Executive Pay | The Overlooked Elements of Executive Pay: Perquisites, Retirement and Severance
While perquisites, retirement and severance are not ordinarily an annual focus of Compensation Committees, these non-core elements can play a critical role in crafting executive compensation programs that enable companies to achieve their strategic goals and objectives. This issue of the Beacon looks at these non-core elements, outlines important committee considerations and highlights the questions committees should ask when evaluating these non-core elements.
When people think of executive compensation, they naturally think of salaries, annual bonuses, and long-term incentives. While these are the foundational elements of pay that predominantly occupy Compensation Committees’ time and attention, the non-core elements play a material role in retention, motivation and governance.
Perquisites:
Generally, perquisites are provided to executives to enable them to devote more time to the company’s business, protect its operations and/or address risks related to health or security. Understanding the purposes and roles of perquisites is essential in determining which to offer and how they fit into the company’s executive compensation philosophy and program.
There are several lenses through which to consider perquisites:
Often, Compensation Committees focus on particular high-ticket perquisites, such as personal use of company planes or other pivotal arrangements related to executive health and safety. Committees need to understand their perquisite offerings in the context of the above perspectives.
Key Questions When Considering Perquisites
Retirement
Historical Context
The nature of the employment relationship with executives has changed significantly over the past 30 years. Pension plans and supplemental executive retirement plans have been dramatically reduced and, in many cases, have been eliminated entirely. Instead, compensation has become substantially more performance and stock based. Most companies do maintain defined contribution and “restoration” plans to mitigate the statutory limitations of qualified plans. Somewhat ironically, the shift away from pensions has made the retirement provisions of equity awards particularly important and valuable, given the significant portion of total compensation that is comprised of equity awards.
Retirement Plans
Across nearly all industries, retirement plans have become overwhelmingly defined contribution (DC) in nature. Defined benefit (DB) plans have largely been phased out or frozen and replaced by DC plans. The cost of DB plans, the volatility they often introduce into company profitability and a workforce with considerably more mobility across employers over a career are the factors that drove this change. Nonetheless, opportunities to accumulate (and move) retirement assets are highly valued. This means the company contribution elements (e.g., match formulas, discretionary contributions, executive restoration elements and investment choices) are an important aspect of executive remuneration. However, retirement arrangements rarely have the value or retention power to materially impact attraction or retention of executives, as they often can get the same offering elsewhere.
Treatment of Equity upon Retirement
For higher-growth companies, the treatment of equity upon retirement often receives less attention as executives are more focused on intermediate time frames. However, for more established companies the treatment of equity on retirement is of high interest and value. A company should balance:
1. Retaining employees/executives with longer service retirement eligibility; against
2. Attracting mid-career talent with more attainable retirement eligibility.
Most companies define retirement eligibility as some combination of age and service. Once attained, outstanding equity awards are eligible for some degree of beneficial treatment (e.g., pro rata and/or full vesting of equity).
Striking the balance outlined above requires defining:
1. The age(s) and/or service that constitutes retirement (there can be more than one);
2. How much an individual is entitled to receive at these milestones; and
3. Other features:
A. Designed to ensure that, as the executive cohort becomes more senior and seasoned, the retention value of equity is not lost through the executive’s right to resign and claim retirement treatment (e.g., a requirement to provide advance notice of retirement).
B. Designed to provide optionality to the company and avoid doubling up (e.g., not permitting an executive to receive both severance on a termination without cause and retirement treatment of equity).
Increasingly, we see companies in the sticky situation of having an age + service equity vesting provision, which eliminates the retention “glue” equity awards are supposed to provide. This also fails to support planful executive retirements and allows for a “double dip” (an executive terminated without cause, but who has met age and service requirements for retirement, receives both severance and equity vesting).
When considering how much equity should vest upon retirement, it boils down to the Board’s take on what is consistent with the company’s compensation philosophy. The alternatives range from losing all unvested awards upon retirement to full vesting. Most companies we work with now tend to fall somewhere in between those extremes and may provide partial or pro-rata vesting of equity awards upon retirement. Investors prefer continued to accelerated vesting of equity on retirement as it maintains a long-term decision-making focus as executives near retirement.
