Is Your Board of Directors Doing Enough to Protect Your Organization Against Risk?
Risk management is a common boardroom discussion topic in many organizations these days. But what types of risks are board members most concerned about? According to leading accounting and advisory firm EisnerAmper’s fifth annual Concerns About Risks Confronting Boards survey, reputational and cybersecurity risks are the two areas that worry board members the most. The survey, conducted during the first quarter of 2014, captured the thoughts of directors from more than 250 public, private, and not-for-profit organizations with annual revenues ranging from less than $1 million to more than $1 billion.
Damage to reputation is the top concern of board members
The pervasiveness of social media has had an increasingly significant impact on an organization’s ability to protect and preserve its good name. News of even the smallest misstep can quickly and easily spread, which is clearly reflected in the survey results. When asked to identify the areas of risk they viewed as most important (apart from financial risk), 72 percent of respondents identified reputational risk. Worries about damage to reputation were the highest for directors in not-for-profit operations, with a response rate of 82 percent.
Concerns about cybersecurity breaches ranked second
As organizations continue to rely heavily on Internet-based technologies to perform critical business operations, they also face an enhanced risk of a potentially devastating cybersecurity breach. Board members are acutely aware of this disturbing fact; 62 percent of all survey respondents identified cybersecurity risks as a primary area of concern, an increase of nine percent from the previous year’s survey.
Cybersecurity actually rated higher than reputational risk as the primary area of concern for board members of private companies, as well as all companies with annual revenues exceeding $1 billion. Cybersecurity is often linked with reputational risk, as a cybersecurity breach that exposes sensitive personal data can cause extensive, sometimes irreparable, damage to an organization’s reputation.
Regulatory/compliance risk
While cybersecurity surpassed regulatory/compliance to become the second leading area of concern in 2014, the latter remains a key point of focus for directors. Fifty percent of all survey respondents listed regulatory/compliance as a potential area of vulnerability. Sixty percent of public companies considered regulatory/compliance as a principal risk area, compared to only 38 percent of not-for-profit organizations.
Organizations are in no hurry to create a plan to combat risk
Interestingly, the heightened concern about reputational and cybersecurity risk has not necessarily motivated board members to develop an organizational contingency plan to address these risks if and when they occur. Only 31 percent of survey respondents listed crisis management as an area that warrants their attention, down from 39 percent in 2013. Disaster recovery was also not a primary focus, as this was viewed as important by only 30 percent of the 2014 respondents, compared to 39 percent in 2013.
Even more surprising, 22 percent of the survey respondents indicated that their organization had no formalized, proactive plan to address reputational risk, and only 36 percent said they have a comprehensive enterprise risk management program fully in place. This raises an important question: If, as the survey points out, so many board members believe their organizations are exposed to certain risks, why aren’t they doing more about it?
Perhaps the reason board members don’t feel a sense of urgency to address risk is that they already believe they are doing so successfully. Eighty percent of respondents indicated that they are addressing identified risks either “well” or “very well” through vehicles such as regular board and committee meetings. They also feel that most of the other risk management methods being deployed within the organization are achieving the desired results. The old adage “if it isn’t broken, don’t fix it” appears to be the driving force behind the board’s lack of action in most cases.
Developing a plan for addressing risk in your organization
An important conclusion that can be drawn from this survey is that the majority of organizations need their boards to become more proactive in confronting the various risks, particularly reputational risks, which pose an ever-increasing threat to their operations. Key elements of any well-developed plan to address reputational risk should include:
- Response and communication plans
- Ongoing training and education
- Consistent monitoring
- Effective leveraging of internal controls
- Leveraging the expertise of professionals within the organization, particularly public relations, marketing, and legal personnel
Establishing and enforcing ethics policies and procedures can also go a long way toward preventing inappropriate behavior that could result in reputational damage. The Lighthouse Services white paper Developing a Code of Conduct: A Step-by-Step Guide can serve as a useful tool for creating a comprehensive Code of Conduct that can help to build a solid ethical foundation for your organization.