News round-up: May/June 2021

Chartered IIA launches new Community hub for members

Visitors to our website will have noticed that our popular COVID-19 hub has been replaced with a new Community hub. The hub is a single area pulling together the numerous activities and sources of information emanating from our regular interactions with members. It also offers an exciting new focus for all our community-focused output and endeavours – from virtual forums and guidance to blog posts and regional networks. Click here to access the hub.


ISO publishes climate change impact standard

A new standard offering guidelines for assessing the risks related to the potential impacts of climate change has been released by the ISO. “ISO 14091:2021 Adaptation to climate change – guidelines on vulnerability, impacts and risk assessment” explains how to understand vulnerability and how to develop and implement a robust risk assessment in the context of climate change.

The standard is designed to be used to assess both present and future climate change risks. The ISO said it provides a basis for climate change adaptation planning, implementation, monitoring and evaluation for any organisation, regardless of its size, type and sector.


COVID-19 shifts risk predictions

COVID-19 has made organisations reconsider their predicted emerging risks for this year, according to standard setter BSI’s latest Horizon Scan report.

Respondents identified climate risk as their biggest concern in the medium to long term, while they predicted that IT and telecom disruption will be one of the most enduring risks to arise from the pandemic. Staff illness, together with mental health problems caused by COVID-19, is also likely to remain a key risk for many organisations, they said.

Meanwhile, some risks that have not featured on the index in recent years have re-emerged. For example, political risks and violence have returned to the top ten listed on the risk index for the first time in three years.


Firms invest in cyber security but neglect IT risk management

IT security and compliance are this year’s main technology investment priorities, according to a survey of security and risk professionals.

When asked about their plans, 38 per cent of respondents to the global IT Risk and Compliance Survey, conducted by IT vendor MetricStream, said they planned to increase their spending on IT risk management this year. However, researchers also found that spreadsheets remain the tool most commonly used for IT risk management, despite frequently repeated concerns that these are unsafe, unreliable and too basic to cope with complexity.

Furthermore, 69 per cent of respondents stated that they do not quantitatively manage their IT risk programmes, while only 15 per cent of respondents reported conducting monthly IT risk assessment reviews.

The survey also found that 70 per cent of respondents agreed that their senior management and leadership help to establish the strategic direction of their IT risk management programme. However, only 29 per cent of respondents said that their IT risk programme is directly overseen by the chief information security officer (CISO).


Build a “foundation of resilience” to survive future shocks

Businesses must focus on building a “foundation of resilience” if they are to weather whatever challenges come next. All organisations – even those with a well-defined crisis team – need an agile crisis management programme that can adapt to address many different types of disruption, according to professional services firm PwC’s second Global Crisis Survey.

However, only 35 per cent of the organisations surveyed had a crisis response plan that was “very relevant”. This suggests that most are failing to design their plans to be “crisis-agnostic,” PwC’s researchers warned.

Based on the findings, the firm has identified three ways in which companies can prepare for a crisis.

First, they suggest designing a strategic crisis response plan to mobilise swiftly, stabilise business operations and respond effectively to the shockwaves of disruption.

Second, it is important to break down silos. An integrated programme is essential to executing a successful crisis response and to building resilience during “peacetime”, they advise.

Third, it is essential that companies prioritise and build organisational resilience – not just to succeed, but to survive.


Cyber policies lag behind changing work norms

Cyber resilience in UK companies has declined, and fewer businesses are using security monitoring tools to identify abnormal activity that could indicate a breach. According to the UK government’s Cyber Security Breaches Survey 2021, cyber risk has risen because it has become more difficult to secure digital environments, with many organisations having diverted resources to facilitate staff homeworking.

It found that employees at nearly half of all businesses now use personal devices for their work, but only 18 per cent of organisations have a cyber security policy that covers how to use these personal devices for work. Fewer than a quarter of businesses in the survey had a cyber security policy that covers home working.

Meanwhile, the government warned, two out of five UK businesses have reported cyber security breaches or attacks in the past 12 months.


Proposals signal major shift in audit and governance rules

The UK government has unveiled proposals that will end the Big Four accountancy firms’ dominance of the UK external audit market and make companies and executives more directly accountable – and liable – for corporate reporting failures.

Large companies would be required to use a smaller audit firm to conduct a “meaningful” portion of their annual audit, while the Big Four could face a cap on their market share of FTSE 350 audits.

The proposals are split into those that affect audit firms and those that affect companies. Key issues include new reporting obligations for external auditors and directors around detecting and preventing fraud. Boards would be required to set out the controls they have in place, and external auditors would be expected to look for problems.

The proposals include new directors’ duties relating to internal controls and risk management; more transparency about corporate finances; and a requirement for annual “resilience statements”.

A new, more powerful, regulator would oversee large companies.


World Economic Forum publishes six “Principles for Board Governance of Cyber Risk”

The World Economic Forum (WEF) has outlined six globally applicable principles intended to help board directors govern cyber risk and security more effectively in their organisations.

The six principles that the WEF advises boards to bear in mind are:

1. Cyber security is a strategic business enabler.

2. Understand the economic drivers and impact of cyber risk.

3. Align cyber risk management with business needs.

4. Ensure organisational design supports cyber security.

5. Incorporate cyber security expertise into board governance.

6. Encourage systemic resilience and collaboration.

The report is the result of a collaboration between the World Economic Forum, the National Association of Corporate Directors (NACD), the Internet Security Alliance (ISA) and a working group of industry professionals, supported by project adviser PwC.


Survey reveals full extent of Brexit disruption

Over half (52 per cent) of UK companies have experienced disruption since the beginning of the year as a result of Brexit-related issues, according to a YouGov poll.

It found that 13 per cent of those surveyed reported that their business has experienced a “large amount” of disruption.

Not surprisingly, large businesses were more likely than small- and medium-sized enterprises to report significant disruption.

When asked about the future, 60 per cent of decision-makers at companies that routinely trade with the EU said that they expected the disruption caused by Brexit to get worse.

This article was first published in May 2021.