The podcast and the article are brought to you by The Better Boards Podcast Series.
Recent research revealed that 87% of board members believe market disruptions are becoming increasingly frequent, and 83% say they are increasingly impactful. At the same time, 79% believe risk management will be critical in enabling their organisations to protect and create value in the next five years.
In this podcast, Dr Sabine Dembkowski, Founder and Managing Partner of Better Boards, discusses the risk environment with Zahra Cassim, CEO of Corporate Secretaries International Association (CSIA), and David Samy, Consulting Partner at EY Hong Kong, who lead a joint project to produce the report “Roles of governance professionals in today’s post-pandemic and dynamically changing risk environment”.
David Samy is a Consulting Partner at EY Hong Kong, with 20+ years of experience in providing governance and risk management transformation, internal audit and controls consulting with EY in Malaysia, Hong Kong, China and the USA. He promotes governance and risk awareness in both the public and business sectors and is responsible for advancing the transformative agenda relating to these areas.
Zahra Cassim is the CEO of CSIA, with over 20 years of experience as an education specialist in the professional body sector and promoting an understanding of the role of the professional body in developing people and recognising specialist skills. She is driving the recognition of the role of the corporate secretary and governance professional, creating an authoritative, global platform for the advocacy and adoption of corporate governance worldwide and the recognition of CSIA as the global voice of corporate secretaries and governance professionals.
“There’s often not enough time on the agenda to deal with what might happen in the future”
Zahra explains that there has previously been a general lack of board focus on risk oversight. Risk has tended to be driven and managed in functional silos, resulting in a lack of a structured approach to collecting and analysing risk information. This has been compounded by the underutilisation of technology and the right tools to analyse those risks. Finally, there can often be poor communication of risk from business units through senior management to board level, so boards are unaware of existing or impending risks. She feels risk management must be integrated into strategic planning and decision-making.
Zahra also identifies a lack of accountability for risk management, citing a survey in Hong Kong where only 42% of companies have clear responsibility lines for managing risk and risk oversight. Of course, the board is ultimately responsible, but there is often just not enough knowledge and experience at the board level about market disruptions such as ESG, technology, governance, and regulatory changes and not enough time on the agenda.
Zahra explained that not many organisations had put processes and tools in place. More than half of respondents in a recent survey are still using traditional risk reporting tools, such as tables and charts, rather than employing technology.
“What the boards need to do is to prepare for a GREATER range of disruption and risk”
David believes that risk fatigue may occur in a lot of organisations. The risks are very clear, but where the board is inexperienced and there is a lack of guidance or stewardship, the board can lose focus and be unable to give long-term risks the attention they deserve. Especially when designing mitigation of those longer-term risks, boards may not be channelling the right level of resources and effort to address them adequately.
David explains that ESG is an excellent recent example of emerging risks but believes boards need to prepare for an even greater range of disruption as risks such as cybersecurity, talent and geopolitical risks are growing in frequency and severity. Preparing for these types of risks is necessary. He expresses concern that once the priority is set on the wrong risk, this could create additional issues as organisations start and continue down a path that may not drive the most value to them, as changing directions takes time to implement.
“Risk management programmes have not caught up and have remained a very high static process”
To put this into context, David uses cybersecurity risk, describing how a 2020 survey put boards’ confidence in their organisations’ ability to counter cybersecurity threats at around 20%, but by 2021 this had dropped to 9%. He explains that this is an alarming decline and has a lot to do with how risk and risk management programmes are being run at present. Digital modernisation has accelerated within most organisations during the recent past, but risk management programmes have not really caught up. Most of the programmes he sees have remained highly static and are still primarily driven by disclosure requirements in the jurisdictions of operation.
He points out that the risk management profile or dashboard is usually presented to the board annually, which is not ideal. All this creates a situation where, firstly, risks continue to be managed in silos across many different parties within the organisation, often duplicating effort. Secondly, this limits the focus on technology governance and prevents the use of data.
