Cyber security

24/7 Media

John Denton “When we’re talking about media, we’re talking about external engagement where, in a way, your reputation is set by other people. This is a real challenge in an organisation’s engagement. In many respects, the organisation is still operating on 20th-century principles, but we’ve given everyone 21st-century tools. How do we grow up and get maturity on risk?”

Dr Keith Suter “How it’s going to look in the media tomorrow is something you have to factor in with every decision. People get scared at the mention of media, but boards need to avoid panic and people must have training in this.”

Ian Saines “You are now living the front-page test in real time. On social media, it happens without you even being aware of it.”

Dr Abby Bloom “If it’s in the media, you have to deal with it. But how does a board maintain appropriate balance? What about the opportunity side of risk?”

IS “It’s not just that technology has changed; you’re dealing with people who come from a different value system. You work on the basis that the facts will persuade the argument, then some of the scandals that are prominent at the moment arise in, and are actually promoted by, the media. The issues at the heart might previously have been seen by the business community as perfectly acceptable. In deciding what conduct and product design is appropriate and how products and services are put to market, boards and management almost have to extrapolate what community standards will be in 10 to 15 years. We need to address those standards instead of what’s appropriate now.”

JD “The reality is that risk isn’t static.”

Penny Bingham-Hall “You don’t have to look too far back and think, ‘How many people sitting around the boardroom table have had to deal with things like cyber risk and social media in their career?’ It’s all changing and boards have to be across so many different aspects these days.”

Cybersecurity

AB “Cybersecurity should be a standing item. One of my concerns is that cybersecurity is the 800-pound gorilla. It’s important for all board members to be familiar with it, but not to let it push out the other aspects of risk: the business-as-usual risk, the innovation-as-opportunity risk.”

IS “There is increased focus on it because there’s a slope to be walked up for boards to get to a basic level of comfort that the executive has a way of dealing with it and reporting to them.”

AB “One major risk area to be aware of is suppliers. They’re the weakest link and can provide access to the organisation.”

Board response

AB “The leadership of the risk and audit committee, and its capacity to deal with broader issues of culture and risk — performance, risk and opportunity — are important. We need to look at what the balance is in risk. Are you spending too much time on operational risk? Are you adequately looking at strategic risk?”

PBH “You see it also in the people and remuneration side of board committees when you’re talking about culture. You can’t have all the systems and processes to manage risk; a lot of it has to be driven through the leadership and culture. For example, issues around whistleblowing. I’ve seen where it has been useful to shine a light where the culture isn’t good — particularly a long way from head office, where it’s harder to keep an eye on it. You manage it as an organisation with leaders who know how to get onto issues quickly — or hose them down if that’s the appropriate strategy. Usually, there isn’t time for it to come back to the board.”

IS “Different boards have different appetites for delving below the CEO and the next layer of management. The picture painted can be quite different from what might be happening elsewhere. An organisation’s appetite to have board contact with lower executive levels is critical. Executive-board relations show the real state of an organisation.”

AB “The most valuable approach is having an organised program of deep dives into risk that relates back to your risk register and risk appetite, which should be flexible. You’re constantly making sure it is appropriate and periodically under review.”

“Who is responsible for this risk around reputation? You must drill down to where this is actually being led.” – John Denton AO

Reputation

JD “We can consider reputation in a strategic context. What is our [actual] reputation and what’s the character of our organisation? If your character and the way you operate don’t reflect your reputation — your reputation doesn’t reflect what you stand for — that becomes a strategic risk. That’s where a board can add value by prompting a discussion, because most executives will speak up and push the reputation. So, who is responsible for this risk around reputation? You must drill down to where this is actually being led. You can sleepwalk into a reputational crisis, because you might see an isolated problem while something else is happening elsewhere. Suddenly, it’s all connected.”

PBH “It’s how you manage your reputation. It can take years to build but one moment to tear down.”

Community expectations

PBH “No matter what board you’re on, you need to be aware of community expectations. It’s one thing on the public-policy front. There’s also a groundswell on issues around what big business is all about. We need to play devil’s advocate with management about whether they’ve thought of it.”

KS “Board members can add value by thinking about the unthinkable. The problem for management is that they live in an epistemic community — they all think in the same way. If you’re in management, uncomfortable questions can be career-limiting, whereas on a board, particularly if you have an independent mindset, it’s an important role to think about the unthinkable. Otherwise, you can get blindsided by things that weren’t part of your collective vision. Change happens at the margins and CEOs are often the last to learn.”

Diversity

IS “Boards of companies experiencing reputational issues need to look at the composition of the board. Is there enough diversity and challenge?”

KS “You need to read widely, get out of your comfort zone and mix with a variety of people — be subject to other mindsets. That’s why I support boards having a diversity of viewpoints; not just stale, pale male, but opening their minds to new ideas and willing to learn.”

PBH “Having a diverse portfolio of boards helps. Something that happens on one board can trigger questions on another. My experience in high-risk industries with a strong safety culture has given me a different mentality. On construction sites, I see things that other directors don’t.”