First published in the March 2015 UK edition of Accounting and Business magazine.

The hacking of Sony Pictures Entertainment at the end of last year, in which more than 100 terabytes of data were stolen, including personal information on Sony Pictures’ employees and internal emails, illustrates vividly the scale of technology-based risks that companies face in the modern world. Sony has never skimped on its technology spend - its systems and processes are, by any barometer, excellent - yet it was still hacked by a group that had targeted it specifically and that was intent on doing harm.

The external estimates of the losses suffered by Sony in this latest hacking range from $44m to over $100m, although Michael Lynton, CEO of Sony Pictures Entertainment, was quoted by Reuters as saying that the cost would be ‘far less than anyone is imagining’ and ‘well within the bounds of insurance’. Sony has admitted previously that the 2011 hacking of its PlayStation network, in which customer data was stolen, cost the corporation $171m.

Technological transformation and the interconnectedness of the modern business world have brought with them many opportunities, but also a far greater potential for disaster, mistakes and losses. The world moves much more quickly and the connections between consumers, suppliers, other third parties and companies are closer than ever - in risk terms, a vast interconnecting network of dominoes, vulnerable to a topple anywhere along the line.

The extent of the risks faced by multinationals in the modern world was discussed in a recent study by Deloitte. The Value Killers Revisited: A risk management study looked at the 1,000 largest global public corporations and assessed the financial losses suffered by them as a result of four broad categories of risk (strategic, financial, operational and external risks). The report focused on events that have caused losses in value of 20 per cent or more in a company within a one-month period (relative to a broad market index).

Taking a fall

The report, published in 2014, found that in the preceding 10 years, 38 per cent of the 1,000 largest companies in the world had suffered a fall in their share price of more than 20 per cent. Almost one in five of these companies had waited for more than a year before their share price had recovered, and one company had lost as much as 81 per cent of its value.

Deloitte analysed 142 of the most serious loss events, and found that almost 90 per cent of the companies were hurt by several risks working together, even if triggered by a specific single event. ‘Most often, a low-frequency risk acted in conjunction with another risk the company did not anticipate, with loss-creating events spreading from one part of a company to another,’ said the report.

In other words, a ‘black swan’ event that was industry- or even economy-wide exposed the weaknesses of individual companies. ‘An isolated risk may be manageable,’ said the report, ‘but the biggest losses were the result of contagion, when weaknesses in one part of a company almost always triggered problems elsewhere’.

Growth business

This partly helps to explain why one of the fastest-growing lines of business offered by the large accountancy firms these days is assurance services. Some of the more familiar services, such as internal audit, are fast being supplemented by less recognisable options including: 

  • cloud assurance
  • cyber security assurance
  • third-party assurance
  • reputation assurance. 

These fill a market need, but have the added benefit of being a non-restricted service that can be offered to audit as well as non-audit clients. At a time when mandatory audit rotation will inevitably hit audit revenues, these new services are a boon. 

Marco Amitrano, head of PwC’s risk assurance business in the UK, says that its assurance business has quadrupled in size in the past six years. PwC’s 2014 annual review showed that worldwide revenues from its assurance business increased by 3 per cent over the year to $15.1bn - the UK’s assurance business increased its revenues by 6 per cent to just over £1bn, and the risk assurance business recorded double-digit growth for the fifth consecutive year. 

‘There are three main macro drivers behind the market increase,’ says Amitrano. ‘One is technological transformation, one is the increase in regulation, particularly in financial services, and the third is business transformation - companies are having to change their business models because of shifting consumer behaviour and so on. The result is a great deal of uncertainty for management.’

PwC’s answer is to offer assurance services based around what it calls ‘the six gamechangers’ that boards are facing. These include:

  • ‘digital trust’ (otherwise known as cyber security)
  • ‘regulatory response’ and ‘transformation confidence’ (generally meaning major projects assurance), but also services centred around ‘enterprise resilience’ (which Amitrano likens to looking after the corporate immune system)
  • ‘third-party trust’ (mainly covering assurance of contractual arrangements)
  • ‘culture and behaviours’ (essentially making sure that the corporate culture does not encourage risky or potentially damaging behaviour).

