Across sectors, there is an increasing focus by regulators on consumer understanding, as well as preventing harm and confusion by ensuring that key disclosures are made more intelligible. At present, the form and format of disclosures prescribed by law and regulation continue to be the dominant influence on how firms communicate, from pre-sales information, terms and conditions, contractual agreements, to post-sales communications. These rigid disclosure rules often work at odds with the ability of consumers to understand the communications, and we are now seeing regulators focus increasingly on removing prescription to ensure a focus on better outcomes. Ewan Willars from Amplified Global discusses the changes that are taking place.
Risk Matters: ECCTA – in the Boardroom
By Christopher Burt, Principal, Halex Consulting
The Economic Crime and Corporate Transparency Act (ECCTA) marks one of the most significant shifts in the UK’s corporate governance and enforcement landscape for a generation. At a recent Risk Coalition Risk Matters virtual roundtable, audit and risk committee non-executive directors and senior risk professionals explored what ECCTA really means in practice – not just in legal terms, but in terms of board behaviour, culture and oversight.
We were delighted to welcome Sarah Hawes, Head of Corporate Knowledge at Herbert Smith Freehills Kramer (HSFK), as our expert guest speaker and thank her most sincerely for her valuable contribution. Many thanks also to Rachael Johnson, Head of Risk and Corporate Governance at ACCA, for sharing some of the key outputs in slide format from their recent global Fraud research. Together Sarah and Rachael provided attendees with some stimulating and quality insights.
Three themes stood out clearly: the transformation of Companies House into a regulator with teeth; the arrival of a strict liability “failure to prevent fraud” offence; and the growing recognition that culture, speak-up arrangements and third-party relationships are now central to a credible defence.
From filing cabinet to regulator: Companies House grows up
ECCTA fundamentally redefines the role of Companies House. Historically seen as a passive filing repository, it is being repositioned as an active regulator with powers to query, reject and annotate information on the public register. The roundtable highlighted how this seemingly technical shift has real reputational consequences for boards.
Companies House can now issue civil penalties for failures such as late or inaccurate filings. While individual fines may be modest, the public annotation of enforcement action on the register is not. Participants noted that this creates a new form of “reputational signalling” – visible to investors, counterparties, journalists and regulators alike. Importantly, liability does not sit solely with the corporate entity: any “officer” of the company, executive or non-executive, may be exposed.
Identity verification (IDV) is the most immediate manifestation of this new regime. All directors, people with significant control (PSCs) and, in due course, those filing information with Companies House must verify their identity. Failure to do so is a criminal offence for the individual and the company. While the process itself is relatively straightforward, the discussion surfaced early practical challenges – from overseas appointees without biometric passports to system “gremlins” during rollout. The message for boards was clear: this is operationally mundane but governance-critical, and it needs clear ownership and oversight.
Failure to prevent fraud: a new board-level liability benchmark
The most far-reaching element of ECCTA for boards is the new corporate offence of failure to prevent fraud, which came into force on 1 September 2025. This is a strict liability offence applying to “large organisations”, where an associated person commits a relevant fraud offence intending to benefit the organisation.
For many NEDs, the significance lies not just in the offence itself but in the shift in mindset it demands. Traditional fraud risk assessments have tended to focus on fraud against the organisation – theft, expense fraud, cybercrime or third-party scams. ECCTA turns this on its head. Boards must now ask: where could fraud benefit us?
Examples discussed included mis-selling driven by incentives, misleading statements in financial reporting, and increasingly, ESG-related misrepresentation. As several participants noted, claims made in annual reports, regulatory announcements or on corporate websites could, if false or misleading, fall squarely within the definition of fraud by false representation. “Greenwashing” therefore becomes not just a reputational issue, but potentially a criminal one.
The statutory defence – having “reasonable fraud prevention procedures” in place – will be familiar to those with experience of the Bribery Act or failure-to-prevent tax evasion offences. However, what counts as “reasonable” will be judged in context. Boards were cautioned against seeing this as a one-off compliance exercise. Documentation alone will not suffice; regulators will look for evidence that controls are embedded, tested and taken seriously.