Key Questions When Considering Equity Award Retirement Provisions
Severance
Severance is used to facilitate managerial transitions and/or make individuals indifferent to organizational decisions that may be to their detriment, including a reduction in force and a merger or acquisition. Severance can be provided by individual agreement with each executive or through a severance plan. Most companies have migrated toward generalized plans rather than individual agreements. They are simpler, easier to administer and avoid complex, one-off negotiations with each executive.
Most shareholders and their advisors support severance that is not “excessive” and/or reflects market practice. The proxy advisory firms take a dim view of any severance protection that provides for tax gross-ups. This has led to a shift in the market towards a “best net” approach for severance related to changes in control, as this avoids a tax gross-up and enables the individual executives to either have their severance capped or paid out in full, depending on which would provide a greater benefit.
Key Questions When Considering Severance
Conclusion
These non-core elements are an important element of an executive compensation program. They are a particularly critical element of executive compensation at the margin – when attracting and retaining executives during critical times. Getting the non-core elements right can pay off by enabling a company to achieve its strategic goals and objectives.
Board Independence | Liability Of Independent Directors
Corporate governance is based on the principles of conducting business lawfully with high integrity and transparency. It includes addressing related party conflicts, building efficient risk management systems, respect for independence of the board, compliance with laws in letter and spirit, respect for international laws, building a no tolerance zone for corruption including anti-bribery policies, prevention of sexual harassment at the workplace, appropriate policies for safety and environmental control, having succession planning in place and most importantly, accountability to stakeholders.
Several factors may be responsible, individually or collectively, for the failure in corporate governance including.
In modern times, when trade and commerce are being controlled by corporates, there is a huge expectation that these corporates will adhere to the high standards of corporate governance. Under the corporate veil, it is the management team which runs the show. In most cases, companies are run by the promoter family. The companies which are not run by the family as promoters are few and far between. It is critical that governance structures are in place for the companies so that the success or failure of the company is not dependent upon the whims and fancies of any individual family member. Key management persons also need to be subjected to regulatory and proper corporate governance structures.
Corporate governance is a global issue and is not restricted to India. There have been several reported cases of corporate fraud worldwide where the lack of sound corporate governance guidelines has led to financial disaster.
In spite of the global awareness and measures taken from time to time to improve the corporate governance framework, the monster continues to grow, and the surprises keep on coming.
Several large companies and their promoters have cases pending before the NCLT filed under the Insolvency and Bankruptcy Code, and/or are being investigated by several investigative agencies like the Serious Fraud Investigation Office (SFIO); Central Bureau of Investigations (CBI); Income Tax Investigation office; Enforcement Directorate; Economic Offences Wing (EOW); and Securities and Exchange Board of India (SEBI), which has a bearing on the subject.
The most talked about cases in India in the recent past which show a clear and flagrant disregard for corporate governance guidelines include the Satyam episode; the ILFS case; the MD and CEO of a leading private bank being investigated by CBI; the Nirav Modi and Mehul Choksi scandal which led to a massive banking scam; and the matter of Vijay Mallya.
Corporate governance is required not only in the private sector but also public sector. It is unfortunate that in a welfare state like India, despite over seven decades of independence, the Government of India is the biggest litigator before judicial and quasi-judicial fora. It is high time that even the government introspects how the governance and accountability standards can be improved.
Today, there is a serious reluctance on the part of eminent and experienced persons to join the board of any company. Unfortunately, there are several cases where investigating agencies implicate the independent directors for any wrong committed by the company or the management of the company. Further, there are several cases where any person aggrieved by the company’s acts implicates the independent directors in the judicial proceedings or criminal proceedings, based on which courts and investigating agencies issue show cause notices to the independent directors. There is also a trend in the banking industry, where without any application of mind and without describing the role of the independent director, in cases where the borrower defaults, the lender implicates the independent directors for fraud and wilful default.
Section 149(12) of the Companies Act provides that an independent director or non-executive director shall be held liable, only in respect of such omission or commission by a company which had occurred with his knowledge, attributable through Board process and with his consent, connivance or where he had not acted diligently. Similar provisions are contained in Section 27(2) of the SEBI Act.
