The Future of Risk: Tone from the Top

By Gerry Chng, EY Asean Cybersecurity Leader and Singapore Risk Leader, EY

Gerry Chng, EY Asean Cybersecurity Leader and Singapore Risk Leader, EY

Companies today are under tremendous pressure to reinvent themselves as traditional barriers of entries are redefined through innovative use of technology. Businesses – new and old alike – swoop in to fill the gaps in consumer need for accessibility of information, speed of transaction and competitive pricing, sometimes achieved solely through an online presence.

Many established businesses are in a dilemma; there is a huge risk of becoming irrelevant if they do not disrupt themselves to compete with new entrants that are chipping away at their customer base, yet they may not have the necessary skills and agility to review their business critically and rebuild a secure business model as they continue serving their customers.

Traditional point-in-time risk snapshots through quarterly self-assessments or annual audits seem to be in the magnitude of lifetimes compared with the speed at which new entrants are emerging. Essentially, organizations need to embrace and be nimble in managing risks at the same time as they are seizing opportunities and refining plans.

As Prime Minister Lee Hsien Loong described in his keynote speech at GovTech’s Stack Developer Conference 2018, “We do not know if all of our initiatives will go as we plan, but as a GovTech officer said to me recently, we are rebuilding the aeroplane even as it is mid-flight!”

To deal with the future of risks, there are five areas that boards can help in setting the right tone from the top in order to change the organizational culture and DNA.

Responsibility of risk

It is already established that everybody in the organization and its ecosystem of third-parties need to be responsible for risk management. However, beyond the awareness sessions and campaigns that are run, many companies have not been achieving the desired impact. Take for example instances where a potential security breach has been identified, and escalation was not made because it was not deemed to be part of the individual’s job scope to have done so.

A possible, but not immediately obvious approach, is to involve the company’s talent management team to look into culture-building programs that boost staff engagement and belonging so that they feel a sense of ownership of the company issues and concerns. All individuals involved in the business should feel that they have an important part in risk management, and not simply because they have been told to do so and are obliged to.

Risk ownership

Risk ownership is currently centralized at the risk management function and this notion will no longer be as relevant when business units start to disrupt themselves.

When it comes to risk management, there are generally three types of risks: upside risks that offer benefits to the business; downside risks that do not bring about any rewards; and outside risks that offer either negative or positive benefits and are beyond the organization’s controls.

As companies start digitalizing their business, there needs to be more collaboration between the business units and risk functions (and this can be the cybersecurity, risk, or audit functions). The business units enjoying the potential upside risks must also take ownership of any associated downside risks rather than viewing it as the responsibility of someone else.

Scale versus agility

The structures that have served well in providing strong governance over a company’s activities may now be the shackles that prevent it from innovating with speed. Boards should transition from their well-defined governance structures towards greater decentralization through ownership of downside risks, and institute the right culture, environment and tools for business units to identify, own and address risks in their quest for innovation.

This needs to be supported by better use of data platforms and intelligence to speed up the reporting of relevant metrics to the right stakeholders, so as to respond in a timely manner to areas that may be outside the established tolerable risk appetite.

Investing in upskilling human capital

While we often see organizations investing in technology and process changes, many overlook training its employees to understand and leverage new technologies. This either results in a sub-optimal attempt to disrupt the business as the full potential of technological gains are not achieved, or introduces additional cyber risks to the organization as employees and third parties may not fully appreciate the increased surface area of attacks.

The EY Global Information Security Survey 2018-2019found that 34% of organizations see careless and unaware employees as the biggest vulnerability, and 42% of the top cyber threats relate to phishing and malware attacks targeting this group of users.

To remain digitally relevant, there are certain skillsets that should extend beyond the silos of specializations, including cybersecurity, automation, data science and visualization, and design thinking. Boards should drive management to encourage further upskilling of employees in these areas and make these talents accessible to the board committees.

Compliance does not equate to risk management

Boards should take the lead in broadening risk management conversations rather than accepting compliance reporting as the sole indicator of how well the business has identified and managed its risks.

While compliance is an important activity, it has generally been misused as the main indicator of risk, and businesses are often blindsided to other potential hazardous cyber situations that result in hackers laying hands on the organization’s “crown jewels”, or disrupting the means to effectively provide critical services to customers.

The days of monitoring and reacting to threats after they occur are over. A dynamic, predictive and data-driven approach to risk management is now fundamental to surviving and thriving in the transformative age. To prepare for tomorrow, businesses must disrupt themselves and break down structures, if necessary, to compete with greater agility.

The time to act is now – the pace of change is relentless and businesses cannot afford to procrastinate.

Check this out: Top Enterprise Security Startups in APAC

Read Also

China Embracing Connected Health

China Embracing Connected Health

Geoff Feakes, Group CIO, Tunstall Healthcare
The Cloud- First Approach

The Cloud- First Approach

Arjun Chopra, Partner, Floodgate
Identity and Access Management: Leave it to the Experts

Identity and Access Management: Leave it to the Experts

Dr. Manu Kumar, Founder and Chief Firestarter, K9 Ventures
Future-Proofing Your Enterprise for the New ICT: Immersive, Cognitive, and Trusted

Future-Proofing Your Enterprise for the New ICT: Immersive, Cognitive, and Trusted

Scott Snyder, Chief Technology and Innovation Officer, Safeguard Scientifics and Senior Fellow, The Wharton School

Weekly Brief