Boards can expect their oversight and corporate governance processes to be put to the test by an array of challenges in the year ahead. These include global economic volatility, the war in Ukraine, supply chain disruptions, cybersecurity risks, ransomware attacks, regulatory and enforcement risks, and social risks such as pay equity and a tight talent market.
The business and risk environment has changed dramatically over the past year, with greater geopolitical instability, surging inflation, and the prospect of a global recession added to the mix of macroeconomic risks companies face in 2023. The increasing complexity and interconnectedness of these risks up the ante for boards to have holistic risk management and oversight processes.
In this volatile operating environment, demands from employees, regulators, investors and other stakeholders for greater disclosure and transparency will continue to intensify.
Drawing on insight from our interactions with directors and business leaders, we have highlighted eight issues to keep in mind as boards carry out their 2023 agendas:
Despite upcoming geopolitical and economic risks such as the war in Ukraine, tensions in China, cybersecurity breaches, recession, inflation, fluctuating interest rates and trade tensions, the UAE economy has seen strong real gross domestic product (GDP) growth in 2022, which is also forecasted to prevail in 2023. Therefore, boards in the UAE governing companies with a regional and global footprint need to be mindful of all the relevant indicators impacting their operations.
Saudi Arabia and Iran have agreed to restore diplomatic ties after a seven-year rift, leading to political stability, direct foreign investment and other investment opportunities in the Middle East and the UAE. This environment will call for continual updating of companies’ risk profiles, more scenario planning, analyzing downside scenarios and stress testing strategic assumptions. Leaders will also need to assess the speed at which risks are evolving, their interconnectedness, the potential for crises simultaneity, and the flexibility of their companies’ strategies.
Boards should therefore oversee management’s reassessment of the company’s processes for identifying and managing these risks and their impact on strategy and operations. This includes ensuring an effective process to monitor changes in the external environment and provide early warning that adjustments to strategy might be necessary. Board leadership should also prepare the company to weather economic downturn by ensuring sufficient stress tests are in place. In addition, boards should help management think strategically and stay alert to changes in the external environment by establishing boardroom discussions around disruption, strategy and risk. Management’s crisis response plans should therefore be:
- Robust, actively tested, and updated as needed
- Inclusive of communication protocols to keep the board apprised of the company’s response to events, as well as to discuss internal and external disclosures
- Resilient in the event of a crisis such as ransomware, a cyberattack or a pandemic
Investors, regulators, ESG rating firms and other stakeholders are demanding higher-quality disclosures, particularly on climate, cybersecurity and other ESG risks. They also want to know how boards and their committees oversee the management of these risks.
Many boards are reassessing the risks assigned to each standing committee and are considering whether to reduce the major risk categories assigned to the audit committee beyond its core oversight responsibilities. This can include transferring certain risks to other committees or potentially creating a new committee.
The challenge for boards is to clearly define the risk oversight responsibilities of each standing committee, identify any overlap, and implement a committee structure and governance processes that facilitate information sharing and coordination among committees. While board committee structure and oversight responsibilities may vary by company and industry, KPMG experts have identified four areas for companies to focus on as they reevaluate their board’s structure and responsibilities:
- Recognizing that rarely does a risk fit neatly in a single, siloed risk category: while many companies historically managed risk in siloes, this approach is no longer viable and poses its own risks
- Ensuring the audit committee has sufficient time and capabilities to oversee assigned areas of risk that are beyond its core responsibility. This includes cybersecurity, data privacy, supply chain, geopolitical, climate and other ESG-related risks, as well as the adequacy of management’s overall ERM system and processes.
- Assessing the need for an additional committee, such as a technology, sustainability or risk committee, with the right composition and skill set to oversee a particular category of risk
- Engaging new directors with the necessary expertise and experience to help the board oversee specific risks: there has been an increasing trend in the UAE for having ESG board committees
Investors, research and ratings firms, activists, employees, customers and regulators view a company’s approach towards addressing climate change, IDE and other ESG issues as a fundamental aspect of its business, with critical implications for long-term value creation.
As the UAE plans to host the 28th United Nations Conference of the Parties (COP28) Climate Change Conference in November 2023, ESG is increasingly becoming an important topic in the country and region. Many organizations are now striving to demonstrate significant achievements in this area.
In addition to hosting COP28 this year, the UAE has implemented various initiatives, including the UAE Net Zero by 2050 strategic initiative, which aims to achieve net-zero emissions by 2050 and make the UAE the first Middle East and North Africa (MENA) nation to do so.
