A change to this year’s top spot
Notably, social risks have climbed the ladder, with health and safety risks being considered a very or extremely important concern for 84% of respondents, up from an average of 45% over the previous three years. It now represents the number one overall concern, up from number five last year, knocking cyber-attacks off the top spot, which they had held for the last three years. It is unclear what the precise reason is for this rise in concern but, certainly in the UK, 2023 saw highly publicised fines levied on major corporations, alongside a noticeable uptick in enforcement notices issued by the Health and Safety Executive (HSE) and reports of the HSE’s impressive 94% conviction rate of individuals.
Cyber risks continue to cause concern
Concern about cyber risks comes in at a close second. Cyber risks are ever-evolving and, with the availability of artificial intelligence (AI) tools, cyber threat actors are beginning to integrate AI into their operations, particularly in reconnaissance and social engineering, according to the latest report by the National Cyber Security Centre (NCSC). This, they say, will make such attacks more potent and more challenging to detect and, potentially, lower the entry barriers for novice criminals, contributing to the global ransomware threat.
This is a worrying development and adds a further level of pressure on D&Os to implement adequate cybersecurity controls and to react efficiently and effectively in the face of an attack. Cyber risk goes hand in hand with the number four concern – data loss. With the GDPR having been in force for a few years now, plus reformed regimes in many other jurisdictions, companies and D&Os have witnessed the significant fines that can be issued by data protection authorities following a breach, and the law is still developing on claims from data subjects. In addition, the first-party costs following a breach can be considerable and the reputational risk is high.
Systems and controls – A new entry to the rankings
Regulatory actions from financial regulators for cyber systems and controls failures can also be added to the risk landscape. A recent example in the UK is the £11.2m fine imposed on a company for cyber security breaches in 2017, which resulted in unauthorised access to millions of US, UK and Canadian citizens’ personal data. In fact, this is in line with a trend we have witnessed in recent years for financial regulators to impose significant fines for a range of systems and controls failings (indeed, many core failings include a PRIN 3 failure as standard now), demonstrating the importance of such controls in preventing insider trading, money laundering, bribery and fraud, amongst other things.
It is no surprise, therefore, that concerns about systems and controls are a new entry in the top seven risks list (at number five). Boards are expected to be on top of this issue, and the Financial Reporting Council’s (FRC) recently revised UK Corporate Governance Code, which will apply to financial years beginning on or after 1 January 2025, focuses significantly on internal controls. The main substantive change is that boards must now explain, through a declaration in their annual reports, how they have covered all material controls – including financial, operational, reporting and compliance controls – and state their conclusions.
Concern about sanctions is a new entry on the top risks list
Effective systems and controls are also vital to prevent and detect breaches of sanctions laws. Our survey shows that concern about sanctions is a new entry on the top risks list, at number seven. In the UK, enforcement of sanctions laws has been bolstered by the introduction of the Economic Crime (Transparency and Enforcement) Act 2022. The Office of Financial Sanctions Implementation (OFSI) can now impose penalties for sanctions breaches without needing to prove the individual’s knowledge of the breach, increasing the risk to D&Os. The OFSI can also now publicly report breaches, potentially damaging reputations. Whilst there has not been a stream of enforcement action thus far, exposure may increase as a result of the government’s announcement, on 11 December 2023, of a new unit – the Office of Trade Sanctions Implementation (OTSI) – to clamp down on sanctions evasion. The OTSI is intended to play a pivotal role in assisting businesses in complying with sanctions, investigating potential breaches, issuing civil penalties and referring cases to HMRC for criminal enforcement, where necessary. The OTSI will launch during the course of 2024.
Regulatory risk continues to be a priority