Chapter 1
Corporate purpose and value statement
Defining the importance of lived purpose to achieve long-term value
Society is increasingly expecting organizations to be part of the solution to health, economic, societal and environmental challenges. This gives organizations an opportunity to put their purpose to work by taking meaningful action. A growing number of customers and employees want to interact with organizations that clearly define and live their purpose, and inspire values in support of these efforts.
According to the EY EMEIA Board Barometer 2022, over four-fifths (81%) of board members believe that purposeful business and long-term value are relevant for today’s organizations. Meanwhile, 66% of European C-suite leaders and board members who responded to the EY Long-Term Value and Corporate Governance Survey believe the pandemic has increased stakeholders’ expectations that companies will drive societal impact, environmental sustainability and inclusive growth.
So great is the power of purpose that it can be an important market differentiator. Research suggests that consumers are four to six times more likely to buy from companies with a strong purpose.[1] Therefore, it is unsurprising that investors are paying increasing attention to ESG factors, including purpose, when evaluating companies as a part of their capital allocation processes.
Initiate real action to deliver on purpose
By being clear about why they exist and how they plan to achieve their goals, organizations are not only safeguarding their reputation, but are positioning themselves for long-term success in a fast-moving business environment. Guided by their purpose, mission and values, organizations will be more effective at navigating change and disruption, and managing risk, while meeting evolving stakeholder expectations.
Boards should be closely involved in the organization’s process for defining and implementing its purpose. This can be based on four pillars:
- Aligning leadership around your purpose
- Engaging employees in your purpose journey
- Embedding purpose in your customer experience
- Anchoring your strategy to your purpose
Boards should also work with management to effectively embed these pillars in the organization’s strategic road map to inform decision-making over the long term.
Recommended actions
By setting the right tone from the top, boards can drive comprehensive discussions about their organization’s history, marketplace performance, current culture and future potential. European boards can do this by:
- Scrutinizing outcome measurement and appropriate metrics (such as the World Economic Forum’s Stakeholder Capitalism Metrics) to monitor the organization’s progress against its purpose-driven goals
- Reflecting on the board’s purpose and mission, as well as its stated ESG objectives
- Using purpose to inform decision-making in areas such as culture, investment, external reporting and talent management
- Linking remuneration with executives’ success at achieving ESG objectives and delivering on the organization’s purpose
- Ensuring that purpose is clearly communicated to every employee, with the purpose not presented as a framework to follow, but rather a direction to aspire to
Chapter 2
Culture and integrity
Taking tangible action to shape organizational culture
Organizations are under pressure to deliver more, at a faster rate, to a larger market, in a more sustainable way.
In this scenario, corporate culture — defined as how organizations are operating, creating value, motivating their workforces and making decisions — is attracting key stakeholders’ attention. Aligned with the organization’s purpose and strategy for long-term value creation, culture is of critical importance across four stakeholder groups: employees, customers, shareholders and society.
And with good reason. COVID-19 raised awareness of shifts in the post-pandemic fraud landscape. Research by the Association of Certified Fraud Examiners, published in November 2021, discovered that 51% of anti-fraud professionals had uncovered higher levels of fraud since the start of the pandemic. Alongside culture, the focus of stakeholder attention is on adherence to law and regulation (compliance) and agreed moral standards (integrity).
To address these challenges, organizations need to maintain high behavioral standards to attract and retain customers and employees, as well as investment capital. Having a culture of quality and integrity will also enable organizations to avoid regulatory fines, minimize risks of reputational damage and prevent loss of market share.
Uphold your organizational culture
Research also shows that organizational culture drives ethical behavior.[2] When employees of an organization perceive top managers to be trustworthy and ethical, that organization is likely to perform better financially and be more attractive to potential recruits.[3] Boards that focus insufficiently on culture put the long-term sustainability of their organization at risk.
As custodians of their organizations’ culture, boards can play a crucial role in shaping and defining the organizational culture. Through individual actions, board members can also personally define what integrity means in practice and set the behavioral standards for their organization.
Recommended actions
Boards need to focus on several areas, such as organizational governance, leadership and management style, existence of a “speak-up” culture, as well as HR life cycle integration. Monitoring all these areas should be underpinned by performance measurement, using quantitative data and KPIs.
According to the EY Board Imperative study, boards can be proactive about governing the culture of the organization in four ways. They can:
Chapter 3
New ways of working
Integrating talent management and new ways of working into board discussions about strategy and risk
The pandemic has only accelerated changes that were in motion even before the advent of COVID-19. Organizations were already enhancing workplace digital capabilities, while engaging skillful independent contractors and gig workers, and offering staff remote and flexible work.
These trends suddenly became normalized by the pandemic. Employees’ expectations have now evolved significantly around when, where and how they work.
