accelerating

Katja shared that cyber damage has been increasing as companies become more digital, and has accelerated dramatically during the COVID-19 crisis. However, according to PwC’s 22nd Annual Global CEO survey, only 15% of CEOs strongly agree that their company can withstand cyberattacks and recover quickly. Unfortunately, many boards are not engaged enough with cyber resilience; they need to increase their focus on it and make it a key part of their agendas. Further, Dimitri added that 76% of security professionals are focused on detection and containment rather than prevention. For companies, it is not a case of whether they will be hacked, but when they will be hacked, and how large the impact of the attack will be. Dimitri noted that the 15% from the PwC survey is a rather grim figure, considering how prone senior managers are to overestimate their capabilities.

Katja highlighted the World Economic Forum’s key messages on the current status of cyber risk and what needs to be done, and specifically emphasised that leaders need to create a culture of cybersecurity from the entry level to the top level of an organisation.

Source – World Economic Forum

Dimitri further noted that leveraging technology is an opportunity, however many companies were not prepared for the pandemic.

Five cyber risk governance principles

Katja shared the five cyber risk governance principles set out in the revised 2020 Cyber-Risk Handbook, which was released by the Internet Security Alliance, ecoDa, and AIG, and which was supported by PwC Sweden. This guide was developed for Europe but can be used by a global audience. There are also specific handbooks developed for other markets, for example the US and the UK.

The first three principles are the responsibilities of the board; principles 4 and 5 describe how the board should work with management and what it should expect from management.

The principles are:

  • Principle 1 – Directors need to understand and approach cybersecurity as an enterprise-wide risk management and strategy issue, not just an IT issue. Katja mentioned that cybersecurity should be integrated with business decisions, its assessment should be comprehensive, and it should consider the ecosystem of organisations (including third parties such as vendors and customers) that the company deals with. Directors need to understand not only the technical IT matters but also the operational matters that impact critical components of the business.
  • Principle 2 – Directors should understand the reputational and legal implications of cyber risks as they relate to their company’s specific circumstances. Katja noted that directors need to consider the industry that the company operates in and the type of company they have. The type of company determines the standards the company needs to comply with; some types of companies may need to maintain certain levels of security and comply with more transparency requirements, or face sanctions for non-compliance.
  • Principle 3 – Boards should ensure adequate access to cybersecurity expertise, with appropriate reporting, at both Board and Committee level. Board members should be fully engaged, make enquiries and challenge management. They should also ensure that they have access to the right reporting, at an appropriate level of detail, in plain English that is understandable and easy to use. Dashboards are often useful for following trends. Boards should bring experts and competence into the boardroom for training.
  • Principle 4 – Board directors should ensure that management establishes an enterprise-wide cyber-risk management framework that encompasses culture, preventive, detective and response capabilities, monitoring and communication at all levels. Resources should be adequate and allocated in line with the strategies adopted. Katja stated that the cyber-risk management framework should be aligned with the organisation’s strategy. Further, cyber-risk management is an iterative process: companies need to continuously update their understanding of, and act on, changes in their threat profile and current risk position. She highlighted the importance of understanding the company’s crown-jewel assets, understanding the current security posture (capturing strengths and dealing with the vulnerabilities), and ensuring that the controls and investment plans protect the right assets.
  • Principle 5 – Board-management discussions about cyber risk should include strategies for managing it (mitigation, transfer through insurance or partnerships, acceptance, etc.). Katja highlighted the importance of good reporting to allow directors to challenge management, and of the need to understand the strategies management plans to use to reduce, mitigate or avoid risk, considering the cost/benefit of those strategies. This is to ensure that investments in cyber security target the company’s threat profile and contribute to the company being more secure. Directors should ask management: “Are we spending our money wisely?”

The guide has five toolkits that directors and management can use to benchmark their cyber risk governance.

Participants then engaged in a lively Q&A session that covered a broad range of topics, including aligning the cyber strategy with the broader company strategy and day-to-day operations; how directors and their companies can improve their cyber resilience; whether boards should participate in crisis exercises; the benefits of having a cyber resilience committee; that cyber resilience is as much an HR/people and process issue as a technical risk; the importance of focusing on all stakeholders and dimensions when looking at the risks of a cyber attack (including financial, customer, reputational/media, shareholders, and third parties/ecosystem partners); understanding the crown jewels of the company; and how to have the right knowledge of cyber at board level and across the three lines of defence.

Summary

In her closing comments, Katja noted that cyber resilience is a board responsibility, and that:

  • Cybersecurity is one of the fastest growing threats to organisations
  • Cybersecurity is an enterprise-wide risk management topic, not an IT issue
  • The board needs to increase its insights and guide the organisation
  • Boards need to ensure that investments are targeted to the company context
  • Boards are responsible for addressing these threats

Finally, Dimitri concluded by stressing the necessity of having technology and cybersecurity experts on boards, and not only business experts and leaders.


Recommended reading

Cyber Risk-Oversight 2020 Handbook – https://ecoda.org/wp-content/uploads/2019/08/ecoDa-cyber-handbook-Final-15.4.20.pdf

Impact of COVID-19 on Cybersecurity (PwC) – https://www.pwc.co.uk/cyber-security/pdf/impact-of-covid-19-on-cyber-security.pdf

CEOs face test of resilience in 2019 (PwC) – https://www.pwc.com/us/en/services/consulting/cybersecurity/PwC_CEOs-face-test-of-resilience-in-2019.pdf

Cyber Handbook 2020 (NACD ISA) – http://isalliance.org/wp-content/uploads/2020/02/RD-3-2020_NACD_Cyber_Handbook__WEB_022020.pdf

WEF Cybersecurity Platform – https://www.weforum.org/platforms/shaping-the-future-of-cybersecurity-and-digital-trust

Cyberattack Map – https://cybermap.kaspersky.com