Concerns About Risks Confronting Boards - 2015 Survey
- About the Research
- Key Observations and Insights
- Concerns About Risks Confronting Boards
At this year's NACD Global Board Leaders' Summit, EisnerAmper had the opportunity to interview board and audit committee members about issues that are top-of-mind for their boards.
Our 6th edition of Concerns About Risks Confronting Boards continues EisnerAmper's examination of the trends, changes, and issues American boards face today.
With today's media capable of capturing every crisis (big and small) occurring within organizations, it is becoming increasingly evident how connected reputation, cybersecurity and social media are in relation to risk. This time around, we took the opportunity to ask a variety of specific questions to the directors regarding cybersecurity and social media.
In this edition, we review and analyze the general trends of more than 300 boards through the survey responses of their directors. To give our readers a complete and in-depth look at the findings, we contrast the results of those serving on public, private, and not-for-profit boards. Furthermore, we evaluate the responses of board members based on the organization's revenue as well as compare and contrast our past data to better understand the trends that have been developing.
This report delivers insight based on the survey results, professional expertise, current news, first-hand stories from veteran directors and the conversations we have with clients and contacts. As always, we welcome the opportunity to discuss these discoveries in detail with you.
Partner-in-Charge, Audit and Assurance Services
EisnerAmper's 6th Board of Director's Survey was designed to gain insights into the risks being discussed and addressed in American boardrooms. Directors were polled via a web-based survey, sent to select EisnerAmper contacts and members of the NACD Directorship database.
This survey was conducted during 2015. It measures the opinions of directors serving on the boards of more than 300 publicly traded, private, not-for-profit, and private equity-owned companies across a variety of industries. This report focuses primarily on the responses from directors of public, private and not-for-profit boards.
These directors serve on boards that govern organizations ranging from just a year old to 175 years old, with an average age of 41 years. These directors represent a considerable range in organization revenue size:
The majority of respondents (73%) with revenues over $1 billion serve on public company boards, while not-for-profits accounted for the majority of the respondents (61%) reporting less than $50 million in revenue.
This year, respondents were well-mixed amongst board types and revenue size.
To gain better insight to the concerns facing boards and how they are being addressed, we posed questions to find out more about the structure of these boards.
Almost every board has created and maintained the committees listed in the survey, with the respondents again representing an equal mix amongst each committee – as well as finance and executive committees.
EisnerAmper Intelligent Data (EisnerAmper ID) uses proprietary market research conducted by EisnerAmper and leading market research firms, along with analysis from EisnerAmper's partners and principals, to produce insightful articles, events and data designed to educate and stimulate discussion on the issues of most interest to business leaders today.
The survey results were analyzed and presented by EisnerAmper and are accompanied by EisnerAmper's observations of industry trends and issues. While EisnerAmper believes the information is from reliable sources, it should not be relied upon as, or considered to be, investment or legal advice.
- Percentages throughout this report are rounded to the closest whole number.
- Not all of the survey participants answered all of the questions.
- Select questions provided the opportunity for respondents to choose more than one response.
We hope that in addition to the data and information we've obtained through your responses, we're also able to help you see beyond the numbers and form action plans to face the challenges that you yourselves have deemed the most important.
RISK, NO ACTION
This year, we feel obligated to point out an issue that is not linked to one specific concern or trend in board oversight. Rather, picking up on a key mention from our 2014 report, a theme that has resonated even more distinctly this year is "risk, no action." While action may very well fall to those in the day-to-day operational roles, there seems to be little happening at the board level to encourage addressing the risks in a more comprehensive fashion.
SOCIAL MEDIA: THE CURRENT "WILD WEST" FOR BOARDS
Let's face it: Social media is a necessary evil for every company, organization and brand in today's market. It connects companies with their customers and provides an instant and transparent tool for communication that wasn't even a part of reality 15 years ago.
The ever-present trend, over the 6 surveys we've conducted, is that reputational risk ranks as the top concern. Because social media is intrinsically linked to a company's reputation and image, organizations and boards should consider social media as one of the most important risks to manage and monitor (as well as a tool to use to combat the same). With all of the positive results that social media provides an organization, potential reputational risk backlash can (and does) occur.
Shockingly, only 6% of boards feel as though they are well-versed in social media risk, and 67% of organizations are not engaging external consultants to monitor social media.
The results indicate that boards do not feel (or do not have the depth of understanding to appreciate) the potential impact and harm social media can have, quite rapidly, on a company's reputation.
