KPMG SURVEY: Risk and strategy are two sides of the same coin but many boards fail to make the link

KPMG SURVEY: Risk and strategy

And despite recognising the need for greater technology expertise at board level, few have the right skillsets, finds KPMG’s Audit Committee Institute.


Also on

Corporate boards are deepening their involvement in company strategy and refining their oversight of the critical risks facing the company – but there is still work to be done if companies are to meet the challenge set by the 2014 UK Corporate Governance Code according to a new survey from KPMG’s Audit Committee Institute. 

Compliance with the Code guidance on risk management and internal control requires inter alia that boards make a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy.  However, while many UK audit committee members said their board had increased its involvement in strategy formulation (67%), monitoring strategy execution (62%) and focus on technology issues including cyber security (51%), only half (51%) were satisfied that risk and strategy were effectively linked in boardroom discussions. 

“The complexity and global volatility that we’re seeing—swings in commodity prices and currencies, a decelerating China, uncertainty in geopolitical hotspots, technology innovation, and disruptive business models—are clearly impacting the board’s involvement in strategy and risk,” said Timothy Copnell, Chair of the UK Audit Committee Institute. “But there is a danger that many boards are seeing risk management as a ‘bolt-on’ exercise which potentially leaves them exposed to the strategic risks that could affect the company as well as its long term viability.” 

Despite the increased focus on cyber security and technology risk as a critical business priority, 39 percent of UK respondents said the full board should be devoting more attention to cyber risk; and the adequacy of cyber and technology expertise – via third parties and/or on the board – continues to be a concern. 

Copnell commented “Unfortunately, there remains a dearth of cyber and wider technology expertise on boards.  50% of UK respondents recognise this need very well, but the risk and opportunities are so large, someone on the board has to know the right questions to ask and be in a position to understand the answers.” 

The survey responses—from more than 100 senior UK audit committee members (and over 1000 directors worldwide)—suggest that while many boards are clearly stepping up their game, significant challenges remain, including linking strategy and risk, more clearly defining risk appetite and addressing the growing risks associated with cyber security and technology. 

Among the key findings: 

  • Boards continue to deepen their involvement in strategy—including execution. Some 88 percent of UK survey respondents said the board has deepened its involvement over the past two to three years—in the formulation of strategy and consideration of strategic alternatives, monitoring execution, devoting more time to technology issues (including cyber security), and recalibrating strategy as needed. 
  • Effectively linking strategy and risk continues to elude many boards. Only 51 percent of UK survey respondents are satisfied that strategy and risk are effectively linked in the boardroom discussions. Risk-related decisions, many said, would be most improved by more closely linking strategy and risk, as well as having a more-clearly defined risk appetite, better assessment of risk culture, and giving greater consideration to the “upside of risk taking” (versus risk avoidance). 
  • Better risk information and access to expertise are (still) top of mind. Many boards have recently taken steps—or at least discussed ways—to strengthen their oversight of risk, mainly by improving risk-related information flowing to the board, but also by hearing more independent views and refreshing the board/recruiting expertise, coordinating (and reallocating) risk oversight responsibilities among the board’s committees, and/or changing the board’s committee structure. Six years after the Walker review into the governance of UK banks, 26 percent of those surveyed are still looking for ways to combat asymmetric information risk – the over reliance on management as the prime source of information. 
  • Cyber security may require deeper expertise, more attention from the full board, and potentially a new committee. Deeper technology expertise on the board and greater use of third-party expertise would most improve the board’s oversight of cyber security, survey respondents said. Also, despite cyber issues rising up the board agenda in recent years, almost 40 percent of UK respondents said cyber security needs even more of the board’s time. 
  • Oversight of key strategic and operational risks could be more-effectively communicated among the board and its committees. Nearly 40 percent of UK survey respondents cite room to improve the communication and coordination among the full board and its committees on oversight of the company’s key strategic and operational risks—e.g., strategy, CEO succession, talent, regulatory compliance, cyber security and emerging technologies, and supply chain issues. 

KPMG’s survey, “Calibrating Strategy and Risk,” is available here.




For press enquiries please contact

Margot Cowhig, KPMG Corporate Communications

T: +44 (0)207 694 4246

M: +44(0)7920 274856


KPMG Press office: +44 (0)207 694 8773

Follow us on twitter: @kpmguk


About KPMG 

KPMG in the United Kingdom, is member of a global network of professional firms providing Audit, Tax and Advisory services. KPMG operates in 155 countries and has more than 162,000 people working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such. KPMG’s Audit Committee Institute (ACI) champions outstanding corporate governance to help drive long-term corporate value and enhance investor confidence. ACI engages with directors and business leaders across 35 countries, delivering actionable thought leadership on risk and strategy, talent and technology, financial reporting and audit quality, and more: UK Audit Committee Institute

Connect with us


Request for proposal



KPMG’s new-look website

KPMG has launched a state of the art digital platform that enhances your experience and provides improved access to our content and our people, whatever device you are on.