The top risks for 2018 provide interesting insight into changing risk profiles across the globe. Protiviti and North Carolina State University’s Enterprise Risk Management Initiative have completed the latest survey of 728 directors and C-level executives regarding the macroeconomic, strategic, and operational risks their organizations face.
1. The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage risk appropriately. With advancements in digital technologies and rapidly changing business models, are organizations agile enough to respond to developments that alter customer expectations and require change to their core business models? Disruption of business models by digital innovations is a given in this environment. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult for them to have the vision to anticipate the nature and extent of change and the decisiveness to act on that vision. In this environment, emotional attachment to the business model can be dangerous because significant adjustments to it are inevitable.
2. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. This risk and the risk of disruptive change present a dilemma to companies. On the one hand, there is concern about inevitable disruptive change and, on the other hand, a fear the enterprise will not be agile and resilient enough to adapt to that inevitability. This resistance could lead to failure to innovate and force reactionary responses when it’s far too late.
3. The organization may not be sufficiently prepared to manage cyber threats that could significantly disrupt core operations and damage its brand. To no one’s surprise, this risk is listed among the top five risks in each of the four size categories of organizations we examined. Both directors and CEOs rated this risk as their second highest risk concern. Technological advancement is constantly outpacing the security protections companies have in place.
4. Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Regulatory risk, which has been one of the top two risk concerns in all prior years that we have conducted this survey, has dropped some in 2018. However, it is still a major concern for executives and directors. Sixty-six percent of our respondents rated it as a “Significant Impact” risk.
5. The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues that could notably affect core operations and achievement of strategic objectives. This issue, coupled with concerns over resistance to change, can be lethal if it leads to the organization’s leadership losing touch with business realities. If there are emerging risks and the organization’s leaders are not aware of them, the entity has a problem.
6. Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. Likely triggered by a tightening labor market, this risk is especially prevalent for entities in the consumer products and services, healthcare and life sciences, and energy and utilities industries. To thrive in the digital age, organizations need to think and act digital, requiring a different set of capabilities and strengths. This risk indicates that directors and executives believe their organizations must up their game in acquiring, developing, and retaining the right talent.
7. Privacy, identity management, and information security risks may not be addressed with sufficient resources. Given the high-profile reports of hacking and other forms of cybersecurity intrusion reported in 2017, this risk is somewhat expected. As the digital world evolves and enables individuals to connect and share information, fresh exposures to sensitive customer and personal information and identity theft also spring up.
8. Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. However, the drop in this risk’s ranking from prior years suggests that respondents seem more positive about macroeconomic issues going into 2018.
9. Inability to utilize data analytics to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans. Respondent concerns are growing regarding their company’s ability to harness the power of data and advanced analytics to achieve competitive advantage, manage operations, and respond to changing customer preferences. In the digital age, knowledge wins. Advanced analytics are the key to unlocking insights that can differentiate companies in the marketplace.
10. Companies that were not “born digital” face significant operational challenges. Companies that are not steeped in digital operational culture may not be able to meet performance expectations related to quality, time to market, cost, and innovation. Competitors with superior operations—and those digital companies with low operations costs—present notable risk that is only heightened in the digital economy. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale redefined customer experiences very quickly, making it difficult for incumbents to see change coming, much less react in a timely manner to preserve customer loyalty.
The overall message of this year’s study is that the rapid pace of change in the global marketplace creates a risky operating environment for entities of all types. The board of directors may want to evaluate its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors should consider their relevance and ask why not.
In this digital age, an organization’s ability to collect, analyze, aggregate, associate, and securely share data around the world is mission-critical. However, an increasing number of laws have been adopted across the globe regulating and restricting the transfer of information, ranging in type from data privacy-focused regulations to national security-focused regulations.
Regulatory restrictions can present significant challenges for global organizations, as they could directly impact business transformations (e.g., new cloud sourcing arrangements, the collection of mobile and Internet data, big data analysis projects, and the like) and corporate compliance initiatives (e.g., auditing, monitoring, internal investigations, e-discovery, whistleblower hotlines, and other similar compliance undertakings).
Knowing what these restrictions are, how they impact the business, and how the organization is addressing compliance are key to the board’s oversight of data management practices, which are an increasingly fundamental business element.
Knowledge is Power
Because regulations are increasingly impacting how information may be collected, used, and transferred, it is essential for directors and executives to understand these regulations and to apply best practices. By doing so, boards can help their organizations mitigate the risk of exposure to regulatory noncompliance, in particular as the potential penalties for noncompliance become increasingly material. To accomplish this, boards must ensure that their organizations are informed of the five W’s of data to stay ahead of the compliance curve:
Who – Who are we, who are our data subjects, and who has access to our data?