Having proven their ability to work effectively remotely, employees increasingly expect their employers to offer flexible working arrangements and supporting technology to help them collaborate effectively.
Additionally, the skills shortage in most European economies, accelerated by the pandemic, has become a major challenge to corporate strategy. Businesses are prioritizing talent management strategies by effectively addressing development, recruitment, retention and well-being. They are also considering agile teaming, digitalization and flexibility as competitive factors.
Like employees, boards have also evolved by increasingly meeting via video conferences and web meetings. They have prioritized agility, taking a more flexible approach to agenda setting, and investing in new digital tools that provide real-time information and insights.
Move talent management from strategic asset to strategic imperative
The pivot to hybrid working requires organizations to completely reimagine their approach to work, affecting everything from their leadership and management, technological infrastructure and carbon footprint through to how they recruit, retain and develop their staff.
Organizations need to rethink how they engage with their people to maintain their desired culture and expected behavioral standards. Some of the strategies that boards can adopt are:
- Ensuring that talent management strategies are a key competitive factor and strategic priority for management
- Shifting focus toward the organization’s overall human capital and talent management
- Supporting organizations’ efforts to produce effective external reporting on human capital strategy and stakeholder outcomes delivery
- Enhancing monitoring duties to risk oversight in the technology-intensive new work model
Recommended actions
Moving forward, organizations will need to define and measure talent-management-related metrics, and the impact of human capital in terms of their performance, innovation capabilities and capacity to improve products, services, and customer experience.
To provide effective risk oversight and support talent management transformation, an inclusive board with the right competencies and experiences can support the organization and its human capital as it evolves. This is possible by:
- Including individuals with in-depth knowledge of human resources and talent management, especially in areas such as development, recruitment, retention and well-being
- Focusing on topics such as agile teaming, diversity and inclusion, digitalization and technology, and employment law
- Reviewing the board’s operating model in terms of reporting, risk oversight, management accountability and incentives, and committee delegation
Chapter 4
Cybersecurity and internal controls
Providing effective cybersecurity oversight in an evolving cyber risk landscape
Organizations continue to face a new wave of cyber threats. The EY Global Information Security Survey 2021 found a notable rise in disruptive and sophisticated threats compared with the previous year’s research. Around 58% of cybersecurity leaders who responded to the survey said their organization had experienced at least a 10% rise in disruptive threats over the previous 12 months.
One reason could be the pandemic-induced mass shift to remote working, which required teams to adopt new devices, systems and tools without access to sufficient data or cybersecurity, increasing an organization’s vulnerability to cyber threats.
Frequently, the established internal control environment of organizations has proven to be inadequate for withstanding challenges triggered by virtual and remote working, and has sometimes even been circumvented altogether, creating opportunities for cyber-breaches. According to the EY Global Information Security Survey 2021, 81% of the executives said the COVID-19 pandemic forced organizations to bypass certain cybersecurity processes or controls.
While the impact of remote working is significant, it is not the only driver of an organization’s heightened exposure to cyber risk. The other factors include:
- Workforce or cost constraints that limit effective response by data and cybersecurity teams
- New and more sophisticated strategies to safeguard against cyber-threats from state-sponsored actors, organized crime groups, political and social activists, and individual opportunists
Employ effective cybersecurity risk management to map the future
The constant stream of cyber threats makes it challenging and costly for organizations to keep up with technology changes and best practices for protecting their business and its valuable data.
However, boards can accelerate the process of bringing cybersecurity-related skills and experience to the boardroom by nominating new experienced nonexecutive directors to enhance board oversight of cyber risks.
Given the scale of the challenge — with many cybersecurity functions underfunded or under-resourced — boards have increasing concerns about their organizations’ cyber risk management ability. According to the EY Global Information Security Survey 2021, just 9% of boards were extremely confident that the cybersecurity risks and mitigation measures presented could protect the organization from major cyber-threats — down from 20% the previous year.
Therefore, effective cybersecurity oversight will be one of the top board priorities for the coming 12 months, usually effectuated by delegation to the audit committee, risk committee or a technology committee.
Recommended actions
The board plays an important role in overseeing and supporting an organization’s cybersecurity function. This can act as a strategic enabler of growth by helping organizations retain customer and employee trust, fully exploit digital tools, and do business confidently. This can be achieved by:
- Continuous cyber threat awareness training through cyber awareness programs throughout the organization
- Avoiding personal email usage by board members to discuss organizations’ confidential issues and using only cybersecurity team-approved devices
- Conducting comprehensive cyber risk assessment for overview of all cyber-related organizational risks
- Supporting an effective cyber risk management program and corresponding internal controls
- Achieving further enhancement of enterprise resilience by conducting rigorous simulations with third-party specialists
- Improving cybersecurity board oversight by adopting a cybersecurity framework, such as the one created by the US National Institute of Standards and Technology (NIST)
- Ensuring an incident response plan to facilitate quick and effective response if needed
Chapter 5
Beyond sustainability reporting
Embedding climate considerations in governance, strategy and decision-making
The increasing operational risks posed by extreme global weather events in 2021 and the additional political and regulatory momentum building behind the transition to a net-zero economy highlight the need to turn sustainability into a major board agenda priority.
