StrategicRISK and insurer CNA Hardy look at some of the most challenging risk areas to face UK multinationals following the Spring ’18 Risk and Confidence Survey

CNA RT May 18

One year on from when the first CNA Hardy Risk and Confidence Survey was published, it remains concerning that supply chain and other corporate risks are failing to fully register with business leaders.

During a roundtable discussion, following the release of CNA Hardy’s Spring 2018 Risk and Confidence Report, participants from across the value chain all agreed supply chain was too far down the priority list.

A year of data, collated by the London market insurer across three surveys (Spring ’17, Autumn ’17 and Spring ’18), demonstrated key decision-makers continuing to focus on headline grabbing issues as they think about the risks their businesses face.

“This isn’t that surprising,” said Dave Brosnan, chief executive of CNA Hardy, leading the discussion, “given the growing complexity of risks business have had to respond to.” He is referring to the impact of economic and political

decisions, such as Brexit; high profile cyber-attacks in 2017, such as the Petya ransomware attack and the NotPetya malware attack; and the General Data Protection Regulation (GDPR) regulation.

“These will naturally grab the attention of any board, right? And while we understand there needs to be a focus on cyber risks and regulation, supply chain and other board room liability risks should not be underestimated, and we’re worried they might,” he continued.

Three major themes emerged from CNA Hardy’s Spring ’18 research: boardroom confidence is staging a weak recovery, but the overall risk environment continues to deteriorate; cyber risk has moved to the top, while corporate and supply chain risks continue to fail to register for the C-Suite; and UK companies are taking a turn away from investment in Europe. Cyber risk was flagged as a priority by 25% of respondents to the insurance firm’s research, with regulation second-placed with 23%.


The survey found that confidence within UK multinationals has crept up from 28% in Autumn ’17 to 42% in Spring ’18. However, a perception – amongst respondents – that the risk landscape has become more threatening has led to a more cautious mindset, with 30% of respondents in the most recent survey stating caution around their ability to grow and prosper, compared to only 10% in the Autumn ’17 survey.

In addition to this, the results of the survey showed that almost one third of UK business leaders are worried about the operating environment – three times more than at any point in the past year, with 80% characterising it as ‘moderate to high’ risk. Over the past six months there have been some dramatic changes in the risk landscape. Cyber and regulatory risk have pushed political and economic risk off the risk radar.

As the frequency and severity of cyber risk increases and oversight steps up, so the threat of substantial fines is commanding C-suite attention. But two elements of boardroom risk are still failing to register – corporate and supply chain risk. Despite all the high-profile failures including most recently Carillion, Weinstein and KFC – these are two risks that still languish on the periphery of boardroom vision. Until business executives can get the balance right across the full range of boardroom threats, CNA Hardy predicts that business leaders will continue to feel that risk is increasing and caution remains essential.

According to the findings, the most confident sectors are technology (52%), healthcare (52%) and life sciences (50%); whereas the most cautious industries were construction (48%), manufacturing (36%) and financial services (32%). So, what is driving this confidence preceding three sectors?

“Starting off with the healthcare sector, a big driver to the sector’s confidence is something we see in the news almost every day, which is the ageing population,” said Rhonda Buege, head of healthcare and technology at CNA Hardy. “There’s a statistic out there which says by 2020, the amount of people over the age of 65 will increase to 8%, so that’s a huge number of consumers of healthcare in that population. In addition to that, there’s a huge increase in the prevalence of chronic disease, and that is largely resulting from lifestyle choices,” she continued.

“I also think there’s a change in patient demands, and what people are expecting. There’s a lot more access to information out there because of technology, so people are now driving what types of healthcare they’re able to get and looking at the most recent and up to date treatments. I would say all of those things are driving the increase in confidence in healthcare.”

The higher levels of confidence in life science are closely linked, Buege explained to the group. “If you look at the life sciences sector, which is supporting the healthcare, diagnostic and treatment of patients, certainly that’s going to grow, and if you look at the technology sector and the life sciences sector combined, we’ve seen an enormous amount of convergence. So, whether it’s healthcare, life sciences, tech or some combination of all of those, certainly there’s growth in the sector.”

Ailsa King, chief client officer at Marsh, concurred, adding: “I think the technology sector is going to be almost welcoming of the cyber risk, and the issues that need that industry to step up and help other industries. The onus on embracing the advancements in technology to aid the way we not only live our lives, but run our businesses is another big growth stream,” she said. “But the other thing that strikes me is just the interconnectedness of the risks we’re talking about and how quickly things can change for sectors,” said King.