Where – Where do we keep our data and where do we transfer our data?
Why – Why do we collect and transfer this data?
When –When are we retaining data and for how long, and when do we share it with others outside the organization?
What – What solutions do we have in place to safeguard regulated data and what elements are in place address any local requirements, including cross-border transfer requirements?
Data Privacy-Related Cross-Border Transfer Restrictions
Outside of the United States, many jurisdictions, including those in the European Union, regulate the collection, processing, and transfer of personal data via comprehensive data protection laws that cover a broad range of personal data and activities related to such information, including its collection, use, and transfer. Considering the ubiquity of data collection for marketing, commerce, and employment purposes, these regulations have significant implications for a broad range of businesses.
Personal data covered by these regulations is often broadly defined to include any information relating to, or that could be linked to, an identified or identifiable individual, including the following:
Email address (including work email address)
Payment card information
These regulations often restrict the transfer of such personal data across international borders unless certain conditions are met. The first question in the analysis is often whether the data is being transferred to a jurisdiction that provides similar or “adequate” protection for personal data.
If the answer is “no,” then investigate whether:
adequate safeguards have been put in place or some other justification for the transfer can be relied upon; and/or
whether a derogation applies (e.g., the data subject has consented to the transfer or the transfer is required for the performance of a contract).
It is important to note that accessing personal data remotely in a different jurisdiction from the one in which it is stored is often viewed by foreign regulators as a transfer to that other jurisdiction (e.g., viewing data stored in Germany from a computer in the U.S.). It is also noteworthy that United States’ legal protections for personal data frequently fail to meet the “adequacy” standards of authorities in more highly regulated jurisdictions, such as those in the European Union.
Data Privacy-Related Cross-Border Transfer Solutions
There are several solutions for organizations that need to transfer personal data across borders to countries that may not be deemed to provide “adequate” protection to personal data by certain foreign authorities, such as the United States. Boards should ask management teams to verify that one or more of the following solutions is in place to comply with applicable cross-border data transfer restrictions:
Consent – Where appropriate, ensure that the data subject has given his/her voluntary and unambiguous consent to the proposed transfer. It is important to note that this option may not be available for employee data in certain jurisdictions in which employees are generally not seen as able to provide voluntary consent to their employers, such as in Germany or France.
Data Transfer Agreements – Review whether or not contractual provisions designed to provide adequate protection to the personal data transferred are utilized by the organization both for internal cross-border transfers between affiliated entities and for transfers to third parties (e.g., the EU Standard Contractual Clauses).
Binding Corporate Rules – Determine whether the organization should adopt enhanced internal personal data protection policies and procedures within the group of companies, referred to as Binding Corporate Rules, and have those approved by the applicable regulators in order to rely on them as a solution.
EU-U.S. Privacy Shield Framework – For transfers of personal data from the European Economic Area to the United States, determine whether the recently approved EU-U.S. Privacy Shield Framework, which provides that organizations self-certified to the Framework are deemed to provide “adequate” protection to personal data by the European Commission, may be an appropriate solution.
These solutions will likely continue to evolve, along with the various regulations that impose the restrictions, in order to address the ever-changing digital marketplace. For example, under the new European General Data Protection Regulation (GDPR), which comes into effect in May of 2018, requirements around what constitutes valid data subject consent will have more prescriptive conditions and any new decisions by the European authorities deeming that a non-EU jurisdiction provides “adequate protection for personal data” will likely be subject to more rigorous requirements (although existing “adequacy” decisions will be grandfathered). The penalties are also increasing, with fines for violating the GDPR going up to EUR 20,000,000, or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Furthermore, beyond data privacy-related cross-border transfer restrictions, boards should also be aware that there may be additional potentially applicable cross-border transfer restrictions on organizations, including those related to national security or state secrets.
Given the significant financial and regulatory burdens for non-compliance, boards need to understand how these cross-border transfer regulations may impact their organization and stay informed of their organization’s compliance position, and any risk decisions made related thereto, when it comes to both current and future data collections and uses.
As a partner at Baker & McKenzie LLP, Michael Egan advises clients across a range of industries regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer. Joan Meyer chairs the North America Compliance, Investigations & Government Enforcement Practice Group at the firm.
