Cybersecurity: Directors Worried But Take Limited Action, Says Survey


EisnerAmper’s Fifth Annual Board Of Directors Survey 2014 on Concerns about Risks Confronting Boards drew responses from more than 250 boards at the helm of public, private, not-for-profit and even a few private-equity owned entities.

The survey by EisnerAmper, an accounting, tax and consulting services firm, sought to gain insights into risk perception, as well as preparedness to address the resulting issues, in American boards.

A key finding of the survey was that though reputation continued to occupy ever-increasing mind share amongst directors, larger organisations, such as those with more than $1 billion in revenues, as well as private companies, now accorded a higher rating to cybersecurity or IT risk than to reputation damage.

Boards are also aware that social media platforms are now able to quickly disseminate any news affecting the company’s reputation. Any systemic failure of cyber security, or an IT mishap, can instantly impact a company’s reputation, sometimes irredeemably, through negative publicity on social media.

In December 2013, Target Corporation (NYSE:TGT) suffered a cybersecurity breach of its customer payment systems.


In the 10 days following the news of the incident, Target was cited in 894,000 tweets. This social media ‘buzz’ completely overshadowed the 648,000 tweets generated by Target’s own Christmas holiday shopping campaign.

The company later said in a January statement that it had seen “meaningfully weaker-than-expected sales” since its announcement of the hacking incident. It also warned that costs relating to the breach were as yet undetermined and that “these costs may have a material adverse effect on Target Corporation (NYSE:TGT)’s results of operations in fourth quarter 2013 and/or future periods.”

The company’s CIO Beth Jacob resigned in the aftermath of the data breach.

This incident shows how cybersecurity risk, social media and a company’s reputation are now inextricably linked.

Reputational risk and cybersecurity or IT risk topped the list of risks worrying American boards, aside from financial risk, the survey showed.

Yet, for all their worries, American boards appeared to show a remarkable lack of interest in allocating resources to handle reputation and IT risks, observes the survey.

“Crisis Management, which could include plans on how to avert a substantial impact on an organisation’s reputation (including social media showdowns developing from any issue and risk listed – and then some), generated concern from only 31% of respondents,” it says.

Corporate functionaries even admit that their expertise in cybersecurity and social media may not be up to scratch, leaving one wondering about their ability to manage a crisis situation.

The survey also found a low level of implementation of tools such as Enterprise Risk Management (ERM) programs: only 36% of respondents had a fully functional ERM program in place.

[Chart: ERM program implementation among respondents]

The relatively low priority accorded to Crisis Management and Disaster Recovery by the boards is also cause for concern.

National security agencies recently detected that the NASDAQ’s central servers had been hacked and malicious code implanted with the intention of sabotaging trading activities.

“We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” commented Republican House Intelligence Committee Chairman Mike Rogers on the NASDAQ incident. “The bad news of that equation is I’m not sure you will really know until that final trigger is pulled…and you never want to get to that.”

The details of the investigation remain classified, but obviously the damage to the country’s financial systems would have been incalculable had the hackers succeeded in their objective, reported to be the destruction of the NASDAQ’s trading activities.

Efficient and immediate crisis management and disaster recovery procedures would be essential in such a situation.

Note in the first chart above that Regulatory Compliance Risk now ranks third (50%), below reputational (72%) and cyber security risks (62%). Crisis Management and Disaster Recovery rank even lower.

Heightened perception of Cybersecurity Risks elevated that category by 10% compared to 2013 – on the other hand Regulatory Compliance Risk fell by 6%.

“The study found that with regulatory compliance factors such as Dodd-Frank and PPACA having been rolled out, the level of concern about those regulations has actually dropped,” said Steven Kreit, a partner in EisnerAmper’s Public Companies practice. “When we take into account additional feedback from the participants, it paints a picture of boards coming to terms with both Dodd-Frank and healthcare reform.”

This is an interesting finding, showing as it does that directors’ risk perception of regulations diminished once they became a reality (see the highlighted levels of concern in the chart below).

[Chart: levels of concern about regulatory risks]

This also raises the question of whether boards are becoming too sanguine about regulatory risks and, correspondingly, whether this complacency could manifest itself in compliance budget cuts.

Though CFOs may have to push for budgetary support on regulatory compliance, allocations for beefing up the internal audit function would be readily forthcoming.

“With a bit more favor than last year, public companies found internal audit was the most beneficial asset for identifying risk (of course, they are also the most likely to have an internal audit function),” observes the survey.

[Chart: planned changes to the internal audit function]

The survey found that while 46% of boards are not thinking of changing their internal audit systems, 32% are looking to enhance staff and 24% would like to increase audit coverage.

“Despite strong concerns about reputational risk and data and cybersecurity, we saw little in the survey showing support for the resources necessary to address it,” said Kreit, summarizing the results from the survey. “With many organizations admitting that they had no plans or relatively unsophisticated plans to address these top rated risks, there is a need for boards to focus some of their strategic planning time on re-evaluating how they will effectively handle concerns as they arise.”
