​Cyber security joins the top table as risk dominates Kiwi director discussions

Cyber security has finally joined the top table in New Zealand, with Kiwi directors now acknowledging that business risk dominates board level discussions across the country.

The second biennial Directors’ Risk Survey by Marsh and the Institute of Directors (IoD), designed to gauge directors’ views on a wide range of risk issues, says technological disruption, reputational risk, and the time spent on risk oversight remain a key focus for directors.

As such, up and down the country most directors (56.1 percent) believe risk is increasing in today’s business environment, with 74.5 percent of directors admitting boards are spending more time discussing risk management than they were two years ago.

IoD Chief Executive Simon Arcus says that while times have changed, it is “encouraging” that risk remains a common conversation at the board table.

“Management of risk - is critical to a board providing strategic leadership and creating value,” Arcus says.

“Risks change and evolve and the need to stay current is emphasised by this report.

“Technology is an integral part of business capability and boards need to take responsibility to be able to lead in this new era.”

Arcus says technological disruption continues to be a prominent business risk, with cyber-risk emerging as a key external risk for the first time.

Most directors are confident that they could handle a major IT disruption with 90.6 percent saying they have a procedure in place to manage, although just 19.4 percent can manage data loss and even more 35.2 percent are not able to keep up with technological advances.

Marsh Executive Director, Steve Walsh, says the ranking of cyber risk in this year’s survey to the second highest organisational risk, shows how things have changed in 24 months.

“Technology is such a critical part of any organisation’s operation that it can be very detrimental if it fails or if you can’t keep up with the competition,” he says.

Walsh says that boards must address technology issues as part of their regular risk reviews.

“Any organisation that doesn’t have strategies in place to deal with these issues, such as cyber, is leaving themselves hugely exposed,” he adds.

For Arcus, cybersecurity and digital strategy were on the minds of directors in an “unprecedented way”.

“Most businesses use or rely on technology to operate - cyber risk is a reality of our times - so the ability of boards to consider it as part of enterprise risk is critical in ensuring directors are confident about business resilience,” he adds.

Directors perception of their own personal risks only decreased slightly on 2013 results with reputational risk 61.3 percent (62 percent in 2013), being held personally liable for a legislative breach at 39.2 percent (42 percent in 2013) and loss of personal assess if called to account at 38.1 percent (42 percent in 2013).

Directors still remained worried Directors’ and Officers’ Liability Insurance may not respond in the event where a claim is needed to be made.

In addition, directors also worry about what’s in a policy and whether they have sufficient cover.

“It is interesting to note that in a two year period these results have only shifted marginally - an individual’s reputation is still considered to be paramount,” Walsh adds.

“I do find this result surprising - especially in light of the incoming health and safety changes.

“The failure of directors to conform to the new legislation could see directors face huge penalties.”

Walsh says that directors also saw corporate governance requirements as the biggest emerging risk over the next 24 months.

Other emerging risks included identify fraud/theft, environmental issues and business continuity.