“Risks are managed in silence, and so very often not communicated to the board”
Zahra explains that one of the critical tasks of the Corporate Secretary is to consolidate information, ensuring that the board is fully aware of all risks when making decisions. But they also need to ensure they integrate risks into strategy. She describes a survey that the Hong Kong Chartered Governance Institute conducted, where 85% considered ESG-related risks in their long-term strategies, in line with the trend that ESG is now a major focus for regulators. But despite this, only 18% were fully integrated and 37% were partially integrated into the ERM system. She believes insufficient consideration is given to the risks during the risk management process.
Zahra puts this down to ESG-related risk being an area that is both very new and very complex and feels it is important for the Corporate Secretary to ensure there is an effective enterprise risk management system in place, and that it is implemented across the organisation in order to integrate all risk information.
“The Corporate Secretary can ensure that they are ready to actually deal with emerging risks”
Zahra explains that the Corporate Secretary must identify what critical risks need to be brought to the attention of the Board, and ensure that the Board responses are aligned with the strategy and comply with regulatory requirements. Board members need to understand the legislative, regulatory, and policy implications of the decisions that they are about to make in order to respond to the risk, and again, it is the role of the Corporate Secretary to educate and update the board.
In terms of future risks, Corporate Secretaries need to be proactive, and Zahra believes their role is very much anticipating the scenarios that could impact the organisation’s operations, how the strategy will be executed and putting processes in place for regular risk assessments. She relates that some surveys and research quote that over 80 percent of respondents perceived that their organisations were at least adequately effective in taking action on identified key risks and anticipating and managing emerging risk. But 14% of respondents did not even have a risk profile, so could not identify what the critical risks were, and 38% only refreshed the profile or did risk assessments annually. She agrees with David that technology is also a vital area and feels the Corporate Secretary is the link between technology and governance. She also needs to ensure that the board has the skills and knowledge to use the technology to facilitate better decision-making.
“There’s always a solution for every situation”
David offers two tips. First, start with driving awareness at the board level, by identifying a risk steward, a role the governance professional or Corporate Secretary can play. The required traits are the ability to break down silos within an organisation, being knowledgeable about the organisation’s cultural risk appetite, and the ability to motivate leaders in adopting a common definition for risk.
His second tip is unlocking the value of ongoing digital transformation by tapping into Governance, Risk and Compliance (GRC) technology to create a single view of risk across all functions, leverage available data sources, and simplify the process, while enabling a common risk ecosystem and shared focus across the organisation.
“ESG is such a complex issue, and it encompasses many other issues”
Zahra explains that ESG encompasses many issues in each category and how it is managed depends on the jurisdiction, the industry, the size of the organisation, etc., so both board and management must have an adequate and common understanding of the impact and relevance of ESG-related issues to the business. The Corporate Secretary must get buy-in and support from the Board to set the tone at the top.
Many organisations have Board members who lack expertise and experience in ESG matters. Zahra suggests that one of the ways for Corporate Secretaries to train board members is to set up committees on ESG matters and partner members with executives leading sustainability initiatives. The Corporate Secretary also needs to ensure that the board engages in ongoing dialogues with key stakeholders to understand their needs and ensure that their interests are accounted for in key business decisions.
“Boards want to spend more time on transformational related discussions”
David shares that recent research shows 59% of boards say allotting more time for an open discussion over emerging trends and potential disruptions would improve risk oversight. Boards want to spend more time on transformation-related discussions, managing emerging risks and scenario planning, but in reality, they spend the most time on financial reporting and traditional risk and compliance matters. Therefore, they are increasingly looking to governance professionals to advise them on potential compliance failures and respond to and mitigate such concerns. This arrangement will allow the board to allocate more time and attention towards risk oversight instead.
The three top takeaways from our conversation are:
- As trusted strategic advisors to the board, governance professionals are uniquely positioned to help the board align strategy to the regulatory landscape, technological advances, and ESG-related concerns. They are expected to help establish an effective system to identify and manage risks and opportunities.
- Corporate Secretaries are increasingly approached to facilitate enterprise risk management. Their understanding of business concerns and organisational culture and their ability to be the bridge between board and management is valuable in risk assessment and management.
- To unlock the value of technology while minimizing its risks, governance professionals must successfully build towards a digitally savvy and technologically advanced foundation for corporate governance.