Why boards must rethink risk and resilience

IN BRIEF:

• Boards face an increasingly interconnected risk environment requiring closer integration of governance, risk, and compliance functions.

• Technology, cybersecurity, sustainability and workforce changes must be aligned with clear business objectives and supported by measurable risk assessment.

• Effective enterprise resilience depends on strong governance culture, qualified decision-making, and open collaboration between boards and management.

Risk has become a constant presence in boardroom discussions. That was evident at the 2025 SGV Knowledge Institute and SGV Consulting forum held in November, titled “Harmony in Action: Navigating Enterprise Resilience through Governance, Risk, and Compliance Synergy.” The discussions reflected how governance, risk, and compliance (GRC), while viewed as separate functions, are also seen as interconnected mechanisms for enterprise resilience.

CHANGING RISK ENVIRONMENT
Boards today are operating in a risk environment that is increasingly non-linear, accelerated, volatile and interconnected. The nature of risk has shifted since the pandemic, when companies and organizations focused mainly on reporting financial risks. Today, boards face multiple, overlapping crises rather than isolated incidents. These crises have implications across supply chains, energy prices, regulatory compliance and geopolitical exposure. As a result, risk, compliance, and internal audit functions are expected to manage several issues simultaneously, often with limited resources.

During the session, a reference was made to a recent study by the EY Center for Board Matters, which identified five agenda items currently top of mind for boards in the Asia-Pacific region: geopolitical volatility and resilience; shaping tomorrow’s workforce; artificial intelligence, cyber security, and digital transformation; sustainability integration into business models; and rethinking the board of the future. The panelists said these themes also strongly resonate with Philippine boards.

Geopolitical volatility was highlighted as a significant concern. Although the Philippines is generally described as a consumption-driven economy, companies here are often deeply connected to global markets. Medel Nera, a director at various Publicly Listed Entities and also either Chairman or a Member of various Audit Committees, cited the example of a Philippine manufacturing-exporting company that sources materials from nearly 60 countries and serves customers in 120 countries. Such companies are directly affected by developments in other parts of the world, including geopolitical tensions, sanctions, and trade disruptions. Boards, therefore, need to recognize geopolitical risk as material and prepare for its potential impact.

Workforce-related risks were also discussed, where fewer professionals and more alternative work arrangements have made the workforce more selective. New generations of employees are more likely to ask for remote work and a better work-life balance. Practices that were effective in the past may no longer be suitable. Organizations need to rethink how they attract, retain, and manage talent as a resilience strategy.

Technology, particularly artificial intelligence (AI) and big data, was featured prominently in panel. There is high interest in AI tools, but daily adoption in operations and production is still low. One reason cited was concern over potential job losses resulting from automation. There are also risks in cybersecurity, data protection and privacy, and technology misuse.

The panelists emphasized that technology initiatives should be aligned with business objectives. Boards and management should first clarify organizational goals, such as revenue growth, brand strength, profitability, or operational efficiency. Then, determine which technology strategies support those goals.

Security controls should be designed around these business-driven technology requirements, rather than implemented as isolated initiatives.

Cybersecurity was described using an analogy: attackers tend to avoid difficult targets and focus on easier ones. Organizations need balanced security measures. Controls cannot be so restrictive or costly else they hinder operations, but at the same time, they must be strong enough to deter intrusion. The aim is to establish security measures appropriate to the organization’s risk exposure and operational needs.

Responsible adoption of AI was also stressed. Panelists noted that employees have to use AI productively, while stopping misuse like plagiarism or security gaps. Clear policies on acceptable use and approved platforms were cited as necessary measures to manage these risks while maximizing potential benefits.

From the public sector perspective, Solicitor General Darlene Berberabe said that the Department of Information and Communications Technology (DICT) has implemented reforms focused on digitalization. These include developing digital infrastructure, with a push to explore blockchain technology, and online portals for government procurement to promote transparency.

SUSTAINABILITY AND ESG INTEGRATION
Sustainability was discussed as an integral component of enterprise resilience. Many companies are implementing sustainability programs in response to requirements set by global parent organizations. These initiatives contribute to environmental stewardship, corporate reputation and long-term economic viability.

Chaye Cabal-Revilla, Executive Director and Chief Finance, Risk, and Sustainability Officer of Metro Pacific Investments Corp. (MPIC) and President and CEO of mWell, said sustainability is embedded across MPIC’s operations. Performance indicators and incentives now include not only financial targets but also environmental, social, and governance (ESG) outcomes. Major investments are mapped against the United Nations Sustainable Development Goals. Responsibility for sustainability initiatives has expanded beyond a dedicated team to include finance, risk officers, and internal auditors, supporting a more integrated approach.

THE BOARD OF THE FUTURE
Though board effectiveness needs improvement, urgent priorities like profitability, compliance, and operations often push long-term development aside. Some organizations have included younger board members and provided board-level training on sustainability, AI, and technology. According to the panelists, a mix of experiences creates balance and supports organizational resilience.

Achieving synergized risk management remains a challenge. Collaboration among governance, risk, compliance and internal audit is widely supported but at times difficult to implement. Organizational culture plays a significant role. In some companies, compliance and internal audit are seen as obligations rather than value-adding functions. Sometimes, board directives are diluted as they pass through management layers, or communication between the board and management is limited.

Ms. Cabal-Revilla noted that one way to enable GRC initiatives is to quantify risks. By assigning financial value to potential risks and losses, organizations can offer clearer business cases to senior management and boards. Tangible, data-driven proposals are more likely to gain approval and support.

From Ms. Berberabe’s experience in the private sector, governance was described as essential to achieving long-term profitability. Organizations that view GRC as strategic assets, rather than regulatory requirements, are better positioned for sustained performance.

All panelists stressed the importance of communication and collaboration between boards and management. Mr. Nera encouraged management not to be intimidated by board members and highlighted the value of upfront communication in areas for improvement. Clear roles, open dialogue and a strong tone from the top were identified as critical factors in building resilient organizations.

THRIVING IN A RAPIDLY CHANGING BUSINESS LANDSCAPE
As organizations navigate overlapping crises and shifting workforce dynamics, the integration of sustainability and technology into strategic planning becomes essential for long-term resilience. The emphasis on clear communication and collaboration between boards and management is also crucial for fostering a culture that views GRC as a strategic asset instead of just an obligation for compliance. By quantifying risks and aligning technology initiatives with business objectives, organizations can better prepare for any challenges ahead.

Ultimately, the future of effective governance lies in the ability to adapt, innovate, and work synergistically across functions, ensuring that enterprises not only survive but thrive in a rapidly changing business landscape.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Ryan Gilbert K. Chua is the consulting leader and Warren R. Bituin is the technology consulting leader of SGV & Co.