Culture, leadership and the speak-up system
A striking contribution to the discussion came from the ACCA’s global fraud research, which shows that a lack of ethical leadership and accountability from the top consistently ranks among the strongest drivers of fraud across regions and sectors. Technology and economic pressure matter, but leadership behaviour shapes how effectively organisations close the gap between risk and control.
This finding resonated strongly with participants. Culture is often described as “soft”, yet it underpins whether policies are followed, concerns are raised and misconduct is challenged. Several contributors emphasised that a weak speak-up environment materially undermines a company’s ability to detect fraud early – and may itself weaken the failure-to-prevent defence if employees are deterred from reporting concerns.
Effective whistleblowing arrangements were repeatedly described as a form of governance “insurance”. Boards were encouraged to look beyond headline statistics and consider metrics such as time-to-acknowledge reports, time-to-close cases, substantiation rates and evidence of retaliation monitoring. The absence of issues may indicate not a healthy culture, but fear of speaking up.
The value chain blind spot
Another recurring theme was third-party and value-chain risk. The definition of “associated person” under ECCTA is deliberately broad, encompassing employees, agents, subsidiaries and, in some cases, suppliers and distributors. Participants observed that many organisations over-index on internal controls while underestimating risks arising from outsourced activities, sales intermediaries or complex supply chains.
Boards were urged to resist a “tick-box” approach to third-party due diligence. Questionnaires alone are rarely sufficient. Instead, organisations need to understand where fraud risks actually sit in their operating model, what leverage they have contractually, and how those risks are monitored in practice.
What boards should be asking now
The roundtable closed with a set of practical questions for boards and audit and risk committees. Among the most important:
Have we mapped fraud scenarios where the organisation could benefit, not just where it could lose?
Do we clearly understand who our associated persons are, and what controls apply to them?
Can we evidence that fraud prevention procedures are tested, reviewed and reported with appropriate cadence?
Does our speak-up framework genuinely enable concerns to reach the board?
Are ESG claims and other public statements subject to the same rigour as financial disclosures?
ECCTA raises the bar for boards, but it also provides an opportunity. Organisations that take a thoughtful, integrated approach – combining legal compliance, cultural leadership and practical risk management – will be better placed not only to defend themselves, but to strengthen trust with stakeholders.
As one participant observed, this is not about guaranteeing that fraud never happens. It is about demonstrating that the board has asked the right questions, set the right tone, and put in place reasonable and proportionate measures to prevent harm before it occurs.
Five Board Takeaways from the ECCTA Roundtable
Fraud risk now includes where the organisation benefits, not just where it loses
ECCTA fundamentally reframes fraud risk. Boards must look beyond traditional “fraud against us” scenarios and actively consider where incentives, reporting, ESG claims or commercial practices could result in the organisation benefiting from misrepresentation or misconduct.
Reasonable prevention is about evidence, not intention
Having policies on paper is not enough. Boards need confidence that fraud prevention procedures are embedded, tested, and reported with appropriate cadence. Regulators will look for evidence of oversight, challenge and follow-through — not just compliance artefacts.
Culture and speak-up arrangements are central to the defence
Weak ethical leadership and ineffective whistleblowing materially increase fraud risk. Boards should scrutinise whether employees feel safe to raise concerns, whether reports reach the right level, and whether retaliation risks are actively monitored.
Third-party and value-chain risks are a major blind spot
The definition of “associated persons” is broad. Boards must understand where fraud risks sit across subsidiaries, agents and suppliers — and whether contracts, training, audit rights and termination levers are genuinely effective in practice.
Companies House reform creates visible reputational risk
Civil penalties may be small, but public annotation on the register is not. Identity verification, filing accuracy and ownership of Companies House compliance are now board-level governance issues, not administrative afterthoughts.
Christopher Burt is Principal at Halex Consulting, a leading governance consultancy specialising in independent board evaluations and risk advisory. He is co-founder and Executive Chair of the Risk Coalition and principal author of its “Raising the Bar” and “Raising your Game” leading practice guidance for boards and committees.
Halex Consulting is Board Benchmarking’s UK/EU strategic partner.
