Corporate governance and the global risk landscape
OPINION: A big challenge is looming for New Zealand boards concerning the interconnectedness of risks that geopolitical instability and emerging technologies bring.
"The world is undergoing multiple complex transitions: towards a lower carbon future; towards technological change of unprecedented depth and speed; towards new global economic and geopolitical balances," says the World Economic Forum: The Global Risks Report 2017, 12th Edition.
In our most recent survey of members from the New Zealand Institute of Directors (IoD), nearly two-thirds (65 per cent) of all respondents anticipate an increase in risk levels in 2017.
Whilst technology-related risks, most prominently cyber-attacks, are of most concern, there is another emerging risk that has reached our shores – increased regulation. PwC's most recent survey of New Zealand chief executives found "69 per cent said that over-regulation was keeping them awake at night". The reality is that emerging global technology risks and increased regulation are interconnected and they are already on most progressive boards' agendas.
Heavy-handed cyber-related regulatory laws have been quietly making their way around the developed world. In the United States, more than 50 federal, state and local laws mandate disclosure of cyber breaches. In Europe, the recently passed European Union General Data Protection Regulation (GDPR) carries significant fines of up to 4 per cent of global revenues.
On February 13, 2017 the Australian Federal Parliament passed the Privacy Amendment (Notification Data Breaches) Bill 2016 into law with fines for breaches of up to $360,000 for individuals and $1.8 million for organisations. It should come as no surprise then that the Privacy Commissioner for New Zealand issued a media release on February 3 detailing its plans to reform the Privacy Act "in light of rapid changes in information technology, data science and significant developments in international frameworks".
So why all the fuss? Surely imposing overly strict regulations is at odds with the entrepreneurial spirit of all New Zealanders and will cause delays and impose costs on businesses?
The answer is of course yes, but there are legitimate concerns about security, privacy and the potential for cyber-related incidents to broaden to industrial controls and critical infrastructure, and that is exactly what is happening overseas.
In late 2014, the German Federal Office for Information Security reported that a cyber-attack had caused "massive damage" to an iron plant after hackers disabled shut-off valves to blast furnaces. In 2015, hackers shut off the power to hundreds of thousands of residents in the Ukraine.
New Zealand's national governing body for infrastructure, the New Zealand Infrastructure Unit, addresses these concerns in its most recent planning report: "Our increasing reliance on networked technology and information communication systems poses a cyber security threat."
So what can boards do to prepare for this new environment?
Checklist for NZ boards to govern global risks
1. Do we have a framework of decision-making and risk oversight that fully incorporates evaluation and management of global risks?
2. Does the board devote sufficient time and resources to the evaluation of global risks?
3. Should we appoint a chief risk officer or form a dedicated risk committee?
4. Have we evaluated the potential impact of today's global risks and drawn up a risk register?
5. What can we do to instil a culture of risk awareness and build resilience into our business model and operational processes?
(Governing the Global Company, Marsh & McLennan, 2015)
Marcus Pearson is the New Zealand country head for Marsh, a global leader in insurance broking and risk management.
- Sponsored content