Board Discussions - what NEDs have been debating (2019) · 16% since 1995. India’s rise has only been from a 1% to 2% share whilst Brazil has declined and Russia has made little

Contents

Introduction

A global and UK economic update

A global political update – top 10 risks for 2019

Climate Governance Initiative

Rebalancing skills in a digital age

Artificial Intelligence – insights to shape business strategy

Profiting from integrity

Blockchain and cryptocurrencies – applications and risks

Cyber security – Stage 1

Cyber security – Stage 2

Social media, digital tools and online hygiene for NEDs

Charities – how to adapt and thrive in the current climate

Executive remuneration

Audit Committee update

Introduction

PwC’s programme for Non-Executive Directors includes a series of briefings, workshops and other events to help address the need to keep up to date with Board level issues. This document summarises the discussions arising from our events over the past six months.

The season began in September 2018 with briefings on Artificial Intelligence (AI) which is beginning to transform the business landscape. The briefings explored the role of AI in business and what Boards should be thinking about in this area.

In the autumn, an early evening panel discussion considered Profiting from integrity, facilitated by the author of a book by this name. The session demonstrated that companies that do the right thing can deliver superior growth.

2019 began with A global and UK economic update given by Andrew Sentance CBE, previously Senior Economic Advisor to PwC and former Monetary Policy Committee member at the Bank of England, and A global political update provided by Sean West, Executive Director of Eurasia Group, the leading political risk research and consulting firm. Despite the significant political upheaval currently being experienced in many parts of the world, the global economy has been performing reasonably well. Although signs of a slowdown are beginning to appear, this is not currently considered to be the precursor to a recession.

Further early evening events this year have explored the Climate Governance Initiative, launched by the World Economic Forum at Davos to help Boards respond appropriately to the climate change issue, and Rebalancing skills in the digital age which explored the impact of technology on talent and the workforce.

Risk remains a constant feature of the Board agenda more broadly and we continue to focus on different aspects of this topic. Our winter workshop season included sessions considering the darker side of technology developments in our two Cyber security workshops. The first covered a broad landscape of cyber security basics – setting context, explaining why this is a Board issue and providing a framework of seven principles for cyber governance to help NEDs think about the key areas. The second included a deeper dive into four key areas – developing a business perspective, assessing current state, improvement recipes and handling incidents and crises.

From an individual perspective, our Social media, digital tools and online hygiene for NEDs workshop helped NEDs determine what type of online profile they might wish to have, since there is no avoiding developing a digital footprint in today’s world. At the same time, the issue of ‘online hygiene’ to reduce exposure to breaches was explored given that NEDs frequently sit on multiple Boards and sometimes work remotely using their own technology.

Another workshop explored the opportunities and risks afforded by Blockchain and cryptocurrencies. Blockchain is the complex technology that underpins cryptocurrencies but it also has many other possible applications with the potential to disrupt numerous aspects of business and impact a whole range of industry sectors.

Our final workshop of the season looked at Charities – how to adapt and thrive in the current climate, given that many NEDs have a charity in their Board portfolio and these organisations are facing unprecedented challenges in terms of both external scrutiny and the pressure to do ever more with fewer resources.

Developments for Audit Committees – which continue to have a full agenda – were not overlooked. A series of update workshops provided a technical accounting update, a look at developments in corporate governance and reporting, as well as sessions exploring fraud and our Global Economic Crime Survey, plus the ongoing debate around the future of audit.

For those on Remuneration Committees there were workshops looking at the continuing focus on executive pay by the Government, the media and the public at large. The new UK Corporate Governance Code recommendations and secondary legislation requirements relating to the extended Remuneration Committee remit, employee voice, new remuneration policies, additional disclosures and pay ratios were all considered.

In all of the workshops and briefings, there was considerable debate, with a sharing of ideas on the topics and discussion around the role NEDs can play in each of these areas. The combination of expert knowledge with the sharing of experiences with peers adds real value to these sessions, and I would like to thank all those NEDs who participated in our various events. We will continue to focus on matters featuring on Board agendas and look forward to further insightful discussions over the next six months of the programme.

Andy Kemp
Chair, Non-Executive Director programme

March 2019

PwC | What NEDs have been debating | 1

Global economic context

The session began with some context-setting around the global economy with three key themes being explored:

• The disconnect that has previously been seen between the turbulent political environment and the economy is beginning to narrow, although it takes some time before the impact is felt.

• The global economy is slowing down and the UK has been growing slowly for some time. This does not mean that the world economy is heading for another recession. It is more likely that there will be mini cycles within a cycle.

• The economic environment presents both risks and opportunities to the business world.

The 21st century is different economically to the 20th century. The global economy continues to expand and world GDP at current prices is forecast to be US$ 103 trillion by 2022, which is roughly 3 times its size in 2000. Even with the global financial crisis, there was underlying growth and momentum from globalisation, particularly from the 1980s onwards. Few countries do not belong to the WTO and many of those that do not are trying to join. The WTO, the European single market, NAFTA and similar developments opened up the world but this globalisation effectively has a one-off effect.

The growth of world trade has now slowed. The ratio of world trade to world GDP was 20% in 1993 and had grown to around 28% by 2006 but has stagnated at similar levels since then. Talk of the growing importance of the BRIC economies has been misleading, as only China has significantly grown its share of world GDP at current prices and market exchange rates from around 3% to 16% since 1995. India’s rise has only been from a 1% to 2% share whilst Brazil has declined and Russia has made little progress.

The Asia Pacific region is now dominant in the world economy. Although Central and Eastern Europe have done better following their break from the communist system, the massive rebalancing has happened in Asia which will have more than doubled its share of world GDP from around 20% in 1980 to more than 40% anticipated by 2030. Of the 16 £1 trillion economies in 2017, 6 were in Asia. Furthermore, these Asian economies are becoming sustaining – for example, the rise of the middle classes in China.

Since 2016, the global economy has been doing well with growth in world GDP above trend. To some extent, this has supported the UK since it has been embroiled in Brexit. Although stock markets have not been doing as well recently, and are down particularly in China, these are volatile and do not tell the full story of the world economy which is one of a slowdown rather than recession.

It is, however, worth noting that unemployment is at a historic low, not just in the UK. The potential for growth from the labour market has therefore been reduced due to immigration restrictions, demographic trends and, in China, the former one child policy.

Growth drivers are therefore coming to an end and there is limited slack in the labour market to be taken up. This slowing down should not be seen as alarming, however, nor viewed as a lurch into recession which is more often the result of an economic shock.

A ‘weather map’ showing growth in major economies across the world in 2019 and 2020 had no negative numbers, with India and China performing particularly well. The 2019 outlook is not that dissimilar to 2017 and 2018 and anything above 1.5% growth for a mature western economy can be viewed as good. The 2020 figures were slightly weaker in many countries, including the UK, but nothing catastrophic.

Nevertheless, there are some issues shaping the global economy in 2020, namely:

• protectionism/openness of world economy

• growing maturity of emerging economies

• economic cycle and monetary ‘normalisation’.

One scenario is that the world settles down after the current turbulent political period but, even if it does, the economy is still likely to slow as the growth rates of China and possibly India mature. China is forecast to grow at 4% by the end of the 2020s but this is still not overly concerning.

There is, however, a strong chance that there will be an economic cycle in the 2020s, as there was not one in the 2010s. Boards should therefore ensure that their companies are doing some economic modelling to take account of a possible downturn from the mid 2020s. Additionally, a number of economies are not positioned well in terms of their monetary policy and available levers. In the last recession, interest rates were cut but these are still generally at low levels.

Political factors could continue to have an impact in the 2020s and technology, demographic change and the shift to a low-carbon economy could all have an effect, although some of these may be positive. Lapsing into a protectionist world is, however, the most significant issue facing the economy.

Open forum Q&A

How concerned should business be about any downturn in China and is the downturn in Germany China-related?

This is likely to cause a ripple rather than constitute a major issue. Chinese debt is generally held internally and can be sorted by the Chinese government. They also have economic levers such as cutting interest rates or fiscal injections. There is an implicit contract between the people and the government providing living standards continue to rise, along with some understanding that growth rates will slow as the economy matures. China is still a long way from the West in terms of living standards and also has a population 6 times that of the US. It is true that Germany has very good trade links with China. As an example, many of the high speed trains in China are German. China is keen to maintain an open world trading system.

How worried should we be about China colonising Africa or growing closer to Russia?

China should be monitored and encouraged into global structures, although Russia is more of a rogue state. Since the collapse of the British Empire, the UK has been using softer influencing power via organisations such as the WTO, IMF and NATO, and Brexit is the first move away from this. Some of the UK’s influence is likely to go post Brexit but leaders in the West more generally need to take a positive view of international cooperation.

UK economy

The UK has not been helping itself with Brexit but has still performed well since 2000. It is at the top end of G7 average growth in the 21st century and has performed particularly well on a GDP per head basis.

However, the shape of the UK economy has changed significantly. Since the industrial revolution and until the 1960s, 30% of the UK economy was manufacturing. Now this is only 8%, and may fall as low as 5%, since the UK has become a very services oriented economy at around 83%. In the 21st century, the UK has performed below the historic average growth in GDP of 2.12% and this is likely to continue in the 2030s. A service based economy may just not be capable of the same levels of growth.

In addition, the UK has started to fall behind the Eurozone and the US in terms of GDP growth. Previously, the UK had been performing better than the Eurozone and vying with the US but this is no longer the case.

Brexit has had two key impacts on the economy:

• with a falling pound and rising inflation, consumers have been squeezed

• uncertainty has held back investment.

The economic forecasts of the impact of Brexit on UK GDP have not actually been far out – central pre-referendum estimate of a 3% negative impact with latest forecast at –2.5%. Brexit is therefore a definite dampener rather than the catastrophe that some seem to be implying.

The UK has shown a sustained picture of disappointing growth but it is still growing. By 2030 it is likely to be one of the world’s medium sized economies, ranked about 6th/7th in the table and closer to a number of others below it.

Key risks and opportunities for business

The session finished with a brief look at the key risks and opportunities for business as follows:

Risks

• Brexit and global protectionism – how the world trade environment looks is the biggest issue

• unstable and uncertain political environment

• concerns about rising inequality and social/political divisions

• unanticipated shocks creating an economic cycle

Opportunities

• technological and structural change

• demographic shifts (people living longer and with greater purchasing power)

• transition to a low-carbon economy

• sound business planning to cope with the 'shifts and the shocks'.

NEDs should ensure their Boards are reflecting on the above in their planning/forecasting.

Open forum Q&A (Continued)

How much impact is the cutback in quantitative easing having?

This has not particularly happened in the UK where it was ratcheted up and then stopped rather than cut back. Europe and the US have cut back more but any effect is more one of confidence. Quantitative easing can underpin financial markets but the effect wears off over time. The Fed has taken a fairly sensible approach and central bankers have generally been cautious, possibly over cautious in the UK.

There was mention in the presentation of social and political divisions and yet GDP per head has been going up since the financial crisis. Where has it gone if not to ordinary people?

The increase in GDP per head was previously of the order of 2-3% but is now only 1% so it has slowed. Additionally, the financial crisis damaged the public coffers and some of the increase has been used for this. The level of debt was at 11% of GDP and is now closer to 2%. Rising inequality occurs at different times in different countries and was particularly evident in the UK in the 1980s. However, a slow growth in living standards makes people question their situation more.

With regard to the WTO, how stable is it, does it matter if it isn’t and should we all be looking forward to a WTO world?

The WTO has done a better job of evolving to suit the needs of the modern economy than some other global organisations such as the IMF and the World Bank. Its comprehensive reach is also impressive with 99% of the world’s population in a country that is already in the WTO or that wants to be. However, membership comes at a price and member countries need to follow the WTO rules, although the WTO does not really have a policing role. If the US pulled out of the WTO, there would probably be a negative impact but Trump is unlikely to have the power to do this. Asia has been a big beneficiary of open world trade and is therefore supportive of the WTO. Whilst Europe is often portrayed as a large protectionist bloc, this is not really the case and other countries have tariffs too.

Given the increase in services, are there some services that are better than others and should MPs look at how different services can be better supported rather than viewing them as a homogeneous block?

There are really 3 main types of service – 1) business and professional services like the City and creative industries which successfully ply their wares in the international market. The UK is the most successful exporter of such services in the G7 at 13%. 2) Local services such as transport, retail, etc which societies need to exist. 3) Public services such as healthcare and education. These are roughly 1/3 each in terms of contribution to GDP, although 50-60% of London’s GDP falls in the first category. If the Government is to develop any specific policies, it should focus on the tradeable services and business may need to help educate the Government on this.

If there is a downturn in the next few years, how well-equipped is the Eurozone to withstand it?

The Eurozone cannot really be viewed as a whole, as how the economy will respond depends on the fundamentals of each individual country. Previously, Andrew has talked about a Club Med/Club Mod split. The countries with a coastline on the Mediterranean Sea plus Portugal, (9 in total), previously had an average unemployment rate of 19%, whereas the Club Mod countries, (19 in total), have an average unemployment rate of 5%. Some of the Club Med group have improved since, largely due to reforms that have been carried out. The lack of reform in some countries, especially Italy, is the real villain of the piece rather than the Euro.

Will the Euro survive another 20 years?

The death of the Euro has been forecast almost every year but it is likely to survive. Brexit will probably cause the EU to come together more strongly, although it is unlikely to take on new members. Several countries have focused on labour market reform and being business friendly and Spain in particular has been a good turnaround story. The EU has needed to be more flexible to respond to changing circumstances but still needs to get out of the low interest rate trap.

Are exchange controls likely to be introduced?

This is unlikely to happen as they give a very negative signal and actually rarely work.

What would the likely timing and impact of a ‘no deal’ Brexit be?

The short term impact would most likely be fairly short-lived disruption for a couple of quarters. The medium term/longer term impact is harder to predict but, if the UK is viewed as less attractive for investment, may result in a slow-burning drag on the economy. There are definite advantages to a deal and to leaving on good terms with our neighbours. A no deal may affect others’ perception of the UK’s reliability. However, the impact is unlikely to be as extreme as suggested in the recent Bank of England study.

There was mention in the presentation that recessions often come from unanticipated shocks – where are debt levels/asset bubbles of concern currently?

In the West, many of the previous vulnerabilities have been repaired, with the possible exception of a few European countries. Although debt in China is high, as mentioned previously this is all internal and the government has levers to mitigate any risks. The last recession was the first debt-driven recession for some time so it is more likely that any shock will come from something else, e.g. technology. The ‘financial plumbing’ has been repaired following the financial crisis but IT plumbing could perhaps cause an issue.

Why are demographics considered to be an opportunity rather than a risk?

People are living longer and remaining healthier into old age. There is often no longer true ‘retirement’ and 80% of recent employment growth has come from the over 50s. Also, an older population has created a vibrant healthcare economy.

What impact will global warming have on the economy, particularly when countries like Africa are considered?

This will probably not cause a recession and Africa, in particular, is one of the world’s smaller economies. Impacts of global warming are more likely to be experienced in low-lying parts of Asia, susceptible to flooding. However, this is likely to be geographically localised. In addition, countries are coming together to focus on the climate change agenda, (excluding the US led by Trump), and China is particularly focused on this. Nevertheless, we are currently running behind the curve in slowing global warming.

How has technology been taken into account in the economic outlook?

The impact of technology has always been there in one form or another but is a slow burn. The way it feeds into the economy is quite complex but is generally net positive, although often only 20-30 years later. Larry Summers once said that we can see technology everywhere except in the growth figures. The economy needs to be flexible to adapt to the opportunities afforded by technology which more readily results in productivity improvements in manufacturing. However, technology does create opportunities as well as displacing roles.

What would the impact be of a majority-led Corbyn government?

This is unlikely and any kind of minority government with others allows the presence of those others to rein in excesses. Some of Labour’s policies are not unprecedented – public ownership existed during Margaret Thatcher’s time in power and the proposed increase in the corporate tax rate would still be lower than when Nigel Lawson was Chancellor. The economy will therefore not fall off a cliff but companies will need to adapt.

2% GDP growth is the 'new normal' benchmark

>40% of world GDP anticipated from Asia Pacific in 2030

#1 economy by 2030 will be China

Global economic context

The session began with some context-setting around the global political situation. This year it is particularly difficult to identify beacons of good news. The world is in a period of ‘geopolitical recession’. There has been a systemic decline in stability across countries and structures with an absence of global leadership.

The US president no longer supports NATO, the IMF is being challenged by the infrastructure of others and there are concerns about the WTO as an adjudicating body. This retreat of global infrastructure with no obvious successor is what Eurasia Group have previously referred to as ‘G-Zero’ and brings a brittleness and fragility to the political environment. The largest collection of leaders working together to solve problems is around China’s Belt and Road Initiative. Elsewhere, global coordinated action to address issues is hard to imagine.

NEDs should therefore reflect on the profile of the companies on whose Boards they sit and consider whether management are taking appropriate steps to consider and mitigate any political risks arising. Major companies are being disrupted by politics more than was previously the case.

Top 10 risks for 2019

The presentation then moved to an analysis of Eurasia Group’s top 10 risks for 2019 as follows:

Bad seeds

• Though 2019 may see fewer headline-generating crises than in recent years, bad seeds are now being planted that will undermine the global order.

• US political institutions will wither as President Donald Trump undermines them.

• Nearly every current trend in Europe will weaken the EU.

• Global alliances will come unglued as the US retrenches.

• Populism will increasingly appeal to those ‘left behind’.

Although 2019 may not be as bad as 2018 in terms of major shocks, seeds are being planted that are undermining the global order. Trump’s declarations are damaging for global institutions and for public trust. Trends in Europe, such as Merkel standing down and Macron being occupied with protests, are underlining the weakness of the EU. US security alliances are being called into question such that it is unclear what any response might be if, for example, North Korea attacks Japan. This situation is likely to get worse before it gets better.

US-China

• The bilateral relationship is broken and a trade war truce alone won’t fix it.

• Trade tensions over structural differences will continue.

• Most importantly, the two sides are embracing an openly confrontational relationship.

There is no single US-China story but many layers of tension, including trade, security, technology and global leadership. Previously, trade tensions were isolated but these have now come to the fore. In addition, technology issues have risen up the agenda and Xi-Jinping is now thinking about global leadership. The current trade war may improve, as China will buy from the US to reduce the latter’s trade deficit and Trump is likely to do a deal. However, from a technology perspective, other countries are being pulled into the fray, such as Canada arresting the daughter of Huawei’s founder and the UK rethinking 5G provision from Huawei. In addition, the security situation is unpredictable. US-China tensions are therefore likely to deteriorate.

Cyber gloves off

• In 2019, the US will try to bolster its cyber-deterrence by projecting cyber-power in more assertive ways. This strategy probably won’t work.

• Russia may think it has superior capabilities, China greatly benefits from cyber intrusions, and smaller states like the 'stealth' of cyber activity.

• Non-state actors would rather use than lose their capabilities.

• New risks will arise.

The cyber security situation has real implications for business and nobody is immune with technology breaches happening at tech companies. The US cyber posture is likely to become more aggressive even though there is no clear retaliation strategy. Opportunities to attack often have to be taken at a particular point in time before the tools expire and unleashing malware can come back to bite the attacker. Cyber attacks could quickly turn into geopolitical incidents.

European populism

• The EU will hold parliamentary elections in May and populists will win more seats than ever before.

• They will have more power in the European Parliament, the European Commission and the European Council.

• These eurosceptics will impair the commission’s ability to function, muddle key EU policies and impair its ability to react to a crisis.

Risk in Europe is quite high. It is possible that the biggest winners in the upcoming EU elections may be those who want to destroy the EU and populism is undoubtedly gaining ground. If populists win a majority in the European parliament, (not considered the most likely outcome), there could be significant issues.

The US at home

• Their House majority gives Democrats real power for the first time since Trump became president.

• Trump is unlikely to be removed from office, but infighting in Washington will be very intense in 2019.

• Trump will shoot back – he will test legal norms and his tweet fury will rattle investors.

• Articles of impeachment may move forward and bring additional market risk.

Eurasia Group have never had a domestic US risk in their top 10 before as any issues previously only really impacted the US but this is not the case now. The Democrats are in control of the House and have 6 investigations running currently. If the circle closes around Trump, he may become increasingly unpredictable. Eurasia Group currently estimate the chance of impeachment at around 40%. The recent government shutdown cost $13 billion and Trump could do this again. He is also likely to tweet against any business leaders who oppose his actions.

Innovation winter

• We are heading for a politically driven reduction of capital available to drive new technologies.

• The biggest problem is US-China: synergies will be disrupted by decoupling and disruption of the talent pipeline.

• The EU and Japan will follow suit, plus data localisation and data protection will also drain resources.

• The tech divorce will be very expensive—firms will relocate to lesser investment climates and 5G development will become more costly.

In the event of a global technology cold war, it is not impossible that two different technology solutions could develop. Countries will have to decide which way they go and this could lead to a lack of interoperability, as initially existed with mobile phones. GDPR also complicates things in this arena with different rules for different systems. China is catching the US up fast in terms of technology capability and its national strategy is to win at AI which it may then decide to keep to itself.

Coalition of the unwilling

• Trump now has imitators.

• Italy's Matteo Salvini and Brazil's Jair Bolsonaro used a playbook like Trump’s to win elections.

• Like the US president, Russia’s Vladimir Putin and Turkey’s Recep Tayyip Erdogan are revisionists.

• Saudi Arabia's Mohammed bin Salman and Israel's Bibi Netanyahu need his support.

• These leaders don’t salute a common flag, but each will bolster Trump’s challenge to the international status quo.

All of the above individuals are a risk in their own right and an increasing number of countries want to ‘go it alone’. Kim Jong-Un is also operating more globally than previously. Each of these leaders is bolstering a sense of needing to challenge the status quo.

Mexico

• President Andres Manuel Lopez Obrador is popular and his party has big congressional majorities but his bid to roll back the opening of Mexico’s economy poses notable risks for markets.

• He will spend money on social and infrastructure programs at the expense of the country’s fiscal position.

• Lopez Obrador’s energy and security policies will not be constructive.

Lopez Obrador and his populist views are popular in Mexico but he has no plan to deal with the drug cartels that are a big issue. If companies are using Mexico as a ‘jump-off’ to the region, then the situation is probably not a big issue. However, companies betting on Mexico may face more of a risk. The US Mexico Canada Agreement which replaced NAFTA has still not been ratified.

Ukraine

• Putin will not compromise on Ukraine, Russia’s most important neighbour. He wants a big say in that country’s future.

• Ukraine will hold a presidential election in March and parliamentary elections in the fall. Russia will interfere.

• Additional US and EU sanctions relating to the elections and other geopolitical issues are likely.

Although pro-Western elements may win the election, there will be meddling from Russia which may lead to sanctions. Russia continues to view the Ukraine as somewhere they should be able to control.

Nigeria

• The country faces its most fiercely contested election since becoming a democracy in 1999.

• President Muhammadu Buhari lacks the energy and skill to address Nigeria’s key needs. A Buhari win would mean Nigeria muddles through the coming term.

• Atiku Abubakar, his opponent, is allegedly prone to corruption and has populist tendencies.

• Wildcard risk: an inconclusive outcome leads to crisis.

In the upcoming election, there is a 60% probability that Buhari will be reelected but he has been largely out of action due to health reasons. An inconclusive outcome to the election may lead to riots which would hurt the economy.

Brexit (not a top 10 risk but warrants a mention)

The range of potential outcomes makes it impossible to determine whether Brexit is a risk or a red herring.


Red herrings

Finally Eurasia Group discussed a few red herrings as follows:

• Bolsonaro might be a grandiose nationalist but the public, the media, and Brazil’s political institutions won’t allow any dangerous centralisation of power.

• Mohammed bin Salman has made many enemies in recent years but neither he nor Saudi Arabia faces serious risks in 2019.

• Burdened with US sanctions, Iran’s need to protect relations with Europe will limit the aggressiveness of its foreign policy.

• Suspicion and competition between Russia and China will ensure they don’t move toward a genuine anti-Western alliance.

Open forum Q&A

Trump’s attitude to Venezuela seems to be diametrically opposed to his reaction to issues in Asia or the Middle East – is there a reason for this?

It is true that the US has effectively ‘weaponised’ finance with Maduro unable to access funds. As Venezuela is closer to home, the US still feels it is within their sphere of influence unlike other more distant regions.

A view was expressed that Europe is weakening with populism taking charge but could it strengthen it?

Although there seems to be a commitment among the other European territories to make the UK’s departure from the EU painful, there is not much agreement on anything else. Europe is now in a weaker position for having countries whose citizens believe in the EU less/question it more. Some institutions such as the ECB have not been damaged but others definitely have.

Are there likely to be disputes in the South China Sea?

China has a strong shot at winning. Countries in the region do not have the resolve to test China’s military.

What about other countries in south Asia – is all quiet on the Eastern front, particularly thinking about the outcome of the Indian election?

Eurasia Group are reasonably positive about India and Prime Minister Modi. The situation is improving slowly and will probably continue to do so. The only issue would be if Hindu nationalists caused disruption but this is unlikely. Pakistan may be a different issue in that it has turned more towards China and may not be able to pull back if it wants to. Unlike previously, Eurasia Group is not concerned about the possibility of a conflict between India and Pakistan.

Is China the biggest risk, especially if it is on the march while the US is in retreat, Russia a spoiler and Europe a muddle?

In the long term, China taking control will probably have the biggest impact on the global political scene but other issues, such as cyber, may be more immediate.

If there is a downturn in the Eurozone in the short term, how equipped is it to respond to this?

Europe has rebuilt its institutions to withstand shocks but some countries may not sign off on bailouts to perceived ‘rogue’ countries such as Italy. Institutions are standing firm against threats and are no more brittle in any downturn than they were previously, although the German dynamic will change and France is currently preoccupied with protestors.

2019 may see fewer shocks but bad seeds are being planted that will undermine the global order


Urgency of the climate change issue

Three points were covered to illustrate the urgency of the climate change issue:

• the results of PwC’s annual Low Carbon Economy Index report

• the latest IPCC report on the science of climate change

• the implications for companies.

PwC tracks the progress that G20 countries are making to decarbonise their economies and publishes the results in our Low Carbon Economy Index each year. To some extent, this continues to tell the same story: countries are falling short of their ambition to limit warming to below 2 degrees. Current projections are for 3-4 degrees of warming.

However, the report does show that carbon intensity is being reduced much faster now than it was 20 years ago, with some countries making better progress than others. The UK leads the G20 countries with the fastest decarbonisation rate since 2000, partly due to de-industrialisation of the UK economy but also as a result of the shift to renewable electricity away from coal, energy efficiency, relatively stable climate policies and a highish carbon price. However, not even the UK is on a below 2 degrees pathway.

Globally, the pace of decarbonisation has to double to achieve the Paris Agreement goal. Negotiators at the UN climate talks are making some progress but this is slow.

The Low Carbon Economy Index illustrates that companies need to manage the risks associated with a potentially rapid transition to a low-carbon economy as governments, particularly in Europe, implement much more stringent climate policies. Companies also need to assess the risks of physical impacts of climate change in case those policies are not successful.

The IPCC Report on 1.5 Degrees compares the impacts of 1.5 degrees of warming vs 2 degrees. The report highlights that 2 degrees of warming is substantially worse than 1.5. It describes impacts on food production, health, infrastructure and ecosystems, such as:

• increasing frequency of extreme heatwaves

• cost of flooding due to rising sea levels to increase to over $11 trillion annually which does not include costs of other extreme weather events

• impacts of water scarcity on food production in different countries

• the loss of Himalayan glaciers and the death of coral reefs.

Overall, even the implications of 2 degrees of warming look alarming and the report gives limited detail on the impacts of 3 or more degrees of warming which is what the world is currently on course for.

The report also says little about the impact of warming on GDP, technology, prices or jobs which are among the areas of concern for business leaders.

It is challenging for companies to assess the potential impacts of climate change and the low-carbon transition. There are many different examples of implications from the business world:

• PG&E filed for bankruptcy after the wildfires in California

• BASF issued a profits warning partly as a result of a €250 million impact of low water levels in the Rhine which reduced shipping and shut down a chemical plant

• Diageo has explained the implications of water risks on its operations in Africa and Asia

• the loss of market cap at some European utilities struggling with the low-carbon transition

• Dong Energy making the transition from an offshore oil company to an offshore wind company, now called Orsted

• Shell describing the $1 billion sensitivity of pre-tax cashflows to a carbon price.

The issue is complicated but the biggest barrier to taking action may be the timeframe. The management team are typically focused on the next few quarters or years and rarely think beyond a 10 year horizon. With a very short term view, climate change risks and opportunities may not be a priority and, as the latest WEF global risks report says, there is a ‘danger of sleepwalking into crises’.

Board members therefore have an essential role to play and good governance is critical. Boards have the important duty of ensuring the long-term stewardship of the companies they oversee which is why good governance of climate change has to be led from the top.


Background to the Climate Governance Initiative and other regulatory developments

Climate change needs to be stopped in the next 10-12 years and it is therefore policies in the next few years that will have an impact.

This is what drove the G20 to ask Mark Carney and the Financial Stability Board to set up the TCFD to encourage disclosures and transparency around climate change risks. 50% of global capital market investors have said they will implement the recommendations as a sensible regulatory path to enable the transition to a low-carbon economy.

However, there was still a need to consider in more detail the role of the Board, the role of executive management and how the Board can assess whether management is taking appropriate action. This led to the WEF Climate Governance Initiative project which PwC supported, aiming to provide practical and road-tested guidance for Boards to address the substance of an effective climate transition strategy.

The guidance includes 8 principles:

• climate accountability on Boards

• command of the (climate) subject

• Board structure

• material risk and opportunity assessment

• strategic and organisational integration

• incentivisation

• reporting and disclosure

• exchange (of information, methodologies, regulatory requirements, etc.)

each of which has supporting information and questions.

NEDs wanting to know where to start on this agenda should read the report and reflect, in particular, on Board competence in understanding climate-related threats and opportunities. Climate change is a hugely complex topic involving the interplay of many different areas such as science, technology, policy, etc.

Views of an investor

Climate risk is a financial risk and therefore falls within the fiduciary duties of directors.

As trustee of a major pension fund, the issue is considered through the eyes of a young member who may be in the market for many years and who is likely to sympathise with Greta Thunberg’s comments at Davos that ‘Our house is on fire. I want you to panic.’

Currently, climate warming is heading to a 4 degree increase which will lead to a dystopian world which is both unrecognisable and uninsurable. The climate change issue is therefore taken very seriously with conscious decisions made for the pension fund to invest in green companies and not to invest in those in high carbon sectors. There needs to be evidence of Boards responding positively to the climate change agenda to secure investment. Indeed, Legal & General have separately indicated that they would vote against the performance of individual directors if their companies were not performing well in this area. Investors may not be able to move the market by themselves but they can have an impact with the engagement of others.

The TCFD is not just about disclosures. Investors are looking for climate change conversations in the Boardroom and evidence that companies are making climate change a business risk. Capital will support companies who are not silent on this and there will ultimately be rationing of capital to high carbon sectors.

A regulatory perspective

There was an explanation of why the Bank of England is interested in this issue and what they expect Boards of Financial Services companies to be doing.

As a regulator, the primary interest is in safety and soundness. This includes climate change since it is a source of financial risk due to both the physical risks and the transition risks to a low-carbon economy. It is also important to note that climate change risks are arising now and this is therefore not just an issue for 2040 and beyond. For example, weather related insurance losses have already increased by a factor of 5.

However, climate change risks are different and need a different approach because:

• the financial risks from climate change are far-reaching and will affect all sectors and geographies

• the risks are eminently foreseeable – some combination of physical or transition risks will arise and it is incumbent on Boards and companies to manage these

• the size of future risks will be governed by actions taken today (which Mark Carney referred to as ‘the tragedy of the horizon’).

The above means that concerted action is required now from all parties to minimise future financial risks and “it is better to be roughly right now than precisely right in the future”. The Bank of England launched a consultation in October to consider an enhanced approach to managing climate change as a financial risk.


As regards the Board’s role, Board members should:

• recognise that climate change is a risk that affects all aspects of business

• be forward-looking

• be grounded in the long-term financial interests of the organisation

and above all do something.

Boards can start by:

• being clear as to who is accountable – the Bank of England has asked banks and insurers to identify the senior manager responsible for this

• integrating climate change into business as usual risk frameworks and policies, while recognising how the risks are different.

Board level debate is key but not easy as it involves translating climate change science into macro-economic and ultimately financial outcomes. Companies and their Boards may therefore want to pool best practice with others.

Views of a NED (and former investor)

Even with a reasonably good grasp of climate change issues, the role of a Board member is hard as the ‘how to’ manual does not exist. Something is needed to plug this gap and the 8 principles plus their supporting questions are a good contribution to this, particularly in helping Boards to go beyond disclosure and form.

Many Boards are crafting climate change ‘ambitions’ or ‘visions’ with a 20-30 year horizon, yet the standard Board meeting agenda often fails to reflect this, leaving decision-making to carry on very much as before. The long-term climate transition strategy needs to underpin near and medium-term planning, and therefore needs to be integrated across most, if not every, aspect of routine Board decision-making.

Further follow-up work will be needed to give Boards the practical tools to implement the 8 principles, particularly as directors need to reconcile their obligation to operate “in the world as it is rather than how they might want it to be” with a growing awareness of the scale and urgency of the climate challenge. However, just as investors have no choice but to work together to lift market practice, so too will companies need to develop new and creative ways of working with peers, stakeholders and policy makers.

Corporate leaders may have to adopt a different stance in running their business. NEDs therefore have the opportunity to support CEOs and executives in pressing for change in the context in which they operate. There are 3 of the principles which touch on the role of Boards in influencing the policy context – policy setting, disclosure and interaction with stakeholders. Just fixing individual companies in isolation will not be enough, firstly because doing so risks putting front-runners at a competitive disadvantage, and secondly because isolated action by leaders will fail to solve the climate challenge. There needs to be a broad, coordinated effort.

Open forum Q&A

There is no doubting the call for action but, if no single Board/organisation/industry can effect change by itself, is the government doing enough?

Government could set a regulatory context to drive change, e.g. setting the carbon price at $100 rather than $10, but often have a short-term eye on opinion polls. There need to be policies to reward companies who do the right thing. Funds exist for the right investment but the government is not ambitious enough. Providers of capital need to think about the long-term risks to which organisations are exposed as the power of money is immense and there is not enough time to wait for the government to act. The Bank of England is intending to initiate a system wide stress testing of institutions. Government may be falling short, largely because politicians need to get reelected, and like the rest of us, are confronted with the tragedy of the horizon that Governor Carney described. However, business cannot let this be the reason for no action. Business has to show leadership and NEDs have a critical role to play in driving this.

Public reaction appears to be missing – why are people not saying they will not do business with companies that do not embrace and address the climate change agenda?

This may in part be due to information not being shared properly/enough. For example, on the WEF global risks report, climate change is only second to weapons of mass destruction and is ahead of cyber risks but most people will be unaware of this. In developing countries, there is almost no information flow. Part of the thinking behind the TCFD was that if risks are disclosed, investors will make the right decisions. In addition, the generation growing up now does not want profit at all costs. An example was given of an upcoming strike by school children in protest at inaction on the climate change agenda.


3-4 degrees = current global warming path

10-12 years to effect change in order to limit this to 1.5 degrees

Open forum Q&A (Continued)

To what extent is it helpful for companies to use a ‘shadow’ carbon price?

There was a sense that using a shadow carbon price in investment decisions does not change those investments sufficiently – particularly when only operational emissions are considered. Regulated compliance carbon pricing systems are more effective at changing investment decisions. Nevertheless, if no carbon price at all is used, it suggests that a company is assuming there is zero impact which is clearly wrong. The problem is often that companies are not doing the analysis in the right way and need to look at the broader impact of a carbon price on the economy. A suggestion was also made that long-term decisions should be viewed in the light of expected policy tightening in this space. Boards need to think creatively about their supply chains in terms of both a realistic carbon price and possible disruption.

If the premise that climate change requires the most radical action Boards have to deal with is accepted, and yet they are not operating in a context that allows them to take radical decisions to move things forward, how do you build the required coalition?

Discussion between Boards and investors is critical to give Boards permission to take the necessary decisions and invest in new technologies that could change things. For a period of time, there will be a disconnect between what is required and current policies but, if Boards understand that there will be a sharp correction at some point, it is possible to get ahead of the curve. Sector based approaches are needed to fill the gap policy makers will leave. Financial risk will be an important driver in taking the conversation to people who will bear the risk. The first step of getting this on the Board agenda can be difficult but the executive team should be prepared to respond to NEDs challenging on this. Incentives also need to be a combination of short, medium and long term. Pressure is needed from all angles to drive progress.

Often with opportunities there is talk about ‘first mover’ advantage but nobody seems to want to move first on this.

Investors need to be more seriously concerned about this and the 4 degree issue needs to be discussed. The global carbon budget is finite with only about 10-12 years left. Conversations with management need to be about both risk and opportunity. Bringing climate risk within regulatory powers could make a difference and cause a reallocation of capital to those who are responding. Mark Carney recently said that there is more commitment than action and evidence is currently being gathered to demonstrate that more action is needed.


The potential impact of automation on jobs

There are many worrying numbers quoted in the media about robots stealing people’s jobs and PwC’s estimate is that something like 30% of current jobs might be at risk of automation over the next two decades. In addition, it is important to note that being at risk of automation is not the same as being automated. In many cases, it will only be certain tasks within jobs that are automated, rather than the whole role.

In fact, automation may not progress as fast as the technology could permit due to barriers such as cost, legal and regulatory issues, societal acceptance, etc. However, even if it is only 20% of jobs that are affected, that could still be around 7 million workers in the UK so it is not an insignificant number.

Nevertheless, we estimate that around the same number of jobs could be created by AI and related technologies over the next two decades, so the net effect on total UK employment may be largely neutral over this period. Around 5% of today’s jobs did not exist at all 20 years ago and although we cannot foresee all the roles that will be needed in future decades, there will certainly be some entirely new jobs created. New technologies will also boost the productivity of existing jobs which has been relatively low in the UK for some time. This could lead to lower prices and so give consumers more money to spend on other goods and services which will in turn create new jobs to produce those things. Profits from the new technologies may also be reinvested which will have a knock-on effect on economic activity and employment. The extra jobs will tend to be in service sectors like health which are in high demand but less easy to automate.

Overall we estimate that AI and related technologies could boost UK productivity by around 10% in the long run. With employment broadly unchanged, GDP could also be boosted by a similar amount.

Whilst automation is unlikely to lead to mass unemployment, it may exacerbate existing large inequalities between highly educated/skilled workers and lower skilled workers doing more routine roles, as well as between London and the regions. In response, we need to be equipping people with the skills to make them complementary to machines, such as emotional intelligence and social empathy.

Business may need to retrain people within industry sectors. For example, a truck driver may need to be trained to work in an operations room, as self-driving trucks take over, or retrain as an engineer to service the trucks. The people who are perhaps the most vulnerable are the younger generation who need the right training to get into the workforce and the older workers who need access to lifelong learning to upgrade and adapt their skills as technology advances. Research for PwC’s Golden Age Index report suggests that, if the UK could match the employment rate of 55-69 year olds in New Zealand, GDP in the UK could increase by around £180 billion in the long run. With an ageing population, this is an increasingly pressing issue.

Individuals need to take personal responsibility for reskilling but this needs to be supported by the government, educational providers and business.

The future of work

People will still be an important part of the equation. Digital is not just about technology but also humanity. The ‘Future of work’ survey undertaken with CEOs globally found that the skills gap was in their top 3 issues and is important to both the strategy and longevity of a business. Much of this is about having the right mindset, skills and behaviours along with an understanding of the problem that the organisation is trying to solve.

Looking ahead to future possible worlds of work, the PwC view is that automation will eliminate tasks rather than whole jobs. However, the predictability of any 3 year planning horizon is becoming more difficult and there is a need for agility from individuals, leaders and organisations. In thinking about advising children and grandchildren regarding skills that will be useful in the future, it will not just be all about technology. Softer skills such as empathy, emotional intelligence and ethics will all be important.

Making sure there is access to the right skills is not only an organisational issue but is also societal. In Luxembourg, a project has been undertaken whereby individuals are reskilled within a particular organisation in order to be able to move to another company. The research that was performed 12 years ago had similar findings to the refresh 12-18 months ago in that the skills agenda is a critical part of the debate and we all need to be thinking about this issue now.

PwC as an example of an organisation disrupting itself

PwC has created a new role of ‘Head of workforce strategy’ in response to the workforce of the future findings. The key aim of this role is to focus on the future of work within PwC and the interventions that may be needed. There are two main elements to the role:

• working with the Executive Board on vision and strategy for the workforce

• the supply side of the HC function with overall responsibility for sourcing, including student recruitment, experienced hire, contractors, etc.


There are currently 5 key strategic priorities:

• building a capability for strategic workforce planning to model the ‘what ifs’ and the skills needed as a result

• a sourcing strategy which has a number of elements including a flexible talent network which received a degree of media coverage in terms of the 'name your working hours' initiative, attracting 3,000 applications, and the tech apprenticeship scheme funding people through university to do a STEM degree which also helps to promote social mobility and has attracted double the 15% rate of female applicants for STEM courses nationally

• establishing a contingent workforce, partly using agencies, whilst managing the compliance risks and being conscious of the Taylor review and Inland Revenue implications

• deploying PwC people onto jobs which is a complex exercise given 20,000 people and 25,000 clients and which PwC is using an algorithm to optimise – this has driven up productivity and smoothed utilisation, as well as bringing benefits in terms of giving people choice, dramatically reducing travel time through the incorporation of postcodes, eliminating bias, etc

• technologies used to track, assess and onboard people – student recruitment has moved largely online with matching of capabilities, game-based assessments, online interviews, etc and has seen a rise to 65,000 applicants, possibly partly due to the 24/7 access to the recruitment tools.

Open forum Q&A

Technology brings a range of options, from augmenting human skills to replacing them, and the PwC recruitment process seems to be moving more towards replace – what are the results showing to date?

Students like the new process and shortlisted candidates still go through to an Assessment Day where there is human interaction and observation. The first interview is via iPhone but humans are still reviewing this and helping the AI to learn. The AI part of the first interview process will not be switched on until September once it has been through many learning iterations.

In the Luxembourg project, how do you ensure that any ‘dividend’ is not frittered away?

This involves working with large corporations in Luxembourg on strategic planning. The project looks at what is needed now versus in the future and then the reskilling/transfer of skills necessary to fill the gap. It requires organisations to collaborate and government and regulated industries to want to solve a problem. This could also be done on a sector basis.

Can a government with short term views really put together social policies for the future?

The time horizon required is probably 3 electoral cycles. A lot is heard about ‘the race for AI’ and China is investing $150 billion in training 100,000 AI professionals which it is expected will give China a 26% GDP boost. There have been some helpful announcements from the UK Government but it is not yet fully where it needs to be.

Implications of Artificial intelligence (AI)

There has been an awakening across business and society and AI is now a hot topic rather than a niche area, as it was previously. However, the portrayal of AI in the media is often not helpful with polarised views. Some see utopian benefits of unleashing the power of AI to solve all the world’s problems whereas others have a dystopian view of AI being the end of the world as we know it.

These extremes do not help with understanding where the risks are. Organisations and their Boards need to think differently and start taking decisions. As AI and other technologies are applied to business use cases, risks start to arise. There may be some areas where a deep understanding of the application does not matter, e.g. Netflix, and others – such as healthcare and the criminal justice system – where knowing the governance that has been applied is really important.

Boards need to hold their executives to account to ensure that technology is applied appropriately. There have already been troubling examples in 2018 where things have started to go wrong due to bias and other issues.

The UK government is very focused on the AI agenda and has £1 billion of funding to develop this area. However, the UK is up against the might of China (in terms of its sheer number of people) and the US (in terms of the concentration and strength of Silicon Valley). The UK’s focus has become one of leading on the ethical stance, putting standards in place, etc.

It has been estimated that AI could boost the UK economy by 10%. AI can undoubtedly build trust and lead to growth but it needs the right controls in place to avoid risks and sanctions. Boards have a role to play in holding their executive team to account and ensuring they are working appropriately with vendors and others.


Open forum Q&A (Continued)

Does automation drive a productivity gain because machines are cheaper and do not strike or does it create a more virtuous circle?

It is a combination of existing activities being more productive, new goods and services being created and prices being lower which means consumers can buy more.

What should Boards be asking of their executive teams in terms of AI?

In the recent CEO survey, 72% said they think AI will substantially impact their business but only 2% have currently incorporated it so there is a gap between aspiration and reality which businesses need to unpick. An emerging tech savvy Board is becoming increasingly critical. This is not just because of workforce strategy but also due to other aspects such as competition. A good question to consider is what would happen if Google or Amazon moved into your market. AI is not a magic solution for everything and companies need to look at areas where it makes sense. Business also needs to consider other innovative technologies, not just AI. However, this is not being sufficiently debated in Boards and it feels a bit like where cyber security was some time ago. Finding the practical expertise to help Boards discuss this agenda is difficult.

Often in organisations, things still revert to the old world of IT, HR, etc, and the right people are not necessarily in the room to shape the debate.

Jon Andrews, a technology specialist, was put on PwC’s Executive Board for this reason and also put in place a shadow technology Board of ‘bright, young things’ to advise him. Care needs to be taken though, as some that have the technical knowhow do not have the right influencing skills.

Having conducted interviews for selection, the process can be haphazard – presumably AI based on good data can be helpful.

Yes but bias can still be built into AI and organisations need to avoid this by not switching on the full power of AI too soon.

What advice do you have on how organisations can identify the soft skills that will be needed and develop them?

There needs to be somebody with a role accountable for this, along with an understanding of the skills the workforce has currently, including the softer skills. There then needs to be a degree of scenario planning regarding the shape and size of the business and which tasks may be replaced by AI. The issue is that many organisations do not have the base data on skills to do the gap analysis. At PwC, every employee had to profile themselves and this exercise was locked into the annual compliance process. People generally want to realise their potential and will therefore engage.

How can Boards ask the right questions when many entered the workforce in the days of the fax and find it difficult to keep their expertise up to date, plus effort is required to get this on the Board agenda?

In order to drive the Board agenda forward, there is a need to create a degree of excitement around new technologies. NEDs do not need to know all the answers but need to know the initial questions to ask and the follow-up ones. Upward mentoring can also be helpful in this area.

Is there any experience of an Advisory Board of heavyweight technology experts who feed into the main Board working well?

The UK Government has done this to some extent with a Board of AI experts including the founder of Google DeepMind. Not many corporate Boards have done this to date, although some have added a ‘technology’ individual to the Board. A tech Advisory Board would need careful managing but could provide some useful horizon scanning. Some ‘digital individuals’ who have been appointed to Boards have not made a huge contribution as their focus can be very narrow.


There has been plenty of evidence in the past of society bringing something in and then realising the unintended consequences. How can this be done more intelligently for AI?

There is already some work being done around anticipating regulation. The UK Government is bringing in a rich mix of individuals who are asking for regulation to raise standards. Businesses need to engage in this discussion. There is a question as to whether any regulation in this area can work on a territory by territory basis or whether it needs to be ‘supra’ and operate across territories.

Is there any point in the UK pursuing an AI route given the gap that China is likely to open up?

Technology advancements do not always proceed in a linear manner, e.g. Africa leapfrogging developed countries in terms of going straight to mobile technology, including for banking, so there should be opportunities to make progress. The issue is that most Boards in the UK are not asking the initial questions.

In conclusion, one NED noted that there are enough examples of automation across certain industries in the UK for the story to be told to Boards of the risks that had to be overcome. This would help Boards as business is not starting from a base of no knowledge and companies could learn from those that have gone before.

c30% of current jobs may be at risk of automation

14% of global GDP could come from AI, robotics and other ‘smart automation’ by 2030

37% of workers are worried about losing their jobs due to automation


Definition and context

The session began with some context-setting, explaining what AI is and, also, what it is not. Despite media hype, AI is not about malevolent robots looking to take jobs and ultimately wipe out the human race but rather machines that can perform tasks that would usually be done by humans. AI is a system that can:

• sense data (i.e. take in sensory input)

• think about the information it has received (using mathematical processing at high volumes)

• act on it

whilst learning as it iterates repeatedly through the process above.

As a simple example, some internet search engines are more effective than others because they have been available for longer and exposed to more training data (search requests) – indicating that first mover advantage in terms of data collection can be powerful in the machine learning space.

In simplistic terms, there are two types of human tasks – thinking and doing. The ‘doing’ tasks (e.g. data transcription, template completion, administration, compliance) can be automated with data engineering tools and Robotic Process Automation (RPA) whilst the more ‘thinking’ tasks (e.g. knowledge retrieval, diagnosis, anomaly detection, narrative generation etc.) can be augmented with AI. This is potentially more revolutionary but in many cases will continue to need some human intervention in the short to medium term.

AI currently still has shortcomings. As an illustration, Ernest Hemingway was once challenged to write a novel in less than 10 words and came up with ‘For sale, baby shoes, never worn.’ AI would literally translate this as an advert for unworn baby shoes whilst a human would read into this the back story of love and loss. When considering the skills mix in the workforce of the future, it is therefore important to focus not just on technology skills but also those uniquely human skills that machines find it hard to replicate. Emotional intelligence, creativity, teamwork, ‘common sense’, dilemma resolution etc are not likely to be replaced in the short term and are likely to be in even greater demand as the use of AI increases.

AI can be implemented with different levels of automation:

• Assisted – helps humans perform tasks faster

• Augmented – helps humans do things better but there is still a human in the loop

• Autonomous – replaces humans altogether.

As an example of augmented AI, machines can be trained to spot signs of TB in X-rays. However, this does not currently lead to full automation as there is still a human making the final decision, delivering the diagnosis to the patient and deciding on the appropriate medical intervention.

AI often depends on the availability of vast amounts of data in order to drive meaningful insights. An organisation building and deploying an AI system does not necessarily need to own all of this data, but it is an advantage for organisations to control at least some proprietary datasets that contribute to the accuracy and effectiveness of the AI system (“the secret sauce”). Otherwise competitors will find it easier to replicate the solution.

The science

AI is all about developing new tools from old building blocks at massive scale. What is ‘under the hood’ includes tools such as:

• basic statistics

• simple regression

• complex regression

• decision trees

• Bayesian algorithms

• deep learning

• clustering

• classification

• natural language processing

• time series modelling

• optimisation

• simulation.

The above are used in conjunction with segmentation, correlation and probability.

The most common business use cases of AI techniques are as follows:

• Machine learning – predict/classify/detect anomalies

• Deep learning – interpret audio, images, video signals

• Natural language processing – reading and writing

• Conversation and logical reasoning – Chatbot, multi-step logic and diagnosis

• Simulation – complex system scenario analysis

• Optimisation – optimise use of scarce assets.

Machine learning underpins a large proportion of AI currently in production. Machine learning is a broad term which covers a multitude of techniques that use large amounts of historical data to understand the relationship between drivers and outputs. Deep learning is modelled on the human brain using multiple ‘synapses’ and ‘nodes’ to interpret complex sets of input data. It is particularly helpful where there is a need to understand unstructured data such as images or video. Chatbots can be used to create human style interactions around Q&A, for example, in a customer contact centre. Recent improvements in technology have both brought the accuracy of voice transcription close to human levels and facilitated the introduction of complex, multi-step logic to the ‘conversation’, allowing these systems to deal more effectively with more complicated ‘multi-layer’ questions.


Ethics and regulation

Many ethical discussions that come up at AI conferences can be along the lines of:

• Do robots have rights?

• How can machines be taught morality?

Whilst these ethical questions may be important further down the line, there is a more immediate need over the next 5 years to deal with areas such as data rights and privacy, contracts, and standards and regulation. Technology is moving fast in this space and businesses are demanding a reliable framework to manage these systems.

Ethical questions needing a more immediate answer include:

• Does the AI do what it says on the tin?

• Does it give extreme or unexpected outputs?

• Is it transparent and explainable?

• Am I allowed to use this client data?

• Am I using the right technology?

• Is it biased?

The latter is an important consideration as trained systems can assume the biases of the humans who have trained them.

As an illustration, a deep learning system was trained to give an ‘objective’ assessment of human beauty by being shown thousands of pictures rated from a scale of 1-100 of beauty. The system was, however, found to be discriminating on the basis of ethnicity as the team had not been ethnically diverse. (Furthermore, had the team been more gender diverse, they would probably not have decided to build such a system in the first place.)

There is not yet a single generally accepted code of conduct/standards in this area but businesses are beginning to demand guidance. Given the ethical and regulatory issues, PwC has developed a ‘Responsible AI framework’ which was talked through during the session. It is important that this is not a ‘one-off’ process but includes constant operating and monitoring as the AI system will learn and develop over time.

There are, however, ethical considerations in terms of accuracy, transparency and morality which sometimes involve trade-offs. Much of the early academic and commercial development of AI and machine learning was focused primarily on accuracy, with less attention on transparency and ethics. However, organisations are becoming more aware of these trade-offs, and in some cases opt to use techniques that may provide slightly lower levels of accuracy but allow a higher level of transparency over how the machine has come to certain decisions. For example, a deep-learning AI system could be used for mortgage approval and may have been proven to be highly accurate at risk scoring over an extensive historical data set. However, when an individual customer applies for a mortgage, it may only be able to tell that person that they were rejected because they scored 7.2 out of 10 and not the 7.8 or more required, without being able to provide any human-interpretable explanation. This is clearly not beneficial for customer relationships and would be unacceptable under GDPR.

PwC case studies

Three examples were discussed to illustrate how PwC has made use of AI internally.

The first was our staff resourcing system which has all sorts of variables needing to be considered, e.g. experience, continuity, travel time, utilisation, etc, leading to many millions of possible permutations. AI is used to come up with the optimal allocations which are then still reviewed by humans as a sense check. This has led to material efficiency savings in the form of increased utilisation, reduced travel time, fairer allocation of work, etc.

In our Sustainability and Climate Change practice, interrogating a range of documents using natural language processing has enabled the team to answer the question “To what extent are the world’s largest companies complying with their climate change reporting obligations?”. A task that would previously have taken days to complete with staff going through piles of documents now takes a few minutes to compute.

As a final example, a new product has been developed to automate B2B credit scoring by training a machine learning model to understand how both financial indicators and text based media stories influence corporate ratings. The system then uses a natural language generation engine to process the data into a draft credit report template with a flowing narrative that looks as though it was written by a human being.

Points for NEDs to consider

The session concluded with a number of points NEDs should consider based on our own experience of AI:

• Avoid shiny toys – the key question is what is the business need and is this the right tool?

• Understand and control the scarce assets – e.g. the right data and the right people.

• Be clear whether AI is a capability or a product – often it is a capability that will facilitate the enhancement of existing products or processes.

• Know when to make versus buy – taking into account issues such as credibility, IP ownership, cost of switching provider, speed to market etc.

• Avoid the cost plus trap – in industries like professional services, AI can make many processes more efficient, but it requires up front investment. This changes the business model to one of higher fixed cost and lower variable cost.

• New risks, new governance – as well as huge opportunities, AI creates new risks (model ‘drift’, new avenues for cyber attack, etc.). Like all tech risk, these can be controlled but they require a different governance framework to mitigate the risks.


Open forum Q&A

In the PwC example given of resource allocation, how did customers and employees respond?

Effectively the use of AI in this area has been invisible to our clients. Employees have responded very positively as the system has produced better and fairer outcomes.

What about the matching of personalities with clients?

This is where the human overlay at the end still plays a part. The system does not negate the need for all human intervention.

Is this resourcing tool being used to feed into the recruitment process and has consideration been given to licensing it to others?

In terms of recruitment, there will be future developments to look at areas such as personality characteristics and how these impact subsequent attainment in the business. The optimisation model will likely be deployable with clients but the firm has taken the view that we need to ‘do it to ourselves’ first in order to be able to offer it externally with confidence. After all, you never see a tattoo artist without tattoos!

How can transparency be built into an AI tool measuring credit risk that is built around neural networks?

This is an example of where a degree of accuracy may need to be sacrificed in order to provide greater transparency, e.g. tree algorithms provide a greater degree of transparency than deep-learning. With deep-learning, there is a considerable degree of academic interest in finding techniques to enhance transparency. It is possible, for example, to look at a range of perturbations in inputs and then observe the impact on outputs, in order to provide a level of transparency and counterfactual comparison.

How can trust and confidence in AI be built?

Track record is important and will build over time. Most passengers don’t really understand how jet engines work but planes are trusted because they have been flying for a long time with very few incidents. With AI, there is probably a need to start with lower impact use cases and then move to higher impact ones as trust develops. There will be a gradual movement up the criticality curve over time but humans will still need to be included in the loop initially.

Will AI ever be perfect?

It is unlikely that perfection will be reached but AI will produce better results than humans. It may, however, only be widely accepted when it has proved significantly better than humans over a period of time. Often public perception of a technological development and the scientific reality can be different.

Organisations often have varying qualities of data – how good does it need to be?

This depends on the use case and issues such as criticality, the need for a high degree of accuracy, etc. 75% of the effort in an AI project is often around the data collection, aggregation and preparation, although machine learning is starting to be used to improve this process too.

Why wouldn’t people want to take advantage of AI in medical uses, cf the example X-ray, when an infinitely greater supply of data can lead to better diagnosis than relying on one GP?

Agreed but not all people are yet on board with this way of thinking. Interestingly, 1000 people within PwC were recently invited to take part in a range of cognitive tests as well as 24/7 monitoring of physiological and biometric indicators of stress. This would be used to measure the relationship between cognitive characteristics, diary events and stress response. We were not sure what the response would be like but the 50 available places ended up being taken within 20 minutes. However, there will probably have been many individuals who would never want to take part in an exercise like this (which is absolutely fine). In many ways this is a societal rather than technological issue. Also, we need to think about AI as being able to perform individual tasks rather than whole jobs. For example, patients may be happy for a highly accurate machine to diagnose an illness but would probably prefer a qualified human being to break the bad news and talk them through options.

Are there legitimacy issues in using data, particularly vis a vis GDPR?

Some people are willing to give data away for free but we cannot assume this will continue for ever and it certainly does not cover everyone. This is where value exchange is likely to become a key issue – ‘give-to-get’ – and technology may ultimately allow individuals to monetise their own data. In the PwC staff monitoring example above, individuals clearly decided that the value exchange in terms of the detailed personalised report they would subsequently receive was worth signing up to provide their data.


Open forum Q&A (Continued)

Which companies have organised themselves best in this space?

It tends to be organisations in sectors where there are large amounts of data available and where a small change in the accuracy with which it is interpreted can bring about big improvements, e.g. financial services, large retailers, etc.

How can small organisations dip a toe in this space to build up confidence without incurring huge costs?

The AI field is still in ‘Savile Row’ mode rather than mass production but over time more tools are likely to become available off the shelf, e.g. chat bots for FAQs, customer churn modelling, etc.

Could AI be used to make productivity improvements in the public sector?

Undoubtedly but data quality and availability will be the challenge. There may be a significant amount of unification of existing systems that needs to happen first.

How many jobs will be lost?

In past industrial revolutions, the total level of employment has remained relatively constant but has migrated to different jobs over time. We think this is what will happen with AI. It is always easier to predict the jobs that will be threatened than the jobs that will be created, but there are likely to be many new jobs that we cannot yet envisage. That said, there is always a degree of friction when moving from one paradigm to another, which may lead to material increases in unemployment if the rate of technology disruption is rapid. This also has policy impacts in terms of education, retraining and re-distribution.

How do organisations deal with the fact that there are a limited number of data scientists and they are in huge demand?

In PwC’s case, there has been a recognition that a lot of this expertise is in young people and there is a need to pay well to attract and retain them. Additionally, projects have to fall in the intersection of what is interesting to these individuals to work on and what is profitable for the firm. Training existing people is important but we need to recognise that these skills are not an overnight ‘respray’ job.

Who should regulate this and how?

The regulatory environment is nascent and there are multiple institutions, professional societies and academic networks working together to try and address the issues. Regulation may require scrutiny of people, companies, and software, although we are likely to continue to see industry regulation taking an important role, particularly in safety critical fields. PwC is spending significant amounts of time with the regulators to understand the new opportunities and threats created by the technology, for businesses, consumers and society.

What is the positioning of the UK versus the rest of the world in the AI space?

There is an interesting debate about which economic model is likely to lead to the most successful development of AI – a laissez-faire capitalist environment that allows hundreds of start-ups competing against one another or a centralised economy that can marshal large-scale resources and focus them in one area. In many fields, the UK has historically been better at idea generation than subsequently industrialising these ideas. We need to think about the impact of this phenomenon, particularly given the first mover advantage that exists in many areas of machine learning. If the future market landscape is to be characterised by a handful of unassailable behemoths and hundreds of smaller niche organisations, the UK should put some consideration into where and how it will play.

up to 10.3% increase in UK GDP by 2030 as a result of AI.


Introduction

Profiting from integrity is growing in relevance as a topic, particularly in view of the FRC’s recent pronouncements in the revised UK Corporate Governance Code. This now requires Boards to 'create a culture which aligns company values with strategy' and to have 'greater board engagement with the workforce to understand their views'. The new recommendations are challenging to respond to, particularly in view of the growing disconnect between business and society.

Why is profiting from integrity important?

Heightened integrity delivers superior profitability. There is a growing body of empirical evidence to support this. In particular, Edmans's rigorous statistical assessment of the 100 best companies to work for in the US demonstrated that, over a period of 10 years, they delivered stock returns 23%-38% higher than their peers. A number of other business books in this area have also reached similar conclusions. However, the integrity has to be proactive and strong – hence heightened integrity – for superior profitability to be delivered.

What to do in order to profit from integrity

In order to profit from integrity, a company needs to adopt the pro-integrity business model, which is based on the direct experience of senior business executives. It consists of the following six processes:

• Stakeholders – identify and value the specific connection that matters

• Vision – set out an aspirational and motivational vision for staff that also meets a societal need

• Integrity – embody an integrity and compliance ethos in the business

• Leadership – ensure leadership’s moral compass demonstrates the right tone from the top

• Staff – deliver radical staff engagement and communication

• Feedback – proactively close the feedback loop between management and staff.

The key stakeholder in terms of delivery is staff. In addition to an aspirational and motivational vision, employees want an emotional connection and job fulfilment. This requirement is best met by including in the firm's vision the aim to meet a societal need.

Application of pro-integrity business model to case study company

The case study company, Hamworthy Combustion Group, designed, engineered, assembled, installed and commissioned combustion burners for the downstream oil and gas sector and for hot water and steam raising. The value of individual orders ranged from US$50,000 to US$10,000,000. The company was declining and struggling when Alan was appointed CEO with:

• decreasing profits in an expanding market

• massive under investment

• a highly dysfunctional culture.

The demonstration of the application of the pro-integrity business model to the case study multinational focussed on three of the six processes – particularly, ensuring leadership’s moral compass demonstrates the right tone from the top, along with delivering radical staff engagement and communication, and proactively closing the feedback loop between management and staff.

As CEO, Alan set out to reset the leadership’s moral compass by demonstrating the right tone from the top. This was delivered through a number of elements:

Transparency

All Boards want honesty and transparency. The specific challenge faced by Alan was the entrenched disconnected interface between the non-executives, the CEO, other executives and staff, and Board meetings being rehearsed. To foster transparency, typical actions introduced were deep dives with executive teams and strategy away days. For the newly introduced international conference for all senior staff, there was no top table at the conference dinner. Instead, Board members rotated between tables for each course. A more open and transparent culture was thereby being introduced.

Compliance and integrity issues

Proclaimed values by leaders are not important to staff. What matters is employees' perception of leaders. To illustrate the ordinal impact on staff of a CEO's actions, four vignettes from situations Alan faced were presented. The first was a case of reactive compliance (i.e. not evading the law) that had negligible impact on staff. The second was proactive compliance (i.e. not avoiding a future likely change in the law) that had a low impact on staff. The third was a case of reactive integrity (i.e. cancelling an ill-conceived disciplinary process instigated by a manager) that had medium impact on staff and the final instance was an example of proactive integrity (i.e. pre-empting and resolving a situation on a point of integrity) that therefore had a high impact on staff.


Empowerment

Empowerment involves leaders giving power away for others to act on with the confidence that they will be supported. This was illustrated by a trip, in his first month as CEO, to the large loss-making US country office where the prior country manager had recently resigned and which would have to be closed down, prepared for a ‘fire sale’ or turned around. Alan appointed incumbent executives as general manager and deputy general manager and set them the task of coming up with a business plan, with the requirement that it would result in 'a business they would be proud of'. They did this and were then asked to present it at the first international conference as their own business plan, thereby demonstrating a marked change in empowerment from the prior leadership ethos.

Collaboration/driving work across organisational boundaries

The general challenge here for leaders is about delivering decentralisation and a reduced hierarchy for true empowerment and engagement of staff. For the Hamworthy Combustion Group, this need was accentuated with its dysfunctional culture compounded by its international growth from 16 offices across 13 countries to 23 offices across 19 countries. Two tools were developed. An online library provided staff with remote access to more than 80% of all core data and documentation held by the Group (e.g. 200,000 sets of engineer drawings, cost books for contract bids, 3D models, etc).

Its use was illustrated by the example of a customer visit in South Korea. Through consulting the client order and contract via the internet based virtual private network, it quickly became apparent that a reportedly faulty piece of equipment was due to the client's mis-specification of the part number on ordering it. A replacement part was able to be obtained within 24 hours.

The second tool was aimed at country managers 'defining and delivering their own destiny'. A highly specified 'Country Development Route Map' was introduced. Country offices could move up the value chain in structured steps in response to their increased specialised skills and expertise, within the overall strategy of the Group. Underpinning these tools was the introduction of a shift from a project based transactional approach to a relationship based approach between staff in country offices and HQ and between sales and project delivery staff. All now had responsibility and reward based on the output gross margin of sales.

Whistle-blowing

An atmosphere was developed whereby staff felt able to speak up about issues. This was illustrated by examples of management clearly addressing and being seen to discipline whistle-blowing cases, such as a country manager who had stolen a company asset (handled as an example of a compliance-based issue) and a senior manager's crude humour (handled as an example of an integrity-based issue).

Suppliers and customers

Most companies would prefer to engender reciprocated honest relationships with their suppliers and customers. Under the Group's prior leadership regime, when there were customer equipment issues (which could be caused by any combination of the equipment, the installer and the operator), there was an adversarial process of determining the fault and allocation of rectification costs in advance of any site visit to solve the problem. This was changed to a model whereby the Group investigated first and then issued a report with any billing being dependent on the findings. When Alan joined the company, a customer satisfaction survey showed that a third of customers were unhappy. Two and a half years later, there were no complaints.

Successful application of the pro-integrity business model to a company requires radical staff engagement and communication that is face to face and interactive for it to have traction. The comprehensive communication programme incrementally introduced to the Group was predominantly delivered face to face, with the interactive element being one of holding open forum Q & A sessions at the end of each session.

Closing the feedback loop between leaders and staff provides the tipping point process for knowing whether leaders and staff are aligned and if staff are empowered. The acid test here is whether staff ask, and continue to ask, management challenging and often difficult questions. Examples of challenging questions by staff to management were provided, including 'If we are so successful and growing, why are you closing some offices and making redundancies?'. The imperative is that leaders adopt a system whereby the feedback process is independent of management and is transparent to all staff. Otherwise, management can readily frame the presentation of questions and responses in such a way that they shape how they are interpreted by staff and thereby lead to a lack of transparency and trust.

Business results and societal benefits

Finally, Alan presented the financial and societal benefits from operating with heightened integrity. The Group's superior results included an 18% compound growth in profits. In order to add greater veracity to the pro-integrity business model and its application to the case study business, the results were benchmarked against two third party sources. The Big Innovation Centre's report on 'The Purposeful Company', (i.e. those operating with heightened integrity), set out a number of performance metrics that a purposeful company must achieve. Hamworthy Combustion Group delivered on all of them. Additionally, when benchmarked against the behavioural attributes used to identify the 100 best companies to work for in America, Hamworthy’s results were very strong.

Where companies are led and operate with heightened integrity this results in:

• stronger governance

• a fulfilled/empowered workforce

• reduced mismanagement and maladministration

• honest treatment of suppliers and customers

• more ethical behaviour

• reduced corruption

• greater market efficiency.

Business thus becomes a force for good for society.

Such an approach will also help to deliver on the FRC’s management intangibles outlined at the start. NEDs may wish to consider whether a single NED focuses on monitoring this or whether a Board integrity committee is set up to conduct a detailed review of the various areas.

Alan closed with the proverb 'if you think you are too small, try sleeping in a room with a mosquito...' to illustrate that even minor changes can make a difference.

To deliver heightened integrity and hence superior profitability, leaders need to:

• demonstrate the right moral compass

• create the right climate so that staff can take a stance regarding what is acceptable and unacceptable behaviour.

Open forum Q&A

How should a Board set the tone in terms of bullying/harassment?

A prerequisite for successful processes and systems is for staff to have the accountability and responsibility to report bullying/harassment. This can only be in place if leaders themselves continue to demonstrate the right tone from the top. Staff then see what is acceptable and what is not played out, such as an individual being dismissed for poor behaviour or individuals being supported when necessary. Employees need to feel that it is acceptable to speak out.

It is good that staff are viewed as the main stakeholder. How should NEDs get involved if they think there are issues with this?

This can be tricky as the NEDs are non-executive whereas the CEO runs the company. However, the Board as a whole plays a role in setting the tone and NEDs should get out in the company, and also get to know the echelon below Board level, in order to have a feel for what is going on. It is rare to have a dominant CEO and a dominant Chair who could provide a counter-balance at the same organisation, so NEDs should be prepared to step in as advisors if they feel there is a need as regards staff engagement.

Staff are definitely important but how should customer focus best be overlaid?

Undoubtedly colleagues, customers and suppliers all need to be treated as you would wish to be treated but it is staff who are on the frontline in the delivery of customer service. It is therefore difficult to get this right without appropriate staff engagement first.

There was limited mention of business ethics given the many different countries Hamworthy Combustion Group operated in.

Two thirds of the countries the Group operated in were probably in the wrong place on the Transparency International Index of perceived corruption. It was the case that bribes were offered by some suppliers and requested by some customers. This resulted in business being turned down and the Group refusing to operate in certain countries. The position is not helped by differences in US and UK bribery legislation with respect to facilitation payments for customs clearance.

The Group used as a case study was initially in a poor state and was turned into something better. Would a different approach be taken in a good business that starts to do badly due to external factors?

The pro-integrity model still applies in such a situation. Superior business performance would be expected when compared to peer companies in the same industry. This was partially illustrated by the case study company, where office closures and redundancies were made due to cyclical factors.

Given the earlier comment about rarely having a dominant CEO and dominant Chair at the same organisation, can you expand on this as it is not always the case.

Both can be dominant but need to be so in their different roles, i.e. the CEO in leading the company and its employees and the Chair in leading the Board and governance. An example where there were two senior and dominant individuals is Hanson and White, who had clearly pre-defined areas of responsibility.

Most businesses would say that they are running a pro-integrity business model, so how can a NED tell?

The acid test is whether staff are continually asking challenging questions and how management are responding to these. NEDs need to call on the company’s values as a basis for whether behaviours/incidents indicate that values are being lived out in practice.

There is something about a 'sniff test' but isn’t increasing corporate governance getting in the way of this?

Rather than designing and implementing new processes in response to increasing corporate governance requirements, it often makes practical sense to look at what exists already and nudge it in the right direction. It also makes sense to then apply the 'sniff test'.


Context

The workshop began with a look at the context for blockchain which is the current lack of trust in institutions. The fundamental principle of blockchain technology is trust but the technology will only be of interest if it can be used operationally or to encourage growth.

Change is now constant with various megatrends impacting the world, including:

• demographic shifts

• shifts in global economic power

• rapid urbanisation

• resource scarcity and climate change

• technological development.

Of these, technology is both the most disruptive and moving at the fastest pace, with eight essential technologies emerging ahead of the others – virtual reality, drones, blockchain, robots, augmented reality, 3D printing, artificial intelligence and the internet of things. Of these, blockchain is perhaps the most ephemeral as much of it happens 'under the bonnet' and is less visible than some of the other technologies.

Although blockchain may have started out in the Financial Services/FinTech world, it is now moving beyond this to many other sectors. In addition, although blockchain grew up in the West, its centre of gravity is now in Asia, and particularly in China. There are also more projects in Africa and other developing countries which are often born out of necessity. Cryptocurrencies are also proliferating, mostly coming out of Asia, and regulation is not keeping up.

Trust

Trust is fundamental to people and business and enables the bridging of the gap between the known and unknown. Technology is creating new ways for people to trust others by providing truth and transparency. In days of old, trust was local and based on a person’s reputation. Then trust gradually became institutional to enable global commerce. We are now in a highly connected world where trust has broken down and yet individuals still need to exchange value. Blockchain enables the establishment of trust between people, organisations or machines without trusted intermediaries, which enables value exchange. It therefore allows for more decentralised trust.

An innovation continuum exists from sustaining, (e.g. the incremental changes made to improve the results of the British cycling team), to the truly disruptive, (e.g. the invention of the smart phone). Blockchain has the ability to disrupt all transaction processing systems. It is not just about payments but could also be used for identity checks.

Bitcoin is one application of blockchain. As a network, Bitcoin is completely open around the world with anyone able to join and therefore uses a lot of energy. Other closed networks would use less. Although there has been some discussion about Bitcoin being used for criminal activity, this element is relatively small in absolute terms. Activity is tracked and traced on the network and there is in fact greater traceability than with a banknote. A lot of blockchain solutions are more secure than what exists today.

To join a permissioned network, Know Your Client (KYC) and Anti Money Laundering (AML) approval will be requested and there will still be the need for a governance structure. The difference is that it is the actors on the network who set the rules and validation checks apply at every node on the network. The challenge is around driving consensus on the rules of engagement.

The blockchain lens

Put simply, blockchain is:

• A ledger – a blockchain is a way of storing and sharing data between participants

• That is shared – everyone participating has an up to date copy of this ledger

• And where additions are agreed – additions need to be agreed upon by the majority.

In simple terms, how it works is:

• Someone requests a transaction.

• The requested transaction is broadcast to a peer-to-peer network consisting of nodes.

• A verified transaction can involve cryptocurrency and other digital tokens, records (e.g. of ownership/identity) or other information.

• Once verified the transaction is combined with other transactions to create a new block of data for the ledger.

• The new block is then added to the existing blockchain in a way that is permanent and unalterable.

• The transaction is complete.


A transaction between two individuals will be broadcast to all those on the network in an agreed structure. The consent of others is then needed to validate it. The role of intermediaries that may previously have done this can be hardwired into the rules of the network. It is therefore a centralised governance structure with a decentralised technology system. A lot of the technology has been around for decades and it is the consensus governance model that makes it useable.

The difficulties often come in getting the participants to agree the rules up front and the encryption can also be complex. Blockchain may therefore be used more in a B to B context than B to C, except for examples such as cryptocurrencies. Majority rather than unanimous approval is sought for validation to allow for occasional systems issues experienced by individuals, etc. One node going offline will not then take down the whole network.
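The steps and the majority rule described above, as an added Python sketch that is not part of the original report: each node keeps its own hash-linked copy of the ledger, votes on a broadcast block against agreed rules, and the block is appended only when more than half of all participants approve. The node names, account names, opening balances and the no-overspending rule are constructed assumptions for illustration.

```python
import copy
import hashlib
import json

OPENING_BALANCES = {"alice": 100, "bob": 50}  # constructed sample data


def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    body = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(index, prev_hash, transactions):
    return {"index": index, "prev_hash": prev_hash, "transactions": transactions,
            "hash": block_hash(index, prev_hash, transactions)}


def chain_is_intact(chain):
    """Recompute every hash and check that each block points at its predecessor."""
    for i, blk in enumerate(chain):
        if blk["hash"] != block_hash(blk["index"], blk["prev_hash"], blk["transactions"]):
            return False
        if i > 0 and blk["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def apply_tx(totals, tx):
    """Move `amount` between accounts; return False if the agreed rules forbid it."""
    if tx["amount"] <= 0 or totals.get(tx["from"], 0) < tx["amount"]:
        return False
    totals[tx["from"]] -= tx["amount"]
    totals[tx["to"]] = totals.get(tx["to"], 0) + tx["amount"]
    return True


class Node:
    """One participant holding its own full copy of the ledger."""

    def __init__(self, name, online=True):
        self.name, self.online = name, online
        self.chain = [make_block(0, "0" * 64, [])]  # same genesis block on every node

    def vote(self, block):
        """Validate against this node's own copy: link, hash, then balances."""
        tip = self.chain[-1]
        if block["index"] != tip["index"] + 1 or block["prev_hash"] != tip["hash"]:
            return False
        if block["hash"] != block_hash(block["index"], block["prev_hash"], block["transactions"]):
            return False
        totals = dict(OPENING_BALANCES)
        for blk in self.chain:
            for tx in blk["transactions"]:
                apply_tx(totals, tx)  # replay this node's recorded history
        return all(apply_tx(totals, tx) for tx in block["transactions"])


def submit(nodes, proposer, transactions):
    """Broadcast a block built on the proposer's tip; append on majority approval."""
    tip = proposer.chain[-1]
    block = make_block(tip["index"] + 1, tip["hash"], transactions)
    approvals = [n for n in nodes if n.online and n.vote(block)]
    if 2 * len(approvals) <= len(nodes):  # need more than half of ALL participants
        return False
    for n in approvals:
        n.chain.append(copy.deepcopy(block))
    return True


def demo():
    nodes = [Node(n) for n in ("bank_a", "bank_b", "bank_c", "regulator", "auditor")]  # hypothetical
    bank_a, bank_c, auditor = nodes[0], nodes[2], nodes[4]
    out = {}
    auditor.online = False  # one node offline must not stop the network
    out["accepted_with_node_offline"] = submit(
        nodes, bank_a, [{"from": "alice", "to": "bob", "amount": 30}])
    out["overspend_rejected"] = not submit(
        nodes, bank_a, [{"from": "alice", "to": "bob", "amount": 500}])
    # An edit to a recorded transaction no longer matches the stored hash.
    forged = copy.deepcopy(bank_a.chain)
    forged[1]["transactions"][0]["amount"] = 3
    out["edit_breaks_hash"] = not chain_is_intact(forged)
    # bank_c rewrites AND re-hashes its own copy: self-consistent, but it now
    # disagrees with every other copy and is outvoted on the next block.
    blk = bank_c.chain[1]
    blk["transactions"][0]["amount"] = 3
    blk["hash"] = block_hash(blk["index"], blk["prev_hash"], blk["transactions"])
    out["rewritten_copy_self_consistent"] = chain_is_intact(bank_c.chain)
    out["accepted_despite_dissent"] = submit(
        nodes, bank_a, [{"from": "bob", "to": "alice", "amount": 10}])
    out["chain_lengths"] = {n.name: len(n.chain) for n in nodes}
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The final chain lengths show the governance point: the offline node and the node with the rewritten copy are both left behind, while the three agreeing participants carry the ledger forward.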

There are four key characteristics that set blockchain apart from other technologies:

• distributed ledger – everybody has a copy

• cryptography – fully encrypted to increase security

• consensus – replaces need for a third party

• smart contracts – set of rules and procedures can be embedded in the technology which opens up business possibilities.

Bitcoin is a combination of technologies of which blockchain is one element – the distributed ledger – and was created to prove that there is no need for an intermediary, i.e. a central bank. Nobody has successfully hacked Bitcoin to date, although exchanges have been breached.

PwC 2018 global blockchain survey

PwC recently conducted a survey with 600 blockchain-savvy executives in 15 territories. 44% of these were C-Suite and VPs and 31% were with organisations with revenue > $1 bn. Some of the findings included:

• 84% of the executives say their organisations have some involvement with blockchain technology

• financial services is seen as the leading industry in blockchain (46%), followed by industrial products and manufacturing (12%), energy and utilities (12%) and healthcare (11%)

• executives think the US is most advanced in blockchain today but that China will be within 3-5 years

• 45% believe lack of trust among users will be a top barrier to adoption.

Public perception of the technology is important to its development and regulators need to play a key role in providing frameworks that support mainstream adoption. Regulators in Hong Kong, Singapore and Switzerland are beginning to look at this. In fact, regulators could potentially lead on the adoption of blockchain if parties do not have a choice about joining.

A blockchain lens

A blockchain lens can be applied in 4 main areas:

Digital currencies

This is where the blockchain technology was born with Bitcoin being a first generation cryptocurrency, although there are now many others such as Ethereum, Ripple and EOS. Other uses can be foreseen such as Insure coin, used in an insurance claim to ensure, for example, that the money is used to pay a mechanic to fix a car. Some large organisations are also looking at having their own internal currency to eliminate exchange differences between group companies.

Digital assets

Here the participant in a network would be able to understand the movement of an asset. This could be helpful for reasons of provenance, e.g. airplane parts or tracking and tracing in mining. If a regulator had 24/7 access to the network, this would change risk discussions.

Identity

This is possibly the key that unlocks most potential, although the network keepers will still have a role to play. There would need to be verification at the point of entry to allow access to the network but then it would be protected thereafter so, for example, KYC digital identity could be shared with different banks. The UK Government is currently grappling with what a digital identity might mean. It would require trust in both the gatekeepers and the network.


Smart contracts

Applications could exist in transfer of ownership, or in mortgages and loans, where there is a single source of the latest version. Once the rules have been articulated, process and logic can be applied to the data.

A number of real life proof of concept cases were explored but this has not yet moved to ‘industrialisation’, although properties are already being exchanged on a blockchain in other parts of the world. As noted earlier, the consensus mechanism for establishing the rules can be difficult to agree and the technology is still in its infancy in terms of scalability and speed. The sharing of the required information also slows adoption in some instances. In addition, regulatory requirements still need to be met.

As part of the ‘industrialisation’ process of blockchain, it is perhaps more likely that there will be a move from the ‘boil the ocean’ financial services applications to smaller elements in the non-financial services world as experiments to build confidence in the technology.

It is worth noting, however, that the move to execution can be quite simple once the proof of concept has been established and the rules have been set. It took 5-6 weeks to set up a test network for the Bank of England and so the execution period is relatively short once rules have been agreed.

Likely trends

Gartner are predicting that, by 2022, at least 5 countries (including one G7) will have issued fiat-backed crypto currency. Trends in this space are likely to be:

• increased regulation

• regulatory enforcement

• more institutional players

• new business models and innovation.

Conditions for blockchain success

Blockchain needs the right conditions to be successful as follows:

• Multiple parties share data – multiple participants need a view of common information

• Multiple parties insert data – multiple participants take actions that need to be recorded

• Requirement for verification – participants need to trust that the actions that are recorded are valid

• Intermediaries add complexity – removal of intermediaries can reduce cost and complexity

• Interactions are time sensitive – reducing delay has business benefit

• Transactions interact – transactions created by different participants depend on each other.

NEDs can ask questions around the above to ascertain whether blockchain is the right answer for elements of their business.

There are 4 strategies to navigate the new world and overcome blockchain’s trust paradox:

Make the business case: where and how to start

• commit to new ways of working

• frame the problem and the solution

• start small and then scale out

Build an ecosystem: new rules for new relationships

• focus on a cooperative few

• broaden your network

• work across the value chain

Design deliberately: determine the rules of engagement

• confront risks early

• consider privacy implications

• invest in data and processes

Navigate regulatory uncertainty: watch but don’t wait

• shape the trusted tech discussion

• monitor evolving regulation

• use existing regulation as a guide.

The technology is still maturing and the business potential of blockchain remains at an exploratory stage. It is, however, likely to be a disruptor to business models and so, whilst it is fine to be anywhere on the spectrum between being sceptical or evangelistic about blockchain, ignoring it is not an option.


$3 trillion a year in business value generated by blockchain in 2030

US$5,961m raised by ICOs in first quarter of 2018

10-20% of the global infrastructure could be running on blockchain-based systems by 2030

By 2022 at least 5 countries, including one G7, are likely to have issued fiat-backed cryptocurrency


Context

This workshop began with a look at the threat environment. We live in an era of rapid, revolutionary change enabled by technology. There is much greater consumer engagement via online platforms and more complex integrated supply chains with business partners sharing data, often via Cloud models. At the same time, there is rapid global knowledge exchange – innovation sharing and access to rich data sets among both external and internal communities, as well as changes to how we work and live.

Businesses now operate as players in a highly-connected ecosystem. These tight interconnections, with many processes out of an organisation’s direct control, heighten cyber risk.

In many ways this is an exciting time to be a business leader. However, there is a dark side to these exciting times with a dramatic growth in cyber threat over the last few years due to the greater attack surface that increased technology provides. Today there are more potential adversaries with more power, more access, more motivation and more impact. Often there are devices that could provide a route into a company’s systems that are not even considered, such as vending machines in offices. Other attacks can come through networks that individuals might connect to, e.g. breaching the Wi-Fi in hotels.

Managing information risk is critical as failures can lead to economic loss, reputational damage and, in some cases – e.g. industrial control systems – can pose risks to safety. Additional pressures come now that the General Data Protection Regulation (GDPR) is in force and individuals only have to cite distress, rather than prove financial loss, to claim compensation in cases of data loss/leakage. GDPR provides a good opportunity to invoke a culture change.

A diagram produced by the National Crime Agency showed the cyber crime ecosystem: criminals are increasingly organised and sophisticated, making use of the 'user friendly' tools of the digital world, both legitimate and otherwise, to create new criminal enterprises quickly and successfully. Tools once only available to nation states are often readily available for amateurs to download and, in some cases, even come with a demo and help function.

Current snapshot of cyber threats

The workshop reviewed current threats as seen by our clients, observed through our Forensic capabilities and reported by UK Government sources. Topical areas of concern include:

• a wide variety of attack vectors are now common worldwide (e.g. password attacks, ransomware, credential stealing, fake software, man-in-the-middle attacks)

• Distributed Denial of Service and credential attacks are relentless

• organised criminal groups adopting a more aggressive posture (extortion, ransomware, etc)

• increasing scale and sophistication of attacks, especially in financial services (exploiting business processes)

• state-related targeting and penetration (destructive attacks/industrial control systems, supply chains and professional service providers)

and this is being enabled by:

• vendors being sluggish to adopt robust controls

• increasing complexity in how we use/store data

• complicated politics, ethics and regulation (including GDPR)

• continued rise of technologies which are outside the reach of law enforcement.

More than 40% of all log-in attempts are malicious and political tensions are now mirrored in cyber space. Many attacks come from countries where there is no legal recourse and there is a large amount of espionage as well as pre-positioning for potential disruption.

The NotPetya attack was discussed as an illustration of particularly ferocious malware. It appears to have arisen through a compromised update to accounting software utilised throughout Ukraine and used unintentionally high access administrator privileges to spread in moments without human intervention. NotPetya rendered all of a company’s IT inoperable within a couple of hours including business systems, emails, company phones, etc. One organisation was run using WhatsApp for several days following the attack.

These newer attacks did not exploit unpatched software but the global architecture of systems and the control frameworks which should have separated parts of the business. Many companies that have grown via acquisitions have simply ‘plugged in’ new systems and so NEDs should query how IT has been integrated in acquisitions and whether organisations in higher-risk locations need access to the entire corporate network or can be ‘ringfenced’. NEDs need to understand what the risk appetite is in relation to bolting on acquisitions, having flat IT structures, etc.


There is also an increasingly hostile climate which encourages data theft. A number of media outlets and others have developed sophisticated tools which assist leakers to deposit large volumes of stolen data for public inspection. This can be helpful (in the case of whistleblowers) yet also damaging (e.g. where collateral damage occurs as a result of bulk exposure of commercially and personally sensitive data). The ethical complexities of cases like ‘LuxLeaks’, the ‘Panama Papers’ and the Wikileaks publication of Sony Pictures’ internal emails were considered.

Companies should look beyond their own systems. Direct attacks on customers, as the weak link in the chain, are increasing via:

• phishing, smishing (often using 'social engineering' or forged sender messages in an SMS thread)

• mobile phone takeover (by SIM swapping or data porting)

• misrepresentation.

Many businesses have a 'fraud' team and a separate 'cyber' team with different reporting lines, different skills, connections into different parts of government and different industry relationships. Government also separates 'fraud' and 'cyber' and manages them separately. There is a need to question whether this is still the right structure in an age where most communication uses sophisticated technologies.

Customer behaviours have also changed and, as they have a shorter expected response time, the conversion from being slightly unhappy to very angry happens more quickly. All of this is amplified in the social media space, often by influencers not directly affected. Additionally, criminals will rally to attack customers of a consumer-facing business directly at the first sign of a weakness and this can challenge the speed and capacity of any contingency plans. Organisations will have very little factual information about the issue when a breach is initially discovered and may also be having to respond to a long list of regulator’s questions while trying to investigate. How companies can better prepare for this painful simultaneous combination of loss of systems, lack of facts, spiralling reputational crisis, and increased criminal attention was discussed.

Implications for Boards and NEDs

The Board has a significant responsibility – to investors, regulators, insurers, employees, customers and suppliers, amongst others – to protect information assets. This covers everything that might be of value to other parties including:

• intellectual property, inventions

• financial integrity

• supply chain, process integrity

• customer personal data

• supplier commercial data

• market critical data

• pricing, sensitive algorithms

• safety critical systems

• … and anything else where failure would be embarrassing.

The richer the data, the greater the threat, and social media amplifies the risks. In some instances GDPR has been helpful in working out where an organisation’s data is, but this is just a first step in terms of cyber defence. People can also have very different views of the risk involved. With millennials the default position is to share. Part of the issue is that information resides in many places and the sheer volume of data is a real problem.

Cyber security is Board business. There is a close link between digital innovation and cyber risk and this needs to feed into the Board’s overall risk considerations. It is about risk tolerance.

The Board has a role to play in direction setting to:

• establish the risk appetite

• assess (and continually re-assess) the threat and its implications for strategy

• help management set values, behaviours, beliefs, limits and ethical boundaries

• help to solve ‘big’ questions of structure, strategy, pace, disclosure, ethics.

The Board needs to be supported in this by the top executive team – not the IT people – who can assess whether a step change is needed and drive pace, energy and culture. Executive management should:

• deliver a mitigation programme to close any gaps – at the right pace

• define policies and operate controls in line with the Board’s risk appetite

• appoint senior leaders (not just IT) with accountability and influence


• sustain insight and capacity across IT, Commercial and throughout line business

• develop an appropriate culture in line with the Board’s risk appetite.

In terms of the Board’s assurance role, directors should:

• inspect measurement systems for focus on the right outcomes

• assess strength and independence of assurance

• assess (and seek proof of) crisis readiness.

Boards are often at a stage of ‘awareness’ of cyber issues and are ‘updated at’ but need to move at least to a stage of ‘understanding’ where an appropriate risk appetite has been developed with management information that can drive real Boardroom conversations and choices.

A core issue is the skill set of current NEDs and committees, with many NEDs reporting that they feel uncomfortable with 'level 2 and 3' questions about cyber risk. We discussed both how to use existing skills confidently, and how to bring different NED profiles onto the Board to address the full range of digital age issues.

Framework of 7 cyber security governance principles

A discussion then ensued around what NEDs could do in practice to manage cyber risk. Seven principles were suggested to assess how well an enterprise is managing cyber risk, leading to a framework for structuring a Board agenda and having a meaningful cyber security conversation with the CEO.

At the heart of this framework sits:

Real understanding of exposure

This is a consistent and constantly changing issue which sits at the heart of cyber security. It needs to be a Board conversation about both threat and vulnerability, including issues such as:

• what data is held

• how likely is it to be of interest to others

• how many places do the organisation’s systems connect with the outside world

• what types of attack are common?

Around this core issue are:

• appropriate capability and resource (going beyond the IT department and also at Board level)

• holistic framework and approach (wider than technical and includes culture plus a real understanding of business processes, measuring cyber risk against standards and baking its assessment into decision-making)

• independent review and test (including outside opinions and the use of ethical hackers)

• considered approach to legal and regulatory environment (which is complex and can be conflicting so the position taken needs to be understood)

• incident preparedness and track record (important for investors as responding well can be brand-enhancing)

• active community contribution (sharing details of attacks with others externally as companies will not be able to defend themselves in isolation).

A simple toolkit for 30 minutes with the CEO was provided around these 7 principles as follows:

Principle 1: Real understanding of exposure

What sort of cyber risk do we face and how did we decide our priorities?

(nature of business and its supplier/partner ecosystem—scope of the data held—current threats—sources of intelligence—map of vulnerabilities and weaknesses in our IT)

Principle 2: Appropriate capability and resource

Are our skills up to the job and at the right scale?

(Board competence—top team taking ownership—CISO strength—Security Operations Centre capacity—security architects with skill and influence)

Principle 3: Holistic framework and approach

How do we assess whether we have 'done enough'—how do we judge our progress and the time it will take to get there?

(standards, frameworks—certification—integrated capability programme—release plan)

Principle 4: Independent review and test

What sources of assurance confirm that we are mitigating risks well and can do so at an appropriate level of pressure/volumes?

(NB not just IT controls: also suppliers/partners, employees, etc)

Principle 5: Incident preparedness

What scale of incident can we handle and what have we learned from previous 'near misses'?


Principle 6: Considered approach to legal/regulatory environment

What issues and business choices have arisen as we work on compliance with legal requirements in each country where we operate?

Principle 7: Active community contribution

When we encounter an incident, do we share that with industry peers, law enforcement and other agencies?

(NB conflict between GDPR/legal vs value from sharing incident data)

All of the above needs to be discussed with the CEO and not the CIO because:

• Cyber is (often) in the top five enterprise risks.

• Cyber involves most of the top team: Operations, Sales, Procurement, Risk, HR, IT, Digital, Commercial/Legal… and the CEO will want to set objectives for each area as well as arbitrate where there are collisions of priority or approach.

• Cyber raises hard strategic, structural and 'tone from the top' questions, e.g. 'Do we trust our staff?', 'How do we verify our suppliers?', 'Should we share data across business entities/offices/service lines/partners…?'

• Cyber mitigation may be expensive, and may require difficult tradeoffs which span the organisation (e.g. slowing new customer offerings).

• The whole top team—not just IT—needs to be 'match fit' to deal with a successful cyber attack.

• The market expects the Chair and CEO to lead any cyber response personally.

Undoubtedly, in many cases, the Board needs to be spending more time on this area. There should be someone with digital age knowledge in the Boardroom and data needs to become a currency around the Board table. However, this cannot just be a ‘visiting expert’ or someone who only does this and cannot contribute to the wider Board agenda.

We also discussed executive responsibilities, especially the role of the CISO which is not just about technical skills but also the ability to influence when necessary.

The second half of the workshop explored a recent cyber attack which has damaged the operational and strategic performance of a major business. Those present discussed, admittedly with the value of hindsight, what questions the NEDs could have asked to fully understand their exposure and risk.

The conversation covered:

• how difficult it can be to foresee some of the risks involved in large technology investments which are often seen by the Board primarily in terms of business opportunity

• Boards sometimes lack the language and skills to dig deeper

• in this particular company, NEDs, and especially members of the Audit Committee, were under the spotlight for the way in which they may have failed to foresee and mitigate digital risks.

The discussion also addressed a second company which unwittingly provided the pathway through which the attack was conducted and discussed what NEDs on this Board should have done to establish a stronger, safer digital environment. It is vital for Boards today to consider any exposure via their extended enterprise of partners, suppliers, contractors, etc.

The NEDs in this situation could have asked questions such as:

• What is the critical data we want to protect?

• Have we done an audit of who has third party access to our systems?

• What are their defences like?

• Where are the firewalls?

• What level of authority allows third party access and where does this reside?

Conclusion

The workshop concluded with some questions it was agreed Boards might want to consider around cyber defence, split into the following areas:

• Do we have the right skills?

• Do we have the right fact base?

• Are we making active, well-founded choices from the top?

• Do we measure and improve?

In terms of breach response, Boards should consider:

• Is there a practised plan for breach response that operates at ‘social media’ speed?

• Is the organisation ready to manage the market impact of a failure?

• Is the organisation willing to share intelligence with others?

• Are near misses analysed and lessons learned?

68% of large UK businesses have identified at least one cyber security breach over last 12 months

51% of businesses holding electronic personal data on customers are likely to suffer a breach

19 hours = average business down time post attack

Beyond the basics, Boards should discuss questions such as the following:

• What can we actually control? How do we prioritise/segment?

• How much variation/innovation/flexibility do our people need and what does this do to our risk profile?

• Should we proceed at a slower pace to keep risk under control, especially re digital innovation in an ‘agile’ business methodology?

• How can we control the risks our suppliers expose us to?

• Can we afford to keep up with our customers and manage risk?

• What personal data should we retain? – ethics vs business value

• Do we trust our staff? How do we balance control/monitoring with personal privacy/freedom when lines are blurred between home and work?

Companies are increasingly being encouraged by regulators and others to share information regarding cyber security breaches for the protection of others. Each company will need to steer its own course taking well-reasoned risk choices and executing them well.


Context

This workshop began with a recap of the interconnected world in which we live and the consequential heightened risk of cyber attack. Adversaries see organisations as processes spanning the world with connected systems often outside of their control. Companies need to stop thinking of themselves as their own fortress.

A look at the National Crime Agency’s work on cyber crime criminal networks showed, rather alarmingly, the extent to which criminals have organised themselves into a sophisticated marketplace – a comprehensive ecosystem with ready access to assets, tools and techniques for cyber attack. There was also a recap of the latest common cyber security issues and the pain spiral when things go wrong, as well as the Board’s role in setting direction and assuring outcomes – refer to the cyber security stage 1 workshop on pages 36-41.

Boards need to take a thoughtful, holistic view of what’s important to their business. This is a hard debate to have, often due to a lack of skills and time, and the preponderance of technological terminology.

It will also vary from one industry sector to the next. However, the Board has two fundamental roles around executive management’s risk control processes and mitigation plans:

• Determining risk appetite – setting the boundaries to frame executive management’s work to close the gaps

• An assurance role – looking at the measurement systems and assessing the strength and independence of assurance as well as proof of crisis readiness.

In particular, Boards need to decide 'what is needed by when', challenging executives to develop clear capability plans.

The important role of Boards in ‘setting the tone’ was discussed, including some of the choices where they need to guide management such as:

• speed to market versus risk control

• data analytics versus ethics and disclosure

• sharing of information versus segmenting the business

• everything in house versus alliances

• trusting employees versus surveillance.

In addition, there is a business question up front about whether global organisations should be fully connected across all countries and functions or whether there should be some ring-fencing of riskier territories—for example, using Cloud technologies to make interconnections explicit and well controlled.

There was also a recap of the framework of 7 cyber security governance principles for structuring a Board agenda and having a meaningful cyber security conversation – refer to pages 39-40.

The workshop then moved into detailed debate around 4 key areas where NEDs can focus to get under the skin of cyber security risk. In each area, in addition to discussing the issues, useful frameworks were provided as well as case studies of approaches that have been seen to work.

Developing a business perspective

Boards need to consider this in 3 areas:

• what kind of organisation is the company

• what data does it hold

• what types of attack might it need to defend against.

It is vital for the Board first to assess what the company is and does and then to determine how cyber affects the sectors in which they (and their customers) work. Characteristics to consider in determining which aspects of the business yield high cyber security risk include:

• Economic sector – risks vary between sectors with some intrinsically higher risk than others

• Geography – defence mechanisms may not be fit for purpose everywhere

• Business change – often not appropriately taken account of in management information

• Business operations – e.g. industrial/supply chain

• Ethics and culture – e.g. how much customer data is held, particularly pertinent with today’s desire for a ‘single customer view’

• Risk appetite – derived after taking account of all of the above.

Consideration of these special characteristics helps Boards to make choices and set a vision/strategy for cyber risk.

Bearing in mind that it would be prohibitively expensive to protect everything fully, Boards also need to consider what matters most, which is not always an easy exercise but is invaluable in the long run. A collective view is needed as different functions will value different data.

Boards need to ask what types of data they hold, such as:

• personally identifiable information

• financial information

• supply chain information

• pricing/commercial information

• mergers and acquisition information

• Board papers/strategic intentions

and what is the purpose of protecting it:

• regulatory

• stakeholder interest

• sensitivity

• evidence

• reputation

• share price

• trust

• availability.

There was some concern among the NEDs that it might be difficult to defend a position of not protecting everything, but Boards often need to make such choices. The ‘crown jewels’ need to be identified along with where they are and who can access them.

Boards should also reflect on the types of attacks from which they need to protect the business. A framework was presented to help with this consideration by mapping attacks from low, through to medium, then high and finally advanced levels of sophistication and split between external and internal threats. For external threats, from low to advanced sophistication, these ranged from:

• opportunistic or non-targeted attack

• targeted, remote attack

• targeted attack with internal assistance

• unconstrained attack.

For internal threats, the spectrum was:

• unknowing insider (human error)

• malicious insider acting within authorisation

• malicious insider acting outside authorisation

• advanced and expert insider.

In relation to the four types of external and internal attacks listed above, organisations are generally able to protect themselves against low sophistication external threats and are aspiring to get to defending themselves against medium sophistication threats. Banks should be able to defend against at least the first three levels of both lists. The fourth level is very advanced but could be relevant for defence organisations or national/global infrastructure where there may be a need, for example, to fully track routers through every stage of their journey.

Rogue employees can be difficult to identify so systems need to be constructed so that any one individual cannot do too much damage. It was noted that the Centre for Protection of the National Infrastructure (CPNI) has issued a paper addressing managing the employee threat. ‘Lifestyle audits’ may need to take place for individuals with high levels of access.

Questions that the Board (or a subsidiary committee) can ask in this area include:

• What data do we capture, create or handle and what are our obligations to protect it?

• What is our appetite for risk and against what type of adversaries?

• What may impact reputational risk?

• How do we apply priorities? What have we decided not to protect?

• How do we set the tone? What questions should we address?

• By when should risks be reduced? What sense of urgency is required?

Developing a business perspective in the ways suggested above can lead to a more meaningful risk appetite.

Assessing current state

The workshop moved on to discuss how Boards can get beyond narrow presentations from IT and delve into the real state of cyber readiness as a business issue. Cyber security can be a root cause for many other types of risk, such as fraud, reputation, business continuity, etc. The scope of cyber activities pervades all areas and therefore Boards need to probe across:

• Strategy, governance and risk – are there people with the right skills, experience and capabilities, that are ‘future proofed’?

• People and culture – is there training and awareness with focus on key roles from a risk perspective?

• Threat, intelligence and capabilities – including how risks are changing as new technologies are adopted.


• Information discovery and management – what is critical and how well protected is it?

• Connections – which partners does the business share with and are they properly protecting the information?

• Testing and crisis management – how well would the company respond to an incident?

• Business processes – are these appropriate and resilient?

Answering each of the above questions may require significant work led by the CEO/CFO. NEDs need to ensure there are measurement systems in place to ensure the executives are dealing with this appropriately and a Board sub-committee may need to be set up to monitor this, at least initially. Connections with third parties need to be considered as today’s extended enterprise increases risk.

There was a discussion around penetration testing and the fact that this has changed. Traditional penetration testing assesses vulnerabilities and poor configuration within IT systems. However, as the tools, tactics and procedures of attackers have become more sophisticated, their attacks now tend to focus on the end user. A new approach to penetration testing is therefore needed that is intelligence led, value driven and has a strategic focus. NEDs should not take false comfort from penetration testing which is too narrow or too technical. Simulating the most likely attack and seeing how the responses cope can be good practice. Sharing of threats is also valuable and likely to become more developed going forward.

NEDs should seek strong metrics which demonstrate the strength of cyber resilience, not just the volume of attack attempts. Organisations should be encouraged to count things that make a difference and drive improvements in the metrics. Examples include:

• % of systems accredited to security standards

• % of desktops at target patch level

• % of encrypted laptops

• number of unrecognised assets on local area network

• % of supplier contracts with clauses for information protection

• % of staff with critical access with up-to-date vetting

• number of days between employee role change and systems privilege change

• average time from incident detection to escalation/resolution.

The Configuration Management Database (CMDB) should show what is on the system, when it was last patched, etc. Boards can ask to see where the exceptions are and how they are getting fixed. NEDs recognised that asking for some of these measurements will expose helpful gaps in how well risk is controlled.

Questions the Board may wish to consider when assessing the current state include:

• Do we have adequate breadth (e.g. people, technology, engineering, business process, commercial, legal)?

• How can we confirm that our policies reflect our risk appetite?

• How can we confirm whether our policies are being implemented thoroughly?

• Have we covered the basics sufficiently to preserve our reputation?

• To what extent does a lack of incidents indicate that we are secure?

Getting ‘the basics’ right can reduce the level of ‘noise’ so that it is easier to focus on the more complex areas. However, it needs to be a dynamic process as businesses and therefore risks change. Many of the challenges around cyber security are not IT related but how the organisation is configured.

Improvement recipes

Risk mitigation covers a broad scope of activities in terms of the business environment, the security environment and control frameworks. The PwC cyber capability framework was discussed to indicate how companies can identify, protect, detect and respond. If legacy systems make good protection too time-consuming/costly, there may be a need to over-invest in detection. However, this is not just about buying tools but about building a capability that can then invest in the most appropriate tools.

Control frameworks need to be in place to ensure the basics are covered. NIST is becoming a global standard and the UK Government has also produced Cyber Essentials and Cyber Essentials Plus (the accredited version).

A few of the most common risk-reduction activities were considered – asset control, legal policy, employee access, digital user authentication, cyber incident detection and industrial control systems – the message being that this should not all end up with the CIO but ownership should be spread right across the organisation and the CEO needs to take the lead on this.


Questions the Board can ask in this area include:

• Are we seeing the sorts of actions we should expect from management?

• How do we know whether these are sufficiently complete?

• Are the actions progressing fast enough?

• How do we know where we are on the journey?

Handling incidents and crisis

The final section of the session began with a look at a case study showing a typical financial services breach response. The incident involved 500 compromised machines, 35Tb of log data, 1,300 formats and 600 billion events requiring analysis. The attack was 10 months’ work which ultimately yielded $8m for the fraudsters. As a result, getting the full picture of what had happened took considerable time. The information a company initially has on discovering a breach will be very limited and there is therefore a need to take care with any messages that are communicated to avoid early false conclusions. On the positive side, the level of anomalous activity provides plenty of ‘trip wires’ for detection.

A second incident illustrated that a breach may not always be technology related as it centred around passwords. Some ‘intelligent guessing’, based on a previous LinkedIn breach, permitted the attackers to gain entry after a few attempts. Once in the system, they found individuals emailing passwords to themselves when they were renewed. Eventually, the administrator’s password was located and a more extensive attack became possible. This second case study illustrates the criticality of access controls, which are often a point of weakness in organisations.

There was a brief consideration of the different types of crises – classic, rapid onset events, hidden crises, operational disruption, strategic disruption. Major classic crises (e.g. fire, flood) are generally easy to detect but with IT it may not be obvious that a crisis is developing until a significant impact is experienced, although often there are warning signs along the way.

NEDs should agree in what circumstances management need to bring the Board in to help shape the response to a crisis. They should also bear in mind that incident handling requires capabilities to both detect and respond. This is an area that lends itself to scenario planning. Playbooks should be developed for a cyber security breach, taking into account that at the point at which the company becomes aware of a breach, there are likely to be many unknowns in terms of what has happened and what has been impacted. At the same time, customers, regulators and MPs may all be demanding explanations. Capabilities need to be in place in advance of any issues.

Questions the Board can usefully ask are:

• How are investments prioritised between prevention, preparation, response and recovery?

• Has the Board recently practised its response to a cyber crisis, including with deputies?

• Who has authority (training, decision-making remit) to respond in less than an hour?

• How robustly are minor incidents handled? Are we signalling the Board’s risk appetite and values to employees and suppliers?

• If we discover a long-term penetration, can we determine what data has been accessed, changed or exfiltrated?

• Is the action plan for emergency management thorough, well-rehearsed and effective (including with no IT)?

• At what point would a decision be made to ‘shut the shop’ and who has that authority?

• How effectively does the marketing team operate in the social media space (to address any backlash)?

It was noted that under GDPR the regulator now needs to be notified of any breach.

Conclusion

While NEDs can make great use of existing skills, such as probing gaps in controls and seeking evidence of management’s measurement system, for many businesses it may be time to address any shortfall in digital skills around the Board table. Most Boards need at least one NED who is fluent in digital issues which should span both innovation and cyber risk, and both new and old technologies, in order to lead a business in the digital age. Some Boards would also benefit from a specialist Board committee (e.g. information risk or digital) but this cannot substitute for an adequate understanding and overview by Board members.

In order to move from an awareness of cyber security to an understanding, NEDs should seek to ensure that there is:

• a risk appetite based on a Board grip of what data is held, why, for how long and accessed by whom

• enterprise MI which shows actual risk profile and compliance

• Internal Audit meaningfully assessing the above


• a fact base about how cyber risk is shared with suppliers and business partners

• agreed policies compliant with data protection law

• a practised crisis plan, including with deputies, and MI which shows time from event to detect to act

• a CEO and Chairman who are confident to address shareholder questions.

The concluding questions at the end of the cyber security stage 1 workshop were revisited as a good starting point for NEDs – refer to pages 40-41.

Finally, workshop participants were provided with 3 supplementary papers which are available to NEDs on request as follows:

• a more detailed breakdown of the 7 cyber security governance principles authored by Richard Horne

• a paper describing how Board conversations need to change for the digital age and setting out a role description for a ‘digital/technology NED’ authored by Stephen Page

• a booklet from the CPNI describing how individuals can better control their digital footprint and reduce exposure to cyber attacks led by social engineering.

£6 trillion = estimated cost of cyber security damages by 2021

only 26% of breaches currently lead to information being shared externally other than to a cyber security provider

28% of businesses do not know how many cyber attacks they have had

223 days = typical time between cyber breach and impact


Context

Social media is a dominant force shaping society. Everybody has a digital footprint whether they want one or not. Events are captured by people present as they happen—and shared—now that the use of smart phones has become all pervasive. Immediacy is vital and video is as important as text. In just a few years, society’s communication model has transformed.

A few interesting metrics illustrating the scale and importance of social media were noted as follows:

• on average, UK citizens spend 56 hours a week online

• c28% of all time online is spent on social media

• engagement via social sharing is 76% higher than by email

• organisations that blog receive 67% more leads than those that don’t

• Facebook with 2 billion active users is now bigger than the entire internet in 2008.

However, there are risks to the huge explosion in social media as PwC has experienced directly. The story of ‘Heelgate’ where a PwC receptionist employed by a contractor was sent home for not wearing high heels was shared 10,000 times in 24 hours. After 36 hours the story had been seen by 30m people. However, PwC employees were able to use social media to respond, creating a positive counterwave in social media by tweeting pictures of what they were wearing.

This social media engagement is now at a level not previously contemplated. However, it is worth noting that people curate what they want to see. Companies or individuals therefore need to be invited into the user’s world by finding ways of making things interesting and relevant to people. Social media is about building trust through listening and engaging and not just about broadcasting. In today’s interconnected world, the use of social media is here to stay, despite the increased recognition of risks, including mental health issues.

Common social media platforms

In the workshop we reviewed the current state of social networking platforms in the UK and elsewhere:

• Twitter is now widely used by business for engagement with journalists, regulators and politicians, as well as by individuals to develop a following. As newsrooms are slimmed down and the focus shifts from traditional journalism to 24-hour feeds, Twitter is often a gateway to get both truths and mistruths into the public eye (via traditional media) very quickly. When an incident occurs, the immediate reporting on Twitter is much faster than verified news channels—both accurate and inaccurate information can spread rapidly. It also has a direct messaging service which can make it surprisingly easy to get to influential individuals.

• Twitter has become a channel for customer care in many companies, with dedicated social media teams responding to issues at a faster pace than traditional channels. Often people will have separate personal and business Twitter accounts, curating different personalities on each account.

• LinkedIn is a business networking site and is extensively used by recruitment consultants. There is no consensus about how LinkedIn should be used, which can be confusing. For example, some users connect with everyone they meet, others have a more closely-curated contact circle. Some users push out (and consume) content while others regard the platform as primarily an address book.

• Facebook started as a platform for sharing with family and friends but is now also used by businesses, particularly in the US and by retail and consumer companies, and this adoption is becoming more widespread. The younger generation are, however, moving away from Facebook which can seem stale in comparison to newer platforms.

• There has been more interest in Facebook by the business community since newsfeeds were introduced. As a result, 'Facebook for Work' has been set up as an information sharing tool and is sometimes used as an internal social media network by some smaller organisations.

The current state of image/video based platforms, which are evolving and changing rapidly was discussed:

• Instagram is used extensively by individuals and has seen huge growth. Photos and very short videos (up to 20 seconds) are posted on personal profiles but it is often quite staged and more about broadcasting than engaging. Very short bits of text can be added and there is the ability to link to other profiles. Social media influencers invest heavily in curating their Instagram persona, filtering/editing photographs, staging lifestyle moments and so on.

• Snapchat is an app for connecting with friends or following famous people. Photos and up to 10 second videos can be posted but disappear once viewed. Following an update in the summer, Snapchat can also identify where your friends are as the default setting is that location is made available. Snapchat is less filtered and more fluid. It has, however, experienced a bit of a decline since the introduction of Instagram stories and following Kylie Jenner asking who still uses it which wiped $1.5bn off the market cap.

It is also worth bearing in mind with all these ‘temporary’ image platforms that somebody could still take a screen grab prior to deletion, although Snapchat will notify the photo originator if it detects that someone has done this.

PwC is using these platforms as follows:

• Instagram – to share events such as Ride the Nation and One Firm One Day and show a more personal side to the firm

• Snapchat – used on campus with a geofilter for recruiting and to distinguish the firm from its competitors.

Snapchat has advertising between stories which is often tailored based on an individual’s internet browsing history. Instagram has no advertising yet, relying primarily on celebrity endorsements.

The current state of common broadcasting/streaming platforms such as YouTube, Periscope and Facebook Live was also discussed. YouTube is now the second biggest search engine after Google, reflecting a significant shift in behaviour with users preferring videos to text, particularly among the young.

There is a lot of common ownership of these various social media platforms:

• Instagram is owned by Facebook

• YouTube is owned by Google

• Periscope is owned by Twitter.

These owners are therefore extremely powerful in the influence they can exert, enabled and underpinned by their vast repositories of personal data enriched by augmenting social profiles with search history, browsing history, purchasing patterns and email traffic on 'free' services (e.g. gmail). This information power allows platforms to provide 'relevant' advertising but also to shape the content that users see.

There are also some very significant international platforms including:

• VKontakte – Russian language platform, a cross between Facebook and Twitter, with over 400m users

• WeChat – Chinese language platform with around 1bn users, both social and commercial, to message, share and buy

• Tencent – Chinese language Twitter-style app with 800m users

• Weibo – Chinese language Facebook clone with 250m users.

The majority of social media platform use is on smart phones or tablets. Multi-channel delivery is also possible, e.g. a Tweet also updating LinkedIn, WhatsApp, etc. Both companies and individuals will use tools which cycle updates across multiple platforms.

Establishing authorship veracity in social media is very difficult. An official Twitter account will have a blue tick in a circle to differentiate it from any bogus accounts. With Facebook and LinkedIn, official company pages will also have been verified.

LinkedIn is a safe place to start a social media journey and business people should ensure that they have an appropriate and carefully crafted profile. PwC is now often asked for LinkedIn profiles in pitches, rather than CVs, as there is the view that people are more accountable for profiles that are publicly available. LinkedIn can effectively become a ‘black book’ of contacts, even if they move organisation, and there have been some complex legal challenges when individuals have taken their 'personal' LinkedIn contact lists to another employer.

Posting something also has more of an impact on LinkedIn as people do not post extensively on this platform so content tends to stay for longer versus Twitter which updates every few seconds. Only 2% of LinkedIn subscribers are very active users. A number of groups have formed which share useful content, e.g. Boards & Advisors.

With all social media platforms, however, it is worth bearing in mind that linking with like-minded individuals/groups can cause individuals to operate within a bubble and reinforce beliefs. A spectrum of views should therefore be sought.

Social media is changing how trust in people, products, etc is built. Most millennials will seek social consensus rather than expert views, e.g. rating Trip Advisor above a Michelin Guide and a 'much liked' article over the choices of a newspaper editor.

Individuals use social media for:

• news – sharing articles with followers to demonstrate individual is up to date

• marketing – including pre-approved materials

• personal brand – more likely to engage if a message comes from someone you trust

• specialism – demonstrating expertise

because it is:

• free

• easy to access

• an instant communication tool

• a gateway to a huge network

• a direct link to journalists/stakeholders/senior individuals

all of which help with influencing or getting a message out.

Individuals should Google themselves to see what online profile they have. Most are often surprised to find they already have a substantial digital footprint, even if they have not directly created this. It is therefore better to curate this via purposeful intent.

Social media communications are often timed for the morning and evening commutes when people tend to be on their phones and between 10 and 11pm when individuals check their phones before bed.

Language is an important part of social media communications and needs to be appropriate to the platform – generally more casual and less formal. Emojis are used extensively, particularly in Twitter where there are only 280 characters (approx. 30 words) and emojis can help with tone. There are also many abbreviations in text speak but these are generally best avoided. Hash tags are used in text with key words so that content will be visible to those searching by those words. The more hash tags used, the wider the reach.

Within PwC a scheme with millennials 'reverse mentoring' partners has built confidence in how to use social media. One partner who tweeted 30 times in a month (less than 400 words in total) reached 23,000 people which shows the reach possible.

However, with this reach comes risk. Often you may be a first mover which can have inherent risk and sometimes you can feel as if you are waving in a field if content is not picked up. Trolling is always a risk, even with innocuous posts, and it is best not to engage with it. It is also always worth applying ‘The Daily Mail’ test to consider how a post might appear to the man in the street.

There was discussion of the latest developments as governments, business and society have realised that the great benefits of social media also bring the potential for great harm. For example, there is evidence that hostile foreign states are running 'influencing operations', targeted at changing the outcome of elections or simply fuelling dissent, terrorist groups are using social media as a highly effective recruiting ground and online criminal meeting places often go unchecked.

A socially connected world provides a perfect platform for influencing operations because:

• social media users too often believe what they read especially if it has been 'liked' by others

• attribution is challenging

• social media systems encourage rapid spread before inaccuracies can be corrected

• controls are limited – free speech is valued more highly than safety or security.

The mechanics of a typical influencing operation were considered. These will start with a goal – for example, to manipulate public consciousness. There will then be ‘tasking’, such as recruiting supporters, seeding mistrust and confusion, neutralising opinions, influencing decisions, etc., using ‘actors’ who may be human, automated or funded and ‘amplifiers’ including influencers, the media, social groups, etc. These influencing operations can be hard to resist and social media users should remain alert to this possibility.

Digital communication and collaboration tools

Another fundamental digital age change is a shift from big company-supported IT systems to a personal 'toolbox'. These tools are often simpler and faster so that even complex business processes can be done quickly, cheaply and efficiently.

To illustrate this new way of building personal and company productivity, some of the most common online communication and collaboration tools were discussed:

• Meetings – webex, Google hangout, Skype

• Messaging – WhatsApp, Telegram, Yo

• Projects – Slack, Trello

• Crowd-sourcing – Doodle, Survey Monkey

• Sharing – OneDrive, Google Drive, Dropbox.

Slack has the advantage of capturing discussions in streams by project so is commonly used by start-ups, particularly during project development. Trello is more of a traditional project management tool for use on mobile devices.

Doodle is a quick scheduling tool for getting people together and comparing calendars while Survey Monkey enables fast sharing of views through simple online polls and surveys.

Sharing platforms, where information is accessible to those given access, enable a group of colleagues to work on the live version of a document. Dropbox is frequently used by the media where large file sizes are common.

NEDs should be aware of these digital tools, and of how quickly they can be deployed: they may be useful to NEDs as individuals, and employees within their organisations may also use them.

Questions to consider

The social media section concluded with a number of questions individuals may wish to consider:

• What do you want to be known for and what are the best channels for this?

• Do your profiles and shared content reflect this?

• Are you listening and learning from what’s going on?

• Have you researched the groups and conversations to join?

• How do you find and connect to influencers on your topics of interest?

• How can you build your influence – answer questions and share compelling content to engage your audiences?

• Is it appropriate? Always review what you propose to say and think about the language you use.

• Do you have a 'digital toolkit' of quick ways to get things done individually or in a group?

Online hygiene

The second half of the workshop focused directly on the digital age risks faced by NEDs, working in a world where data is freely shared and yet NEDs have significant responsibilities for the protection of business information.

Rich data harvesting has become the norm. We started with a case study exploring the number of organisations that track an individual through their digital footprint from the moment they wake until they complete their journey to work. Even more eye-opening was a list of more than 50 trackers, cookies and connections logged by Lightbeam and Ghostery in a freshly-installed browser after opening just the home page and one article in The Guardian.

Although GDPR in theory gives individuals more control over their data, in practice it has exposed data sharing without giving real control. As an illustration, one site presented the user with 300 incomprehensible tick boxes.

Effectively, we are all paying for the use of search engines and 'free' email by revealing a little more personal information each time. It is therefore important that individuals are aware of their digital footprint and choose personal behaviours to match their risk exposure.

While the immediate benefits of digital tools seem alluring, a long-term view should be taken about how the data may be used in the future. For example, what if (in just a few years) a job application or a property rental application were to be screened by reference to prior behavioural indicators (hobbies, friends, parties, reading interests, music, political beliefs, …)? In establishing a personal risk appetite, think about the future more than the present.

Good behaviours and practices

The workshop then explored how NEDs can protect themselves and their companies, focusing on 8 key areas:

Social engineering and phishing

Psychological manipulation can encourage people to perform actions or divulge confidential information without being conditions of the right to share personal data. Individuals should therefore:

• be suspicious of unsolicited calls or emails from individuals asking about employees or information, even if the caller seems to know a lot about you already

• not reveal personal/financial information by email or respond to email requests for this information and not authorise transactions by email alone

• check emails for odd phrases and word choice based on your knowledge of the sender

• pay attention before you click on anything, even if it claims to be from someone you know.

Social media

Social media is useful for staying in touch with friends, family and work colleagues, as well as building a personal brand. However, personal information shared on social media can also help attackers commit identity theft and fraud as they connect data from various sources.

The terms and conditions of some social media platforms will give them the right to share personal data or reuse your content in unhelpful ways. Individuals should also be aware that their own friends/contacts may have uploaded their entire address book to LinkedIn, thus indirectly providing their information. It is possible to go into settings and change privacy details but this is often an opaque process as privacy policies and options are often deliberately complex.

Individuals should therefore:

• review the privacy policy and terms of service before signing up for an account

• set privacy options carefully and revisit them periodically to check for newly-invented settings

• never provide a work-associated email to social media

• not post age, date of birth, address or phone number

• decide what online footprint is appropriate and ensure your friends understand this too, e.g. tagging in images, uploading your personal details from their address book

• be wary of connection requests from strangers or fake friends

• remember anything online might be seen by people not in the intended audience and passed on to others

• think about the consequences of sharing your location.

Passwords

Poor password habits are widespread, allowing attackers to compromise email accounts, business applications, social media profiles and bank accounts. There is a need to find a balance between making passwords hard enough for computers to have difficulty finding them but not too difficult for people to remember.

Strong passwords can include:

• length – longer = stronger

• complex or not?

• base passwords on a phrase not a word

• do not re-use passwords on multiple sites

• consider using a password wallet.

There is conflicting guidance on changing passwords regularly due to the behaviours that result. Frequent changing of passwords sometimes causes individuals to make bad choices, (e.g. simple passwords or emailing passwords to themselves), leading to exposure from hacking.

Criminals seeking access to data will exploit the weakest link which may not be the password itself but the password reset mechanism and therefore understanding how lost passwords are reset is also important. Risk aware individuals can mitigate this by giving false answers to set questions when setting up accounts. Using a password wallet is now deemed better practice, even though this concentrates the exposure in one place, as the organisations who offer them are very security conscious.

Two-factor authentication, ('something you have and something you know' – e.g. a password plus a code that is sent by SMS or generated on your personal mobile and valid for a short period only), is powerful and should be used wherever available. NEDs are encouraged to try two-factor authentication on their Amazon and Google accounts, for example.

Face recognition and touch ID are also improving this area and may make passwords obsolete over time.

Handling data

Modern technologies such as the Cloud make it easy to store and share data. However, these benefits come with significant risks, including reduced data confidentiality and trusting someone else’s security.

Individuals should:

• only gain access to the data needed and delete it when finished

• use business-approved storage for handling work data

• ensure email recipients are correct (email address auto-complete can create problems)

• avoid sending sensitive, unencrypted data outside the organisation via email or by using public Cloud sites (e.g. Dropbox or Google)

• understand what data is held and where it is stored (e.g. password protected .zip files, on your desktop).

Knowing what data you have and storing it safely in approved ways is a good place to start. Even better is not to hold the data in the first place – leave it in the office whenever possible and do not accept any documents over open email. Diligent is a popular Board paper sharing app used by many companies.

Internet browsing

Websites that appear to be legitimate could contain malicious or harmful links/attachments or be falsified in order to fraudulently collect personal and commercial information.

Individuals should:

• keep their browser and operating system up to date. If practicable, disable Silverlight and Java.

• pay attention to website URLs, reading right to left. Malicious websites often look similar to a legitimate site (e.g. an 'm' instead of 'n') or use subdomains (e.g. barclays.foo.com rather than barclays.com). If in doubt go manually to the company website rather than clicking on a link.

• be suspicious of links to secure content that do not include https (padlock, in some browsers) or appear (pop-up) unexpectedly while using the internet

• not download apps that appear suspicious or have not been developed by a recognised body or organisation

• only use business-approved software to format, translate or send documents both internally and externally.

It is likely that domain names such as .pwc or .barclays (i.e. without the .com) will soon become prevalent.

Working remotely

Working remotely often requires employees to access confidential commercial and sensitive information, offering additional opportunities to malicious actors.

Individuals should:

• deter shoulder surfing by viewing commercially sensitive data or documents in a secure location

• connect only to Wi-Fi connections that are trusted and password protected. Only use 'https' (SSL-secured) websites and mail when using Wi-Fi in hotels, trains etc.

• use work email accounts only to view sensitive information or data

• not bring work devices or documents to locations (e.g. restaurants) where they could be stolen.

Physical security

Physical security of devices is important but often overlooked. Poor security puts data and devices at risk of being stolen and can result in identity theft, business disruption or bodily harm.

Individuals should:

• lock devices such as laptops, PCs, and mobile devices automatically when they are unattended. Use a strong (i.e. long) password or PIN to lock them.

• know how to lock your device instantly (button, mouse to corner of screen, etc.) and get into the habit

• know how to wipe your phone/iPad remotely (e.g. set up Find my iPhone, keep a record of the IMEI number)

• immediately notify your security or IT department if your device has been lost or stolen

• discourage tailgating. You are the most effective security measure, and are empowered to challenge unfamiliar faces.

Ensure your devices have working Cloud backups so they can be restored if you need to wipe your phone.

Encryption

As global commerce expands online, strong encryption is becoming essential. Weak or poorly-implemented encryption leaves personal and corporate data exposed to attackers.

• Strong encryption adds another layer of protection in addition to vigilance and physical security.

• Activate encryption on work and personal devices and only use apps which support secure storage.

• When possible, encrypt data in transit and at rest.

• Use strong passwords to ensure secure encrypted devices (e.g. complex PIN codes for mobile phone).

• Remember to encrypt back-ups too.

2bn active users on Facebook

28% of all online time is spent on social media

56 hours a week = average time spent online by UK citizens

Setting risk appetite

There was much discussion of the need for every NED to make a well-informed set of choices based on the risks and the data they may hold now and in their future career. This risk appetite will shape the nature of their digital footprint and the level of protection that is necessary. Individuals need to decide personally where they are on the spectrum from ‘totally open and trusting’ to ‘private and paranoid’ and then set their risk appetite accordingly.

We discussed several profiles on this spectrum from a digital native who automatically and freely shares sensitive data to a highly risk-averse NED who operates several online personas choosing what to share and implementing strong protections for sensitive information. It is possible that this risk appetite may be different for different areas, e.g. more risk averse with bank account data than other less sensitive information. Making the right decisions about social participation and information protection is becoming one of the critical choices for NEDs. NEDs need to take a lead on security to set the tone.

Context

The workshop began with a look at the current state of the charities sector. Recent times have been very challenging due to both the economic environment and, more recently, the reputational impact of certain examples of inappropriate behaviour in the charity sector highlighted by the media. New Philanthropy Capital, a charity focused on promoting good practice around impact and effectiveness, recently conducted a survey on the state of the sector involving more than 400 participants from all areas. A short video was shown to illustrate 3 of the major themes that came out as follows:

• a lack of focus whilst trying to do more with less

• limited understanding of the use of technology and what digital and data can do

• strength of resources needing to be realised via a culture shift.

These themes have been borne out over the 18 months since the launch of the survey. Charity Boards often do not have the same commercial focus as company Boards. In addition, charities are at different stages in their focus on impact, and using this to inform strategy and, potentially, some hard choices.

Although 70% of charity leaders felt they were making the best use of technology, this may not be the case given the speed with which technology is developing.

There is also a need to work collaboratively, think creatively and look again at resources.

Heightened scrutiny

Issues that have been widely reported in the media relating to certain well-known charities, as well as questionable fundraising practices, have resulted in the charity sector coming under intense scrutiny from a number of different stakeholders, including:

• beneficiaries

• trustees, staff and volunteers

• funders and partners

• regulators

• the media and the general public.

The last two years have seen significant damage to levels of trust as the public tend to hold charities to a higher threshold of account. A recent people’s panel led by PwC, consisting of members of the general public, found that they would now think twice, and do more research, before giving to a charity. However, the fall in trust does not just impact fundraising but also how a charity engages with its beneficiaries, campaigning and many other areas. The duty of both auditors and trustees to report serious incidents has also increased.

Trustees therefore need to think carefully about the risks on the charity’s risk register and whether these are complete and relevant. Risk/reward decisions are key and trustees might also want to reflect on the questions which they should know the answers to – such as 'how do we ensure compliance with safeguarding risks?' or 'how do we protect vulnerable people from heavy handed fundraising techniques?'. Trustees should ensure they are getting full sight of what is happening on the ground. They also need to understand the views of their supporters in terms of how they should respond to incidents. Engagement with stakeholders is therefore key.

A Code of Fundraising Practice has been issued by the Fundraising Regulator and there are new disclosures required around fundraising activities in trustees’ annual reports. Charities also need to consider the guidance issued by the Information Commissioner’s Office which was recently updated for GDPR requirements and, where relevant, the Care Quality Commission.

The Charity Governance Code was updated by the Charity Commission last summer and trustees should be aware of this. It is on an ‘apply or explain’ basis, and therefore voluntary, but represents best practice in terms of governance. At its foundation are the trustee role and the charity context but it also addresses the following 7 areas:

• organisational purpose

• leadership

• integrity

• decision-making, risk and control

• Board effectiveness

• diversity

• openness and accountability.

A broader debate around good governance included the following observations:

• diversity of thought is important

• appropriate succession planning and skills gap identification is necessary

• the governance code may help with ‘churn’, as time limits do not always exist in a charity’s governing documents

• a good Chair is vital and can make strong governance happen seamlessly

• an appraisal process should be undertaken with rigour

• trustees with the Chair of Audit Committee role can usefully highlight aspects of the governance code that are not being met

• membership charities need to operate for the public benefit whilst also being encouraged to take account of members’ wishes and some independence around the Board table therefore becomes key

• above all, charities need to be clear as to their purpose and make decisions with a focus on the beneficiaries.

Board effectiveness reviews are happening more within charities. These should be encouraged and a sensible way of harnessing them needs to be found.

At the same time, there is recognition that charity Boards need a mix of workers, door openers and fundraisers. It is, however, important that individuals understand what their role is. Involvement of a founder or major contributor can further complicate matters and trustees need to be alert to these nuances. Charity Boards, by their nature, often have people who are not familiar with governance and therefore trustees from a commercial background can be helpful in bringing their experience from the corporate world.

Many charities are now aware of the Charity Governance Code, although few refer to it in their reporting. Over time, funders may drive compliance with the Code by including this in their criteria in awarding grants or commercial contracts.

Purpose

A consistent understanding of the charity’s purpose is vital for the Board of trustees as this will help to direct:

• what it does

• how it does it

• how it knows if it is being successful.

Purpose, with corresponding reporting on impact, is gaining momentum in the charity sector. More charities are reporting on how the money was spent and what it achieved rather than simply where it went. There is greater thought going into purpose and impact and how these are being communicated.

Impact can help with key decisions. For example, in social care, there may be instances when a decision needs to be taken between helping a large number of people a small amount or a fewer number but making a real difference. However, it is not just about quantity versus quality but also the broader impact. A charity’s employees also need to understand its impact as it is difficult to tell a coherent story externally unless this is being measured internally, and it can improve productivity.

PwC’s own charitable activities were used as an example. Last year, the firm contributed £7.4m to charity, £1m in cash and the rest in time and support. PwC was described as being a purpose-led, values-driven business that works with purpose in terms of the work we do for clients and our perspectives on the future. It also aims to be a fair and trusted business, and a low-carbon organisation, with empowered people and communities. It was suggested that charities should periodically revisit their purpose to ensure it is still appropriate.

It was also noted that the Sustainable Development Goals (SDGs) can sometimes be a route into support, particularly through charities engaging with corporates that may be struggling with these.

Once purpose has been established, there is a need to consider how to measure and report on impact. As noted above, there is a move from monitoring inputs and outputs to measuring outcomes, i.e. the change or impact that has been delivered, and how much of this is due to the charity’s activities or other external factors.

An impact reporting framework was discussed which involves:

Scoping – clarifying the boundaries of the impact analysis, who will be involved in the process and how

Mapping outcomes – developing an impact map, or theory of change, which shows the relationship between inputs, outputs and outcomes

Evidencing outcomes – collecting data to show whether outcomes have happened and valuing them (if possible)

Establishing impact – eliminating those aspects of change that would have happened anyway or are a result of other factors

Comparing – adding up all the benefits, subtracting any negatives and comparing the results of investments

Communicating and improving – sharing findings with stakeholders and responding to them, embedding good outcomes processes and verification of net benefits.


Internal benefits from adopting this impact approach include:

• understanding which approaches work and those that do not

• improved measurement and evaluation

• tracking performance and making operational changes as necessary

• more effective management of resources.

External benefits include:

• accountability to funders

• increased transparency

• communicating with stakeholders/potential funders

• influencing policymakers.

A case study (Street League) was used to illustrate this further. This charity supports young people in regions of deprivation into education, training and employment. Making use of technology, they have developed a regularly updated ‘impact dashboard’ website that shows the young people’s starting point, what barriers they report, where they progress to and whether they are still there after a period of time, with filters allowing the user to follow different stories. To enable this, data had to be collected in a structured way and initially this required a culture shift, persuading front line staff to collate this information which took away some of their time from delivering services. For the charity, there is now a single source of the truth rather than multiple reporting. Going forward, charities in similar sectors may be able to work together to collect the data for ‘live’ dashboards that would work for all or the data may need to be collated/managed in the private sector where greater resources exist.

Another case study (Canal & River Trust) was used to reinforce this journey. The charity has the guardianship of waterways in England and Wales and it has placed an increasing emphasis on how waterways impact the wellbeing of local communities, publishing a report ‘Waterways & Wellbeing, Building the Evidence Base’. This report sets out the charity’s ‘Outcomes Measurement Framework’ which is the charity’s approach to measuring the broad social, economic and environmental impacts that people see in their lives from canals and rivers. This is the start of their journey but, by developing a transparent evidence-based system of outcome reporting, the charity aims to track trends, improve its insight and performance and demonstrate how wellbeing is improved.

Impact reporting gives a charity a focus and a means of making choices. Philanthropists increasingly want to fund tangible impacts and there is greater data availability for proxy measures. Charities may become increasingly out of date and find it harder to attract funding if they do not start to focus on impact.

Delivery of purpose

Effective delivery of purpose is dependent on making best use of the charity’s resources. It also requires an awareness of change as what worked previously may no longer be appropriate. The typical corporate life cycle where a company can move from being a mature business to a state of decline, or even collapse, through poor decisions applies just as much in the charitable sector.

Charities should consider a ‘risk-assessed’ reserves policy and should also ensure that their management information will highlight warning signs of developing issues before the charity ends up fighting for its survival. Commercial NEDs on trustee Boards may need to help their lay colleagues in this area. There may also be a need to explain the reserves policy so that stakeholders appreciate the difference between spending money today and being sustainable, whilst understanding why funds still need to be raised despite reserves.

A charity with predictable income flows and a flexible cost base is the most comfortable model whilst one with fixed cost commitments and unreliable income is the most vulnerable. Where there are predictable income flows with fixed cost commitments, there is a need to track trends in income. Where there is unreliable income and a flexible cost base, there is an even greater need to understand the reserves policy. The Charity Commission has recently issued new guidance on reserves.


Over 200,000 charities in the UK

There is often a gulf between common practice around risk registers in the commercial world and what exists in this space for a charity. However, it was agreed that the risk management thought process is the fundamental element, rather than necessarily how this is presented if insufficient resource exists for this. Clearly, good risk management needs the charity’s strategy (purpose and impact) set up front to be able to identify the risks to achieving this. It also needs to be a ‘live’ tool for decision making purposes rather than a check box governance process. Disclosing not just the risks but also how they have changed year on year is helpful.

Mergers

There is undoubtedly a need for more collaboration and potentially some consolidation within the sector. There are in excess of 200,000 charities in the UK and many operate in a similar space. As more are failing, Boards should give consideration to the possibility of a merger.

Traditionally, the charity sector has tended to view mergers negatively. However, viewing other charities as ‘competition’ may not be the right mindset and the merger that resulted in Cancer Research UK was a huge success. The Royal National Institute of Blind People (RNIB) recently identified that there are c.700 charities focused on the blind and produced ‘Vision 2020: The right to sight’ as a response. As a result, some have merged and others are more actively collaborating.

The question of whether or not to merge to achieve greater impact should be regularly revisited. There may also be triggers that allow for reconsideration of this such as the CEO’s departure or loss of a major income stream.

Where a merger is not the right answer, it may still be possible for there to be greater collaboration. Often there is a willingness to cooperate but a reluctance to take the lead on this so it may be necessary to identify a leader in the sector.

There was a brief discussion of where individuals had seen outsourcing of back office services which in some instances works well. Charities also need to recognise that technology is developing fast and they should therefore have a digital strategy.

The key point is for charities to regularly consider their purpose and the delivery of it, as well as whether doing this on a standalone basis is still the right answer. Trustees should be encouraged to view the wider landscape of which other charities are operating in the same sector and look for potential opportunities to work together rather than just seeing competitive risks. Looking at doing the right thing by beneficiaries can encourage an appropriate mindset.

Finally, there was a brief discussion around executive remuneration as charities need strong management but are often ‘on the back foot’ in the debate around pay. This needs to be discussed more openly as people are more likely to accept salaries if they have a better understanding of the responsibilities and risks.

Hallmarks of a successful charity

The workshop concluded with a brief look at the hallmarks of a successful charity, many of which had been touched on during the discussions:

• clarity of strategy

• operational efficiency

• risk management, reserves management and investment policy

• governance and management

• demonstrating social impact

• accurate management information and reporting

• competitive landscape/fragmenting market

• income generation/fundraising

• increased scrutiny.

The first three of these are internal choices, the middle three essential enablers and the final three external influences. A publication was provided which expanded on these in more detail.

Several times throughout the workshop there was discussion around the need for a credible organisation to support charity trustees given the many complexities existing in this sector. This could also act as a lobbying body for the charitable sector to government.


Context

The key changes to the Code and via legislation for reward fall into four areas:

• The extended Remuneration Committee remit – the Remuneration Committee is to have more of a view of pay further down the organisation below the executive directors and should feed back to the Board whether pay across the business aligns with culture

• Employee voice – a Board requirement to engage with employees and take the interests of major stakeholders into account in discussions and decision-making

• Other remuneration items – other requirements for director remuneration policies and pay

• Remuneration disclosure requirements – secondary legislation changes re CEO pay ratios, single figure and scenario disclosures.

Of the above, the alignment with culture point is causing considerable discussion.

There is a focus on the new Code representing a step change in governance, moving away from a tick box approach. Although the Code requirement is for companies to comply with effect from 1 January 2019 and therefore report in 2020, the expectation of shareholders is that companies will comply early in some areas (e.g. CEO:employee pay ratios) and should at least be disclosing what they are doing about the Code changes in 2018/2019 reports.

PwC had conducted a recent pulse survey of FTSE 350 Heads of Reward to determine what companies were doing about each of the areas and the results were discussed as the workshop progressed – see further below.

Extended Remuneration Committee remit

Provision 33 of the Code states that:

• 'The remuneration committee should have delegated responsibility for determining the policy for executive director remuneration and setting remuneration for the chair, executive directors and senior management. It should review workforce remuneration and related policies and the alignment of incentives and rewards with culture, taking these into account when setting the policy for executive director remuneration.'

• Senior management is explicitly defined as 'the executive committee or the first layer of management below board level, including the company secretary'. Many FTSE 350 company HRDs felt that senior management were generally already in the Remuneration Committee remit, although it may have been more in terms of noting their pay rather than setting it. In addition, senior management may not have previously included the Company Secretary.

In setting remuneration for senior management, Remuneration Committees should take into consideration:

• market benchmarking data – which should be robust, repeatable and discourage 'cherry picking'

• internal relativities – where the company is as a business and the transparency of pay

• personal objective information – set in light of what the individual should be aiming to achieve

• performance outcomes – how it worked out in practice.

In terms of reviewing workforce remuneration and related policies, this can be viewed as a subset of the broader Board requirement to ensure workforce policies and practices are in line with the company’s purpose and values. Committee members need to satisfy themselves that they have enough of an overview. It is clearly helpful in this context not to have too many different plans and policies. Much of the information needed for the Remuneration Committee to be able to review workforce remuneration and related policies, such as:

• group wide remuneration policies

• incentive structures across the company

• incentive outcomes across the company

• base pay awards

• pay mix and structures

• pension and benefits provision across the company

is already available but may need to be packaged differently to be easily digestible by the Remuneration Committee.

A suggested example of an employee remuneration report summarising key information across different divisions was discussed and it was agreed that this would be a helpful starter, although more detail may be needed in some areas. There is a need to think up front about what the critical areas might be, i.e. where inconsistent practice with others might be challenged. There should be sufficient information for the Remuneration Committee to be able to satisfy the Code recommendation but not to start performing the executives’ role.


This recommendation can be difficult in a large organisation with international operations and it is then helpful to have a broad philosophy on how the company wants to position itself in terms of market rates, i.e. at market rate or above, etc.

Reviewing the alignment of incentives and reward with culture is not easy but one way of gaining some evidence may be to extend employee survey questions. Companies may also provide data including:

• pay outcomes for high risk categories of employees, e.g. high earners

• information from the risk/audit committee providing assurance on the quality of the financial results

• information on individual performance management processes and outcomes

• information on particular areas of incentive plans that are viewed as higher risk

• information on sales compensation arrangements.

A suite of information is likely to be needed rather than just 1 or 2 metrics and the review should be qualitative as well as quantitative.

In terms of reporting on all of the above, it may be appropriate to build a section of the Remuneration Committee report that is employee focused around pay elements. It is more about having appropriate narrative around the required disclosures. Investors are likely to demand this in any case and will not want to see boiler plate statements.

The employee report and how culture is considered both need to be drawn on to feed into policy reviews. In a multinational organisation, there will be a need to rely to some extent on information provided by territories.

Employee voice

Based on PwC’s pulse survey, a designated NED is likely to be the most common approach to accessing employees’ views but the companies taking this route recognise that this NED is likely to need some kind of panel mechanism to achieve this. Information needs to be fed into the Board but it will also be important to explain what the Board did with it. Some companies have started holding an employee AGM post the shareholder AGM which can be a successful forum.

According to the survey, the following mechanisms may be used to engage with the workforce:

• surveys

• meeting groups of elected workforce representatives

• visiting regional and overseas sites

• focus or consultative groups

• hosting town halls/open door days

• social media updates

• meeting future leaders without senior management present.

Based on the workshop attendees, there was a mix between companies who were using the Remuneration Committee Chair to engage with the employee voice and those who were using another NED. Not using the Remuneration Committee Chair would perhaps make the conversation less about pay and enable broader discussions. Whoever does it, there is a question around whether there needs to be an additional fee for the increased time commitment.

Other remuneration items

Provision 36 of the Code contains the recommendations that:

• Remuneration schemes should promote long-term shareholdings by executive directors that support alignment with long-term shareholder interests.

• Share awards granted for this purpose should be released for sale on a phased basis and be subject to a total vesting and holding period of five years or more.

In fact, 86% of FTSE 350 companies are already compliant with this as most have 3 year vesting and 2 year holding periods for their incentive schemes. The phased release seeks to avoid a cliff edge release of lots of shares into the market at a point in time.

A bigger issue with Provision 36 is the recommendation that the Committee should develop a formal policy for post-employment shareholding requirements encompassing both unvested and vested shares. Related guidance talks about packages that are structured to ensure exposure to the long-term share value for two to three years after leaving the company.

Only around 10 FTSE 100 companies currently do anything in this space and the IA’s recent guidance of 100% holding for 2 years post cessation is more onerous than current practice which is more commonly 50% holding for 2 years or 100% holding for 1 year and 50% for a further year.

Whilst the rationale for post cessation holding is that some problems can take a while to manifest themselves, CEOs are not in favour of this as they have no control over the actions of their successor. There has been some talk of transferring shares into an Employee Based Trust but it may not be easy to get CEOs to agree to this. Companies are only just starting to think about how to address this post cessation holding requirement and it is likely that this will be implemented at the time of the next policy review as opposed to any earlier.

Another new recommendation that is causing concern is provision 38 which states that pension commitments for executive directors, or payments in lieu, should be aligned with those available to the workforce. Further guidance notes that while it may not be practical to alter existing contractual commitments in this regard, Remuneration Committees will need to ensure future contractual arrangements take heed of this.

Most companies have been looking at aligning pensions in relation to the level of management below the executive committee but still above the majority of the workforce. However, investors are saying that this should be about the majority of the workforce and they are not expecting the loss of pension to be compensated for by other remuneration elements.

To date companies have mostly been addressing this issue where new executives are coming on board but have not been doing so for existing executives. It is possible that investors will target those with pensions of 25-30% of salary initially and focus on lower bands later. There was some feeling that this may have become less of an issue with lifetime maximum allowances and tax implications.

Remuneration disclosure requirements

The new Code disclosure requirements contained in provision 41 are that there should be a description of the work of the Remuneration Committee in the annual report including:

• an explanation of the strategic rationale for executive directors’ remuneration policies, structures and any performance metrics

• reasons why the remuneration is appropriate using internal and external measures, including pay ratios and pay gaps

• a description, with examples, of how the Remuneration Committee has addressed the factors in Provision 40

• whether the remuneration policy operated as intended in terms of company performance and quantum, and, if not, what changes are necessary

• what engagement has taken place with shareholders and the impact this has had on remuneration policy and outcomes

• what engagement with the workforce has taken place to explain how executive remuneration aligns with wider company pay policy

• to what extent discretion has been applied to remuneration outcomes and the reasons why.

A lot of this is already in remuneration reports but the intent is that it should be more meaningful and less boiler plate. Talking about engagement with the workforce and executive remuneration in relation to wider pay policies will however be new reporting.

Within secondary legislation, the CEO:employee pay ratio disclosure applies to listed companies for financial years on or after 1 January 2019. This requires:

• CEO pay as disclosed in the single total figure table

• employee pay calculated in line with the single figure methodology

• based on employee pay at median, lower quartile and upper quartile of UK employee population.

There is pressure for early adoption and some companies have already done this, although not always in line with one of the required methodologies which are:

• Option A – companies to identify the UK employees receiving remuneration at the median, lower quartile and upper quartile of the UK employee population which is then compared against the CEO single figure

• Option B – companies may adopt an alternative methodology, using gender pay data, provided it relates to the relevant financial year

• Option C – companies may adopt an alternative methodology, using other data, providing it relates to a period no earlier than the previous financial year.

Option A compares apples with apples and is therefore recommended and likely to be the most common approach. Whichever option is used, the CEO:employee pay ratio disclosure is likely to need context and narrative around it. It will vary depending on the nature of the company and its industry, and may also be volatile due to CEO pay varying when incentives vest. The long term trend will be more meaningful and therefore it may be appropriate to add the data for previous years when it is first disclosed.


38% of survey participants are planning to use a designated NED to gather employee views

42% are planning to introduce post cessation holding requirements in 2019

50% are making no change to current executive directors’ pension entitlements

42% are planning to early adopt pay ratio disclosures

In the US, where this ratio has existed for a year, it has not particularly had an impact on AGM voting. However, ISS may comment on it in their summary and ratios may also be picked up by the media. At this stage it is hard to predict how the data will be used once in the public domain but it is likely to increase the overall focus on fairness within business and broader society.

Other disclosures that are coming in through secondary legislation are:

• explanation of any exercise of discretion in relation to awards of remuneration in the Chairman’s Annual Statement.

• identification of the element of multi-period incentive remuneration in the single total figure resulting from share price appreciation. Statement of any discretion exercised in arriving at the value emanating from a multi-period incentive by reason of share price movement.

• inclusion of a performance scenario in remuneration policy that reflects a 50% share price increase over the life of the policy.

The scenario charts only need to be done when the policy is renewed, not every year.


Accounting update

The session began with the Financial Reporting Council’s (FRC) annual review of corporate reporting and year-end reminders. In the FRC’s letter to Finance Directors and Audit Committee Chairs ahead of the reporting season, they identified several areas where they believe improvements should be made. These should be considered by companies for year-end reporting. The most important areas are listed below:

Judgements and estimates

This is an area that the FRC continues to focus on and is the most common area of challenge. In particular, the FRC’s Corporate Reporting Review Team (the CRRT) is looking for accounting judgements to be distinguished from estimates and is pushing much harder where there is no disclosure of sensitivity or a range of possible outcomes in cases of estimation uncertainty (especially tax).

Alternative Performance Measures (APMs)

The CRRT has seen some improvement this year but it expects to see:

• definitions for all APMs used

• good explanations for their use

• reconciliations to IFRS amounts appearing in the financial statements

• no greater prominence for APMs than measures directly stemming from the financial statements and

• explanations for changes in APMs to be provided, which may include how they are defined or calculated.

Strategic report

The CRRT feels that strategic reports do not include adequate commentary on material items, such as:

• decreases in profit (for example where the narrative concentrated on an increase in adjusted profit)

• increase in working capital

• impact of foreign exchange movements in year

• recognition of deferred tax assets in the context of loss making businesses

• loss on disposal of business

• change in KPIs.

Taxation

The CRRT is continuing to monitor disclosures around tax, particularly deferred tax, including the reasons for and recovery of deferred tax assets.

Supplier financing

The CRRT is encouraging good disclosure from companies using supplier financing.

Unlawful dividends

The CRRT continues to be concerned about the frequency of companies paying unlawful dividends. This may also be impacted by Brexit and the potential impact on solvency in the period after a dividend is declared.

Brexit disclosure

The CRRT continues to have expectations of good disclosure of Brexit risk and discourages blanket, boilerplate disclosure.

New Standards

The FRC has been focussing on the impact of IFRS 9 and 15 in interim reports. There were two thematic reviews on each of the standards which looked at what companies had disclosed. They found that:

IFRS 15

• Poor explanation of changes/generic disclosures

• Poor linkage between transition adjustments and accounting policy changes

• No update to APM comparatives

• Lack of disclosures on significant judgements

IFRS 9

• Poor/generic disclosures

• Explanations of the differences between IAS 39 and IFRS 9 were generally poor

• Lack of disclosures on significant judgments.


For future reporting of the adoption of new standards (e.g. IFRS 16 in 2019), the FRC expects:

• compliance with IAS 34 on explanations of the nature and effect of changes

• consideration of IAS 8’s disclosure requirements for standards with a significant future impact (e.g. IFRS 16 in December 2018 financial statements)

• sufficient disclosures to allow users to understand the extent of impact of the new Standards on the business (e.g. IFRS 9 & 15 for December 2018 financial statements including any significant judgments).

There will be some accounting implications based on Brexit scenarios. Listed below are some areas that should be taken into consideration when planning for Brexit and in Brexit disclosures:

• financial risk disclosures (IFRS 7)

• impairment and valuation of non-financial and financial assets

• hedge accounting and whether transactions can still be considered highly probable

• restructuring and personnel, including pension payments

• foreign exchange

• changes to company law and whether IFRS should still be implemented

• recoverability of deferred tax assets

• narrative reporting (the impact on the business model, viability statement, risk disclosures).

Corporate Governance/Reporting update

The next session was a corporate reporting and governance update.

Interpreting the new Code

A new UK Corporate Governance Code was released by the FRC in summer 2018 and is applicable for periods beginning on or after 1 January 2019.

Whilst this was a fundamental review of the Code, the headline changes are arguably less fundamental than they might have been. They include:

• a shorter and sharper Code, but not an easier one – there are more elements to consider, including the accompanying ‘Guidance on board effectiveness’

• a new emphasis on stakeholders and the impact of business on society

• more focus on the nature and quality of governance reporting

• a new context created by re-ordering, re-drafting, changes of emphasis and language – and Section 1 content in particular.

To respond to the new Code fully, companies and Boards will need to step back and think about how the principles are applied and how the Board establishes and drives the purpose, culture and values of the organisation.

Some key messages

What the Code IS NOT about:

• turning all businesses into social enterprises

• social engineering

• bringing back 1970s style industrial relations.

What the Code IS about:

• refocusing corporate governance on promoting the long-term success of companies – creating healthy companies that will prosper in the long run

• recognising the role that ‘stakeholders’ play in this.

Especially for those who are lagging behind, it will:

• challenge Boards as to whether they are sufficiently involved and informed with this agenda

• create more accountability and transparency around it.

New Companies Act reporting requirements

Section 172 of the Companies Act is specifically referred to in the new Code, and is also the subject of new reporting requirements under the Companies Act, applying at the same time as the new Code. Section 172 states that a director must ‘act in the way he considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a whole’, while also having regard to the interests of other stakeholders. The balance between the interests of shareholders and those of other stakeholders has remained at the centre of the governance reform debate.

There are also new Companies Act requirements to include a statement in the Directors’ Report summarising how the directors have engaged with/fostered business relationships with key stakeholders (including employees, customers, suppliers and others).


Reporting points in 2018 Code, provision 41

• Strategic rationale: for exec policies, structures and metrics

• Shareholder engagement: what has been done and its impact

• Why pay is appropriate: using measures such as ratios and gaps

• Workforce engagement: on how exec pay aligns with wider pay policies

• Whether outcomes as intended: in terms of company performance and quantum

• Discretion: how used and why

Reporting practices in the FTSE 350

The session also set out some high-level observations on the status of reporting in the FTSE 350, based on our annual review published back in September 2018.

Key findings:

Some anticipation of the stakeholder agenda:

• 62% of companies at least mentioning stakeholder engagement

• 21% do more than just mention it

• 40% include a reference to stakeholder engagement in both their strategic and governance reports.

More clarity (though still limited) on time horizons when discussing strategy:

• 18% increase in companies giving at least a 1 year outlook

• 5% increase in those going for over 1 year

• 35% of market disclosures including forward looking information.

More recognition of a number of significant emerging risks (though again, still limited):

| Key risk | Acknowledged | Discussed |
|---|---|---|
| Brexit | 20% | 12% |
| GDPR | 23% | 6% |
| Climate change | 2% | 6% |

Mentions of Brexit will inevitably increase in the current reporting season.

Practical implementation of the new Code

The session focused on how Boards are implementing the main aspects of the revised Code. Workforce engagement has been a particular area of debate in many Boardrooms and a number of different methods are likely to be used, as the Code allows. There are signs that a ‘hybrid’ approach involving interaction between a designated NED and a workforce forum of some kind is emerging as the most popular choice.

Other guidance

The GC100 has also published guidance on stakeholder considerations and focuses on how Boards can become compliant and confirm in their annual report how they have met their duty under section 172.

The Governance Institute (ICSA) and Investment Association (IA) jointly published guidance back in 2017 on how companies can make sure that the stakeholder voice is heard in the Boardroom.

Emphasis on quality of reporting

A new section in the introduction to the new Code calls on companies to move away from ‘box-ticking’ and towards showing how the principles of the Code have been applied. This will mean a change in approach to governance reporting for some companies, especially when they are addressing the Principles and Provisions in section 1 of the new Code.

There is also a continuing emphasis on making a better connection between remuneration reporting and the rest of the annual report – especially on how remuneration is aligned with the desired culture and how it drives the delivery of strategic objectives. For the first time there is a specific Code provision on matters that should be covered in the remuneration report:


Recommendations and questions to ask at the Board:

Invest in a robust Anti-Bribery and Corruption (ABC) programme

Key questions to ask:

• Does the organisation understand the bribery risks it faces in sufficient detail?

• Is the organisation’s programme of ‘adequate procedures’ linked to these risks?

• Is the ethical due diligence on those the organisation does business with sufficient?

Use technology to combat fraud

Key questions to ask:

• Is the organisation taking steps to manage the risks posed by cyber threats and GDPR?

• Is the organisation investing in the right anti-fraud technology?

• Does the organisation’s data analysis focus on specific fraud risks e.g. bribery?

Know your risk – Fraud Risk Assessments

Key questions to ask:

• Is the organisation maintaining a view of its evolving risks – including fraud, cyber and bribery?

• Is this sufficiently detailed and tailored to the organisation and how it operates?

• Is each of the risks identified covered by appropriate anti-fraud measures?

Future of the audit profession

Attendees were also given an update on developments relating to the future of the audit profession, including the Competition and Markets Authority (CMA) review, the Kingman review and the Select Committee review.


This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2019 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