Chris Burt
Strengthening risk oversight
Risk governance is an essential element of decision making by organisations, even more so today in a complex, unpredictable and fast-changing business environment. Risk arrangements at board level can miss the point if they focus only on mitigating downside risk - they are in danger of losing sight of the new opportunities that must be grasped to ensure long-term sustainability. Hanif Barma summarises a recent roundtable discussion jointly hosted by Diligent and the Risk Coalition. A major conclusion of the discussion, which involved board members and senior risk professionals, was that a change in mindsets and behaviours is needed to drive effective risk governance.
True, Fair... and Future-Proof: Risk Accounting for a New Era
There’s a quiet reckoning happening in accounting. For generations, the profession has stood by the notion that our reports must present a “true and fair view” of an entity’s financial position. But as we confront climate risk, systemic fragility, and operational volatility, one wonders — is “true and fair” still enough? Or should we be aspiring to something more: a “true, fair and sustainable” view?
This isn’t simply an ethical debate. It’s a technical one too. Sustainability implies the ability to survive — and thrive — over time. And that requires us to engage with risks that haven’t yet struck but loom in plain sight. If a firm is sitting on a mountain of residual non-financial risk — cyber vulnerabilities, conduct exposure, climate liabilities — should its pristine balance sheet lull us into complacency?
Let’s reflect on Silicon Valley Bank. At year-end 2022, its audited financials showed pre-tax profits exceeding $2 billion. Then, within months, it collapsed in spectacular fashion. The failure wasn’t due to some unknown black swan. The bank had concentrated risk, an unbalanced funding profile, and poor hedging — all observables. But not, apparently, ‘accountable’.
And that’s where we hit a deeper problem. Accounting today is based on information provided to the auditor — not all information available. Auditors are not expected to scan the horizon; their duty is narrowly scoped to verifying what’s been placed in front of them. But in the age of real-time data, digital signals, and risk modeling, should that still be the case?
Imagine if auditors had a mandate like Know-Your-Customer in banking — an obligation not to remain willfully blind. When non-financial risk accumulates, and external data shows rising exposure, shouldn’t that prompt scrutiny? After all, we know from Basel’s BCBS 239 principles that aggregating risk data is a supervisory expectation. Shouldn’t it be a professional one too?
This brings us to a concept that might reshape our financial lens: Risk Accounting. At its core is the Risk Unit (RU)— a standardized metric quantifying residual non-financial risk. Think of it as a unit of post-control exposure. By capturing risks such as cyber threats, compliance gaps, or climate vulnerabilities in a quantifiable form, RUs let us translate the abstract into the actionable.
So how does this play out in double-entry terms? Let’s say a firm calculates its residual exposure to conduct risk at £5 million, using a defensible methodology. That amount — an expected future loss — is posted as a provision in the P&L.
Dr Risk Expense
Cr Risk Accrual (Balance Sheet)
Straightforward so far. But here’s where it gets innovative.
That risk accrual can now be tokenized. Tokenization refers to the process of converting a quantified risk exposure into a tradable digital asset — a Tokenized Risk Unit (TRU) — which can then be issued and sold on a regulated exchange. TRUs allow firms to transfer the financial burden of future risks to market participants willing to underwrite them. [More on this can be found in the RASB whitepaper.]
Now observe the double-entry:
Dr Cash
Cr Risk Accrual (Derecognition)
The balance sheet improves, not by hiding the risk, but by externalizing and funding it transparently. This isn’t securitization of fantasy assets; it’s risk transfer rooted in disclosure, standardization, and marketplace pricing. And because TRUs are based on quantified RUs, the pricing reflects actual risk levels — auditable, comparable, and reportable.
Far from conflicting with IFRS, this model enhances its logic:
IFRS 8 encourages segment-level risk disclosures. RUs make that real, aligning residual risk to each operating unit.
IFRS 9 is built on expected credit losses. RUs apply that forward-looking principle to non-financial domains.
IAS 37 allows provisions where loss is probable and measurable. With RUs, both conditions are met.
This isn’t futuristic theory. The Risk Accounting Standards Board (RASB) has published frameworks showing exactly how these accounting treatments can align with international standards. Disclosures include staging models, assumptions, and sensitivity analysis — just as we do for credit loss provisions today.
