Can boards more effectively link strategy and risk?

Friday, 09 October 2015


    While boards are devoting more time to risk management and taking a more active role in strategy, they still face significant challenges in effectively linking the two together.

    2015 Annual Corporate Directors Survey: Strategy and Risk

    PricewaterhouseCoopers, October 2015 

    There’s no risk without reward: global governance, risk and compliance survey

    Ernst & Young, July 2015 

    2015 Report on the Current State of Enterprise Risk Oversight

    North Carolina State University on behalf of AICPA, February 2015

    Recent global surveys suggest that while boards are devoting more time to risk management and taking a more active role in strategy, they still face significant challenges in effectively linking the two together.

    A significant number of respondents to KPMG’s global survey, “Calibrating Strategy & Risk: A Board’s Eye View” (a survey of 1,135 directors and senior executives from 28 countries), considered that their boards had deepened their involvement in strategy. For example, 53% of respondents considered that their organisations’ boards had increased their involvement in the formulation and consideration of strategic alternatives. Additionally, 35% of respondents considered that their boards had increased their involvement in recalibrating strategy.

    However, only 44% were satisfied that strategy and risk were being effectively linked in boardroom discussions. Further, more than half (53%) of respondents considered that “closer linkage of strategy and risk” was key to improving the company’s risk-related decision making.

    Ernst & Young (EY) also recently surveyed 1,196 respondents from 63 countries – including C-suite executives, board audit committee members and various assurance and/or compliance executives – in relation to governance, risk and compliance.

    The survey revealed that the majority (85%) of respondents considered that opportunities existed for their companies to further improve the linkage between risk and business performance. While 97% of respondents considered their organisations had made progress in linking their risk management objectives and business objectives, only 16% of respondents considered that both of these objectives were “closely linked”.

    Another survey, conducted by North Carolina State University on behalf of the American Institute of CPAs (AICPA), surveyed 1,093 directors and executives on enterprise risk management. It revealed that only 27% of organisations had boards that “mostly” or “extensively” reviewed their organisations’ “top risk exposures” at the same time as discussing their organisation’s strategic plan.

    PricewaterhouseCoopers’s (PwC) recent Annual Corporate Directors Survey, however, produced different results. PwC’s survey (which included the responses of 783 US-based public company directors) found that 85% of directors felt comfortable with their board’s ability to integrate discussions of risk with strategy. The survey also found that 91% of respondents were confident in their board’s ability to quantify risks, as well as management’s ability to communicate risk concerns to their respective boards.

    The different survey results may reflect, in part, differences in the respondents to the surveys and the sizes of their respective organisations. For example, PwC surveyed only directors of US public companies, whereas the KPMG, EY and AICPA surveys included directors and non-directors of public, private and not-for-profit companies. In addition, 74% of respondents surveyed by PwC worked for organisations that generated revenues over $1 billion (US), whereas 24% of those surveyed by AICPA and 50% of those surveyed by EY worked for organisations that generated revenues over $1 billion (US).

    What implication do these surveys have for Australian boards and directors?

    It is likely that the experiences of Australian directors and boards would reflect the findings of the above surveys (albeit the KPMG and EY global surveys involve fewer than 20 and 80 Australian respondents respectively, and PwC’s and AICPA’s surveys involve only US-based participants).

    “Organizations appear to be struggling to integrate their risk oversight with their strategy development and execution”, suggests the AICPA survey. “There appears to be a disconnect between the recognition of today’s high risk business environment and the decision to invest in more structured risk oversight”.

    One way boards may be better able to respond to this challenge is through more effective use of audit and risk committees, as well as the creation of risk-specific roles that directly report to the board or management.

    For example, the EY survey reveals that almost half (44%) of organisations do not have a Chief Risk Officer to provide oversight of risk management activities. The AICPA survey similarly reveals that two thirds (68%) of the respondent organisations did not have a designated Chief Risk Officer. It also shows that less than one third of directors on boards (29%) delegate their responsibilities to a risk committee, and less than half (45%) had a management-level risk committee that meets at least quarterly.

    Enterprise Risk Management (ERM), internal audits, and Governance, Risk and Compliance (GRC) tools are increasingly being used by boards and directors to more effectively integrate risk and strategy.

    For example, EY has recently introduced its own Risk Enabled Performance Management tool. Deloitte has also introduced a Risk Appetite Framework to assist boards in understanding their aggregate level and type of risks, and in clarifying how management should identify risks in their business strategy.

    A recent article in the Company Director Magazine suggests that boards may benefit from having both an audit committee and a risk committee, in order to reduce the audit committee’s work load and ensure that risk gets appropriate coverage at board level.

    The article also suggests that linking strategic risks with operational risks, as well as a combination of a “shallow dive” (scanning the horizon for emerging risks) and “deep dive” (acquiring more detailed information) can be useful strategies in order for boards to better integrate risk and strategy.

    As part of the “Directing Growth Program”, KPMG and the AICD will be hosting a workshop in December 2015 titled “Setting your strategic direction”, in order to provide directors with strategy planning and analysis tools.

    Strategy and risk are “two sides of the same coin,” suggests Lindsay Maxsted FAICD, who was interviewed by KPMG as part of its survey. “Any discussion on strategy can be turned into a risk discussion, and vice versa”.
