Phishing is a significant IT risk, and this risk is largely a behavioural one. It is estimated that 90% of cyber attacks originate with a phishing attack so, with cyber regularly identified by boards as one of the biggest risks their businesses face, it is useful to be reminded what the warning signs are, and how best to prepare and respond. Polly Williams tells us how to avoid the common pitfalls.
Principles versus rules in data and corporate governance
In the world of corporate governance, the question of whether a principles-based approach or a rules-based approach is the most effective is often a matter of debate. Different jurisdictions and different regulators take alternative approaches and, indeed, different approaches may be followed at different times. Felix Ritchie considers these two alternative approaches in his blog for the Risk Coalition. He looks at the Risk Coalition's cross-sector consultation document, Raising Your Game, and draws on it to derive some lessons for data governance.
How can you maintain high standards in your business without suffering burnout?
People risk is nowadays recognised as a very wide-ranging concept with many dimensions. Gone are the days when this focused solely on headcount (we haven’t got enough people! or, we can’t afford the people we have!) and capability (we haven’t got the right skill sets!). Wellbeing is now recognised as a key part of people risk, and an important aspect of this is burnout. Burnout is a state of complete mental and physical exhaustion, where we become so overwhelmed that our performance at work can suffer, while physical and mental health issues can also affect us outside of the work environment. If not addressed and adequately managed, it can easily become a feature of high-performing businesses. Jane Hunter discusses how to maintain high standards and high levels of performance without suffering burnout.
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Increasing personal accountability was the focus of the Senior Managers and Certification Regime (SMCR), introduced by the financial regulators following the 2008 financial crisis. However, has individual accountability really increased since the introduction of SMCR, have behaviours changed, and have governance and risk culture improved? These are questions that Afshan Moeed considered in her now-completed PhD project, and she discusses them in her blog.
Three exciting new developments for AI in 2024 that you need to know about
Robotics and artificial intelligence have been in the public consciousness for decades, but only in recent years have we really started to comprehend the technology’s sheer potential. Businesses of any size now have the chance to leverage AI to keep up with the competition, to make better-informed decisions, and to improve operational efficiency. Craig Morris discusses the key developments to watch out for in three critical sectors: healthcare, environmental sustainability and cyber security.
The stuff of nightmares: risk management is shut down, and nobody notices
Do a firm’s risk management activities actually create value? Companies increasingly spend time and money implementing a range of risk norms and frameworks whose focus is often on risk identification, analysis and risk reporting; these are risk process activities that, Stefan Hunziker argues, do not create value for decision-makers. He says that, typically, nothing has been managed and no decision has been made better by these processes. In this blog, he gets to the heart of risk management - explaining that its single purpose is increasing decision quality.
What should boards know about digital technology?
Digital technology drives immense business opportunity, explains Neill Tinegate, but it comes with an ever-increasing need for boards to understand and mitigate significant risks. In this blog, he considers cyber security, data governance and privacy, emerging technology and digital transformation - and he discusses some vital considerations for board members in each of these areas.
The insolvency risk for company directors - are you swimming naked?
The standards of diligence and care expected of non-executive directors in the oversight of a company are extremely high and, as Francis Kean explains, often become the subject of intense scrutiny and controversy in protracted and expensive investigations and proceedings following a collapse. He discusses the potential coverage issues under D&O liability insurance policies and argues that non-executive directors should take an active and personal interest in the insurance protections which may be available to them in the event the worst happens.
Are you sitting comfortably? Cyber risk, board attestations and the implications for NEDs
Cyber risk remains one of the most challenging risks facing many organisations. Regulations in the US, EU and UK on cyber risk disclosure requirements are making these risks ever more prominent for businesses and challenging for their non-executive board members. Andy Watkin-Child discussed the complexities of cyber risk and the various regulatory responses emanating from the UK, US and EU at December’s Risk Committee Chairs Forum hosted by the Risk Coalition, highlighting the challenges for non-executives and risk committee members.
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
The global risk landscape has become increasingly complex to navigate, and the multitude of risks that organisations face has become ever more interconnected, says Mamun Madaser. He explains that the risk of a polycrisis – defined as a cluster of related global risks with compounding effects, such that the overall impact exceeds the sum of each part – has now become a very real threat. Risk in Focus 2024, a Europe-wide annual research project analysing the top risks faced by businesses, identifies cybersecurity as remaining the biggest threat to organisations. It ranks human capital, diversity and talent management as the second biggest risk, followed by macroeconomic and geopolitical uncertainty, which is ranked jointly with changes in laws and regulations as the third most significant risk. To tackle this, he says internal audit and risk management should work together to build their organisation’s resilience and help it navigate the riskier, more uncertain and more volatile times we face.
How to mitigate the risk of cyber security breaches – part 2
Organisations need to implement a comprehensive set of security tools that are appropriate to their businesses, says Jim Watson, and they also need to identify their most valuable and confidential data, ensuring that appropriate security tools and controls are used to minimise the risks involved. Building on his earlier blog, which discussed the role of organisational culture in mitigating cyber risks, he discusses the key requirements of IT security tools and controls. He also explains the role that second-line risk management and compliance functions need to play in monitoring first-line security controls, and the need for regular third-line internal audits to evaluate the effectiveness of governance, risk management and control processes.