I watched with interest as Senators Jack Reed (D-RI) and Susan Collins (R-ME) advanced bipartisan legislation that would require companies to disclose whether they have a director with cyber expertise on the board, and if not, why. Regardless of whether it passes, The Cybersecurity Disclosure Act of 2015 has apparently widened the door for shareholders and regulators to increase their pressure on boards and hold them more accountable for being proactive about understanding the company’s cybersecurity risk.
As someone who has witnessed the global cybersecurity battlefield at close range for over 14 years, I wholeheartedly agree that boards should increase their knowledge of cyber related risks and engage more proactively with the company’s strategy for mitigating them. Yet for boards to rise to Sen. Reed’s challenge that companies “have the capacity to protect investors and customers from cyber-related attacks,” it’s important to solve for the problem and not just the perception. Electing a cyber-expert to the board could certainly be helpful for companies. However, it may not be practical at this time. Nor does it solve for capacity.
No matter what risks they oversee, from financial to geopolitical, board members have an obligation to avail themselves of the right information to make informed decisions that safeguard shareholder value. This is no less true of cybersecurity risk. In order to empower an effective security program, the board should seek the right information and expertise on which to base its decisions about tolerance, investment, policy, and practice. That information includes but is not limited to: a solid understanding of the threats, the results of a well-prepared cybersecurity risk assessment, a roadmap that articulates desired outcomes and metrics for monitoring effectiveness.
Companies are trying to answer the questions: “How do we know if we’re making a reasonable and appropriate effort to mitigate these risks?” and “How do we measure and rationalize our security investment in the context of corporate strategy and risk tolerance?” I believe boards and their committees should oversee the cyber risk similar to the way the audit process manages financial risk.
Seek a balanced view of Information Technology (IT) security and IT enablement. Give both sides adequate time on the boardroom agenda at each meeting. You’ll gain insights on how strategic initiatives add risk so they are addressed earlier with less disruption, but you’ll also have the added benefit of exploring how security can enable those initiatives.
Ask whether the cybersecurity program has early warning capabilities that reduce time-to-respond. And if not, ask when to expect them. The goal is resilience, not the elimination of risk. Defense is not the endgame. The goal is to reduce the time it takes to detect and respond to the threats targeting your company’s digital assets. Early response is the cornerstone of mitigating risk and damage. Boards should ask if there is a one to three year roadmap for achieving an early warning system that increases visibility and applies threat intelligence to existing solutions, at a minimum, for a more proactive security posture.
Be sure that specific “point solutions” are not confused with the company’s cybersecurity strategy. New technology solutions may be necessary, but being resilient against the threats will depend on how those solutions are integrated, managed and governed as a whole. Ask your cybersecurity officer “what are the desired outcomes?” and “what is the roadmap for getting there?” It’s better to crawl-walk-run toward a well-integrated, manageable program than to jump at every new solution. It’s not about how many “boxes” are deployed to stop the adversary. It’s about how well you’re organized for the fight.
Seek the right threat and risk monitoring dashboard. Security officers with a proactive security program in place should be able to answer: are there threat actors in our systems now? If the answer is no, how can we be sure? and “How do we know they’re there?” Another important metric to monitor is how well the company is improving its “time to respond” to incidents.
And finally, seek third party input and intelligence to aid informed decision-making. Cybersecurity risk is asymmetric, so any security program that provides early warning is going to need threat insights beyond a company’s own experience to date. The right security expertise can help you identify your most likely threats based on global threat intelligence gathered from outside the company’s own limited experience. A third party can also help your security team assess the effectiveness of its current posture against those real-world threats by simulating the attacks. With capabilities in place to anticipate the real threats and prioritize effort, you can greatly expand the security program’s capacity and effectiveness.
It’s inevitable that more and more board members will come to the table with a working knowledge of IT enablement and IT security over time. But for now, boards can take a more proactive and knowledgeable stance by: seeking equal input from IT security and IT enablement leaders; leveraging third party threat intelligence and expertise; and monitoring the company’s progress toward a stronger security posture with “early warning” capabilities that mitigate risk with faster response. These measures go beyond the appearance of “prioritizing” cybersecurity. They add up to tangible improvements in risk mitigation on behalf of all the company’s stakeholders.
Mike Cote is CEO of SecureWorks, a global cybersecurity services firm that provides an early warning system for evolving cyber threats, enabling organizations to prevent, detect, rapidly respond to and predict cyberattacks. SecureWorks minimizes risk and delivers actionable, intelligence-driven security solutions for more than 4,200 clients in 59 countries.