How private boards can unlock value by elevating risk management

The private boards’ focus on traditional and compliance-related risks was highlighted again by the 2023 EY GBRS. According to this research, just 33% of private companies felt “very confident” in their ability to respond to unexpected high-impact incidents compared with 41% of publicly owned companies. This focus on managing traditional risks, as highlighted in both surveys, can lead to private companies suffering from significant vulnerabilities when faced with atypical risks.

Even when it comes to compliance-related risks, private companies lag behind public peers: for example the Organization for Economic Co-operation and Development’s (OECD’s) Pillar Two framework, along with other major developments in the tax landscape, is driving new areas of tax risk. Organizations are increasingly strengthening their tax governance frameworks to facilitate robust tax compliance but nonetheless, the increased likelihood of tax audits and greater focus on indirect taxes by authorities could have significant implications for both the operations and reputations of private companies. “Clients are telling us the stakes have never been higher, with disruptions to their day-to-day operations and the implications to the market reputation of the business and its owners,” says Steve Shultz EY Global Private Tax Leader.

Countering cyber threats

Emerging technologies are potentially a major driver of growth for private companies, but they also pose some very specific cyber risks. For example, AI is already being used by bad actors to launch increasingly sophisticated cyberattacks, such as large-scale phishing scams. Additionally, it presents an abundance of other risks, including those associated with bias, copyright, privacy and hallucination (where an AI system presents false or misleading information as fact).

Despite the scale and urgency of cyber threats, many private companies are less prepared to combat risks effectively. Taking into consideration the recent EY 2023 Global Cybersecurity Leadership study, Global EY Private Leader Ryan Burke suggests that privately owned businesses aren’t moving fast enough to outrun cyber threats. The study reveals that more than four-fifths (84%) of private companies take more than a month to detect cybersecurity incidents, while 63% take more than a month to respond. What’s more, 40% of private-company respondents cited an inadequate cybersecurity budget as one of the biggest internal barriers to cybersecurity.

The study also found that just 12% of private companies are very concerned about the impact of physical risks involved with a cyberattack, such as a ransomware attack that can shut down their operations. In contrast, 27% of public company respondents were very worried by this possibility. These findings strongly highlight the urgent need for private companies to re-evaluate their approach to the tangible threats connected with cyberattacks.

Despite having to compete fiercely for talent, private companies are behind public companies in pursuing diversity, equity and inclusion (DE&I) policies. According to the 2023 GBRS survey, over half (59%) of private companies believe they need bold change rather than incremental progress in DE&I vs 71% respondents of publicly owned companies. This indicates that private companies may benefit from adjusting their perspective on DE&I and recognizing it as a critical component of their business strategy going forward.

Lack of investment in DE&I can damage a company’s employer brand, weakening its ability to attract and retain the talent that is critical to future growth. What’s more, companies will be missing out on the innovation opportunities that may be generated by varying perspectives derived from a diverse workforce.

Private companies should also consider how new ways of working — across borders and jurisdictions — can have heightened expectations in relation to workforce flexibility, talent strategy and technological investment. This is against a background of increasingly complex economic, geopolitical and social challenges. To build sustainable value in this climate, business leaders need solutions that address risks and boost reward when it comes to talent strategy.

Organizations need to pinpoint their employees’ locations if they are to effectively initiate responses to potential physical safety or cybersecurity issues, and to gauge the degree to which the organization is exposed to tax, immigration or regulatory risk. According to the 2023 Mobility Reimagined survey, while the majority of mobility professionals indicate their organization has some sort of approach toward hybrid mobility, surprisingly just 37% of employers believe their organization’s hybrid mobility policy adequately addresses the tax and regulatory risks linked to mobility. Due to this discrepancy, there is a pressing need to strengthen hybrid mobility policies so that these risks can be effectively managed according to the survey.

A survey of more than 350 corporate board members for the Americas board priorities 2024 report found that talent is one of the top five priorities for board members across the Americas. To achieve better talent outcomes, private companies need to foster a workplace where employees feel trusted, empowered, connected, well-informed and genuinely cared for by their leaders. They also need to show that they value a diverse workforce and are committed to building an inclusive working environment that enables everyone to succeed.

“Where a board can help is really understanding where the focus areas are,” says a board member for a privately held Americas franchise, “You have to figure out the business problem you’re trying to solve. Is it attraction of diverse talent? Is it retention of diverse talent? Is it development of diverse talent?”

All three are essential tenets of any talent strategy. Nevertheless, different approaches are necessary if private companies are to address them with the same level of effectiveness.

Culture is king

When it comes to implementing effective risk management strategies, it is hard to overstate the importance of culture. A strong risk culture, as defined by the Institute of Risk Management, is a culture where everyone shares the same values, beliefs, knowledge, attitudes and understanding about risk.

All members of the workforce should have an awareness of the broad spectrum of risks that exists in today’s business environment, from traditional through to atypical. The boards of private companies can play a crucial role here by ensuring that a culture of risk awareness is instilled throughout the organization by emphasizing the significance of nontraditional risks with executives.

