Patrick Davis, director of corporate secretarial services at LawDeb, explores how boards can promote excellent standards of governance around cyber and ESG-related risks.
The implications of the updated UK Corporate Governance Code are being considered ahead of it becoming effective at the start of 2025. The changes seek to ensure that UK business remains at the vanguard of best business practice globally, while remaining competitive.
In order to support this, and hold executive and non-executive leadership to account, the Chartered Governance Institute’s annual Boardroom Bellwether report provides a thorough and representative view of the governance conversations that are currently happening across the UK’s FTSE 350 boardrooms.
Across the metrics that are assessed, cyber risk is the highest ‘fear factor’ for C-suites. Doubtless this will remain a significant concern as the world becomes ever more digital and needs to combat increasingly sophisticated technological challenges.
The challenge for boards is to ensure they have access to sufficiently expert cyber and digital knowledge in meetings and in related discussions and deep dives outside of the formal board cycle. Governance around digital threats will be informed and relevant only if people who genuinely understand cyber matters and related risks contribute meaningfully to the relevant mitigation planning.
Concerningly, climate change has significantly slipped down boards’ agendas, with only 29% considering it a very important driver of risk, down from 45% last year. Additionally, a remarkable quarter of board members don’t see climate change as a risk at all.
This could very well be because 94% of boards believe they are either very or fairly well prepared to understand, oversee and act on ESG-related issues. And over half (51%) of boards have discussed issues relating to climate change more than four times in the last year; and for 15% of boards, this topic has arisen eight times or more.
This should not, however, lead to complacency: the realities of climate impact and day-to-day operations need to remain highly connected.
The following three mind-sets will assist boards in upholding excellent standards of governance around cyber and ESG-related risks:
● Continuous education and engagement with relevant experts is needed to ensure boards understand how non-tangible or future risks can have very real consequences for a company’s performance and competitiveness and are therefore crucial to governance decision making. ESG and cyber cannot simply be outsourced to a committee; they must be an inherent part of every conversation happening at the highest tier of business.
● Overall, for a board to be effective in managing cyber and ESG risks, there must be real clarity around a company’s strategy to understand the related threats, and effective scenario planning processes to identify and mitigate established, evolving and new risks in real time.
● Governance decision-making processes can only be accountable if a variety of knowledge, skills, and experience is represented in the conversation and related feedback processes are allowed to flow. Boards managing these conversations and feedback loops sometimes have a real challenge on their hands, but this is where their skills sustain rounded and informed decision making. Ensuring that an ongoing, healthy dialogue is maintained between the board, the executive team and the rest of the business will ensure that decisions are relevant for the business and consistent with strategic objectives.