The recommended response times for different media reflect the varied expectations of the audience for each channel:
- Twitter: minutes up to two hours
- Facebook: up to twelve hours
- Blogs: up to twenty-four hours
- Mainstream media: one to two days [1]
Placating the social sphere ensures that silence does not exacerbate the issue. Further, timely communication generates trust. Having an effective plan in place (that can be executed immediately) can therefore make all the difference in successfully managing a crisis – particularly those that become viral in new media.
CYBERSECURITY: THE MOST DEVASTATING RISK?
Despite reputational risk's dominance as the overall top concern to boards, cybersecurity emerged as the top concern for public company boards (70%).
Over 95% of public companies either use internal audit or external auditors/consultants to monitor cyber risk. While public companies deserve accolades for their efforts in monitoring cyber risk, is that enough considering merely 24% of board members feel their boards are well-versed in understanding cybersecurity risk and another 10% feel that they are falling short of fully understanding the risk? What's more, is simply monitoring a potential cybersecurity breach enough? Cybersecurity not only should be understood and monitored, but also managed effectively – with pre-attack testing to further help prevent and minimize a future breach.
Recently, we have seen how even some of the largest corporations can fall victim to a cyber breach – Target, Staples, and Home Depot to name a few. Each attack had serious negative fallout – from reputational damage to stock price to forcing a change in the senior management. There is even speculation of the latest in cybersecurity breaches having a significant impact on a planned IPO. [2] While this risk is inevitably on the rise with hackers able to directly attack customers through corporate systemic failures, it is difficult to predict the potential (near) future fallout from such crises.
As survey respondents were asked to comment further, the complexity of cybersecurity and cyberattacks emerged, along with the relationship to some of the other concerns identified.
- "Cybersecurity is a complex area with multiple threat vectors that many boards do not have the skills or knowledge to understand, let alone manage."
- "Cybersecurity/IT could effectively cripple the company from the blind side, and implicates all other risks (i.e., fraud, product, reputational, etc.). It is an area that is difficult for non-technical personnel (and board members) to understand, etc."
- "So much information shared online and threats from hacking really make one wonder: Can you ever do enough to protect information and data even with the best plan put in place?"
- "Cybersecurity/IT is presently number 1 due to the rapid increase in number and severity of breaches. Combine that with the fact our board has only one person on it with sufficient technology experience makes it a high risk for us. At least we have one person."
We keep asking ourselves – while understanding is the first step, is a monitoring plan sufficient protection?
PLAN TO PROTECT YOUR REPUTATION
Throughout the years, it's become apparent that boards recognize the implications of reputational risk. Almost half (48%) of board members state their boards have a plan in place to address a crisis with potential reputational risk fallout; however, only 20% have provided training to execute the plans. Is merely having a plan on paper enough to sustain reputational risk? Or is training necessary? Further, is the team comprised of the right people to address it – from strategic as well as tactical perspectives? Should there be outside consultants/experts identified as key players in a crisis response plan?
Public company boards appear to be most diligent in addressing reputational risk: almost 75% have a response plan in place and nearly a quarter have provided training. Yet, both private and not-for-profit boards expressed more concern about the impact of reputational risk than public boards. Therefore, two points stand out:
- Of private boards, 37% do not have a solid protection/plan in place for a reputational crisis, yet almost 90% of board members say reputational risk is the most important concern facing their boards.
- Considering the massive financial and reputational implications that have resulted from cybersecurity breaches – the attack on Target cost the company $148 million and an additional $61 million in anti-breach technology [3] – public companies should be aware of the connection between a cybersecurity breach, an organization's reputation and the ever-expanding role of social media.
Veteran director Margaret Pederson, President at Amirexx and Director at TextureMedia, Viad and Xamax Industries, said that on the boards she has served on, at least one in-depth meeting each year is focused exclusively on reputation risk and preparation. "It's so important to have a plan in advance," she said. "You need to have thought through the challenge and crafted potential responses beforehand so that you can react quickly. There is not sufficient time to only start developing plans once the crisis occurs." [4] EisnerAmper's Michael Breit added that management—from the CEO on down—should be involved in developing the plan.
ASKING PERSONAL BOARD QUESTIONS
This year, we expanded our focus to include term limits, age limits and diversity quotas. Overwhelmingly, board members agreed with employing these limits (75%), yet 61% do not have term limits and 76% do not have age limits.
Further, half of the board members agreed with utilizing diversity goals; those who disagreed referenced their belief that "experience" and "skills" should drive board member selections as opposed to diversity factors. Not-for-profits seem to be the most progressive in incorporating limits and quotas to minimize group think and reduce risk. Interestingly, 23% of board members ranked diversity as an important area of risk management, while only 7% of public and private board members said diversity was a main concern for their boards.
