July 17, 2014
Michael Breit, CPA
Steven Kreit, CPA
Our 5th annual edition of Concerns About Risks Confronting Boards continues EisnerAmper's exploration of the trends, changes, and issues facing American boards today.
Reputation, cybersecurity and social media are largely intertwined and the associated risk has captured the attention of most boards. However, the executives seem to lack significant understanding, and organizations are missing robust plans to address the identified concerns.
In this edition, we review and analyze the general trends of more than 250 boards, through the survey responses of their directors. As we did last year, we contrast the responses of those serving on public, private, not-for-profit and, in some cases, private equity-owned boards. Additionally, we've reviewed the responses of board members based on the organization's revenue.
Our Executive Summary delivers insight based on our data, professional observations and conversations.
We welcome the opportunity to discuss these findings in detail with you.
Michael Breit, CPA
Co-Chair, Audit and Assurance Services
Steven Kreit, CPA
EisnerAmper's Michael Breit explains how this report outlines risk factors for your organization.
EisnerAmper's 5th annual Board of Director's Survey was designed to gain insights into the risks being discussed and addressed in American boardrooms. Directors were polled via a web-based survey sent to select EisnerAmper contacts and members of the NACD Directorship database.
This survey was conducted during January, February, and March 2014. It measures the opinions of directors serving on the boards of more than 250 publicly traded, private, not-for-profit, and private equity-owned companies across a variety of industries. This report focuses primarily on the responses from directors on the boards of public, private and not-for-profit boards.
These directors serve on boards that govern organizations with an average age of 40 years (some just a year old, others 100 years old) and represent a considerable range in revenue size:
More specifically, the largest groups of respondents were from organizations with over $1 billion in revenue (24%) and those that served on public company boards (38%).
As may be expected, the majority of respondents (67%) with revenues over $1 billion served on public company boards, while not-for-profits accounted for the majority of the respondents reporting less than $50 million in revenue. However, there was a wide distribution, and organizations of all types were represented at all revenue levels.
To gain better insight into the concerns facing boards and how they were being addressed, we also wanted to find out about the structure of these boards. Specifically, were there committees relevant to the issues raised in this survey?
THE FOLLOWING IS A LIST OF COMMITTEES. PLEASE INDICATE IF THESE COMMITTEES CURRENTLY EXIST WITHIN YOUR BOARD AND IF SO, IF YOU ARE PART OF THEM.
The majority of committees identified supported the efforts of an organization's operations, including "write-ins" such as finance and executive committees.
The responses reflected a good mix of those who did and did not serve on these committees and those designed to address the issues discussed in this survey.
EisnerAmper Intelligent Data (EisnerAmper ID) uses proprietary market research conducted by EisnerAmper and leading market research firms, along with analysis from EisnerAmper's partners and principals, to produce insightful articles, events and data designed to educate and stimulate discussion on the issues of most interest to business leaders today.
The survey results were prepared by EisnerAmper and are accompanied by EisnerAmper's observations of industry trends and issues. While EisnerAmper believes the information is from reliable sources, it should not be relied upon as, or considered to be, investment or legal advice.
- Percentages throughout this report are rounded to the closest whole number.
- Not all of the survey participants answered all of the questions.
- Select questions provided the opportunity for respondents to choose more than one response.
Reputation Remains the Leading Concern; Cybersecurity a Growing Threat
Reputation is an ever-increasing concern among board members, particularly for public companies and not-for-profit organizations. However, both private companies and organizations with more than $1 billion in revenue felt they were more at risk from cybersecurity/IT than reputation issues.
Since the beginning of the year, organizations ranging from the DMV to banks to technology players have found themselves not only vulnerable, but struck by cybersecurity breaches. These attacks exposed vulnerabilities across what were perceived to be insulated corporate and financial infrastructures — and within apps, routers, hardware, and websites. It proved that cyber thieves target more than financial and banking information; there is a premium on private communications and other stored data. It further demonstrated that social media enable these reputation issues to take on a life of their own, both in terms of viral dispersion as well as an uncontrollable timeline, with a footprint that is almost impossible to erase.
"Reputation is still a company's best calling card, and a board's best armor. In that light, EisnerAmper's survey and report accurately reflects its enduring importance."
