Character of the Corporation: Geopolitical Risk
The following is an excerpt from a conversation that took place at MLR Media's Character of the Corporation conference.
John Bremen: Have the boards you are associated with changed their overall approach to risk management and resilience in the past three years?
Michael Montelongo: Certainly. Because of all that has happened in the last two years or so to increase risk intensity and impact, companies are much more sensitive to risk and resiliency with a capital R. In particular, the gray and black swans — or, respectively, predictable and unpredictable, low-likelihood, major-impact, existential risks — are areas that heretofore boards haven’t fully focused on. But while unlikely, we now acknowledge they cannot be overlooked. Overall, I expect more and more boards and their risk or audit committees will expand their risk envelope, increase their attention to this gray/black risk quadrant and take appropriate action to address these risks.
Geopolitical risk, more specifically, is an example of risk that falls into that very disruptive risk quadrant and one that many boards struggle with — much like they did initially with ESG and cyber risks. That’s because, for more than three decades after the end of the Cold War, global companies operated in what they perceived to be a geopolitical risk-free world thanks to globalization. But we’re finding, unfortunately, that was a naïve notion because great power competition and its ability to complicate business strategies never really went away. Having been rudely awakened by events in Ukraine and what may happen with Taiwan and elsewhere, boards and management teams feel ill-equipped now to assess and manage these issues and have mostly been in reactive mode.
But the right adjustments can still be made to build geopolitical resilience. Geopolitical risk as an indispensable component of corporate strategy is now front and center. Like cyber and, most recently, ESG, geopolitical risk will get its proper share of attention and become more mainstream.
Norman Augustine: Today’s board needs to deal with risk in a far broader context than in the past. Geopolitical risk is having more impact today than ever before and is both complex and consequential. The flip side is, of course, that if you don’t take risks you’ll soon be out of business.
The basic issue of risk for a board or an individual is to weigh the upside opportunity against the downside penalty, considering the probability associated with each. But how does one realistically deal with black swans that are highly unlikely but potentially catastrophic? The way I tend to approach this conceptually is to multiply the probability of the risk actually occurring by the consequence if the risk does occur. The result is where I’m going to begin focusing my strategy. But mathematics aside, I’m going to bias my attention toward things that are more likely to actually take place. I’m not going to spend a lot of time worrying about an asteroid hitting our factory, even though there is a finite probability of that happening. Placing too much weight on the highly unlikely tends to paralyze decision-making.
I used to carry a card in my pocket listing the 10 worst things and 10 best things I could think of that might happen to our company, each in order of priority — as determined above. This was very helpful both in planning and in self-testing our readiness.
But when it comes to geopolitics, the tough part is that you have little to no control over the risks you may confront; only what your preparation and your reaction might be. But even if your forecasts are wrong, the preparations to address them can be helpful in dealing with the inevitable surprises that occur. Who, for example, predicted that Ukraine was going to be invaded by Russia? Or that COVID would strike?
Steven Haas: The big challenge for corporate boards right now is figuring out which risks they need to be spending time on. There’s an infinite number of risks that we can come up with, and we’ve got, say, 10 board meetings per year. There’s the risk of an asteroid hitting the company on one end of the spectrum. That’s a “low probability/catastrophic impact” risk. There’s also not much you can do about it, so we probably shouldn’t dedicate board time to it. Then you’ve got the known risk, such as cyber. For most companies, the key issue right now is figuring out what the risks are that the board needs to be talking about. This requires identifying risks of sufficient probability and materiality – the “mission critical” risks. That’s really hard in today’s ever-changing environment.
As for whose job it is to oversee risks, let me say this: We have fretted since 2002, when Sarbanes-Oxley was adopted, that we’re overloading the audit committee with too much responsibility. Are we now adding to the audit committee’s oversight tasks, for example, the risk of a 1980s-style ground war in Western Europe? That’s a lot for the audit committee to handle. I think there are a lot of material risks that should remain at the board level.