The United Nations Climate Change Conference (COP26), held in November 2021, saw countries pledging to further reduce their greenhouse gas emissions with an agreement to phase down the use of coal. Yet scientists believe the world is falling short of its target to limit global warming this century to 1.5°C, resulting in countries and companies being pushed to do more, faster.
With the European Green Deal, the EU is aiming to be climate-neutral by 2050. The European Commission is seeking to align the EU capital market and financial services sector with sustainability objectives through several initiatives, such as the EU Taxonomy Climate Delegated Act, the Sustainable Finance Disclosure Regulation and the Corporate Sustainability Reporting Directive (CSRD).
The efforts by the European Commission are underpinned by the mandate to the European Financial Reporting Advisory Group (EFRAG) to develop a draft set of European Sustainability Reporting Standards (ESRS) by mid-2022.
The International Financial Reporting Standards (IFRS) Foundation has launched the International Sustainability Standards Board (ISSB). This has ambitions to release the first set of global sustainability draft standards in the first quarter of 2022 and a sustainability-related financial disclosures general requirements standard in the second half of 2022.
Have oversight through the sustainability lens
It is vital that boards and audit committees drive sustainable corporate governance. In its Global Risks Report 2021, the World Economic Forum cites extreme weather, climate change inaction and human environmental damage as being among the most likely risks of the next decade.
It is clear from the EY EMEIA Board Barometer 2022 that boards recognize the need to focus on sustainability. The overwhelming majority (93%) thought the sustainability of their organization’s business model was a relevant concern, while 86% emphasized the importance of long-term value creation and measurement, and 81% prioritized operational and strategic ESG integration.
Therefore, boards must effectively support and provide oversight for their organizations around decarbonization, key ESG metrics reporting, managing associated ESG risk factors, circular economy action and other considerations that will impact the long-term value of their organization.
Yet, boards must go further than simply overseeing sustainability-related risks and recognize their responsibility to ensure their organization fully integrates sustainability into its strategy and business model. This can be achieved by accelerating innovation, improving capital access, better employee and customer engagement, and enhancing market reputation, sometimes requiring a complete transformation of an organization’s traditional operating model.
Along with effective ESG reporting, the concept of double materiality (ESG issues that create risks and opportunities that are material from a financial or nonfinancial perspective) will reflect not just how ESG issues affect the business, but also how the business itself impacts society and the environment.
Recommended actions
ESG disclosures and integrating sustainability-related factors into their investment and stewardship decisions are becoming increasingly important for mainstream investors. Hence, boards need to have robust procedures to facilitate both internal and external reporting. Boards can drive long-term value by:
- Recognizing and combining major ESG trends, and evolving consumer behavior and stakeholder expectations
- Reviewing their composition and skills to enhance competencies, including additional ESG competencies
- Bringing external insights to the boardroom to boost understanding of ESG-related trends
- Shifting to a more strategic mindset for a deeper understanding of the ESG issues
- Considering delegating ESG responsibilities to a dedicated sustainability or audit committee
- Reviewing feasibility of any priorities set, and overseeing delivery on targets in practice
- Transforming ESG-related metrics to measurable KPIs, and integrating them into management priorities and executive compensation
Chapter 6
GRC transformation
Delivering effective GRC leadership to achieve objectives, while addressing uncertainty
The pandemic has demonstrated the importance of GRC systems to address critical situations, including health risks, business interruptions, supply chain breakdowns and financial losses. At the same time, organizations had to demonstrate agility in response to the challenges they faced.
They also needed to swiftly rethink their approach to operational resilience. Despite organizations increasing their expenditure on cybersecurity, around 77% of the respondents to the EY Global Information Security Survey 2021 said their organization had experienced a rise in disruptive threats over the previous 12 months.
Data breaches pose regulatory and reputational risks to European organizations in light of the General Data Protection Regulation. Organizations with insufficient security solutions to protect their systems, networks and data can potentially be fined up to €20m or 4% of their annual global turnover.
Hence, the need for organizations to adopt integrated GRC systems. This requires reshaping of the board’s role in monitoring the adequacy and effectiveness of GRC transformation. Adopting integrated GRC systems can help organizations recover effectively from crises and transform potential problems into business advantages.
