In New Report, Boards Voice Concerns Over Risks
Posted by Heidi Schwartz
EisnerAmper has issued its fifth annual Board of Directors Survey, Concerns About Risks Confronting Boards, designed to gain insight into the risks that are top of mind in today’s boardrooms. Other than financial risk, respondents were asked to identify risks of most concern. Seventy-two percent identified reputational risk as their primary concern, following the same trend as in prior years. Cybersecurity/IT risk was second at 62%, rising almost 10% from last year’s survey. Surprisingly, regulatory compliance risk—the third most highly ranked concern—dropped six percentage points to 50% in 2014.
“The study found that with regulatory compliance factors such as Dodd-Frank and PPACA having been rolled out, the level of concern about those regulations has actually dropped,” said Steven Kreit, a partner in EisnerAmper’s Public Companies practice. “When we take into account additional feedback from the participants, it paints a picture of boards coming to terms with both Dodd-Frank and health care reform.”
The survey measured the opinions of directors serving on the boards of more than 250 publicly traded, private, not-for-profit, and private equity-owned companies across a variety of industries, sourced from both EisnerAmper and NACD Directorship databases. Fifty-three percent of the survey group identified themselves as serving on audit committees.
Cybersecurity Concern, Limited Action
Boards know they need to worry about cybersecurity, but many have not taken action to mitigate the risk or decided who will ultimately direct their organizations’ course of action. The survey’s finding of an increase in concern about cybersecurity/IT risk is not surprising, but when combined with other indicators, it raises many questions about how well equipped organizations really are to address it. For example, respondents expressed relatively low levels of confidence in management’s knowledge of cybersecurity and related risk.
Strengthening Organizations from Within
When questioned about new investment opportunities to strengthen their organizations, the directors in the survey looked inward, assigning the highest values to strategic planning as well as internal growth and expansion.
Internal Audit Captures Investment
The survey shows a continuing trend in the use of, and investment in, the internal audit function. The majority of organizations across sectors find internal audit helpful or very helpful in identifying risks. While 46% of boards are not proposing any changes to their internal audit functions, 32% are looking to enhance staff and 24% are looking to increase audit coverage. These results are in line with last year’s survey.
Growth in ERM Programs Low
Implementation of comprehensive enterprise risk management programs remains low, but there is a perceptible trend toward putting such programs into practice. Thirty-six percent of directors report having a comprehensive program that is fully implemented, compared with 33% last year. Broken down by sector, though, only 55% of public companies, 26% of private companies, and only 20% of not-for-profits have a fully implemented plan.
“Despite strong concerns about reputational risk and cyber and data security, we saw little in the survey showing support for the resources necessary to address it,” said Kreit, summarizing the results from the survey. “With many organizations admitting that they had no plans or relatively unsophisticated plans to address these top rated risks, there is a need for boards to focus some of their strategic planning time on reevaluating how they will effectively handle concerns as they arise.”