May 07, 2012
Now in its third edition, Concerns About Risks Confronting Boards again explores the issues facing American boards today. Chief among these risks are reputational risk, along with associated risks that impact reputation, followed closely by regulatory compliance risk. Echoing our 2011 Survey, directors are telling us that, together with financial risk, that has been so clearly demonstrated by what many are calling the Great Recession, and the fragile recovery, their company's reputation is paramount and subject to threats from known and still unknown sources.
The Executive Summary outlines the results, but we invite you to read on to understand more about what we are hearing from board members. Trends can be picked up from results over time and it may be useful for readers to benchmark these results against the reality they experience on their own boards. We hope you find this report useful and that you'll share your thoughts and ideas with us.
Our board of directors survey respondents identified their key concerns about risks. Analysis of results and EisnerAmper's assessment of current industry trends result in these key findings, summarized below:
- Last year reputational risk overtook regulatory compliance risk as the primary concern. This year the directors reinforced their belief with 66 percent stating that reputational risk is most important to them (other than financial risk) and ahead of all others. Regulatory compliance risk was not far behind with 59 percent citing it as most important. Clearly Dodd-Frank is rearing its head here; and although the JOBS Bill was not considered by respondents at the time of this survey, it's not unlikely that its components (which some feel will weaken the internal controls set into place under Sarbanes-Oxley) will in turn increase regulatory risk down the road. Without question, directors had the Affordable Health Care Reform Act on their minds at the time of this survey and no matter how the issue is resolved by the Supreme Court, the issue of healthcare reform risk remains of concern to directors. However, what puts the reputational risk figure into proper perspective is the fact that the reputational risk "first cousins" such as IT risk, product risk, outsourcing risk, privacy and data security, crisis management and risk due to fraud were all prominently mentioned as being of significant concern. When viewed as a whole, the concept of reputation is top-of-mind among directors.
- Whether it's recession or recovery, the concepts of growth are never out-of-mind in the boardroom. What stands out in this survey is the 20 percent leap from last year in directors citing internal growth and expansion as the number one opportunity they see for their companies.
- IT alignment to business goals is clearly a C-suite issue. With an increased appetite to invest internally as the recovery picks up speed, and with the advent of new systems' demands springing from risky new ventures into social media, cloud computing and mobile technology, directors not surprisingly identified IT issues as a key concern for their companies.
- The internal audit (IA) function is receiving significant attention from boards with almost twothirds of our respondents stating that their companies will consider enhancing their in-house IA staffs and/or increasing audit coverage. What remains to be seen, and what management will have to come to grips with, is the proper mix of IA resources as the complex issues call for skill sets and experience not always found within the company. An outsourcing or, more likely, a cosourcing strategy seems to be an option.
EisnerAmper LLP's third annual Board of Directors Survey was designed to gain insight into the risks being discussed in American boardrooms. The directors were polled via a web-based survey sent to the EisnerAmper database with related assistance from the National Association of Corporate Directors (NACD). The survey was conducted during the months of October 2011 through February 2012 and measures the opinions of 193 directors serving on the boards of publicly traded and private companies.
Of the respondents surveyed, more than two-thirds serve on audit committees, while half sit on either or both their nominating and compensation committees (see Figure 1).
Figure 1: Respondents' Profile of Committees Served
Seventy percent serve on public boards, and almost half serve on private or not-forprofit boards. Respondents serve on boards across a variety of industries. For example, 30 percent identify themselves as working in the financial sector, 19 percent in the technology sector and 18 percent in the consumer sector.
The survey results were prepared by EisnerAmper, and are accompanied by EisnerAmper's and the NACD's distinct observations of industry trends and issues. While EisnerAmper believes the information is from reliable sources, it should not be relied upon as, or considered to be, investment advice.
EisnerAmper Intelligent Data (EisnerAmper ID) uses proprietary market research conducted by EisnerAmper and leading market research firms, along with analysis from EisnerAmper's partners and principals, to produce insightful articles, events and data designed to educate and stimulate discussion on the issues of most interest to business leaders today.
The respondents were asked the open-ended question "How are your boards addressing identified risk?" See Figure 2. No one means of addressing risk took precedence but their replies indicated that directors were used to receiving reports on risk from executive management (22 percent) and/or regularly discussed issues concerning risk during board meetings (18 percent); 16 percent said they relied on professional support/advice from outside experts or consultants.
