How boards calibrate strategy and risk
Corporate boards are deepening their involvement in company strategy and refining their oversight of the critical risks facing the company, according to a recent global survey from KPMG.
“The complexity and global volatility that we’re seeing—swings in commodity prices and currencies, a decelerating China, uncertainty in geopolitical hotspots, technology innovation, and disruptive business models—are clearly causing boards to sharpen their focus on strategy and risk,” said Dennis T. Whalen, Leader of KPMG’s Board Leadership Center. “The competitive landscape and risk environment demand it, investors increasingly expect it, and bringing value to the boardroom dialogue requires it.”
Fifty-three percent of the directors and executives surveyed said their board has increased its involvement in the formulation of strategy alternatives, and 61 percent said the board has sharpened its focus on improving risk-related information. “Rather than an annual decision by management and the board, strategy is becoming an ongoing discussion, with continual assessment, evaluation, and adjustment as conditions change,” noted Whalen.
The survey responses—from more than 1,000 directors and senior executives in 28 countries— suggest that while many boards are deepening their involvement in strategy and risk, significant challenges remain, including linking strategy and risk, and addressing growing cyber security risks.
Among the key findings:
Boards continue to deepen their involvement in strategy – including execution. Some 80 percent of survey respondents said the board has deepened its involvement over the past 2 to 3 years—in the formulation of strategy and consideration of strategic alternatives, monitoring execution, devoting more time to technology issues (including cyber security), and recalibrating strategy as needed.
Effectively linking strategy and risk continues to elude many boards. Only half of survey respondents are satisfied that strategy and risk are effectively linked in the boardroom discussions. Risk-related decisions, many said, would be most improved by more closely linking strategy and risk, as well as having a more-clearly defined risk appetite, better assessment of risk culture, and giving greater consideration to the “upside of risk taking” (versus risk avoidance).
Better risk information and access to expertise are (still) top of mind. The survey found that many boards have recently taken steps—or at least discussed ways—to strengthen their oversight of risk, mainly by improving risk-related information flowing to the board, but also by hearing more independent views and refreshing the board/recruiting expertise, coordinating (and reallocating) risk oversight responsibilities among the board’s committees, and/or changing the board’s committee structure.
Cyber security may require deeper expertise, more attention from the full board, and potentially a new committee. Greater use of third-party expertise and deeper technology expertise on the board would most improve the board’s oversight of cyber security, survey respondents said. Nearly one in three respondents said cyber security needs to have more time on the full board’s agenda, and a quarter said formation of a new committee to address technology/cyber risks would be beneficial.
Oversight of key strategic and operational risks could be more-effectively communicated among the board and its committees. Nearly half of survey respondents cite room to improve the communication and coordination among the full board and its committees on oversight of the company’s key strategic and operational risks—e.g., strategy, CEO succession, talent, regulatory compliance, cyber security and emerging technologies, and supply chain issues.
Among other country and industry variations regarding the board’s involvement in strategy and risk:
- Respondents from Indonesia, Japan, Korea, and Singapore cited the greatest need for deeper board involvement in strategy.
- Directors and executives in India, Singapore, Switzerland, and UK, said they want to spend more time testing the ongoing validity of underlying assumptions.
- Financial services, insurance, health care, and communications/media sector respondents are devoting notably more time to technology issues, including cyber risks.