Risk? What Risk?

A new study shows that boards overestimate their organizations’ ability to manage risk—in every category.

There’s a fine line between confidence and overconfidence, and based on a new study, board members may have crossed it when it comes to understanding risk management.

Indeed, the report, from the Institute of Internal Auditors, found that directors missed the mark in a sweeping set of categories, including cybersecurity, data protection, and crisis response. In all, the report looked at 11 categories—and found that directors judged their organizations better equipped than management did to handle risk in all of them.

“You would think there would be some areas where boards would be inherently skeptical of their organizations’ readiness,” says Richard Chambers, president and CEO of the institute. “The results suggest they are a little more trusting of management than perhaps they should be.”

The importance of this disconnect is hard to overstate, especially in an age when a single privacy breach can upend an entire Fortune 500 firm. Yet CEO tenure is shrinking, which means more boards are working with a CEO they chose themselves, and experts say boards tend to trust CEOs they hire more than those they inherit. Relatedly, since CEOs tend to favor optimism over transparency when reporting a situation to the board, directors may be taking them at their word instead of digging deeper. “When talking to the boss, you paint the best picture,” Chambers notes.

Amelia Stubbs, a senior client partner who leads Korn Ferry’s Global Risk and Control practice, says another factor is that many boards still lack the breadth and depth of expertise to adequately address the increasingly complex risks their organizations face. She says boards remain too dependent on management to distill strategic and operational risks to the business. “Directors need the ability to engage, but very few boards have someone sitting on them who grew up in risk.” Instead, risk assessment is typically outsourced, either to a consultancy or to an executive with a business background who is hired into a risk-officer-type role.

That’s particularly true when it comes to more abstract risks, like talent management, that aren’t imminent threats but can develop into major issues over time. As Chambers says, talent management and retention are at the center of future concerns, but boards tend not to hold management accountable for long-term risks. The same can be said for environmental and social-impact risks. The overarching business lesson of 2019 was that consumers, employees, and investors now hold organizations accountable for their values and purpose as much as for their financial performance.

The report’s most concerning finding, however, is that boards consider a degree of misalignment with management around risk to be both natural and acceptable. While a majority of respondents said that misalignment on risk perception should be expected, Chambers calls it a serious concern that could create weaknesses in an organization.

Misalignment goes hand in hand with misinformation, and inevitably leads to finger-pointing when things go wrong. Michael Franzino, president of Korn Ferry’s Global Financial Services practice and a member of the firm’s Global Operating Committee, says that boards need to ensure they are getting a holistic view of risk so that they can provide management with the right guidance to make decisions. He says boards need to evolve their makeup to address gaps in knowledge and competency related to the business so that directors can not only provide insight but also challenge management on decisions related to particular functions. Risk committees should be independent and given proper resources to conduct strategic due diligence when necessary, he adds.

In the event that something goes wrong, Franzino says, “where was the board?” is a question you don’t want asked.