Cyber security, Brexit, geopolitics and financial market fluctuations are among the chief concerns for businesses voiced by some of the UK’s leading risk experts as they look ahead to 2019. Senior members of the Institute of Risk Management (IRM) have identified key risk areas for businesses. A broad range of financial, political and healthcare risks are highlighted. Many of them align with the risks identified in The Global Risks Report 2019 to be issued by the World Economic Forum.
Further areas of risk concern identified by IRM risk experts are the as-yet-unknown effects of Brexit in the UK and the impact of technology-enabled disruptive business models.
“The impact of current macro trends and risks, such as cyber security, Artificial Intelligence and Brexit in the UK will continue to put pressure on, and potentially change, entire business sectors,” forecasts the IRM’s chairman Socrates Coudounaris. “Leaders who think critically about the future and anticipate disruption to their sectors, while also building resilience and agility into their models, will be in a better position to tackle a challenging risk environment in 2019 and thrive.”
Coudounaris added: “This year, the IRM will place significant emphasis on supporting businesses and risk professionals in understanding and managing game-changing risks such as cyber. Through the IRM’s qualifications, training and thought leadership, we’ll actively encourage leaders to think tactically and strategically about change and to question whether and how a threat can be turned into an opportunity. Risk professionals will be key strategic advisors on this journey.”
Banking and Financial Services Sector
Sarah Christman CMIRM, speaking on behalf of the IRM’s Banking and Financial Services Special Interest Group, stated: “Brexit continues to be the headline story for financial services. Uncertainty about the outcomes of the UK leaving the European Union is forcing firms to plan for a range of outcomes. This kind of analysis is within the skill set for the industry. The outcomes of EU-wide stress-testing suggest that the participating banks can withstand severe shocks that could arise from a disorderly Brexit. However, there remain many questions to be answered, disrupting firms’ ability to plan and execute strategy.”
Christman continued: “The adoption of machine learning, distributed ledgers and application programming interfaces is widespread across financial services, in turn providing new and enhanced services and easier access for consumers. Although these technologies are in fact decades old, they’ve dominated operating plans and marketing across the industry for the past few years. With the use cases now more established, we expect these topics to become business as usual components of product and service development.”
In addition, Christman observed: “Open banking is now a reality. Previously, the boundaries of the financial services industry were set by the strength of the customer relationship and possession of the data. Compelling firms to share the data extends those boundaries to many established and start-up software companies. Coupling this shift with changing demographics and income distribution, we expect markets to become ever-more competitive.”
Further, Christman said: “However, the revolution expected to come from open banking now appears to be more about evolution. The slower than expected pace gives traditional financial services firms more time to adapt to new competition. It also allows regulators more time to adapt their regulatory approach and balance the objectives of consumer protection with promoting effective competition. We expect both to make moves to adapt, although change may come too slowly in the face of other pressures.”
For Christman, the interconnectedness from technology and data sharing adds to an already complex cyber security landscape. “Financial services are rich targets for well-funded criminal or state-sponsored hacker attacks, but unauthorised access isn’t the only data threat that firms face. News of inappropriate usage, unethical decision-making and other abuses of the insight from data will become more prevalent. We expect these threats to foster increasing co-operation between security and privacy teams to ensure that controls are aligned to address the breadth of data risk exposures.”
In conclusion, Christman said: “Overriding all of these risks is the imperative to focus on culture, conduct and customer outcomes. This hasn’t changed over the past few years and we expect the standards to continue to rise.”
Alyson Pepperill CFIRM, client projects director for UK Retail at Gallagher and chair of the IRM’s Charities Special Interest Group, told Risk Xtra: “In 2019, we believe there will be an emphasis on creating positive cultures within organisations. Part of this approach may well lead to approaching ‘business as usual’ risks in an orderly fashion, as opposed to leaping from the ‘risk of the moment’ to the next one. Managing regulatory risk will remain a key focus area with the numbers of regulators and the level of scrutiny growing. In a recent KPMG survey of 98 larger charities’ reports and accounts, the number of charities citing managing regulatory risk as a key risk in the trustee statement doubled from the same review undertaken a year earlier.”
