
ITV plc Annual Report and Accounts 2023, pages 60-61
STRATEGIC REPORT
RISKS AND UNCERTAINTIES CONTINUED

7. Data
Link to strategy: E S O
MB Sponsor: General Counsel and Company Secretary

Description
Failure to ensure appropriate access to consistent and trustworthy data and remaining compliant with our regulatory obligations. We must ensure the whole of ITV follows the applicable data regulations while anticipating and adequately preparing for future ones.
Link to Viability Scenarios: 4

What this risk category covers:
• How we create value and enable efficiency while providing a robust framework for data governance
• How we identify the data we have, who is responsible for looking after it, how it moves around ITV, who is using it and how it is being used/what it is being used for
• How we remain vigilant in protecting our corporate data and the personal data we are entrusted with whilst following today’s global data regulations and anticipating and preparing for tomorrow’s

Some of the things we do to manage it:
• We structure our approach to data use and management around three pillars – Privacy by design, Security by design and Value by design.
• Continue to use the OneTrust privacy compliance management tool to determine whether a Data Protection Impact Assessment (DPIA) is required in respect of relevant operational infrastructure and tools
• Data privacy lawyers and data governance experts are embedded within each of the business areas to act as partners, monitor data activity and usage, and educate the business on their data obligations
• We have established policies and procedures which set out what is expected of people across ITV with respect to data
• We provide mandatory data privacy and data governance training and promote good data behaviour through awareness campaigns
• We perform due diligence on our third parties prior to onboarding
• AI SteerCo was established to provide oversight of the use and implications of AI for ITV

Example risks in this category:
• Using data to inform decision making without understanding its quality, accuracy, validity, ownership or legality
• Failing to comply with data protection laws or regulations that apply to ITV
• Unintentional data exposure (corporate or personal) as a result of insufficient employee awareness of data governance and data privacy
• Cyber-attacks from well organised threat groups targeting ITV resulting in a data breach

Some of the metrics we track:
• Mandatory Training
• Data Subject Requests
• Total investigated incidents
• High Risk DPIAs

Risk direction: 2023, 2022

COMPLIANCE RISKS

8. Policy & Regulation
Link to strategy: S O
MB Sponsor: Group Director of Strategy, Policy & Regulation

Description
We engage with regulators and governments to put our case to shape the future regulation that protects viewers whilst ensuring PSBs can compete fairly and deliver their remits. We must then be in compliance with these regulations whilst maintaining trust and delivering our strategy.
Link to Viability Scenarios: 1 | 2 | 6

What this risk category covers:
• The impact the new Media Bill will have on the visibility and viability of our content distribution and advertising businesses
• The impact changes in advertising regulation may have on our Total Advertising Revenue (TAR)
• The impact of emerging regulations and policy on our business (e.g. sustainability and child protection)
• How unfavourable changes to European Works quotas could impact the demand for UK content
• How we continue to meet the expected requirements of a Public Service Broadcaster (PSB)

Some of the things we do to manage it:
• Continue to monitor potential policy, legal and regulatory developments
• Analyse the impact of potential changes and proactively put forward our position during the development of new policies, legislation and regulations
• Continue to engage with the government and regulators on the PSB regime and other topics relevant to our industry
• Actively participate in consultations on areas which may impact ITV and collaborate with other organisations in the industry, where appropriate in line with our competition law obligations, e.g. with the pan-European report on possible European Works quota changes
• Horizon scanning to identify future changes, analysing the impact this would have on ITV and agreeing our position (e.g. medium to long term future of DTT)

Example risks in this category:
• Regulation not keeping pace with the market
• Keeping up with evolving regulation
• Failing to comply with standards, rules, requirements and obligations
• Continuing to fulfil the requirements of being a Public Service Broadcaster (PSB)
• Renewal of Channel 3 nations, regions and breakfast licenses

Some of the metrics we track:
• Regulatory outlook

Risk direction: 2023, 2022

9. Corporate Compliance
Link to strategy: E S O
MB Sponsor: General Counsel and Company Secretary

Description
We seek to remain compliant with all substantive laws. Key areas of compliance activity: laws, for example, those relating to anti-bribery & corruption, modern slavery, anti-competitive behaviour, competition, trade sanctions and Speaking Up.
Link to Viability Scenarios: N/A

What this risk category covers:
• Breaches of corporate compliance could lead to prosecution, fines, litigation or a regulator stepping in, which might impact our reputation and our ability to operate if it resulted in the loss of licenses
• How we set the expectations of our people and develop the operational infrastructure and tools to drive and make compliance easy for the business

Some of the things we do to manage it:
• Through our Code of Ethics & Conduct, we foster a culture where colleagues know the standards expected of them and can speak up if something’s not right
• We implement a robust tailored compliance programme based on our risk assessment, including undertaking compliance monitoring and effectiveness reviews
• Promote good compliance behaviour in our colleagues, through awareness and mandatory training
• Work with the business to support the adoption and implementation of compliance policies and standards
• Conduct due diligence on potential third parties
• Horizon scan to prepare for legislative changes and develop policies to address them

Example risks in this category:
• Being exposed to third parties or colleagues engaging in unlawful or non-compliant activities on ITV’s behalf
• Inadequate operational infrastructure to drive and support the execution of a strong third party risk management process
• Lack of clear infrastructure and appropriate culture for compliance matters in the business

Some of the metrics we track:
• Speaking Up
• Mandatory training

Risk direction: 2023, 2022

OPERATIONAL RISKS

10. Cyber Security
Link to strategy: E S O
MB Sponsor: Chief Technology Officer

Description
We aim to protect ITV, our content, our colleagues, our viewers and our partners from harm and financial loss caused by cyber security events. We adapt our controls accordingly to detect and respond to the evolving threat.
Link to Viability Scenarios: 4

What this risk category covers:
• A successful cyber-attack could lead to ‘black screens’ and result in a commercial impact due to operational disruption or critical system outage
• A catastrophic data breach could result in ITV receiving a fine from the Information Commissioner’s Office (ICO) of up to 4% of worldwide turnover
• Failure to maintain trust and live up to regulatory, viewer, partner and other stakeholder expectations related to cyber security could weaken our reputation

Some of the things we do to manage it:
• Implement a robust cyber security risk management (NIST) framework to protect our applications, systems and networks
• Monitor external threats and gather intelligence on evolving cyber techniques, tactics, capabilities and the threat landscape
• Maintain a vigilant security setup to quickly detect and respond to cyber risks before they become incidents, whilst continuing to invest in new and emerging cyber defence and security tooling
• Promote good security behaviour in our colleagues, through awareness campaigns and mandatory training
• Perform due diligence on our third parties and monitor our online applications and technical validation
• Model a severe but plausible hypothetical cyber-attack scenario annually and facilitate cyber exercises with the Management Board to simulate an attack, rehearse how ITV would respond and identify and implement improvement areas
• Continue to focus on ITV’s recovery capability and minimal viable company

Example risks in this category:
• Cyber-attacks from organised threat groups targeting ITV
• Being exposed to third parties with vulnerabilities that can access our systems
• ITVX Bot Attacks
• End of life legacy IT estate vulnerabilities
• Labels IT infrastructure Independent to Group

Some of the metrics we track:
• Attack path stats (by severity)
• Endpoint-related incidents (No. per quarter & trends)
• Minimum Viable Company (MVC) Recovery Capability
• Third party assessment (critical suppliers)

Risk direction: 2023, 2022