START TO TAKE ACTION: OPERATIONAL AUDIT
A heat map that illustrates enterprise risk specific to a company and its activities is a useful practice, advised Mary R. Henderson, Director at CNO Financial Group, Regus plc and Walter Energy. "The heat map is a living document that receives ongoing review and is adjusted as conditions change," she explained. "While a designated committee may provide in-depth oversight, enterprise risk is a full-board matter…. One can never predict what may happen…. Practice is always a good idea. Create a faux problem, test your list and approach, and evaluate the outcome," she said. [5]
With regulations requiring more public companies to address financial internal control concerns, only 22% of the board members surveyed indicated they do not have an internal audit function. However, almost half of private companies and not-for-profits do not have an internal audit function.
Despite these numbers, many associate audit with a more traditional financial audit (akin to the requirements of section 404 of the Sarbanes-Oxley Act). There are growing issues and concerns, however, with risk inherent to a company's operations. Yet, there are few, if any, regulatory controls in place to ensure the fervent and effective employment of operational audits.
An operational internal control function is robust and can cover significantly more risks than a financial audit. The process may include a full risk assessment of the business, including everything from manufacturing to cybersecurity to foreign operations to financial reporting, rating each of the risks and developing testing plans to verify the controls that mitigate them. Cybersecurity may be prominently featured, considering everything from Ashley Madison and the IRS to credit card exposures at Target, Home Depot and Staples – as it dominates the news. Less commonly reported types of security flaws, such as the ability to control a Jeep remotely, show the breadth of issues that arise simply from technology, many of which may be moderated with effective testing.
While financial regulation may have dominated many companies' audit concerns for the past decade or two, stemming from headline news like Enron and Madoff, growing operational risk should evolve boardroom discussions to consider the scope of their organizational audits and the need to review operations. The new generation of crises may impact financials, but they will likely not originate in "the books."
1. Sandra Fathi, "Social Media Crisis Response Times – How long do you have before the @#&% hits the fans?," Tech Affect blog (May 17, 2012)
2. Alastair Sharp and Euan Rocha, "Bankers: Hacked infidelity website Ashley Madison 'can kiss goodbye' plans for an IPO," Business Insider online (July 22, 2015)
3. Sharone Tobias, "2014: The Year in Cyberattacks," Newsweek online (December 31, 2014)
4. Judy Warner, "From Empathy to Heat Maps, Advice for Managing Reputation," NACD Directorship Magazine (July/August 2015): 56-57
5. Warner, "From Empathy to Heat Maps, Advice for Managing Reputation," 57
RISKS DRIVING CONCERN
This report is driven by one of the most fundamental questions facing board members: What issues cause you the most concern today?
"Boards are more focused than ever on risk management. As our survey notes, we have seen growth in almost all risk management areas with reputation and cyber risk leading the way and regulatory and compliance risk closing the gap."
MICHAEL BREIT, CPA
Partner-in-Charge, Audit and Assurance Services, EisnerAmper LLP
Our survey results create an important lens through which to evaluate how boards are addressing risk: identifying it and managing it, strategically and operationally. Therefore, it is crucial to begin by understanding the risks at the top of directors' minds.
Since the inception of the Risks Confronting Boards survey, the top 3 areas of concern for boards – excluding financial risk – have been and continue to be reputation, cybersecurity/IT and regulatory compliance. Meanwhile, outsourcing risk and succession planning have gained momentum in certain types of organizations over the past few years.
THE HOT TOPICS: REPUTATIONAL RISK AND CYBERSECURITY
For private and not-for-profit company boards, reputational risk is top of mind, while for public companies it has dropped to second place at 66%, behind cybersecurity, as it was in 2013. Despite the survey asking participants to rank their top three concerns, there was no obvious "third" after the top 2 concerns.
These areas have been identified year after year as the "most popular" topics boards address in terms of risk management. When the range of options is weighted, we confirmed they are the top-of-mind concerns, across the "boards."
Public company board members focus their concern on a different issue – cybersecurity. While cybersecurity is one of the top 3 concerns for private and not-for-profit boards, it beat out reputational risk by 4% for public company board members as the top concern.
THE ISSUE REMAINS: SO WHAT?
What are boards doing about the issues identified as key risks?
QUIETLY OF CONCERN: SUCCESSION PLANNING
Last year, we evaluated the importance of CEO succession planning; this year we broadened succession planning to include all senior management. Private company boards reported the most drastic increase in the importance of succession planning from 2014 to 2015 with a 15% increase to 49%. Succession planning is also a top concern for not-for-profit organizations; it is the second most important risk after reputational risk, reflecting a 6% increase from 2014. This year, we expanded on the central question of the Concerns Report: we asked survey participants to rank their top two areas of concern.
