BOARDS OF DIRECTORS are at the forefront of navigating complex and ambiguous risks driven by external factors such as geopolitical unrest, cybercrime, climate change, inflation, and third-party involvements. These unsettled threats often defy crisp delineation, making it difficult for boards to understand their significance and magnitude.
Time is of the essence in mastering these risks. Aside from the potential for onerous impacts to corporate reputation and the bottom line, US regulators have announced revised reporting requirements regarding risk. The new rules are intended to provide investors and stakeholders the data needed for informed assessments of a company’s risk exposure and its ability to mitigate or manage those risks. Defining the materiality of risks and incidents will be a key component in the new rules and guidelines. The consequences of mismanaging these risks can be enormous. Boards, in collaboration with executive management, must take the lead in defining easily applied materiality benchmarks and thresholds for their organizations. The definition and assessment of risk is often delegated to operational, legal, or risk management staff; however, without top-down guidance, these groups can flounder. Assessing complex and ambiguous risks and establishing response plans can be more art than science, but it need not be a mystery. It simply requires a back-to-basics approach.
Management needs to paint a clear picture of complex and ambiguous risks so that the board can take the following actions:
Evaluate the potential impact and materiality of the risks and determine whether the risks are significant enough to be deemed mission-critical.
Understand how these risks compare with the company’s overall appetite for risk.
Assess management’s effectiveness with regard to risk monitoring, measurement, and management.
Many boards have been frustrated with inadequate internal performance in appraising these risks (whether they are significant or not) and in subsequent monitoring and management. Especially exasperating is that outside parties often have better insight into the risks a company faces than the company has itself. Organizations such as Moody’s Investors Service and BitSight Technologies gather and analyze data available outside the company in question (e.g., cybersecurity data) to generate a credible picture of that company’s risks and its ability to weather them. Regulators may also have considerable insight into a company’s risks through the review and assessment of commonly used third-party technologies and business services (e.g., payment processing).
Unfortunately, the board and executive management have often been the source of their own frustration by inappropriately pushing the task of risk definition downward. The delegated departments will perform to the best of their focused abilities, but they lack a big-picture sense of what risks the company can and cannot accept.
Two key factors drive boards’ earnest interest: the enormous potential financial and reputational costs of mismanaging risk, and the growing attention from regulators regarding these risks.
Regulators wish to protect the integrity of capital markets and financial systems. Operational risk—the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events—is viewed as a primary concern. The US Securities and Exchange Commission is proposing rules and guidance affecting risk management and reporting that may lead to increased supervision and public disclosure.
The Office of the Comptroller of the Currency (which oversees US banking and financial institutions) describes today’s risks in its semiannual risk report as “an evolving and increasingly complex operating environment” that includes the following:
Evolving and increasingly sophisticated cyberattacks that are inflicting damage on the US economy.
Geopolitical risks (for instance, Russia’s invasion of Ukraine) prompting increased inflation and exacerbating supply chain issues.
Climate-related effects on companies’ soundness and financial stability.
The proliferation of organizations’ use of third-party services and technologies.
As for the costs of mishandled risk, consider cybercrime. Worldwide, cybercrime losses are anticipated to reach $10.5 trillion annually by 2025.[1] The United Nations Office on Drugs and Crime estimates that 2 percent to 5 percent of global gross domestic product, or as much as $2 trillion, is laundered annually, feeding terrorist and underworld organizations. Individual corporations may feel these effects through direct criminal action (ransomware) or the aftereffects (consumer lawsuits) of a data breach. The impact can be enormous, measured in the millions or even billions of dollars.