In the matter of V Selvaraj Vs. The Reserve Bank of India, High Court of Madras, it is clearly held that an independent director shall be held responsible only in respect of such acts of commission or omission by a company which occurred with his knowledge, consent or connivance.
In the matter of Sunil Bharti Mittal v. CBI, the Supreme Court held that an individual can be held liable for an offence by the company (i) if there is sufficient evidence of the individual’s active role coupled with criminal intent; or (ii) where the statute itself stipulates the liability of directors and other officials.
Further, the classification of fraud is now guided by the ‘Reserve Bank of India (Fraud Risk Management in Commercial Banks (including Regional Rural Banks) and All India Financial Institutions) Directions, 2024’ as issued on July 15, 2024 (“RBI Master Directions 2024”), which clarifies that independent directors are not usually in charge of, or responsible to the company for the conduct of business of the company. Therefore, banks should consider this before taking any action against such directors.
Therefore, it is critical that before any show cause notice is issued to any independent director, it is ascertained whether he had any role to play in the allegation, so that the judicial or investigation process is not abused and no harassment is caused in the process.
Corporate governance is not an attitude, but a philosophy of the company based on the ethics of the promoters or persons running the business. It’s not transactional, but a way of life. It’s like following a daily routine by the company. It’s a very serious matter and cannot be taken lightly.
On one hand, the lack of corporate governance can bring any company to its knees. On the other hand, sound corporate governance can provide wings to a company towards its unprecedented success.
Board Composition | Intergenerational Inequality Demands Governance Attention
As a director who has served on several company boards across emerging markets, including in the insurance sector, I’ve always tried to view risk not just as a threat, but as an opportunity for resilience, innovation and long-term value creation. Yet, among the many global risks we discuss around boardroom tables, one keeps me up at night: inequality.
Inequality is not just a driver of social erosion. It accelerates nearly every other systemic risk we face, including climate disruption, political instability, migration and the erosion of institutional trust. Of these, intergenerational inequality has emerged as particularly destabilizing.
In many countries, especially emerging economies, the foundational contract between generations is unraveling. For decades, families operated under a simple understanding: Parents would invest in their children’s education and stability. In return, their children, once economically secure, would care for them in old age. However, many governments, underfunded or ideologically withdrawn, retreated from elder care and leaned on this familial safety net.
That model has now collapsed.
Young adults are entering a labor market far harsher than the one their parents faced. Jobs are informal, wages are stagnant and housing is increasingly unaffordable. Many cannot achieve financial independence, let alone support aging parents. Meanwhile, public elder care remains inadequate. Older generations face rising health needs, limited mobility and shrinking pensions. The result is two economically vulnerable generations, each looking to the other for support, yet neither is capable of offering it.
For boardrooms, this is not an abstract social dilemma. It is a direct challenge to long-term corporate viability. The collapse of generational reciprocity threatens future consumer markets, talent pipelines and social licenses to operate. Sectors such as insurance, real estate, education and consumer finance are already experiencing the effects. Young consumers are underinsured, unable to save and locked out of asset ownership. Older customers require more care but can afford less. Demand is destabilizing.
These effects are not occurring in isolation. They reflect a deeper imbalance in the global economy. Since 2020, the richest 1% have captured nearly twice as much new wealth as the rest of the world combined. Wealth is no longer tied to labor or merit, but increasingly to inheritance and financial gatekeeping. Corporate structures, investment flows and even policy agendas have bent toward this concentration, while economic outcomes for the majority have deteriorated.
Society still expects younger generations to carry responsibility for the old. But that expectation persists in a system that has denied them the tools to succeed. We cannot address care, aging or workforce sustainability without confronting this economic dispossession.
In a well-governed society, care must not depend on private sacrifice. It must be structured as public infrastructure, funded fairly, delivered inclusively and sustained collectively. This is not an issue for policymakers alone. Boards must understand: the fracture between generations is a business risk. And it is already shaping the future.
Rethinking Governance Through the Lens of Intergenerational Risk
Too often, boards treat inequality as a political or philanthropic issue. But intergenerational inequality now poses a clear and material risk to long-term value creation. It reshapes who can participate in markets, who can be hired and retained as well as who can trust institutions. Boards can no longer afford to ignore this.