A cybersecurity threat is inherently linked to an organization's reputation. The potential for fallout for any company should be of concern.
"Given the complexity of cybersecurity and its ever-changing landscape, boards are challenged to stay visible and take action where necessary. They need to take practical steps to protect the company from threats, and ensure there's a plan in place to address a cyber breach when it occurs."
JERRY RAVI, CPA
Partner, Consulting Services Group, EisnerAmper LLP
Seventy-five percent of respondents highlighted reputational risk as the top concern to their board. Sixty-eight percent say a response or communication plan is in place to counter reputation crises and their organization has provided training on executing those plans; while 48% have a response plan in place yet have provided no training as of the survey date. Public companies are most diligent when addressing reputational risk: Almost 75% of the board members indicated their companies have a response plan and training in place.
While preparedness percentages continue to rise modestly, boards may want to consider if having a plan on paper is sufficient to sustain a reputational crisis. Is training (or other action) necessary?
While the amount of private companies and not-for-profit organizations with a plan in place has increased (as has training on those plans), these organizations continue to lag behind public companies. True, public companies trade on public confidence, but many not-for-profits rely on the public's support as well.
A crisis, like the one shouldered by Susan G. Komen for the Cure in January 2012 [6], demonstrated the link between reputation and social media and their combined impact on once significant financial coffers and donations. In this case, whether the organization had a plan in place or not, its execution did not take place in a timely manner, nor did it give appropriate attention to the proper media sources.
IDENTIFYING AND ADDRESSING RISK
Customarily, risk may be identified and then addressed through various resources both inside and outside an organization. The performance of these resources serves, ideally, to minimize (or eliminate) risk – and can, in the event of an emergent issue, drive the success of crisis relief.
The chart below details a variety of resources employed by organizations to address risk. The board members identified how well they believe these resources are addressing the issues.
Seventy-eight percent of public companies employ personnel in an active internal audit function, whereas just over 50% of private and not-for-profit boards do so. Further, boards that had an internal audit function ranged in size from 1 to 450 people, with an average of 14. Take out the 2 largest outliers as well as the few with no internal audit function and the average drops to 6 people.
Some of the bias of public companies towards internal audit may be attributed to the Sarbanes-Oxley Act (requiring public companies to conclude whether their internal controls around financial reporting are operating effectively).
However, it should be noted that "internal audit" can refer to financial audit and/or operational audit functions. The financial audit function can be effective in identifying and mitigating risks around financial reporting. However, for purposes of the risks discussed in our survey, an operational audit function is able to address significantly more of these specific risks.
There have been too many examples of cyber breaches and social media debacles leading to vast reputational fallout for a brand and/or organization in the past few years. The recent Jeep incident, [7] in which it was discovered that the widely sold SUVs could be individually remote-controlled by anyone, anywhere, who could hack into the vehicle's software, is an example of a cybersecurity issue that affected a product – and, ultimately, reputation – while being reported and discussed heavily on social media (as well as traditional media). With the growth of "connected" products, there is a new, growing relationship between cybersecurity and product risk. This may begin to impact the composition and background of operational audit personnel, increasing the need to hire hackers.
More recently, a breach was uncovered when a New York insurance company performed an internal operational audit (in 2015) and discovered that the information of over 10 million members was possibly hacked back in December 2013. [8]
Even more so than in 2014, public companies continue to find internal audit the most helpful (34%) when identifying risks. Not-for-profit boards have followed suit and increasingly found internal audit to be either very helpful or helpful, with a combined 17% increase.
There seems to be some recognition and movement around the risk associated with cybersecurity/IT. With 61% of respondents ranking this as a top concern to their board, we found 67% of respondents indicated that their boards have engaged internal or external auditors to monitor or address cybersecurity risk. This is one area in which real action seems to be emerging; however, it is not equally so across all types of companies.
Public companies identify cybersecurity as the top risk to their boards; this aligns well with over 90% indicating they employ (external or internal) auditors to address cyber risk. Conversely, not-for-profit boards demonstrated less concern for cyber and IT risk than public and private companies (just under 50% ranked cyber as a top concern to their board); less than a quarter engage internal or external auditors to address cyber risk.
Eighty-nine percent of respondents ranked reputational risk as a top concern. Specifically, for not-for-profit organizations, it is the top concern. Yet more than half of not-for-profit boards lack auditors to monitor or assess social media and cybersecurity risks.
Taking cyber, IT, and reputational risks into consideration, it may seem at first glance not-for-profits show the greatest inaction to counter perceived risks. Yet, the audit resources associated with a not-for-profit tend to be far less robust than most public companies. That being said, the next section demonstrates that not-for-profits are the only segment of companies with a growing number of boards looking to increase both audit frequency and coverage.
