By Lilian Taylor – Lilian.Taylor@EthicalBoardroom.com
Cybersecurity has become a much more frequently used term in the boardroom over the last two years. Historically it has often been treated as an information technology (IT) risk, and the management and oversight of cybersecurity ultimately rested with the chief information or technology officer rather than the board. However, with the rapid changes in technology over the last few years, cybersecurity has become an increasingly important and challenging risk that board members are being compelled to address. A number of research studies and findings disclosed in the media have revealed significant shortcomings in board oversight of cybersecurity. Boards are inadequately addressing their responsibilities for cyber risk management, and this poses wider risks to company reputation and brand management. One of the major difficulties is that board members and other senior managers lack an understanding of this huge area of risk, which only grows in depth and scope as time goes by. It is this gap that is pushing cybersecurity to the top of boardroom agendas.
Board members need to fully understand the linkage between IT risks and enterprise risk management so that the risks can be managed and mitigated as required. Boards are not adequately undertaking the vital oversight functions related to cybersecurity risks and need to direct more of their efforts to this area. Examples of changes that need to be made include reviewing budgets in this area, periodically assessing security programmes, reviewing top-level policies, assigning roles and responsibilities for security and privacy, and receiving regular reports detailing breaches and IT risks in the company.
The risk of cyber-attacks can directly affect both the operational functions of a business and the wider external brand and reputation of an enterprise. These risks can often result in significant financial repercussions, which is understandably a major concern for investors. Consequently, cybersecurity has become a top priority in the boardroom. Ultimately, one of the primary responsibilities of the board is to provide risk oversight for the company, and advances in technology have led cybersecurity to be included in that role.
Reputational risk is also a primary concern for the board. Reputational risk is considered a major strategic risk to a company because investors can find it difficult to decide where to invest their capital, and reputation can play a large role in that decision-making process. Company executives therefore have a duty to control reputational risk in order to build investor confidence, and the basis of this should be strong strategic and corporate stewardship. Board executives need to take action to build investor confidence and minimise reputational risk, and this can be achieved through proper business planning and effective strategy development. A big reason is that strategic risks (those that either affect or are created by business strategy decisions) can strike more quickly than ever before, hastened by rapid-fire business trends and technological innovations such as social media, mobile and big data. And reputational risks can damage even the most well-crafted business strategies.
The difficulty is that reputation is shaped outside the organisation. This makes the associated risks difficult to measure and monitor, rendering traditional risk management approaches unsuccessful in this area. Reputational risk problems usually involve the media and are based on the external opinions of customers, employees and relevant stakeholders. Reputational risk has become a top priority for many board members, and increasingly steps are being taken to make the necessary changes happen. Just as technology has led to a growth in cybersecurity risks, it has also led to a boom in social media. This has had a huge impact on all organisations over the last few years in terms of brand and reputation management and awareness. Companies want to obtain information detailing what their customers and competitors are saying about them so that the business can be improved by incorporating that feedback. Reputation is now considered the highest-impact risk area for business success and strategy. Protecting company reputation is therefore understandably a top issue for companies and their respective C-suites and boards of directors. Traditional risk management methods will be challenged in addressing reputational risk in a number of fundamentally important ways. For example, traditional risk management has historically been inwardly focused on the operational workings of the firm, and to a certain extent these issues are within the organisation's control. However, when it comes to external risks such as cybersecurity threats and reputational risks, new and innovative approaches and techniques will be required.