In Practice, Directorship, Quarter Two 2023
Back to Basics
We recommend that boards and executive management return to basics regarding the monitoring, measurement, and management of any type of complex and ambiguous risk. Boards should be taking fundamental steps and asking basic questions to determine the nature of the risk and the company’s ability to manage it. In addition, boards and management cannot rely solely on subordinate departments to manage the whole show and must instead collaborate with those departments to create bounds and guidelines regarding risk management. Outlined below are four basic steps:
1. Establish the decision-making framework. The board and management should ask, What is our organization’s definition of risk? How are risks interconnected? Do we have consistent guidelines to measure the materiality of risk? And have we defined the level of risk (risk appetite) the organization can tolerate?
The board and management must agree on what the particular risks are and which types of risk warrant the most attention. Those risks needing board-level attention often can be spotted in a top-down view, focusing on core assets or key company values.
In collaboration with (but not through delegation to) company experts, the board and management should establish guidance on easily understood materiality thresholds in terms of income, liquidity, earnings per share, stakeholders, and more. Anchoring the process with a consistent set of metrics can simplify the process of understanding the materiality of a particular issue.
They should also define the company’s risk appetite in terms of absolute financial exposure. Measuring this against the approach of competitors may help set standards that do not shoot too high or too low for the current business environment.
2. Evaluate the materiality of specific risks. What is the potential impact of this risk, including the most material effects, on the organization and its strategy? What benchmarks and thresholds are in place to measure and manage the risk? Where does this risk fall regarding the organization’s materiality thresholds?
Each new risk must be assessed to determine its potential impact and likelihood of occurrence. Impacts must be viewed qualitatively and quantitatively and from long- and short-term perspectives. Credible worst-case outcomes should be identified.
Risk assessment is often best accomplished through the objective, unemotional, and rational development and analysis of scenarios. These scenarios form a basis for numerical estimates of impact and probability and may provide points of comparison with industry metrics. With assessments complete, the risk can be gauged against materiality thresholds established by the board and executive management team.
3. Monitor and manage the situation. How is the organization monitoring a specific risk against board-established benchmarks and thresholds? Are there circumstances that require the board to be alerted to the risk? What are management’s plans to address the risk? Do we have the right talent in place to manage the risk?
Once a risk is deemed material, monitoring becomes essential. This might be as simple as staying abreast of the news, but it often involves the creation of metrics based on the results of scenario analyses. This information is critical to response preparedness and plans, especially as risks evolve.
The appropriate response options may be selected through cost-benefit comparisons. These might include accepting the risk (tolerating the negative consequences), offsetting or sharing the risk (obtaining insurance), avoiding the risk (moving the business away from the domain the risk inhabits), or mitigating the risk (reducing the likelihood of occurrence). It’s necessary to remain flexible and adaptable and to be prepared to reassess how to manage a risk.
Many organizations are geared more toward maintaining compliance than managing risk. Staffing may need to be reviewed to verify that the right people are available to monitor risk and can be held accountable to follow through on management’s plans for risk management.
4. Check for understanding. The board is responsible for collaborating with management to develop a framework for understanding the materiality of risks. Management needs to report to the board in ways that allow the board to understand and evaluate the management of a particular risk. If at any time the board does not understand the management of a risk or feels that data are lacking, then management hasn’t done a proper job explaining the risk.
Monitor, Measure, and Manage
Complex and ambiguous risks are evolving and volatile, affecting processes and activities across the entire organization. The board of directors must be informed of new risks, especially those that cross the threshold for materiality or affect core assets or key company values.
Without this information, the board cannot effectively monitor, measure, and help manage crucial risks. Mounting scrutiny from regulators and the potential for substantial monetary impact compel boards to ensure that satisfactory materiality benchmarks are established and that internal processes are in place.
VISHAL CHAWLA, a cybersecurity and risk management expert, serves as the founder and CEO of BluOcean Digital, a company dedicated to providing cybersecurity solutions. SHARI DAW, an enterprise risk management expert, has a proven track record as a senior executive in large, complex financial institutions and with their boards of directors.
[1] Steve Morgan, “Cybercrime To Cost The World $10.5 Trillion Annually By 2025,” Cybercrime Magazine, Nov. 13, 2020, https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025.