A strategy that overlooks generational exclusion is not a neutral oversight. It is a failure of risk management. Boards must move beyond acknowledgment and toward action. This begins with asking: What lies within our remit?
The answer is: More than we think.
Boards must move beyond generic commitments to inclusion and recognize intergenerational inequality as a material and compounding threat to institutional resilience. The first responsibility is protective: identifying how a company is already exposed. This means pressing management to deliver visibility on where younger generations are disengaging from the firm’s value chain. Boards should demand cohort analysis of customers and employees — especially those under 35 — noting how affordability, indebtedness or disillusionment may be eroding long-term loyalty or demand. They should commission scenario analyses that treat demographic inequality not as background noise, but as a primary risk vector. What happens when your youngest customers can no longer form households, accumulate savings or insure their futures? What is the cost of a workforce increasingly dependent on family subsidies, second jobs or shared housing just to participate?
This is not theoretical. Companies in sectors as varied as insurance, retail, mobility and real estate are already encountering a generational disconnect between what they offer and what younger populations can access. Boards have a duty to surface this gap. Risk registers and strategy reviews must reflect it explicitly. Even automation and digital transformation strategies, while efficient, often carry hidden generational consequences — displacing early-career roles or consolidating power in ways that exclude new entrants. Boards must require mitigation plans that go beyond reskilling headlines.
Protecting against intergenerational risk is only one side of the equation. Boards also have a role in addressing it. Governance itself must evolve. Rather than treating generational equity as an abstract aspiration, it must be translated into concrete mechanisms. This means embedding intergenerational questions into the logic of capital allocation and executive incentives. Boards should request business units to articulate not only revenue projections, but long-term affordability and accessibility across income cohorts. They should challenge management to invest, either directly or through fund vehicles, in infrastructure that supports generational resilience: affordable housing, accessible care, education pathways and local employment ecosystems.
Executive compensation can be partially linked to resilience metrics that reflect not just returns, but value creation that endures across generations. Succession planning and board refresh cycles should prioritize the inclusion of directors with lived experience of financial exclusion, platform-based labor or generational volatility. Boards might even institutionalize a “next generation advisory council” to bring structured, recurring insight from those furthest from the boardroom, but closest to the future.
Above all, governance must resist the temptation to extract from the future to serve the present. Long-termism should not be a branding device, but a structural discipline. Boards can require multi-decade planning horizons, legacy-value narratives and long-view scenario testing. They can and should commission third-party audits of the organization’s exposure to generational collapse, not as reputation management, but as a core fiduciary tool.
Ultimately, the board’s role is not to solve intergenerational inequality, but to ensure their institutions remain resilient in the face of it. This means confronting hard truths, questioning inherited assumptions and governing with a horizon that extends beyond electoral or quarterly cycles. In an era where demographic and economic divides are reshaping who works, who buys, who trusts and who builds the future, the boards that will thrive are those willing to evolve. They will not only safeguard long-term value but also help restore the bridge between generations that healthy societies and lasting enterprises depend on.
“But Isn’t Addressing Inequality the State’s Job?”
It’s a fair question and one boards should ask. After all, inequality, social protection and generational opportunity have long been seen as the domain of the state.
But companies do not operate in sealed markets. When intergenerational inequality begins to shape labor availability, demand patterns, home ownership, savings capacity and community trust, it becomes a direct threat to long-term enterprise value.
Directors are not being asked to replace the state. They are being asked to govern in full view of how demographic and economic shifts are reshaping the foundations of their markets and workforces.
Boards already oversee climate, cyber and geopolitical risk — not because they can solve them, but because they must anticipate and adapt to their consequences. The same logic applies here.
For decades, the engine of market economies rested on a shared expectation: that if people worked hard, they could build a better future. Today, that contract is breaking down. Social mobility has stalled or reversed in many countries. Talent is not flowing upward. It is stalling, opting out or being priced out.