Christopher Y. Clark
Publisher, NACD Directorship Magazine
EisnerAmper's Michael Breit explains why this information is important to investors, board members and management.
Inconsistency Remains Consistent
Ironically, despite the material and reasonable concern about reputation, there was little in the survey that showed support for resources to address it.
Many respondents wrote in that they had no plans — or relatively unsophisticated plans — to protect their reputations. Overwhelmingly, C-suite executives and the board were referenced as the go-to resources to execute a plan to preserve a company's reputation during a crisis.
Crisis management, which could include plans on how to avert a substantial impact on an organization's reputation (including social media showdowns developing from any issue and risk listed — and then some), generated concern from only 31% of respondents — garnering a rank even lower than last year, when it included disaster recovery.
And, with plans for the C-suite and/or board members to take the helm during a disaster, the perceived level of knowledge of CEOs and CFOs around cybersecurity — and more importantly, social media — leaves an observer with an uneasy feeling about how a response would effectively factor in the fallout from these facets of any crisis. Anecdotally, many executives (and board members) readily admit their lack of understanding of new media and cyber issues — two areas in which mere general knowledge can miss the critical nuances necessary for effective strategic and operational decisions.
With the growing role of social media as a marketing tool — from overall reputation to the interpretation of earnings reports to business transactions and activities — it was surprising that only 30% and 36% of boards of public companies and not-for-profits respectively were focusing on marketing and sales. Private companies did show an increase in attention to marketing and sales efforts.
Despite all of these contradictions, most companies continue to feel they are addressing risk either very well or well enough, from a variety of approaches. Yet less than 40% of respondents indicated their organizations have a comprehensive ERM program that is fully implemented; 22% don't even have a program.
A Lack of Interest in…Money?!
Over the past few years, our survey has included questions pertaining to the JOBS Act. It is a topic — and legislation — that the media and its supporters have portrayed as significantly affecting an organization's access to funds, financial strategy and structure, and audience of potential investors. Despite the media frenzy, less than 10% of boards responded affirmatively to our question about planning to leverage opportunity associated with the existing and pending changes. It may be worth considering: Is the opportunity as significant and/or as far-reaching as the current coverage portrays it to be, or does the remainder of the legislation need to be written prior to the engagement of these organizations?
EisnerAmper's Michael Breit talks about the changing perception of risk on a global basis.
External Investment Opportunities
Commercial real estate as an investment opportunity could not hold the attention of three-quarters of the boards. Social impact/sustainability/triple bottom line investments followed, overall, capturing the interest of less than half the boards. Mergers and acquisitions (and similar asset purchases) were also found to be losing favor.
Of all the organizations surveyed, public companies, generally most sensitive to the market's sense of immediacy and need for "instant gratification," are forced to manage for the short-term. Therefore, of all respondents, directors from those boards keep the greatest focus on M&A, potentially in a bid to stay on top of the next big thing that will satisfy the market.
Overall, boards seem to be favoring looking inward: Strategic planning and internal growth and expansion continue to be viewed as a key opportunity investment. These are followed closely by business process improvement and strategic staffing.
RISKS DRIVING CONCERN
Our first question is based on the most fundamental concept driving this survey: What specific risks are top of mind for boards today? This creates an important lens through which to evaluate how boards are addressing risk: from identifying it to managing it, strategically and operationally.
ASIDE FROM FINANCIAL RISK, WHICH OF THE FOLLOWING AREAS OF RISK MANAGEMENT ARE MOST IMPORTANT TO YOUR BOARD?
Cybersecurity/IT risk has risen almost 10%. It has overtaken regulatory/compliance risk (which also increased 4%) as the second most important concern to all boards.
Crisis management and disaster recovery, now ranked independently, each fell close to 10% from their combined listing.
Breaking out the data according to the type of organization can provide additional insight and benchmarks for your own boards and concerns. The contrasts continue to grow, but tend to align with expectations based on the divergent fundamental goals, needs and operating issues of public, private, and not-for-profit organizations.
"Cybersecurity is a constant and growing concern, increasing with exposure to new technologies and relationships with third parties."
