Boardroom advice for handling disruptive risk

When risks seem to be unmanageable, it may be time to move away from traditional models of risk management.
By Paul L. Walker, CPA, Ph.D., and Thomas L. Barton, CPA, Ph.D.


In the late 1990s, online bookseller Amazon had a very uncertain future. Now its market capitalization is almost $900 billion. And it has revolutionized retailing.

Around the same time, it would have been inconceivable that Apple, a struggling technology company, would almost singlehandedly turn cellphones into miniature computers, capable of delivering high-definition audio and video as well as a multitude of advanced features that people take for granted today. Apple's market capitalization is now almost $1.2 trillion.

Microsoft, Google, and Facebook round out the top five technology companies. And with the exception of Microsoft, these companies have revolutionized their sectors in just a few years. Consumers of the goods and services these companies provide would not think of the whole technology revolution as "disruptive." But competing companies certainly would.

For this reason, it is perhaps not surprising that, historically, relatively little guidance has been available about what organizations can do to anticipate and control disruptive risk, the sort of business development that can put a company out of business, often because of some unseen, outside competitor. Recently, strong board involvement has been emphasized as a key part of efforts to manage disruptive risk.

Until recently, there has not been much discussion of disruptive risks as a separate category of risk. Traditional enterprise risk management (ERM) models did not emphasize disruptive risks or the capabilities needed to manage them. Netscape browser, anyone? Or how about the AltaVista search engine?

The real difficulty lies in the truism that disruption emanates quickly and from outside the organization. What chance does an organization have to manage such a potentially ruinous risk? It's no surprise that the risk seems almost unmanageable.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), the National Association of Corporate Directors (NACD), and other bodies that provide guidance on risk management have focused on board involvement in managing disruptive risk. This approach has much promise since disruptive risk must be addressed at the highest levels of the organization. The approach is clearly sound, but implementation is another matter.

Many board members do not realize how critical the board's risk oversight role is in creating, protecting, and enhancing shareholder value. "The pressure on boards of directors to oversee and manage risk is greater than ever before," according to a Diligent Insights blog post, "Board Oversight of Risk Management." One New York Stock Exchange (NYSE) board member once asked about a company that went bankrupt during his oversight, "Could ERM have helped save the company? Could better ERM or board involvement have helped us see the disruptive risks sooner, assess them better, manage the risk better?"

Recent headlines tend to support these types of questions and the potential game-changing role of boards in this area. Some of the headlines are startling. For example, the former CEO of Cisco recently and famously stated, "40% of companies will be dead in 10 years." Other studies echo the concern: some show the life span of a Fortune 500 company dropping dramatically, and some forecast that half of the S&P 500 will be replaced in 10 years. Additional studies show dramatic shifts in the top 10 companies over the last 25 years, and some note that the topple rate of companies (how quickly they fall) is growing dramatically.

There can also be regulatory pressure. Current NYSE requirements state that the audit committee is supposed to discuss policies with respect to risk assessment and risk management and that the CEO and senior management have responsibility to assess and manage risk. The SEC's 33-9089 rule requires that companies disclose the board's role in risk oversight. Interestingly, almost every major economy has moved toward some stronger form of ERM and board risk oversight. A 2019 survey shows that ERM is more understood and valued than it was 10 years ago. Yet, The State of Risk Oversight, an annual survey by the AICPA and North Carolina State University, also shows that robust risk management remains a struggle for many organizations.

In response to this pressure, information and suggestions on how to improve board risk oversight are flowing from organizations and their research. These groups include the NACD and consultancy Protiviti, which publishes an annual survey in collaboration with N.C. State's Enterprise Risk Management Initiative. Below are some of the entities' suggestions, along with how ERM leaders and boards can respond and get more involved.

Question legacy business models

"Allegiance to legacy business models with reluctance to question their future viability" is a red flag, according to board guidance (Adaptive Governance: Board Oversight of Disruptive Risks, NACD, 2018).

ERM reaction: Include business model risk analysis in your risk assessment.

Board member reaction: Don't accept a risk map with a list of top risks. Ask if tools have been applied to examine the risks around the business model — in essence, the heart and soul of the business. Without a grasp of this, you are overseeing the wrong risk. Peter Drucker, a management consultant, educator, and author, wrote in "Theory of the Business" in the Harvard Business Review in 1994 that every three years we should challenge every product, service, policy, etc. — basically, every assumption about the business.

Assess emerging risks

"The board should carry out a robust assessment of the company's emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated. ... Principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company's business model, future performance, solvency or liquidity and reputation. In deciding which risks are principal risks, companies should consider the potential impact and probability of the related events or circumstances, and the timescale over which they may occur" (UK Corporate Governance Code 2018).