To ensure that ESG, IDE and climate risk issues are prioritized, it is important for board members to:
- Follow up on the company’s continuous commitment to the ESG agenda
- Embed these issues into core business activities such as strategy, operations, risk management, incentives and corporate culture to drive long-term performance
- Provide clear commitment, goals and metrics, along with strong leadership and enterprise-wide buy-in
- Establish management sensitivity to the risks posed by greenwashing
- Reassess and adjust their governance and oversight structure relating to climate and other ESG risks
- Monitor regulatory developments in these areas
Cybersecurity risk continues to intensify due to factors including the acceleration of AI and digital strategies, the increasing sophistication of hacking and ransomware attacks, the war in Ukraine, and ill-defined lines of responsibility among users, companies, vendors, and government agencies. This has made cybersecurity risk a priority on boards’ agendas, prompting them to make strides in monitoring management’s cybersecurity effectiveness. While some boards may have greater IT expertise (although it is in short supply), others may utilize company-specific dashboard reporting to show critical risks and vulnerabilities. Dashboard reporting can enable companies to assess cybersecurity talent, weigh vulnerabilities and emerging threats, war-game breach and response scenarios, and discuss the findings of ongoing third-party risk assessments of the company’s cybersecurity program with management teams.
The growing sophistication of cyber-attacks points to the continued cybersecurity challenge ahead. While data governance may overlap with cybersecurity, it is a broader concept that includes compliance with industry-specific privacy laws and regulations, as well as guidelines that govern the processing, storage, collection and use of personal data from customers, employees and vendors.
Data governance also encompasses policies and protocols regarding data ethics that manage the tension between a company’s legally permissible use of customer data and customer expectations of how their data will be used. Managing this conflict poses significant reputation and trust risks for companies and represents a critical challenge for leadership. The UAE has therefore issued various regulations to manage data governance, such as the new Federal Personal Data Protection (PDP) Law, Consumer Protection Regulation and related standards issued by the Central Bank of the UAE.
To oversee cybersecurity and data governance holistically, companies should take the following steps:
- Implement a robust data governance framework that clarifies what kind of data is being collected, how it is stored, managed and used, and who is responsible for these decisions
- Clarify the business leaders responsible for data governance across the enterprise, including the chief information officer, chief information security officer and chief compliance officer
- Reassess the board’s role in assigning and coordinating oversight responsibilities for the company’s cybersecurity and data governance frameworks, including privacy, ethics and hygiene
In addition, the company’s use of AI to analyze data as part of the company’s decision-making process is an increasingly critical area of data governance. Boards should understand how AI is developed and deployed, the most critical AI systems and processes the company has installed, and the extent to which conscious or unconscious bias is built into the strategy, development, algorithms, deployment and outcomes of AI-enabled processes. They should also consider the regulatory compliance and reputational risks posed by the company’s use of AI given the global focus on corporate governance processes to address AI-related risks such as bias and privacy.
While some directors may lack the expertise to oversee AI risks, boards need to find a way to exercise their supervision obligations. This involves obtaining support from subject matter experts in technical areas to provide them with the required insight and assurance. This does not mean that directors must become AI experts, or that they should be involved in day-to-day AI operations or risk management, but they should ensure effective board-level oversight of the opportunities and risks presented by AI.
In today’s increasingly knowledge-based economy, talent has become the most valuable asset for companies. Many organizations and boards are rethinking their employee value proposition (EVP) given the difficulty of finding, developing and retaining talent in the current market. This has also highlighted the importance of talent and HCM and generated the phenomenon of employee empowerment.
KPMG’s global survey of over 300 leaders in HCM has revealed that 61% of respondents agree a change in their EVP is necessary in response to the external labor market. HCM leaders also indicate that the most important elements of the EVP are culture, company values, purpose, fair pay and offering flexible working. The survey identified the following six focus areas for HCM in the future:
- Delivering strategic flow
- Integrating digital technologies
- Advancing analytics from insight to action, safely
- Building talent marketplaces to support agile growth
- Making the purpose of the organization real
- Prioritizing the wellbeing of employees
Employees also want to work for a company whose values – including commitment to IDE and a range of ESG issues – align with their own. As millennials and younger employees join the workforce, there has been an increasing demand for talent strategies that reflect companies’ commitment to IDE at all levels. Therefore, it is expected that organizations will face continued scrutiny in their talent development strategies in 2023, particularly in addressing challenges such as finding, developing and retaining talent amid a labor-constrained market. Boards must have a good understanding of the company’s talent strategy and its alignment with the business’s broader strategy and forecast needs for the short and long term. They should also consider factors such as talent shortages and global diversity to ensure the company’s key roles are filled with engaged employees.