John Fodera, CPA
Partner, Consulting Services, EisnerAmper LLP
As might be expected, reputational risk was of paramount concern (82%) to not-for-profit organizations. Organizations with revenue of $1-10 million were least concerned about reputational risk with 60% of directors indicating it was a concern important to their boards.
Cybersecurity was the number one concern for private companies — and a very close second for public companies. Directors serving organizations with revenue over $1 billion also favored cybersecurity (73%) as the top risk, followed immediately by reputational risk (72%).
Though risk due to fraud did not rank in the top third of concerns, 39% of public company board members did show concern, making it a significant outlier among other types of organizations.
Concern about CEO succession planning for private companies dropped by 14%, to 34%, bringing it far out of line with public companies (55%) and not-for-profits (50%). This is especially interesting considering the plethora of discussions around global battles for executive talent. However, private company boards are generally 2-3 times more concerned about outsourcing risk as compared to public and not-for-profit boards.
WOULD YOU SHARE WITH US PERTINENT DETAILS BEHIND YOUR SELECTIONS AS TO WHY YOUR BOARD FEELS THESE ARE MOST IMPORTANT?
We asked the directors to detail why their selections were top concerns for their boards. Many of their responses reflected the top-ranked risks:
"IT/Cybersecurity is also tough to understand — but could cause severe damage."
"IT because much of the vital…work the org does depends on reliability and security of IT"
"Cybersecurity risks are increasing and evolving."
"Our reputation is our business."
"Reputational risk impacts everything; our ability to attract and retain talent, customers, shareholders, banking partnerships, etc...."
"…regulatory compliance risk and IT risk being the most discussed as they are rapidly evolving and difficult to mitigate."
EisnerAmper's Steven Kreit discusses expectations that cybersecurity concerns will continue to increase, especially for those responsible for IT.
And, perhaps providing us a better lens for not-for-profits and less financially robust organizations, respondents wrote, "We'd like all of them to be important, but as we are a relatively small nonprofit we don't have the resources to mitigate all the types of risk at the level we'd prefer to."
Only one director indicated that the issues she or he identified were significant because "We have just completed a comprehensive risk assessment and these are areas we identified as needing further improvements."
"As risk management and oversight in the business world become increasingly more difficult to manage, it is imperative that boards understand how technology is used in their companies, the safeguards around data, and the monitoring efforts around these actions."
Michael Breit, CPA
Co-Chair, Audit and Assurance, EisnerAmper LLP
It is somewhat peculiar to see minimal concern for crisis management (31%) when compared to the premium put on reputational risk (72%). Additionally, cybersecurity and IT management would likely drive a crisis (and impact reputation if not managed well). The lack of correlation in the numbers is something our firm anticipates exploring further in future surveys — but it did get addressed in some responses when we asked directors why these issues were of most concern to their boards:
"Reputational and IT risk are tied together to the extent that a response via the internet can be critical, including how quickly you can respond."
"Due to the nature of our business, the potential for massive damage to our brand could be accomplished via cyber attacks and or other IT related issues."
WHEN ADDRESSING REPUTATIONAL RISK, WHAT PROTECTIONS/PLANS DO YOU HAVE IN PLACE?
Given the consistent concern about reputational risk, we asked directors about the protections and plans they had in place to address it. A surprising number — close to a quarter of respondents — had no plans, and others were just informally "doing their best." This lack of formality to address the most significant risk identified existed across all organizations.
When plans existed, they included both everyday operations — such as to keep a positive reputation and reduce the risk — and strategies to address a crisis affecting reputation.
Plans to address reputational risk centered around:
- Response/communication plans
- Relying on culture, ethics, policies
- Leveraging internal controls
- Leveraging specific professionals, primarily PR/marketing and legal counsel
WHO (INTERNALLY AND EXTERNALLY) IS INVOLVED WHEN EXECUTING A PLAN TO RESPOND TO A CRISIS INVOLVING REPUTATIONAL RISK?
We wanted to understand who was going to lead a plan or response to a situation that put an organization's reputation at risk. We extrapolated information from written responses to identify the following categories:
Once again, we find some irony in the response. Considering the minimal plans articulated by the directors responding to this survey, they seem to hold themselves primarily responsible for addressing reputational risk (along with their organization's executives).
