The New Riskonomy

Section 4:
Macro risk

Technology at a macro scale presents a number of risks to businesses, but adopting digital advancements can also mitigate external risks and empower business leaders to seize opportunities that fast-track goals and boost productivity.

Riskonomy radar reading

Our Riskonomy Radar supports C-suite and GCs’ belief that external factors present the biggest exposure to tech risk for organisations, with just 8% of responses falling into the low risk range.

8%

High
risk range

75%

Moderate
risk range

17%

Low
risk range

Navigating global uncertainty across the board

International politics is a critical piece of the cyber risk equation, as conflict can trigger increased cyberattacks to steal data, disrupt operations and inflict economic damage. Businesses are sensitive to this:

three in five (61%) of organisations say their business model has changed to some extent over the last three years as a result of geopolitical and economic events.

Geopolitical tensions, such as those between the US and China, have created uncertainty about the direction of restrictions in areas like direct investments, or the sale and development of technology. A lot of companies that have previously operated on a fully integrated basis across their supply chains are now separating, which impacts internal organisational structures as well.

Kelly Ann Shaw, Partner, Global Regulatory

This can manifest in many ways; half (50%) of business leaders have invested in more innovation and technology, and 43% have enhanced their risk management and scenario planning. Over a third (36%) have diversified their supply chain.

But are businesses playing their best hand, or could more be done to protect organisational stability and build resilience in the new riskonomy? Just 15% of organisations have responded to geopolitical and economic events by increasing their outsourcing of resources, and even fewer (13%) have formed more strategic partnerships – key mechanisms that can be used to increase corporate performance. Withdrawing from volatile markets can also reduce exposure to multi-layered legal and tech risks, but only 9% of business leaders say their organisation has done so.

%

My organisation has changed its business model to some extent over the last three years as a result of geopolitical and economic events.

Expert perspectives

Geopolitical tensions play out in the legal realm in several ways, which can shift on a day-to-day basis. Most multinational organisations already see the writing on the wall and are hoping for the best but planning for the worst. To respond to this, organisations are, and should be, doubling down on compliance.

Calvin Ding
Partner, Disputes

As a result of geopolitics macro trends, we have seen a growth politically charged legislative agenda that has driven more complex regulatory frameworks. Organisations need more guidance to be able to properly adhere to these changes and understand how they are reflected in certain jurisdictions. Ultimately, this is what will build resilience and protect business stability.

Aline Doussin
Partner, Global Regulatory

Innovating by the rules

Regulation is a key aspect of external tech risk – particularly when an organisation is operating across jurisdictions with inconsistent or conflicting requirements. Ambiguity in any legislation can create confusion over legal obligations, and the rapidly developing rules and restrictions surrounding tech carry heightened risks of non-compliance.

Surprisingly, only 66% of business leaders believe that navigating different, and conflicting, industry regulations heighten the risk of technology use within their organisation. And just 44% are concerned about inconsistent regulations having a significant impact on potential litigation disputes and investigations over the next three years. Just over a quarter (27%) believe it will have no impact or very little impact.

Expert perspectives

As tech regulation expands, many more businesses are now at risk of being sucked into being regulated as a “tech business” in one way or another, on top of all the other regulation to which they are already subject. We are working with many of the largest household names to help them to shape their increasingly complex regulatory environments through effective engagement with governments and regulators.

Julia Marlow
Partner, Global Regulatory

Tech and financial services are a good example of where sectors cross over. Financial institutions are innovative in their use of tech and tech firms are branching out into financial services. These clients need to understand the regulations across both sectors – what they are, what the scope is, and how they differ in the jurisdictions in which they operate. This is where we can support: we have the expertise and span to help clients compare regulations across all the different markets and jurisdictions they work in, and provide the local advice as well as a global joined up view.

