Australian execs fear mounting risks in cyber & geopolitics
McGrathNicol Advisory has released a report detailing perceptions and attitudes of Australian business leaders towards various risks.
In partnership with YouGov, the advisory firm surveyed over 300 C-Suite executives and Board-level directors from Australian businesses with a workforce of 50 or more employees.
The findings reveal that a substantial majority of executives, 89 percent, anticipate that risk and security issues will worsen in the next 12 months. This is a sharp increase from the 58 percent who felt this way in 2023. Despite acknowledging the rising risks, many organisations have yet to effectively recognise the interconnections between different risk areas or implement adequate mitigation strategies. Geopolitical threats, though increasingly pressing, are perceived by business leaders to have fewer immediate impacts.
New cyber security obligations have intensified following modifications to the Security of Critical Infrastructure Act 2018 (SOCI Act). Australian companies in critical sectors, including communications, defence, higher education, financial services, healthcare, energy, and transport, now face a deadline to submit a Critical Infrastructure Risk Management Program by 28 September.
Cyber security emerged as the primary concern for Australian businesses, with 68 percent of organisations placing it within their top five risks for 2024. Despite the growing concern, many enterprises neglect adequate vetting of their key suppliers' cyber security practices. About 71 percent of organisations do not conduct such due diligence, and more than three-quarters do not mandate the reporting of any cyber or data breaches affecting their suppliers.
Companies are also underestimating the broader effects of geopolitical events on their overall risk profiles. For example, the Russian invasion of Ukraine and the Israel-Hamas conflict highlight the potential for significant disruptions. A potential second Trump administration could escalate trade disputes, particularly with proposed tariffs targeting Chinese-made goods, thereby directly impacting Australian businesses.
Insider risk management appears to be another area needing improvement. Despite 87 percent of organisations expressing confidence in their insider risk management programs, less than a third have implemented fundamental controls. Only 28 percent use a risk-based vetting and due diligence framework for employees and suppliers, 27 percent have ongoing education and awareness initiatives, and just 18 percent have appointed an authority responsible for insider risk.
Supply chain risks make up a substantial component of enterprise risk management programs, with 80 percent of organisations considering them a core pillar. Internal challenges remain significant, though: 74 percent of businesses cite issues such as a lack of expertise, insufficient data visibility tools, budget constraints, and competing priorities, which contribute to persistent supply chain vulnerabilities.
Legal and regulatory complexities are adding another layer of pressure on businesses. Regulatory bodies have moved from awareness campaigns to enforcement, introducing new legislation around payment times reporting, wage underpayments, modifications to the Privacy Act, and the SOCI Act. As a result, 55 percent of surveyed leaders view legal and regulatory risks as a top concern, and 27 percent expect these issues to intensify.
Financial pressures are also mounting, driven by high inflation, rising wages, increased interest rates, and higher energy costs. Financial risk was ranked as a top-five concern by 66 percent of organisations, second only to cyber risk.
Matt Fehon, Head of Advisory at McGrathNicol Advisory, emphasised the importance of proactive risk management. "As the SOCI reporting deadline approaches, many Australian organisations will be required to submit Risk Management Programs addressing areas like cyber, geopolitical, regulatory, and supply chain risks for the first time," he commented. "Too often, we see organisations react only once a risk event has occurred. But this can be costly due to the interconnected nature of risk areas. We would prefer to arm businesses with the tools to face the changing landscape of business risk head-on."