The other large firms offer similar services, or variations of the same, although organised differently. In fact, these newer assurance services seem to have blurred the line between assurance and consulting - some, particularly cyber security, are offered under the ‘risk consulting’ banner in some firms, and under ‘risk assurance’ in others.

‘I’ve always argued that risk assurance is a business that is on the audit end of consulting and the consulting end of audit,’ says Amitrano. The distinction, he argues, is that consulting offers solutions from within the client walls, while assurance offers independent reassurance.

‘By offering reassurance we have to offer a level of independence or the value of it diminishes, so we never go to the client side. We all advise clients but it’s the context that is important - you are either on the inside, or you are trusted but on the outside.’ 

Assurance or insurance?

There are two other reasons raised for the increased demand for risk assurance services. The more controversial one is the inability of many companies to obtain insurance for modern business risks, particularly cyber security risks.

A report by London Market Group and the Boston Consulting Group, London Matters: The competitive position of the London insurance market, states that perhaps the biggest challenge for the insurance sector ‘lies in finding solutions for new types of corporate risks’, including reputation risk and cyber risk.

‘The insurance industry,’ it adds, ‘has failed to keep up with changing business needs and some chief executives say that as much as 90 per cent of their corporate risks are currently not insurable, because nobody has come up with the right products’.

The report continues: ‘At the heart of the challenge is the fact that a large proportion of the risks faced by companies today are intangible and often linked to soft assets like brand and reputation. These risks are hard to measure and quantify, both in terms of severity and likelihood, which, coupled with the strong regulatory and commercial imperative only to accept risks that can be reliably quantified, creates a conundrum for insurers and their customers.

‘The global insurance industry has recently made efforts to provide products for some of these risks, but the take up has been relatively low. This is partly because customers’ needs are evolving rapidly… and partly because, in an effort to limit the downside represented by a hard-to-quantify risk, many policies are too inflexible and have too many exclusions and limits.’

EY has identified cyber risk as one of the biggest challenges to the insurance market in 2015, mainly because it is so difficult to quantify the risks involved. Shaun Crawford, global head of insurance at EY, says: ‘It will only be a matter of time before insurers simply refuse to accept the undefined transfer of risks.

‘But in the short term, it is likely that they will start to demand evidence of adequate cyber risk controls from businesses that demonstrates that they are taking cyber crime seriously and are taking the necessary steps to avoid opening themselves up to attack.’ Cyber risk assurance services could provide the documented evidence that insurers are looking for.

This brings us to the wider issue of risk management and reporting. The quantity (but not necessarily quality) of risk reporting by organisations has increased since the financial crisis, prompted partly by increased regulation (particularly in the financial sector) around risk disclosure. It is also widely accepted that generally, risk management has improved since the crisis. As business risks have increased, companies are becoming better prepared to tackle them.

The impact of better risk management is hinted at in Deloitte’s Value Killers report. The firm carried out an identical study in 2005, when it found that 48 per cent of the world’s largest companies had encountered a ‘value-killer risk’, 10 per cent more than in the 2014 study.

‘We can hypothesise that this is due to the improved and expanded use of risk management,’ says Deloitte in its 2014 report, ‘but we cannot be certain.’ (Another possibility, it acknowledges, is that the global financial crisis had generated such unprecedented stock market drops over recent years that this obscured or distorted what in other circumstances would be recognised as a value-killer loss.)

Beyond auditing

The expected growth in assurance services raises the question of how firms will make sure that they have the skills to cope with the demand. In the January A&B, IFAC president Olivia Kirtley said that making sure that they had the right people in place was one of the major challenges for finance heads - in particular, whether they had people with the right skills for areas such as cyber security. 

PwC’s Amitrano says this is something that is consistently on his agenda: ‘We have 6,000 people in our assurance practice, most of whom are auditing. A big question for us is how we can make sure that we increase the agility of that group while we develop these other risk assurance services.

‘It raises real questions for career development. It’s important to keep moving people around, but also to make sure that we have the technical specialists we need in key areas such as cyber security.’ Auditing as the boring option? Not any more.