Select Page

McKinsey’s annual global board survey of some 1500 corporate directors showed only 7 percent of them believed their boards were “most effective” at risk management and only 40 percent say they are prepared for the next large crisis.

If the largest businesses are not prepared, how resilient is your business, and will it survive the next major crisis?

Risk management is a key function for company boards as I’ve written about before, but how does the board determine risks and what to do about them?

Firstly, a review of your risk register needs to be discussed at every board meeting. Too often, boards meet and focus on looking at past results, rather than forwards – if your board is spending more than 20% of its time looking backwards, it’s almost certain to run into trouble. A clear board calendar for the year is essential, as is a detailed agenda and proper preparation ahead of each board meeting if the time spent is to be both productive and cover all the areas the board needs to. Without these, the board will waste time on less important matters.

Focus is essential.

As historian Roberta Wohlsetter said, “We failed to anticipate Pearl Harbour not for a want of relevant materials, but because of the plethora of irrelevant ones.”

Risks should be categorised along two axes – the scope of impact (in other words, how much impact it would have on the business), and the likelihood of occurring. Clearly, risks identified as having a big potential impact and a high likelihood of occurring are those where strong planning focus is needed.

But it also goes broader than that. If you look at the recent pandemic as an excellent example, it gave rise to multiple issues: a health crisis, a financial crisis and a consequent societal one, too. These, in turn, gave rise to other risk factors, affecting energy, shipping and electronic components, to name just a few. So, when looking at risk factors it’s essential to go deeper than just the high-level risk and try to understand what other areas will be impacted.

One also needs to look at what could happen if several different, unrelated risks occur in the same timeframe. For example, what would happen if supply chain disruptions due to component shortages and shipping delays were then compounded by a period of civil unrest, and/or severe flooding due to extreme weather?

Although a given risk factor on its own might be a relatively low impact event, the compounding effect of other risk factors occurring simultaneously could considerably increase the importance.  

Having determined the risks, their potential impact and likelihood, you should then rank them from most important to least – the core of your risk register which will then be reviewed at each board meeting. The rankings will change over time, as this high-level example from shows – note how IT disruption remained at #1 for this year, from last year, while Information Security dropped from #2 to #5. The “Great Resignation” saw Talent Risk jump to #3 from nowhere, while Geopolitical Risk jumped from #9 to #4 as a result of the Russian invasion of Ukraine.  

Identifying and ranking the risks to your business is the relatively easy part, of course You then need to task the team with producing plans for how the business will respond to these risks, starting with the highest-ranked one, and working down the list. The plans for the low-impact, low-likelihood risks can be less detailed than the higher-ranked ones, but you still want at least an outline in place so you’re not caught completely unprepared if one does occur. Devolve production of elements of the plans to the lowest practical level for each element – involving those who would need to implement elements will have them better prepared, and more likely to respond positively when necessary.

And build your plans bearing in mind the areas of financial, operational, technological, organisational, reputational and business-model resilience. By testing your plans against each of these elements you will be better placed to respond effectively in the event of a crisis.

With most companies doing it poorly, as the McKinsey survey showed, being prepared for potential risks and ensuring resilience is a competitive advantage. Use it.



I work with successful owner-led businesses to enhance their growth, profitability and business value.

If you’d like to have a conversation about your business objectives and concerns, book a free 30-minute call with me here. I’d be delighted to talk with you. 

#BusinessFitness #Boards #Business #CEO #Change #CompetitiveAdvantage #Crisis #CyberCrime #Disruption #Governance #Leadership #Paranoid #Planning #Resilience #Risk #Strategy #Unstoppable #VUCA


P.S. If you’ve enjoyed this post and would like to subscribe to my blog simply enter your details here or drop me a note by pressing here.


And if you’d like to learn more, these articles might be useful:

    %d bloggers like this: