Navigating the Pandemic: Risk Oversight Considerations From Fortune 500 Committee Chairs

As companies are still confronting the immediate challenges resulting from the crisis precipitated by COVID-19, boards are beginning to turn their attention to the potential aftershocks of the pandemic to help shape their organizations’ post-crisis strategy amid great uncertainty and continued turbulence. Second- and third-degree risks, such as the credit risks of a customer’s customers or a supplier’s suppliers, are only beginning to emerge, and companies have little time to adapt to this new wave of challenges. At the same time, boards are considering the longer-term implications and opportunities that may result from the pandemic.

NACD, along with PwC and Sidley Austin, recently convened 50 Fortune 500 risk and audit committee chairs for a virtual meeting of the NACD Risk Oversight Advisory Council. With representation across industries, many unique risks were surfaced, but common themes arose throughout the dialogue. And while the threat to employee health and safety and corporate performance remains acute, boards have begun to turn their attention to what comes next.

Deepen Your Understanding of New Ecosystem Risks

One delegate pointed out that now, more than ever, it is important to know and understand your company’s entire ecosystem. When considering supply chains, employees, communities, and customers, boards should ensure that management is thinking not only about direct risks, but also about risks that are two or three degrees removed.

Supply-chain risk received particular focus in the discussion. For example, while a company may have set up a payment structure with a customer, what happens if that customer’s customers stop paying? Is your customer’s risk-management program effective? Is the company prepared for taking on that risk?

While the pandemic crisis remains the major focus of directors, cyber risk has emerged as a prevalent secondary and related risk. Attendees noted that boards must engage with management to understand how the threat landscape has changed, particularly in the unexpected remote work environment that traditional security controls were not designed to protect. Additionally, with increased phishing attempts, schemes around transferring funds, and other risks that arise in the remote work environment, constantly monitoring the threat landscape is key to ensuring that companies can quickly prevent, detect, and mitigate new cyber risks. Management should discuss with the board when it is necessary to escalate cyber-risk threats to the board, as the nature of a remote working environment may require more frequent and active engagement. Similarly, the board should reaffirm which board committee has primary ownership of cyber-risk oversight or if it will be a full-board responsibility, given the heightened nature of the risk today.

It’s no Surprise, but Robust Risk Governance Really Matters

The board should be reevaluating its governance posture, particularly around takeover defenses. The decline in the stock price of many companies has increased the risk of hedge fund activism and unsolicited takeovers. Investors and proxy advisors have indicated that in the current environment, they will overlook the adoption of protective measures like poison pills. Boards should consider whether to adopt such measures and, if so, which measures might be appropriate given the current market volatility.

Strong oversight of the company’s enterprise risk management (ERM) function had proven to be key in helping mitigate risk prior to the coronavirus crisis. One director mentioned that benchmarking their current risks against those of their industry peers ensured that the company remained on top of emerging risks. Another director mentioned that the 2008 financial crisis forced the company to reimagine their ERM program along three main principles:

1. Focus on a finite set of enterprise risks. Broader risks should be managed by individual business functions.

2. Ensure that enterprise risk is integrated into the business process. Risk shouldn’t be the last consideration, but rather a lens for all business processes.

3. Be outcome based. Have management reflect on whether they are simply reporting risk or reporting risks and mitigation strategies.

Boards should ensure that the company has a strong ERM process, and management should have an effective reporting structure in place—one that will bring key emerging and possibly disruptive risks to the board’s attention and facilitate responsive action when appropriate.

At the end of the day, it is during calamities such as the COVID-19 pandemic that the board’s role can come into stark focus. How the board responds can make a significant difference for the company. Tom Kim, a partner with Sidley Austin, said that “The board should ask, ‘Has management thought deeply enough about how they are responding to COVID-19?’ And then the board should itself ask that same question and go through that same exercise. The resulting discussions will inform corporate disclosures and conversations with investors. And those conversations and disclosures will be more effective because of it.”

Address Today’s Risks and Focus on Tomorrow’s Opportunities

As management teams continue to confront the most pressing and immediate impacts of the crisis, including employee health and safety, financial health, and operational risks, boards have an opportunity to start shaping the post-crisis strategy by assessing longer-term opportunities and risks in a much-changed business landscape. Delegates discussed the increased use of scenario and contingency planning to map different paths for the company.

Several delegates spoke positively of the opportunities that exist for those companies able to make the necessary strategic and structural changes. For example, some industries will see regulatory changes that will shape how their businesses function in the years to come. Businesses can have a positive impact on those developments if they work carefully with regulators. Other industries may see opportunities to reorient their capital expenditures to develop certain business lines over others given emerging consumer behaviors.

Delegates discussed the need to consider the potential business implications of supply-chain diversification, US-China decoupling, the repatriation of operations to the United States, more digital and remote work, increased industry concentration, and an amplified role of government in the economy and as a customer. These are all possible trends that could create a starkly different operating reality; boards should begin to anticipate and engage management on these trends. One delegate thoughtfully noted, “As a board, the three things to think about are how do we emerge from this stronger than before, where are there inorganic growth opportunities, and what changes do we need to make to our strategy?”

As companies move to the next phase of the crisis, in what one delegate referred to as the “bridge to recovery,” boards are turning toward taking control of the situation and their own fates. Government policy will significantly influence how and when the economy starts up again. As we enter the next phase of this prolonged crisis, companies can effectively partner with the public sector and share their expertise in a way that creates opportunity and reduces risks for the entire company ecosystem. As one delegate said in closing remarks, “It is times like these when I really love the capitalist system that we are all a part of. There are hundreds of companies right now working toward solutions to this health crisis that will ultimately serve our communities and save lives. And those companies know that if they do it best, they will succeed, too. We have the best minds working on these issues, because the economic system we have encourages and supports them.”

The full brief of the April 2020 meeting of the NACD Risk Oversight Advisory Council can be found here.

Note: The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes are not attributed to individuals or their organizations, with the exception of cohosts.