Pepperill added: “Cyber risks have been cited by our cohort as being the risk ‘stressing’ people most in 2018. Such risk is expected to remain in pole position until at least 2021. This is probably not too surprising given the real push within charities to become more agile in using digital communications with customers and supporters. Part of the issue is the sheer scale of risks that are bunched into ‘cyber’ as well as the increasing sophistication of those looking to commit cyber crime, plus the inevitable accidental and malicious data breaches by employees and volunteers.”
Pepperill also commented: “With all risk, the fear is the subsequent impact on reputation and the knock-on effect for income and sustainability. Particularly so when there remains the need to achieve more with less resources in a thoroughly professional way. In a fast-changing world, some of the donations will inevitably need to be spent to ensure organisational resilience and retention of the best people. That isn’t always accepted. Public and media expectations for the sector remain high, and perhaps unreasonably so, while the need to have a clear and easily deployed crisis management plan is vital.”
Energy, Climate and Politics
Alexander Larsen CFIRM, president of Baldwin Global Risk Services Ltd, an IRM trainer and chair of the Energy Special Interest Group, highlighted: “The energy sector will be interesting to watch in 2019. Oil companies can expect to have an easier year despite the potential oversupply of oil. Restructures are completed, profits are back on track and new projects are being slowly re-introduced. Perhaps the most interesting part of the energy sector to watch out for is renewables.”
On that note, Larsen continued: “Renewable energy could have a big year in 2019 with oil companies and countries heavily reliant on oil, looking to diversify into solar, wind and wave power. Additionally, with cities across the globe attempting to meet climate change targets, we can expect further investment. We can also expect to see a growth in new technology within the renewable energy field, including areas such as energy storage, microgrids, Artificial Intelligence and other technology that will either decrease prices significantly or improve efficiency.”
Larsen added: “While these are all positive developments, there are a number of major risks to meeting our future climate change goals which could play out in 2019. Having watched recent developments in France, and President Macron’s u-turn on climate taxes, along with grumblings across Europe, there’s a growing movement to challenge Government, which could lead to climate change taking a back seat in the face of more pressing and short-term country-centric issues.”
Larsen feels it will be a giant year ahead for the major tech companies which many have considered as being in a bubble with the major players being overpriced. Apple, Amazon, Microsoft, Intel, IBM, Facebook and Alphabet (Google) may be beginning to show signs that they’ve ‘hit a ceiling’ with various scandals, new regulations, stagnant product lines and trade tariffs impacting their share prices significantly over the past quarter.
According to Larsen, 2019 will be the year in which tech companies will either fall short or thrive. Innovation, going hand-in-hand with risk management, will be key to continue the tech dominance in the stock market and continued increases in share prices.
“Companies such as Nvidia have relied heavily on graphics card sales on the back of a strong 2018 cryptocurrency mining trend which has since faded away. New sources of profit, such as Artificial Intelligence, are now being focused on. Meanwhile, many companies such as IBM are focused heavily on rolling out their blockchain technology while others including Microsoft are banking on challenging the likes of Nvidia with their own Artificial Intelligence and virtual reality offers. Then, of course, we have robotics and Apple’s self-driving cars that Elon Musk has suggested will be Tesla’s major rival over the coming years.”
Larsen went on to state: “The fact that many of the companies in the tech industry need these new technologies to go mainstream in order to maintain performance indicates that we could be closer to the future than we realise. If it doesn’t happen, however, then the tech industry does risk stagnation, loss of confidence and further share price reductions in 2019.”