ERM reaction: First, strengthen your emerging risks process. Second, include business model risk analysis in the process. This reaction captures the growing pressure on boards over emerging risks and business models. Recent work at the Center for Excellence in ERM at St. John's University's Tobin College of Business reveals that U.S. high-performing companies (as compared to those that are not high performers) are more likely to have an emerging risk process.

Board member reaction: There is no reason not to insist that companies push the dial higher than just doing risk identification, risk assessments, and risk ranking. Insist on an analysis of how the emerging and disruptive risks impact the business model. The future of the business could be at stake.

Watch for external risks

"Boards have concerns about less controllable, exogenous risks" (2019 Governance Outlook: Projections on Emerging Board Matters, NACD). As an example, Pearson, the British publishing company, discloses in its annual report that it compares its strategy to external risk data.

ERM reaction: Show the board how you have done this. Use black swan or disruptive-risk workshops to surface these risks.

Board member reaction: One Fortune 100 company board insists that the ERM leader show what external data was used during the risk assessments. Assessments cannot be based only on internal surveys and interviews; you must get an external view and external data. Drucker was famous for warning us to study noncustomers instead of just our current customers. Other major organizations conduct black swan or strategic disruption workshops and report the results to the board.

Identify trigger and interconnected risks

Organizations that focus only on risk maps and registers can miss trigger risks or interconnected risks. The 2017 COSO ERM Framework discusses the importance of seeing risks in a portfolio, but it is also important to know which risks occur first and either trigger other risks or create an excessive risk tipping point.

ERM reaction: Identify which risks could be the tipping point or the trigger. Managing or monitoring only the nontrigger risks could be futile and leave you receiving key risk information too late. Key risk indicators and risk mind maps can help map the path of risks and show which risks might be triggers. Research from the Center for Excellence in ERM at St. John's University shows that monitoring trends related to disruptive risks is the action or response most frequently listed by ERM leaders.

Board member reaction: Insist on an identification of trigger risks. These risks may be smaller and off the radar screen because of their size. However, they can be the first sign that not all is well. At a minimum, ask what the risk drivers are.

Assess vulnerability to disruptive risks

A recent Gartner survey showed the top-rated risk was the pace of change and a related concern over being vulnerable to disruption. Similarly, at a recent ERM Summit, over 85% of ERM leaders agreed that digital disruption would have a significant impact on their organization, and 55% agreed that it was one of their top risks.

ERM reaction: Just do it. Get board members to schedule time to focus on and discuss disruptive risks arising from a variety of sources. Use data, trends, strategic risk analysis, innovations, or any tool that might help identify disruptive risks.

Board member reaction: Attempt to identify the most disruptive risks. Schemas showing future business growth, current capabilities, and potential "blue oceans" can help identify them. Some are proposing that companies stress-test nonfinancial risks. We've seen one major company build risk shock calculators to determine just how much impact a major risk can cause; it helped them make better decisions.

Upskill to navigate disruptive risks

"Boards should invest in the skills — within the organization and on the board itself — needed to navigate disruptive risks" (Adaptive Governance: Board Oversight of Disruptive Risks, NACD, 2018).

ERM reaction: Lead or train your board on how to identify disruptive risks and link them to the business model.

Board member reaction: Board members should consider training on disruption, strategic risk, and its many dimensions (which COSO highlights), and the potential toolset that can be used to uncover such risks.

Maintain adaptive governance and foster challenges

"In the Commission's view, this will require boards to build ... adaptive governance, which we define as ... [a]ctive involvement by directors in setting and maintaining a boardroom culture that is centered on open discussion, constructive challenge ..." (Adaptive Governance: Board Oversight of Disruptive Risks, NACD, 2018).

ERM reaction: Practice a challenge culture or contrarian view when risks are presented. Encourage boards to do the same. The goal is for the greater good of the organization.

Board member reaction: At board meetings, observe how questions are asked, watch for group thinking, watch for thorough and challenging discussion of risks and business models, and insist on adequate time to review major risks and strategy. Ultimately, don't join a board unless it has this type of culture.

About the authors

Paul L. Walker, CPA, Ph.D., is a member of the COSO ERM Advisory Council. He leads the Center for Excellence in ERM at St. John's University's Tobin College of Business and is the James J. Schiro/Zurich Chair in Enterprise Risk Management. Thomas L. Barton, CPA, Ph.D., is the Kip Professor of Accounting at the University of North Florida.

To comment on this article or to suggest an idea for another article, contact Neil Amato, a JofA senior editor, at


Online resources

  • Cybersecurity and Beyond, online certificate program,
  • "Purpose and Profit" Value of Value: Board-Level Insights,
  • The State of Risk Oversight, 2019 AICPA and N.C. State University Enterprise Risk Management Initiative report,
