Spotlight

Despite much public debate, gender inequality persists. It is now time for leaders to make good on their words and act.

As a classic armchair tennis fan who engages typically around the grand slam cycle, I couldn’t help but reflect on some of the coverage that followed Andy Murray’s recent emotional announcement of his probable imminent retirement. What was remarkable to me was the almost equal balance between Murray as the ‘tough as teak’ competitor who followed his dream from Dunblane in Scotland to become a multiple grand slam winner and Murray as a champion of gender equality. He has championed female athletes by forcefully arguing for parity of tennis purses, chiding the authorities at Wimbledon for not playing more women’s matches on centre court and, memorably, hiring a female coach, Amelie Mauresmo, at the height of his career. Or maybe what is, in fact, remarkable is that such acts or statements of equality appear to be so rare in the sporting arena.

The business case

In language perhaps more familiar to us as accountants, the business case for gender balance has never been clearer. INSEAD research shows that diverse businesses benefit from higher levels of creativity and innovation, greater customer satisfaction, more informed investment decisions and increased performance. But despite all the talk around gender equality in the workplace, women remain under-represented at all levels of management across all industries. Everyday discrimination continues to be a reality. McKinsey data from 2018 is very stark in this respect. Women have to provide more evidence of their competence than men while having their judgement questioned in their area of expertise. Women are also twice as likely as men to have been mistaken for someone in a more junior position. Being the only woman in the room is still a common experience and, consequently, women are heavily scrutinised and held to higher performance standards.
There is no silver bullet that will achieve greater gender diversity. Good intentions are great, but companies must show concrete actions. It is clear from INSEAD’s research that achieving true gender balance requires more than just adding women to your workforce. Companies must increase their total talent pool by actively embracing female return-to-work programmes. Organisations must also acknowledge that there will be varying levels of motivation internally to achieve gender balance. Seeking to engage not just the advocates, but those sitting in the middle is crucial to effective staff engagement.

Personal experience

All of this might have been something I was vaguely aware of until it became part of my professional life. I am proud of having been part of the diversity and inclusion journey across the Canada Life and Irish Life Groups in Ireland and the UK and, more recently, as part of this Institute’s Diversity & Inclusion Committee. While my initial motivation to step up was probably driven by a personal commitment to ensure a strong leadership voice for LGBTQ+ issues, my learning journey across the wider diversity and inclusion agenda has been profound. We know we are early on our diversity and inclusion journey, but that comes with the advantages of learning from those who are further along the path. Some of the work we are doing in my organisation at a group level includes:
The formation of a ‘Women in Leadership Group’ early in 2018 to support and promote existing and aspiring female leaders within the business, running focused development workshops for some of our pipeline of female talent which aims to advance opportunities for women into leadership roles;
The overhaul of recruitment policies and practices through a diversity lens;
The expansion of maternity and paternity policies to encourage full take-up; and
The introduction of unconscious bias training across all management tiers.
At board level, diversity is now a key part of the debate related to culture. In my own experience, it drives a much deeper awareness of – and focus on – the people aspect of business strategy. It also drives accountability at executive level; setting targets and measuring progress can be challenging, but it does drive activity. And yet we know we have so much still to do. And sometimes you are pushed into action, as we have seen with legislation across the European Union (EU). In the United Kingdom (UK), the Gender Pay Gap Report was published in April 2018 and momentum has continued around this to address the challenges it highlighted, albeit the data shows the gap only gradually closing between 2012 and 2018 at a national level. Canada Life UK is a signatory to the UK Women in Finance Charter and has committed to having 30% of senior management positions occupied by women by the end of 2020 and 35% of senior management positions occupied by women by the end of 2023. Similar reporting will follow shortly in this country and companies need to prepare for it, but there is an opportunity for some to embrace and lead on the challenge.

Turning intentions into reality

So, what can leaders do within their own organisations to advance change? Consider some of the actions below:
Be a vocal and visible sponsor and advocate for women;
Undertake a ‘root and branch’ review of your systems and processes to identify biases;
Challenge yourself and your recruitment partners to plan ahead and build a strong pipeline of diverse talent for your business;
Invest in the development of your workforce equally with tailored programmes to meet different diverse needs; and
Set an objective for senior leaders to keep gender diversity on everyone’s agenda.

Good intentions are great, but they are no substitute for on-the-ground activity. As accountants, we are respected voices within our businesses and we have a perspective that can lead or push gender balance as a business priority.
With all the momentum around gender diversity, now is the time to get off the fence and show your support for this positive wave of change.

John McNamara is Managing Director of Canada Life International (Assurance) Ireland and sits on the Institute’s Diversity & Inclusion Committee.

Feb 11, 2019
Innovation

Michael J. Walls explains why cyber-security should be a priority for the year ahead.

Did you make a New Year’s resolution? I have to admit, I usually don’t bother. As cyber-criminals are utilising increasingly sophisticated techniques, however, digital business owners such as myself need to keep up-to-date with cybersecurity to prevent cyber-criminals from hacking sensitive information and to avoid falling victim to fraud. Thanks to the advances in cloud computing in recent years, companies and accountancy practices alike have increased their online operations. This comes with many risks and organisations should ensure that robust processes are in place to mitigate the associated risks. There were numerous high-profile cyber-attacks in 2018 involving T-Mobile, Cathay Pacific and MyFitnessPal. These attacks resulted in users’ personal information, including credit card details in some cases, being obtained and exposed to the public. To kick off 2019, I therefore decided to update readers of Accountancy Ireland on the latest cyber-criminal techniques and outline the steps you can take to mitigate the risks to your business.

Spear phishing and whaling

Chartered Accountants working in a finance function may have encountered an email that appears to be from an organisation’s executive or director requesting a payment. In fact, the email originated from a hacker impersonating the executive or director in question. Hackers have also been spoofing email addresses of employees within organisations to target finance teams with change of bank details requests for payroll purposes. If overlooked, organisations could end up making payments for wages, goods or services to fraudulent bank accounts.

So, what should you do? Finance teams should have robust processes and controls in place for change requests relating to bank accounts, and particularly for requests received via email.
The simplest and most effective process involves a follow-up call to the supplier or employee in question to verify the change. Should your business fall victim to such a fraud and payment is made to a fraudulent bank account, you should contact your bank immediately to report the transaction and ensure that it is escalated to the bank’s fraud team. This is your best chance of getting the money back, as the bank may be able to freeze the payee’s account before the funds are withdrawn and moved offshore.

Credential stuffing

In this scenario, log-in credentials obtained from a previously compromised website will be used by hackers in a ‘brute force’ attempt to access a range of other sites or systems. Hackers will automate log-in attempts to various sites using the known log-in credentials and may gain access to your user accounts. If this is a business critical system, the hacker could hold your business to ransom.

So, what should you do? Businesses must ensure that strong password policies that require the use of a unique password for each site or system are in place. To check if your email address has been compromised in a data breach, visit this website: https://haveibeenpwned.com. If your email address has been subject to a breach, you will see details of the site or sites where your data has been potentially exposed to hackers. If you haven’t already changed your log-in credentials for those sites, you should do so immediately or close the account if it is no longer in use.

Invoice fraud

Many organisations now send invoices via email but this trend has opened up a whole new field for hackers, who intercept emails containing invoices and change the bank details on the invoice. The invoice is then sent to the customer requesting payment to the new bank account. Customers may then make a payment to the fraudulent account in the false belief that they are paying the invoice correctly.
Once the payment has been made, hackers use a money mule (see below) to move the funds offshore.

So, what should you do? Ask your customers to verify ‘change of account’ requests by phone or in person, should they ever receive an invoice containing new bank details.

Money mules

Money mules is a term used to describe innocent victims who have been tricked (or possibly groomed over a long period of time) by fraudsters into laundering stolen or illegal money via their bank account. The money is deposited into the money mule’s account and they must then transfer the money to a foreign account via a financial services company. This is a critical issue for businesses as money mules may become the target of criminal investigation given the fact that they are laundering the proceeds of crime.

So, what should you do? As a Chartered Accountant, you should always be mindful of your reporting requirements subject to the relevant anti-money laundering legislation. You should also advise your clients and employees to keep their bank details private unless they are absolutely certain that the details are required for a legitimate purpose.

Remain sceptical

When it comes to operating a business online and keeping the cyber-criminals at bay, the important thing is to remain sceptical when it comes to emails requesting payment or changes to bank details. Always follow up with a phone call and ensure that your customers give you the same courtesy. When it comes to log-in credentials, always have a strong unique password for each service or system you use, especially for business critical systems, and ensure that two-factor authentication is enabled wherever possible.

Top Five Cybersecurity Tips

Passwords: It is important to ensure that you have a strong unique password for each online service or system you use. Password managers such as LastPass or 1Password can help generate strong unique passwords and store these in a password vault, so you don’t have to rely on your memory.
Two-factor authentication: Nowadays, having a strong password isn’t sufficient to protect sensitive or confidential information, but combining a password with a token that generates a one-time code will provide an extra layer of security. Where a service offers two-factor authentication, this should be enabled. You can then use an SMS text message or Google Authenticator to complete your log-in verification.
Lock desktop: Would you leave sensitive documents lying around in the open for anyone to read? Failing to lock the desktop of an unattended laptop or mobile device is a major risk, especially if the device contains sensitive client information. Get in the habit of locking your unattended devices if you want to avoid a potential GDPR breach. Lock the device, or pay the price.
Mobile device security: Do you have client information on your mobile device? If so, you should ensure that you have a PIN with more than four digits and that you are able to wipe the device remotely in the event of loss or theft.
Privacy screens: If you work in an open plan office with sensitive or client-confidential data, invest in privacy screens to ensure that the data remains confidential.

Michael J. Walls is the Founder and CEO of Dappr and the 2018 Young Chartered Star.
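
An added example relating to the credential stuffing section of the article above (it is not part of the original article): automated log-in attempts with leaked credentials show up in log-in records as one source trying many different accounts once each, mostly failing. The log format, field names, thresholds and sample lines below are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log-in records (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2019-02-11T09:00:01 user=a.byrne ip=203.0.113.7 result=fail
2019-02-11T09:00:03 user=c.doyle ip=203.0.113.7 result=fail
2019-02-11T09:00:04 user=e.flynn ip=203.0.113.7 result=fail
2019-02-11T09:00:06 user=g.hayes ip=203.0.113.7 result=fail
2019-02-11T09:00:07 user=i.joyce ip=203.0.113.7 result=fail
2019-02-11T09:00:09 user=payroll ip=203.0.113.7 result=ok
2019-02-11T09:00:10 user=k.lynch ip=203.0.113.7 result=fail
2019-02-11T09:00:12 user=m.nolan ip=203.0.113.7 result=fail
2019-02-11T09:05:00 user=o.quinn ip=198.51.100.23 result=fail
2019-02-11T09:05:05 user=o.quinn ip=198.51.100.23 result=fail
2019-02-11T09:05:10 user=o.quinn ip=198.51.100.23 result=fail
2019-02-11T09:05:15 user=o.quinn ip=198.51.100.23 result=fail
2019-02-11T09:05:20 user=o.quinn ip=198.51.100.23 result=fail
2019-02-11T09:05:25 user=o.quinn ip=198.51.100.23 result=fail
2019-02-11T09:10:00 user=r.walsh ip=192.0.2.10 result=fail
2019-02-11T09:10:20 user=r.walsh ip=192.0.2.10 result=ok
2019-02-11T09:15:01 user=s.burke ip=192.0.2.50 result=ok
2019-02-11T09:15:12 user=t.casey ip=192.0.2.50 result=ok
2019-02-11T09:15:30 user=u.daly ip=192.0.2.50 result=ok
2019-02-11T09:16:02 user=v.egan ip=192.0.2.50 result=ok
2019-02-11T09:16:40 user=w.foley ip=192.0.2.50 result=ok
corrupted line without the expected fields
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(ok|fail)$")


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_log(text):
    """Return log-in events in time order, skipping lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append(Event(ts, m.group(2), m.group(3), m.group(4) == "ok"))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=5),
                     min_users=5, min_fail_ratio=0.8):
    """Classify each source IP by its log-in pattern inside a sliding window.

    credential_stuffing: many distinct accounts tried, mostly failing.
    single_account_guessing: one account tried repeatedly, mostly failing.
    A shared office address (many accounts, all succeeding) stays "normal"
    because of the failure-ratio test.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev.ip].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        verdict, exposed, start = "normal", set(), 0
        for end in range(len(evs)):
            # Shrink the window so it spans at most `window` of time.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            per_user = Counter(e.user for e in burst)
            fail_ratio = sum(not e.ok for e in burst) / len(burst)
            if fail_ratio < min_fail_ratio:
                continue
            if len(per_user) >= min_users:
                verdict = "credential_stuffing"
                # A success inside the burst means a reused password worked:
                # that account needs a reset and a review of its activity.
                exposed.update(e.user for e in burst if e.ok)
            elif verdict == "normal" and max(per_user.values()) >= min_users:
                verdict = "single_account_guessing"
        report[ip] = {"verdict": verdict, "exposed_accounts": sorted(exposed)}
    return report


if __name__ == "__main__":
    for ip, result in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, result)
```

Grouping by source address alone misses attempts spread across many addresses, so the same counting is worth repeating per target account and per time bucket.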

Feb 11, 2019
Innovation

How can organisations position themselves to transform a potentially serious business problem into an opportunity?

People often ask what white collar crime is, but no single definition of white collar crime exists in Irish law. Indeed, we often hear or see the words “economic crime”, “fraud”, “corporate crime” and “white collar crime” used interchangeably. Taken together, they cover illegal acts committed by an individual or a group of individuals to obtain a financial or professional advantage. Examples include asset misappropriation, bribery and corruption, money laundering, business misconduct fraud, cyber-crime, accounting and tax fraud, false accounting, insider trading, procurement fraud and consumer fraud.

Regulatory framework

Earlier this year, the Minister for Justice and Equality, Charlie Flanagan TD, received Cabinet approval for the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019 in order to comply with Ireland’s obligation to implement the EU Anti-Money Laundering Directive (AMLD) into our legal system before the end of 2019. The Minister stated that it will help with Ireland’s plans to build a “very robust legal framework” to tackle white collar crime, building on other measures recently introduced as part of the Irish Government’s ongoing response to the 2008 financial crisis. These measures included the faster-than-anticipated commencement of the Criminal Justice (Corruption Offences) Act 2018 in July 2018, the publication of a report by the Law Reform Commission in November 2018 on Regulatory Powers and Corporate Offences, and the announcement of the Corporate Enforcement Bill in December 2018. In 2019, we are also likely to see the re-naming of the Office of the Director of Corporate Enforcement (ODCE) as the Corporate Enforcement Authority and its establishment as an independent statutory agency to investigate increasingly complex breaches of company law.
Management beware

For readers, perhaps the most significant provision introduced by the Corruption Offences Act was the introduction of criminal liability for corporate bodies and senior management for offences under the Act. A director, manager, secretary or other company officer who consents to the commission of an offence may be guilty of an offence; and the same office holders may also be guilty of an offence if it is proved that the offence on the part of the company was attributable to any wilful neglect on the office holder’s part. It is worth noting that it is not necessary for the body corporate to be convicted of the offence in order for the company officer to be prosecuted. Criminal sanctions include, on conviction on indictment, unlimited fines and/or up to 10 years imprisonment.

Irish Economic Crime Survey

This demonstrates an increased political focus on ensuring that regulatory and enforcement authorities have fit-for-purpose tool-kits at their disposal. And it is easy to understand why. The PwC 2018 Irish Economic Crime Survey found that white collar crime is now a major business issue. Gone are the days when it was viewed as an isolated incident of bad behaviour, a costly nuisance or a mere compliance issue. That’s because the scale and impact of white collar crime have grown so significantly in today’s digitally enabled world. Indeed, managing its threat can now almost be seen as a business in its own right – one that is tech-enabled, innovative, opportunistic and pervasive. Think of it as the biggest competitor you didn’t know you had.

So what did the survey tell us? Reported economic crime and fraud in Ireland has increased significantly. Half of Irish respondents in the survey reported that they were victims of economic crime in the last two years, up from one third of respondents in 2016. This rise can be explained not only because more economic crimes are being detected, but also because more fraud and economic crime is happening.
The average financial loss suffered by respondents increased from €1.7 million to €3.1 million in the last two years, with 11% of respondents losing in excess of €4 million (3% in 2016). The survey results also indicated that the non-financial costs (reputation, share price, employee morale, as well as business and regulator relationships) are underestimated by Irish companies. Though many organisations still feel that Ireland is not a target for economic crime, these statistics clearly tell another story. It is worrying that nearly one-fifth of Irish respondents admitted to either not knowing how much the economic crime and fraud had cost them, or said the financial loss was immeasurable. Unsurprisingly, cyber-crime has taken over from asset misappropriation as the most prevalent economic crime. In fact, the incidence of cyber-crime (61%) in Ireland was double that experienced by global companies (31%). Within the last two years, over half of Irish respondents have fallen victim to cyber-crime despite an increased level of awareness and more resources being spent on addressing the risks. This is a concern for Ireland’s digital economy and for investors looking at Ireland as a business destination.

Role of technology

As companies come to view fraud as first and foremost a business problem that could seriously hamper growth, many will continue to make a strategic shift in their approach to technology. Technology opens up major opportunities to tackle fraud more effectively and efficiently, and growing numbers of Irish organisations are using – and finding value in – technologies like artificial intelligence (AI) and advanced analytics as part of their efforts to combat and monitor fraud. The first step for any organisation in this strategic shift is to assess the end-to-end fraud prevention and detection programme that already exists with a view to increasing automation by utilising emerging technologies.
Key activities in this assessment may include:
The analysis of key fraud performance metrics and the identification of areas for improvement from a client experience, operational efficiency and risk perspective;
The review of documentation, listening to calls and conducting interviews to assess the current fraud programme and to identify opportunities for lower friction, efficiency and risk reduction, including the assessment of policies and procedures; the assessment of technology controls; and performing data analytics and data quality assessments, which utilise a recognised fraud analytics framework;
The identification of gaps in the existing fraud prevention and detection processes;
The review of emerging technologies (AI, advanced analytics etc.) to ensure they are appropriate to the business and address the identified gaps; and
Presenting recommendations to executives/senior management to address the identified gaps.

Companies need to ensure that they are business-focused and have a threat-based perspective when assessing and designing the implementation of technology solutions to enhance their fraud prevention and detection controls.

Where to from here?

It isn’t hard to see how we got here. On the one hand, technology has advanced in leaps and bounds, helping fraudsters become more strategic in their goals and more sophisticated in their methods. On the other, the regulatory regime is becoming far more robust with enforcement intensifying, often in cross-border cooperation. Moreover, in the face of well-publicised corruption and other corporate scandals, public expectations are converging around common standards of transparency and accountability. In this era of unparalleled public scrutiny, today’s organisations face a perfect storm of fraud-related risks – internal, external, regulatory and reputational.
Not only has the threat of economic crime intensified in recent years, the rules and expectations of all stakeholders – from regulators and the public to social media and employees – have also changed irrevocably. Today, transparency and adherence to the rule of law are more critical than they have ever been. But our survey indicates that many companies are under-prepared to face fraud and that too few companies are fully aware of the fraud risks they face. Perhaps the value proposition of an up-to-date fraud programme can be hard to quantify, making it sometimes difficult to secure the investments needed. But the opportunity cost – financial, legal, regulatory and reputational – of failing to establish a culture of compliance and transparency is likely to be far greater. So, the important question is not: is your organisation the victim of fraud? Rather, it is: are you aware of how fraud is touching your organisation? Are you fighting it blindfolded, or with eyes wide open?

Role of the accounting profession

The accounting profession will play a crucial role in this fight against fraud. For professionals in practice, clients will require support in complying with more robust regulatory requirements, embedding anti-fraud operating models, investigating fraud and adopting new analytical tools and technologies in the areas of detection, monitoring and investigation of fraud. Ongoing assurance is also likely to be required to ensure that anti-fraud programmes remain fit for purpose. Those members of our profession in industry are likely to be leading or supporting initiatives within their businesses. These initiatives can be expected to include the introduction of appropriate policies and controls, awareness and education programmes, fraud risk assessments and fraud and cyber incident response programmes. They should also involve board-level support and oversight.
It will not be a ‘one size fits all’ approach; the complexity and size of a business, and the partners with whom (as well as the locations from which) it conducts its business will influence the approach. In any event, a systematic approach is required, one that removes silos in functions like compliance, ethics, risk management, internal audit, information security and legal; and enables a culture that is more positive, cohesive and resilient. The imperatives are clear: place transparency at the heart of organisations; use it to unite strategy, governance, risk management, information security and compliance; and find yourself better-positioned to transform a potentially serious business problem into an opportunity to emerge stronger and more resilient as an organisation.

William O'Brien is a Director in the PwC Forensics team, specialising in forensic technology.

Feb 11, 2019
Technical

With GDPR now in effect, employers must focus on a number of critical areas in order to mitigate the risk of litigation.

Many accountancy firms closely monitored and prepared for the implementation of GDPR on 25 May 2018. The Data Protection Acts, 1988 to 2018 (the Act) have now come into operation in Ireland and, as with many other organisations, part of the GDPR focus in accountancy firms revolves around compliance issues surrounding employee data. At this point, employers should have carried out a detailed analysis of their flow of employee data and where and how they track their employees’ activities, considered what information they control or process, how they collect that information, the purpose for which they hold it, how secure it is, whether it is passed to third parties, and how long they should retain the information. Organisations are also likely to have carried out Data Protection Impact Assessments (DPIAs) to identify and minimise the data protection risks of any ongoing or upcoming projects during the run-up to GDPR implementation. Arising from those considerations, employers will have taken steps to update employee contracts (moving away from a reliance on consent), privacy notices, information and communications technology (ICT) and data protection policies. Many managers in these organisations are now sitting back, patting themselves on the back for a job well done, assured that they have protected themselves against future claims. But is this true? In this article, the first in a two-part series, we will briefly examine the key obligations of GDPR and highlight the areas we believe employers will need to monitor in the future to minimise litigation risk and costs arising from GDPR.

The new status quo

When discussing GDPR, the most important thing to point out is that a new standard has been established in relation to the controlling and processing of data.
The Data Protection Commissioner (DPC) has made it clear that companies must develop a GDPR mindset and culture to ensure that breaches do not occur. As we know, new cultures take time to bed down. They also require vigorous training and monitoring of staff in the short-term, with ongoing training in the medium- to long-term to be successful. The steps taken by companies up to 25 May 2018 merely represent the compliance side of the equation. Companies have carried out risk analysis and put policies and processes in place in an attempt to protect themselves against prospective future claims. However, the reality is that companies need to continue that evaluation in the short- to medium-term. At this point, companies should be in a position to re-evaluate the impact of GDPR on their business and assess the ‘real’ litigation risk to determine whether they need to adapt their processes to minimise those risks going forward.

Sanctions

Data Protection Commissioner

Before discussing the prospective risks and claims that may arise because of GDPR, it is important to review the sanctions or penalties contained in the Act. Traditionally, only the courts could levy fines against companies. In practice, this meant that the DPC would always have to issue legal proceedings incurring costs and delaying enforcement. With the introduction of GDPR, the DPC can directly impose fines on companies. This is likely to increase the number and level of fines imposed in the future. With the implementation of the Act, sanctions have increased and administrative fines have been introduced. For the most serious infringements, organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater. For example, a serious breach for employers would include not having sufficient consent to process data. For lesser breaches, organisations can be fined up to 2% of their annual global turnover or €10 million, whichever is greater.
Examples of lesser breaches include not having records in order, not notifying the supervisory authority and data subject about a breach or not conducting impact assessments. The level of fines is measured against the “nature, gravity and duration of the infringement”. With the appointment of two additional commissioners, the DPC will likely have the resources to carry out significantly more investigations on an annual basis. The office of the DPC has helpfully provided guidance on its website as to the approach it intends to take to enforce GDPR. It has confirmed that no compliance grace period will apply. Factors that will be taken into consideration are whether the company can demonstrate a genuine commitment to meeting their GDPR obligations through their GDPR compliance programme, the scale of the infringement, whether the breach is negligent or wilful and their readiness to engage with the DPC. The DPC’s focus will be on ensuring that companies comply with the rights of data subjects, that data protection principles are respected, that organisations are transparent in relation to the data they collect and process and the basis upon which the data is being processed. Unlike the UK, the Irish DPC has been particularly proactive in focusing on the issue of transparency and has regularly flagged the requirement for privacy notices to be issued or updated in advance of GDPR implementation. In simple terms, companies must ensure that data subjects understand what, how and why their data is being processed.

Individual claims and the new ‘Data Protection Actions’

The most notable change in the Act is that actions can now be taken by individuals for material or non-material damage. GDPR provides for joint and several liability, so both the controller and processor can be held fully liable for any damage caused. The Act does not define non-material damage. As with many civil actions, proving loss can be a hurdle to claimants.
With the removal of the material loss requirement, the prospect of cases being taken by individual claimants becomes a real threat for companies. Individuals and employees can now sue for stress and emotional damage allegedly suffered because of breaches of GDPR obligations. There has also been a huge public media campaign surrounding the introduction of GDPR, making private individuals far more aware of their data protection rights. Luckily, class actions are not a feature of litigation in Ireland. However, it is easy to see how well-publicised data breaches could invite a flood of claims against companies by individual data subjects.

Litigation risks

A review of the Act makes it obvious that increased litigation will be an inevitable result of the implementation of GDPR. Some risks have been heavily ‘red flagged’ while others are less obvious.

Consent – personal data

With the implementation of GDPR, there has been a lot of discussion around the issue of consent to process personal data. Personal data falls under two categories: personal data and sensitive personal data. Given the inequality between an employer and an employee, consent to process personal data may not be “freely given” by employees. As a result, employers are recommended to rely on other grounds to justify processing; for example, a necessity for the performance of a contract or a necessity to comply with a legal obligation that allows the employer to process the data. This approach should have been reflected by the updated data protection policy and privacy notices rolled out within organisations prior to 25 May 2018. The DPC has imposed strict criteria for drafting privacy notices in this jurisdiction. Companies are obliged to include a list of the personal data they hold, how they collect it, and how they use and share information during an employee’s employment and after it ends.
During the course of the employment relationship, for example, it could be necessary to provide information to a variety of external contractors for a variety of issues including wage function, legal advice, the potential sale of the business or to comply with the law. All well-drafted privacy notices should clearly set out a company’s obligations to employees in respect of their personal data and should be shared with staff to ensure transparency. The notices should also set out the company’s other data protection obligations such as proportionality, ensuring information is secure and putting employees on notice of their rights to access, correct or erase that information. The availability of this information to employees makes it more likely that employees could query the data being held and the basis on which data is processed in the future. As a direct result, the number of complaints to the DPC regarding consent is likely to increase.

Sensitive personal data

The issue of sensitive personal data often arises in the context of employee data; for example, when employers are dealing with an employee’s medical information. Employers can be left in difficulty when investigating an employee’s absence from work, as it is open to an employee to provide medical certification but no details of their illness. An employer is entitled to certification and confirmation of return to work assuming these are required by their absence policy. However, the employer may not be entitled to specific details of the employee’s illness. With the spotlight on GDPR, employees are much more likely to refuse to furnish such information to employers, making it extremely difficult to manage absenteeism and provide cover for absent staff. It has also become increasingly common for employees to go on sick leave in the midst of a disciplinary process in an attempt to frustrate that process.
If an employee refuses to furnish details of their illness, the question will arise as to whether the absence is linked to workplace stress or something entirely unrelated. A recent Workplace Relations Commission (WRC) decision in relation to furnishing medical data confirmed that the employer was entitled to ask the claimant for the details of a family illness. This suggests that the WRC may take a common-sense approach when disputes come before it relating to employees being required to furnish sensitive data to employers. Despite this helpful decision, given the difficulties in holding and processing sensitive data it is inevitable that organisations will simply be forced to hold less sensitive data in the future.

Security

An employer’s obligation to keep employees’ personal data secure has not increased because of GDPR. What has changed is the level of transparency employers need to demonstrate to employees in relation to that data. Employers’ privacy notices should confirm that the information is held securely and that there are procedures in place to deal with a suspected data security breach. This includes an obligation to notify the regulator and the data subject of any breach. It should also confirm that the employer will limit access to personal information to those who have a genuine business need to know. The transparency of this arrangement will increase the likelihood of employees making subject access requests (SARs).

Sinead Morgan is a Senior Associate at DWF Solicitors in Dublin specialising in employment law.

Feb 11, 2019
Careers

Planning is the best insurance policy for protecting a company’s most valuable asset – its brand and reputation.

Building insurance, disaster recovery centres on standby, business continuity planning, product liability insurance, public liability cover and professional indemnity insurance are all costs that Chartered Accountants are familiar with. While businesses would obviously prefer to be able to dispense with the need for such overheads, they are accepted as a necessary investment in business to mitigate costly eventualities that could erode a company’s value and shareholders’ interests should an adverse event occur. Indeed, in an assessment of an organisation, the absence of any of these line items in a set of accounts is likely to raise red flags. Yet the nature of such insurance and contingencies tends to be focused on the fixed assets of a business or on maintaining the entity’s ability to continue operations in the event of a major disruptive event. However, both research and experience show that significantly less attention is paid to how organisational leaders focus resources on appropriate crisis communications planning to help mitigate the risk of damage to their company’s brand or reputation in the event of a substantial issue or crisis. The priority given to protecting fixed assets is, most likely, an overhang from an era when such assets were the primary focus of an enterprise’s value. Some 30 years ago, company valuations were almost entirely reliant on fixed assets with almost 80% of business worth tied up in tangible assets. Fast-forward to today and the reverse is now commonplace with significant portions of company valuations accounted for in brand, reputation and goodwill. This fundamental shift provides a real challenge for businesses in that, while critical incidents that impact on fixed assets can be localised in many cases, the nature of brand and reputation is ultimately universal.
This makes isolating issues and limiting damage much more difficult. Despite the growing importance of the value of intangible assets, surveys both in Ireland and internationally have found – on a pretty consistent basis – that only half of organisations have crisis communications plans in place. More worryingly still, few of those organisations with plans in place actually test their effectiveness. This situation may be troubling enough but when it is taken in tandem with a paradigm shift in the media landscape, the true challenge for companies to manage communications around an issue or crisis quickly becomes apparent. Traditional media’s omnipresent 24-hour news cycle can be sufficiently testing to deal with alone but when this is combined with the capability of any one individual with a mobile device, a Twitter account and a network connection, you then have the potential for a perfect storm.

Role of governance

Those charged with organisational oversight need to satisfy themselves that management teams have given due attention to this crucial area. In considering whether executives’ efforts in ensuring preparedness have been sufficient, this can be addressed with a series of questions to assess whether an adequate plan exists and whether appropriate and trained resources are in place.

The plan

Although having a plan is an important starting point, its effectiveness is eroded if it is not reviewed periodically in a systematic way and updated to reflect the challenges the business is facing. These challenges can come in the form of the nature of the business itself, changes to personnel, risk or other internal and external considerations.

Five key questions

Those in governance functions can, with five key questions, examine management’s readiness to react.
The first area of focus is establishing who within the company has ownership of the plan; without a custodian, there will be no driving force to ensure that crisis communications planning remains a key priority. And as an added protection, an alternate is essential. Second, directors need to establish when the plan was updated last and consider whether a review is necessary, mindful of the passage of time and extent of changes to the business within that time-frame. The third key question is around objective assessment. Business leaders will always see value in a third-party expert view on important organisational functions, so the same level of impartial external review needs to be applied to a process as important as crisis communications planning. The nature of major issues and crises is that they expose weaknesses ruthlessly and unless the plan and the team are put through their paces, management will not know how effective (or ineffective) the preparations will be in the event of a crisis. As a fourth area of focus, those responsible for governance must ask whether a simulation exercise in a controlled environment has been undertaken and assess what learnings were derived and whether corrective action was taken to overcome shortcomings. A further step is to assess whether the simulation was planned or unplanned – a combination of both will provide a true test of capability. As a final consideration, the experience of every seasoned crisis communications practitioner is that when it comes to major issues, they will strike not only when least expected but also at the most inconvenient time. The nature of the issue or crisis may mean that normal business operations are disrupted or the team may be in different locations, so it is important to consider whether the content of any crisis communications plan is accessible, both physically and virtually.

The team

From a resource perspective, a primary consideration is the composition of the crisis communications team.
For example, is its membership representative of key business functions and does it include those with responsibility for key risk areas? In addition to assessing the allocation of roles and responsibilities, management should also enquire as to whether alternates are in place for each team member in the likely eventuality of holidays, sick leave or unavailability. Organisations also need capable spokespeople to communicate in a way that provides reassurance to the public and other stakeholders that the organisation is in control of the situation. This involves both the selection and training of nominated executives. Contrary to popular myth, media training is not about orchestrating obfuscation, but equipping those in a spokesperson role with the skills necessary to deliver messages succinctly and credibly in a calm and controlled manner. Any sense of nervousness can erode confidence at a time when an organisation can least afford it.

Are you ready?

Here are 10 key governance questions to assess your organisation’s crisis communications readiness:

1. Who has ultimate responsibility for crisis communications planning?
2. Who comprises the crisis communications team?
3. What are their roles and responsibilities?
4. Who is back-up for each?
5. Who are the nominated spokespeople?
6. Are spokespeople trained regularly?
7. When was the last time the crisis communications plan was updated?
8. Has the plan been assessed objectively by a third party?
9. Has a crisis simulation exercise been undertaken to test the adequacy of the plan?
10. Is the content of the plan accessible virtually?

Niall Quinn is Deputy Managing Director and Head of the Corporate Advisory Practice at The Reputations Agency.

Feb 11, 2019
Financial Reporting

IFRS 16, the new international accounting standard on accounting for leases, will change many companies’ balance sheet metrics – but will it change behaviour as well?

When the IASB issued IFRS 16, the new accounting standard on lease accounting, in early 2016, its chair Hans Hoogervorst went to the trouble of asserting that the new standard would not put the leasing industry out of business and that leasing would remain attractive as a flexible form of finance. This was an unusual and, indeed, sympathetic statement for an IASB chair to make. It contrasted with the often-quoted statement by former chair of IASB, Sir David Tweedie, that he wished to fly on an airplane that was on an airline’s balance sheet before he died. Mr Hoogervorst’s statement was also considerably more sympathetic than the IASB’s attitude to concerns expressed some years ago that the revised rules on accounting for defined benefit pension schemes in IAS 19 would threaten the popularity of those schemes. The IASB noted at the time that it was not its problem if changing IAS 19, in the interests of better financial reporting, had such consequences. The IASB was equally unsympathetic to the concern that bringing a pension liability onto the balance sheet would cause difficulties with debt covenants, pointing out that it was up to companies to take action, such as renegotiating covenants, in these circumstances.

What is the concern?

So why did Mr Hoogervorst feel it necessary to address the question of whether IFRS 16 would affect the attractiveness of leasing as a form of finance? To understand this, let us recall some of the main changes in lease accounting brought about by IFRS 16 as compared to the previous standard, IAS 17. Under IAS 17, leases were classified as either operating leases or finance leases. Finance leases were recognised on the balance sheet as an asset and liability, with depreciation and interest in the income statement.
Operating leases were not recognised on the balance sheet, giving rise to their being referred to as off-balance sheet finance, with the lease rental expense being recognised on a straight-line basis in the income statement. The distinction between finance and operating hinged on whether substantially all the risks and rewards of ownership of the asset had transferred to the lessee. IFRS 16 represents a fundamental change to this approach. Under IFRS 16, all lease obligations are recognised on the balance sheet as a right-of-use asset and a lease liability (except for low value and very short leases). Depreciation on the asset and interest on the lease liability are recognised in the income statement, as with finance leases under IAS 17. IFRS 16 also sets out rules on how to determine the discount rate to apply to the lease payments when bringing the asset and liability onto the balance sheet, as well as how to determine the length of the lease term and how to deal with variable lease payments. So, how do these accounting changes affect financial metrics that are calculated on the basis of IFRS accounts? The most obvious one is that it will increase the amount of liabilities that are recognised on the balance sheet, as well as the amount of assets. Allied to this is the effect on the key financial metric of gearing because of the change in the relationship between the amount of liabilities recognised on the balance sheet and the amount of balance sheet equity. In the income statement, while earnings before interest, tax, depreciation and amortisation (EBITDA) will increase, as will operating profit, the interest expense will increase with consequences for debt covenants with interest cover requirements. Where the lease obligation is in a foreign currency, exchange gains and losses will arise on the full amount of the lease liability as exchange rates change. As we will see later, this can be particularly significant in some industries.
Compared to the straight-line operating lease expense under IAS 17, recognising interest on the lease liability will tend to front-load the total expense, with dramatic effects for companies that are financing their growth through leasing. Although the mandatory commencement of IFRS 16 is for years commencing 1 January 2019, accounting regulators such as IAASA (the Irish Auditing and Accounting Supervisory Authority) have reminded listed companies that IFRS requires this year’s accounts to provide information about the impact that IFRS 16 is expected to have when it is implemented. Indeed, IAASA published a survey in 2016 of Irish listed companies’ operating lease commitments to provide a possible indication of the scale of lease commitments that will be recognised under IFRS 16.

Industries affected by IFRS 16

While the IFRS accounts of all lessee companies with operating lease obligations will be affected by IFRS 16, it is generally recognised that the retail, airline and telecoms industries are likely to be particularly affected. This is because of the scale of property leases in retail, aircraft leases among airlines and equipment and network asset leases in telecoms. In each of these industries, leasing offers the key benefit of flexibility in relation to how long and at what cost the lessee wishes to be committed to the use and cost of the property, aircraft or equipment involved. Under IAS 17, there was also the additional perceived benefit that operating leases represented off-balance sheet finance. Under IFRS 16, some lessee companies may consider shortening the duration of their leases so that the amount of the lease liability and asset to be recognised on the balance sheet is reduced. Alternatively, options in leases to extend or renew the lease term that give rise to further liability where they are reasonably certain to be exercised may be renegotiated or eliminated.
In the airline industry in particular, where leases are often denominated in US dollars, euro companies are exposed to exchange losses on the whole lease liability under IFRS 16. Lessees may consider seeking to alter the currency of the lease or, more realistically, hedging the accounting exposure by using derivatives. In telecoms, where lease arrangements may include access to an asset together with the receipt of other services from the lessor, the expense for the access to the asset may be separated from the service element in order to restrict the amount to be recognised on the balance sheet to the amount relating to the lease rental for the asset. As IFRS 16 applies where the lessee controls the use of a specific asset for a period, some lessees may be content to leave control over the choice of asset to the lessor in order to avoid being scoped into IFRS 16. Recognising right-of-use assets on the balance sheet under IFRS 16 will expose those assets to the risk of becoming impaired for accounting purposes, with the resulting charge against profit being recognised perhaps earlier than an onerous lease charge would have been recognised before IFRS 16. This is likely to be particularly relevant in industries where technological obsolescence is a feature of the industry. Practical challenges for companies affected by IFRS 16 include the cost and effort of developing systems to capture the detailed data about their operating leases that they need to bring these leases onto the balance sheet, communicating the accounting impact to stakeholders and considering whether compensation arrangements need to be amended in order to accommodate the revised numbers. Under UK and Irish GAAP, operating leases remain off-balance sheet. Some companies that had adopted IFRS may consider whether IFRS continues to be the appropriate accounting framework to use where they believe the negative accounting effects of IFRS 16 are very serious. 
While some lessee companies may see fit to consider one or more of the avenues referred to above to minimise or reduce the negative accounting effect of IFRS 16, there remains the larger question of whether some companies will conclude that those negative effects would justify a fundamental change in their lease or buy decisions. This may be more likely where the benefits of leasing are marginal and do not outweigh the negative effects of worsened financial metrics. Clearly, a key factor in all of this is whether lenders and investors are likely to change their attitudes to lessee companies solely because of this accounting change. So, the follow-on question is whether this is likely to occur.

Conclusion

As Mr Hoogervorst noted in a speech on IFRS 16, it is a well-known practice of lenders and investors to adjust the balance sheet borrowing numbers of companies for the effect of off-balance sheet leasing when establishing the real gearing position. Given this well-established practice, together with the degree of publicity that the change in lease accounting under IFRS 16 has received, I think it would be disappointing if lenders and investors were to change their behaviour based on an accounting change that reflects no change in commercial reality. Such a change in behaviour might indicate that lenders and investors had not already been seeking out and utilising the relevant information on companies’ leasing arrangements. Even if the negative effects of IFRS 16 on balance sheet metrics, such as gearing, and on the volatility of profit do alter the behaviour of certain lenders and investors, lessee companies that are convinced that leasing is the right commercial decision may well stick to their guns and maintain their leasing strategy. After all, it would be a pity if the accounting tail were to wag the commercial dog now, wouldn’t it?

Terry O'Rourke is Chairperson of the Accounting Committee of Chartered Accountants Ireland.

Feb 11, 2019