What is topping the risk list for companies?

News of cyber attacks and data breaches is hitting the headlines week after week, with the most recent, involving British Airways, being just another example in a long list of high-profile attacks on both the private and public sectors.

Given this latest attack, fresh questions will inevitably be asked by senior management about whether their organisation needs to refocus how it is managing and mitigating its cyber security, data protection and compliance risks. Yet with the cost of damage from cyber attacks expected to rise to $6 trillion by 2021, for many organisations it is a case of preparing for when, not if, an attack will occur.

Breaking down silos

The more positive news is that new research, based on a survey of over 300 internal audit chiefs working across Europe, has revealed that cyber security, compliance and data security are now all right at the top of organisations’ risk lists.

Given that the frequency of cyber attacks shows no sign of abating, and particularly in light of the number of attacks being regularly reported in the media, it is perhaps not surprising that organisations ranked cyber security as the number one risk – over two-thirds (66%) of internal audit chiefs said cyber security was now one of their top-five risks. This may provide some assurance to senior management that these risks are being taken seriously.

A major obstacle to mitigating cyber risk has been the piecemeal approach organisations have taken to their IT infrastructure planning and development over past decades. Poor governance and oversight of IT functions have meant businesses have gradually built siloed systems and bolted on parts of their network over a period when cyber risk was low.

As the number of cyber attacks on supply chains and cloud-based software providers continues to rise, it is imperative that organisations now look at their outsourced or third-party supply chains to ensure they are not vulnerable to cyber attacks.

A post-GDPR world

The full survey results are published in our latest annual risk report ‘Risk in Focus’. This report assists organisations in better understanding how new and emerging risks may affect their day-to-day operations and has been produced by seven European institutes of internal auditors, covering eight countries: France, Germany, Italy, the Netherlands, Spain, Sweden, the UK and Ireland. Along with the survey, the research also involved in-depth interviews with 42 heads of internal audit.

Both data protection and compliance ranked highly in the wider survey, polling neck and neck with 58% of respondents saying each of these was a top-five risk. Compliance was also raised time and again throughout the interviews conducted. This is not surprising as the repercussions for regulatory non-compliance can have a substantial impact on an organisation’s financial success, damage trust and therefore have a negative reputational impact.

All organisations collect some form of personal data, whether it is on their customers or staff, and on 25 May, the date the European Union’s General Data Protection Regulation (GDPR) came into force, many organisations risked potentially large fines for non-compliance.

It is notable that one month after the deadline, only 27% of businesses reported that they were compliant with GDPR – clearly a cause for concern. Despite this, compliance with GDPR is improving rapidly and is expected to rise to 74% by the end of this year and to 93% by the end of 2019.

Yet it is simply not enough to reach full compliance with the law and then ignore it. The ways in which businesses collect and harness data are continuously changing, which means that GDPR compliance is a moving target that will need to be revisited as new applications and uses of personal data emerge.

The ability to manage and model these torrents of information is critical to a company’s success. Ensuring this occurs requires the compliance function to work in close communication with the data-management function so that the former is aware of how any company changes may impact upon GDPR compliance.

Anti-bribery and corruption

The World Bank notes that businesses and individuals pay an estimated $1.5 trillion in bribes each year – around 2% of global GDP. Therefore, it is clear that complying with anti-bribery and anti-corruption (ABC) laws can be an important issue for organisations.

Currently, a number of jurisdictions are in the process of reforming, or have recently reformed, their ABC laws. Generally these are being brought in line with the UK Bribery Act, which prohibits both private-to-public and private-to-private bribery, and the involvement of agents and other third parties.

France has had a significant clampdown, with the introduction of its anti-corruption law, Sapin II.

This applies to all companies with more than 500 employees operating in the country. In the US, the Foreign Corrupt Practices Act is being fervently enforced – despite fewer actions than average being taken in the beginning of 2018 and with lower penalties, the number of investigations has increased above the historical average.

One way in which organisations can protect themselves against ABC penalties is to develop and implement an anti-bribery and corruption programme that demonstrates their ethical values and commitment to combating bribery.

An effective anti-bribery and corruption programme highlights that the organisation is taking reasonable efforts to minimise non-compliance. Regulators will take this into account when investigating corruption. Senior management should also ensure that their staff awareness and training programmes on ABC and whistleblowing are sound and that an anti-bribery culture permeates the organisation.

A new era of trade

Adhering to new trade sanctions and avoiding associated penalties can be defined as a regulatory and/or compliance risk for many multinational organisations, with a breach creating meaningful impact on profitability.

The recent rise of protectionist trade policies also poses a significant risk. The US has engaged in a tit-for-tat with China over imports and, despite since backing down, President Trump has indicated an intention to impose significant import taxes on EU goods, while temporarily waiving a tariff hike on steel from Europe, the US’s biggest trading partner.

Added to these protectionist challenges are complications surrounding trade and economic sanctions, again stemming from the US. The US introduced a round of sanctions on key Russian oligarchs and oligarch-owned companies, among others. However, these sanctions affect more than the individuals targeted, and their consequences go further than fines for non-compliance by organisations. For example, in April sanctions against Russian aluminium producer Rusal were meant to punish the company’s owner, oligarch Oleg Deripaska. However, the move disrupted the market, sending aluminium prices higher and hurting carmakers and other manufacturers.

Establishing whether the compliance and procurement functions are continuously updating the trade sanctions register, and whether it is being complied with across the organisation, is vital to providing assurance that these trade risks are being managed effectively.

The key risks mentioned here are not exhaustive and all organisations should take a sound and thorough risk-based approach to organisational risk; however, hopefully these points have provided some food for thought for you, your board and audit committee.

Gavin Hayes is head of policy and external affairs at the Chartered Institute of Internal Auditors