Strive for effective GRC integration harmony
The use of different and isolated approaches for GRC systems can undermine the board’s ability to provide effective risk and controls oversight, and lead to potential risk exposures. When IT solutions are used, the tools may suffer from incompatible interfaces when it comes to data exchange and matching.
To support efficient prevention, detection and response around risk, it is key to have a harmonized and integrated approach for compliance, risk management, internal controls and internal audit, supported by an effective exchange of GRC-related information. Today, however, just 54% of board members believe that the board currently plays an active role in the risk identification process and continuous improvement of GRC systems, according to the EY EMEIA Board Barometer 2022.
Updates of well-known international GRC frameworks, such as the ISO 37301,[4] the COSO Enterprise Risk Management Framework,[5] and national guidelines and audit standards, provide orientation to boards on the management’s and board’s oversight responsibilities. These frameworks also provide organizations an opportunity to transform their GRC systems.
Recommended actions
Recent challenges to risk management and internal controls have tested corporate resilience and should be viewed as opportunities to drive further integration toward a holistic GRC system environment. Failure to address these challenges carries enormous consequences for company stability, reputation and finances. Boards can demonstrate their commitment through:
- Monitoring management’s performance against organization’s strategic objectives
- Regular, timely and comprehensive management reporting
- Active involvement by the board or audit committee in internal audit plan finalization and monitoring follow-up measures on identified deficiencies
- Investing in resources and technological tools to improve shared risk intelligence
Chapter 7
The audit committee of the future
Evolving the audit committee’s role in monitoring corporate governance practices
Most boards delegate a substantial portion of their enterprise risk management oversight to their audit committees. Along with oversight of financial reporting, audit committees of today are increasingly charged with expanding requirements on an organization’s GRC systems, as well as the oversight of nonfinancial reporting.
This growing nonfinancial reporting requirement for accurate and comparable ESG reporting results from investors, policymakers and other stakeholders demanding greater transparency around organizations’ objectives and operations, and their ESG risk management.
Hence, audit committees need to constantly monitor new and unexpected risks, and ensure understanding of management processes to assess all strategic risks facing the organization.
These risks range from geopolitical tensions, market trends and regulatory shifts to cultural issues, fraud, skills shortages, supply chain disruption and digital transformation pressures. Audit committees need to pay even greater attention to liquidity and cyber-risks during the pandemic, and more closely monitor their organization’s GRC systems.
Take a proactive approach to meet enhanced expectations
Understandably, boards and audit committees have many competing demands on their time. They must balance long-term strategy-setting with short-term, but often urgent, challenges and ongoing compliance obligations. The audit committee is critical to board effectiveness since it bears key responsibilities on the board’s behalf. To effectively fulfill its role, the audit committee needs to:
- Ensure at least one audit committee member has accounting or auditing competency
- Have members with corporate reporting expertise in the future
- Monitor their organization’s performance against its ESG metrics
- Work closely with remuneration committees to ensure executive remuneration packages support long-term sustainability of organizations, as outlined in this report on driving the evolution of sustainable corporate governance (pdf)
- Extend current monitoring efforts to include company’s risk appetite determination, individual risk interactions and proper risk analysis
Recommended actions
The audit committee could commission an external review of their effectiveness, using third parties, to get an objective view on the committee’s work and dynamics, with a benchmark comparison. These are some of the actions the committee can take:
- Ensure diverse group of individuals with broad collective and specialist knowledge
- Benefit from training and continuous professional development
- Ensure the audit committee chair has specialist knowledge and is an excellent facilitator with strong leadership skills
- Build strong relationships with management and key function holders, and provide comprehensive reporting back to the main board
- Hold regular risk conversations and review organization’s risk map to understand full spectrum of organization risks
- Perform standalone risk assessments on high-risk topics
- Foster more robust communication and engagement, both internally and externally
- Improve organization’s transparency with investors and stakeholders by increasing voluntary audit committee disclosures
Board action can help businesses gain traction
While the priorities listed are by no means the only board priorities, they merit special consideration for the 2022 EMEIA board agenda.
Technology infusion through the business remains a top priority. The disruption caused by economic uncertainty, ever-present cyber risks, regulatory scrutiny, shifting ESG trends, and enhanced stakeholder and workforce expectations has required boards to revisit their processes, frameworks and structures. European boards are now transforming to become more flexible in their agenda-setting process and focusing on corporate resilience, sustainability and strategy to drive positive economic and social outcomes for the organization.
Summary
As global volatility exacerbates existing challenges and creates new ones, the resilience of the board will be the biggest competitive differentiator. European boards will need to reimagine, reframe and rethink challenges and risks. They also need to turn challenges into opportunities to build resilience through organizational, societal, cultural and technological facets, all while reinforcing the purpose of the organization in a sustainable manner.