This year, despite the growing risks from more prominent concerns, boards do not appear to be interested in making significant changes to their internal audit function. In fact, more than 50% of the board members surveyed, and within every type of organization, are not proposing changes. Further, of those proposing changes, the appetite for each type of change has decreased, in many cases significantly. The outstanding increase, despite a minimal internal audit function, is not-for-profit organizations increasing their audit coverage.
"With the increasing impact of technology on a company's reputation and bottom line, boards may want to steer executives to expand the way they leverage internal auditors – such as operational audits to assess an organization and its products and services to vulnerabilities from emerging risks and concerns – much like they have started to do with social media."
ERIC DIAMOND, CPA
Audit Partner, EisnerAmper LLP
For the second consecutive year, strategic direction is, overwhelmingly, the highest ranked strategic topic being addressed by all types of boards. It is followed once more by finance and operations.
Although strategic direction is being addressed by the most boards and has increased in visibility by more than 10% for both not-for-profit and private company boards, it has become a less-pressing topic for public company boards (down 7% since 2014). Finance has increased in popularity by 15% since last year.
There have not been significant changes in the other topics boards are addressing for 2015.
Similar to last year, internal growth/expansion and business process improvement remain the favorite areas of new investment opportunities.
To further understand the focus of boards, we polled board members about the topics their boards currently focus most on as well as what they believe they need to focus more on. Well over half of boards focus most on strategy (57%); even so, 84% of board members responded that more time needs to be allocated to the topic.
At the other end of the spectrum, 45% of boards focus most on operations, while only 20% of board members feel they need to focus on the topic.
While the board may govern an organization and set strategy, management is running its operations and ultimately controls the day-to-day aspects of leading an organization. In other words, management determines how to execute the strategy. With this taken into account, it is paramount for CEOs and CFOs to understand the issues that will impact operations. This is why we ask directors if they feel their CEOs and CFOs have a strong understanding of topics related to risk.
For the past 3 years, cyber and social have been the 2 areas where boards feel that CEOs are not managing as well as others. The trend continues this year: At least 25% of board members feel that the CEO is not managing these issues well. Yet, they are also the 2 areas where boards feel CEOs should have more responsibility.
Creating financial models for strategic direction and aligning business goals to IT are 2 other areas board members identified that CEOs are not managing well. This presents the question: Who really should hold the responsibility for these issues/topics?
"When evaluating risks, remember the three Ds: diversity of thought, distribution of capital and disruption of your business. Social media has served as an agent to consolidate all risk into one category."
PETER BIBLE, CPA
Chief Risk Officer, EisnerAmper LLP
This year our survey delved deeper into the disposition of the boards on which the respondents serve.
Overall, the boards represented do not employ term limits. However, 75% of directors support employing this measure. Not-for-profits seem to be the most progressive incorporating limits and quotas to minimize group think and reduce risk.
The board members seem to understand the potential risks of not using limits, yet many seem to be hesitant to address this concern. Christopher Clark with the National Association of Corporate Directors says, "The board needs first to understand and subsequently to be a driving force regarding the myriad distinctions among people in the workplace and the mechanics of unconscious bias. Keying the c-suite and all employees in to how people think results in more egalitarian behaviors across the entire enterprise; thus mitigating risk to varying degrees."
We queried the respondents about other approaches that have been utilized by boards to reduce risk through the director profile, and the majority of respondents cited "experience."
Reputational risk is a severe threat to all companies: large and small; public, private and not-for-profit. Yet, time and time again, responses from board members indicate that reputational risk is so broad in scope – highly impacted by other risks like financial, product, cyber and more – that it is difficult to sufficiently address and prepare for the various types of reputational threats. While companies are beginning to take the proper steps to prepare for a reputational crisis by having plans in place, providing training and employing an internal audit function, less than 50% of respondents feel they are "well-versed" in the issues.
"Board members have once again clearly identified many of their continuing concerns – cyber, reputation, strategy to name just a few. It is interesting to note that each of their concerns is impacted in a major way by the accelerating pace of change that all companies are experiencing. To fulfill their commitments to their stakeholders, board members need to understand this accelerating pace of change and ensure that their organizations are informed, educated and forward focused."
CHARLES WEINSTEIN, CPA
Chief Executive Officer, EisnerAmper LLP
6. Lessons from the Susan G Komen Planned Parenthood
8. Bill Berkrot, "New York health insurer hacked, over 10 million members possibly affected," Venture Beat online (September 9, 2015)