Last year, Larsen predicted that the ‘Crypto bubble’ would come crashing down. Only a few days later, prices started falling. A few months later and prices were down 50-60%. Now, looking back 12 months, the prices have fallen up to 98% in some cases. While the bubble may have burst, 2019 will (according to Larsen) witness significant progress in blockchain technology as well as cryptocurrency.
“2019 will almost certainly see an end to ICO scams. Not only is regulation slowly being put in place by the authorities, but investors are growing wiser. ICOs will need to value their business more realistically, meet regulation and safeguards and have a more solid business plan with a product that’s both achievable and realistic. Regulation also ensures that hacking incidents will be fewer and have less of an impact in 2019, while also adding legitimacy to the exchanges which should see an increase in sensible investors.”
Larsen concluded: “Blockchain technology itself should also see more mainstream acceptance in 2019. Companies such as IBM are already implementing the technology in the shipping supply chain industry. Such initiatives will help bring it to the mainstream. It’s important to note that this will also help to kill the hype that many of the cryptocurrency companies have been pushing. Many investors of 2018, who lost a lot of money in the crash, had bought into a dream thought up by ICOs of a technology that would change the world. Seeing real use cases for blockchain technology in select areas of traditional industries should help people realise that, while it’s a great technology, it’s also a rather boring and straightforward technology that’s unlikely to change the world.”
Ethics and Complacency
Ray Flynn CMIRM, IRM Board member and a specialist risk management consultant, said: “There has been a growing mountain of prosecutions and allegations of misconduct over the last few years at both an individual and organisation-wide level, ranging from corrupt practices to inadvertent involvement in modern slavery, sanctions busting, sexual harassment, anti-competitive behaviour and the misuse of personal data. Despite nearly all of these being covered by recent legislation in a number of countries, this trend is likely to continue in 2019. Why? The fact is that organisations tend to be a lot better at addressing external than internal risks, and risks involving unethical or illegal behaviour, in particular, are either overlooked or considered to be more remote than they should be.”
Flynn added: “There’s a reluctance to entertain the prospect of fellow workers, or even business partners, suppliers or sub-contractors being capable of underhand practices. ‘That sort of thing would never happen here’ is often the sum total of any risk assessment carried out on unethical or illegal behaviour before proceeding to the development of policies and procedures. This complacency, which can border on arrogance, leaves those entities affected unprepared, resulting in a much heavier price in remediation than they would have forked out in mitigation had the right approach been put in place before an ‘incident’ occurs.”
Further, Flynn commented: “The risk of exposure is also increasing. There’s an element of iconoclasm and bloodletting involved as the gap between the ‘haves’ and ‘have nots’ increases, which supports whistleblowing and puts pressure on regulatory bodies to act.”
The good news is that there are plenty of resources out there to reverse this trend. Both the Bribery Act here in the UK and the US FCPA guidelines urge organisations to undertake bribery risk assessments and suggest that “…organisations might wish to consider seeking some form of external verification or assurance of the effectiveness of anti-bribery procedures.”
There’s remarkable similarity between the advice given in legislative guidelines to combat bribery and in those designed to stamp out data breaches, unfair competition and modern slavery, with organisations being required to complete certain actions to address the risks involved.
Flood Risk and Climate Change
Paul May FIRM, chairman of the Concordia Consultancy Ltd, commented: “Although there’s a lot of discussion about the extent and effects of global warming, it’s likely that neither insurers nor risk managers will commit to research at the level and depth required to reach a clear consensus as to the problem and the short and medium term solutions needed to protect assets and businesses. Nature, as affected by the commercial, industrial and agricultural activities of the human race, will therefore continue to generate adverse weather events of varying and often unpredictable scale which will cause loss of life, property damage and dislocation of communities.”
Prince Charles has been quoted as linking global warming with the increase in the devastating effects of recent hurricanes in the Caribbean. However, a significant extent of the property that has been damaged was in any event of lightweight construction not designed or built to withstand hurricane force winds. May feels it’s likely that this reluctance to require property to be built to standards adequate to withstand winds and floods will continue in 2019.
