KPMG Survey: “Risk and strategy ‘two sides of same coin’ but many Boards failing to make the link”

Despite recognising the need for greater technology expertise at Board level, few have the right skill sets. That’s one key finding of the latest study conducted by KPMG’s Audit Committee Institute.

Corporate Boards are deepening their involvement in company strategy and refining their oversight of the critical risks facing the business, but there’s “still work to be done” if organisations are to meet the challenges set by the 2014 UK Corporate Governance Code. That’s according to the outcomes of a new survey conducted by KPMG’s Audit Committee Institute.

Compliance with the Code’s guidance on risk management and internal control requires inter alia that Boards make a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy. However, while many UK audit committee members said their Board had increased its involvement in strategy formulation (67%), monitoring strategy execution (62%) and focus on technology issues including cyber security (51%), only half (51%) were satisfied that risk and strategy were effectively linked in Boardroom discussions.

“The complexity and global volatility that we’re seeing – such as swings in commodity prices and currencies, a decelerating China, uncertainty in geopolitical hotspots, technology innovation and disruptive business models – are clearly impacting the Board’s involvement in strategy and risk,” asserted Timothy Copnell, chairman of the UK Audit Committee Institute. “There’s a very real danger that many Boards are seeing risk management as a ‘bolt-on’ exercise which, potentially at least, leaves them exposed to the strategic risks that could affect the company as well as its longer term viability.”

Despite the increased focus on cyber security and technology risk as a critical business priority, 39% of UK respondents said the full Board should be devoting more attention to cyber risk. In parallel, the adequacy of cyber and technology expertise – via third parties and/or on the Board – continues to be a concern.

Copnell went on to state: “Unfortunately, there remains a dearth of cyber and wider technology expertise on Boards of Directors. 50% of UK respondents recognise this need very well, but the risk and opportunities are so large. Someone on the Board has to know the right questions to ask and be in a position to understand the answers.”

The survey responses, which emanate from more than 100 senior UK audit committee members (and over 1,000 directors worldwide), suggest that while many Boards are clearly stepping up their game, significant challenges remain, including linking strategy and risk, more clearly defining risk appetite and addressing the growing risks associated with cyber security and technology.

Key findings of the research

Boards continue to deepen their involvement in strategy (including execution). Some 88% of UK survey respondents said the Board has deepened its involvement over the past two-to-three years in the formulation of strategy and consideration of strategic alternatives, monitoring execution, devoting more time to technology issues (including cyber security) and recalibrating strategy as needed.

Effectively linking strategy and risk continues to elude many Boards. Only 51% of UK survey respondents are satisfied that strategy and risk are effectively linked in Boardroom discussions.

Risk-related decisions, many respondents said, would be most improved by more closely linking strategy and risk, as well as having a more clearly defined risk appetite, a better assessment of risk culture and affording greater consideration to the “upside of risk taking” (versus risk avoidance).

Better risk information and access to expertise are (still) top of mind. Many Boards have recently taken steps – or at least discussed ways – to strengthen their oversight of risk, mainly by improving risk-related information flowing to the Board, but also by hearing more independent views and refreshing the Board/recruiting expertise, co-ordinating (and reallocating) risk oversight responsibilities among the Board’s committees and/or changing the Board’s committee structure.

Six years after the Walker Review into the governance of UK banks, 26% of those surveyed are still looking for ways in which to combat asymmetric information risk, with an over-reliance on management seen as being the prime source of information.

Cyber security may require deeper expertise, more attention from the full Board and, potentially, a new committee. Deeper technology expertise on the Board and greater use of third party expertise would most improve the Board’s oversight of cyber security. That’s the considered view of survey respondents. Also, despite cyber issues rising up the Board agenda in recent years, almost 40% of UK respondents suggested that cyber security needs even more of the Board’s time.

Oversight of key strategic and operational risks could be more effectively communicated among the Board and its committees. Nearly 40% of UK survey respondents cite room to improve the communication and co-ordination among the full Board and its committees on oversight of the company’s key strategic and operational risks (eg strategy, CEO succession, talent, regulatory compliance, cyber security and emerging technologies in addition to supply chain-related issues). 

*Copies of KPMG’s survey, entitled: ‘Calibrating Strategy and Risk’, are available here

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