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
One of the key proposed changes to the UK Corporate Governance Code would require boards to conclude on the effectiveness of, and material weaknesses in, their risk management and internal controls relating to operations, reporting and compliance. Nisha Sanghani, summarising discussions at a recent Risk Coalition Risk Committee Chairs Forum, explains that the main focus of the discussion was whether organisations have the right risk management framework in place to be able to confidently meet the requirements of the proposed Code revisions. The general view, however, was that there is much work to be done by organisations before they can do this. If done properly, she says, UK companies can avoid firefighting when caught out by risk, and perhaps can even start to think about making commercial risk-based decisions.
How to mitigate the risk of cyber security breaches – part 1
Cyber security breaches regularly hit the headlines these days, and the fact of the matter is that we only hear about a fraction of the incidents that happen. The threat of these incidents is a significant risk for organisations and breaches can have devastating results for the companies and people involved. They can result in serious financial impact, lost customers and reputational damage to companies - even risk to health and life. In this blog, Jim Watson explains that people are often the weakest part of an organisation’s cyber defence, so organisations need to embed security within their culture and governance, ensuring that all levels of the organisation understand the importance and value of security.
The implications of the revised UK Corporate Governance Code
The latest of the Risk Coalition’s CRO Forum roundtable discussions held this month considered the implications of the proposed revisions to the UK Corporate Governance Code for senior risk professionals. The discussion highlighted several challenges that organisations might face if the revised Code is implemented as proposed. These challenges mainly relate to: the expansion in the Code’s scope beyond financial risks and controls, the need for organisations to identify and prioritise material controls, the requirement to report material weaknesses and the need for expertise and resource to handle the proposed changes effectively. This blog summarises the roundtable discussions and highlights key planning considerations.
Financial regulators take aim at crypto-finance
Recently, the Bank for International Settlements (BIS) and the Financial Stability Board (FSB) published important reports about the risks inherent in crypto-finance. They make unpleasant reading for some. The BIS concludes that crypto’s inherent structural flaws make it unsuitable to play a significant role in the monetary system, whilst the FSB proceeds to list a series of major risks arising from crypto-assets. Andrew Cunningham sets out how board directors and risk professionals should respond to the latest work from the BIS and the FSB.
Opening our eyes to the risks in our hands
Some risks we cannot do anything about, some we choose not to do anything about, and others prompt us to take action. According to Emma Martins, Data Protection Commissioner at the Office of the Data Protection Authority in the Bailiwick of Guernsey, it is much easier to respond to risks when we are clear about what they are. When the harms are less visible, or hard to imagine, we tend not to be very good at ‘risk engagement’. One such area is data, which is often thought to be an ephemeral concept, but she says we could not be more wrong. The risks are very real - for example in relation to data protection and privacy - and could potentially be significant. She explains why it is essential to be laser focused on harm prevention when it comes to data and the risks faced.
Adapting to economic uncertainty
Nowadays, the state of the economy seems to perpetually be in the media headlines, and businesses continue to grapple with an uncertain, challenging and volatile economic backdrop. A new survey by the Chartered Institute of Internal Auditors finds that six in ten internal audit executives now regard the risk level posed by economic uncertainty to their organisation to be either high or very high. Gavin Hayes explains that, to navigate these risky and challenging times, collaboration between risk management and internal audit has never been more vital.
Boards need to set their own agenda if they are to be effective
There are a wide range of topics hitting the headlines when it comes to board effectiveness and what boards need to focus on. Diversity and inclusion, climate risk, artificial intelligence - the list goes on. The boardroom agenda is ever increasing, and understandably so given the environment businesses today find themselves in. These issues have tended to eclipse core questions related to the conduct of board meetings and Andrew Cunningham provides us with a useful reminder of the key areas boards should remember to focus on, including the importance of agenda setting.
How to survive a world of uncertainty
We are living in a world of uncertainty, and the ranges of possible outcomes of many of the events we are facing are not known. What will the impact of generative artificial intelligence on society be, for example? Historical data and statistics cannot help us determine the likelihood of any particular outcome occurring when we are faced with uncertainty, so traditional risk management techniques such as stress testing will be of limited use in these circumstances; stress testing relies on the notion that we know the range of potential outcomes. Kathryn Kerle advocates storytelling, and supplementing traditional approaches with reverse stress testing, as useful techniques that can help us manage risk more effectively when dealing with uncertainty.
The value of risk management - where is the evidence?
Is there really any evidence suggesting that mature, more successful organisations tend to operate more mature risk management frameworks? A recent Risk Coalition Risk Committee Chairs Forum (RCCF) discussion explored this question. The discussion highlighted the crucial role boards play in setting the right tone at the top, as well as the importance of fostering a risk-aware culture, where challenging assumptions and discussing risks openly are encouraged.