Directors’ Concerns about Regulatory Risk, Including Dodd-Frank and PPACA, Declining According to 2014 EisnerAmper Survey
July 18, 2014
Report: “Concerns About Risks Confronting Boards” Survey Provides Perspectives from Public, Private, Not-for-Profit and Private Equity-Owned Company Boards
EisnerAmper today issued its fifth annual Board of Directors Survey, Concerns About Risks Confronting Boards, designed to gain insight into the risks that are top of mind in today’s boardrooms. Respondents were asked to identify the risks, other than financial risk, that concern them most. Seventy-two percent identified reputational risk as their primary concern, following the same trend as in prior years. Cybersecurity/IT risk was second at 62%, rising almost 10% from last year’s survey. Surprisingly, regulatory compliance risk – the third most highly ranked concern – dropped six percentage points to 50% in 2014.
Another finding of note was a lack of interest in leveraging opportunities pertaining to the JOBS Act. This legislation has been portrayed as potentially making a significant impact on an organization’s access to funds, financial strategy and structure, and audience of potential investors. Fewer than 10% of boards responded that they were planning to take advantage of opportunities associated with the existing legislation and pending changes.
“The study found that with regulatory compliance factors such as Dodd-Frank and PPACA having been rolled out, the level of concern about those regulations has actually dropped. When we take into account additional feedback from the participants, it paints a picture of boards coming to terms with both Dodd-Frank and health care reform.”
The survey measured the opinions of directors serving on the boards of more than 250 publicly traded, private, not-for-profit, and private equity-owned companies across a variety of industries, sourced from both EisnerAmper and NACD Directorship databases. Fifty-three percent of the survey group identified themselves as serving on audit committees.
Cybersecurity Concern, Limited Action
Boards know they need to worry about cybersecurity, but many have not taken action to mitigate the risk or decided who will ultimately direct their organizations’ course of action. The survey’s finding of an increase in concern about cybersecurity/IT risk is not surprising, but when combined with other indicators, it raises many questions about how well-equipped organizations really are to address it. For example, respondents expressed relatively low levels of confidence in management’s knowledge of cybersecurity and related risk.
Strengthening Organizations from Within
When questioned about new investment opportunities to strengthen their organizations, the directors in the survey looked inward, assigning the highest values to strategic planning as well as internal growth and expansion.
Internal Audit Captures Investment
The survey shows a continuing trend in the use of, and investment in, the internal audit function. The majority of organizations across sectors find internal audit helpful or very helpful in identifying risks. While 46% of boards are not proposing any changes to their internal audit functions, 32% are looking to enhance staff and 24% are looking to increase audit coverage. These results are in line with last year’s survey.
Growth in ERM Programs Low
There remains a low level of implementation of comprehensive enterprise risk management programs, but there is a perceivable trend toward putting such a program into practice. Thirty-six percent of directors report having a comprehensive program that is fully implemented, as opposed to 33% last year. Broken down by sector, though, only 55% of public companies, 26% of private companies, and only 20% of not-for-profits have a fully implemented plan.
“Despite strong concerns about reputational risk and cyber and data security, we saw little in the survey showing support for the resources necessary to address it,” said Kreit, summarizing the results from the survey. “With many organizations admitting that they had no plans or relatively unsophisticated plans to address these top rated risks, there is a need for boards to focus some of their strategic planning time on reevaluating how they will effectively handle concerns as they arise.”