Embedding tech to manage a business' risk environment

Vanessa Gomes
Vanessa Gomes5/31/2022 05:15 PM GMT+08  • 8 min read
Embedding tech to manage a business' risk environment
Risk management needs to shift from protective and reactive to proactive and strategic. Here’s how tech can help. Photo: La rel easter/ Unsplash
Font Resizer
Share to WhatsappShare to FacebookShare to LinkedInMore Share
Scroll to top
Follow us on Facebook and join our Telegram channel for the latest updates.

Organisations are facing complex challenges in today’s business risk environment. According to a recent EY survey, 100% of Asia Pacific’s chief risk officers (CROs) believe their talent pool is not equipped to meet the changing needs of the risk management function over the next three years, accelerating the urgency to embed a strong risk-aware culture among employees.

This is an alarming concern, says Gaurav Kapoor, co-founder and chief operating officer of MetricStream. As more employees are becoming the frontline of organisations, they are the ones most likely to identify emerging risks and vulnerabilities.

For example, bank tellers are frontline workers and commonly engage with external stakeholders, customers and partners, among others. Thus, these individuals are in the unique position of being potential sources of risk-related information for their companies. Unless there is a deeply embedded risk culture, the frontliners may not even be aware that they hold critical intelligence as they go about their daily operations.

There needs to be a shift from protective and reactive risk management to a more proactive and strategic stance. Typically, Gaurav says, companies grow through three stages in their risk management strategy: manage, embrace and thrive on risk.

The management process is all about getting the basics right, he says, and this involves abandoning siloed methods and integrating risk functions under one umbrella. This also allows for a strong risk culture to be embedded within the company, where risk professionals come to understand the correlation of threats such as operational, cyber and even third-party risks.

“Consequently, companies will then move on to embracing risk. This is where companies that have employed the right risk management tools start to look at data and connect them from both external and internal systems, giving them an overview of their risk appetite,” he says.

See also: Double-clicking on data literacy with Tableau's chief data officer

“The final stage of risk maturation is thriving on risk, which is characterised by companies that start making strategic decisions based on their risk appetite.”

Awareness of risk management on the rise in Southeast Asia

There are two factors that have typically driven the risk management culture in Southeast Asia. The first is the regulatory landscape, as it drives risk management decisions. Though many may think compliance within governance, risk and compliance (GRC) is primarily to abide by regulations when making risky decisions, Gaurav says it also drives risk awareness thinking within enterprises.

See also: Navigating economic uncertainty with empathy

The disruption of technology over the last few years also plays a role as it has changed the whole approach to risk management dramatically. Events like the pandemic have spurred companies in the region to approach risk management from the outset, implementing risk by design and embedding risk thinking in their processes.

“The pace and velocity of technological change have altered dramatically. Therefore, regions that were behind have catapulted and leapfrogged in terms of how they think about risk. As a testament to this, some of the fastest-growing fintech companies in Southeast Asia are ahead of the curve in comparison to more risk-mature markets such as Europe or the US,” he says.

Having worked in Malaysia for several years now, Gaurav points out that the framework of risk culture is shifting in tandem with the region. The approach to risk management was previously native or siloed. However, the exponential growth of international operations and commerce and the proliferation of technology have made enterprises more risk-aware of external threats such as employee-related and geopolitical risks.

“When dealing with our Malaysian partners, we have learnt that boardrooms want to understand enterprise-wide risk holistically to be able to make valuable decisions. Traditionally, risk management within enterprises has had cyber, legal and policy teams working in silos, feeding information to the boardroom.

“This feedback loop presents a fragmented picture of the threat and becomes a challenge for decision-makers who must act quickly to resolve it. Now, enterprises are at the forefront of tackling this via connected risk management strategies.

“This is even more pronounced in digital companies in Malaysia. With data being their biggest asset, privacy and security have become critically important. The adoption of integrated risk management strategies and digital GRC tools provides them with a holistic view of their threats,” he says.

Private companies and governments need to mitigate risks too

To stay ahead of the latest tech trends, click here for DigitalEdge Section

Across the board, many industries were caught on the back foot and have had to reassess their risk management strategies, owing to the rapid growth of technology and evolving market conditions. Industries such as financial services, oil and gas and aviation are well-positioned to adopt and implement integrated risk management and digital GRC tools because of the data-driven and regulatory requirements of these industries.

