Risk governance: Pandemic recovery tips for boards
The past year offered boards of directors worldwide an opportunity to update risk management.
Businesses that addressed risk management in a strategic way in 2020 were better able to adapt to the lingering impacts of the coronavirus pandemic and social unrest, according to a white paper and webinar on risk committees by the WomenCorporateDirectors (WCD) Foundation, a global membership organisation and community of women corporate board directors, and The Santa Fe Group, a strategic advisory firm.
A strategic approach to risk management includes board members focusing on new and emerging risks, keeping an eye on potentially existential risks that are currently under control, establishing a strong corporate risk culture, and creating a risk committee separate from the board’s audit committee, the WCD Foundation white paper suggests.
Such a risk committee should recruit and seat members with experience in areas such as cybersecurity, IT, compliance, third-party risk management, privacy, and reputational risk.
Making risk management part of strategy
Strategic risk management doesn’t only mean preventing bad things from happening, according to the WCD Foundation white paper. It also means analysing opportunities to make good things happen. Several businesses found themselves taking advantage of opportunities the pandemic presented them, such as delivering existing products in a new distribution channel or coming up with new products.
Here are more tips the WCD Foundation, The Santa Fe Group, and finance professionals suggested for boards to manage risk strategically:
Learn from mistakes. Few boards braced for a catastrophic event on the scale of the coronavirus pandemic, but all learned valuable lessons on how to insulate or pivot their businesses to cope with the pandemic and remain resilient during and after it.
Now they need to overhaul their plans to ensure successful mitigation steps — from rethinking supply chains to prioritising employee health — are instilled into their day-to-day operations and long-term risk strategies.
“It’s really about learning what’s happened over the past year … but also to think about how the organisation itself has built its own sort of resilience,” said Sarah Ghosh, FCMA, CGMA, co-founder of Onyx AI in the UK. “That’s what boards need to be really focusing on to move to the next stage.”
Take responsibility. Establishing dedicated risk committees can help boards continuously assess, monitor, and address emerging risks after the current crisis starts to fade, said Catherine Allen, founder of The Santa Fe Group.
“You're having to look at new ways to describe your risk appetite, monitor emerging risks, and new ways to structure the board to address those risks,” she said.
The ideal risk committee would have its own chair and include the audit committee chair, board members, the chief executive, the CFO, and the chief risk officer. Staff such as the chief information officer or the chief information security officer should update the committee on the latest issues, she said.
However, not all companies are at the stage where they need specialist committees, according to Cecilia Locati, FCMA, CGMA, vice-president of risk management, audit, and compliance at RHI Magnesita, an Austria-based global supplier of refractory products, systems, and services. They should instead focus on deeply embedding risk management in all areas of their operations.
Don’t devote all attention to today’s headline crisis. Many companies will be struggling with the impact of the pandemic for years to come, but experts warn they need to brace for an endless chain of increasingly interwoven, systemic crises.
“The interrelationship between those risks is very important because the tendency is that in these crises more than one risk crystallises suddenly,” Locati said. “It's ten of them at the same time that creates complexity.”
Ramping up cybersecurity should be high on the list after digital risks soared when millions began working from home and many businesses moved online.
Companies that redrew their supply chains during the pandemic should now be analysing geopolitical risks that could cause massive upheaval down the track.
Increasingly, boards that fail to give climate change adequate consideration face growing operational risks along with the prospect of regulatory and reputational challenges.
Looking up to 30 years out can create opportunities for boards to rethink their businesses in the face of emerging technologies, such as artificial intelligence, that could make many employee positions obsolete. Boards will need to focus on how to reskill and upskill their employees.
Call for help. Boards are increasingly shopping around for outside experts to plug knowledge gaps around issues such as digital transformation and to help them get to grips with future risks, Allen said. These experts could join specialised committees, take up permanent board seats, or act as consultants to bring members up to speed on emerging trends.
Reading up on potential threats, sharing relevant articles, and attending conferences can help keep boards up to date on long-term risks and build an invaluable common knowledge base, she said.
Plan for risk management and review the strategy frequently. More than ever, board members need to think on their feet and swiftly adapt their strategies and models to cope with fast-changing, complex scenarios.
“Agility has been a necessity over the past year to be able to move quickly, pivot, put in the technologies, and really roll things out quickly in order to be able to survive,” Ghosh said.
Boards should look beyond workplace experience for members with strong “soft skills”, such as intuition, empathy, and the ability to deal with ambiguity, that can prove invaluable when it comes to tackling risk, Allen said.
More diverse boards are likely to be more innovative and consider a wider range of risk scenarios and outcomes, while younger, tech-savvy members are often faster to respond, she said.
“The more diversity that you have on a board, the more likely you’re going to think more holistically about risk and set up structures to manage it,” Allen said.
— Sophie Hares is a freelance writer based in Mexico.