Indeed, in the Autumn ’17 survey, only 2% of construction firms ranked corporate risk as a concern. Given the levels of caution displayed in the Spring ’18 survey, it would suggest this mindset has changed quite considerably.

In January 2018, construction giant Carillion announced it was going into liquidation after its huge financial troubles finally overwhelmed it. The UK’s second-largest construction company buckled under the weight of a whopping £1.5bn debt pile. Some argue that it overreached itself, taking on too many risky contracts that proved unprofitable. It also faced payment delays in the Middle East that hit its accounts.

Last year, it issued three profit warnings in five months and wrote down more than £1bn from the value of contracts. It is unsurprising that in the wake of this massive corporate failing, and the ripple effect on the supply chain, the construction sector is more cautious than before.


At the time the survey was carried out and the ensuing roundtable took place, the looming deadline for GDPR was at the top of everyone’s mind – demonstrated, not only by the results of the survey, with regulation considered the second biggest risk, but also by several comments and observations made during the discussion.

John Ludlow, CEO of UK risk management association Airmic, commented: “GDPR is something that will impact every company, regardless of sector or size, so although we could comment and say the findings suggest regulation is kind of in the reactive piece, GDPR is such a big piece of legislation, it was always going to find itself on near the top of any risk registry,” he said.

The introduction of GDPR in May this year was described as a ‘timebomb’ waiting to explode under UK and European businesses. At the time the survey was carried out, just over half were declaring themselves as ‘not ready’ for the implementation of the new regulation. GDPR will now allow the Information Commissioner’s Office (ICO) to impose fines of up to 4% of turnover (not profit) and it is anticipated the ICO will be looking to make early examples of companies that are not compliant, even where no breach has occurred.

“I think after the date goes live, there will be a lot of complacency, until there are some cases, and I think people will realise there’s probably still a lot more to GDPR compliancy than they originally thought,” said Ludlow. Issues around third-party data ownership were also raised during the discussion, and whether or not the focus on GDPR has been heightened by some of the higher profile

cyber attacks in 2017. “The way I look at cyber risk is pipes and oil,” Ludlow continued. “The pipes are the cyber-attacks, and the GDPR is saying you’ve got to look after the oil as well. I think people are beginning to understand that. If you asked people 12 months ago I think they’d be going, cyber, that’s it, isn’t it? Now at least they’re down to the next level, and they’ve gone, no, there’s a technology and a data aspect in this too.

“But then they need to get down to the next level after that, and the one after that. Companies need to think about who owns this data, because they’re operating in a connected world. Is it your partner’s? Suppliers? Whose data is it? Your customers? Do they know if they have the right permissions?

“This stuff oozes out the corporate systems without people really understanding where it’s gone, where it’s coming from. So, I think a lot of the angst around GDPR has got so much longer to run,” said Ludlow. From a market perspective, “This is a piece of regulation you don’t want to forget about,” said Marsh’s King. “GDPR affects a number of different insurance products, and there has been an army effort in making sure that policies are now going to be compliant with the new regulation, because the data protection needs to be changed in our policies. It’s important that clients know that,” she added.


Airmic’s John Ludlow believes these quite rapid changes in confident and cautious approaches can be attributed to the ‘emotional economy’. “Fundamentally there are some mega trends that are affecting the world, and one of the big changes is just how much we’ve got tied up in a much more ‘emotional economy’,” he said.

“It used to be very physical or commercial, and now it’s all about how people feel and support things. Emotions are very fickle things, and therefore I think that anything can trigger a change in the direction the way people think, so I think as people of risk, we’re having to become much more tactical. The survey says that today, manufacturing is down, and that technology is thinking it’s their day to grow and prosper. Tomorrow it could change again, and I think boards are having to become much more risk-aware now, because it can change quickly. The winds can change daily,” said Ludlow.

He flagged there are also a lot of drivers that could prompt this change. “We talk about governance and corporate risk as one that people aren’t worrying about enough, but tomorrow it could be workplace, or the next day it’s corporate responsibility and the environment, or the next day it’s the products and services that are being caught out. “The board has got to become very capable of dealing with them all to be resilient over the long term, because the winds will change. We’ve seen too many examples to ignore this very simple fact,” said Ludlow.