The role of the board in preparing for extraordinary risk

| Podcast

The pandemic has been a stark reminder for many organizations that they are insufficiently prepared for crises that could not merely destabilize them but put them out of business. In this episode of the Inside the Strategy Room podcast, our board perspective series looks at the board’s role in ensuring readiness for such existential risks. Nora Aufreiter is an experienced director and a McKinsey senior adviser. Celia Huber leads McKinsey’s board services work in North America, and Ophelia Usher works in McKinsey’s global Risk & Resilience practice. She coauthored the article “The disaster you could have stopped: Preparing for extraordinary risk.” This is an edited transcript of the discussion. For more conversations on the strategy issues that matter, follow the series on your preferred podcast platform.

Sean Brown: The pandemic has given many organizations a wake-up call about existential risk. Have boards done a good job of mitigating such risks?

Celia Huber: No. We run an annual global board survey of approximately 1,500 corporate directors, and we found that directors are not pleased with their performance on risk management. In fact, only 7 percent of the respondents believe that over the past year their boards were “most effective”—the highest rating—at risk management, and only 40 percent say their organizations are prepared for the next large crisis. That brings up the question of what boards should be doing now to prepare and how they should approach crisis and risk management.

Sean Brown: How should boards decide which risks to prioritize?

Ophelia Usher: It’s the high-consequence, low-likelihood events, such as the pandemic, that can cause long-term economic impact, significant reputational damage, and leadership changes. But you also want to consider the certainty of that impact [exhibit]. This is not about looking for “black swans” but identifying events that would have significant ramifications for the core of your organization and value proposition. If you provide cybersecurity, for example, a cyberattack will be a core piece of that value proposition. Identifying those predictable surprises is where boards should focus their energy and time.

A goal for corporate boards is to ensure management identifies and addresses predictable surprises that could affect the whole company.

Sean Brown: How can boards identify those “predictable surprises”?

Nora Aufreiter: There is often foreshadowing but it may be only in hindsight that we see the trend or the risk. Cyberattacks and activist investor campaigns are obvious risks, but at a recent hospital board meeting we talked about the nursing shortage. Nurses have been retiring for a long time, but COVID-19 dramatically accelerated those early retirements, and you cannot operate a hospital without nurses. Likewise, the current staffing shortages in many industries are trends that were predictable—the turnover of frontline workers has always been high.

Celia Huber: In addition to labor, we see issues with supply chains. Who would have thought that we couldn’t roll cars off production lines because of a microchip shortage? The inputs core to your ability to deliver your product or service are the types of risks we are talking about. In business school, I was taught to look at the value at risk times the probability of the event, but existential risks like oil spills and chemical disasters that would change the entire business need to be treated as if they could happen rather than adjusting for their probability.

In business school, I was taught to look at the value at risk times the probability of the event, but existential risks that would change the entire business need to be treated as if they could happen rather than adjusting for their probability.

Celia Huber

Sean Brown: How can a board assess how big an impact a given risk could have?

Nora Aufreiter: It is tempting to look at risks individually, but there are benefits to considering scenarios where multiple risks hit at the same time. That’s what COVID represented: we had a health crisis, a financial crisis, and a social crisis. Companies that take on significant financial risk, with high leverage, should consider the operational risk. During the pandemic, retailers with high leverage whose stores suddenly closed faced bankruptcy because of a combination of risks rather than individual risks.

It is tempting to look at risks individually, but there are benefits to considering scenarios where multiple risks hit at the same time. That’s what COVID represented: we had a health crisis, a financial crisis, and a social crisis.

Nora Aufreiter

Celia Huber: The risk of multiple crises is apparent in the public sector as well. I live in California where the combination of COVID and our wildfire season led to a lack of personnel to deploy for things like vaccination clinics because the state was stretched across several crises.

Ophelia Usher: We have seen that scenario with clients. The crisis starts as one issue but becomes broader—financial, reputational. So, while management is thinking about the higher-likelihood, lower-consequence risks, which are important for them to manage, boards should be sifting through those low-likelihood, predictable surprises and identify a handful of high-consequence ones to pressure-test against the operating model and core values.

Boards should be sifting through low-likelihood, predictable surprises and identifying a handful of high-consequence ones to pressure-test against the operating model.

Ophelia Usher

Sean Brown: How should boards tackle this pressure-testing?

Ophelia Usher: One effective approach is what we call a premortem. You step back and allow your imagination to run. You are not looking for unknown unknowns; you are exploring risks the World Economic Forum and other groups of experts have identified, and you play them out. How would they impact your organization? And it’s important to think about the first order of consequences, the second, and the third.