Overall, risk may be addressed by different sources both inside and outside an organization. Performance of these sources may drive the success of risk mitigation.
HOW IS YOUR BOARD ADDRESSING IDENTIFIED RISKS?
Overall, the trends show improving confidence in regular board and committee meetings, external auditors and accounting departments. In addition, legal/compliance and IT, both new areas, have garnered a great deal of confidence from the board members. (There is slightly less confidence in risk management insurance providers.)
This supports the general consensus that the boards are addressing risk "well enough." It also shows that there is a basis for reliance on these approaches.
HOW HELPFUL HAS INTERNAL AUDIT BEEN IN IDENTIFYING RISKS?
With a bit more favor than last year, public companies found internal audit was the most beneficial asset for identifying risk (of course, they are also the most likely to have an internal audit function). The majority of private companies also found value in internal audit for identifying risk. However, slightly less than half of not-for-profit organizations found internal audit helpful or very helpful in this role.
However, when broken down by revenue, it becomes clear that the majority of organizations find internal audit helpful, if not very helpful.
While 46% of boards are not proposing any changes, 32% are looking to enhance staff and 24% are looking to increase audit coverage. Overall, these responses are similar to last year's survey and indicate the positive impact of the internal audit function and reliance on it for protection.
A more detailed analysis shows that directors of public companies, the group rating internal audit most favorably in identifying risk, continue to invest the most in its growth.
WHAT TYPES OF CHANGES ARE YOUR BOARD(S) PROPOSING TO THE INTERNAL AUDIT FUNCTIONS?
"The confluence of the time required releasing financial results and the complexity of financial reporting is driving analysts and investors to request, and companies to release, information that may not be subject to internal controls over financial reporting."
Peter Bible, CPA
Chief Risk Officer, EisnerAmper LLP
Risk is managed differently by every company. One of the more widely discussed, commonly accepted tools is an ERM program. While there remains a low level of implementation, there seems to be a perceivable trend in moving towards implementing this tool.
DO THE COMPANIES FOR WHICH YOU SERVE AS DIRECTOR HAVE/FOLLOW A COMPREHENSIVE ERM PROGRAM?
More significant is the breakdown:
- 55% of public companies have a program that is fully implemented.
- More than 50% of private companies have a program, but only 26% have a comprehensive, fully implemented one.
- Only 20% of not-for-profits have a fully implemented program; 38% of not-for-profits did not even have an ERM program.
The disparity is also evident by revenue, on the extremes:
- 57% of companies with more than $1 billion in revenue have a fully implemented, comprehensive program — compared to only 16% of companies with less than $1 million.
- 53% of companies with less than $1 million do not have an ERM program — compared to 4% of companies with revenues over $1 billion.
However, there was less disparity among companies that fell between the two extremes.
Issues in regulatory compliance continue to change and steal the spotlight, be it through media attention, scandals, indictments, investigations and/or new or changing rules.
WHAT LEVEL OF CONCERN DOES YOUR BOARD HAVE REGARDING THESE AREAS OF REGULATORY COMPLIANCE RISK?
Overall, there were few significant changes of those issues for which boards had notable or negligible concern. General accounting standards and taxes garnered the most attention (and are of most concern for public and private companies). Overall, board member concerns about Dodd-Frank and health care reform are not as prominent; however, energy legislation remains of least concern. When asked about other government intervention that concerns them, the most common answer was the Foreign Corrupt Practices Act.
The JOBS Act, which has garnered a significant amount of regulatory and media attention (and its own separate questions in our survey), does not seem to have the attention of the board for any type of organization. More than 90% of respondents did not anticipate leveraging the Act's opportunities at all.
The minimal interest was shared across organization-type. However, 30% of companies under $1 million planned to leverage opportunities, followed, surprisingly, by 14% of companies with more than $1 billion in revenue.
"Technology continues to open new avenues for companies from an operational standpoint and in go-to-market and delivery strategies and processes. Board members must recognize the opportunities—and risks—inherent in our new environment and drive the changes that will help their organizations succeed."