“The board needs to set the tone for what it expects of the organization, whether it be a broader culture or a risk culture,” says a board member of several public and private entities in Asia-Pacific. “Part of that is about selecting the right team, but something that’s certainly more the case is making sure that you get to see – whether it be through deep dives, presentations or going out in the field – greater visibility of the people within the organization so you get a better read on what’s really going on.” Fostering a culture of visibility and communication within an organization is vital and can be better achieved through a board that straddles both private and public companies, leveraging their broader exposure and diverse insights.

In search of sustainability

The shift to a lower-carbon economy simultaneously presents huge opportunities and substantial risks to private companies. By pursuing a more sustainable business model, private companies can develop more innovative products and services, attract more customers, operate more effectively, enter new markets and appeal to a broader talent pool. On the other hand, companies that fail to adapt could find themselves penalized by policymakers, overlooked by customers and talent, and overtaken by competitors.

The 2023 EY Sustainable Value Study found that private companies have an opportunity to better acknowledge their role in the fight against climate change and bring about sustainability transformation. Sustainability demands a holistic approach that extends beyond carbon emissions to incorporate broader governance and social considerations. The study found that 67% of private companies had made climate change commitments, compared with 86% of public companies. Furthermore, 24% of private companies expected to spend more on addressing climate change over the next 12 months compared with the previous year — in contrast to 39% of public companies that said the same. 

Private companies may find it challenging to provide clear reports on their sustainability commitments. According to the EY Sustainable Value study 2023, 39% of respondents prioritize external reporting over other sustainability initiatives compared with just 29% of public companies. Despite facing different regulatory requirements to public entities, private companies still benefit from developing adequate transparency around sustainability. Besides showing preparedness, high-quality reporting helps to strengthen relationships with key stakeholders, such as investors, customers, employees and suppliers, and can provide the organization with a North star to navigate change more broadly.

Role of the board

Private companies may be under-prioritizing risk management — particularly the management of atypical risks — for several reasons. Often, they will not even be aware that they are substantially behind both publicly listed companies and their privately held peers. If they are particularly fast-growing companies, they are likely to be focused on other drivers of growth, such as talent attraction and retention, operational efficiency and customer centricity. Private companies may also find it difficult to justify the return on investment in risk management.

Yet, failing to invest in risk management is a false economy, as the 2023 GBRS study showed. The research found that the proportion of boards expecting severe impacts from risks had almost doubled since the 2021 study. Furthermore, the current complex risk environment is likely to persist, rather than recede. For that reason, boards should be undertaking scenario or what-if analysis to understand the potential implications of a wide range of potential risks.

A well-run risk function is aligned with business objectives, can proactively identify and manage risks and facilitate cross-functional collaboration. It fosters open communication, leverages technology for improved efficiency and promotes a culture of risk awareness throughout the organization. Constant monitoring, continuous training and adherence to regulatory compliance are also key.

By under-prioritizing risk management, companies could also be missing out on substantial value creation opportunities. Through the process of managing and addressing risks, companies can potentially improve their efficiency, enhance their reputation and boost their competitiveness in the market through innovation and an enhanced talent offering. Furthermore, by taking a proactive strategy to the management of supply chain risk, boards can ensure that they have a flexible and resilient supply chain model that not only insulates the company from potential shocks, but also opens up new sources of supply that might otherwise have been overlooked. The EMEIA board priorities 2024 report highlights that companies can use new technological tools, such as control tower solutions, to improve the performance of their supply chains.

In their strategic advisory role, boards can help private companies to better manage and address their risks, turning those risks into opportunities where possible. For example, by understanding and anticipating future trends, boards will be able to plan more strategically to take advantage of those trends, while developing better oversight of risk management practices within their organization. Additionally, if private boards can recruit members who also serve on public companies, they can learn from public company risk management strategies.

Recommendations: how can boards unlock value by managing and mitigating risk?

To help private companies look at risks more holistically, boards can:

1. Adjust their governance model so that they are better able to respond to new and intensifying risks. Adjustments may include having more frequent meetings, forming specific committees to address certain risks (e.g., sustainability and technology), and engaging more regularly with executives around key risk-related issues.
2. Provide oversight for a broad range of risks, encompassing compliance, financial, geopolitical, operational, sustainability, talent and technology risks. Look at adopting scenario analysis to project threats and identify specific vulnerabilities.
3. Give feedback on their company’s talent proposition, including its employer brand, attraction and retention strategies, as well as approaches to engaging, motivating and remunerating talent.
4. Undertake crisis simulation activities for events such as large-scale ransomware attacks and geopolitical crises. These activities will enable the board to identify and rectify weaknesses in the company’s operations, policies and processes.
5. Review their composition and, if necessary, recruit new board members with specialist knowledge of specific risks, such as cyber, geopolitical or talent-related risks.

Summary 

Private boards cannot afford to treat “the next normal” as a temporary phenomenon since the risk environment will only continue to evolve in future. Instead, boards should challenge their management to develop a proactive strategy for risk management. This strategy should anticipate and adapt to emerging disruptions as they happen, build organizational resilience and unlock value for the business — both today and in the longer term.