What’s more, these practices speak to broader changes in regulation. As ESG mandates tighten — through mechanisms like CSRD in Europe — firms will be held accountable not just for emissions, but for risk readiness. That includes recognizing the cost of failing to address foreseeable risks. If your data privacy practices expose you to a probable fine, or your supply chain is geopolitically fragile, the market deserves to know. Risk Accounting gives you the language — and ledger — to say it.
So what does it mean for ethics? Quite a lot. Ethics in accounting has long centered on independence and integrity — values that remain non-negotiable. But today, ethical reporting also means refusing to ignore what is knowable. A sustainable accounting framework would not only record past performance but also signal looming threats. It would push boards to act before risks crystallize — and empower markets to price those risks intelligently.
Yes, there are complexities. Risk accruals must eventually crystalize or reverse. Tokenization demands governance, liquidity, and investor protections. But the broader arc is clear: when we quantify risk, we can manage it. When we manage it, we can report it. And when we report it, we invite solutions — whether internal mitigation or external transfer.
That is what a “true, fair and sustainable” view could look like.
Not just a snapshot of what was, but a dashboard for what lies ahead. Not just compliance, but foresight. Not just statements, but stewardship.
Maybe it’s time we let the ledger speak not only to profit and loss, but to possibility and preparedness.
Because the future won’t wait until year-end to reveal its risks — and neither should we.
“A sustainable financial view doesn’t distort reality — it reflects it.”
Steve Bailey FCCA, Chairman, Risk Accounting Standards Board
Risk Matters Blog – The Anatomy of a Ransomware Attack
Risk Coalition Virtual Roundtable – 12 September 2025
Authors: Chris Burt, Halex Consulting/Risk Coalition, Vish Nayi, CyberQ Group, Carrie Stephenson, Brave LLP
Ransomware has become one of the most pressing threats to organisational resilience, disrupting critical services, damaging reputations, and testing board decision-making under pressure. At our September Risk Matters roundtable, the Risk Coalition convened non-executive directors, audit and risk committee members, and governance professionals to explore the “anatomy” of a ransomware attack: what happens before, during, and after, and how boards can prepare to respond.
The discussion was led by two subject-matter experts: Vish Nayi, Chief Solutions Architect at CyberQ Group, who brings extensive incident response experience, and Carrie Stephenson, co-founder of Brave LLP, who contributed perspectives on legal, compliance, and governance.
The Current Threat Landscape
Participants were reminded that ransomware is no longer a fringe issue. UK businesses face a cyberattack on average every 44 seconds, with ransomware affecting an estimated 19,000 businesses annually – roughly 52 each day. Phishing remains the dominant entry point, often serving as the precursor to more serious ransomware incidents.
As Vish noted, ransomware groups operate like multinational enterprises. They employ developers, negotiators, and managers; they track performance against KPIs; and they even offer “ransomware-as-a-service” to affiliates. In parallel, geopolitical factors – including state-sponsored activity – continue to fuel the scale and sophistication of attacks.
AI technology is creating new challenges. As Carrie explained, "Criminals are using AI to craft more convincing phishing and automate vulnerability scanning, while businesses rely on it for threat detection – creating a double-edged sword."
The financial impact is stark: the UK economy loses an estimated £27 billion annually to cybercrime. Yet for criminals, ransomware is a multi-billion-pound industry.
Before the Attack: Building Preparedness
The first theme of discussion was preparedness. Boards were urged to ask themselves whether they have:
A clear understanding of their organisation’s “crown jewels” – the data and systems critical to survival.
A defined risk appetite for cyber threats, recognising that “zero risk” is not realistic.
An incident response plan that is not only written but rehearsed. Too often, boards sign off policies they have never read or tested.
Vish highlighted common pitfalls: response plans locked in digital systems that become encrypted during an attack; key roles assigned to a single individual who may be unavailable; and reliance on cyber insurance that may not pay out if the organisation has not maintained promised controls.
Carrie emphasised the governance dimension: “Boards must address cyber resilience before a crisis strikes. Debating whether to pay a ransom should not take place for the first time in the middle of an attack. Businesses must adopt a proportionate and proactive approach to cyber security and assess the risk as part of a larger risk management framework.” Establishing principles in advance – including the legal, regulatory, and ethical implications of ransom payments – enables calmer decision-making under stress.
