Last year, across the world, 4.85 billion data records were exposed in 758 million cyber attacks.
Sony, Adobe, Target and Marriott also suffered reputational damage because of attacks and had to invest several million dollars in communications campaigns to restore even some of that goodwill.
In Australia, many organisations in the non-profit and local government sectors have looked to consultancies like Clifton for assistance.
This article, sponsored by KPMG, is timely for any organisation concerned about the effects of a cyber attack on its wellbeing.
Not only is the range of risks the modern company faces ever broader, risk also arrives fast. And that speed can become an additional risk in itself.
“The pace of change now has to be a fundamental part of the way that an organisation thinks about risk,” says Grant Murdoch, a non-executive director at ALS Limited, Lynas Corporation Limited, Redbubble Limited and OzForex.
“That’s the additional risk that's in there. A number of risk analyses now are putting velocity in risk philosophy along with consequence and likelihood, because a risk that has a high velocity means that you’re going to have to deal with it very differently to other ones.”
Reputational risk is at the forefront of this change, Murdoch says. “Reputational risk is now much more important because of the pace.
“The pace means that if you’ve got a reputational risk, it's on social media within minutes. And that's something that the organisation’s risk function is going to have to learn how to deal with, as well.”
Matt Tottenham, director, audit, assurance and risk consulting at KPMG, says social media has brought with it the additional risk of losing control over the narrative, unless organisations are very alert and ready to respond.
“You just have no control over the messaging anymore once it gets into the public domain. And it's there in seconds – potentially very large reputational risk.”
Traditionally, when the risk function mapped its risks, the two axes were the likelihood of the risk occurring and the dollar impact; preparedness to respond is now a critical third element.
“A reputational risk can be only a small financial outcome but a disastrous reputation outcome. These are the things that good risk people are able to bring some clarity to,” says Sally Herman, a non-executive director at Suncorp Group Limited, Breville Group Limited, Premier Investments Limited and Evans Dixon Limited.
Cyber-risk is another new risk that can be on a company before it even knows it. “Take modern financial institutions: how long can they survive without being connected to the internet? Two, three hours? If all of a sudden all your apps stop working and your customers can't get in, it could be a modern-day ‘run’. That is a very big risk,” says Stephen Allen, consultant at KPMG.
Data risk is another risk that has emerged to become a major consideration for the risk function. “One of the most interesting conversations we've had on one of my boards is about data risk: not cyber-risk, but data in its own right,” says Herman.
“Just some key questions along the lines of who owns our data, where is it held, how old is it. There are all sorts of interesting conversations, where people who aren't normally interested in risk say, ‘Oh gosh, I had better get involved in that’,” she says.
The rate at which new risks are being added increases the complexity of the risk palette all the time, says Tottenham. “It isn’t only the number of risks, it’s the rate at which they're being added that is a significant factor. You only have to look at climate risk. Just five years ago, coal was a major employer in Australia, a major export industry.
“Now you've got a situation where financial institutions won't invest in it, and that's come about very, very quickly. And as of this year, modern slavery and the risks in the supply chain are a new risk of which board members, on top of all of their obligations, need to understand the intricacies,” Tottenham says.
Cultural risks are rapidly being reassessed in the hierarchy of risk, particularly in the financial services sector post-royal commission, as the industry grapples with the misconduct and ethical lapses that were laid bare.
“The non-financial risks around conduct and compliance are very much on the minds of boards and management, and they’re looking at things like cyber risk, modern slavery and ESG [environmental, social and governance] risks,” says Anna Hopley, partner, audit assurance and risk consulting at KPMG.
“They’re trying to look 10 years out, and what regulation risk management will look like in response to those non-financial risks, but also in the here and now, trying to refocus their minds to non-financial risk management, and whether to integrate the reporting through to the boards on non-financial risks.”
David Clarke, chief risk officer at Queensland Investment Corporation, says his organisation is continuously categorising risks as operational, strategic, and emerging.
“Cyber-risk is certainly a risk [that] has moved from emerging to operational. There are always new risks. Speaking as an asset owner, things that we've had to deal with this year are things like active shooter risk in our US shopping malls, and terrorism risk in infrastructure assets such as airports and shipping ports.”
Ultimately, Clarke says, companies must be wary about thinking in terms of “non-financial” risk – despite the comfort it might imply – because risk broadly comes back to financial outcomes.
“I think all risks lead into reputational risk, and that in turn has an impact on financial outcomes. So, there's definitely a linkage between the non-financial and ultimate financial risks,” he says.