Top Boardroom risks

As we emerge from the worst of the pandemic, inevitably boards and management will be assessing how their business has fared, alongside standing boardroom issues such as their corporate purpose, strategy, risk management procedures, and their ability to deal with the ever-proliferating number and complexity of business risks and opportunities they must navigate.

Continuity

Number one on the agenda is likely to be continuity of trading. Crisis management, disruption, and business continuity have long been key elements of risk management and a matter for the board to discuss. However, the meanings of these terms and the severity of the challenges they have posed in recent times mean they have shot up the priority list to become the main subject of discussion. Prior to the pandemic, the issues contemplated by the term “crisis management” have often been short-term, but in contrast, the global COVID-19 pandemic has put us in crisis management mode for almost 18 months.

The duration of the pandemic has caused many businesses to suffer downturns and, in some cases, to close. In addition, given the sudden long-term switch to remote work for many firms, businesses are finding they need to review their entire model and ways of working. Boardroom directors will be grappling with issues such as real estate, technology, employees wanting to carry on working remotely, new working patterns, supply chains, online versus offline sales and how the risks facing the business have evolved.

Businesses have also been challenged by ensuring their workplace is safe for employees, with a myriad of changing regulations needing to be understood and implemented. Risk assessments need to be regularly undertaken to check the rules are being complied with. For more information on risk assessment support click here.

Ways of working and well-being

Maintaining the wellbeing of employees is one of the key considerations for a board. Driven by a number of factors, from the pandemic bringing mental health firmly into focus and its threat to workplace health and safety, to the growing investor and regulatory focus on employees and fairness in the workplace, workforce plans and employee wellbeing will remain in the spotlight.

Companies have embraced remote working, producing surprisingly positive results. However, remote work during a crisis versus more normal operating environments could deliver different business outcomes. Picking a strategy that aligns with your company’s objectives will produce the best results. Should your business be office-centric – the best fit for firms that believe a strong culture is built and maintained in person? Is the best approach a hybrid model – which works best for companies that are focused on innovation that can only happen in person, while championing flexible lifestyles? Finally, should businesses take advantage of the cost savings and go remote, which works best for companies with employees that work independently, focused on cost savings, and with a company culture that champions total flexibility?

And if businesses decide to be office-centric or hybrid, how do you configure the workplace? After months of remote working, we have learnt that the value a workplace offers is not an individual desk or office, but a place to gather for collaboration, which means sweeping changes to the layout of workplaces.

The health and well-being of the workforce is a relatively new challenge arising from the pandemic. Prolonged uncertainty regarding the effectiveness, safety, and availability of a COVID-19 vaccine, long periods of isolation, the economic downturn and job insecurity, and ongoing social unrest continue to test the mental and emotional health and well-being of workers. Ensuring employees’ wellbeing is looked after, both in and out of the workplace, will be key to maintaining a happy and effective workforce. Click here for more information.

Cash is king

Although all the issues above are critical to a firm’s success, ultimately they are more or less meaningless if a company has liquidity issues and is not able to operate profitably. Throughout the pandemic we have endured story after story about businesses being forced to close either permanently or temporarily with sectors such as hospitality, retail and travel faring particularly badly.

The board has needed to understand and act quickly to help conserve cash. In many cases this would be taking advantage of the many government support schemes; however, these are coming to an end as the economy gets back on its feet. Stretching credit lines, renegotiating leases and borrowing arrangements have all been options over the last 18 months.

Although life is somewhat getting back to normal, boards are almost certain to remain vigilant about overseeing management actions to preserve and, where possible, increase liquidity.

Inclusion and diversity

Promoting and supporting diversity in the workplace is an important aspect of good management - it’s about valuing everyone in the organisation as an individual. To reap the benefits of a diverse workforce it’s vital to have an inclusive environment where everyone feels able to participate and achieve their potential. While UK legislation – covering age, disability, race, religion, sex and sexual orientation among others – sets minimum standards, an effective inclusion and diversity strategy goes beyond legal compliance and seeks to add value to an organisation.

Board members can help build an ideal culture. The board itself should be diverse, including women, minorities and diverse points of view. Creating an inclusive boardroom environment that fully harnesses the benefits of a diverse board and encouraging all board members to contribute and constructively challenge assumptions and perspectives is important. The board can set the tone that I&D is important to the organisation by keeping it on the board agenda, asking the right questions and monitoring the relevant data. Boards should embed I&D into the firm’s strategy and empower the business to prioritize the topic alongside other business KPIs and objectives.

Culture

Corporate culture should always be on the boardroom agenda; it impacts all aspects of a business from employee retention through to productivity and customer sales, and arguably can be make or break for a firm’s success.

