Chapter 1
Board-CRO collaboration is vital
As the risk environment continues to increase in complexity, it has never been more crucial for boards and CROs to closely collaborate.
The risk landscape has become more complex
New threats and risks are materializing rapidly, many of which are interconnected. The early months of 2022 have already highlighted the extent to which businesses are exposed to geopolitics, new COVID-19 variants and supply chain issues. Then there are the longer-term risks associated with the shift to stakeholder capitalism, securing and retaining talent, climate change and cybersecurity. In addition, new regulation, including in relation to ESG, will require boards to bolster their support for their business’ approach to risk.
To remain resilient, boards need to first understand the full spectrum of threats that could undermine value and imperil transformation. Importantly, this includes both current and emerging risks. Boards must have sufficient perspective of C-suite priorities and might look for this collective view from the CRO.
Views will no doubt differ. For example, according to an EY survey of more than 600 board directors and risk leaders, 62% of risk leaders identify changing customer demands and expectations as a significant risk, compared with just 48% of boards.
Global Board Risk Survey
62%of risk leaders identify changing customer demands and expectations as a significant risk.
Global Board Risk Survey
48%of boards identify changing customer demands and expectations as a significant risk.
Aligning on strategic opportunities is critical
Business opportunities lie in what is often referred to as “upside risk”. However, according to the survey data, consistent with their roles, boards and risk leaders frequently have diverse views on their business’ greatest strategic opportunities.
Boards rank technology disruption as the number one strategic opportunity for their business. In contrast, risk leaders rank this least important and instead rank changing consumer demands and preferences as the greatest strategic opportunity.
Whatever the cause, for these divergent views, boards and CROs have an opportunity to better communicate and constructively challenge each other’s views, highlighting potential blind spots that may represent upside opportunities. Furthermore, considering CEOs rank risk management as the number one area of the enterprise they wish to make the most change, it is also an opportune time to consider the board’s role in bridging this divide.
Related article
Chapter 2
Three ways boards can enable CROs
With demand for robust risk management and enterprise resilience intensifying, boards must equip and further empower CROs to succeed.
1. Crystalize risk management expectations
To propel the CRO, it is important to outline the board’s risk management expectations. The survey data outlines four key areas where there is significant opportunity for improvement, which require the following actions:
Take a holistic approach to risk management
Boards want a holistic approach to risk management that incorporates both emerging and traditional risks. However, just 39% of boards today believe their organization’s risk management capabilities are more than moderately effective at managing both atypical and emerging risks.
Identify opportunities in risk
Boards require executive management to better identify opportunities that lie in risk. For example, if a new competitor emerges and secures a new venture funding round, this development might be included as part of the wider reporting on competitive risk.
However, in this example, this business also presents an opportunity from the board’s perspective, as an acquisition target or a potential strategic partner. Therefore, boards must adequately challenge executives, including the CRO, to identify these “upside risks”, and consider how they might be reframed as opportunities.
Interlink risks with secondary impacts
Boards want CROs to better assist executive management in considering how risks are interlinked and identify potential second-order impacts. For example, climate change presents interconnected risks for businesses related to operations, supply chain, customer base displacement and reputation, assuming limited action.
Boards identify this as a key area for improvement. However, only just over half (52%) say their risk management capabilities are more than moderately effective at understanding how different risks are interconnected.
Consider a wide range of stakeholders
Boards expect executives, including CROs, to consider the objectives of a broad set of internal and external stakeholders when assessing risks as part of business decision-making. Through doing so, the outcome expected is the elevation of the importance of risks like climate change and ESG factors, therefore enabling boards to challenge management on key topics, such as how supply chain partners are decarbonizing their operations.
In the financial services sector, there is already evidence that ESG risk factors are increasingly considered in business decisions. For example, 48% of CROs within banks say ESG is embedded in their loan decisioning processes.
In addition, boards should also ensure that CROs (or their equivalent) are fully aware and are kept updated of the business’ strategy and long-term ambitions, sharing any insight about emerging megatrends that might impact the business. This is a crucial input to assist executive management to mitigate downside risk and capture “upside” opportunities.
Related article
Despite this, 55% of board members feel their organization’s risk management capability currently falls short of keeping pace with changes in business strategy.
2. Encourage a digital-first approach to risk management
According to the EY Global Board Risk Survey 2021, the extent to which technology is used to identify and manage risk is the most important factor that determines effective risk management.
Boards can help by advocating through the approval of strategic capital and finance plans for the resources CROs need to deploy adequate technologies that support executive management in their risk decision-making process.
Technology helps in many ways:
- Automation technology can be used to process low-value manual tasks, such as risk-model verification and simple data processing, freeing up management time to focus on exploring the implications and impacts of emerging risks.
- Data collection and monitoring can also be automated, to occur in real time, thus flagging potential issues to risk and business teams much earlier than would be achievable with a less sophisticated approach.
- Cloud and AI-based technologies can also be deployed to execute complex scenario analyses and unearth previously unattainable insights in risk interdependencies.
3. Champion the CRO
Many businesses in non-regulated sectors do not have a formal CRO as part of their C-suite. As the demands on risk leaders intensify and the need for collaboration with executive management and the board grows, boards might challenge businesses that do not currently have a CRO to consider formalizing the role in their C-suite.
However, just as important is the mandate and responsibility that this individual is given. Boards should ensure through their executive management teams that the CRO is sufficiently empowered within the organization and connected with other senior executives through clear and open channels of communication.
For example, instead of communicating risk exposures separately during scheduled board meetings, the board should insist that risk and opportunity assessments are integrated into regular management reporting vehicles. These can be strategies, business plans, operational performance reports and investment proposals.
Robust governance in the form of a risk sub-committee (where not already mandated) may also be necessary to align and calibrate expectations and progress in line with the organizations risk management framework; thus helping to build risk management capabilities. Importantly, these committees should ensure their composition is adequate to cover a wide range of newer risk topics such as technology, sustainability and talent.
Key questions for boards to consider
Boards have an important role to play in onboarding a CRO or enhancing board-CRO relations in order to support their business’ new growth and transformation agendas. With that context, here are some key questions that should be front of mind:
- If you don’t already have a CRO in the C-suite, given the increasing complexities of risks, should you revisit the need with the CEO? If you do have one, are you doing enough to empower and embolden them in your discussions and interactions with the executive management teams?
- Have you been clear with your executive management team what you expect from your CRO when it comes to challenging them? Have their responsibilities been clearly communicated? Do they have enough exposure to and a sound understanding of the business strategy to be asking the right questions?
- How do you ensure that the CRO does not dilute executive management accountability for all aspects of doing business, including monitoring risk exposures, effectiveness of controls and reporting relevant outcomes to the board?
- Are you regularly consulting with your CRO on how executive management can be better equipped and informed to take advantage of new technology, data and managed services to improve their risk-based decision-making processes?
Related articles
Summary
Increased collaboration with the CRO (or equivalent) is crucial to help set boards up for success in mitigating increasingly complex risks and staying ahead of the competitive landscape. Boards can achieve this by clarifying their expectations, encouraging a digital-first approach to risk management, and formalizing and empowering the role of the CRO as a key C-suite contributor.
