Creating a business risk plan fit for the future
Business risk plans have changed significantly, moving from basic disaster recovery strategies focused predominantly on IT or property risk to more complex and longer-term resilience planning.
This change in thinking has been a response to corporate evolution more broadly. Developments in technology have transformed distribution, product sets, customer service and global reach, while changing recruitment policies have broadened personnel skillsets in organisations.
Business risk expert James Doggett, who has worked as chief risk officer for some of the largest companies in the world, including AIG and J.P. Morgan Chase, and is now chief information security officer at cybersecurity group Panaseer, warns of cyber-risks.
“Over the past decade, cyber-risks have moved from an area IT deals with alone to one of primary concern for most company boards,” he says. “It isn’t surprising, given the frequency and severity of major corporate breaches and the resulting damages.”
As major businesses have become more complex, so too have the risks. In a poll for a 2018 Risk in Review Study by PwC, business risk managers were asked to identify the increased risks emerging from three critical areas.
The first considered risks emerging from companies improving their existing products or services through new technologies. In this category, 75 per cent of respondents said they thought cybersecurity or privacy threats were a major risk, while 69 per cent cited the technology itself and 53 per cent said operational risk was a factor.
The second question related to risks coming from introducing new technology to deliver new products or to target new customers. Again, 75 per cent of those polled feared risks from cybersecurity or privacy issues, while 73 per cent said technology risk was a consideration. Regulatory or compliance risks were cited by 61 per cent of respondents.
In the third category, when respondents were asked about the potential for increased business risks from changes to their talent model, cybersecurity and privacy threats were a concern for 63 per cent, while human capital risk was cited by 57 per cent. More than half (52 per cent) feared business risks would increase as a result of changes to the corporate culture.
The dominant presence of technology in all three critical risk areas underscores the attention that businesses are now paying to risks from the adoption of new technologies such as smart analytics and blockchain.
Mr Doggett explains that boards are increasingly requiring feedback on the risks of adopting new approaches, and stresses that staff working in risk teams are being held accountable for cyber-risks, which is stimulating closer working relationships with staff in IT security.
“Each group needs timely and accurate data to measure and control cyber-risks. And each needs the data in slightly different formats,” he adds.
Interestingly, the risk focus on cyber has not purely centred on the day-to-day operations of businesses, with companies also becoming more aware of such risks during corporate mergers or acquisitions. The Wall Street Journal reported on the US Securities and Exchange Commission’s plans to conduct more robust investigations into corporate disclosure policies with respect to cyber-risk.
A Bloomberg BNA survey for law firm Freshfields Bruckhaus Deringer found that 90 per cent of people consider cyber-breaches to be a potential threat to the value of an acquisition.
“There has also been a particular focus on how this has spilled into mergers and acquisitions,” Jake Olcott, vice president of strategic partnerships at BitSight, confirms. “Cybersecurity has become a main priority during due diligence, with many deals not going through because of the standard of an organisation’s IT security.”
While the past decade has seen huge leaps in how business risk is co-ordinated throughout organisations, there is still widespread recognition that many approaches are insufficient to prevent businesses from disruption.
The legacy starting point of business risk or disaster recovery, focused on property or IT, can often lead to gaps in organisation-wide business risk assessments. This is one reason why businesses still face major incidents or outages, despite the amount of money invested in this area growing significantly over the past 20 years.
Subharun Mukherjee, former business risk consultant at Deloitte, who now works as a director of business risk group MetricStream, says that organisations are waking up to the fact their resilience policies need to be more holistic and integrated into the firm, to serve the changing needs of the business.
“Organisations will look at their processes, technology, market and customers as a single interconnected engine, which drives a common purpose by mapping the known and unknown relationships between each in a shared information network,” he explains.
“They will identify the possible points of failure and prioritise them based on organisational, customer and market impact. Business resilience of tomorrow will be built on the basis that disruptions are inevitable.”
Beyond the immediate
Risk managers will increasingly need to go beyond the immediate risk challenges when building their resilience plans, according to experts, who say longer-term risk awareness will come from a shift in the corporate culture.
Mr Mukherjee explains that securing buy-in from employees across the organisation about the value of business risk policies can only happen if individuals see the value in investing time in doing so, which means risk managers must educate colleagues if they are to succeed.
“Value is gained by putting effort into building a business context to the risks faced by a given business operator in his or her day-to-day tasks,” he says. “Business employees need to be incentivised to make risk-aware decisions.”
Howard Dickel, who founded risk consultancy Step5 in 2014 after a career managing business risk issues for global brands including BT and United Utilities, says for those companies willing to invest the time and effort into building a consensus, the rewards can be substantial. He notes that these businesses will protect against regulatory fines, harm to their profitability and share price as well as damage to their brand.
“Any activities to identify risk and agree responses ahead of the risks impacting the organisation will have a very real benefit,” he concludes. “Increasingly, businesses are mandating evidence of a robust risk management and business resilience model that has been regularly and rigorously tested across the supply chain. The lack of a robust model will preclude many businesses from bidding for and winning new business.”