All Risk and No Action?
January 06, 2017
This podcast is based on EisnerAmper’s annual survey results, Concerns About Risks Confronting Boards, which examines key issues arising in today’s boardrooms. In this segment, EisnerAmper partner and Chief Risk Officer Peter Bible discusses when there’s a disconnect between boards identifying risks and management addressing those risks; how risk management differs among public companies, private companies and not-for-profits; and other key results and trends from this year’s Concerns survey results.
DP: Now, Peter, over the last couple of years EisnerAmper's Concerns About Risk Confronting Board survey has found that there's a disconnect between boards identifying risks and management addressing those risks. Why do you think that's the case?
PB: That's a good question, Dave. Let me start off by saying that boards have, working with management, done a great job addressing risk. There's no doubt about that. What we're seeing in the survey is each company's got a unique culture and actually implementing something in that culture is where the problems arise. The key with boards is to take one more step with management. Just don't identify the risk. Identify how you think it should be. The risk management should be implemented.
DP: It's interesting how culture just keeps coming up time and time again, whether it's with boards or M&As and various other things. Tell us how this dynamic differs among private companies, public companies, and not-for-profits.
PB: This year, it's an interesting trend we're seeing. Clearly risk management is starting to slide down the list a little bit, and succession planning and cybersecurity (or cyber risk) have creeped up. In public companies, succession planning is top of mind for sure. In the private companies, cybersecurity as well as succession planning are there. Not-for-profits are unique because they live and die by fundraising. So fundraising and the ability to identify additional financial resources are the top concerns there.
DP: What's different between the results from this year's survey compared to previous years?
PB: Well, the big difference is the succession planning and cybersecurity climate. We saw, even up until last year, that risk management or enterprise risk management was a key concern and how companies addressed and implemented it. We saw very little of that this year around succession planning and cybersecurity. Just this last weekend, with the Russians being accused of hacking the elections. It's top of mind. It's in front of everybody, every day.
DP: Yahoo, a billion accounts hacked.
PB: Exactly.
DP: Okay. Now Peter, if you could look into your crystal ball a little bit, what about trends that you expect to see continuing over the next year or two?
PB: Succession planning will continue. Succession planning is difficult for a number of reasons. I'll just point to the Jack Welch, three-horse runoff that GE had. People look at that and the two that didn't get in are no longer with GE. There are a lot of dynamics. Someone wanting to step up and take the lead and the board's being unwilling to take a top performer and say ‘you're not in the running’ is very complex and difficult. Second thing about succession planning is generational differences. I sit here as a Baby Boomer and ask who's going to replace me? I have to look at that in the context of they're not my values, but the values they have and what they hold important. It's a very complex, complicated area. I think cybersecurity will be top of mind for a long time to come.
DP: Particularly with the succession of 10,000 Baby Boomers retiring each day. Stay with succession planning for a minute, because this was such a hot topic on the survey. Can you tell us some strategies on how boards and management can work together more effectively to mitigate risk?
PB: Probably the most effective approach I've seen is what I call war gaming. You create a hypothetical, yet inevitable, situation where one day, the CRO's gone and it forces people to start thinking about, okay, Pete's no longer here. How do we deal without Pete being here? So you create a hypothetical, yet inevitable, crisis that the CEO, CFO or COO won't be there. That's one way. I'm sure there are others that you can start to at least have a dialogue around.
DP: Peter, as EisnerAmper's Chief Risk Officer, what keeps you up at night?
PB: The speed of change that technology enables. You see companies and organizations go obsolete virtually overnight, and that's something in my role that keeps me up at night.
DP: Peter, thanks for this great insight. And thank you for listening to EisnerAmper's podcast series. Visit EisnerAmper.com to read more about this topic and get other key findings from our 2016 Concerns About Risks Confronting Board Survey.