Strategic risk oversight and the board’s expanding role and responsibilities

By Maureen Bujno, Managing Director, Audit & Assurance Governance Leader and Governance Services Leader, Center for Board Effectiveness, Deloitte & Touche LLP

Talking points

• The number and types of risks today’s boards oversee are expanding, as is the board’s role as a strategic differentiator.
• To keep pace with rising expectations, boards should play a more active role in strategic risk oversight.
• The Center for Board Effectiveness helps directors fulfill their oversight responsibility to the organizations they serve throughout their board service.

We’re not imagining it; rapid change and disruption are still on the rise—a trend observed in board thought leadership pieces over the past decade. However, the reasons for today’s business landscape disruptions are evolving and increasing. They include technology (such as AI and cyber), new regulatory requirements, changing customer preferences, activist investors demanding performance, and a new level of geopolitical uncertainty.

What does this mean for boards?

It’s easy to see from this list of disruptive changes that the number and types of risks boards should be prepared to oversee in 2024 and beyond have increased. In addition to a widening risk lens, boards are being called on to be a strategic differentiator for their companies and play a more active role in strategic risk oversight. Here are a few considerations for boards in their quest to keep pace with rising oversight expectations.

Balancing value creation and protection

Still number one on the board’s list of responsibilities is collaborating with management in overseeing the creation of long-term shareholder value. Strategic resiliency is the key to this and designed to strike the right balance between value creation and value protection. How? By anticipating and acting on risks when introducing or executing new strategies—thereby increasing the chances of success despite uncertainty. Scenario planning can also be effective. It allows the board to explore different scenarios of a strategic objective and potentially different risk tolerance levels, which it can accept or challenge.

The importance of enterprise risk management

How can boards help the companies they serve achieve strategic resiliency? For starters, they can verify that the enterprise risk management (ERM) program connects risk and strategy functions. A host of research studies demonstrate that organizations engaging in proactive risk management through a strategically focused ERM program see numerous benefits. They may avoid costly missteps, increase the probability of success with business strategies, perform better against goals, and recover more quickly from adverse events.

An effective risk program includes continually identifying and assessing emerging risks and related strategic impact. It is important to note that the audit committee (or risk committee, if one exists) of the board oversees this process. Given rapid changes in the marketplace, the audit or risk committee should also oversee the risk matrix—a list of the most significant risks. Furthermore, this committee works with management to allocate where each key risk on the risk matrix is overseen across the governance structure and makes sure the board or respective committee is hearing from the respective risk owner. Risks of and to the strategy should be discussed by the full board.

As part of this process, the responsible committee should constructively challenge management each quarter to make sure any new risks are added and any shifts in potential impacts of previously identified risks are being managed effectively.

Staying ahead of the next crisis

An effective risk management program still may not identify the next global crisis. But it can help uncover disruptive competitors, environmental and social challenges, technology shifts, geopolitical risks, economic uncertainties, regulatory changes, and other critical strategic risks—as well as potential opportunities. Leading company risk programs identify some of these risks through an effective “sensing” program, which tracks risks external to the company (those that may not have company controls to allow for mitigation). Sensing allows the company to be better prepared in the event one of these risks were to come to fruition. A robust risk management program also provides a framework for the board to ascertain that management has current and comprehensive crisis management guidelines or playbooks in place.

Transparency and accountability in managing activism

Setting the company’s tone on transparency and accountability is another responsibility that typically falls on the board’s plate. This means dealing in a forthright manner with another strategic risk area: heightened activist investor activity. Boards must be transparent yet vigilant about areas that may potentially trigger activist interest—from high cash balances to dividend policies to stagnant earnings per share. By regularly reviewing short- and long-term strategic plans and risks through an activist lens, the board can challenge management to evaluate where vulnerabilities exist and put a plan in place to guard against them.

What role can Deloitte play?

Deloitte’s Center for Board Effectiveness can provide additional insights and leading practices to advise boards on how to enhance their strategic risk oversight and potentially create greater value for the company and shareholders. I encourage you to visit our website and reach out with any questions.