This week I attended the Diligent Elevate annual meeting in Houston, Texas.  For those of you who don’t know Diligent, it is a great event, and you can meet risk and compliance professionals, board members, and lawyers. 

Diligent conducted numerous board education sessions at which board members spoke about new and significant risks; these included increased stakeholder expectations and the burdensome review of education and documentation prior to a board meeting. Everyone seemed in agreement over what the top risks are — cybersecurity, data privacy, artificial intelligence (AI), sanctions enforcement, and fraud and financial reporting. 

In what was perhaps a sign of this turbulent decade, there was a lengthy and fascinating discussion on geopolitical risk: the ongoing wars in Ukraine and Gaza, growing influence of Iran in the Middle East, the threat of fullscale war between Israel and neighboring countries. And this is by no means an exhaustive list! It came as no surprise that global companies have been reading the International section of their morning paper with particular attention.  Many of them are worried about their own operations in these regions (manufacturing plants, distribution centers), or the direct impact on their supply chains by caused by disrupted shipping lanes. The Suez Canal is not the only major choke point in international shipping. 

Risk management is really a balancing act. The key to juggling the risks is understanding them, and prioritizing the company’s mitigation strategies.  As always, you cannot plan for every contingency, but board members want to examine all potential risks and their impact on the company.

On the legal and compliance front, board members spoke about the need to address cybersecurity and AI risks.  Some board members suggested that AI risks have been exaggerated in the short run, but underrated in the long term.  For all the hype these days over AI risks and compliance strategies, the reality is nowhere near the what the alarmists insist.

Several board members suggested that they are at the early stages of considering AI as a tool for its business.  Indeed, many of the larger financial institutions  are using AI already for a variety of functions.  But a greater number of board members explained that their companies are still considering the “business use” case for AI in various activities.  The compliance crowd seems to have overstated its case, at least for now.

Cybersecurity also continues to dominate board concerns.  Several board members complained that they need to increase board training on the topic so that they can have a better understanding of the technical issues.  Chief information security officers (CISOs) play a critical role in educating and informing the board on these risks.  That much was undisputed. But when it came to the question of whether cybersecurity expertise was a mandatory requirement for the board itself, no one answer emerged. It proved, unexpectedly, the most polarizing question of the night.