“Expansion of housing construction in the UK, often in low-lying areas prone to flooding, will continue due to pressures on local authorities, the profit expectations of land owners and demands to provide housing to target levels set by Government. Construction in low-lying areas could probably take place with less exposure to damage if house design were to be altered by planners and builders. Many countries build houses with raised ground floor levels to protect them from potential flood. Existing properties that are becoming more exposed to flood in the UK could be better protected by physical changes such as raising door step thresholds and closing air vents at low level, ideally supported by grants or similar incentives.”
Investment fund managers (often managing funds for insurers) and insurers are beginning to avoid investing and refusing to insure industries and practices that are considered to be contributors to global warming (such as the mining and burning of coal). The trend to desert such industries is likely to continue to increase, but it’s not proven whether that retreat would be likely to lead to their closure. “While the rationale may be ethical and provide a ‘feel-good’ PR feeling, such investors and insurers will lose any opportunity to influence improvements and change.”
Although the start of a ‘joined-up’ and well-funded global insurance and risk community research project into causes and remedies of global warming would be great to see, May predicts that it will not happen.
Steve Treece CFIRM, head of corporate risk at the Corporate Portfolio Office for NHS Digital and chair of the IRM’s Health Special Interest Group, said: “Brexit looms ever larger on the horizon, with continuing uncertainty about the terms under which the UK will leave the EU and, potentially, when this will happen. This makes planning for the consequences of Brexit for any organisation more difficult, but also emphasises the importance of risk management and contingency planning for a range of outcomes. In the health sector, this planning needs to consider the entire supply chain to ensure the continuing supply of essential medicines and other critical items. Other significant sources of Brexit-related risks are likely to include retention of key workforce (and supplier) skills and the likelihood of increased costs of imports, whatever the terms of our exit.”
Treece continued: “There is, however, a risk (if you will pardon the pun) that a focus on Brexit risks will blind us to other risks, which may coincide with or indeed exacerbate Brexit impacts. As a significant example, there are the continuing threats of cyber attacks where we must continue to learn the lessons of the WannaCry ransomware attack of 2017 which caused significant disruption to the health sector, even though the attack wasn’t directly aimed at the sector. The risks of data loss and a subsequent erosion of public trust in data sharing (which is an issue across the private and public sector spectrum) are also a major area of concern.”
Also, Treece stated: “The health sector remains exposed to risks of ever-increasing demand, workforce shortfalls and the adequacy of funding (and the deployment of any additional funding). These are coupled with the need to transform and modernise services, including through the better use of data and technology in the improvement of care and whether there’s sufficient capacity and capability to manage all of these risks simultaneously.”
Treece concluded: “If I wanted to promote one motto for 2019 it would be ‘Resilience and Preparedness’.”
Martha Phillips MIRM, head of IT risk and assurance at AVIVA, outlined: “The main risks currently facing the insurance industry can be grouped into three main areas – strategic change, financial uncertainty and data security and management. The insurance industry, like all sectors, is facing a potentially turbulent macro-economic environment in 2019. Uncertainty surrounds the post-Brexit economy, including interest rate and currency fluctuation, which may impact revenue and profitability. The macro environment may also restrict or provide opportunities for M&A activity, deal volumes and the management of capital-intensive portfolios. Political and environmental risks (weather, civil unrest and unstable Governments, etc) may increase further and have the potential to erode profits as well as the predictability of operations.”
In addition, insurers are increasingly facing new and emerging competition in the form of new market entrants and start-ups, including ‘FinTech’ and ‘InsureTech’. Insurers have historically been slow to invest in their digital propositions and, indeed, the infrastructure necessary to support them.
