
Risk Decision Making in an Interconnected World

Globalization and advancements in digital technologies have fundamentally eliminated barriers to doing business. Today, the world has become so interconnected that we are now able to carry out business with any organization across borders at any time of the day.

The opening of global markets which were once impenetrable for individuals, smaller enterprises and organizations is presenting significant growth opportunities to this group. At the same time, threats and complexities abound.

Given this current state of the world, it’s increasingly imperative for business leaders to understand the implications of an interconnected external environment on strategic and operational decision-making, and the achievement of enterprise objectives.

Companies are having to deal with business opportunities and threats that transcend borders. Global volatility is on the rise. From geopolitical tensions, Brexit, US/China trade conflict, rising economic nationalism and xenophobia to epidemic diseases, environmental disasters, and climate change, the world is experiencing significant uncertainty.

Surviving and thriving in this environment requires the organization, through its leaders, to manage for success by making better informed and intelligent risk decisions that drive business performance.

This means looking beyond risk management as primarily a loss prevention process and treating it instead as a key process that supports effective decision-making. Since volatility, uncertainty, complexity and ambiguity have become the norm, it can be tempting for decision makers to focus entirely on the negatives, what might go wrong, and miss emerging opportunities.

Faced with these uncertainties and not having clarity of their impact on the attainment of stated business objectives, many companies switch into the protective mode.

Although it’s important to be mindful of value preservation, a sole focus on this is not sustainable for the long-term success of the business, especially in the current highly competitive environment where innovation is a key driver of rapid and profitable revenue growth.

Business leaders also need to be mindful of how the company will continuously innovate and create unmatched value for all stakeholders. More often than not, this involves the business entering uncharted territory and experimenting with new ideas, which typically runs counter to the traditional role of risk management in the business.

As the business ecosystem increasingly gets interconnected, new risks or uncertainties emerge. Thus, a holistic approach to risk and opportunity assessment is critical.

While a number of organizations do spend time analyzing emerging risks or threats to acquire some foresight about their impact on decision making and business performance, not enough is spent on understanding how current risks are intertwined.

Building an integrated view of the different risk factors or sources of uncertainty across the business is therefore critical since a change in one area has cascading effects that impact the entire ecosystem.

Many organizations still rely on the risk register to track and monitor critical risk factors capable of thwarting the successful achievement of enterprise objectives. For the most part, these risk lists are a product of “top risks” research findings by consulting firms, academic and other research institutions.

The mere fact that a risk factor has made a top-ten list of key risks to watch does not necessarily imply that you should attach the same value judgement to it for your company. Remember, the findings are from a representative sample whose business and operating models are most likely dissimilar to yours.

Should we therefore ignore these findings? Simple answer, no. Rather, we should use these resources as a guide to understand different sources of current and emerging threats and opportunities to the business, including the economy at large, and evaluate the recommendations in the context of the organization’s broader strategy and performance objectives.

For instance, let’s assume the main focus of your existing business strategy is to grow and expand internationally into the USA, Asia Pacific and European markets. Although important and connected, risk factors such as local regulatory changes, rising household debt levels or a slowing down economy will, in this case, likely be of minimal consideration.

What might be of heightened importance is rising nationalism and policies such as “America First” in the USA, Brexit and the impending new trade policy with the EU, and future US/China trade relations and their impact on the entire Asia Pacific region.

On the reward side, taking Asia Pacific as an example, the region represents the largest e-commerce market and more than half of the world’s mobile subscribers are based here. By 2025 it is estimated there will be 3.9 billion smartphone connections and 11 billion IoT connections in Asia Pacific.

This alone is a huge opportunity for any type of business currently operating or planning to set up shop in this region to tap into this large market and meet current and emerging customer needs through digital technologies or solutions.

Thus, relying primarily on outdated risk registers or lists, which in most cases are infrequently reviewed, to support critical business decisions in today’s fast-changing and uncertain environment is insufficient. Just as the internal and external environment continue to change, your business strategy also needs to evolve in light of new and emerging opportunities and uncertainties.

Explore different future scenarios and evaluate how your organization is most likely to perform under each possible scenario. Even though it’s not possible to predict the future with certainty, or the timing and severity of any particular event, planning for unpredictable events can be an effective component of your company’s risk decision-making approach.

Effective risk decision-making in an increasingly volatile, uncertain, complex and interconnected world is about considering all scenarios that might play out in the future, good or bad, and proactively making better informed decisions that improve business performance and increase the odds of success.

Reimagining Risk Management in a Constantly Changing Environment

Deloitte has published an interesting and useful piece, Reimagine Risk: Thrive in your Evolving Ecosystem based on its 2019 survey of risk management. The paper makes some good points, including:

In environments of change, professionals in a range of endeavours often fail to understand risks and their roles in managing them.

A lack of awareness of risks, of people’s roles in controlling them, and of ways to use risk data and new technologies and tools increases the challenges of risk management and undermines the achievement of strategic goals.

Companies that view risk management as among the most important factors for achieving strategic goals tend to achieve higher growth.

Organizations that achieve the greatest gains from risk management show a strong tendency to view the function from a more strategic perspective rather than treating it as a compliance and loss prevention function.

An integrated approach to risk eschews siloed solutions and aims to develop an enterprise-wide view of risk tied to the attainment of key corporate objectives.

In leading organizations, risk management now plays an offensive as well as a defensive role.

Risk management should proactively assist the organization in achieving superior strategy, innovation, and resilience, and not focus solely on avoiding losses and protecting assets.

Risk management’s presence at senior-level meetings increases impact. High-level presence of risk management clearly drives leaders’ confidence in risk data.

Risks are now too dynamic and unpredictable for outdated approaches. Be curious about emerging digital solutions.

Risk management has too much potential as a value-creating function to be viewed as primarily a compliance activity with no direct linkage to the attainment of enterprise objectives.

Deloitte’s 2019 risk management survey

Failure to understand and address enterprise risks holistically is often a result of inadequate processes, skills, systems and tools that would otherwise effectively support intelligent and informed risk decision-making.

Often, people and organizations are resistant to change. The natural tendency is to hold on to what we know best and how we have done things in the past.

As a result, instead of continuously scanning the environment for new risks to the business and its strategy we are tempted to believe that the future will turn out to be exactly the same as the past with similar risk exposures.

Effective risk management or decision making is not about building and maintaining a list of risk exposures identified in isolation from the overall strategy and performance of the business.

When organizations approach risk management from a “risks list” perspective, the focus is mostly on what might go wrong as opposed to the risks the organization should take in order to create value and drive business performance.

A business is an ecosystem of connected functions and other stakeholders working together to achieve the organization’s key objectives. The cause-and-effect relationship between the various stakeholders is significant.

Thus, a single decision made by one function or a group of stakeholders can have serious effects on other functions and stakeholders.

Yet despite this direct and indirect relationship between the different business functions and stakeholders, risk management is not always integrated across the enterprise. Risks are managed in silos often culminating in duplication of effort and unproductive use of resources.

Taking a systems approach to risk thinking and decision-making, rather than a linear thinking approach, is key to unlocking value from risk management processes.

Understand how the various parts of the business interrelate and work together to produce the desired outcomes.

Although compliance and risk management are closely aligned, there is a big difference between the two.

Compliance-related activities ensure the organization is compliant with established rules and regulations, while risk management helps protect organizations from risks that could lead to non-compliance.

Thus, effective risk management is more than a “box ticking” exercise performed solely to satisfy regulators. Though being compliant with prescribed rules and regulations should not be undervalued, in order to inform decision making, risk management should be less reactive and more proactive.

In other words, integrate risk into your business and decision support. For example, facilitate periodic risk discussions in order to understand how business functions or units are integrating risk into their business, and to surface any opportunities and potential threats to the achievement of their business goals.

To provide effective decision support, the organization must move from a primarily compliance-based and value-protection approach to risk to an approach that also embraces risk-taking for value creation. It’s all about managing the upside and thriving in a constantly changing environment.

Further, in order to optimize results, organizations should avoid paying lip service to risk management and show commitment to intelligent and informed decision making by ensuring that risk management is represented at senior-level meetings to provide business-focused insight.

This does not necessarily mean someone with the CRO designation, as long as there is clarity that the individual appointed is responsible for championing the integration of risk into the business, influencing strategy and aligning risk reporting responsibilities.

As risks evolve, the organization must also evolve into an intelligent risk enterprise and ensure adequate processes, people, systems and tools are in place to provide informed decision support to the right people at the right time.

Talking About the Risks of AI and Cognitive Technologies

According to the recently published PwC’s 22nd Annual Global CEO Survey, 85% of the surveyed CEOs overwhelmingly agree artificial intelligence (AI) will have a significant impact on their business within the next five years. For this reason, they have plans to pursue AI investments.

This is despite the fact that the information gap between the data CEOs require to make informed decisions and what they are getting from their teams has not closed. Lack of analytical talent, data siloing and poor data reliability are the primary reasons the data they receive is inadequate.

Nonetheless, the applications of AI and the underlying cognitive technologies such as machine learning, computer vision, natural language processing (NLP), audio and signal processing, speech recognition, predictive systems and robotics are wide-ranging, with the potential to improve performance in nearly any activity that generates large amounts of data.

High-powered algorithms, which are the basis of these computer systems, are presented with large amounts of data and subjected to supervised, semi-supervised, unsupervised, reinforcement and deep learning.

The goal is to train the algorithms to identify relationships or patterns between the inputs and the outputs and use those rules to predict future outcomes with input data alone.

For example, in healthcare, AI is being used to study patient clinical data and recommend diagnoses. In finance, machine learning algorithms are being used to analyze transactions and uncover fraud and money laundering.

In the retail industry, predictive algorithms are being trained to automatically group customers into various categories based on their needs or buying patterns. These insights are then used to prioritize sales efforts and tailor promotions.

In other cases, companies have piloted NLP technology to monitor social media sentiment. The technology automatically identifies conspicuous topics of consumer conversations and sentiment surrounding those topics.

The generated insights are being used to influence decisions on improving marketing and customer service.

It is no surprise then that CEOs are now exploring how to implement these new technologies in their business.

Hype-driven or well-informed investments?

As much as AI is a source of significant business opportunities, the same technology is also a source of significant threats that must be evaluated. This is essential for helping leaders make informed and intelligent investment and risk decisions.

It is foolhardy for leaders to jump on the AI bandwagon and expect to capture the promises of AI and cognitive technologies if they lack an understanding of whether, how, and where to invest in applying these technologies.

When almost everyone is talking about the opportunities of AI and cognitive systems, it’s easy to cave in to hype-driven or ill-informed investments and overlook the fact that AI and cognitive technologies are not the solution to every business problem or situation.

That is why it is critical to evaluate the business case for investing in these technologies and assess the potential impact on your company’s business model, culture, strategy and sector.

Take a holistic view of your business processes, products and markets to weigh where the use of AI may be practical, profitable and crucial.

Algorithms are only as good as the data they learn from

Given that AI capabilities are data-driven, closing the information and talent gaps is key to unlocking AI’s potential. AI-powered algorithms improve over time through their experience of using data.

They learn relationships between variables in historical data sets and their outcomes. The relationships are used to develop models, which in turn are used to predict future outcomes without being explicitly programmed by a programmer.

The systems change and evolve depending on the data that is fed to the algorithms. This therefore requires the data that is fed to the systems to be accurate, complete, diverse, and free from errors and bias. If the data is incomplete, error-prone or contains innate bias, the algorithms are likely to display false patterns as well as magnify the bias leading to misleading outcomes that have far-reaching repercussions.

Since AI and cognitive technologies deliver outcomes based on historical or existing data presented to them, leaders need to acknowledge that these systems will not necessarily provide flawless outcomes.

That is why it is critical to have appropriate data governance structures and talent in place to monitor where and how these technologies are deployed across the organization.

Skilled personnel play the critical role of overseeing biases and risks emanating from algorithms. For example, these people help identify and mitigate risks associated with programming errors.

Understand the black box of AI

As business leaders lay the foundation to pursue AI investments and entrust key decision making processes to intelligent machines, it is worthwhile demystifying the ‘black box’ of AI.

This is the notion that we can understand the inputs and outputs of an AI-powered system, but don’t understand what happens inside.

Accountability is an important element of decision making; for AI systems to be held accountable for their decisions, those decisions need to be explainable in order to be trusted.

Rather than blindly entrust machines to make important decisions, leaders therefore need to develop an understanding of how the technology works and how it makes decisions.

Thus, business leaders must be able to identify and explain the layers of decision making which underpin the operation of the systems and influence the final outcomes.

For example, are you able to identify and explain which connections have predictive value in multilayered deep neural networks? Although it’s impossible to analyze all the connections in a deep neural network, it’s important to prioritize what you need to know, what you want to understand, and why.

Over time, through testing and measuring, or trial and error, you will be able to understand the thought process behind algorithms, trust the decisions they make and ensure a robust governance structure is in place to monitor these technologies as they mature.

Surge in Cyber Attacks

Big data has been a boon to the development of AI and cognitive technologies. Thanks to advances in technology, our digital lives are producing staggering amounts of data each day.

As a result, interest in AI application is surging as decision makers try to make sense of all the data at their disposal.

Nevertheless, leaders need to be aware that the more data is generated the higher the probability of cyber criminals or hackers targeting the company’s AI systems to steal personal data or business confidential information.

A major data breach can have unintended consequences that can create legal, brand and public relations issues for the business.

Therefore, as leaders seek to capture the opportunities of AI and cognitive technologies, they mustn’t turn a blind eye to the limitations of these systems.

They must also consider the various ethical, moral, and legal issues associated with the AI systems that their organizations deploy.

Thinking About The Upside of Risk

Making intelligent and informed decisions is intrinsic to effective risk management. More often than not, risk management decisions are centered around loss events and the negative consequences that might eventuate. The positive aspects of risk taking hardly get noticed.

Let’s take as an example a decision by a locally based company to build a sales and distribution presence in a new international market. Some of the risks associated with pursuing such a move include:

  • Regulatory or unanticipated government intervention aimed at foreign players.
  • Currency volatility. Shifts in foreign currency values have both positive and negative implications on the company’s costing and selling prices, and ultimately profitability.
  • Political uncertainty. Increased political tensions between countries often lead to trade wars, supply chain disruptions and minimal trade opportunities.
  • Heightened corruption. Companies entering certain markets may be confronted with unorthodox ways of doing business. In a number of countries, bribery is required in order to complete trade.

On the other hand, the opportunities of expanding into the new market include:

  • The business is able to keep pace with competitors by pursuing an international business strategy.
  • Potential to serve more customers. A larger consumer market ultimately means enhanced profit margins.
  • Exploring new markets can lead to innovation through external partnerships.
  • Market diversification. Having a presence in more than one market also spreads risk as the business is not completely reliant on one market.

In spite of the opportunities lingering on the horizon, the tendency for decision makers is to fixate on the negative side of risks.

Rather than identify and exploit the upside of risk for value creation, decision makers resort to singing the default anthem ‘No, no, no. It’s too risky.’

Risk taking is strictly eschewed or mitigated – always from the downside. Given today’s surging economic uncertainty and volatility, and the integral role of effective risk management in driving business performance, an unreserved mindset change is necessary.

It’s not about eliminating or even terminating risk as risk will always be present. It’s about mastering what might happen, considering all the potential opportunities, including the potential risks, evaluating whether this is acceptable and then acting as required to effectively pursue set business objectives.

Therefore, instead of always being risk averse, decision makers need to start thinking about the upside of risk and develop an understanding that there is a benefit to taking on more risk, provided this is done in a controlled way and not higgledy-piggledy.

As a strategic advisor to the business, finance can play a critical role in helping management make better informed decisions about uncertainties.

We can achieve this through taking initiative and integrating ourselves in operational and strategic performance discussions, understanding the business and its entire operations, and asking smart questions aimed at helping management perform their jobs better.

Doing so empowers us to provide decision makers with cogent advice that ensures they have solid information about both the upside and downside of the company’s business strategy, and ultimately help them make enlightened decisions.

In other words, the advice we give to decision makers should not act as an impediment to the achievement of business objectives. Rather, it should help them understand the odds of achieving the objectives and business success.

Effective risk management far exceeds risk protection and compliance, loss avoidance or arranging insurance cover to mitigate negative consequences.

Old habits die hard. Nevertheless, growth and progress ensue from challenging the status quo and embracing new habits. Stop focusing solely on avoiding loss and start taking a broad, strategic view of the upside and downside of risk.

Resolve how you can create value and support the successful execution of business strategy and achievement of objectives.

Third-Party Risk: What You Don’t Know Can Hurt Your Business

Thanks to globalization and advanced technologies, the world economy is increasingly interconnected and borderless. Businesses no longer depend solely on their own resources and self-developed capabilities in order to achieve operational excellence, fuel growth and drive strategic success.

For example, a retailer headquartered in Toronto, Canada, doesn’t necessarily need to rely on local suppliers to meet its customers’ demand. A financial services company in London, England can now employ the services of a cyber security expert domiciled in Singapore. Today, businesses are no longer going it alone.

When entering into new lines of business or expanding into new markets, it is common for organizations to leverage third-party knowledge, skills or resources, and form partnerships, alliances, and other business relationships. These external parties have suppliers, partnerships and alliances of their own too.

Given the interconnection between third-party relationships and the inherent risks, the ability to manage these relationships is critical to success.

Ignorance is no defense

The actions of third-party intermediaries have dire consequences on the business, not just financially but also legally, operationally and reputationally. Moreover, regulators are increasingly policing third-party relationships, and when something goes wrong, the penalties can be hefty.

Think of the U.S. Foreign Corrupt Practices Act, UK Bribery Act, EU General Data Protection Regulation, or Brazil’s Clean Companies Act. Even if a security breach or risk incident occurs on the other side of the world, entities or individuals found on the wrong side of the law will not escape unpunished.

Activities can be outsourced, but responsibility can’t. It is therefore imperative that business leaders develop a deeper understanding of third-party relationships, including the full spectrum of risks linked to each part of the organization.

You need to adequately examine your clients, vendors, consultants, agents and other business partners, know who they are and how they operate. A basic internet search or third-party website visit doesn’t cut it. A detailed integrity due diligence is required. You need to know your business partners’ qualifications, business history, reputation and their relationship with foreign government officials.

In addition, you also need to understand the business rationale behind including the business partner in the transaction. Failure to do so could expose your organization to reputational damage, operational risk, government inquiry, monetary penalties and even criminal liability. What you don’t know about your business partners can hurt you.

Visibility over third-party business relationships

In a number of organizations, the examination of business relationships and assessment of inherent risks is left in the hands of the procurement function. The function identifies potential savings from outsourcing, the legal team drafts the contract and it’s business as usual. There is little or no follow-up on the relationships.

In some cases, external relationships are managed in silos within business units. The business unit that owns the relationship also manages the risk. These individual business units have different ways of tracking their suppliers, vendors or partners, making it difficult to compare and collate them across the entire business. In addition, sometimes there is a duplication of efforts and inconsistent application of risk assessment and management standards.

In other cases, companies adopt a centralized or hybrid approach in order to help overcome the challenges presented by the decentralized model. With the centralized approach, redundancies are reduced, and risk decisions reside with a single group, in turn fostering accountability for risk assessment.

However, it is important to note that with this approach tensions can sometimes arise between business units that have a working relationship with the external parties and the centralized team accountable for risk assessments. As a result, some companies pursue a hybrid model in which risk ownership is clearly defined and decision making rights are spread across a number of business functions, such as procurement, finance, compliance and risk management.

As the business is constantly on-boarding or terminating external partnerships and expanding or reducing third-party services, it is important for business leaders to develop a strategy and road map to systematically identify third parties using an inclusive definition.

For many companies, key data about business relationships resides in multiple procurement systems and in emails, spreadsheets, and text documents. Manually building a complete inventory of current contracts from these multiple sources, and then analyzing and interpreting all the data in order to assess risks and make informed decisions can prove challenging.

New technologies such as robotic process automation (RPA) and natural language processing can, however, help obtain visibility over third-party relationships. RPA helps integrate information from disparate sources and systems without manual intervention and embed control mechanisms into an automated process, thus increasing efficiency and streamlining third-party transaction risk management.

On the other hand, natural language processing helps to analyze documents written in plain text and signal critical risks, enabling third-party controls to be automatically reviewed for potential risks emanating from inadequate or unclear contract language.

Strong governance process

Traditionally, risk has been regarded as something to be minimized or avoided, with considerable effort spent on protecting value. However, in today’s global competitive environment, in order to progress and achieve strategic success, a business should develop an appetite for risk taking. A business cannot expect to grow and expand by avoiding risk or hesitating to expand its universe of third parties.

However, given that today organizations are being held responsible not only for their own actions but also for the actions of customers, suppliers, vendors or partners, it’s critical for company boards to provide oversight to ensure that effective third-party risk management practices are in place.

To avoid confusion, there should be clarification on who owns third-party risk in the organization, including where third-party risk management sits within the organization. It is the board’s responsibility to ensure that management establishes a clear organizational model and process for third-party risk management.

In addition, management should provide a clear line of sight to the organization’s major external-party risks by establishing an effective reporting system and keeping the board informed of how critical risks will be mitigated.

The focus should not only be on achieving cost savings or efficiencies, but also on driving value creation and meeting set objectives of the business. Thus, there should be alignment to the broader strategy of the business.

As the world increasingly becomes digitally interconnected and the extended enterprise grows and gets more complex, third-party risk management should also become a top priority for any business.

Also important to note is that assessing and mitigating third-party risk is an ongoing process. It’s about prevention rather than reaction.

The CFO’s Role in Cyber Security

Artificial Intelligence (AI), Blockchain, Robotics, 3D Printing, Cloud Computing, Internet of Things (IoT), Mobile and Advanced Analytics, among others, are some of the new technologies making waves in the technology space. The rate at which technology is evolving is alarming, to such an extent that if you’re a player in this field you have to constantly be on top of your game; if you snooze, you lose.

Love them or loathe them, technological breakthroughs have created a world that is always connected, continuously innovating and constantly challenging conventional wisdom. For example, new computing power in the form of customer analytics is enabling businesses across all sectors to interact 24/7 with their customers, understand consumer behavior like never before and deliver unique customer experiences that yield results.

Current digital capabilities are disrupting traditional business models and presenting valuable opportunities to streamline processes, improve efficiency, free up resources, sharpen data analysis and improve business performance. Taking these and other benefits into account, CFOs are leading their companies on exciting digital transformation journeys.

It is true that technology is empowering us to perform our jobs better and achieve more with less. However, I get concerned when all we talk about is only one side of technology: its benefits.

In the midst of all the promises and excitement brought by these “new shiny” tools, we are forgetting the heightened risks that come along with them, which, if not closely monitored and addressed, can bring the business to its knees overnight. As organizations continue to increase their reliance on new technologies to drive strategic performance, new risks to data security and confidentiality are sprouting.

This automatically elevates the need to protect customer and employee data, as well as confidential information from third parties and business partners. The consequences of failing to do so are not only financial but also intangible – lost customer confidence and reputation damage.

CFOs have a critical role to play in enhancing and strengthening their companies’ cyber security programs. In the past, security responsibilities have sat with the IT manager, largely under the radar. However, the increase in data breaches and cyber attacks is elevating cyber security to the boardroom, with the CFO increasingly taking over the mandate.

The good thing, though, is that Finance owns the majority of the data generated and used in the business. Secondly, Finance is responsible for performance reporting and analysis, and CFOs have a bird’s eye view of the business and the market. Because of these two advantages, CFOs are well placed to know where sensitive information is stored at all times, how it is secured, who has access to it, who the potential perpetrators are and how they could gain access to the information.

The problem in many companies is that cyber security becomes an imperative only after a breach has occurred. Just because you have not experienced a cyber breach or attack does not necessarily imply that you should give yourself a false sense of security. If you believe that your network is secure or you are a small company therefore immune to cyber breaches, think again.

These days cyber criminals are becoming more and more sophisticated and repeatedly aim to stay a couple of steps ahead of their victims. Most attacks are discovered a couple of months or years later from the date of initial breach. A case in point is the attack on the shipping company Svitzer, which is part of the Maersk Group. Sensitive personal information of around 500 employees in Australia where the attack happened was affected.

The perpetrators got access to the email addresses of 3 employees and for 11 months (May 2017 – March 2018) they secretly auto-forwarded between 50 000 and 60 000 emails outside the company. Accounts in Finance, Payroll and Operations were affected. The perpetrators were smart enough to introduce supporting rules that deleted the forwarded emails, preventing the compromised account owners from seeing that their emails were being forwarded.
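The forward-and-hide pattern described in the Svitzer case is something a company can check for in its own mailbox rule exports. The following is an added example, not code from the original post or from Svitzer/Maersk: the rule records are constructed, and the field names (mailbox, name, forward_to, delete_message) are assumptions rather than any mail platform's real export schema.

```python
"""Audit mailbox inbox rules for external forwarding paired with deletion.

Added example (assumed record layout, constructed data). A rule that forwards
mail outside the organization is reported; severity is raised when the same
mailbox also has a rule that deletes messages, the combination that hides
forwarding from the account owner.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed: the organization's own mail domains. Anything else is external.
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class InboxRule:
    mailbox: str                                         # owner of the rule
    name: str                                            # rule name as shown to the user
    forward_to: List[str] = field(default_factory=list)  # forwarding targets
    delete_message: bool = False                         # rule also deletes the matched mail


def is_external(address: str) -> bool:
    """True when the address belongs to a domain outside INTERNAL_DOMAINS."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def audit_inbox_rules(rules: List[InboxRule]) -> List[Dict[str, str]]:
    """Return one finding per rule that forwards mail to an external address.

    Severity is 'high' when the forwarding rule itself deletes the message or
    when any other rule in the same mailbox deletes messages; otherwise
    'medium'. Rules that forward only inside the organization are not reported.
    """
    by_mailbox: Dict[str, List[InboxRule]] = {}
    for rule in rules:
        by_mailbox.setdefault(rule.mailbox.lower(), []).append(rule)

    findings: List[Dict[str, str]] = []
    for mailbox, owned in sorted(by_mailbox.items()):
        has_delete_rule = any(r.delete_message for r in owned)
        for rule in owned:
            external = sorted(a for a in rule.forward_to if is_external(a))
            if not external:
                continue
            severity = "high" if (rule.delete_message or has_delete_rule) else "medium"
            findings.append({
                "mailbox": mailbox,
                "rule": rule.name,
                "forward_to": ",".join(external),
                "severity": severity,
            })
    return findings


# Constructed sample export: three mailboxes, one showing the hidden pattern.
SAMPLE_RULES = [
    InboxRule("finance.clerk@example.com", "Backup",
              forward_to=["archive.mailbox@mail-example.net"]),   # external forward
    InboxRule("finance.clerk@example.com", "Cleanup", delete_message=True),
    InboxRule("ops.lead@example.com", "Cover while away",
              forward_to=["deputy@example.com"]),                 # internal only
    InboxRule("payroll@example.com", "Agency copy",
              forward_to=["agency@partner-example.org"]),         # external, no delete
]

if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['mailbox']}: rule '{f['rule']}' "
              f"forwards to {f['forward_to']}")
```

Run against a real export, the same check gives Finance a periodic, repeatable way to confirm that no mailbox is quietly copying mail out of the company.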

With the speed and complexity of the threats changing on a daily basis, CFOs must take action and play a leading role in helping their organizations fight against cyber crime. As a CFO:

Acquire knowledge on cyber security. If the CFO is expected to take the lead in assessing and advising the board on cyber security issues, how is (s)he going to do so if (s)he lacks an understanding of the risks and potential impacts of a breach? Lack of understanding leaves valuable information exposed. It is therefore critical that the CFO acquires knowledge of the different types of attacks, their impact on brand value, how to prevent them, and also how to respond in the unfortunate event of an attack. Also, when the CFO has detailed knowledge of cyber security, (s)he is able to lead the discussion and provide training to the board so that they gain the working knowledge and understanding of cyber security needed to provide appropriate oversight.

Map and classify your organization’s data. In a world where companies are operating more than one financial and operations system, with each system containing sensitive stakeholder and financial performance information, risks abound. You need to understand how your organization’s data supply chain functions as well as how information flows across your entire network of systems. Developing this understanding will help you take a digital inventory of your data and locate the critical information most in need of protection, since it is impossible to protect everything.

Carry out regular vulnerability assessments. It is common practice to install antivirus or any other form of software to protect ourselves from an attack. Unfortunately, this is not enough. Cyber security goes beyond installing software hence the need to assess any weaknesses and risks attached to your systems. One way of doing so is employing the services of ethical hackers who will actively try to intrude or penetrate into your systems and recommend effective internal controls. It’s important to be proactive and continuously evaluate current detection tools.

Build cyber security into the culture. One way cyber criminals make their way into company systems is via employees, by sending them clickbait emails. If an employee lacks knowledge of cyber attacks, by clicking on the link he or she is exposing the entire group to a destructive attack. Educating and training employees on cyber matters helps build awareness. Additionally, employees should be encouraged to share information about a breach, which improves the organization’s ability to detect and respond to attacks of a similar nature. Although the CFO carries the overall responsibility of reporting to the board on cyber security issues and initiatives, it is still everyone’s job to detect and report possible attacks. Thus, cross-functional collaboration is necessary.

Don’t ignore third party risk. Business partners, vendors and other third parties hold important data on behalf of the company. An example would be where your company has outsourced specific Finance functions to a low-cost service provider, or you have engaged a marketing agency to handle your product marketing strategy. If this data falls into the wrong hands, your company will have to answer for that. Why? Because the company is accountable not just for data stored in-house but also for data held by third parties. CFOs must therefore regularly conduct an assessment of third party risks and evaluate third parties’ data management processes. This will shed light on whether the third parties are protecting data with the same rigour as your own company.

Develop an incident response plan. Data breaches occur even at highly secured organizations. What is required is a response plan developed before the breach takes place, to avoid making panicky and bad decisions. The plan should define what is considered a cyber security incident, and provide a clear guide map or process steps to follow when an incident happens. Also, the plan should have clear decision-making guidelines, including a robust communication framework. You don’t want to find yourself scrambling to assign roles and responsibilities in the heat of the moment. Regular practice and testing of your response plan is a must. This will tell you in advance whether your plan is usable or overly complex.

In conclusion, the mere fact that your organization has not been subjected to an attack doesn’t mean that you should shelve all efforts to secure your systems. As long as you use devices, mobile, social and back-office technologies that are connected to the Internet, you are a perfect candidate for a data breach. Don’t let ignorance act as a catalyst for your downfall.

Current State of Enterprise Risk Oversight

A recent publication, Global Risk Oversight, by the North Carolina ERM Initiative, in partnership with the Chartered Global Management Accountant (CGMA), provides insights on the current state of enterprise-wide risk oversight, including identified similarities and differences in different parts of the world.

Here are some key findings, with emphasis added:

  • Organizations all around the world perceive an increasingly complex risk environment.
  • Risk management practices appear to be relatively immature across the globe. Around 30% or less of organizations indicate they have ‘complete’ enterprise risk management (ERM) processes in place. Only about 25% of the survey respondents describe their organization’s risk maturity as “mature” or “robust”.
  • Most organizations struggle to integrate their risk management processes with strategic planning. Despite the fact that most strategies may be impacted by a number of risks, only about 50% of organizations around the world “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.
  • There is a lack of detailed risk oversight infrastructure in most organizations. Only a few organizations have formal risk management policy statements and frequently update risk reports.
  • Around 80% of organizations have not conducted any formal risk management training for their executives.
  • There is increased pressure on management to strengthen risk oversight. Depending on the geographical location of the organization, this pressure is coming from either the board of directors, the CEO or the audit committee.
  • Lack of sufficient resources to invest in ERM and the perception that there are more pressing competing priorities have been identified as the biggest barriers impeding the progress of maturing the organization’s risk management processes.

In light of these findings, the authors of the report recommend that:

  • Senior executives and boards of directors honestly and regularly assess their organization’s current approach to risk oversight in today’s changing risk environment.
  • Management genuinely consider whether the process used to understand and evaluate risks associated with the organization’s strategies actually delivers any unique capabilities to manage and execute their strategies.
  • Organizations appoint a risk champion such as a Chief Risk Officer (CRO) or create a management-level risk committee in order to help strengthen the risk management function and ensure all risk management processes are appropriately designed and implemented.
  • Organizations spend time analyzing the vast amounts of data they have to generate insights about emerging risks that may impact their organizations’ strategic success.

Overall, the report is a good read and a great starting point for improving enterprise-wide risk oversight.

It helps senior executives ask important questions when evaluating their organizations’ overall approach to risk oversight. However:

  • Although the authors mention regular updating of the risk register, I would add that risk management is not about list compilation; otherwise organizations might find themselves building risk lists that lack any insight for effective decision making. It is about identifying and evaluating those key risks with the potential of derailing the organization’s strategic success and finding effective ways of mitigating any losses. Furthermore, intelligent risk decision-making does not look only at the downside of risks but also at the opportunities found in taking calculated risks.
  • There is no mention in the report of offering risk management training to middle-level and lower-level employees, only to senior executives. The tone at the top and culture will determine whether the organization succeeds at maturing its risk management processes. Identifying and managing enterprise risks should be everybody’s responsibility within the organization. Thus, I believe there should be a common risk language throughout the organization.
  • Appointing a risk champion to strengthen risk oversight is critical. However, the individual appointed must have a deeper understanding of the business, its critical performance drivers and the ability to partner with the rest of the business. He or she must also be able to deliver the necessary risk training required.
  • Clear communication channels should be established to enable free flow of risk communication from top-down and bottom-up. People should not be scared to raise red flags or emerging risk issues to senior executives. Although the board of directors ultimately holds the risk oversight responsibilities to shareholders and other stakeholders of the business, if they receive inappropriate risk reporting from the bottom, the information they will feed to these interested parties will also be inadequate.
  • Risk management should be ingrained in the DNA of the business. Risk conversations should be about supporting strategic objectives achievement and enhancing business performance, as opposed to being a box-ticking exercise all the time.

Do the survey findings reflect the situation at your organization? If so, what are you doing to improve this situation?

I welcome your comments and views.


Defining and Evaluating Business Risks

Having an effective enterprise risk management (ERM) program that helps to measure, monitor and manage risks is no longer a nice-to-have but a must.

Organizations regardless of which industry they operate in are increasingly facing strong headwinds that are forcing them to rethink the way they run their businesses, build new capabilities, implement agile strategic responses and approach risk management more seriously.

New technologies, increased economic and political uncertainty in emerging markets, slowing global growth, commodities price decline and Brexit are some of the issues posing immense pressures on organizational decision makers and value chains.

In this environment, objectively defining risk and measuring its impact on the business is imperative. This is critical for designing and implementing effective mitigation plans, creating value and improving business performance.

Benchmarking is not always the answer

Benchmarking is one of the popular tools used by decision makers to improve processes and ultimately business performance. So often business managers make reference to benchmarking information to gauge their organization’s performance against the “so-called best” in the industry.

However, because every business and organizational structure is unique in its own special way, care must be taken when using benchmarking. No two businesses are exactly the same in all aspects.

Data is critical when measuring risk. Without the data, the whole process becomes pure speculation. In today’s digital economy and information age, data collection is dynamic, allowing businesses to continuously evaluate risks. However, the data type, quality, quantity and method of gathering varies by organization, process, and functionality.

Thus, in order to benefit from benchmarking, decision makers need to first clearly understand the methods used to gather the benchmarking information, the integrity of the gathering process, and how this relates to their organization’s specific situation.

Identify the risk

Identifying the risk events is one of the most critical steps in performing a successful risk assessment exercise.

The challenge for many people is that they consider the risk identification process as a “listing” exercise of all the things that might go wrong in any given time period.

The objective of enterprise risk assessment is not to maximize the number of key risk indicators (KRIs), but rather to take a holistic view of risk across the enterprise and prioritize resources and efforts on those risks deemed critical to the business.

Identified risks must be those significant to the business and have the potential of adversely derailing successful strategy execution. Thus, it is imperative that risks and strategic planning are clearly linked with some type of appropriate risk response.

What is the probability of occurrence?

The probability of occurrence should determine whether the identified risk(s) is/are worthy of management, control, or not. Determining this probability is not a subjective or guessing exercise.

Instead, data analysis is a critical part of the process, as this provides factual information to base decisions upon. Data is one of the most valuable assets for an organization today. Businesses that are able to leverage data and analytics in their risk assessments are uniquely positioned to better run their operations and achieve strategic, operational and financial success.

Make sure the data used in the analysis is accurate, reliable and real-time as this is critical for both performing an objective/fact-based risk assessment and presenting a truer reflection of the situation.

In today’s data and analytics world, organizations can take advantage of new technologies and incorporate predictive analysis in their data-based risk assessment models. Making strategic decisions based on information provided by backward-looking and reactive models will lead you and your business to unwanted territories.

Predictive models are forward-looking and allow business managers to be proactive. They help you identify trends and patterns, plan for the future with greater certainty and implement agile responses.

Consider the impact of the risk event(s) on the business

Unfortunately, for many organizations, risk management is a box-ticking exercise with little emphasis placed on overall impact on the business. People do not understand the impact of identified risks on the overall achievement of objectives and business performance.

Furthermore, risks today are interconnected. One risk event can lead to a chain of risk events, and if not properly mitigated, the exposure to the business is significant. It is therefore imperative that you clearly understand how the related risks that occur as a result of the original risk event affect the achievement of objectives.

Being knowledgeable about these risks helps design and implement an effective ERM program that prioritizes identification, assessment and management of those risks significant enough to cause havoc to the business and negatively affect performance.

Build a good foundation

Designing and implementing a successful ERM program is not a once-off or short-term business objective. Instead, it is a continuous strategic initiative for the long-term success of the organization.

Laying up a good foundation starts with the organization clearly defining its ERM strategy, identifying key risks to the business and utilizing an effective set of KRIs.

If properly designed, these KRIs will help you to calculate the probability and also evaluate the impact of more than one risk across different aspects of your business. The focus is not on managing individual risks, but rather on taking a holistic view of risks across the enterprise to ensure success.

Senior management commitment towards ERM is also required to ensure middle and lower level employees continuously recognise risk management as an important strategic imperative critical for driving performance.

I welcome your thoughts and comments.

The Basics of Cyber Risk Management

New technologies, increasing digitization and globalization are transforming customer behaviors, operations and business models, presenting huge opportunities for business success while at the same time driving up cyber incidents. As organizations embark on their digital transformation journeys, it is imperative that they also assess the possible threats presented by these new technologies.

Traditionally, the focus for risk management has exclusively been on protecting value. However, in today’s digital economy, there has to be a shift from value protection to value creation. How best can you leverage risk management to benefit from new technologies and digital innovation?

Companies that are placing a higher emphasis on value protection and risk avoidance are most likely to find themselves behind in the pecking order. On the contrary, those organizations that are approaching risk management the appropriate way and establishing better ways to address cyber risk are in a unique position to achieve greater competitive advantage and superior business performance.

Cyber Risk Should Become a Strategic Imperative

As the number of reported cyber incidents continue to escalate, it shows that cyber risk is now a top tier business risk. This means cyber risk management must become a strategic priority. The challenge for many C-suite executives and boards is that they lack a deeper understanding of cyber risk and its implications on the business.

This lack of deeper knowledge and understanding of the cyber threat landscape is making it difficult for many executives to hold meaningful conversations around the topic.

Although cyber risk is everyone’s responsibility within the organization, boards and C-suite executives play the ultimate oversight role. They have to make sure the organization has a functioning cyber program that is aligned with risk appetite and threshold.

As one of the members of the C-suite, in partnership with the CEO, the CFO can play a critical role in ensuring that there are frequent discussions around the strategy table concerning cyber risk.

Risk and performance are interrelated, and since the CFO is mainly responsible for organizational performance improvement, s/he possesses the business acumen and analytical capabilities to create awareness of cyber risks and provide regular reporting to the CEO and the board.

The business environment is increasingly complex, and so is the enterprise risk landscape. Successfully driving performance in this environment therefore demands that the board and C-suite have a deeper understanding of the risks capable of derailing strategic execution.

In other words, these senior personnel must develop a positive risk mindset as well as the ability to ask the key performance questions. This is necessary to gauge the organization’s cyber risk exposure and build cyber resilience.

It is therefore critical that boards and C-suite executives stay informed about cyber threats and their potential impact on the organization’s strategy execution, reputation, financial and operational performance.

Understand the Nature of Cyber Threats and Attacks

In order to effectively manage cyber risk, it is important for senior executives and their teams to have thorough knowledge and full awareness of the different types of cyber incidents. Over the past few years, cyber crime has grown from simple cases of theft and fraud. Cyber threat has grown to include digital terrorism, government sponsored hacks, disruption of services, corruption of data, Man in the Middle (MITM) attacks, malvertising, rogue software, ransomware and advanced persistent threats.

The above cyber incidents can all result in the organization incurring huge tangible and intangible costs. Organizations that have fallen victim to cyber criminals can attest that the aftermath costs are detrimental to the long-term survival of the business. Costs incurred by these organizations include regulatory penalties, legal damages, financial compensation to affected parties, loss of competitive advantage, loss of customer and business partner trust and ultimately damage to the organization’s reputation and brand image.

What is your organization’s track record in terms of documented cyber attacks and data breaches?

Having an experienced and knowledgeable leader surrounded by a capable team is key to ensuring that the organization has the traits to detect, monitor and proactively respond to cyber threats and attacks.

Today, stakeholders are placing higher confidence in leaders who are exhibiting greater risk awareness and have sound strategies in place to protect business assets against unknown threats.

Important to note, though, is that cyber risk management goes beyond the technical. Not everyone needs to be an IT Security specialist.

Having business acumen and enough appropriate knowledge to engage in intelligent conversations concerning cyber security and risk is key to grasping the fundamentals of cyber risk.

Embed Cyber Risk into the ERM Framework

The organization should have an enterprise-wide cyber risk policy that is approved by the board and embedded into the business’s ERM framework. The cyber risk program must take into account all the aspects of the business that are susceptible to attacks and data breaches. Are there adequate security controls in place? Does the organization have the capabilities to detect and monitor vulnerabilities?

Moreover, KRIs and KPIs must be developed and monitored regularly. This will help immediately identify any threshold and performance breaches, and in turn, escalate such breaches to senior management.

When cyber risk is part of the ERM framework, a cyber-aware culture is promoted, which means cyber risk management becomes an everyday part of the business. People will take ownership of the management of risk and proactively involve others when needed.

The board and C-suite should set the right tone at the top in order to ensure there is buy-in at the lower levels. If the top level is unconcerned about and ignorant of cyber risk, it is extremely difficult for the lower levels to prioritize cyber risk management.

Thus, it is important that when executives talk about cyber risk, they do so openly and honestly using common language that promotes shared understanding throughout the organization.

I welcome your thoughts and comments.

Finance’s Role in Managing Enterprise Risks

The risk landscape is changing fast. Risks are multiplying at an alarming rate threatening to cause both financial and reputation ruin to the business. Because of this increasing risk complexity, there is a heightened focus on effective risk management.

Senior management and board members are consistently looking for a deeper understanding of the organization’s risk profile and how various risks to the business are managed.

Risk management is an enabler of higher level performance.

Without taking risks, organizations cannot grow and achieve strategic success. Risk is no longer something to only dread, minimize and avoid. Instead, leading organizations are using risk management activities to create value and help them improve their businesses.

It is therefore critical to ensure that efforts to mitigate the downside impact of risks are coordinated with efforts to manage risks that support business growth.

As a strategic thinker, the CFO should play an important role in helping other executives and the board get a deeper understanding of the organization’s key risks and risk management capabilities. He or she can help build an ERM framework that is entrenched in the organization’s management processes and functions.

A well-structured and coordinated ERM framework provides support and guidance on risk management activities, helps identify and manage enterprise risks holistically and makes risk consideration an inherent part of key decision-making processes. On the contrary, a siloed approach to managing risks exposes the business to significant risks and value erosion.

Unfortunately, in most organizations, risk management is a disjointed process. Multiple functions are managing one or more aspects of the company’s risk profile, with minimal coordination between them. For instance, each function carries out its own risk assessment process using different risk terminologies, methodologies and reporting practices. Decision makers are overwhelmed with more than one version of the truth.

The problem with this approach is that it often leads to confusion on the true meaning of risk, duplication of efforts, unnecessary bureaucracy and costs and poor risk decision-making processes.

When there is a common risk language across the enterprise better decisions are made, for example, concerning market entry, new products and acquisitions. This often leads to reduced earnings fluctuations and increased stakeholder confidence.

Build a clear picture of significant risks.

As the role of the CFO continues to evolve into a more business-partnering one, it is imperative that the finance organization is rightly equipped to proactively identify all the potential risks and defend the business.

What are the key risks to the achievement of your business objectives? Do you have the required risk management capabilities to address this risk profile? Who is responsible for monitoring and reporting risk information to decision makers?

Thus, the CFO and his team need to consistently assess, improve and monitor the way the organization manages its evolving risk profile. The risk assessment process must provide actionable and real-time insights on inherent risks and link them to the organization’s objectives, initiatives and business processes.

A thorough risk assessment process helps identify and prioritize risks that require urgent monitoring and mitigation. It also allows for the testing of existing internal controls and identification of opportunities for improving controls and risk mitigation strategies.

On the other hand, insufficient risk management processes can lead to costly lawsuits, significant financial losses, massive reputational damage and fly-by-night financial reporting, which can raise fundamental questions about the business as whole, its management team and viability.

An effective continuous risk assessment and management system therefore requires the team responsible for it to develop thorough knowledge of the company’s strategic objectives, operations, products, services, risk history, internal environment and external environment.

Some organizations are leveraging data analytics tools to access forward-looking data from a range of sources, generate insights about changing market conditions and behavioural changes, evaluate metrics and integrate this real-time information to build risk models and forecasts as well as comprehensive risk strategies.

Coordinate and align business processes.

Risk management activities should be a key element of normal business operations. For this to happen, there must be top management buy-in to the business case for embedding risk strategy into the day-to-day running of the business as well as enhancing risk management performance.

It is therefore important to receive clear communication, proper oversight and accountability from senior management and the board concerning risk and governance. This will ensure that a common risk framework and universe is embraced and implemented across the organization.

Maturity models and benchmarks of leading practices can be used to help management determine the existing state of their organization’s risk management capabilities and define the desired state.

As one of the organization’s senior executives, the CFO should play a leading role in defining risk management objectives and embedding risk principles into the business processes. They can leverage their analytical and communication skills to broadcast to the business the benefits of risk management and the disadvantages of inadequate risk management processes.

The CFO plays a critical role in establishing the organization’s risk appetite, determining how the business will measure risk and ensuring that risk taking is within the acceptable risk thresholds of the organization.

By regularly reporting risk information and coverage to business unit managers, a risk aware culture is embedded in everyday business practices, and this in turn will help business managers understand the implications of their decisions on business performance.

I welcome your thoughts and comments.

© 2021 ERPM Insights
