Accounting firm EisnerAmper (EA) has released its sixth annual survey of directors, Concerns About Risks Confronting Boards. The results indicate that, across the public, private, and nonprofit entities EisnerAmper surveyed, directors are most worried about reputational risk, cybersecurity risk, and regulatory compliance risk. For public companies, the top areas of concern were cybersecurity/IT risk (70 percent), reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent). (No other area was cited as a top concern by more than 50 percent of public company director respondents.) These findings are largely consistent with EA’s prior survey (see August 2014 Update), although concern about reputational risk has fallen somewhat this year, with the result that cybersecurity – rather than reputation – is now the most frequently-cited concern of public company respondents.
The survey included the opinions of directors serving on the boards of more than 300 publicly-traded, private, and not-for-profit organizations in a variety of industries. Half of respondents served on the board of an organization with $50 million or more in revenue, while 13 percent were from organizations with over $1 billion in revenue. Fifty-six percent of respondents indicated that they were audit committee members.
On an aggregate basis, the issues cited by respondents of all types as their top concerns (and the percentage of respondents that cited each) were:
- Reputational risk (75 percent). It is not clear how survey defined “reputational risk”, although it appears to refer to an event of any nature that threatens to injure the organization’s public reputation. For example, the survey report refers to the Target Corporation cyber breach as a reputational risk event, although it would appear that the incident could also be viewed as an example of Cybersecurity/IT Risk or of Crisis Management.
- Cybersecurity/IT Risk (61 percent).
- Regulatory Compliance Risk (53 percent).
- Senior Management Succession Planning (51 percent).
- Product Risk (34 percent).
- Crisis Management (32 percent).
- Risk Due to Fraud (27 percent).
- Disaster Recovery (26 percent).
- Tax Strategies (15 percent).
- Outsourcing Risk (15 percent).
- Diversity (12 percent). AE’s survey report states: “Half of the board members agreed with utilizing diversity goals; those who disagreed referenced their belief that ‘experience’ and ‘skills’ should drive board member selections as opposed to diversity factors. Not-for-profits seem to be the most progressive in incorporating limits and quotas into minimizing group think and reducing risk. Interestingly, 23% of board members ranked diversity as an important area of risk management, while only 7% for public and private as well said diversity was a main concern for their boards.”
As to who is addressing risk and how well they are doing so, the following percentages of directors indicated that particular groups were performing “very well” or “well enough” with respect to risk —
- Regular board and committee meetings (92 percent).
- Risk management insurance providers (73 percent).
- External auditors (84 percent).
- Accounting department (86 percent).
- Legal and compliance group (86 percent).
- IT department (75 percent).
Respondents were also asked how helpful internal audit had been in identifying risks. Looking only at public company directors, 71 percent viewed internal audit as either “helpful” or “very helpful” in risk identification, while the remaining 29 percent saw internal audit as either “not helpful” or only “slightly helpful.” As in the prior survey, private company and not-for-profit directors gave internal audit somewhat lower grades.
In the two top risk areas – Cybersecurity and Reputational Risk – views seem somewhat mixed as to how well companies are doing in addressing the problem:
- Over 95 percent of public company respondents indicated that their company uses either internal audit or external auditors/consultants to monitor cybersecurity risk. However, only 24 percent feel their boards are well-versed in the issue.
- Forty-eight percent of board members from all types of organizations stated that their board had a plan in place to address a crisis with potential reputational risk fallout. However, only 20 percent of organizations have provided training to execute the plan. EA states that public company boards “appear to be most diligent in addressing reputational risk: almost 75% have a response plan in place and nearly a quarter have provided training.”
Comment: One of the suggestions in the survey report is that boards hold an annual meeting focused on reputational risk and preparation for an event that threatens the company’s reputation. EA also suggests that the board and management, with CEO involvement, formulate a plan for responding to a reputational crisis. One survey respondent is quoted as having said, “You need to have thought through the challenge and crafted potential responses beforehand so that you can react quickly. There is not sufficient time to only start developing plans once the crisis occurs.”
While the various kinds of reputational risk events that may arise transcend the scope of the audit committee’s responsibilities, the committee may want to consider implementing this advice within its area. This is particularly true as to cybersecurity breach issues, which, despite occasional advice to the contrary (see June 2014 Update), are often assigned to the audit committee.