Figure 2: How Are Your Boards Addressing Identified Risks?
Confirming the trend revealed in the 2nd Annual Concerns report (see Figure 3) reputational risk was again identified as being of most concern, with regulatory risk again ranked as the second greatest concern. Both IT risk and privacy risk showed increases from the last survey and both can arguably be linked with reputational risk because breeches in systems security inevitably lead to attacks upon a company's reputation, often by the actions of attorneys general and public opinion. In a similar fashion the newly added category of crisis management, which scored a very strong 47 percent, is itself also an indicator of reputational concern. To this mix might be added succession planning, where the lack of a cogent plan can lead to real difficulties. Several directors cited succession planning as a looming problem with one saying that "(despite talking about it) we have not done it and are now in jeopardy of losing our CEO without a plan in place." The evidence clearly shows that directors are highly concerned with reputational factors that can destroy in days what it took years for their companies to build.
"Director's views concerning the importance of reputational risk are coming together. What's emerging is a broader view of what reputation risk entails and it's instructive to consider their opinion of its scope. As a benchmarking exercise it also might be of real value for readers to think about reputational risk as comprising operational and human elements – as each has its own set of mitigation strategies. In that way when boards are thinking about reputational risk they can more easily categorize them as including, on one hand, product liability, outsourced networks, privacy and data security and, on the other hand, fraud, customer relations and crisis management."
Figure 3: Aside from Financial Risk, which of the Following Areas of Risk Managament Are Most Important to Your Boards?
In an open ended question, when asked to expound further upon reputational risk the directors identified their Top Three areas of most concern (see Figure 4). Areas of product quality, liability and customer satisfaction came first (30 percent of all responses) followed by concerns about integrity, fraud, ethics and specifically the Foreign Corrupt Practices Act, at 24 percent of all responses. The response make sense: Concerns about a company's products as well as its integrity are both entwined with reputational risk. IT security and regulatory compliance were further down the scale – 12 and 10 percent of all responses, respectively; and with regard to IT issues/security the 12 percent ranking seems low especially in light of the highly reported IT systems breeches at major corporations worldwide.
Figure 4: What Are the Top 3 Types of Reputational Risk That Concern Your Boards the Most?
This edition of Concerns About Risk Confronting Boards asked directors questions regarding the use and composition of their firms' Internal Audit function. As Figure 5 shows, almost 80 percent of respondents are turning to their IA departments to help address identified risk.
"What's become increasingly clear is the fact that today's director is being asked to be aware of, and even knowledgeable about, a seemingly endless variety of concerns. Does this become a risk itself? As our survey shows, directors are being asked to deal with financial, operational and strategic matters which are all impacted by the outside forces of regulators along with global, economic and environmental factors. The director's plate is exceedingly full and a useful discussion might be had on whether concerns about risk should be centralized in its own committee."
Partner, Chief Executive Officer
Figure 5: In the Current Risk Environment are your Boards Using Internal Audit to Address Identified Risks?
Publicly traded companies need to describe in their proxies how they are managing risk within their organizations. Often this becomes the stated responsibility of the board, a board committee or a management committee. Given recent news events that have highlighted the need for better control and monitoring, whoever holds the responsibility of risk management, that party wants some independent program in place to provide them a level of comfort. Often that becomes part of the internal audit's plan. We are not surprised that companies are looking more to IA to provide that assurance.
Furthermore, as shown in Figure 6, directors want more out of their IA function. This is a very good sign as IA budgets have been under pressure in recent years.
Figure 6: Are Your Boards Proposing These Types of Changes to the Internal Audit Function?
Having more IA is not the only issue. IA needs to be multi-faceted and have the resources (either internal or co-sourced) to deliver the insights that boards are expecting and requiring. IA needs to be aligned with the corporate objectives. Companies with inhouse IA functions are prone to some of the pitfalls identified by the findings in Figure 6. Almost 65 percent of board respondents propose both enhancing their staffs and increasing their internal audit coverage. Yet the lack of the right skill-set/subject-matter expertise to do certain audits coupled with poor risk assessment can lead to a stagnant IA plan which hinders the ability to focus IA attention on the most important/most risky topics. This inattention, in turn, affects the frequency at which IA invests time and resources looking at a topic. In many cases, mixing in outside resources can augment excellent in-house talent and become a positive step.