Celia Huber: One board I worked with started by identifying 23 trends that generated risk for the organization, such as labor shortages, inflation, recession, and government regulation. We tried to make them granular so we could play out the compounding of risk, and from those 23, we identified a subset that we felt were existential—they would change the future of the business. When the board met for its annual strategic offsite, those were the risks they discussed and ran premortems on.

Nora Aufreiter: That’s a very helpful thing to do. You need to be looking at what is coming your way. Some boards get into a cadence of management presenting, directors asking three or four challenging questions, and then they think they have done their jobs. But it is the discussion among directors and management that can surface some of the big risks. We often assume that the status quo will remain the status quo, but if you identify external trends and reflect on the core assumptions about your business, all of a sudden a number of implications arise. If the board engages in approving strategy, sometimes it’s helpful to ask, “What would cause this strategy to fail?” Against that, you can then identify some long-term core risks.

New board members are sometimes best at identifying those risks because they can step back and ask simple questions that long-time board members may not think of or assume the organization knows the answer to. Early during the pandemic, one of my retail boards was talking about COVID spread and distribution centers, and someone said, “What would happen if we had a breakout in our distribution centers? Why don’t we take everyone’s temperature on that?” In hindsight, that was an obvious thing to do, but in the very early days, the board had not immediately thought of it.

Sean Brown: How should the board prioritize among the various existential risks to protect against when the cost of mitigation may be high?

Ophelia Usher: Once you have identified the big risks, you need to ensure that the company is investing in resilience. There are two questions around that: do the measures help protect the organization during an incident, and do they preserve its ability to invest coming out of the crisis?

Celia Huber: I work with life insurers and retirement product providers, and when interest rates are very low, that creates a big risk to their business model, particularly if they offer products that depend on interest-rate growth. A resilience mindset for them involves two things: how long can we weather the storm, and do we think interest rates will ever change? One company drew a line in the sand: “We will stay in this business until this point. Past that point, we will change the products we offer because we can no longer manage the risk of the interest-rate environment staying low.”

Nora Aufreiter: Risk appetite is very important to define. Financial institutions are in the risk business, so they have deep discussions about their risk appetite, but I’m not sure whether, outside of financial services, people spend enough time reflecting on how much risk they can afford and what scenarios would take them past that point.

Subscribe to the Inside the Strategy Room podcast

Sean Brown: How do you convince the management and other members of the board that investments in resilience are worthwhile for these low-probability but high-impact events?

Nora Aufreiter: There is baseline investment you need to make just to be prepared, not for a specific crisis but for crises in general. Then, some investments are needed to address long-term trends, digital disruption being one. We always get the timing wrong, but we can predict the trends, so those investments, if they are unaffordable, should make you question whether your fundamental business needs to change. How do you reallocate your capital so you can afford those necessary investments? Those are long-term strategic decisions the boards need to oversee.

Celia Huber: Fundamentally, it’s about alignment. One of the reasons we keep talking about scenarios and training is that the board is a group of people like any other—they have individual viewpoints about what is a necessary investment—so having that debate around a certain set of facts and scenarios that could play out can go a long way to building that alignment.

Ophelia Usher: Just because you have identified some risks and today is not the day to mitigate them does not make the exercise a failure. It is about building that long-term culture of managing risks. It’s a process, not a one-and-done.

Sean Brown: What are some ways for organizations to mitigate the biggest risks?

Nora Aufreiter: There are obvious things like insurance. It may be costly but it’s better to pay that than have the business disappear. During COVID, many organizations drew down their credit lines immediately, even if they didn’t need the money. I’m on an arts board and the only reason that organization survived the pandemic was because it had building insurance for its opera house. If government mandated closure, the insurance kicked in.

Celia Huber: The other element is around operating risk. What is the cost of a chemical spill that forces you to shut down your plant and pollutes the surrounding communities? There is insurance to mitigate that, but you can also make safety or equipment changes and process improvements. If you think about earthquake risk and mitigation, insurance may be too expensive, so you should think about operational changes you can make to withstand, say, a 5.0 earthquake but maybe not go so far as to withstand an 8.0.

Sean Brown: Are there any lower-cost steps that organizations can take to protect against these risks?

Ophelia Usher: One is capturing leading indicators. When a trend is not favorable to your operating model or strategic plan, how can you track leading indicators so you can act when the trend reaches a certain point? Boards should also consider trigger-based actions—for example, planning up front what you would do in a ransomware attack. Having a decision tree of factors that would lead you to pay versus not allows you to take an immediate action during the crisis.

