Rather than focussing on technology, boards will do better to use their skills and experience to understand and protect against the underlying risks.
A report published in January from The Chartered Institute of Management Accountants (CIMA) looked at recent changes to the UK Corporate Governance Code (the Code) and set out best practice approaches on the managing and reporting of risk for boards.
In 2014, the Financial Reporting Council (FRC) updated the Code to require listed companies to disclose details of their principal risks in a ‘viability statement’ as part of their strategic report to investors.
The CIMA report noted that the risk landscape is becoming more complex and interconnected in the digital age, with new risks emerging in areas like cyber security.
However, despite increasing levels of awareness, the majority of UK companies are “failing to conduct or estimate the financial impact of a cyber-attack”, according to John Hurrell, Chief Executive of insurance and risk management association Airmic, which contributed to the CIMA report.
Similarly, Sir Roger Carr, Chairman of BAE Systems Plc, says in the report that most boards are “ill-equipped” when considering the risk or the consequences of “unknown unknowns”, such as cyber risk.
Focus on what you know
But while a board’s ability to understand cyber risk may be limited, board members can draw on their wider expertise to understand the impact of increasing technology risks.
It will be tempting for boards to try to understand the technology itself and the risks it brings, but they would be better advised to take the technology out of the equation and concentrate on process and liabilities.
For example, not all technology risks will be cyber risks. And when a company embraces new technology, many of the underlying risks will be familiar, as will be the ways in which they can be managed.
So, rather than getting tripped up on new technologies, board members would do well to use their skills and experience to understand what drives the underlying risk.
Boards should also avoid getting side-tracked by concerns about the reputational impact of a cyber incident at the expense of its financial impact.
Breach response costs, regulatory fines and business interruption (BI) losses can add up to a significant loss. And unlike reputational damage, the potential financial impact is likely to be easier to quantify.
Boards will then be in a much better position to assess the protection options open to them, and to what extent the risks associated with technology can be offset by insurance. The process of purchasing cyber insurance also provides boards with an independent opinion on their cyber security.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org