Concerns About Risks Confronting Boards

In EisnerAmper’s 2011 Board of Directors Survey, directors indicated that, together with financial risk, which has been so clearly demonstrated by the Great Recession and the fragile recovery, their company's reputation is paramount and is subject to threats from known and unknown sources. Survey respondents identified key concerns about risks.

The following Executive Summary outlines the results, and MCC readers are invited to read the full report to understand more about the concerns of board members. Trends can be picked up from results, and the report may be useful for readers to benchmark these results against the reality they experience on their own boards. The authors welcome comments, and email contact information is provided below.

Executive Summary

Last year, reputational risk overtook regulatory compliance risk as a primary concern for boards. This year, directors reinforced that belief, with 66 percent stating that reputational risk is most important after financial risk. Regulatory compliance risk was not far behind, and 59 percent cited it as most important. Clearly Dodd-Frank is a major issue.

Although the JOBS Act was not considered by respondents at the time of this survey, its components likely will increase regulatory risk down the road. The Affordable Care Act is another key issue, and healthcare reform risk will persist as a concern no matter how the issue is resolved by the Supreme Court.

However, concerns about reputational risk are placed in proper perspective only when due consideration is given to closely related issues, such as IT risk, product risk, outsourcing risk, privacy and data security, crisis management and risk due to fraud, which all were mentioned as being of significant concern. When viewed as a whole, the concept of reputation is top-of-mind among directors.

Whether the economy is in recession or recovery, the concept of growth is always a concern in the boardroom, as is evidenced by a 20 percent leap from last year’s results in directors citing internal growth and expansion as the number-one opportunity for their companies.

IT alignment to business goals is clearly a C-suite issue. With an increased appetite to invest internally as the recovery picks up speed – and with the advent of new systems' demands springing from risky new ventures into social media, cloud computing and mobile technology – directors not surprisingly identified IT issues as a key concern.

The internal audit (IA) function is receiving significant attention from boards, with almost two-thirds of respondents stating that their companies will consider enhancing their in-house IA staffs and/or increasing audit coverage. What remains to be determined, and what management will have to come to grips with, is the proper mix of IA resources. These complex issues call for skill sets and experience not always found within the company; thus, outsourcing or co-sourcing strategies seem to be an option.

About The Research

EisnerAmper LLP's third annual Board of Directors Survey was designed to gain insight into the risks being discussed in American boardrooms. The directors were polled via a web-based survey, and results were sent to the EisnerAmper database, with related assistance from the National Association of Corporate Directors (NACD).[1]

The survey consisted of a series of open-ended questions and was conducted during the months of October 2011 through February 2012. It measures the opinions of 193 directors serving on the boards of publicly traded and private companies.

Of the respondents surveyed, more than two-thirds serve on audit committees, while half sit on either or both their nominating and compensation committees. Seventy percent serve on public boards, and almost half serve on private or nonprofit boards. Respondents serve on boards across a variety of industries, including 30 percent in the financial sector, 19 percent in the technology sector and 18 percent in the consumer sector.

Readers are directed to the complete report for a detailed presentation of responses. Confirming the trend revealed in last year’s Annual Concerns report, reputational risk was again identified as being of most concern, with regulatory risk again ranked second.

According to EisnerAmper audit partner Steven Kreit:

Directors' views concerning the importance of reputational risk are coming together. What's emerging is a broader view of what reputation risk entails, and it's instructive to consider their opinion of its scope. As a benchmarking exercise, it also might be of real value for readers to think about reputational risk as comprising operational and human elements – as each has its own set of mitigation strategies. In that way, when boards are thinking about reputational risk, they can more easily categorize them as including, on one hand, product liability, outsourced networks, privacy and data security and, on the other hand, fraud, customer relations and crisis management.

How Are Boards Addressing Identified Risks?
A Summary Of Survey Questions

Aside from financial risk, what areas of risk managament are most important to boards? Discussion includes core reputational and regulatory risks, along with associated risks in the areas of CEO succession, IT, crisis management, privacy and data security, fraud, outsourcing and tax strategies.

What are the top three types of reputational risks? Discussion of product quality, liability and customer satisfaction; concerns about integrity, fraud, ethics and the FCPA; IT security; regulatory compliance; public perception; and environmental issues.

In the current risk environment, are boards using internal audit (IA) to address identified risks? Comments are presented on the use and composition of the IA function, including the finding that 80 percent of respondents are turning to their IA departments to help address identified risk.