Board Effectiveness | Corporate Boardrooms: Skills For Board Of Directors By Assessing Fortune 100 Boards
From technology disruptions to shifting regulation priorities, corporate boardrooms are navigating a rapidly changing business environment. Against this backdrop, a recent analysis of Fortune 100 companies reveals distinct patterns in current board skills and backgrounds.
Globalized leadership
Almost all directors have leadership experience (90%), and the majority (63%) have skills in international business.
Potential skill gaps
The least common skills are related to mergers and acquisitions (31%) and information security (20%).
Risk skill premiums
Directors who are new to the board are more likely to have risk management skills (70%) compared to incumbents (60%).
This edition of On the Board’s Agenda explores how board director skills vary, and considers how trends in leadership skills across the Fortune 100 could be shaping board refreshment strategies:
- Overall most and least prevalent director skills
- Differences by leadership role, professional background, board committee
- How skill mixes are different for those who are new to the board
- Refreshment strategy considerations
The patterns underscore how skill composition variations could improve the board’s ability to steer the organization. Read the full article for an in-depth look at how companies can leverage the skills of board directors to navigate an ever-evolving business environment.
There are distinct patterns in the skill profiles and professional backgrounds of Fortune 100 directors. Those with additional leadership responsibilities are more likely to have finance skills and prior CEO experience. And when these boards add members, they are disproportionately more likely to have acumen in risk management and international business. From technological disruptions to shifting regulatory priorities, it seems likely that the risk landscape for boards may continue growing in complexity. To navigate such volatility, it’s worth considering how the board’s competencies align with the organization’s long-term oversight needs. If a skill set assessment reveals gaps, boards could consider prioritizing high-need competencies in new director searches. More immediate deficits could be addressed through adjustments to the board’s professional development efforts.
From a governance perspective, these findings underscore the potential value of a balanced board composition. They also echo other research linking business performance with presence of varied director skill sets.
At the very least, the patterns outlined here suggest taking a deliberate approach to composition could improve the board’s ability to steer the organization. And as the list of topics on the board’s agenda grows ever longer, that might be a competitive advantage.
Corporate Governance Trends | 12 Tips and Trends For Enterprise Risk Management
Enterprise risk management has increasingly taken center stage in organizations, as they grapple with business uncertainties driven by issues ranging from geopolitical conflicts and volatile trade tariffs to the rapid pace of technology change.
Forward-looking corporate executives recognize that stronger risk management programs are required to remain competitive in today’s business world. For example, one aspect of the current enterprise risk management (ERM) landscape that companies must contend with is the connectivity of risks between different organizations.
Businesses are increasingly interconnected with partners, vendors and suppliers across global markets, complicating various types of risks they face, explained Alla Valente, principal analyst on Forrester’s security and risk team covering ERM.
“We find that when there is significantly more risk in one of those categories, it can have a ripple effect that impacts other categories,” she said. The business impact of a local natural disaster, wars, higher interest rates or other developments can cascade across an entire supply chain worldwide. Along with other factors, that makes effective risk management a prerequisite for continued business success.
1. Risk maturity models consolidate workflows
More enterprises are considering a risk maturity model as a way to manage the growing interconnectedness of risk vulnerabilities. This method mirrors other frameworks like the capability maturity model widely used in software development. Adopting a risk maturity model requires addressing risk management processes and technologies that can support them.
On the process side, risk management leaders must put together a team of risk stakeholders. This team should combine the technical and business expertise necessary to make fast and intelligent risk-based decisions, establish ERM policies and procedures, and implement the proper controls. Risk managers also need to establish processes for consolidating ERM workflows across disparate entities.
The technology side includes the IT infrastructure for centralizing and contextualizing information about risk management and automating risk policy enforcement.
2. ERM technology stacks expand into GRC
Enterprise risk management has expanded beyond financial issues to include cybersecurity, IT, third-party relationships, and governance, risk and compliance (GRC) procedures. A comprehensive GRC platform can be a critical integration tier for all types of risk management activities. An organization can use one to create and manage policies, conduct risk assessments, understand its risk posture, identify gaps in regulatory compliance, manage and respond to incidents, and automate the internal audit process.
CIOs need to confirm that their risk management technology stack is adequate for each task and used proactively, not just reactively, Valente said. Consider integrating the following functions into a more comprehensive technology stack:
- Risk intelligence tools to analyze geopolitical risks, natural disasters and other incidents.
