The business and risk environment has changed dramatically over the past year, with greater geopolitical instability, surging inflation, and the prospect of a global recession added to the mix of macroeconomic risks companies face in 2023. The increasing complexity and fusion of risks unfolding simultaneously, and the increased interconnectedness of these risks up the ante for boards to have holistic risk management and oversight processes.
Drawing on insights from our latest survey work and interactions with directors and business leaders, we highlight nine issues here for boards to keep in mind as they consider and carry out their 2023 agendas.
Heading into 2023, developments in the war in Ukraine, tensions with China, supply chain disruptions, gas shortages in Europe, cybersecurity, inflation, interest rates, market volatility, trade tensions, and the risk of a global recession – combined with the deterioration of international governance – will continue to drive global volatility and uncertainty.
This environment will call for continual updating of the company’s risk profile and more scenario planning, stress testing of strategic assumptions, and analysis of downside scenarios. Leaders will need to assess the speed at which risks are evolving, their interconnectedness, the potential for multiple crises at the same time, and whether the company’s strategy is flexible enough to pivot. The proposed Resilience Statement for “750:750” public interest entities (PIEs with 750 or more employees and £750 million or more in annual turnover) becomes more relevant than ever.
Oversee management’s reassessment of the company’s processes for identifying and managing these risks and their impact on the company’s strategy and operations.
- Is there an effective process to monitor changes in the external environment and provide early warning that adjustments to strategy might be necessary?
- Is the company prepared to weather an economic downturn? Are stress tests sufficiently severe?
Help management keep sight of how the big picture is changing: connecting dots, thinking differently, and staying agile and alert to what’s happening in the world. Disruption, strategy, and risk should be hardwired together in boardroom discussions.
Challenge and question management’s crisis response plans.
- Are they robust, actively tested or war-gamed, and updated as needed?
- Do they include communications protocols to keep the board apprised of events and the company’s response, as well as to determine when/if to disclose matters internally and/or externally?
Make business continuity and resilience part of the discussion. Resilience is the ability to bounce back when something goes wrong and the ability to stand back up with viable strategic options for staying competitive and on the offense in the event of a crisis, such as ransomware, a cyberattack, or a pandemic.
Companies continue to navigate unprecedented supply chain stresses and strains with the ultimate goal of assuring supply – and survival. Amid ongoing supply chain turmoil, many companies are implementing efforts to address vulnerabilities and improve resilience and sustainability.
Boards should help ensure that management’s initiatives to rethink, rework, or restore critical supply chains are carried out effectively, such as:
- Updating supply chain risk and vulnerability assessments
- Diversifying the supplier base
- Re-examining supply chain structure and footprint
- Developing more local and regional supply chains
- Deploying technology to improve supply chain visibility and risk management
- Improving supply chain cybersecurity, including the security of software and service providers, to reduce the risk of supply chain compromises such as the SolarWinds and Kaseya incidents
- Developing plans to address future supply chain disruptions.
Importantly, are supply chain initiatives being driven by an overarching vision and strategy? Who is leading the effort, connecting critical dots, and providing accountability?
At the same time, boards need to sharpen their focus on the company’s efforts to manage a broad range of ESG risks in its supply chain. Such risks – particularly climate change and other environmental risks, and important “S” risks such as human rights, forced labor, child labor, worker health and safety, as well as diversity, equity, and inclusion (DEI) in the supply chain – pose significant regulatory and compliance risks as well as critical reputation risks for the company.
The increasing complexity and fusion of risks unfolding simultaneously requires a more holistic approach to risk management and oversight. At the same time, investors, regulators, ESG rating firms, and other stakeholders are demanding higher-quality disclosures – particularly on climate, cybersecurity, and other ESG risks – and about how boards and their committees oversee the management of these risks.
Given this challenging risk environment, many boards are reassessing the risks assigned to each standing committee. In the process, they are considering whether to reduce the number of major risk categories assigned to the audit committee beyond its core oversight responsibilities (financial reporting and related internal controls, and oversight of the internal and external auditors) by transferring certain risks to other committees or potentially creating a new committee.
The challenge for boards is to clearly define the risk oversight responsibilities of each standing committee, identify any overlap, and implement a committee structure and governance processes that facilitate information sharing and coordination among committees. While board committee structure and oversight responsibilities will vary by company and industry, we recommend four areas of focus:
- Recognise that rarely does a risk fit neatly in a single, siloed risk category. While many companies historically managed risk in siloes, that approach is no longer viable and poses its own risks.