The UAE government is currently concentrating on Emiratization. The Cabinet raised the approved Emiratization rates to 2% annually for skilled jobs in private sector organizations with 50 or more employees. This will enable the UAE to achieve an overall increase of 10% by 2026. The Ministry of Human Resources and Emiratization along with the Cabinet Secretariat are also working to measure indicators that monitor the implementation of the Emiratization agenda. Accordingly, boards should ensure that adequate strategies and initiatives are taken by their organizations to enhance Emiratization targets.
To ensure their annual report demonstrates the company’s commitment to critical HCM issues, boards should also discuss the company’s HCM disclosures with management teams. This includes management processes for developing related metrics and controls ensuring data quality. Moreover, having the right CEO to drive culture and strategy, navigate risk and create long-term value for the business is pivotal. The board should therefore ensure that the company is prepared for a CEO change on an emergency interim basis or permanently. CEO succession planning is a dynamic, ongoing process, and the board should be focused on developing a pipeline of C-suite and potential CEO candidates.
This can be achieved by establishing robust succession planning processes and activities and ensuring that the succession plan is updated to reflect the necessary CEO skills and experience for executing the company’s long-term strategy. Additionally, the board should have their plans in place for other key executives and be acquainted with high-potential leaders two or three levels below the C-suite.
Engagement with shareholders and stakeholders remains a priority for businesses given the intense investor and stakeholder focus on executive pay, director performance and ESG and IDE issues, particularly in the context of long-term value creation. Institutional investors and stakeholders are increasingly holding boards accountable for company performance and demanding greater transparency, including direct engagement with independent directors on big-picture issues like strategy, ESG and compensation.
Transparency, authenticity and trust are important to investors, employees, customers, suppliers and communities who are holding companies and boards accountable. Therefore, the board should request periodic updates from management regarding the company’s engagement activities, including:
- Identifying the priorities of its largest shareholders and key stakeholders
- Determining the right people to engage with these shareholders and stakeholders
- Understanding how the investor relations (IR) role is changing
- Considering which independent directors should be involved in meeting with investors and stakeholders
- Providing investors and stakeholders with a clear picture of the company’s performance, challenges and long-term vision
Globally, investors, stakeholders and regulators are increasingly calling out companies and boards on ESG-related claims and commitments that fall short. During the 2023 Annual General Meeting (AGM) season, investors will focus on strategy, executive compensation, management performance, climate risk and other ESG initiatives, IDE, HCM, and board composition and performance.
Boards, investors, regulators and other stakeholders are placing more emphasis on the alignment of board composition, particularly director expertise and diversity, with the company’s strategy. The increased level of investor engagement on this issue highlights the main challenge of board composition: finding directors with experience in key functional areas, deep industry knowledge, and an understanding of the company’s strategy and its associated risks. It is important to recognize that many boards may not have experts in areas such as cybersecurity, climate or HCM, and may need to engage with external experts.
Developing and maintaining a high-performing board that adds value requires a proactive approach to board-building and diversity. This includes diversity in skills, experience, thinking, gender, ethnicity and social background. While determining the company’s current and future needs is the starting point for board composition, there are several issues that require board focus and leadership including succession planning for directors and board leaders (the chair and committee chairs), director recruitment, director tenure, diversity, board and individual director evaluations, and removal of underperforming directors.
Board composition, diversity and renewal should remain a key area of focus for boards in 2023. It is fundamental to communicate with the company’s institutional investors and other stakeholders on this topic, enhance disclosure in the Annual Report and Accounts and, most importantly, position the board strategically for the future.
Many companies are continuously navigating unprecedented supply chain stresses and strains to assure supply and survival. They are implementing efforts to address vulnerabilities and improve resilience and sustainability.
It is important that boards ensure management teams are effectively rethinking, reworking and restoring critical supply chains. This includes:
- Updating supply chain risk and vulnerability assessments
- Diversifying the supplier base
- Re-examining the supply chain structure and footprint
- Developing more local and regional supply chains
- Deploying technology to improve supply chain visibility and risk management
- Improving supply chain cybersecurity to reduce the risk of data breaches
- Developing plans to address future supply chain disruptions
Finally, supply chain initiatives should be driven by an overarching vision and strategy, led by experts who can guide the efforts, connect critical dots and provide accountability. Boards also need to sharpen their focus on managing a broad range of ESG risks in the company’s supply chain. These risks include climate change and other environmental and social issues that can pose significant regulatory and compliance challenges, as well as critical reputational threats for the company.