Saturday, 27 May 2017


Risk management 4.0

How will risk professionals maintain a leadership role in the Fourth Industrial Revolution?

The developing convergence between digital, biological and physical technologies is creating a Fourth Industrial Revolution – and a fundamental challenge to the risk manager to develop interconnectivity.

We see “a pressing governance challenge”, as the World Economic Forum’s Global Risks Report 2017 described it so strongly, to manage the development and deployment of these fast-moving technologies in our organisations. These governance structures must be flexible enough to allow the business to take advantage of Fourth Industrial Revolution opportunities, while remaining within its risk appetite and meeting compliance requirements. This is complex as there are not currently many rules or standards.

We strongly believe that risk managers will have an important role in this Fourth Industrial Revolution environment. Our role will remain one of advocating and working for true enterprise risk management, something which as FERMA we argue should be embedded in the business model and culture of every organisation. The way we do this, however, is likely to change, maybe quite radically, from what it is today. As a European risk management community and as individuals, this is something we need to be thinking about now or we could miss opportunities that are starting to emerge.

We are currently seeing a proliferation of cross-enterprise roles, mandatory or recommended, in response to the challenges of what could be called the digital world, from the internet to Big Data and way beyond. The EU General Data Protection Regulation creates data protection officers, and the World Economic Forum suggests the creation of cyber resilience officers. We already have chief information officers (CIO) and now chief information security officers (CISO). A headline in the US business magazine Fortune in January this year said, yes, “It’s time to hire a chief artificial intelligence officer.”

When it comes to European regulations, FERMA and the European Confederation of Institutes of Internal Auditing (ECIIA) saw a governance hole for cyber risks. We are now working together on practical guidance, which will be published in June, to help the key risk functions work together in a coordinated way as part of the Three Lines of Defence.

Not fit for purpose
The trend of these positions is already an acknowledgement that management in silos is not fit for purpose in the Fourth Industrial Revolution, if it ever was. At the same time, the appointment of multiple new cross-enterprise officers with highly specialised skills is not necessarily going to create enterprise risk management without a coherent governance structure. Instead, we can see the potential for the creation of new barriers between the various specialist functions. They will just be in different places from the old silos! And there will be plenty of potential for gaps in management of the risks in between the various officers’ responsibilities.

The data protection officer, for example, may regard certain aspects of the work of a money laundering officer as their territory. Will each erect a wall to protect that territory? The chief information security officer will be an expert with an understanding of IT security issues across the whole enterprise, but he or she may not know how best to assess the potential loss of business and reputational fallout from a successful breach of security.

The business will need someone to take an overview of risk, particularly with respect to possible interconnections between different exposures, and to ensure the risks that fall outside the responsibility of any specialist are assessed and managed. We encourage companies to consider having existing risk management functions take on the role of these officers without creating new appointments that increase the risk of gaps or demarcation issues. This, we believe, is a great opportunity for the risk manager who has the skills and knowledge to work with other technical officers.

New responsibilities
Fast-changing technology and very slowly changing governance mean there is also a need for someone with an understanding of the whole organisation’s exposure to risk to advise the board. All the various technical officers with a direct reporting line to the board will naturally want their concerns to get attention. Part of the risk manager’s skill is to assess risks by frequency and severity so board members can prioritise their time. Risk managers can help their organisations develop methods for quantifying exposures from these new technologies and establish their risk appetite.

The question arises – how will the risk manager maintain a risk leadership role in these circumstances? What skills and knowledge do they need and where will they come from? Certainly, we will have to be able to speak “digital”. We will need to understand enough about the new technologies of the Fourth Industrial Revolution, especially artificial intelligence, that we can identify the risk issues in a blizzard of technical terms. Our perspective has to be enterprise-wide and not limited by new barriers, just as traditional silos are coming down.

The best way for risk managers to build these skills is something that FERMA, its member associations and education partners in our European professional certification project rimap have on the agenda. We have a master class on big data and risk management information systems, for example, on the programme for the 2017 FERMA Forum on 15-18 October in Monte Carlo.

Finally, we should not forget that although technology is infiltrating the world from every angle, the basic principles of risk management will not change in the Fourth Industrial Revolution. We still need to assess the likely severity and the frequency of threats and consider how best to deal with their potential disruption and cost. We need to disentangle the interconnections between risks across the enterprise. Will our growing dependence on technology mean less frequent business disruption but more severe incidents when they happen? Nor will the human factor disappear. As my predecessor as president of FERMA, Julia Graham, says, humans will continue to be at the centre of organisations, adding value through creativity and decision making.

The Fourth Industrial Revolution could make our role both very different – and fundamentally the same.
