The 2015 survey uncovers the latest issues organizations are facing as they respond to risks, assess the effectiveness of their risk mitigation activities and gain a deeper understanding of what they are doing to address cybersecurity.
2015 Corporate general counsel survey results
1. Corporate counsel say regulatory climate is bad for business
Concerns mount as resources are diverted from regulatory efforts and core business to address cyberrisks.
For the third consecutive year, Grant Thornton LLP and Corporate Counsel magazine surveyed corporate
counsel to get their views on the key threats to business growth. The objectives of the 2015 survey were to
uncover the latest issues organizations are facing as they respond to risks, assess the effectiveness of their
risk mitigation activities and gain a deeper understanding of what they are doing to address cybersecurity.
Corporate counsel perceive the current regulatory environment as bad for business. When asked,
“Considering your business’s efforts to comply with the current regulatory environment, what has been
the impact on your business?” more than two-thirds (69%) said that the current regulatory environment
made it harder to do business. Almost two in five (39%) believe the current regulatory environment has
diverted resources from the company’s core competencies, and 29% and 21%, respectively, responded that
the current regulatory environment decreased profits or impeded growth. Brad Preber, Grant Thornton’s
national managing partner of Forensic and Valuation Services, suggested: “The sentiment of the corporate
counsel surveyed is consistent with many corporate officers. On the whole, companies have not yet found
the right balance between regulatory compliance, growth and profitability.”
Grant Thornton LLP 2015 Corporate General Counsel Survey
Impact of current regulatory environment
Made it harder to do business 69%
Diverted resources from company’s core competencies 39%
Decreased profits 29%
Impeded growth 21%
Strengthened our competitive position 20%
Created opportunities for growth 19%
Moved resources to company’s core competencies 12%
Weakened our competitive position 10%
Made it easier to do business 7%
Damaged/impeded relations with key stakeholders 5%
Increased profits 2%
Other 5%
Respondents were able to select more than one answer.
2. Companies are taking new steps to manage their regulatory risk. The most frequent changes are
strengthening policies and procedures (70%) and increasing education and training (60%). However, many
are also engaging outside advisers/consultants (41%) and adding internal compliance personnel (36%).
Bill Olsen, Grant Thornton’s principal-in-charge of Global Investigations and Anti-Corruption Services,
agreed that these types of measures “are important parts of an overall program of regulatory compliance.”
He noted, however, that only 28% have implemented software tools and 21% have utilized data analytics,
and that “many companies are moving from manual intervention to technology-driven compliance efforts.”
Perhaps the reason that 91% of companies made changes to the way they manage their risk is that corporate
counsel are still unsure whether their approaches are effective. The management of corruption and bribery risk is
a good example of this regulatory compliance dilemma: 45% responded that they were not sure that their current
approaches are effectively reducing corruption and bribery risk. “This is the epicenter of the issue,” said Olsen.
“Many corporate board members and executives have no idea whether the efforts undertaken to control risk and
comply with regulations are actually working, not to mention whether there is any return on that investment.”
Olsen added, “There are recognized anti-corruption programs that can be implemented, monitored and measured
to address these types of unknowns.”
Despite the fact that corruption and bribery risk continue at historically high levels — and they are
certainly on the minds of corporate boards and officers — few businesses have increased resources devoted
to managing them. One possible explanation is the explosion in concern over cybersecurity. While only
21% of corporate counsel say their businesses have increased the time and resources devoted to managing
corruption and bribery risk, an overwhelming 69% have increased the time and resources devoted to
managing cybersecurity and data privacy risk since last year.
Effectively managing corruption and risk?
Yes 51%
No 4%
I’m not sure 45%
Changes made in managing regulatory risk
Strengthened policies and procedures 70%
Increased education and training 60%
Engaged outside advisers/consultants 41%
Added internal compliance personnel 36%
Subjected vendors and suppliers to monitoring or audit 33%
Conducted more internal investigations 30%
Implemented software tools 28%
Repurposed internal audit toward regulatory matters 21%
Utilized data analytics 21%
Increased actions against violators 9%
Same as last year, nothing different 9%
Other 2%
Respondents were able to select more than one answer.
Change in time and resources
Corruption/bribery: Increased 21%, Stayed the same 68%, Decreased 1%, Not sure 10%
Cyber and data privacy risk: Increased 69%, Stayed the same 23%, Decreased 0%, Not sure 8%
3. “The courts, public opinion and the federal government have made it clear that cybersecurity and data
privacy are a front-burner issue,” said Skip Westfall, managing director of Forensic Technology Services
and co-leader of Cybersecurity Services for Grant Thornton. “Ignoring this risk is very dangerous and can
be very costly.” In response, more than 90% of corporate counsel say their companies have taken action
to mitigate cyberrisk, most commonly by adding data security measures (67%), preparing policies and
procedures (59%), and conducting training (59%). Westfall agreed that these measures are all “important
steps in a comprehensive cybersecurity and data privacy risk management program.” He also referred to
the National Institute of Science and Technology (NIST) framework for cybersecurity risk management.
“Organizations should be using an established process to assess cybersecurity and data privacy risk, and the
NIST framework is becoming a standard in this space.”
Despite all the efforts on cybersecurity, corporate
counsel remain unconvinced that their companies
are prepared. When asked, “Overall, how prepared
do you believe your organization is to effectively
respond to data breaches?” only 17% responded that
they feel very well-prepared. An overwhelming 58%
responded that their organizations are somewhat
prepared, indicating some question about whether
they were fully primed for these potentially
catastrophic events. “Organizational stakeholders are
demanding an answer to this question,” said Westfall.
“Corporate directors and officers are consistently
asked this question by customers, regulators, banks
and others. In today’s high-risk cybersecurity
environment, preparedness is paramount for
consumer and stakeholder confidence. People will
only do business with organizations they trust with
their personal information.”
One possible reason for the low confidence is a lack of
clarity regarding who has the primary responsibility
for cyberrisk. When asked, corporate counsel cited
more than 10 different titles as having primary
responsibility for responding to data breaches.
Actions taken to mitigate cyber and data privacy risk
Added data security measures 67%
Prepared policies and procedures 59%
Conducted training 59%
Identified sensitive/private data 50%
Employed outside advisers/consultants 45%
Implemented monitoring program 42%
Developed data breach recovery plan 42%
Added cyberbreach insurance 29%
None of these 9%
Respondents were able to select more than one answer.
Primary responsibility for responding to data breaches
CIO/CTO 37%
Chief security officer 16%
General counsel 11%
Chief compliance officer 8%
Other management 7%
Chief risk officer 5%
CFO 5%
Other 12%
The totals do not equal 100% due to rounding.
Current level of preparedness for responding to
data breaches
Very well 17%
Somewhat prepared 58%
Somewhat unprepared 12%
Very unprepared 8%
I’m not sure 6%
The totals do not equal 100% due to rounding.