- Does the audit committee have the time and members with the experience and skill sets necessary to oversee areas of risk (beyond the committee’s core responsibility) that the audit committee has been assigned – such as cybersecurity, data privacy, supply chain, geopolitical, climate, and other ESG-related risks – as well as the adequacy of management’s overall ERM system and processes?
- Do other board committees have the time, composition, and skill set to oversee a particular category of risk? Is there a need for an additional committee, such as a technology, sustainability, or risk committee? Is there a need for new directors with the skill sets or experience to help the board oversee specific risks? There are now six ESG committees in the FTSE150, plus many other committees described as corporate responsibility, responsible business, sustainability, or environment and communities committees.
- Identify risks for which multiple committees have oversight responsibilities, and clearly delineate the responsibilities of each committee. For example, in the oversight of climate and other ESG risks, the nomination, remuneration, and audit committees likely each have some oversight responsibilities. And where cybersecurity oversight resides in a technology committee (or other committee), the audit committee may also have certain responsibilities. To oversee risk effectively when two or three committees are involved, boards need to think differently about how to coordinate committee activities. For example, some boards have established a new board committee composed of a member of each standing committee to oversee management’s preparation of the company’s ESG disclosures – including sustainability reports and other ESG publications – for quality and consistency with strategy, as well as consistency across the company’s various ESG reports and publications. Also see On the 2023 audit committee agenda.
Essential to effectively managing a company’s risks is maintaining critical alignments – of strategy, goals, risks, internal controls, incentives, and performance metrics. Today’s business environment makes the maintenance of these critical alignments particularly challenging. The full board and each standing committee should play a key role in helping to ensure that (from top to bottom) management’s strategy, goals, objectives, and incentives are properly aligned, performance is rigorously monitored, and that the culture the company has is the one it desires.
How companies address climate change, DEI, and other ESG issues is viewed by investors, research and ratings firms, activists, employees, customers, and regulators as fundamental to the business and critical to long-term value creation. At a time of low trust in government and institutions, corporations are being asked to do more to solve societal problems – or run the risk of losing the social license to operate.
The media has reported that several US states have banned their pension fund managers from incorporating ESG factors into investment decisions, and that others have blacklisted asset managers for allegedly boycotting the fossil fuel industry. Even so, greater focus on how directors have regard to a wider group of stakeholders is likely here to stay, as many investors, research and ratings firms, activists, employees, customers, and regulators will continue to view ESG issues as fundamental to long-term value creation.
The ESG issues of importance will vary by company and industry. For some, it skews towards environmental, climate change, and emission of greenhouse gases. For others, it skews toward DEI and social issues.
- How is the board helping to ensure that these issues are priorities for the company, and that the company is following through on its commitments?
- How is the company embedding these issues into core business activities (strategy, operations, risk management, incentives, and corporate culture) to drive long-term performance?
- Is there a clear commitment and strong leadership from the top, and enterprise-wide buy-in? Are there clear goals and metrics?
- Is management sensitive to the risks posed by greenwashing?
Demands for higher-quality climate and other ESG disclosures should be prompting boards and management teams to reassess and adjust their governance and oversight structure relating to climate and other ESG risks – and to monitor regulatory developments in these areas. In this paper we have outlined five key initiatives and requirements on the horizon, with details on when they are likely to come into force, who’s in scope, what the regulations cover, and what you should do now to prepare.
Social and political issues are moving front and center in the boardroom as employees, customers, investors, and stakeholders sharpen their scrutiny of a company’s public positions – or silence. When should a CEO speak out on controversial issues, if at all, and what are the potential consequences?
Consider what role the board should play in establishing parameters for the CEO as the voice of the company. Some boards have written policies; others have an informal understanding that the CEO will confer with the board chair before speaking on a controversial issue. Some companies have cross-functional management committees to vet issues on a case-by-case basis to determine when speech is appropriate.
Directors and business leaders we spoke with identified a number of criteria or considerations for determining whether or not the CEO should speak out on highly charged social and political issues:
- Is the issue relevant to the company and its strategy? Is it in alignment with the company’s culture, values, and purpose?
- How will speaking out resonate with the company’s employees, investors, customers, and other stakeholders? In a tight labor market, employees often choose where to work based on company values, including its willingness to speak out on certain issues, such as DEI.