“Today, consumers expect financial products to be increasingly simple, flexible and accessible, as well as serviced seamlessly across digital and offline channels. Indeed, there are also huge opportunities to serve consumers if established insurers can adapt their strategy and operating model – and attract innovative talent – in the face of new competition. Critical to achieving an agile and innovative digital ‘InsureTech’ or ‘FinTech’ business is striking the right balance in culture and being able to manage within risk tolerance, while at the same time not stifling innovative thinking and swift delivery.”
At the heart of the insurance industry is data. “Data security and management will feature on an insurer’s list of top risks as long as the threat environment and regulation continue to rapidly evolve. The financial services sector as a whole must continually invest in maintaining secure and resilient operations complemented by a security-aware culture. Media headlines show that data security and resilience is increasingly becoming an issue of public trust. Interest in how consumer data is being used is also likely to continue in a post-GDPR environment.”
Reputation, Brand and Crisis Management
Victoria Robinson MA, head of marketing and communications at the IRM, commented: “Reputations can take years to build and be lost in a day. With the prevalence of consumers airing complaints and displeasure on social media 24/7 for the whole world to see, companies have never been under such scrutiny to delight the customer and go the extra mile.”
Robinson added: “The introduction of the GDPR in the UK has meant that marketers need to tighten policies and procedures around the way in which customer data is held, stored and managed. We’ve seen huge, well-known global corporations including airlines, hotel chains, banks and online retailers suffer at the hands of hackers. The 2017 Cost of Data Breaches Study from The Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million per incident, or $141 per data record. That’s a reduction on the average cost in 2016, but the average size of data breaches has increased.”
An important part of any risk management plan should incorporate crisis management planning, including the responses that an organisation pushes out to its public and stakeholders should something go wrong. Detailed plans should include robust responses for scenarios ranging from loss-of-life (such as airlines) to loss of data/personal records. The key risks will vary depending on the nature of the business. Sometimes, it’s as much to do with what’s said post-event as the actual event itself that can help manage reputation.
According to Marketing Week, consumers’ trust in brands is failing. Everyone thinks they’re a marketer and is more willing to put pressure on organisations online or via the press. Brands should have a Corporate Social Responsibility (CSR) agenda embedded. Consumers are much more easily able to switch their brand allegiance and vote with their feet.
“Consumers are becoming more discerning and aware of protecting the planet and about the provenance of goods. Transparency is key. An example of this would be retailer Iceland’s recent cause-related campaigning around palm oil and deforestation. Climate change is one of the biggest risks facing the planet. In summary, brand and reputation should be taken into account on any organisation’s Risk Register and horizon scanning employed to mitigate risks as well as seek out opportunities.”
Carolyn Williams, director of corporate relations at the IRM, commented: “It’s become almost compulsory when providing comments like this to start with something ominous along the lines of ‘risk has never been so risky’ or similar statements of the obvious. We can probably find something similar to say about 2019. Whether it’s trade battles between the US and China, tensions in the EuroZone, Brexit chaos, fuel prices, exchange rates or natural disasters like wildfires or floods, maintaining the smooth flow of goods and services will always present significant challenges.”
Williams continued: “It’s a tribute to those concerned that, in general, in much of the world, shops, warehouses and factories are well stocked and services are delivered without any great drama. Looking to the future, there are growing examples of the use of technology, combined with new business models, to improve supply chains even further. Ten years ago, concepts like Amazon Prime, Deliveroo, warehouse robotics and real-time tracking were in their infancy but are now becoming widely used. Autonomous trucks, drone deliveries and digital freight matching technologies may still be at the pilot stage, but do promise further opportunities – and risks.”
Williams went on to comment: “Organisations are also taking CSR more seriously. Not so much a compliance issue today, but more an opportunity to protect reputation and build customer and employee loyalty. So, in 2019, we predict that some stuff will happen, some organisations will find their supply chains are affected, some will have anticipated it in advance, perhaps built up their skills and understanding, completed some risk analyses, scenario planning and stress-testing in order to cover their extended enterprise and put controls in place. Others will discover that their strategy of just hoping for the best hasn’t quite worked out.”