"Developing more comprehensive skills within the internal audit department, with regard to controls and increased audit coverage, represents an opportunity for companies which view enterprise-wide risk assessment as a critical concern. That said, however, it is management's responsibility to ensure that the right set of skills are being brought to bear. In some cases employee training and the hiring of talent will be sufficient but both management and boards need to be cognizant of the values presented by a coherent co-sourcing strategy, as well. In terms of specific skills, timeliness and cost, a combination of in-house and outsourced internal audit capabilities can be advantageous."
Partner, Chair Consulting Services
We asked directors to tell us what they want to learn about the most, and allowed them to provide multiple answers. As shown in Figure 7, almost three-quarters of all replies indicated directors were looking for information on broad-based risk assessment indicating a strong interest in keeping up-to-date on risk holistically. About half of the replies indicated cyber security, protecting reputational risk and being current with regulatory compliance issues as topics they wanted more knowledge about. These findings tie in nicely with those regarding the importance to directors of IT Risk, shown previously in Figure 3, and the perception directors have of the lack of understanding on behalf of their CFOs in cyber-security, shown later in Figure 10. Indeed, it's hard to overstate the importance of IT risk for, as one respondent told us, his public company "is highly regulated and depends 100 percent on its IT systems to process transactions for providers of health services and to customers."
Figure 7: In Which of These Topics do Board Members Have the Most Interest in Gaining More Knowledge?
Speaking of regulatory concerns, for the first time we surveyed director concerns about potential regulatory action (see Figure 8). Based on their level of concern (low/moderate/ high), directors cited mandatory auditor rotation to be of high concern at almost 23 percent (by far the most of any high concern ranking) and almost 59 percent told us that mandatory audit firm rotation was of moderate or high concern; slightly more than half cited financial reform as being of high or moderate concern, and more than onethird said that lease accounting changes were of moderate or high concern. The topic of mandatory audit firm rotation is receiving significant attention, with recent hearings conducted by the PCAOB and the Congress. As was reported from those hearings, major accounting firms, including EisnerAmper, have issued opinions on the issue stating that the risks would include increased costs and reduced audit quality, and that mandating audit firm rotation would actually diminish the power of the audit committees.
As shown in Figure 9 directors were also asked about which areas of regulatory compliance risk were of primary concern to their boards. Interestingly, compared with previous responses in earlier surveys, in three of the categories offered, the directors had less concern than before; indicating, perhaps, that their firms were coming to grips more effectively with the challenges of: Financial Reform (40 vs. 58 percent), Accounting Standards (45 vs. 49 percent) and Sarbanes-Oxley (32 vs. 37 percent). Of significance was the spike in regulatory compliance concern regarding healthcare reform – from 31 to 41 percent. At the time of this survey the Affordable Health Care Act had not yet come before the Supreme Court which was to hear arguments about the compulsory mandate issue as well as complex severability issues. There's little doubt the directors were voicing their concern about the impact of implementing healthcare reform. As of this writing, the Court had heard arguments but had not yet ruled.
Figure 8: Rate Your Concerns About Potential Upcoming Regulatory Actions on:
Figure 9: Which Areas of Regulatory Compliance Risk Are the Primary Concerns of Your Board?
"Boards have an ever increasing demand put upon them to review and take into consideration the effects and ramifications of myriad new rules and regulations. These regulations, including those found in Dodd- Frank, and now the new JOBS Act, are complex and in many cases not yet fully implemented. Add to this mix the requirement to be knowledgeable about international agreements, treaties and tax laws, and it is no wonder directors cite regulatory risk as being of significant concern."
Partner, Co-chair Services to Public Companies
Regulatory risk has an international aspect to it as well. As one respondent told us, "Regulatory risk has become extremely important because governments around the world are changing the rules as they try to address major economic and environmental issues. The regulatory landscape is evolving rapidly in most geographies and industries." One has only to think about Basel III, the Foreign Corrupt Practices Act, Foreign Account Tax Compliance Act, EU monetary policy and myriad foreign trade agreements as evidence of the international financial realities that influence how directors view risk.
One respondent made the connection between reputational risk and regulatory compliance risk this way: "Reputation is the most difficult to re-establish and federal regulations are increasingly easy to violate without the intent to do so."
