EisnerAmper’s Sixth Concerns About Risks Confronting Boards Report Highlights Threats from Social Media and Cybersecurity
“Risk and No Action” a Troubling Theme
EisnerAmper LLP today released the results from its sixth Concerns About Risks Confronting Boards survey. The consistent trend, over all the surveys, is that reputational risk ranks as the top concern. Seventy-five percent of board members consider it of ‘Most Concern’ – its highest percentage ranking in three years.
However, as Charly Weinstein, EisnerAmper Chief Executive Officer, noted, “Because social media and cybersecurity are intrinsically linked to a company’s reputation and image, organizations and boards should consider both as among the most important risks to manage and monitor. With today’s media capable of capturing every crisis occurring within organizations, it is becoming increasingly evident how connected reputation, cybersecurity and social media are in relation to risk.”
Weinstein goes on to state, “The findings strongly reflect the accelerating pace of change facing directors. To fulfill their commitments to their stakeholders, board members need to ensure that their organizations are informed, educated and forward-focused.”
The survey results showed a broad trend of boards that identify risk – but take no action to manage that risk. While action may very well fall to those in the day-to-day operational roles, there seems to be little happening at the board level to encourage addressing the risks in a more comprehensive fashion. “Reputational risk is a severe threat to all companies, yet responses from board members indicate that reputational risk is so broad in scope – highly impacted by other risks like financial, product, cyber and more – that it is difficult to sufficiently address and prepare for the many types of reputational threats,” said Steven Kreit, an audit partner at EisnerAmper who has led the survey project since its inception.
Sample Survey Results
Social media is the current “wild west” of risks for boards. Shockingly, only six percent of boards feel as though they are well-versed in social media risk, and 67 percent of organizations are not engaging external consultants to monitor social media. The results indicate that boards may not fully understand the potential impact and harm social media can have on a company’s reputation.
Cybersecurity is the most recognized specific risk, emerging as a concern for 70 percent of respondents on public company boards. More than 95 percent of public companies either use internal audit or external auditors/consultants to monitor cyber risk. However, only 24 percent feel their boards are well-versed in understanding cybersecurity risk and another 10 percent feel that they are falling short of fully understanding the risk.
What issues cause the most concern today? The top four: Reputational Risk 75%, Cyber Security/IT Risk 61%, Regulatory Compliance Risk 53%, Senior Management Succession Planning 51%, with these rankings remaining generally constant over the past three years across public, private and not-for-profit boards.
Who Manages Risk in Corporate America
The survey addressed how well companies identify and address risk. 78 percent of public company directors said their firms employ personnel in an active internal audit function, and 71 percent say that internal audit has been helpful or very helpful in identifying risk. Further, 92 percent of board members say that regular board meetings address risk well or very well; 84 percent say that external auditors address risk well or very well; and 86 percent say that the legal and compliance group addresses risk well or very well.
While boards govern an organization and set strategy, management executes the strategy. The survey asked directors if they feel their CEOs have a strong understanding of topics related to risk. For the past three years, cyber and social have been the two areas where boards feel that CEOs are not managing as well as others. The trend continues this year with at least 25 percent of board members feeling that the CEO is not managing these issues well. Yet, they are also the two areas where boards feel CEOs should have more responsibility.
The survey concludes by noting that while companies are beginning to take the proper steps to prepare for a reputational crisis by having plans in place, providing training and employing an internal audit function, fewer than 50 percent of respondents feel they are “well-versed” in the issues.
The survey measures the opinions of directors serving on the boards of more than 300 publicly traded, private, not-for-profit, and private equity-owned companies across a variety of industries. Evaluations of the responses were also based on the organization’s revenue as well as a comparison of past year’s data. Directors were polled via a web-based survey, sent to select EisnerAmper contacts and members of the NACD Directorship database.