EisnerAmper LLP’s fourth annual survey of corporate directors’ risk concerns features an interesting wrinkle: a look at how risk management issues differ depending on whether a board of directors oversees a public, private, not-for-profit, or private-equity-owned organization.
It turns out that public companies are better at leveraging strong internal audit functions in their risk management activities. The survey also indicates that directors of public companies could learn a thing or two from their non-public counterparts regarding long-term planning and patience, notes Steven Kreit, partner, audit, with EisnerAmper.
This year’s survey reflects the input of 235 corporate directors. Asked to set financial risks aside for this particular survey question, these respondents identify the following non-financial risks as their top concerns:
1) Reputational risk
2) Regulatory compliance risk
3) Cyber security/IT risk
When asked to flesh out what types of reputational risks keep them awake at night, respondents replied with the following:
1) Product quality/liability/customer satisfaction
2) Public perception/brand
Kreit took time to discuss, via an email chat, the survey’s other findings:
How are board members coping with the increasing complexity of risk management?
Steven Kreit: Board members deal with issues of risk more now than ever before. Risk awareness and mitigation strategies regularly come to their attention and are now a common part of virtually every meeting agenda. They have to cope with these issues because they are of immediate concern and thus they become part of a director’s personal responsibility – even their liability.
The impact of risk management on board members’ time goes well beyond longer meetings and meeting preparation, though, to include the need to learn and stay current on risk mitigation strategies, ensuring the company has the requisite skills in management to handle risks and to be sure the necessary investment in education is made available to management (and to the board).
What is the significance of social media on risk management and how can boards improve their risk management performance in that area?
Kreit: The viral nature of social media means that information and misinformation become instantly available to customers, competitors, regulators, employees and law enforcement all at once. Social media posts are immediate and, once public, are very difficult to remove.
The risk management performance improvement protocol most called for is to get ahead of an issue by identifying it as early as possible, involving key decision-makers and key spokespeople as quickly as possible to execute a mitigation strategy, and then broadly, truthfully and consistently communicating the steps management will take toward a solution. The key is to “own” the message and the discussion instead of reacting to someone else’s agenda.
If boards are increasingly uncomfortable using the CEO as a sole portal into risks faced by the enterprise, who else would you bring into the room to present and why?
Kreit: If there is a lack of comfort in using the CEO, then the board should call upon the next-level executive as determined by the nature of the risk (e.g., for financial risk use the CFO, for operational risk use the COO). Bringing in these other executives to explain their risk profiles and risk mitigation strategies should be standard operating procedure for boards at least once a year. Using the increased profile of risk as a board-level concern to help develop C-suite risk management communication skills is a side benefit of this necessary preparation.
What can public companies teach private companies about risk management and vice versa?
Kreit: Public companies can teach private, not-for-profit and fund management boards the value of an internal audit function. We see non-public boards not using or underutilizing the internal audit function, whether it is in-house or outsourced. The value of the internal audit findings, when done with proper independence, can’t be overstated and the report, when finished, should always go directly to the private company board or to whoever owns compliance.
Private companies can teach public company boards the value of patience and long-term planning. Don’t treat a risk mitigation program the same as issuing a quarterly filing but, rather, use the necessary time and resources to develop, test and implement a risk program over time that can stand on its own and become part of the corporation’s operating fabric.