- Speaking out can be as powerful as not speaking out on certain issues. How do the CEO and the board come to terms with that ambiguity and risk, and weigh the consequences of speaking out or not?
- As the views of stakeholders are not uniform, how should CEOs and companies manage the inevitable criticism of their choice to speak or not speak? Having felt the backlash of speaking out on social/political issues, some companies have adjusted their approach to take action without trumpeting what they’re doing.
- Make sure that the company’s lobbying is aligned with its speech.
Cybersecurity risk continues to intensify. The acceleration of AI and digital strategies, the increasing sophistication of hacking and ransomware attacks, the war in Ukraine, and ill-defined lines of responsibility – among users, companies, vendors, and government agencies – have elevated cybersecurity risk and its place on board and committee agendas.
Boards have made strides in monitoring management’s cybersecurity effectiveness. For example, some have greater IT expertise on the board and relevant committees (although that expertise is in short supply). Other efforts include company-specific dashboard reporting to show critical risks and vulnerabilities; assessing cybersecurity talent; weighing vulnerabilities and emerging threats; war-gaming breach and response scenarios; and discussions with management on the findings of ongoing third-party risk assessments of the company’s cybersecurity program. Despite these efforts, the growing sophistication of cyber-attacks points to the continued cybersecurity challenge ahead.
Boards should monitor regulatory developments such as the SEC’s proposal on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, as well as management’s preparations to comply. The SEC rule proposal would, among other things, require a material cybersecurity incident to be reported within four business days of the company determining that it is material (a point at which relevant information may not yet be available), would not allow delayed reporting for incidents subject to law enforcement or national security investigations, and would require disclosure of the board’s cybersecurity expertise. Final SEC action on the proposed rule is expected in the spring of 2023.
While data governance overlaps with cybersecurity, it’s broader and includes compliance with industry-specific privacy laws and regulations, as well as privacy laws and regulations that govern how personal data – from customers, employees, or vendors – is processed, stored, collected, and used.
Data governance also includes policies and protocols regarding data ethics – in particular, managing the tension between how the company may use customer data in a legally permissible way and customer expectations as to how their data will be used. Managing this tension poses significant reputation and trust risks for companies and represents a critical challenge for leadership. To oversee cybersecurity and data governance more holistically:
- Insist on a robust data governance framework that makes clear what data is being collected, how it is stored, managed, and used, and who makes decisions regarding these issues.
- Clarify which business leaders are responsible for data governance across the enterprise – including the roles of the chief information officer, chief information security officer, and chief compliance officer.
- Reassess how the board – through its committee structure – assigns and coordinates oversight responsibility for the company’s cybersecurity and data governance frameworks, including privacy, ethics, and hygiene.
An increasingly critical area of data governance is the company’s use of AI to analyse data as part of the company’s decision-making process. Boards should understand the process for how AI is developed and deployed. What are the most critical AI systems and processes the company has deployed? To what extent is bias – conscious or unconscious – built into the strategy, development, algorithms, deployment, and outcomes of AI-enabled processes? What regulatory compliance and reputational risks are posed by the company’s use of AI, particularly given the global regulatory focus on the need for corporate governance processes to address AI-related risks, such as bias and privacy? How is management mitigating these risks?
Many directors may be uncomfortable with responsibility for overseeing AI risk because of their lack of expertise in this area. But, boards need to find a way to exercise their supervision obligations, even in areas that are technical, if those areas present enterprise risk, which is already true for AI at some companies. That does not mean that directors must become AI experts, or that they should be involved in day-to-day AI operations or risk management. But directors at companies with significant AI programs should consider how they will ensure effective board-level oversight with respect to the growing opportunities and risks presented by AI.
Most companies have long said that their employees are their most valuable asset. COVID-19; the difficulty of finding, developing, and retaining talent in the current environment; and an increasingly knowledge-based economy have highlighted the importance of talent and human capital management (HCM) – and generated the phenomenon of employee empowerment – causing many companies and boards to rethink the employee value proposition.
While the most dramatic change in the employee value proposition took place during the pandemic, employee empowerment hasn’t abated, and employees are demanding fair pay and benefits; work-life balance, including flexibility; interesting work, and an opportunity to advance.
They also want to work for a company whose values – including commitment to DEI and a range of ESG issues – align with their own.
