Global conflict, bush fires, flooding and political unrest. These are just some of the key issues unearthed as a result of the Institute of Risk Management (IRM) asking its senior members what their risk predictions are for 2020. In Part 2 of Risk Xtra’s comprehensive round-up, practising risk professionals focus on the construction sector, cyber risk and the energy sector.
Vinay Shrivastava CFIRM, director of UK infrastructure risk management at Turner and Townsend and non-executive director at the Institute of Risk Management, commented: “With the recent General Election in the UK, Brexit can now be treated as a certain outcome and therefore maintain its position as a topical concern for the UK construction industry. The reinstatement of border controls will most certainly impede the free flow of construction materials into the UK and disrupt ‘just in time’ deliveries. Further, already constrained ‘mega project’ schedules will have to adopt innovative methods to absorb these delays and maintain expected completion dates. Last year, the UK imported close to £5 billion of construction materials, fixtures and plant from the EU with the most commonly imported items including soft timber, sawn wood, lighting fixtures, boilers, AC units and wiring.”
Tied to this issue and potentially of greater concern is the reliance of the UK construction industry on skilled European trade labour. “While European trades people already in the UK are protected, Brexit will likely have an impact on the willingness of those already resident to remain so and will certainly make living in the UK a less attractive proposition for those considering moving to the UK. Approximately 32% of the construction trade jobs in London, for instance, are held by EU citizens. In addition, once the UK exits the EU, there will probably be less market competition for major construction projects. While this may benefit contractors and workers, clients could begin to incur cost premiums due to this environment of reduced competition.”
In addition, Shrivastava stated: “There are potential upsides to Brexit, though. Now that three years of economic uncertainty is nearing an end, it’s likely that the newly-installed Conservative Government will turn on the infrastructure spend, especially as it’s a prominent manifesto pledge. Sterling is also proving the pundits wrong and holding its value against the Euro which means that cost spikes due to, say, sharp increases in the price of imported material are not likely in the short-to-medium term.”
Mark Clegg SIRM, director of safety, risk and resilience at NG Bailey and an IRM Board member, observed: “Cyber risk has established itself as a key feature of risk in the 21st Century. In its Global Risks Report for 2019, the World Economic Forum listed cyber attacks and data theft/fraud in the Top Five global risks in terms of likelihood. This inclusion signified the second year running for those risks and, given the raft of high-profile data breaches during 2019, they look likely to feature highly for the foreseeable future. In addition to the growing list of legal and regulatory frameworks (ie the General Data Protection Regulation, the Data Protection Act 2018, the NIS, the HIPAA, the CCPA and many more) for organisations to acknowledge as they define their own cyber risk management strategies, there looks set to be a continued threat of cyber attacks against organisations of all types.”
This remains concerning due to the potential impacts including data loss, availability of IT systems and interruption of operations, all of which have undermined reputations and eroded public confidence. In response, an approach which builds the resilience aspects of cyber risk management, acknowledging the frequently used truism that it’s not whether organisations will suffer an attack, but when has gained acceptance.
“One UK Government report in early 2019 examining the cyber governance of FTSE 350 companies highlighted a range of findings including that Boards frequently didn’t understand the potential impact of a cyber attack on their businesses. Further, although incident plans often did exist, they were rarely subjected to rigorous testing. The report highlighted that only ‘around one-in-five Boards of FTSE 350 businesses have undertaken a crisis simulation on cyber risk’ in the previous 12 months.”
Clegg went on to state: “Looking ahead, and if recent high-profile incidents are anything to go by, efforts to prepare for, respond to and recover from cyber incidents are of profound importance and are at the heart of business survival. This should serve as a warning to those businesses that perceive cyber risk as an issue to be solved by IT Departments. It has long been accepted (if not always implemented) that IT Departments cannot manage cyber risk alone. However, building truly cyber resilient organisations requires engagement across the full breadth of enterprises and at all levels of management. Enhancing education and awareness from top to bottom and building ‘muscle memory’ through a range of appropriate training and exercising must be part of cyber risk management strategies for all organisations.”
Having the basics right
When discussing cyber risk, asserts Clegg, conversations can quickly shift towards exciting and novel concepts such as digital transformation, cloud migration, the Internet of Things, Artificial Intelligence, Machine learning, 5G and so on. “As we look to 2020 and beyond, such issues are undeniably worthy of our attention and are often seen as both causes of risk as well as methods of help manage risk. However, businesses do still first need to make sure the basics are right. Basics which, in turn, serve as solid foundations upon which to meet the challenges of such important and contemporary issues.”
Einstein is often quoted as saying that real genius is about making complex ideas simple.. For Clegg, this certainly applies to cyber risk management.
“It’s often the case that technical language can be impenetrable to the non-technical which, in turn, can impact on critical conversations regarding the most important element – communicating the actual business risk. Consequently, as we look ahead, we’ll no doubt see continued focus on new, exciting concepts which will have cyber implications. Yet, in absorbing them into our future plans, one of our most fundamental challenges will be to follow Einstein’s advice in order to translate those complex issues into what they mean to our organisations’ risk profiles.”
In summary, the good news is that, set against a backdrop of high-profile incidents, increased legal and regulatory frameworks and a growing recognition of cyber risk issues within organisations of all types, the basics have not changed. In a sense, the art of managing cyber risk comes down to turning what’s often seen as a complex range of issues into a simple, business-oriented plan; a plan which follows the basic tenets of cyber risk management.
By way of conclusion, Clegg observed: “For its part, the IRM recognises the importance of addressing cyber risk and has long-been engaged in this area, most recently with the relaunch of its own Cyber Special Interest Group as well as the Digital Risk Management Certificate.”
Alex Laursen CFIRM, president/CEO of Baldwin Global Risk Services and chair of the IRM’s Energy and Renewables Special Interest Group, said: “Oil prices have stabilised in the last couple of years following the crash and this trend is set to continue in 2020. Oil prices will either stabilise or increase slightly, allowing companies to complete the recovery process and continue building on new projects and diversification. Nonetheless, the industry could face a very turbulent year in 2020 with the potential further deterioration of US-Iran relations and the threat of major conflicts. This could lead to an increase in regional conflicts in a number of places.”
These regional conflicts could leave oil companies operating in these countries with numerous risks. These may include major security events, the mass exodus of staff, increased costs needed to manage both security as well as staffing levels and, in some cases, a need to abandon projects or leave operational plants as a result of the security situation, profitability or political pressures.
“A consequence of an escalation of US-Iran tensions or regional conflicts would be an increase in oil prices. This increase could potentially be drastic. The majority of oil companies will benefit greatly from this having spent the last few years restructuring, cost-cutting and increasing efficiencies. Expect profits to soar and a potential ramp up of new projects.”
Spurring the renewables sector
According to Laursen, the potential increase in price may also spur the renewable sector, with increased investment activity (as a result of the increased oil prices) by the major oil companies who may be looking to further diversify into the renewable sector.
“The renewable sector may also face a further boost as a result of the devastating forest fires of 2019 in Brazil and Australia, as well as across Europe,” concluded Laursen. “Europe has witnessed a significant increase in both the number of wildfires, hectares of forest damaged and the length of the forest fire season, and few will be unaware of the devastation across Brazil and Australia that has been reported in the media and shared across social media. These fires could spur new regulation and, in some cases at least, an acceleration of green energy programmes. The fires will also set the oil and gas companies in a more negative light, forcing them to diversify into greener technology in order to improve their image.”