Risk and Board Preparedness
These past two years have tested companies’ preparedness and reaction to the pandemic, demonstrating that many organizations were insufficiently prepared for, or unnecessarily slow in responding to, risk. For many businesses, the impact of Covid went beyond a mere disruption, putting them out of business permanently. Risks that threaten a company’s existence require a unique set of board skills and experience. The board’s role in ensuring readiness for such risks is critical, and the pandemic gave many organizations a wake-up call about mitigating risks going forward.
In an annual global board survey of approximately 1,500 corporate directors, McKinsey found that directors are not satisfied with their performance on risk management. In 2021 only 7 percent of the respondents believed that their boards were on track in their risk management effectiveness, and only 40 percent said that their organizations were prepared for the next large crisis.
“It’s the high-consequence, low-likelihood events, such as the pandemic, that can cause long-term economic impact, significant reputational damage, and leadership changes,” wrote Ophelia Usher of McKinsey. Boards need to identify events and decide which risks to prioritize, based on those that would have a significant impact on the core of their organization and business.
It is now necessary to consider scenarios where multiple risks hit at once, rather than looking at risks individually. The pandemic created the perfect storm of simultaneous risk scenarios: a health crisis, a financial crisis, a social crisis, and (as of this writing) a war in Europe, all at the same time. For example, an all-too-frequent operational risk scenario encountered in retailing during the pandemic was when stores suddenly closed and faced bankruptcy because of a combination of risks rather than individual risks. Cyberattacks and activist investor campaigns are obvious risks, but post-pandemic staffing shortages and supply chain disruption in many industries are risk trends that need ongoing assessment and stress-testing.
A crisis may first be identified as a single issue, but as the risk implications mature and develop, they are likely to spread into reputational and financial issues. While management is thinking about the higher-likelihood, lower-consequence risks, which are important for them to manage, boards should be discussing low-likelihood surprises and identifying the high-consequence ones that would impact the operating model and core values.
The World Economic Forum and other groups of experts have identified global risks. Boards need to discuss how these might impact their organization. In the past, some boards have relied on a set risk assessment format consisting of management presentations of their perceptions of known risks and the respective impact and likelihood of their occurrence, with directors asking a few challenging questions, after which the board may feel it has done its job. However, it is engaged and probing discussion among directors and management that can surface some of the big and otherwise unnoticed risks. New board members are sometimes best at identifying those risks because they can step back and ask the questions that long-time board members may not think of, or may assume the organization has already covered.
Recovery from big risks may include the company’s ability to invest in resilience. “There is baseline investment you need to make just to be prepared for crises in general. Then, some investments are needed to address long-term trends. We may get the timing wrong, but we can predict the trends, so those investments, if they are unaffordable, should make a board question whether their fundamental business needs to change. Those are long-term strategic decisions the boards need to oversee,” says Nora Aufreiter, board member at Scotiabank.
Identifying some risks and working today to mitigate them is not the answer. It is about building that long-term culture of managing risks. It’s a strategic process.
For mitigating the biggest risks there are obvious things like insurance. Hand in hand with this is the element of operating risk. An example given by the McKinsey Board team is to balance the cost of a chemical spill that forces a company to shut down its plant if there is the risk of pollution. There is insurance to mitigate this, but the company can also make safety and equipment changes and process improvements. Integrated risk management includes risk identification, policies and procedures for mitigation, and a well-designed insurance program; together with operational changes, these are steps that organizations can take to protect against these risks.
The traditional board, made up of financial experts, now requires the addition of new board members with skills in different areas. Experts in forensic analysis, communications, PR, or legal issues help support a company’s expertise on the trends in risk areas beyond financial.
It is also important for a board to be aware of industry trends in thinking about particular issues relating to risk. Reviewing the industry’s diverse ways of assessing and mitigating risks can provide examples of different approaches that may better suit a company’s model for addressing a particular predictable risk.
Boards should consider potential members based on their skills to make sure that the organization is as prepared as possible for the next big risk. Post-Covid, companies need to rethink the right mix of experience they need now in a very different world. There is an opportunity to seize the moment at the board level as well as the management level.