- Third-party risk assessment tools to track sanctions, security incidents and financial health in other organizations.
- Cybersecurity systems to assess the potential impact of cyber-risks, such as security vulnerabilities, data breaches and cyberattacks.
- Social media monitoring capabilities to identify sudden changes in brand reputation.
3. ERM seen as a competitive advantage
Organizations now often view risk management as a way to increase their competitive advantage instead of simply a risk avoidance exercise, a trend that stood out during the lockdown period of COVID-19.
“Although many companies suffered economic losses during the pandemic,” Valente noted, “we also saw many companies pivoting to new opportunities that did not exist before.”
Valente’s research team has described the differences between traditional chief risk officers who are laser-focused on minimizing risk and what Forrester calls transformational CROs. The latter see risk management as a competitive differentiator that can prevent risks from interfering with business strategy and limiting revenue streams.
“Companies with a transformational approach to risk can mobilize their teams and business leaders quickly to jump on a new gap in the market,” Valente explained. Transformational CROs, for example, are actively helping their companies ascertain how to use AI to benefit customers and employees, while also evaluating AI risks.
4. Wider use of risk appetite statements
Risk appetite statements emerged in the financial industry to improve communication with employees, investors and regulators. Some risk is required to expand a pool of loans, but if too many customers default, a bank needs a program in place to trigger decisive action. For example, banks might establish a safety baseline for mortgage defaults or fraudulent transactions that still lets them turn a profit.
Risk appetite statements have now also gained popularity in other industries to replace rudimentary “check the box” exercises with a process that more definitively guides day-to-day risk management decisions, observed Chris Matlock, vice president and research leader for risk and corporate strategy at Gartner. There’s a caveat, though.
“It is difficult to do,” Matlock warned, but “the payoff for organizations that do it is extremely high.”
He explained that companies face numerous challenges in creating an effective risk appetite statement. Some executives believe it could limit their ability to pursue new business opportunities, while others are concerned that a poorly worded statement might be misinterpreted as condoning unacceptable practices.
5. Subject matter experts expedite risk assessment and response
Bringing all the risk information together is important, but experts are also required to make sense of it. Enterprises are increasingly using their GRC platform to create an informed network of subject matter experts for critical projects, Matlock said. When issues spanning multiple departments emerge, such as a security incident involving IT, legal and HR, an appropriate panel of experts in those areas can quickly assess the risk and take required actions.
Risk assessment at the beginning of a new project is table stakes now. Devising the best plan and creating a process that supports a timely risk response yields the best results. “It is the maintenance of risk and the timely response to risk throughout a project’s lifespan that has the biggest impact on success,” Matlock said.
6. Risk mitigation and measurement tools multiply
Tools for actively measuring and mitigating risks are getting better, said Keri Calagna, a principal at Deloitte in the firm’s risk and financial advisory practice. Among the improvements are internal and external risk-sensing tools that help generate the risk intelligence needed to detect trending and emerging risks.
In addition, Calagna reported that enterprises are turning to integrated tools that do the following:
- Present a holistic view of risks across the organization.
- Capture key risk indicators to show how a risk is trending.
- Promote accountability for the actions taken to mitigate risk.
- Provide real-time risk reporting to aid in management decisions.
Scenario planning and assumption testing capabilities are on the rise as well, Calagna said. Companies are also using simulations, war games, tabletop exercises and other interactive workshops to promote more cross-functional thinking about risk management and help assess the likely impact of future events on corporate business plans and strategies.
7. GRC meets ESG
Another enterprise risk management trend is connecting the dots between business risk and environmental, social and governance (ESG) agendas.
“As companies begin their ESG risk planning, they should ensure that the actions they are taking are significant and genuine,” cautioned Cliff Huntington, senior vice president, global sales and presales at privacy management and GRC software vendor OneTrust. Organizations need to demonstrate that they aren’t just greenwashing and are instead making measurable progress as part of their ESG strategies and programs, according to Huntington.
“Business leaders,” he said, “are realizing that ESG risk is a business risk and are taking steps to mitigate it in conjunction with their enterprise risk initiatives.”
