Any conversation of risk right now is understandably dominated by the Covid-19 pandemic. It is unprecedented in nature as an existential threat to companies, perhaps only comparable in its scope to a major war. Boards are working to adapt their strategies and adjust their business models. Given the lockdowns ordered by national governments across the world, the economic and financial implications are huge.
And yet, it is not the only risk on the corporate landscape. Indeed, a recent meeting of the Centre for Audit Committee and Investor Dialogue (CACID) hosted by professional services firm Mazars, concluded that the business world is working on arguably the busiest risk landscape ever for executives and board members. Attendees said their organisations face more risk, and perhaps a more diversified risk register, than at any time in recent years; coronavirus merely presents the latest in a long line, albeit currently the most threatening and urgent.
Matt Dalton, a partner at Mazars in internal audit and risk management, said: “The panoply of risk facing businesses today is unprecedented. Never have audit committees and investors had to grasp the intricacies of so many issues at once.
“Right now Covid-19 is the risk front and centre for all businesses, but once the issue has been resolved companies will have to face a whole range of issues to assess whether they present threats or opportunities.”
The CACID meeting ranged across a number of issues from how the virus is to be managed, to the significance of other risks.
One lesson audit committee chairs noted from the arrival of Covid-19 that will, perhaps, inform risk preparation for some time to come is planning. Preparations for a crisis usually envisage a singular event over a finite period of time. Covid-19 is unlike that. Though government and societal action is now focused and emphatic, there is no real way of knowing when it will end. This is a crisis event unravelling over an indefinable period, in economic as well as health terms.
—Anthony Carey, head of board practice, Mazars
Boards will need to face not only managing their response to the virus but also incorporating a long-run event into their future risk assessments and crisis planning.
There is another key factor the virus brings into play: who is involved in stress testing crisis plans? Audit committee chairs noted that often it remains the exclusive preserve of executive members of the board who report back to chairs and non-executive members.
However, there was some agreement that it would be better to involve all board members, so that non-executives too have been taken through the assumptions and preparations.
Anthony Carey, head of board practice at Mazars, said: “Involving all board members enables the NEDs to offer the right blend of challenge and support and to bring their external perspective and wide expertise to the table leading to a strong united board making the best judgement calls in uncertain and tough times.”
Current risk landscape
It’s worth bearing in mind that despite the magnitude of the coronavirus threat, what also concerns audit committee chairs is risks coming in pairs, or even threes. Plans often prepare effectively for one risk materialising. Where plans often lack credence is confronting multiple risks emerging at once.
For example, an economic shock combined with the arrival of a disruptive competitor. Using scenarios which combine risks could prove more effective than assuming they come along in an orderly fashion, one at a time.
That being said, audit committee chairs were acutely aware that the virus, though an unknown quantity, does not eliminate the need for consideration of other risks as well.
These include issues like cyber crime, a stand-out problem in recent years as companies reformulate their business models to incorporate the use of vast quantities of customer data. Indeed, the issue has risen to prominence, not only because data breaches have become headline news causing reputational damage, but also because governments have moved to impose new regulations.
Even so, data breaches present boards with somewhat familiar issues to contend with, such as security and privacy. Where they may struggle is the underlying technical issues and knowledge. This may affect a board member’s ability to confront the severity of the risk. It may also constrain their ability to imagine, and thus plan for, for the associated risk.
Audit committee chairs are also well aware that this potential for boards to be simply overtaken by the risks they face crops up elsewhere: climate change. Though here, the risk may be multi-faceted. Board members must not only grasp the operational risks they face, for example, the natural resources their business models require, or their energy usage, but also the risk from failing to keep pace with public attitudes.
In short, the sensitivities of corporate leaders and board members to the issue may develop at a slower pace than, say, investors, employees, customers or, more generally, public opinion. This could render a company too slow to adapt to the changing attitudes of stakeholders, attitudes critical to maintaining a healthy business.
—Matt Dalton, partner in internal audit and risk management, Mazars
While climate change is the long-run risk of our age, audit committee chairs were clear that artificial intelligence, or digitalisation of business models, and its ability to create unexpected disruptive competitors, is also an ever-present danger liable to give them sleepless nights. A more effective use of AI by competitors has the potential to end the life of a company.
Matt Dalton said: “Covid-19 is a huge issue. Boards must grapple with the crisis and prepare for the new normal whilst also factoring in the other significant risks of the day—cybersecurity, digitalisation and climate change—that have not gone away and remain crucial to business resilience and performance.”
Risk in business is ever present. The number of risks companies face has, however, expanded, placing greater strains on boards, their skills sets and their ability to think through the problems. Some of them require a positive response: how can they be exploited? Others require a carefully planned response should they turn into a crisis. Either way, risk is about flexibility, preparation and being central to the board agenda.