Corporate board directors are working harder than ever before. New regulations, changing business models, rising shareholder activism, and other emerging risks require rapid responses. At the same time, technological innovation offers many companies a chance at digital transformation, adding urgency to the board's strategic mandate.

Our research shows that boards are overwhelmingly confident that they are doing all they can to anticipate and mitigate risks in their businesses. They unanimously agree that both long-term growth and risk management oversight are their top responsibilities. Rather than being paralyzed into inaction by these potentially contradictory remits, they view decisions they make through the lens of risk oversight. This approach helps directors think ahead.

Our survey and interviews show that most boards are adopting sophisticated risk management practices, even as the risk environment becomes more complicated and the stakes grow higher. As one non-executive director put it, companies must “see risk management as more than a tick-the-box exercise.”

Boards see a broad range of threats to their business today. When asked about the top risks to their organization, directors most frequently cited cyber risk; operational or supply chain risk; regulatory risk; financial risk; and risks to their business model from digital transformation. Top risks varied slightly by geographic region, but overall were very similar (Fig 1). We also found that most boards are being proactive to protect their businesses from emerging risks. Only 15% of survey respondents report suffering a major internal risk incident over the past three years, and several interviewees shared the risk management lessons their organizations learned from such events.

Fig 1: Please identify the top risks to your business today

* Indicative due to relatively low sample size

Board members know they cannot rest on their laurels. While our survey results show corporate governance is in fact evolving to meet new challenges, there is always room for improvement. The coming revolution in artificial intelligence and robotics has the potential to mitigate risks or multiply them, depending on how organizations deploy these technologies. Always on the horizon, too, are the “unknown unknowns” that boards must try to identify—even when these risks are unpredictable.

However, as we shall see, there is no single or infallible way to oversee risk. In heavily regulated industries like finance or pharmaceuticals, compliance forms such a significant part of risk management that board directors need to focus on operational risks. In industries undergoing upheaval because of business model transformation, like retail or media, the board may spend more time on strategic risk.

“Risk means different things, depending on the sector you're in and how heavily you're regulated,” says one UK-based director who sits on boards at both regulated and non-regulated companies.

These differences often determine risk management structures, including whether companies have a chief risk officer (or similar function) and whether they create one or more separate risk committees. Some companies rely heavily on their internal audit function, which may report to the board or to the audit committee. Industry differences can also affect internal board issues, like the audit committee's role. Thus, while board directors bear ultimate responsibility for risk management oversight, they have considerable leeway in how they discharge that responsibility.