In 2023, we expect continued scrutiny of how companies are adjusting their talent development strategies to meet the challenge of finding, developing, and retaining talent amid a labor-constrained market. Does the board have a good understanding of the company’s talent strategy and its alignment with the company’s broader strategy and forecast needs for the short and long term? What are the challenges in keeping key roles filled with engaged employees? Which talent categories are in short supply and how will the company successfully compete for this talent? Does the talent strategy reflect a commitment to DEI at all levels? As millennials and younger employees join the workforce in large numbers and talent pools become globally diverse, is the company positioned to attract, develop, and retain top talent at all levels?
In addition to monitoring global developments, boards should discuss with management the company’s HCM disclosures in the Annual Report and Accounts – including management’s processes for developing related metrics and controls ensuring data quality – to help ensure that the disclosures demonstrate the company’s commitment to critical HCM issues. HCM will likely be a major area of focus during the 2023 proxy season, given the high level of investor interest in the issue.
Pivotal to all of this is having the right CEO in place to drive culture and strategy, navigate risk, and create long-term value for the enterprise. The board should help ensure that the company is prepared for a CEO change – whether planned or unplanned, and whether on an emergency interim basis or a permanent one. CEO succession planning is a dynamic, ongoing process, and the board should always be focused on developing a pipeline of C-suite and potential CEO candidates. Succession planning should start the day a new CEO is named.
How robust are the board’s succession planning processes and activities? Has the succession plan been updated to reflect the CEO skills and experience necessary to execute against the company’s long-term strategy? In many cases, those strategies have changed over the last two years. Are succession plans in place for other key executives? How does the board get to know the high-potential leaders two or three levels below the C-suite?
Given the intense investor and stakeholder focus on executive pay and director performance, as well as climate risk, ESG, and DEI, particularly in the context of long-term value creation, engagement with shareholders and stakeholders must remain a priority.
Institutional investors and stakeholders are increasingly holding boards accountable for company performance and are continuing to demand greater transparency, including direct engagement with independent directors on big-picture issues like strategy, ESG, and compensation. Indeed, transparency, authenticity, and trust are not only important to investors, but increasingly to employees, customers, suppliers, and communities – all of whom are holding companies and boards to account.
The board should request periodic updates from management about the company’s engagement activities:
- Does the company know, engage with, and understand the priorities of its largest shareholders and key stakeholders?
- Are the right people engaging with these shareholders and stakeholders – and how is the investor relations (IR) role changing?
- What is the board’s position on meeting with investors and stakeholders? Which independent directors should be involved?
In short: Is the company providing investors and stakeholders with a clear picture of its performance, challenges, and long-term vision – free of greenwashing? Investors, other stakeholders, and regulators are increasingly calling out companies and boards on ESG-related claims and commitments that fall short.
Strategy, executive compensation, management performance, climate risk, other ESG initiatives, DEI, HCM, and board composition and performance will remain squarely on investors’ radar during the 2023 AGM season. We can also expect investors and stakeholders to focus on how companies are adapting their strategies to address the economic and geopolitical uncertainties and dynamics shaping the business and risk environment in 2023. Having an “activist mindset” is as important as ever.
Boards, investors, regulators, and other stakeholders are increasingly focused on the alignment of board composition – particularly director expertise and diversity – with the company’s strategy.
Indeed, the increased level of investor engagement on this issue points to the central challenge with board composition: Having directors with experience in key functional areas critical to the business while also having deep industry experience and an understanding of the company’s strategy and the risks to the strategy. It is important to recognise that many boards will not have “experts” in all the functional areas such as cybersecurity, climate, HCM, etc., and may need to engage outside experts.
Developing and maintaining a high-performing board that adds value requires a proactive approach to board-building and diversity – of skills, experience, thinking, gender, ethnicity and social background. While determining the company’s current and future needs is the starting point for board composition, there is a broad range of board composition issues that require board focus and leadership – including succession planning for directors as well as board leaders (the chair and committee chairs), director recruitment, director tenure, diversity, board and individual director evaluations, and removal of underperforming directors.
Board composition, diversity, and renewal should remain a key area of board focus in 2023, as a topic for communications with the company’s institutional investors and other stakeholders, enhanced disclosure in the Annual Report and Accounts, and most fundamentally, positioning the board strategically for the future.
The KPMG Board Leadership Centre
The KPMG Board Leadership Centre offers support and guidance to non-executive directors, whether managing a portfolio non-executive career or embarking on a first appointment.