The similarities are vast among governments too, considering the data-driven nature of and growing digitalisation in government bodies. Their primary responsibility, apart from driving policy, is to drive the governance of the country and manage the risk of respective industries, he says.

“Notable examples of this are the frameworks and guidelines developed by the Monetary Authority of Singapore, which has published a paper that highlights possible risks to financial services and suggests risk management actions as well as guidelines to benchmark themselves against,” he says.

Accelerated digital transformation has also led to increased opportunities for cyber criminals to manipulate vulnerabilities in the enterprise architecture of many organisations, says Gaurav.

According to Cybersecurity Ventures, the cost of ransomware cases will reach US$265 billion ($364 billion) annually by 2031. Companies that have pivoted to a remote or hybrid workforce have exposed themselves to digital operational risk as employees access data from their homes and remote environments.

“To mitigate these potential threats, organisations must implement risk management measures that effectively identify, assess, manage and reduce digital operational risk.”

Focusing on frontline risk management

Historically, GRC has been centred on the second and third lines of defence, but events such as the Covid-19 pandemic have spurred the thinking that risk knowledge is sitting with employees on the frontlines.

Gaurav says this transition from the traditional office-based method to the hybrid or remote workforce has effectively transformed every employee into a frontline worker and, by extension, a risk manager who will have to be equipped with the right training and behaviour to help them identify and report suspicious attacks.

“For example, dnata (Dubai National Air Travel Agency), [an] aviation services company operating in more than 100 airports globally, aimed to achieve a holistic view of its risk and incident scenarios across global operations so that decision-makers could assess and respond to the dynamics of its business operations.

“As a result, they adopted our GRC tools for frontline engagement across the web and mobile. So far, the enablement through the mobile app recorded close to 50,000 observations (preventive measures), 5,000 incidents (for corrective measures) and an additional 30,000 attestations.”

However, it is not just employees at the frontline who are exposed, says Gaurav. Large organisations employ a plethora of policies and controls, which frequently confuse employees.

“When they face an issue, they often turn to the quickest source of information, such as chatbots or digital AI tools. These touchpoints are also considered frontline vulnerabilities for organisations as they contain risk-related information,” he says.

“To generate quick query results through predictive modelling, these tools would need to run anomaly detection, risk assessment exercises and search for relevant historical data. The multitude of risk factors is evident so organisations must not limit their risks to just the frontline, but also the tools they use daily.”

Gaurav says leaders must have a distinct understanding of their organisation’s risk appetite. For instance, a disruptor in the transport industry is likely to take much greater risks as opposed to a company in the agriculture sector, which is more conservative by nature.

He adds that business leaders have to be clear on how they define their risk appetite as this drives the risk culture in the company. “Companies must have a mechanism that can support their employees in real-time. Using tools that provide actionable insights [whenever] an employee crosses the risk appetite threshold or, conversely, is taking too little risk allows the company to instil a deeply embedded risk culture.”

To empower employees, enterprises must overcome an unsupportive culture towards risk awareness. This means overcoming the lack of reporting tools and insights and instilling an adequate timely reporting structure.

“This would make employees more self-aware, thus creating good habits with the right proactive behaviour. This risk culture allows employees to interact and provide feedback enabled by the effective use of technology such as AI and machine learning to simplify reporting of observations, issues or any anomalies,” he says.

Looking ahead, Gaurav believes risk management will be a lot more about predicting rather than preventing risk. “Organisations can actually thrive on risk, enabled by strategic risk decisions. Equipped with advanced risk management tools, leaders will be able to not just understand but prioritise risks while driving stronger alignment between business priorities such as sustainability concerns and cyber investments,” he says.

This article first appeared in The Edge Malaysia and has been edited for length

×
Loading next article...
The Edge Singapore
Download The Edge Singapore App
Google playApple store play
Keep updated
Follow our social media
Subscribe to The Edge Singapore
Get credible investing ideas from our in-depth stock analysis, interviews with key executives, corporate movements coverage and their impact on the market.
© 2022 The Edge Publishing Pte Ltd. All rights reserved.