She stressed the personal stakes for directors: "If you're a NED, you hold fiduciary duties as a director – this encompasses good cyber security risk management. You have personal liability – do not assume your D&O covers you. It might cover decisions and actions but not wider costs."
Carrie challenged boards to examine their current approach: "Are you following a proven framework like Cyber Essentials? Are you building in cyber resilience and business continuity planning? Is it on the agenda? If not, it should be. Who is the designated lead? If no-one, assign one."
During the Attack: Decisions Under Pressure
When ransomware strikes, pressure mounts rapidly. Data is encrypted, operations stall, and a ransom demand arrives – typically in cryptocurrency.
Key dilemmas for boards include:
Ransom payments – who has authority to decide, and on what basis? While some organisations pragmatically negotiate, government proposals now point towards tighter restrictions and mandatory reporting.
Communications – how to handle regulators, insurers, employees, customers, and the media in the crucial first 24 hours. Misinformation or premature statements can magnify reputational damage.
Law enforcement engagement – while support and guidance are improving, technical interventions are often limited once encryption has occurred.
The discussion also reflected on real-world examples, from large retailers forced to disclose outages, to smaller firms negotiating instalment payments on the dark web. These illustrate both the diversity of responses and the intense moral, legal, and financial pressures boards may face.
After the Attack: Recovery and Learning
Even if ransom is paid, restoration is uncertain. Criminals may not provide decryption keys, or they may strike again. True resilience lies in restoring systems independently and learning from the incident.
Boards should ensure:
Backups are offline, secure, and regularly tested.
Legal obligations – including mandatory reporting under emerging regulation – are understood and actionable.
Lessons learned feed into strategy, culture, and governance.
Carrie noted that new legislation, including the forthcoming Cyber Security and Resilience Bill (CSRB), will require boards to demonstrate more proactive oversight. The Bill is expected to expand regulatory scope into the value chain, impose stricter incident reporting (within 72 hours), and give regulators sharper enforcement powers.
Carrie highlighted the significance of these changes: "We're seeing a step-change in UK cyber regulation with the CSRB. This moves away from voluntary frameworks to encourage a culture of accountability, with compliance obligations that could result in significant penalties."
Policy and Legal Context
The roundtable considered the UK Government’s July 2025 consultation response on ransomware. Key proposals include:
A targeted ban on ransom payments for public bodies and critical national infrastructure (supported by 72% of respondents).
Exploration of an economy-wide prevention regime, though views were mixed.
Introduction of a mandatory reporting regime, strongly backed by respondents, to improve government visibility of ransomware threats.
The reality of ransom restrictions is becoming clearer. As Carrie warned, "Ransom payments may be a thing of the past for CNI providers and public sector organisations. The question becomes: how do you recover in the absence of being able to pay a ransom? We await answers from the government on what happens when there are no technical restoration options."
For boards, the implication is clear: decisions about ransom payments and incident handling are moving from discretion to regulation.
Key Takeaways for Audit and Risk Committees
Several practical actions emerged from the session:
Preparedness and validation – Incident response and continuity plans must be read, rehearsed, and printed. Boards should regularly test them through realistic simulations.
Decision-making clarity – Authority for ransom payments (if legally permitted) should be pre-defined.
Insurance scrutiny – Verify what is actually covered and under what conditions. Cyber insurance transforms operational risk to credit risk, rather than eliminating it.
Supply chain resilience – Critical suppliers, including managed service providers, must be part of the resilience equation.
Legal foresight – Understand the implications of AML, data protection, and emerging cyber legislation before an attack occurs.
Culture of learning – Every incident must inform future governance and risk oversight.
Carrie emphasised the expanded regulatory focus on supply chains: "The CSRB extends due diligence requirements. Businesses that rely on external IT or security providers will be required to conduct due diligence, which means you need to be checking contractual agreements reflect security expectations."
Conclusion
Ransomware is not an IT issue alone – it is a strategic business risk. Boards cannot outsource responsibility; they must understand the threat, set clear principles, and test their organisation’s resilience.
