Risk and Opportunities Management by Company Boards
Balancing fiduciary duties with innovative strategies, company boards must address the challenges of disruptive models and digital transformation, while managing cyber risks and regulatory compliances.
When one thinks about board responsibility, accountability to shareholders and relevant stakeholders and multiple compliances come first to mind. However, a company board has an equally, if not more, important primary task. Its role starts with determining what a company will do and how it will do it. Next are the rudiments of what will be needed to achieve this vision and mission, i.e. determining the strategy and the structure to achieve that strategy. Someone has to deliver on this strategy, so the board delegates authority and responsibility to the company’s management. Finally, there’s the accountability to relevant stakeholders and related regulatory compliances.
In each step of the process, board members come face to face with several risks and opportunities. Ignoring risks creates peril; ignoring opportunities reduces value. Additionally, the board needs to evaluate every opportunity through a risk lens as well. In the 21st century, a key influence over all these tasks is the role of technology, specifically navigating the risks and opportunities of disruptive business models and of ongoing operations to determine the right approach for the business.
N.V. Ramanan, Associate Professor, Accounting, ISB, says, “The board’s core responsibilities are to shape a company’s vision, strategy and structure. This role exposes boards to multifaceted risks and opportunities, particularly in the tech-driven 21st Century. Disruptive forces, like climate shifts and digitisation, present challenges and avenues for innovation. As boards navigate this landscape, ERM emerges as a critical practice, aligning with regulatory obligations and broader fiduciary duties. Beyond compliance, embracing ERM enhances resilience, fosters growth, and ensures the enduring success of businesses in an ever-expanding risk landscape.”
Opportunities abound
Disruptive business models aim to capture unmet demands in the existing market with first-mover advantages. The idea is to capture mind space and market share, while competitors play catch up. Disruption could be about doing something completely new or doing something that exists in a bigger or better way. For example, e-commerce and marketplace models existed before Amazon.com. The disruption Amazon.com wrought was through technology and scale.
The difficulty businesses face is that there are forces constantly at play that are disrupting the status quo. Some of the known forces currently shaping industries are climate and energy transition, deglobalisation following the global financial crisis and the COVID-19 pandemic, changing demographics, digitisation and automation, and inflation.
Each of these forces presents risks but also opportunities for creating new business models that serve current and future needs. For example, there is an ongoing push to curtail polluting industries, such as steel and aluminium, in Europe. This forces a rise in imports from other countries, such as India and China, which is a little self-defeating. To counter this, the European Union came up with the carbon border adjustment mechanism, which is simply a carbon tax on imports. Rather than depend on diplomatic channels to resolve the impasse, companies in carbon-intensive sectors, including steel, cement, fertiliser, aluminium, and hydrocarbon products are looking towards innovations such as green hydrogen to mitigate such disruptions.
Several examples of disruptive business models that have evolved to meet consumer needs are all around us. These include marketplaces, the sharing economy, the gig economy, and the on-demand model. Several of these did not exist until a few years ago, and their scale could not have been imagined when they first emerged.
Similarly, the role of digital transformation in business sustainability is another key opportunity for businesses in the modern economy. Digital transformation can drive sustainable investment decisions, develop the required emphasis on ESG-related areas, improve disclosures, and build a differentiation from the competition.
How boards approach and oversee such strategic initiatives is vital to the business's long-term success. The board's context, mandate, and timeframes are different from company management, enabling board members to think beyond quarterly or annual performance. While in practice short-term performance and imperatives do take precedence, longer-term success will always remain the most critical imperative for the board.
The need to scan the horizon for both disruptive opportunities and threats requires board members to keep up with the times. For instance, if AI and Big Data Analysis are critical in driving operational decisions such as customer targeting strategies, they are equally vital in decision-making at the board level.
Building these specific skill sets while having a strategic vision is a balancing act for board members, one that itself requires a unique strategic skill set.
Risks abound as well
Here’s the flip side of technology: In February 2021, hackers stole personal information of 4.5 million Air India customers. Rival Akasa Air has also been subjected to a similar data breach. Data theft or other forms of cybercrime are just another modern form of risk faced by organisations. These risks can be of different hues at the individual organisation’s level or could be widespread, like civil unrest, or even global, like the COVID-19 pandemic.
