The results of the 13th annual survey of emerging risks from the Canadian Society of Actuaries, conducted in November 2019, came out in March 2020. The report found that pandemics/ infectious diseases was third in the list of undervalued risks. Climate change was the top risk identified by 16% of the respondents and 8% made cyber the fourth current risk. Mind you these are actuaries and it is their whole entire business to assess risks accurately.
In the UK, an analysis by Mactavish found that of the annual reports of FTSE 100 companies published in the calendar year 2019, only 13 referenced pandemic or epidemic risks as material to their business.
But we are all wiser at the end of 2020, a year of non-stop lessons which finally make us see why hindsight is 2020 (ok, bad joke!).
Aren’t we? Let’s recap.
There is, of course, the continuing Covid19 pandemic. Towards the end of the year the SolarWinds cyber catastrophe took the wind out of many a sail — from government departments to Fortune 500 companies which should all be now asking some questions sharpish. A gargantuan iceberg — about 95 miles long and 30 miles wide at its widest point and 500-600 feet underwater — that had been moving since 2017 threatened to come to a halt in a pristine Antarctic wildlife sanctuary.
While it has not yet come to pass forcefully, the emergence of the so-called new permanent universal owners could change the goalposts on stewardship, early research suggests.
What risk conversations should boards have in 2021?
Based on the lessons I have drawn from 2020 here is what I think boards need to put on their strategic agenda for 2021:
Prioritise wellbeing. Boards’ fiduciary duty of care extends to covering employee, executive and director wellbeing. At the time of writing on 5 January 2021 – the UK is under a fresh lockdown for the next 7 weeks which will further exacerbate mental wellbeing even as we all continue to try and work. It is doubly tricky to seek assurances on wellbeing issues while the organisations we oversee are working in distributed mode under a variety of highly personal stresses. Further the Mental Health (Discrimination) Act 2013 makes it a discriminatory act to remove a director from their job on grounds of mental health. At the same time there may be risks arising from an affected employee or director’s capacity to work or any misconduct arising.
Think compound risk. Risk registers have to change to track risks not as standalone but as compound risks. Risk conversations should consider additional challenges (economic, political, social, natural) that may weaken the organisation, slow the pace of recovery, precipitate other risks, and interact with one another to cause bigger damage than single risk factors let us imagine.
A ripe example is climate change. Melting glaciers may unleash new diseases and, who knows, new pandemics — and ensuing economic and social disruption, if our response to Covid19 is anything to go by. Experts warn us that extreme weather events are occurring more often which will impact sectors such as insurance directly but almost certainly cause economic and social disruption. Other joys of melting arctic ice include release of pollution and nuclear waste.
For any operating business, climate change risk can feel remote but it is also very real and material. Board room discussions need to get wise to compound risk discussions and not just to assess the risks of climate change.
ESG is not a nice-to-have but a need-to-have in how we do business. The investor landscape is changing — from millennial investors — the leading adherents of the sustainable-investing boom that has gripped asset-managers are those aged 24-39 — to the new permanent universal owners (as outlined earlier). Milton Friedman’s fifty-year legacy regarding shareholder capitalism was examined and challenged, and reforms proposed at some length in 2020.
With this trend gaining strength, boards need to get savvy urgently about ESG as the embedded way of doing business — a hygiene factor quite different from the lipstick of CSR which was prevalent some years ago. This requires altogether different questions to be asked of executive teams and of strategic plans.
Prioritise cyber risk conversations and build cyber resilience. One big lesson 2020 left us with was that businesses and organisations that were “online” did much better than those that weren’t. Think ASOS v TopShop. This also meant cybersecurity was revealed as the Achilles’s heel for the very same businesses as the UK higher education sector discovered at the start of the last academic term.
Understanding cyber risk is no longer an optional extra. Cyber risk is not an overhead but a risk threaded throughout our technology-enabled organisations. Building cyber resilience is essential for us to understand how to protect our business models, our customers, crucial business and personal data we may hold, our proprietary information such as source code and other IP, and essential infrastructure (yes, at national level too).
Rethink the composition of your risk committee. There is growing conversation that every board should have a climate change expert on it. While that may seem excessive to some, it is entirely feasible to source good specialist advice, use toolkits such as the one developed by Chapter Zero, and nominate a specialist co-opted member to the risk committee.
Not just with climate change expertise though (see cyber security and wellbeing above, for instance).
Commit to meaningful action on inclusion. Boards cannot afford the dangers of groupthink now, not least because businesses are at risk of losing senior women leaders, the impact of which on board talent pipelines may take a while to emerge, but because of the growing complexity of risk and governance challenges.
Especially if we are to make our way out of the mess created by Covid19 (compounded by Brexit in the UK as succinctly summarised in this quote “The Covid-19 vaccine(s) will prove a shot in the arm for both the UK economy and its peers. But Brexit will be a shot in the foot,“), we need to learn to harness the true value of difference.
Does this look like your boardroom agenda in 2021?
*WWBD is a popular meme on the web and asks the question “what would Beyoncé/ Buddha/ Batman do?” Clearly none of them is applicable here and B stands for Boards.
(Disclaimer: These are my own views and do not reflect the views of the boards of JP Morgan US Smaller Co.s Investment Trust or Temple Bar Investment Trust or London Metropolitan University, where I serve as a non-exec director.)