The Risk Matters roundtable underscored that the anatomy of a ransomware attack involves more than encryption and extortion. It is about governance, legal, compliance, financial resilience, and the ability of directors to lead under pressure.
As new legislation reshapes the regulatory landscape, the imperative for boards is clear: move beyond compliance and embed cyber resilience at the heart of risk oversight.
Useful links:
National Cyber Security Centre – a great source of advice and guidance: National Cyber Security Centre - NCSC.GOV.UK
NCSC Cyber Governance for Boards – board-focused cyber resources: Cyber Governance for Boards - NCSC.GOV.UK
NHS Cyber Security Guide for NEDs: Cyber security guide for non-executive directors - NHS England Digital
UK Government Cyber Governance Code of Practice: Cyber Governance Code of Practice - GOV.UK
📅 The next Risk Matters roundtable will be held at 9am (UK) on Friday 12 December 2025. We encourage audit and risk committee members to join the discussion.
The future of ESG: navigating a fragmented landscape
The business world has long wrestled with the question of purpose beyond profit. But in the era of ESG (Environmental, Social and Governance), this debate has become more than philosophical – it’s a battleground where culture wars, regulatory demands and investor expectations collide. In this Risk Coalition blog, Vera Cherepanova looks ahead and considers the evolution and challenges of the ESG landscape, and discusses how this might evolve in future.
Internal audit and risk management must work together to navigate uncertainty
Heightened economic volatility, technological disruption and geopolitical tensions impact all organisations today - whatever their sector. This means that internal audit and risk professionals are under more pressure than ever to help their organisations remain resilient. The Chartered Institute of Internal Auditors (Chartered IIA)’s new Internal Audit Code of Practice - now in force - is designed to strengthen internal audit functions and support organisations in tackling these emerging risks head-on, raising the bar for the profession across the financial services, private and third sectors. Mo Warsame from the Chartered IIA explains why internal audit and risk management need to work together to navigate these increasingly challenging risks.
Three key threats of phishing to be aware of
Phishing is a significant IT risk, and it is largely a behavioural one. It is estimated that 90% of cyber attacks originate with a phishing attack so, with cyber regularly identified by boards as one of the biggest risks their businesses face, it is useful to be reminded what the warning signs are, and how best to prepare and respond. Polly Williams tells us how to avoid the common pitfalls.
Principles versus rules in data and corporate governance
In the world of corporate governance, the question of whether a principles-based approach or a rules-based approach is the most effective is often a matter of debate. Different jurisdictions and different regulators take alternative approaches and, indeed, different approaches may be followed at different times. Felix Ritchie considers these two alternative approaches in his blog for the Risk Coalition. He looks at the Risk Coalition’s cross-sector consultation document, Raising Your Game, and draws on it to provide some lessons for data governance.
How can you maintain high standards in your business without suffering burnout?
People risk is nowadays recognised as a very wide-ranging concept, in its many dimensions. Gone are the days when this focused solely on headcount (we haven’t got enough people! or, we can’t afford the people we have!) and their capability (we haven’t got the right skill sets!). Wellbeing is now recognised as a key part of people risk, and an important aspect of this is burnout. Burnout is a state of complete mental and physical exhaustion, where we become so overwhelmed that our performance at work can suffer, while physical and mental health issues can also affect us outside of the work environment. If not addressed and adequately managed, it can easily become a feature of high-performing businesses. Jane Hunter discusses how to maintain high standards and high levels of performance without suffering burnout.
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Increasing personal accountability was the focus of the Senior Managers and Certification Regime (SMCR), introduced by the financial regulators following the 2008 financial crisis. However, has individual accountability really resulted since the introduction of SMCR, have behaviours changed, and have governance and risk culture improved? These are questions that Afshan Moeed considered in her now-completed PhD project, and she discusses them in her blog.
Three exciting new developments for AI in 2024 that you need to know about
Robotics and artificial intelligence have been in the public consciousness for decades, but only in recent years have we really started to comprehend the technology’s sheer potential. Businesses of any size now have the chance to leverage AI to keep up with the competition, to make better informed decisions, and to improve operational efficiency. Craig Morris discusses the key developments to watch out for in three critical sectors: healthcare, environmental sustainability and cyber security.