Nora Aufreiter: I have experienced at least two simulation trainings on cyberattacks. One of the big lessons for me was that it’s easy to be emotional and say, “I’m not going to pay a ransom.” Someone challenged me on that, pointing out that it’s a business decision. If your whole organization is shut down for X amount of time, what is the business cost? My European colleagues feel differently about these issues than some of my American colleagues, so you need to have those discussions beforehand to avoid getting bogged down in debate during a crisis.

Sean Brown: We all have biases in our assessments of risk, such as the optimism bias. How do you mitigate against these natural biases within a board?

Ophelia Usher: One thing that can help is scenario planning—considering multiple eventualities to open up your imagination, similar to premortems. The important thing is to have an even number of scenarios because otherwise you tend to settle on the middle one. Then force yourselves to imagine what these four or six scenarios would mean for your organization.

Celia Huber: Boards that do this well not only force themselves to think about what could happen/should happen/is likely to happen, but they purposely pick one of the outlier scenarios to go deep on so that they can push their thinking.

Sean Brown: Where do boards typically turn for help in understanding the core business risks?

Nora Aufreiter: You often have experts come to talk to the board to prompt their thinking and lend an external perspective. I have also seen boards put experts in forensic analysis, communications, PR, or legal issues on retainer so they are available in case of a crisis. One board I’m on brings in a law firm and an investment bank every two years. The law firm helps us reflect on the trends and risk areas around corporate governance and the investment bankers come with an activist investor lens to see where our strategy or financial structure may be vulnerable, which stimulates debate around our potential defense.

Celia Huber: Some of the most effective boards I work with bring in outside speakers they know have positions antithetical to the company’s business model decisions, so directors can gain a point of view contrary to what they hear from management. What is most important is that the management team designates someone to pull together material on risk for the board discussion. You can’t just walk in and say, “Today we’ll talk about risk” when no one has done any prereading.

Sean Brown: What about broader existential risk to an industry or a business ecosystem? We saw segments of travel and retail sectors experiencing something along those lines during the height of the pandemic. How does an individual board approach that challenge?

Celia Huber: Many industries, notably financial services, have the dynamic where if one company gets into trouble, it causes a contagion across the industry. In healthcare, we often think about the existential risk of affordability. At some point, will healthcare become so unaffordable for the average family that it doesn’t matter if providers are individually successful? How do we as an industry create innovative ways to reduce costs?

Nora Aufreiter: From an ecosystem standpoint, climate change is an excellent example of people thinking through ways to collaborate to prevent that crisis. It’s hard for any individual to move forward—you have to change the whole ecosystem. Take Mark Carney’s pact with the banks [former Bank of Canada governor Mark Carney recently helped broker an agreement with 450 major financial institutions to combat greenhouse-gas emissions]. Banks [cannot refuse to] finance fossil fuels, because those companies need funding to transform themselves and invest in renewables. You also need governments to interact from a regulatory and carbon-pricing aspect.

Ophelia Usher: It’s important that when you are looking at high-consequence/low-likelihood events and the actions you can take, you don’t think narrowly about your organization. It’s about helping to shape how the industry is thinking about the issue. You also need to question the ecosystem’s operating model and whether there is a different approach that may make you less vulnerable to a particular predictable risk.

Sean Brown: After experiencing a crisis, how can a board make sure that the organization is better prepared for the next one?

Ophelia Usher: Doing a postmortem is key. Many organizations experienced one, if not more, existential crises over the past 18 months. Boards should consider the skills and training they need, ways to adopt agile decision making, and the right operating cadence.

Nora Aufreiter: One thing that comes up in a lot of COVID postmortems on boards is that, just like nurses retiring, directors are retiring. I’m leading an effort on a couple of boards to rethink the right mix of experience and capabilities we need now to relaunch growth in a very different world. Postmortems can be huge opportunities to ask, “Do we need to refresh, restart, rebuild? And how do we seize the moment at a board level as well as a management level?”

Sean Brown: What kind of issues do you find boards are discussing since COVID that might suggest a need for different board composition?

Celia Huber: I would bring up culture. One of the companies I work with realized during a crisis postmortem that they had a bit of a hero culture. No one raised risks as they emerged but would dive in once the crisis happened and the organization rewarded that. The board wanted to assess the company’s risk culture. If we’re monitoring trends, why are those signals not getting up to management, and what do we need to change in the culture to make that happen?

Explore a career with us