In this edition of Concerns, directors were asked whether their CFOs had a strong understanding of a number of risk management issues. Directors could offer multiple responses and slightly more than 70 percent of the responses indicated that directors felt their CFOs had a strong understanding of the creation of financial models (see Figure 10). Around 60 percent of the replies indicate that directors felt CFOs had a strong understanding of broad-based risk assessments and of changes in tax compliance from new governmental regulations. The relatively low percentages they assign to cyber security and aligning business goals to IT can, perhaps, be attributed to directors not associating those risks to be within the scope of CFO responsibilities.
Figure 10: In Your Opinion, do you Feel that CFOs Have a Strong Understanding of These Topics?
On a forward-looking basis (see Figure 11), directors were asked to identify new investment opportunities. Echoing previous results, directors cited M&A or other asset acquisition as an important investment opportunity for their companies (though less so than in our earlier report: 68 vs. 73 percent). It would appear that M&A remains a viable growth strategy for boards to consider whether in recessionary or recovering times. A significantly larger number identified internal growth and expansion as an investment opportunity than in our earlier report (71 vs. 51 percent); again supporting the observation that in a recovering economy repairing the house you live in is timely and prudent. The strikingly large increase in the perceived opportunity to invest in IT infrastructure (14 to 42 percent) speaks volumes about the board's interest in updating old systems with new and in keeping up with the times which certainly include the systems revolutions surrounding social media, cloud computing and mobile applications. All of which, not incidentally, carry very real reputational risks in cases of breech or misuse.
Figure 11: Does the Current Economic Environment Offer the Companies You Serve New Investment Opportunities vs. Last Year?
% Responded Yes*
|New Investment Opportunities
|Internal Growth & Expansion
|Commercial Real Estate
Note: Respondents could choose multiple answers
"At the time directors were completing this survey there was clear evidence that an economic recovery was taking hold, along with an anticipation that the currency shocks in Europe and the volatility of the equity markets was abating to some degree. Whether or not the recovery speeds up or remains tepid it does appear to us that investment, including M&A, is a timely topic at the board level. This is particularly so, we believe, in the arena of re-investment where management's attention is being placed squarely on internal growth. Boards should be aware of this trend and become educated on how expanding internal capabilities might be a real momentum builder and an advantage with regard to a highly competitive marketplace for talent."
Partner, Co-chair Services to Public Companies
The survey results enable EisnerAmper and our colleagues at the National Association of Corporate Directors to make several observations concerning the risks directors face in the boardroom.
- Reputation risk is top-of-mind but is difficult to address because it is so broadly defined. Components include operational issues such as product liability, succession planning and IT systems as well as issues involving the actions of people such as fraud or lack of training. Awareness seems to be the key and vigilance in addressing threats is a constant.
- Regulatory compliance risk is local, national and global. Having the necessary resources to keep up with regulations, to understand their impact and timeliness and to create affirmative defenses is expensive and time consuming yet absolutely critical.
- The requisite skills to avoid or mitigate internal controls risk (including audit and IT for example) may not adequately reside within many companies. This skills gap can be dangerous and can also be answered by a risk management plan that should include a cost/benefit analysis of outsourcing or co-sourcing.
- The nature and compositions of boards is changing. Where will the "risk portfolio" reside in tomorrow's boardroom: within the audit committee, among a new risk management committee, or as the responsibility of the whole board? One sure thing is that this question will be on the agenda of most boards.
NACD annual surveys of directors show "risk oversight" as a growing concern for directors.
In 2011 and 2010, it was the third most important issue after strategy and performance for public company directors. This was up from a number six position in 2009, and a number 18 position in 2006. This highly focused EisnerAmper survey of 2012 sheds light on what risk issues are most important within risk oversight. In our view, the survey brings to light three very significant and positive findings:
- First, we learn from the EisnerAmper survey that reputational risk ranks more highly than regulatory compliance risk. This is good news, because it shows the "value focus" of today's directors. It is well known that reputation—also known as goodwill in post-merger accounting rules—can account for up to 80 percent of a company's value in the equity marketplace.
- Another important finding from the EisnerAmper survey is the focus on internal growth rather than growth via acquisition, and on internal control as part of that focus. As the survey report wisely notes, "In a recovering economy, repairing the house you live in is timely and prudent." Investment in the internal audit function is money well spent.
- Finally, we find it very encouraging to see respondents to the EisnerAmper survey willingly identifying areas where they desire more education, starting with broad-based risk assessment, identified by three in four respondents to the EisnerAmper survey as an area for more learning.
To close, as a premier provider of director education and research, NACD will continue to address the subjects of reputation, internal controls, and risk oversight, among other emerging concerns.