By Maureen Bujno, Managing Director, Audit & Assurance Governance Leader and Governance Services Leader, Center for Board Effectiveness, Deloitte & Touche LLP
We’re not imagining it; rapid change and disruption are still on the rise—a trend observed in board thought leadership pieces over the past decade. However, the reasons for today’s business landscape disruptions are evolving and increasing. They include technology (such as AI and cyber), new regulatory requirements, changing customer preferences, activist investors demanding performance, and a new level of geopolitical uncertainty.
It’s easy to see from this list of disruptive changes that the number and types of risks boards should be prepared to oversee in 2024 and beyond have increased. In addition to a widening risk lens, boards are being called on to be a strategic differentiator for their companies and play a more active role in strategic risk oversight. Here are a few considerations for boards in their quest to keep pace with rising oversight expectations.
Still number one on the board’s list of responsibilities is collaborating with management in overseeing the creation of long-term shareholder value. Strategic resiliency is the key to this and is designed to strike the right balance between value creation and value protection. How? By anticipating and acting on risks when introducing or executing new strategies, thereby increasing the chances of success despite uncertainty. Scenario planning can also be effective. It allows the board to explore different scenarios of a strategic objective and potentially different risk tolerance levels, which it can accept or challenge.
How can boards help the companies they serve achieve strategic resiliency? For starters, they can verify that the enterprise risk management (ERM) program connects risk and strategy functions. A host of research studies demonstrate that organizations engaging in proactive risk management through a strategically focused ERM program see numerous benefits. They may avoid costly missteps, increase the probability of success with business strategies, perform better against goals, and recover more quickly from adverse events.
An effective risk program includes continually identifying and assessing emerging risks and related strategic impact. It is important to note that the audit committee (or risk committee, if one exists) of the board oversees this process. Given rapid changes in the marketplace, the audit or risk committee should also oversee the risk matrix—a list of the most significant risks. Furthermore, this committee works with management to allocate where each key risk on the risk matrix is overseen across the governance structure and makes sure the board or respective committee is hearing from the respective risk owner. Risks of and to the strategy should be discussed by the full board.
As part of this process, the responsible committee should constructively challenge management each quarter to make sure any new risks are added and any shifts in potential impacts of previously identified risks are being managed effectively.
An effective risk management program still may not identify the next global crisis. But it can help uncover disruptive competitors, environmental and social challenges, technology shifts, geopolitical risks, economic uncertainties, regulatory changes, and other critical strategic risks—as well as potential opportunities. Leading company risk programs identify some of these risks through an effective “sensing” program, which tracks risks external to the company (those that may not have company controls to allow for mitigation). Sensing allows the company to be better prepared in the event one of these risks were to come to fruition. A robust risk management program also provides a framework for the board to ascertain that management has current and comprehensive crisis management guidelines or playbooks in place.
Setting the company’s tone on transparency and accountability is another responsibility that typically falls on the board’s plate. This means dealing in a forthright manner with another strategic risk area: heightened activist investor activity. Boards must be transparent yet vigilant about areas that may potentially trigger activist interest—from high cash balances to dividend policies to stagnant earnings per share. By regularly reviewing short- and long-term strategic plans and risks through an activist lens, the board can challenge management to evaluate where vulnerabilities exist and put a plan in place to guard against them.
Deloitte’s Center for Board Effectiveness can provide additional insights and leading practices to advise boards on how to enhance their strategic risk oversight and potentially create greater value for the company and shareholders. I encourage you to visit our website and reach out with any questions.
Copyright © 2024 Deloitte Development LLC. All rights reserved.