Corporate Boards are deepening their involvement in company strategy and refining their oversight of the critical risks facing the business, but there’s “still work to be done” if organisations are to meet the challenges set by the 2014 UK Corporate Governance Code. That’s according to the outcomes of a new survey conducted by KPMG’s Audit Committee Institute.
Compliance with the Code’s guidance on risk management and internal control requires inter alia that Boards make a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy. However, while many UK audit committee members said their Board had increased its involvement in strategy formulation (67%), monitoring strategy execution (62%) and focus on technology issues including cyber security (51%), only half (51%) were satisfied that risk and strategy were effectively linked in Boardroom discussions.
“The complexity and global volatility that we’re seeing – such as swings in commodity prices and currencies, a decelerating China, uncertainty in geopolitical hotspots, technology innovation and disruptive business models – are clearly impacting the Board’s involvement in strategy and risk,” asserted Timothy Copnell, chairman of the UK Audit Committee Institute. “There’s a very real danger that many Boards are seeing risk management as a ‘bolt-on’ exercise which, potentially at least, leaves them exposed to the strategic risks that could affect the company as well as its longer term viability.”
Despite the increased focus on cyber security and technology risk as a critical business priority, 39% of UK respondents said the full Board should be devoting more attention to cyber risk. In parallel, the adequacy of cyber and technology expertise – via third parties and/or on the Board – continues to be a concern.
Copnell went on to state: “Unfortunately, there remains a dearth of cyber and wider technology expertise on Boards of Directors. 50% of UK respondents recognise this need very well, but the risk and opportunities are so large. Someone on the Board has to know the right questions to ask and be in a position to understand the answers.”
The survey responses, which emanate from more than 100 senior UK audit committee members (and over 1,000 directors worldwide), suggest that while many Boards are clearly stepping up their game, significant challenges remain, including linking strategy and risk, more clearly defining risk appetite and addressing the growing risks associated with cyber security and technology.
Key findings of the research
Boards continue to deepen their involvement in strategy (including execution). Some 88% of UK survey respondents said the Board has deepened its involvement over the past two-to-three years in the formulation of strategy and consideration of strategic alternatives, monitoring execution, devoting more time to technology issues (including cyber security) and recalibrating strategy as needed.
Effectively linking strategy and risk continues to elude many Boards. Only 51% of UK survey respondents are satisfied that strategy and risk are effectively linked in Boardroom discussions.
Risk-related decisions, many respondents said, would be most improved by more closely linking strategy and risk, as well as having a more clearly defined risk appetite, a better assessment of risk culture and affording greater consideration to the “upside of risk taking” (versus risk avoidance).
Better risk information and access to expertise are (still) top of mind. Many Boards have recently taken steps – or at least discussed ways – to strengthen their oversight of risk, mainly by improving risk-related information flowing to the Board, but also by hearing more independent views and refreshing the Board/recruiting expertise, co-ordinating (and reallocating) risk oversight responsibilities among the Board’s committees and/or changing the Board’s committee structure.
Six years after the Walker Review into the governance of UK banks, 26% of those surveyed are still looking for ways in which to combat asymmetric information risk, with an over-reliance on management seen as being the prime source of information.
Cyber security may require deeper expertise, more attention from the full Board and, potentially, a new committee. Deeper technology expertise on the Board and greater use of third party expertise would most improve the Board’s oversight of cyber security. That’s the considered view of survey respondents. Also, despite cyber issues rising up the Board agenda in recent years, almost 40% of UK respondents suggested that cyber security needs even more of the Board’s time.
Oversight of key strategic and operational risks could be more effectively communicated among the Board and its committees. Nearly 40% of UK survey respondents cite room to improve the communication and co-ordination among the full Board and its committees on oversight of the company’s key strategic and operational risks (eg strategy, CEO succession, talent, regulatory compliance, cyber security and emerging technologies in addition to supply chain-related issues).
*Copies of KPMG’s survey, entitled ‘Calibrating Strategy and Risk’, are available here.