A recent KPMG global survey, Calibrating strategy and risk: A board’s-eye view, shows that corporate boards are deepening their involvement in company strategy and refining their oversight and understanding of the critical risks facing the company.
The survey responses – from more than 1,000 directors and senior executives in 28 countries – suggest that while many boards are deepening their involvement in strategy and risk, significant challenges remain, including linking strategy and risk, and addressing growing cyber security risks.
53% of the directors and executives surveyed said their board has increased its involvement in the formulation of strategy alternatives, and 61% said the board has sharpened its focus on improving risk-related information. Rather than an annual decision by management and the board, strategy is becoming an ongoing discussion, with continual assessment, evaluation, and adjustment as conditions change.
- Boards continue to deepen their involvement in strategy: Some 80% of survey respondents said the board has deepened its involvement over the past 2 to 3 years – in the formulation of strategy and consideration of strategic alternatives, monitoring execution, devoting more time to technology issues (including cyber security), and recalibrating strategy as needed.
- Effectively linking strategy and risk continues to elude many boards: Only half of survey respondents are satisfied that strategy and risk are effectively linked in boardroom discussions. Risk-related decisions, many said, would be most improved by more closely linking strategy and risk, as well as having a more clearly defined risk appetite, better assessment of risk culture, and giving greater consideration to the “upside of risk taking” (versus risk avoidance).
- Better risk information and access to expertise are (still) top of mind: Many boards have recently taken steps to strengthen their oversight of risk, mainly by improving risk-related information flowing to the board, but also by hearing more independent views and refreshing the board expertise, coordinating (and reallocating) risk oversight responsibilities among the board’s committees, and/or changing the board’s committee structure.
- Cyber security may require deeper expertise, more attention from the full board, and potentially a new committee: Greater use of third-party expertise and deeper technology expertise on the board would most improve the board’s oversight of cyber security, survey respondents said. Nearly one in three respondents said cyber security needs to have more time on the full board’s agenda, and a quarter said formation of a new committee to address technology/cyber risks would be beneficial.
- Oversight of key strategic and operational risks could be more effectively communicated among the board and its committees: Nearly half of survey respondents cite room to improve the communication and coordination among the full board and its committees on oversight of the company’s key strategic and operational risks – e.g., strategy, CEO succession, talent, regulatory compliance, cyber security and emerging technologies, and supply chain issues.
- One third of directors and executives in Switzerland said they want to spend more time testing the ongoing validity of underlying assumptions as part of their increasing involvement in strategy.