Risk can thus be quite diverse. In the organisational context, it usually refers to any event or factor that impedes any business objective. Importantly, it needs to be recognised that risk isn’t unidirectional—risk could be an event that creates a downside or one that impedes the upside. By definition, these risks can come from many sources and impact multiple objectives. For ease of management, risks are usually classified into Operational, Strategic, and Financial. A ‘risk organisation’ encompassing multiple levels and teams manages them.
Enterprise risk management, or ERM, is a practice that is receiving belated recognition and importance in organisations and their boardrooms. It consists of developing systems and methodologies to assess how risk affects the organisation and devising plans for avoiding, mitigating, or managing these risks to minimise the downside. On the upside, ERM can also help identify firmwide strategic, operational, or financial opportunities for growth or profit. Its implementation is complex and is an organisation-wide activity involving all functions. While a risk organisation comprising a chief risk officer and various functionaries carries out the day-to-day implementation, the ultimate responsibility rests with the board members.
Recognitions such as the Indian Risk Management Awards, sponsored by ICICI Lombard and CNBC TV18, have also helped popularise the adoption of sound and formal ERM practices in corporate India.
The board’s role in ERM
As per Regulation 17 of the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations 2015, which details the compliance requirements of listed companies, the board needs to be aware of the entity's risk assessment and minimisation procedures and receive periodic updates on the same. The Indian Companies Act 2013 also has specific risk management compliances for which the board is ultimately responsible. These regulatory requirements are a belated and welcome effort at improving awareness of risk and managing it.
Besides compliance needs, ERM is a formal but natural extension of the board’s fiduciary responsibilities, which include ensuring the company’s strategy takes cognisance of risk. As a first step, this involves assessing and setting the organisation's risk appetite, considering its overall objectives, operating environment, capitalisation, liquidity, reputation, and any other imperatives vital to its existence. The board’s role is vital in the ERM process since a firm-wide approach is required rather than risk management in silos, given that most key business risks have deep interplay and downstream effects.
Once the risk appetite is gauged, the board steers the ERM process by instituting mechanisms to assess and quantify the probability and impact of key risks across all areas. The idea is to set the direction and tone, remain active in the ERM process, and own it by providing risk governance and a check on management through independent oversight.
A critical element of the board’s ERM responsibilities is business continuity and crisis management. This involves mapping scenarios for eventualities and designing and implementing mitigation measures. The responsibility for all these elements rests with operational executives and, ultimately, with the CEO and CRO. However, the board has to oversee the plan, be responsible for its adequacy, and ultimately own it.
In this context, a key aspect of ERM in board-level risk management discussions is cybersecurity, where the board should ensure that cyber risk is a key element of the risk framework and that exposures are assessed correctly for probability and impact. While such assessments are based on management inputs, board responsibility remains undisputed even for an area of which members have limited understanding. The implications are real—take the example of Target Corp., which lost the personal information of more than 60 million customers in a data breach in 2013. A class action lawsuit charged board directors with failing in their fiduciary duties by not ensuring adequate controls to ensure data security. Such direct assignment of responsibility to board members is becoming increasingly common.
Emerging trends
ERM is now an integral part of preventing fraud, preserving and improving business performance, and protecting stakeholder interests. Besides onerous regulations and a globalised and digitised business environment, the importance of data and technology has expanded the intricacy and breadth of responsibility for company management and directors. Their risk management skill sets must broaden and deepen around best practices, accepted frameworks such as that of the Committee of Sponsoring Organizations, or COSO, accepted principles, and more. While cybersecurity and data breaches are an ever-present threat for a variety of businesses, the pace of change and level of integration and globalisation mean that boards need to be in tune with a wide variety of risks.
Then there is the role of technology in ERM that board members need to be on top of. Besides technology-related risks, the utility of data analytics, artificial intelligence, and machine learning as risk management tools is only beginning to be understood. These and other advanced technological tools can enable an enterprise-wide visibility of risks, the lack of which has been a key lacuna in ERM.
The landscape of operational, strategic, and financial risks for a business is only getting wider, not narrower. Companies and their boards should welcome regulatory requirements and the establishment of ERM frameworks since these bring a needed focus on risk management.