The stuff of nightmares: risk management is shut down, and nobody notices
Do a firm’s risk management activities actually create value? Companies increasingly spend time and money implementing a range of risk norms and frameworks whose focus is often on risk identification, analysis and risk reporting; these are risk process activities that do not create value for decision-makers, argues Stefan Hunziker. He says that, typically, nothing has been managed and no decision has been made better by these processes. In this blog, he gets to the heart of risk management - explaining that its single purpose is increasing decision quality.
What should boards know about digital technology?
Digital technology drives immense business opportunity, explains Neill Tinegate, adding that this comes with an ever-increasing need for boards to understand and mitigate significant risks. In this blog, he considers cyber security, data governance and privacy, emerging technology and digital transformation, and discusses some vital considerations for board members in each of these areas.
The insolvency risk for company directors - are you swimming naked?
The standards of diligence and care expected of non-executive directors in the oversight of a company are extremely high and, as Francis Kean explains, often become the subject of intense scrutiny and controversy in protracted and expensive investigations and proceedings following collapse. He discusses the potential coverage issues under D&O liability insurance policies and argues that non-executive directors should take an active and personal interest in the insurance protections which may be available to them in the event the worst happens.
Are you sitting comfortably? Cyber risk, board attestations and the implications for NEDs
Cyber risk remains one of the most challenging risks facing many organisations. Regulations in the US, EU and UK on cyber risk disclosure requirements are making these risks ever more prominent for businesses and challenging for their non-executive board members. Andy Watkin-Child discussed the complexities of cyber risk and the various regulatory responses emanating from the UK, US and EU at December’s Risk Committee Chairs Forum hosted by the Risk Coalition, highlighting the challenges for non-executives and risk committee members.
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
The global risk landscape has become increasingly complex to navigate, and the multitude of risks that organisations face has become ever more interconnected, says Mamun Madaser. He explains that the risk of a polycrisis – defined as a cluster of related global risks with compounding effects, such that the overall impact exceeds the sum of each part – has now become a very real threat. Risk in Focus 2024, a Europe-wide annual research project analysing the top risks faced by businesses, identifies cybersecurity as remaining the biggest threat to organisations. It ranks human capital, diversity and talent management as the second biggest risk, followed by macroeconomic and geopolitical uncertainty, which is ranked jointly with changes in laws and regulations as the third most significant risk. To tackle this, he says internal audit and risk management should work together to build their organisation’s resilience, supporting it to navigate successfully the riskier, more uncertain and more volatile times we face.
How to mitigate the risk of cyber security breaches – part 2
Organisations need to implement a comprehensive set of security tools that are appropriate to their businesses, says Jim Watson, and they also need to identify their most valuable and confidential data, ensuring that appropriate security tools and controls are used to minimise the risks involved. Building on his earlier blog which discussed the role of organisational culture in mitigating cyber risks, he discusses the key requirements of IT security tools and controls. He also explains the role that second-line risk management and compliance functions need to play in monitoring the security first-line controls, and the need for regular third-line internal audits to evaluate the effectiveness of governance, risk management and control processes.
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
One of the key proposed changes to the UK Corporate Governance Code would require boards to conclude on the effectiveness of, and material weaknesses in, their risk management and internal controls relating to operations, reporting and compliance. Nisha Sanghani, summarising discussions at a recent Risk Coalition Risk Committee Chairs Forum, explains that the discussion focused mainly on whether organisations have the right risk management framework in place to be able to meet the requirements of the proposed Code revisions with confidence. The general view, however, was that organisations have much work to do before they can. If it is done properly, she says, UK companies can avoid firefighting when caught out by risk, and can perhaps even start to make commercial risk-based decisions.
How to mitigate the risk of cyber security breaches – part 1
Cyber security breaches regularly hit the headlines these days, and the fact of the matter is that we only hear about a fraction of the incidents that happen. The threat of these incidents is a significant risk for organisations and breaches can have devastating results for the companies and people involved. They can result in serious financial impact, lost customers and reputational damage to companies - even risk to health and life. In this blog, Jim Watson explains that people are often the weakest part of an organisation’s cyber defence, so organisations need to embed security within their culture and governance, ensuring that all levels of the organisation understand the importance and value of security.