Steven Kreit, CPA
Audit Partner, EisnerAmper LLP
Overall, strategic direction remains the most important issue addressed by boards, followed by finance and operations.
WHAT ARE THE MOST IMPORTANT STRATEGIC TOPICS BEING ADDRESSED BY YOUR BOARD?
There were few areas skewed heavily by revenue. However, finance was most important (74%) to boards of companies with less than $1 million. Companies in the $10-50 million range also focused heavily on finance, marketing and sales (in addition to strategic direction).
Boards of companies with more than $1 billion in revenue saw the greatest interest in leveraging international opportunities. Yet, it did not gain traction with more than 50% of those respondents.
More than half of the respondents on boards of private and not-for-profit companies spend their time discussing finance. This could simply be a reflection of their day-to-day concerns or an indication of the information readily available in different types of companies.
The responses regarding investment opportunities also offer insight, painting a picture of companies looking to strengthen themselves internally — and furthering the board's interest in strategic planning. Internal growth and expansion, specifically, have continued to remain strong. Strategic staffing almost doubled in identified opportunity. Far less attention is being paid to external opportunities — from commercial real estate and M&A to social impact.
DOES THE COMPANY YOU SERVE SEE NEW INVESTMENT OPPORTUNITIES IN THESE AREAS IN 2014?
While the board may govern an organization and set strategy, management is running its operations. Ultimately, management determines how to execute the strategy. Therefore, it is paramount for CEOs and CFOs to understand the issues that will impact operations — and their organizations (perhaps even more so than the board members).
So, we asked the directors if they felt their CEOs and CFOs have a strong understanding of topics related to risk.
EisnerAmper's Steven Kreit highlights the dichotomy of what organizations are discussing vs. what they're doing.
In the past year, the changes in the perception of the CEOs' and CFOs' knowledge of these topics were all less than 10%; many showing 3% or less. The outliers included:
- A 6% increase in those who felt the CFOs were knowledgeable around broad-based risk assessment and a 5% increase for those reviewing the CEO.
- A 6% decrease in respondents who expected the CFO had the ability to prepare for IFRS. (CEOs improved in this area, but the majority of respondents still felt they did not understand it.)
- 7% more respondents felt the CEOs had a solid understanding of changes to tax from new government regulations, yet there were also 6% more respondents who had the perception that CEOs lack knowledge of regulatory compliance changes.
We continue to posit: Who is taking ownership of these issues on a daily basis — and are they really suited to do so? Last year, one director stated: "…most fellow directors cannot spell IT." Considering the growth of concern for cybersecurity, unless an organization is relying heavily on its board leadership for direction, it's underwhelming to see confidence levels below 60% for both the CEO and CFO in their knowledge of this topic. (That being said, this survey has not considered (or questioned) the role of the CIO and/or CTO in these organizations.)
EisnerAmper's Steven Kreit talks about how reputation and cybersecurity are of utmost importance for organizations of all types and sizes.
We also continue to be puzzled by results such as board members showing little concern about the JOBS Act. If they feel the majority of CEOs and CFOs don't understand it, based on the response to an earlier question, why aren't boards more concerned?
It's understandable, especially in larger organizations, that the people running the show don't need to memorize the entire script. However, if you take a good look at these numbers, many directors are saying that perhaps management doesn't understand the plot.
Public company board members had far more confidence in their management teams (CEO, CFO), followed by private companies. Not-for-profits lagged significantly — though this may certainly be due to resources available to attract the right people for the job. Additionally, not-for-profit leaders, many times, lead out of concern for the constituency and growing the impact and programming — and address the health of the business less eagerly.
There is a general gap between the issues important to the board and the competencies of leadership. Overall, the most confidence is shown in the most general/vague topics — and in some critical areas, a pronounced and definitive lack of confidence.
EisnerAmper's CEO Charly Weinstein comments on the scope of risk addressed by this survey and report.
"Given the results of the survey, we have a concern that boards need to have deeper intelligence about issues that might create reputational harm in their companies and must be better prepared to move quickly in the event of a problem. Boards recognize the potential harm, but they have yet to plan accordingly."
Charles Weinstein, CPA
Chief Executive Officer, EisnerAmper LLP