Private company board members are currently dealing with more risk than at any time in the history of the business landscape. That is a sentence that could be considered hyperbole, so if you don’t want to take it as face value, take it from Sue Buchanan, director of Kingsbury Inc., Neuco Inc. and ThermFlo|Zonatherm, who, when asked about some of the most prominent emerging risks currently facing boards, had a list at the ready.
“There’s operational risk, whether it’s sourcing or commercialization. There’s financial risk, whether it’s debt or liquidity. People and talent is a huge risk across all of our businesses. There’s external risk, whether geopolitical, inflation or recession issues. There’s strategic risk, with acquisitions and divestitures. And now there’s technology risk, such as cyber data governance, AI or ChatGPT. There are also critical regulatory compliance risks for private companies and private family companies.”

Where to start when dealing with such a laundry list of emerging risks? Well, to Guillermo Christensen, who serves as a partner in the national security practice of global law firm K&L Gates, and is also copresident and cofounder of the Private Directors Association D.C. Metro Chapter, the key is to have board members with the ability to break down the risks and opportunities for their counterparts in management.
“I’ve been on a couple sides of these risks and opportunities – and every risk is an opportunity. This is the yin and the yang of all these things,” says Christensen. Relating the communication between directors and management to his time as an intelligence officer explaining risk to U.S. policymakers, he says, “We have to try and anticipate risks to that we can provide as much time as possible to make reasoned judgments. You have to contextualize the risk to be useful to the audience.”
One of the most valuable roles of a director is their ability to anticipate and predict the risks that may affect their companies. In her time as a director and as a CFO for companies such as Carus Group and Nalco Water, Buchanan established a risk management process for monitoring issues that could have a deleterious impact. The process focused on understanding the strategy and value of the company, identifying the relevant risks related to those factors, assessing which risks are most likely to happen and then determining what your response would be should the worst-case scenario take place.
“What’s the mitigation actions for those risks? Can you avoid them? Can you accept them? Can you insure against certain things? But understand what those risks are and how you are going to take responsive action.”
Traditionally, perhaps, private companies have been a bit more insulated from international goings-on than public companies, but, according to Christensen, one of the most prominent risks facing private companies today stems from the world stage.
“When I think of the emerging risks that most of us need to worry about today, I’m thinking about geopolitical risks and then regulatory risks. They are very poorly controlled risks. There’s not a whole lot you can do. But what you have to do is figure out whether they have an impact on your business and what’s the narrative on that. For instance, how many of us have thought about what happens if tomorrow or next week the United States and China grossly miscalculate and begin a small war in the Pacific that happens to take out most of the chip production in Taiwan?”
“Same thing with Russia,” continues Christensen. “There are many scenarios that can spin out of Russia, and if they have an impact on your business you need to know exit points. You need to think through what those impacts are. And for most of us, that’s not something you can do just by reading the newspaper.”
Another risk that rises to the top for Christensen is cybercrime, with the increasingly digital economy putting many private companies in danger. He recommends that private company boards be in discussions on the risks of reducing or elevating their level of cybersecurity as well as figuring out the likely sources of the threats.
“From the perspective of figuring out how those risks should be handled, understanding how those risks have manifested themselves in your competitors is very important. You want to learn from someone else’s bad experience as much as you can.”
One of those lessons learned, as Christensen found out when consulting with a client on a simulated cyberattack, is making sure that you keep your cybersecurity instant response plan in an accessible place.
When role-playing a crisis for training, Christensen noted that he and his team “try to prepare people some surprises, so we say ‘Okay, this is started. Your systems are down. What do you do?’ And someone from the client says, ‘We’ve got an instant response plan.’ And I say, ‘Good, where is it?’ And they say, ‘It’s on my computer.’”