Jennifer Dickey
Partner, Disputes

Globally, different jurisdictions are struggling to align on regulatory frameworks, but from a US perspective this has always been the case, as each US state has its own laws and not all of them are consistent with the laws of the US federal government or their sister states. When US federal and state regulatory regimes conflict, the conflicting state regimes can be pre-empted, leaving the federal regimes intact. This can be helpful to companies seeking to operate in every state, provided that the federal rules are less restrictive. Aligning to the different jurisdictions in which you operate is a challenge of doing business on a global scale, but addressing that challenge will be easier with the global regulatory platform of a trusted adviser such as Hogan Lovells at your disposal.

Ari Q. Fitzgerald
Partner, Global Regulatory

The digital defence

Vigilant cybersecurity is more important as the digital environment becomes more complex. Larger organisations can face hundreds of cyber security attacks a day, targeting personal or financial data, trade secrets, or business operational information (confidential or otherwise). Data is the prize asset for all organisations.

A cybersecurity breach – resulting in information theft, unauthorised network access, malware attacks etc. – can result in operational disruption and dire financial, reputational and legal consequences. Penalties include fines, enforcement notices or an investigation from regulators, and breaches can easily lead to litigation or class action.

An effective response to a cyberattack requires identifying its source, containing the damage, recovering the affected systems and then reporting and responding to the damage according to the relevant legislation. Ultimately, prevention is the best strategy, making robust cybersecurity an important element of sustainable business growth.

Business leaders cite cyber security as their second-highest concern when it comes to potential litigation disputes and investigations, but this isn’t translating into action.

Overall

Over a third (36%) of C-suite and GCs identify their organisation’s cyber security strategy as being in its infancy, and consider their organisation to have a high level of exposure to cyber security threats. Just 12% of GCs say their organisation has a mature and sophisticated cyber security strategy and is proactive in safeguarding against cyber security threats.

Cyber risk management relies on up-to-date security protocols, employee training and incident response plans. But most business leaders are working in organisations that are leaving themselves exposed to rapidly evolving technology risks. Regarding cyber defence strategies, almost half (47%) of C-suite and GCs admit their organisation only undertakes a review of relevant policies and procedures annually – and a further 7% do not perform one regularly. Similarly, 49% of C-suite and GCs say their organisation only undertakes an internal audit and assessment annually (and a further 6% do not perform internal audits regularly.

And buy-in is inconsistent. Despite the majority (74%) of GCs and C-suite leaders claiming that their board is fully engaged in their cyber risk management, three in five (61%) admit there are cyber security vulnerabilities in their organisation due to poor alignment and collaboration across functions.

For example, 31% reveal that their legal team is not involved in the creation of their incident response plan, withholding valuable expertise from their cyber security strategy.

Although cybersecurity is a priority for all industries, financial institutions are most likely to see cybersecurity as the most impactful risk (23%) – with automotive coming a close second (22%). This is in contrast with the consumer sector, where only 12% see it as their most impactful risk. Instead, an above average number of business leaders from the consumer sector see data management as the most impactful risk.

Sector spotlight

Cyber and data

Expert perspectives

The involvement of your legal team can be the key to success to cyber readiness and response in a cyber response incident. As with anything, practice makes progress, and organisations need to carry out a dry run of what would happen in a cyber incident before one actually happens. At a time of crisis everybody needs to clearly understand their roles and responsibilities ahead of time. The legal team has a central role to play.

Cyber awareness also needs to be widespread within the company, which is where a cyber health check can be really valuable to help understand the current status and identify steps for enhancement. It is key to have discussed your cyber response and defence strategies upfront, so for example, you have identified regulatory and contractual obligations and established whether as an organisation you would pay a ransom or not? Developing a point of view on these topics will make it easier to have the discussions during a heightened situation – you will also be in a better position when it comes to litigation if you have determined these elements before.

Joke Bodewits
Partner, Privacy & Cyber Security

Next chapter

Conclusion and
recommendations

Read now

Chapters

Executive
summary

Read now

The Riskonomy Radar

Read now

Section 1:
Navigating the new risk economy

Read now

Section 2:
Organisational vulnerabilities

Read now

Section 3:
Risk openings in the supply network

Read now

Section 4:
Macro risk

Read now

Conclusion and recommendations

Read now

About this report

Read now