When asked by Deloitte Private managing director Bob Rosone what was high on the risk priority list for directors, Venita Fields, director of IMA Financial Group Inc. and Superior Group of Companies, had a simple answer: “Everything.”
Luckily, she was willing to elaborate.
“While cybersecurity risk is definitely here to stay, another significant risk is talent acquisition and retention. The power has shifted between labor and management,” says Fields, who also chairs the board of Lifespace Communities Inc. “Labor has a big say in not only compensation, but where they go and how and where they decide to work.”
Also on Fields’ list was supply chain risk, something that is near and dear to the heart of Karen Coombs, who along with being a director of both Southworth International and MassMEP is also VP of supply chain for Freight Farms and former director of supply chain for Amazon Robotics. She mentions our current geopolitical environment as well as our landscape of tariffs and regulations and asks, “How do those impact supply chain? Do you buffer for them? Do you replant? Do you onshore?”
James Mitchell Jr. serves as chair of Fora Financial as well as technology committee chair for the board. So, cybersecurity and technology are high on his list of risks. But the environment around capital allocation is also a major concern. In a time of high interest rates, he wonders about the effects of making poor capital allocation decisions.
“In the easy money days, when interest rates were 3%, you could get money, and if you screwed up, that’s not so bad,” says Mitchell, who is also a director of Horizon Blue Cross Blue Shield of New Jersey and Azuria Water Solutions. “Those easy money days are gone. So you must have a plan, and if senior management doesn’t spend enough time on that plan, and strategically it doesn’t work, the team has wasted corporate assets and a one-shot opportunity to grow the business.”
Mitchell says cybersecurity risk has greatly evolved over the last five years. And part of that evolution has been an increasing number of foreign bad actors and the exponentially rising cost of cyber breaches.
“Five years ago, it was a black swan event if the company lost $10 million. Now, cybersecurity breaches could be $20 million or higher cost to your business and hundreds of hours of management time if they don’t get it right,” says Mitchell. “It’s a big waste of corporate assets, and 25% of corporate boards don’t think it’s their priority.”
With the amount of risk related to cybersecurity, creating a risk-intelligent culture only becomes more important. It’s an effort that Fields says has to begin at the top of the company.
“It has to start at the top and work its way down. Every employee needs to understand how their actions may or may not put the company at risk,” says Fields. “It requires communication and lots of training. Once a year is not enough. Everyone needs frequent training and skin in the game.”
So, clearly there are a number of risks for boards to monitor. But who on the board should be doing the monitoring? Is it the audit committee? Fields says that, yes, it should be part of the audit committee’s mandate, but that ultimately it is the job of the entire board to look out for factors that can trip up the company.
“Every member of the board is accountable. When bad things happen and you’re front-page news, nobody asks, ‘Do you know what the audit committee failed to do?’” says Fields. “They just ask, ‘What did the board fail to do?’ So, ultimately, the entire board is responsible.”
She believes that the responsible committee should report out on prominent and emerging risks at least twice per year if not more frequently. The reporting could come from the audit committee, a specific risk committee or an ad hoc committee.
Fields notes that on the Lifespace board, where she currently serves as chair, she plans to schedule a quarterly or semiannual discussion of various risks and where they fall on a scale of red (indicating a major risk) to green (indicating a more mitigated risk). It’s an approach that Mitchell agrees with, even to the point of being a bit of an annoyance to his management teams.
“They are about completely sick of me. I put cybersecurity risk on the agenda every quarter. We discuss cyber risks and other key risks to the business over and over and over so they understand one or two risks can wreck shareholder value if we don’t get it right,” says Mitchell. “It sends a signal to the C-suite that they have to prepare all the risk heatmaps and they have to think about it. They have to go back to their staff: ‘OK, here comes James again. You know we’re going to talk about cyber and overall enterprise risk.’ So these discussions help define the culture of the firm as well.”
As Coombs says, part of mitigating risk is knowing which ones need to be zeroed in on now and which ones can be addressed later. To do otherwise would risk being overwhelmed by “200 different risks.”
“We’re going to have to say no to some things. We’re going to have to be OK to overlook some risks so that we can focus on those super critical,” says Coombs. “Knowing what those critical risks are and making sure we’re all thinking about them the same way allows us to be really laser-focused. And then when we get solid mitigation in place, perhaps those are the ones that can roll off — and then we can get on to the next one.”