Are boards proposing changes to the IA function? Directors want more out of their IA function, which is a good sign as IA budgets have been under pressure in recent years. The IA function needs to be multifaceted, aligned with corporate objectives and endowed with the resources required to deliver the insights that boards demand. Also explored are the pitfalls to which in-house IA functions are prone.

In what topics do board members have the most interest in gaining more knowledge? Directors want to learn about broad-based risk assessment, indicating a strong interest in keeping up-to-date on risk holistically. Regulatory concerns, cybersecurity, protecting reputation and aligning business goals to IT are among the topics covered.

Do CFOs have a strong understanding of these topics? These results are tied to the same topics mentioned in the prior question. Directors felt their CFOs had a stronger understanding of the creation of financial models, broad-based risk assessments and changes in tax compliance from new governmental regulations. The lower percentages assigned to cybersecurity and aligning business goals to IT may reflect the perception that those risks are not associated with CFO responsibilities.

How do boards rate concerns about potential upcoming regulatory actions? Findings regarding financial reform, mandatory audit firm rotation, lease accounting changes and other concerns are reflected by level of importance to boards.

Which areas of regulatory compliance risk are the primary concerns of boards? Results from the 2012 and 2011 surveys are compared on the topics of financial reform, accounting standards, Sarbanes-Oxley, healthcare reform, environmental, tax issues and energy legislation. One respondent made the connection between reputational risk and regulatory compliance risk this way: "Reputation is the most difficult to reestablish, and federal regulations are increasingly easy to violate without the intent to do so."

Does the current economic environment offer companies new investment opportunities versus last year? M&A or other asset acquisition remain viable growth strategies, whether in recessionary or recovering times, and there was a significant increase in respondents who identified other opportunities, including internal growth/expansion and the opportunity to invest in IT infrastructure. The latter particularly applies to the very real reputational risks associated with data breeches or misuse.

Michael Breit, EisnerAmper partner and cochair of Services to Public Companies, commented:

At the time directors were completing this survey, there was clear evidence that an economic recovery was taking hold, along with an anticipation that the currency shocks in Europe and the volatility of the equity markets was abating to some degree. Whether or not the recovery speeds up or remains tepid, it does appear to us that investment, including M&A, is a timely topic at the board level. This is particularly so, we believe, in the arena of reinvestment, where management's attention is being placed squarely on internal growth. Boards should be aware of this trend and become educated on how expanding internal capabilities might be a real momentum builder and an advantage with regard to a highly competitive marketplace for talent.

Risk Minimization Observations

The survey results enable EisnerAmper and its colleagues at the National Association of Corporate Directors to make several observations concerning the risks directors face in the boardroom.

Comments from EisnerAmper

Reputation risk is top-of-mind but is difficult to address because it is so broadly defined. Components include operational issues, such as product liability, succession planning and IT systems as well as issues involving the actions of people, such as fraud or lack of training. Awareness seems to be the key, and vigilance in addressing threats is a constant.

Regulatory compliance risk is local, national and global. Having the necessary resources to keep up with regulations, to understand their impact and timeliness and to create affirmative defenses, is expensive and time-consuming yet absolutely critical.

The requisite skills to avoid or mitigate internal controls risk (including audit and IT, for example) may not adequately reside within many companies. This skills gap can be dangerous and also can be answered by a risk management plan that should include a cost/benefit analysis of outsourcing or co-sourcing.

The nature and composition of boards is changing. Where will the "risk portfolio" reside in tomorrow's boardroom: within the audit committee, among a new risk management committee or as the responsibility of the whole board? One sure thing is that this question will be on the agenda of most boards.

Comments from NACD

NACD's annual surveys of directors show "risk oversight" as a growing concern for directors. In 2011 and 2010, it was the third most important issue after strategy and performance for public company directors. This was up from a number six position in 2009 and a number 18 position in 2006. This highly focused EisnerAmper survey of 2012 sheds light on what risk issues are most important within risk oversight. In our view, the survey brings to light three very significant and positive findings:

First, we learn that reputational risk ranks more highly than regulatory compliance risk. This is good news, because it shows the "value focus" of today's directors. It is well-known that reputation – also known as goodwill in post-merger accounting rules – can account for up to 80 percent of a company's value in the equity marketplace.

Another important finding is the focus on internal growth rather than growth via acquisition, and on internal control as part of that focus. As the survey report wisely notes, "In a recovering economy, repairing the house you live in is timely and prudent." Investment in the internal audit function is money well spent.

Finally, we find it very encouraging to see survey respondents willingly identifying areas where they desire more education, starting with broad-based risk assessment, which was identified by three in four respondents as an area for more learning.