Businesses are concerned about the low quality of information they are being given about cyber security risks, according to a new report by an accountancy firm.
KPMG said that 45% of approximately 1,800 audit committee members they surveyed between August and October last year had said that their firms’ risk management programme required “substantial work”, with only one in four confident that their companies are looking “far enough into the horizon” to identify risk.
Of the 280 UK respondents, 56% identified Government regulation or the impact of public policy initiatives as the greatest risk challenges, other than financial reporting risk, facing their companies. A further 12% said that cyber security, including data privacy and protection of intellectual property, posed the greatest risk challenges.
However, 22% of all respondents said they were not satisfied at all with the quality of the information they receive about cyber security risk – the lowest level of satisfaction recorded for the quality of information in any category of risk listed in KPMG’s survey, according to the report (36-page / 2.33MB PDF).
“The quality of risk-related information – particularly about cyber risk, global systemic risk, and the pace of technology change – as well as hearing dissenting views from middle management and others about critical risks facing the company continue to be areas of concern,” it said.
Just over a third (34%) of respondents to the survey felt satisfied with the way management listens to middle management or others with “dissenting views … regarding the company’s risks and control environment”. In addition, just over half (52%) of respondents said they were fully satisfied that management within their firms have identified the significant risks to their business or growth plans.
According to the KPMG report, 64% of survey respondents said audit committees would be more effective if members of the committees had “additional expertise” on areas such as IT and risk, whilst half said there should be a “greater diversity of thinking, background, perspectives, and experiences” represented on the committees.
“While there is a high degree of satisfaction in many areas, the percentages are not comfortably strong and highlight some unsettling truths – such as the 71% of respondents that aren’t wholly convinced that dissenting views on risk and control are actually heard,” Timothy Copnell, chairman of KPMG’s UK Audit Committee Institute, said in a statement.
“A committee is only as good as the people on it. Whilst committees are generally satisfied that they are doing a good job, the challenges produced by the prolonged downturn and the difficulty of keeping up to speed with a whole range of new developments and technologies means that a committee with greater diversity of thinking, background, perspective and experience is likely to be best equipped for the future. We could see a war for talent emerging,” he said.
The report also said that 76% of UK firms’ audit committees have given at least a somewhat increased focus to assessing whether their organisations’ “global compliance efforts” are sufficient to address risks posed by the increased enforcement of anti-bribery laws such as the UK’s Bribery Act and US Foreign Corrupt Practices Act.