Governance Challenge: The Board's Role in Crisis and Risk Management

Recent data security breaches at some of the nation's largest retailers prove that available technology solutions to guard against cyber theft are not keeping pace with the capabilities of the hackers. What's more troubling is that, according to the Ponemon Institute, an organization that studies data privacy and security, the probability that an organization will experience a security breach is high. While not all data security breaches are equal in scale, these events raise a larger question on corporate governance and risk.

While a board is not responsible for solving the cyber security crisis, the question of its role in crisis management is timely. According to a 2013 study by McKenzie, nearly 30 percent of board directors said their boards have limited or no understanding of the risks their companies face. In a world in which the speed of risk travels at 140 characters, and with global uncertainty rising in nearly every precinct -- economic, political, climate, distribution of wealth, supply chain, social media and cyber security -- the board's capability to address these dynamic risks is increasingly relevant.

While the risk-management expectations of the board continue to expand rapidly, ignited by Enron and the financial crisis, boards are in fact uniquely positioned to build capability around the particular risks that their companies confront.

Two examples of capacity building come to mind.

First, boards have essentially unlimited spending authority and thus can identify and retain resources to build risk-management capacity. Take cyber security: A board is fully authorized to retain the leading global experts in the field, which include retired CIA, NSA and military experts who represent the best thinking available on guarding against cyber threats. Similarly, boards of extractive industries, including energy and mining, have full authority to hire environmental engineers to guide them through comprehensive assessments of both market and non-market risks.

Second, and a (radical) step further, it would go a long way in addressing the increased expectations of governance and the expanding capability gap if boards diversified to include experts on the systemic and episodic risks their industry sectors confront.

Challenging as it is, unprecedented risk creates a spur for change. With trust in government falling precipitously, and the performance expectations of companies rising, boards have distinct leadership challenges and opportunities. In an age of the highly trusted subject matter expert, boards should re-imagine their role in crisis and risk with an eye toward prevention and mitigation.