The anticipation and mitigation of risk is among the core responsibilities of the board within an organisation, and over the past few years risk management has become increasingly important in the context of an ever more globalised and unstable business landscape. But what are the key areas of risk upon which boards place the greatest of concern? In our latest Breaking down the Bellwether, we examine which risks are given the most attention in boardrooms.
The FTSE 350 Boardroom Bellwether is a yearly survey by the Financial Times and The Chartered Governance Institute UK & Ireland that seeks to gauge the sentiment inside British boardrooms. It canvasses the views of FTSE 100 and FTSE 250 company secretaries to find out how boards are responding to the challenges of the economy, market conditions and the wider business and governance environment.
The recurring boardroom bogeyman
For most of the time that CGIUKI has run the Bellwether survey, one risk above all others is regularly determined to be the biggest risk for boards − cybersecurity. While falling out of the first spot in 2021 and 2022, it has regained the number one spot as the biggest factor contributing to risk. In total 59% of respondents cited cyber risk as a very important factor, with a further 37% ranking it as fairly important. No respondents claimed it was either fairly or very unimportant. Of those surveyed 75% believed cyber risks to rising in 2023.
While it is harder to predict what the fallout of a geopolitical conflict or climate change might be, cyberattacks are increasingly commonplace, with well-established guidelines on both prevention and mitigation. This is potentially why they garner greater attention on the agenda. Guidelines, such as those of the National Cyber Security Centre (NCSC) (which 39% of those surveyed had already reviewed), can play a pivotal role in facilitating a clear-cut risk-management strategy. Due to their technological nature, cyberattacks can rapidly evolve in form and function, necessitating a constant review of policy and procedure. This constant need to monitor the threat landscape and adapt risk-management strategies accordingly ensures that cybersecurity will always have a place on the agenda. The adaptive nature of cyber threats could help to explain as to why 92% of those surveyed plan to invest further in cybersecurity.
The continuous priority given to cyber threats is reflected by the fact that over the past seven years, cybersecurity has been the top risk in five of them. It seems to be that other risks only overtake it when they risks rise to the forefront in the public consciousness. 2021 was dominated by risks surrounding climate change, since 2021 was when Extinction Rebellion’s non-violent protests and resultant media coverage reached their height. Meanwhile, in 2022 global economic risks were the most prevalent due to the war in Ukraine.
A return to normal?
The second biggest factor that contributes to risk in 2023 is the state of the global economy. Unlike in 2022, where this risk rose to first place, global economic conditions have fallen in favour of cybersecurity as mentioned above. It comes as little surprise that global economic factors are one of the biggest contributors to risk; the effects of the war in Ukraine are still being felt across the globe due to the ongoing cost-of-living crisis, higher interest rates and increased energy costs. In 2022, the risk was far more immediate and there was a lot of speculation in discussions at the board level as to what the potential implications of a land-war in Europe could be for organisations. A year later, the results had materialised, and boards had already begun to put in place remedial strategies. Many of the impacts of the war mirror the impacts of the 2008 global recession, which nearly all the FTSE 350 had experience in weathering. Therefore, the biggest risk factor once again defaulted to cybersecurity.
The position of global economic risk mirrors the situations in 2018 and 2019, with cybersecurity being the biggest risk followed in second place by the global economy. What is pertinent during those years was the trade wars and tariff policies of the Trump administration which had led to numerous goods suddenly becoming far more costly to export. While predominantly targeting China, the UK and EU also faced targeted tariffs on certain goods, causing many businesses to suffer in the largest consumer markets in the world. In the background of the trade wars was a poor performance in the US stock market, an unstable Chinese economy and post-Brexit supply chain issues.
However, these concerns possibly did not take centre stage in the risk assessments of FTSE 350 boards due to the trade wars only impacting very specific sectors and the London Stock Exchange posting a stronger performance. Therefore, cybersecurity was once again a more pressing concern. The parallels between 2023 and 2018/19 are once again mirrored with 48% of those surveyed being concerned about the increasing trade protectionism in 2023.
AI risks remain on the horizon
Not appearing in the top three, but an extremely relevant factor for 2023 is artificial intelligence (AI). The beginning of this year marked much more widespread adoption of generative AI, such as ChatGPT. One might expect that artificial intelligence would be one of the biggest risk factors in 2023, although it seems that among boards it is either too early or they have already taken action. 13% of those surveyed had already implemented policies and processes surrounding AI, while 19% had discussed the need to do so in board meetings. 41% had not got round to discussing AI but intended to, potentially demonstrating that despite the hype surrounding generative AI, boards still saw it as a longer-term risk.
Most surprising was that over a quarter of boards (26%) had no intention of discussing AI. Although this figure is large, it represents a staggering drop from last year, when, out of the FTSE 100 respondents, 44% reported not discussing AI, versus 18% in 2023. It demonstrates that many companies did sit up and take notice of the widespread adoption of generative AI at the beginning of the year. Perhaps AI is not yet seen so much as a risk but more something to be discussed and dealt with as a policy and procedure item. Boards are potentially seeing many of the touted risks of AI as a longer-term threat and instead are treating it more like any other business enablement tool.
Other points of consideration
An interesting question could be posed, as to why climate change was ranked higher than geopolitical tensions among the potential biggest risks. At the time that the Boardroom Bellwether survey was being conducted, tensions between China and Taiwan were at an all-time high, with large scale drills and fly-bys being a daily occurrence.
While more data could be required, one of the biggest trends surrounding the assessment of risk by boards are the topics that dominate the news cycle. Each time there has been a risk that has evicted cybersecurity from first place, it is due to that year’s headlines being dominated by a particular topic. Essentially, it takes world-changing events for cybersecurity to be dethroned as the top boardroom bogeyman.
Overall, it seems that in 2023 the biggest risk factors have returned to the status quo of the years before the pandemic. Cybersecurity has long been one of the most prevalent risks for FTSE 350 boards due to its ever-present threat, immediate impacts and tangible effects. Other risks remain highly significant but may be perceived as either too nebulous in impact, too long term or less likely to occur.
You can find out more in the full Boardroom Bellwether Report, or read the last blog in our breaking down the Bellwether series discussing how optimistic boards are towards the UK economy.