A culture that does not encourage agility, adaptability, and resilience may make it much harder for a company to rebound from a disruption than a culture that fosters those qualities. Culture has been heavily tested over the last 18 months – and businesses that have managed to keep a strong culture when their employees aren’t even having any personal contact are well placed to continue to thrive. The challenge for the board director today is how to understand the sentiment of the workforce, how it may have changed, and what opportunities lie ahead for further embedding an effective culture. For more information on creating a great workplace click here.

Environmental, Social and Governance (ESG)

ESG has been a boardroom issue for many years but its importance has escalated over the last five years. ESG is a broad concept with no standard definition, but most can agree on the scope of the issues it covers: how a company performs as a steward of nature, how a company manages relationships where it operates, its impact on society and ultimately, how ethically it acts.

The change from a voluntary regime for companies around related topics to a more regulated and compulsory one involving transparency, disclosure and reporting is well underway.

As decisions made by businesses are increasingly influenced by ESG factors, so too will be the role of risk management and in particular that of the board of directors. Directors’ duties are already under growing scrutiny and this will only deepen given tightening regulatory frameworks. Questions about who is responsible for ESG on the company board will not just be a matter of “nice to have” but essential if the duties of directors are to be considered adequately fulfilled in future. Such topics need to be right at the heart of company decision-making.

Multi Factor Authentication – what is it and why is it so important?

In today’s rapidly changing cyber insurance market, insurers are increasingly asking in-depth questions about how businesses are protecting themselves from cyber threats, particularly with respect to ransomware prevention.

Why? Well, the answer to that is simple. There has been a notable rise in cyber-driven claims in recent years, driven by the growth of the cyber insurance market but also by the rise in incidents such as data breaches, distributed denial of service attacks, phishing campaigns, and increasingly ransomware events, which are becoming the dominant cause of losses, with 85% of all losses between 2015 and 2020 coming from ransom or other external hacks. [1]

Most insurers who underwrite cyber insurance are now requesting that businesses have Multi-Factor Authentication (MFA) for all remote access of their systems.

At Gallagher, we are seeing an increase in the number of businesses that are being refused cyber insurance cover due to a lack of MFA, leaving them exposed to significant losses.

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) adds a layer of protection to the sign-in process. It strengthens security by requiring that users provide at least two pieces of evidence, or authentication factors, to prove their identity. By requiring multiple authentication factors, MFA provides a higher level of assurance about the user’s identity. Even if one of the factors has been compromised, the chances that all of the factors have been compromised are low.

MFA is enabled when at least two of the following categories of identification are used in order to successfully verify a user’s identity prior to granting access.

  • Something You Know (A password)
  • Something You Have (A mobile phone or a username)
  • Something You Are (A device, biometric identification through a fingerprint or retina scan)

What should be protected with MFA?

Remote Network Access

MFA for remote network access is an important security control that can help reduce the potential for a network compromise caused by lost or stolen passwords. Without this control an intruder can gain access to a business network in a similar manner to an authorised user.

Privileged/Administrative Access

MFA for both remote and internal access to administrative accounts helps to prevent intruders that have compromised an internal system from elevating privileges and obtaining broader access to a compromised network. This can prevent an intruder from gaining the level of access necessary to successfully deploy ransomware across the network, erase activity logs, and create bogus user accounts or even turn off anti-malware protection.

Remote Access to Email

When accessing e-mail through a website or cloud-based service on non-corporate devices, MFA can help reduce an intruder’s ability to gain access to a user’s corporate email account. Threat actors often use email access to perpetrate various cybercrime schemes against businesses, as well as the businesses’ clients and customers.

For MFA to be fully effective, protection should extend to all employees, regardless of role.

Next Steps for Businesses

Providers in the MFA space are continually making the process easier, less expensive and more flexible for businesses to implement and users to access. Whilst MFA can be easy to use, applications that sit behind MFA are generally “cloud” based, so a lot will depend on the type of software and applications a business has. Businesses should talk to their IT provider about taking a holistic approach to implementing MFA across their IT estate.

How Gallagher Can Support

Our dedicated Cyber Risk Management team can help you face the future with confidence by not only helping you reduce the likelihood of a breach, but also by giving you the tools you need to get back up and running with minimal damage if one does occur.

Our aim is to improve your cyber strategy, defences and ability to recover. We do this through the implementation of processes and procedures, such as the design of board level reporting templates.

We also help organisations gain information security standards such as Cyber Essentials, Cyber Essentials Plus and IASME Governance.

Why not request a 30 minute, free cyber risk management consultation? To find out more view our Cyber Risk Management page or speak to your Gallagher representative.

1. Allianz Global Corporate & Specialty, “Managing the impact of increasing interconnectivity: Trends in cyber risk”, October 2020.