8. Extreme weather risks grow in importance
With hurricanes, wildfires and other extreme weather events growing in both impact and frequency, CEOs and boards of directors are being called on to implement risk management strategies that help to mitigate the consequences for employees and business operations.
In 2024, the U.S. experienced 27 weather and climate disasters with losses exceeding $1 billion, totaling $182.7 billion in damages, according to the National Oceanic and Atmospheric Administration. With climate change helping to make high counts of weather-related crises the norm, organizations must put risk mitigation measures in place to protect their assets and avoid business disruptions.
9. Integrating risk management with digital transformation
As business operations go digital and IT environments grow more and more complex, enterprises are increasingly adopting an integrated GRC, or IGRC, program to unify and simplify their risk management activities, said Elizabeth McNichol, a partner at PwC and enterprise technology leader in its U.S. cyber, risk and regulatory consulting practice.
“Due to decentralized, overly complex systems, many companies are not aware of all the kinds of data they have, how it is organized or even if it may be noncompliant with the law,” she said. Rules for how organizations handle data and comply with regulations should be clear, straightforward, universal and grounded in a risk-based approach, McNichol added.
IT plays a critical role as both a driver and enabler of IGRC. CIOs and other IT leaders must work with business managers to identify, assess and mitigate risks in accordance with a company’s risk appetite. An integrated governance model can help by coordinating strategy, people, process and technology objectives across the enterprise. These steps are crucial for ensuring the risk management component is successfully integrated into broader digital transformation plans.
10. Enhanced and contextualized risk monitoring
Kumar Avijit, vice president and head of the cloud and infrastructure practice at technology research firm Everest Group, is seeing increased demand for risk management monitoring tools tailored for various roles and personas, such as CIOs, CISOs and business managers. This is because various executives and business users are defining new risk management priorities and mandates. These tools enhance traditional risk analysis with drill-down views that provide the right level of granularity.
Examples of some of the growing risk priorities for different roles include the following:
- CEOs want to drive secure business transformation.
- CFOs want to reduce business risks and the cost of data breaches.
- COOs want to run resilient business operations.
- CIOs want to make security a foundational element of IT strategy.
- CISOs want to quantify cybersecurity risks to aid in decision-making.
11. AI augments risk management initiatives
AI is playing a growing role in risk management initiatives. For example, AI tools are being deployed to support risk management and mitigation efforts for use cases such as fraud detection, threat intelligence and classification of sensitive data. The following are some other common manifestations of this trend:
12. AI introduces new risks that need to be managed
On the flip side, the surge in interest in AI — being driven partly by the emergence of generative AI (GenAI) technologies — creates various new risks that enterprises haven’t had to widely consider before now. Examples include bias in AI algorithms and models, the AI hallucinations often produced by GenAI tools, ethical issues related to AI use and a lack of explainability in the results of AI applications.
Organizations can adopt the following measures to help manage those and other AI risks:
- AI risk management frameworks. If new AI risk management frameworks, such as the ones developed by NIST, are effective, that would remove a big impediment for organizations in getting started on managing AI risks.
- Responsible AI programs. A cohesive responsible AI strategy will be an important component of AI risk management. But some companies likely will struggle to balance idealistic commitments to responsible AI principles with the level of resources required to support and sustain a program. Organizations will need to think seriously about how to achieve that balance.
- AI governance policies. This involves establishing guidelines that align the governance of AI systems with an organization’s values and objectives. Without such alignment, the implementation of an AI governance policy could fail due to internal friction, resulting in limited adoption and an inability to effectively manage AI risks across the organization.
- Management of third-party AI risks. Organizations also must address risks stemming from the use of externally developed AI tools. Incorporating these third-party AI risks into existing risk management strategies will separate companies that are successful in their approaches from those that aren’t.
Featured Blog
The Increasing Focus Of Organizations On Sustainability And Long-term Value Creation
In recent years, there has been an increasing focus on sustainability and long-term value creation in the corporate world. This shift in focus is driven by a growing awareness of the impact that businesses have on the environment, society, and the economy, as well as a desire to create more resilient and sustainable companies.