Five risk issues for 2016

United Kingdom

This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.

Summary and implications

NEDs are under more pressure to be accountable for the companies that they represent. This comes at a time when companies are facing greater economic uncertainty and political instability, as well as increased regulation and vulnerability from technological advances.

To help guide NEDs through this difficult landscape, we discuss five things which all NEDs should be thinking about in 2016.

1. How will the "Brexit" vote impact the company?

With the “Brexit” vote finally fixed for 23 June, it would be remiss for any board not to have at least considered what it might mean for their company. However, at this stage, there is a limited amount of contingency planning that companies can sensibly do – for the simple reason that no one can say what will happen if the decision is to leave the EU. All we know for certain at the moment is that if the vote is to leave, once the UK notifies the EU of its decision to leave, the departure will occur 24 months later (unless all 28 EU member states manage to agree to an extension of that period). Beyond that, we are in the realms of speculation as no one can truly say what will be the position afterwards. We know that the UK would need to negotiate a new relationship with not just the EU but also all the other countries where we benefit from EU-led treaties. How long it will take to negotiate these or, indeed, what they would look like comes down to a combination of commercial and, most importantly, political speculation.

For the moment, boards should be considering two immediate questions:

  • In the event of a “leave” vote, is our business going to be affected by the immediate aftermath and the uncertainty that may arise?
  • In the event of a “leave” vote, in the extreme case where we have to relocate or rebase some or all of our operations in an EU jurisdiction, is two years a long enough period to plan and execute this?

For most businesses, the answer to the second question will be “yes”, and that is probably the most extreme outcome for any business. The former will depend very much on the nature of any particular business and how its customer base will react.

2. Is the company ready for a cyber attack?

A high-profile cyber attack can have a significant impact on a company’s reputation and the confidence of its customers and investors, resulting in long-term loss of revenue and shareholder value, as well as loss of confidential information, legal claims by affected parties and regulatory fines. There is little doubt that some businesses would fail to recover from a cyber attack.

Cyber security is now recognised as a board-level issue, not solely an IT issue. It depends on effective corporate governance and risk management as well as robust IT security, and the starting point for any cyber security strategy is for the board to understand the company’s risk profile and vulnerabilities.

Some cyber threats, such as extortion and fraud, can affect any organisation. Others will depend on the nature of the business. Companies that process large volumes of sensitive customer data will have different vulnerabilities to those which hold no personal data but put great value on their IP. Some companies may be dependent on the security of other organisations, for example they could be severely affected by a security breach in their supply chain or outsourced service provider.

A cyber security strategy must anticipate the potential points of failure, respond to and manage the risks. It should include policies and procedure concerning all aspect of IT usage and data management, training and monitoring of employees to ensure compliance and an incident management plan enabling the company to act swiftly if it is the victim of a cyber attack. Prevention is better than cure, but however robust a company’s cyber security there is always a risk of breach and having a plan in place to manage an incident, including communicating with the media, will be of enormous benefit in the event of a breach.

NEDs are ideally placed to promote cyber security as a part of a structured risk management programme. Their independence gives them opportunity and licence to challenge the existing security arrangements and the assumptions that underlie those arrangements and to ask questions of the CIO, CISO, audit committee and other stakeholders. They can hold the board to account for the implementation of the strategy and promotion of a culture of compliance throughout the organisation.

Cyber security is a big challenge, but guidance is available, including HM Government guidance specifically for NEDs here. Like all risks, it cannot be eradicated, but it can be effectively managed and NEDs have a large part to play in that process.

3. How effective is the company's health and safety management?

Health and safety risks are well known and any business needs to manage them. Proper controls contribute to a healthy and productive workforce. From the outset it is important to note that good health and safety management reduces accidents and therefore the risk of adverse impact on your reputation, costs of regulatory enforcement, fines if convicted, and personal liability.

It can also lead to better productivity and reduce absences when occupational health is included in an effective management system. It is worth keeping in mind that the number of people who were impacted by or who died of occupation-related illnesses such as cancer dwarfs the number of people that died in work-related accidents. The case for including occupational health and not just accident prevention in your health and safety thinking is therefore compelling.

So what does good health and safety management look like and what specifically should the board think about? Guidance is available and many studies have been published, but our view is that the best starting point is the IOD / HSE guidance on "Leading health and safety at work" published by the Health and Safety Executive: www.hse.gov.uk/pubns/indg417.pdf. The guidance sets out the essential principles for the board to consider in planning, implementing, reviewing and improving safety performance.

Practically, it is suggested that health and safety is discussed at board level and that questions are asked to ensure that the system is robust and resources are available to manage the risks.

4. Is the company in breach of any competition law?

A topic moving ever-higher up board agendas is competition law compliance. The UK’s Competition and Markets Authority (CMA) has announced that it will “step up the pace, scale and impact” of its activity, following stinging criticism from the National Audit Office in February that the number of investigations the CMA carries out (and the value of resulting fines) lags far behind their counterparts in France and Germany. The organisation has also struggled in the past to bring criminal cartel prosecutions against inpiduals (often directors). Perhaps also as a sign of intent to change, the CMA recently secured a high-profile criminal conviction (and a six-month suspended prison sentence) with respect to a cartel in galvanised steel tanks. Private damages actions for cartel infringements are yet another area of potential concern.

What can NEDs do to steer boards away from these troubled waters? The CMA is clear that it expects NEDs to scrutinise effectively the actions of their executive counterparts to assist in uncovering, handling and preventing competition law breaches. If they are not already doing so, NEDs should protect businesses by making reasonable enquiries to determine that executive directors have:

  • demonstrated a company-wide commitment to competition law compliance;
  • taken appropriate steps to identify and assess competition law risks;
  • appropriately acted to mitigate those risks, for example, by instigating training; and
  • regularly reviewed their actions.

The CMA does, of course, recognise that NEDs cannot have in-depth knowledge of the daily activities and transactions that can lead to these risks – and fortunately will take account of this in determining any penalties applied.

5. Does the company embrace persity issues?

Mental health costs employers in the UK over £30bn each year due to sickness absence, reduced productivity and staff turnover. The significant cost to business, together with the potential reputational damage, means mental health is a boardroom issue.

Government policy is increasingly expecting employers to deal with mental health issues. However, most business do not know what action to take. We believe that putting a mental health framework in place with the support and buy-in from senior members of the business is essential.

This gives a clear signal from the top that inpiduals can be open about mental health and access support at an early stage, increasing employee engagement and reducing absences.

Gender pay reporting

The government is implementing mandatory gender pay reporting on 1 October 2016. This will require all private and voluntary sector employers with 250 or more employees to publish annually certain information relating to their gender pay gap.

The figures only need to be first published by April 2018, but employers need to start preparing now to collate data and work out their figures (under legal privilege) to highlight whether pay gaps exist in order to address them before mandatory reporting comes into force.

Whilst there will be no financial sanction, we anticipate that failing to report or revealing large pay gaps without a legitimate explanation will pose a serious reputational risk and threaten employee retention and recruitment. It may also highlight issues for employees resulting in employment litigation.

Gender persity on boards

Diversity on the board continues to capture media attention with the government calling for an end to all-male boards and targeting 33% female representation on all FTSE 350 boards by 2020.

A recent government review has recommended that financial services firms:

  • set internal targets for gender persity in their senior management;
  • connect parts of their remuneration package for their executive teams to gender balance targets;
  • publish progress reports annually against these targets; and
  • appoint an executive solely responsible for persity.

A number of banks have already pledged their support by signing the Women in Finance Charter.