
Board confidence is high—and so is risk awareness

We asked survey respondents to rank, in order of importance, the top risks to their business out of a long list of 20 options—ranging from cyber risk and Brexit to catastrophic climate events. Of those, seven floated to the top, with remarkably similar response rates. Board members chose cyber risk most often (42%); operational and supply chain risks are joint second (39%); and regulatory risks (36%) come in third, closely followed by financial risk (35%) (Fig. 2).

It is no accident that risk areas where the board has a measure of control—CEO succession, key person risk, shareholder activism—rank far lower on directors' list of concerns. For example, only 4% of survey respondents mention CEO succession and key person risk among their top three concerns and just 6% cite shareholder activism. On the other hand, areas where risk events cannot be predicted or controlled, like cyber, rank much higher.

“[Our company] does worry about cyber risk and puts a lot of effort into systems,” says the CFO of a UK food services company who serves on its board. “However, we do get attacked on a regular basis. The challenges for the IT security plan are how to defend the perimeter and how to protect internal contamination.”

The chairman of a UK financial services company says that corporate directors can reduce operational risks by engaging with the business. “The real risk of a business doesn't derive from board process, requirements to report, or its composition,” he says. “It derives from the board's lack of engagement with, and understanding of, how the underlying business actually operates. The board needs to understand the guts of the business.”

Not surprisingly, top risks cited by board members reflect their industry and geographic market. Whereas only 12% of survey respondents overall cite Brexit as a top risk to the business today, 60% of UK-based directors do. Meanwhile, 80% of directors at financial services firms say cyber risk is a top concern and 75% at food or consumer products companies cite supply-chain risks. (For more geographic and sector insights, please see the Appendix.)

Yet it would be dangerous to tie a company's risk vulnerability too closely to its region or industry. For example, although few of our survey respondents in the chemical and energy sectors named cyber as a top risk, a cyber attack on a utility or chemical plant could have catastrophic results. Furthermore, risks can have spillover effects: Some board directors noted in interviews that their companies' supply-chain and operational risks were related to Brexit uncertainty. This may explain why relatively few respondents globally cite Brexit as a top risk—for some companies, it translates directly into other types of risk.

Fig 2: Cyber emerges as a top business risk, while issues under the board's control rank lower

* Indicative due to relatively low sample size

Many boards are addressing these risks proactively. A majority of survey respondents, as well as many interviewees, say they have adopted new risk management practices in response to emerging cyber risk (65%) and regulatory risk (55%). Nearly all financial services respondents (93%) say they have updated cyber risk management practices. In addition, at companies that manage supply chains, procurement executives brief the board on a variety of topics—from corruption and bribery risks to supplier concentration and creditworthiness. About half of our survey respondents receive these briefings biannually and a fifth receive them quarterly. However, there is room for boards to be better informed. Half of respondents never receive briefings on geopolitical risks and 43% never receive briefings on IP theft.

On the whole, our survey respondents are extremely confident in their risk management practices. Overall, 99% of respondents say their board is doing all that it can to identify and anticipate risks within their business, a number that is remarkably consistent across geographic locations, industry sectors and company sizes.

For example, to get ahead of cyber risk, the finance director of one UK industrial manufacturing firm says: “We have external support looking at our IT security infrastructure. Our financial teams are also running risk seminars internally every six months to highlight cyber risk and security issues.”

Such approaches appear to be paying off. Only 15% of our survey respondents reported suffering a major internal risk incident in the past three years. It is clear from our survey that boards are adopting new practices to address certain risks. This indicates a shift is under way in how companies take on emerging risks and potential “unknown unknowns.”

The majority of survey respondents and interviewees say they have changed their risk management practices in response to emerging risk, especially cyber