Peter Bible, standing, discusses geopolitical risk.
“I put the future of risk in two buckets,” Bible said. “First, there are black swans. They are things that are embedded [in the business environment and society at large], and when they come to light they are so disruptive they are devastating. Brexit was embedded in the way people felt in the United Kingdom. Our own election was an upheaval of sentiment. The other thing is the butterfly effect where some movement somewhere around the world can disrupt what you’re doing. That’s how you have to think about geopolitical risk.”
Here, strategy and risk oversight can enable a company to better weather disruptions that arise from changes in a country’s leadership or regulatory agenda. As one director observed, part of the trick is to be able to look out on the horizon, realizing that it’s impossible to have the foresight to identify every disruptor that can threaten the business.
“Get to know the business unit heads,” one participant suggested. “It gives you a feel for what they think the strategic risks and opportunities are—it changes how the board is reacting to strategy and risk.”
“When we first approached enterprise risk management,” another participant offered, “the whole board owned risk management and we reached to an outside firm for help. When the firm interviewed management and the board, the risk factors each group identified didn’t match up. People view the world from where they sit. So, we sat down with management and developed a top ten list that we could all bite into. Reconcile the risks as best you can and figure out how to move forward.”
Lacking a well-rounded worldview can be especially damaging for multinational companies, which need to consider risks that are unique to each country in which they operate. “I think we in the United States don’t take time to understand how different countries operate both as a country and as a culture,” one director remarked. “Think about benefits for employees. Most of those countries have national healthcare, so automatically you have a different cost structure of how your business looks in that country. And that can either lower or raise your company’s risk profile. As you get into other parts of the world, the nuances are very different and sometimes we think the rest of the world operates as we do. That’s a part that we as a culture need to understand. Think global act local needs to be implemented more in corporate strategies.”
Bible then refocused the conversation to focus on how the current regulatory environment stands to create both risks and opportunities. “There is a deregulation movement underway and many businesses are hurt by this because they make their money based on current regulations. If 75 percent of the regulations that are currently on the books are going to come off, what does that do to your business model? What regulations do you depend on for progress?”
One participant brought up Uber Technologies as an ideal case in point. The taxi industry is heavily regulated; however, Uber is allowed to follow its own set of rules. Another participant observed that having a Federal Communications Commission chair with an anticompetitive stance is going to be highly disruptive for telecommunications companies. For example, some critics argue that removing some net neutrality protections will lead to companies having to pay fees to broadband providers for faster download speeds to ensure that their goods and services can easily reach consumers. This could be especially detrimental to startup telecommunications companies and smaller Internet service providers which don’t have the financial resources of larger, more established companies.
While regulation compliance can be expensive and time consuming, one attendee noted that not all regulations are bad. “Identify which regulations benefit you and your competitors; it’s a good inventory to have,” Bible said in closing. “A lot of things are on the table right now and the potential to have your business hurt by deregulation is definitely there.
Click here for highlights from the portion of this roundtable discussion that focused on the business implications of social media and artificial intelligence.
The rapid pace of technological advancements is causing tectonic shifts in the business risk landscape. Social media and artificial intelligence (AI) in particular are causing directors to reconsider how they think and talk about risk. Consequently, these topics were the focus of the first part of a roundtable discussion on the next generation of risk hosted by EisnerAmper LLP and the National Association of Corporate Directors (NACD) in New York last week.
There is an abundance of examples of companies that sustained severe reputational damage after being caught in the center of a social media storm. Most recently, credit reporting company Equifax made headlines after the company disclosed that it was the subject of a major data breach that compromised the information of roughly half of the U.S. population. The company’s offering of free credit monitoring to affected customers only made matters worse: several print and digital news outlets, including The New York Times, analyzed the terms of the offer, which suggested that by signing up for the service, a person relinquished his or her right to take legal action against Equifax. While the company later changed the legal language in another effort to assuage public concern, reestablishing its trustworthiness may be more of an uphill battle.
“Some of these things would have always been in the news, but the amount of time and the quickness with which news reaches an audience is unbelievable,” EisnerAmper Audit Partner Steven Kreit observed. “Boards need to make sure there’s a social media strategy throughout the company. Boards need to ask management what it has planned for and make sure they can react to those issues as they come up. It’s also important to have policies around social media. What is the CEO allowed to say? Are they allowed to have personal accounts and use that to disseminate company information?”
When attendees were asked if they knew their company’s social media policy backwards and forwards, few indicated that they did—but there was some debate as to how necessary this is. “I don’t think it’s appropriate for a board member to know the details of what the policy is,” one director opined. “What the board needs to know is that there’s a policy and that employees know what they can and cannot say about the company.”
Kreit agreed. “You don’t want to get too far into the weeds,” he said, “but a CEO may react to something in the middle of the night and that response may harm the company. And board members need to make sure the company doesn’t get hurt.”
While most of the discussion focused on preparing for the worst, one attendee observed that a company response plan that is effectively used to respond to negative feedback on social media can not only curb a damaging situation, but help to restore trust in the company.
Discussion then turned to AI. Here, some companies are ahead of the curve in applying technology that has the power to parse through massive amounts of data to make a determination about something. Take for example, IBM’s Watson, the supercomputer that famously competed on the game show Jeopardy!, facial recognition software and self-driving cars. Here, the risk is that AI is advancing so rapidly as a disruptor across nearly every industry. If a company isn’t paying attention now, the competition will leave it in the dust later. But AI is a broad subject area and identifying the elements that are most relevant to a board agenda—namely the risks—can initially seem daunting.
“These are conversations I rarely hear discussed around the boardroom table,” Kreit remarked. “And these are risks that keep changing.”
“An interesting exercise is to look at risk factors in public disclosures,” one attendee said. “We look at competitors and it’s easy to see what risks they are identifying in the same industry.”
“In the conversations I’ve had, it isn’t so much about whether the machine will do its own thing and crush humans as much as asking what fundamental technology are we not using to help us be more competitive and customer-focused,” one attendee offered. “The other thing is, technologists sometimes rely too much on technology. At some point, a human being has to put subjectivity in the mix to make sure the automated methodology you employed doesn’t come back and bite you. This conversation comes through the CISO [chief information security officer] on my board as well as the CTO [chief technology officer] together.” Another director remarked that these discussions take place on the audit committee level.
“It’s important to not think about technology and risk without it being an integral part of the strategy discussion,” another director piped in. “If it isn’t, I think it becomes an academic conversation and you’re walking ahead with one eye open and one eye closed.”
To this end, and in closing this portion of the roundtable, another attendee remarked on how board composition it critical in positioning the board to oversee this issue in the years ahead. “If you don’t have enough forward-looking people with experience from other industries, you’re doomed. Look at who you’re working with and have some sense of what you are [as an organization], what you want to be, and how you’re going to get there.”
Next week, the NACD Board Leaders’ Blog will feature roundtable discussion highlights that explore geopolitical and regulatory risks.