Welcome to 2020 – the year of digital risk

March 2020  |  SPECIAL REPORT: MANAGING RISK

Financier Worldwide Magazine



With holiday season a distant memory, most of us are currently either in annual planning mode or in the early days of executing risk plans. This year feels different – and it is not simply because of current events affecting the UK, including Brexit.

2020 has been capturing people’s imagination for years, as evidenced in sci-fi novels. Yet, contrary to some predictions, we do not yet have a base on planet Mars, there are no starships taking us to the other end of the galaxy and no flying cars. Nevertheless, technology-driven changes are cataclysmic, impacting the way we do business and our daily lives.

Change is happening, and happening fast. Virtual branches, robo advisors, artificial intelligence (AI), cloud and blockchain are becoming a more visible and dominant everyday reality. The number of customers doing business online has outpaced conventional service delivery channels. A customer-facing incident could impair brand equity more than ever before.

With these changes come new challenges, ranging from the ethical dilemmas of using AI to gearing organisations for operational resilience. As a result, digital risk has become important enough for governments to notice and take action, mostly in the form of new regulation. In light of these developments, it should not come as a surprise that executive management has also increased its focus on digital risk management. The changing landscape and widening spectrum of emerging risks can be daunting. Where should one start when managing digital risk? Which areas should be prioritised? Below are a few ideas from the trenches.

First, communicating the magnitude of the risk to executive management is key. Digital risk, regardless of its trigger, will continue to exist, evolve and threaten organisational resilience. Disruption due to cyber threats will also continue to rise. Nothing, from published reports to empirical data, suggests that the level of cyber threat will reduce any time soon. Regulators, such as the Financial Conduct Authority (FCA), have identified cyber attacks as one of the most common sources of operational resilience incidents.

Executive management needs to come to terms with this reality and prepare to accept it. Investment and executive sponsorship will need to be continuous, keeping pace with evolving disruption factors. Beyond managing stakeholder expectations, companies should not underestimate the benefits of getting the basics right. A number of risks materialise due to poor control ‘hygiene’. Ensuring ongoing control monitoring reinforces credibility with senior management and secures further support. Effective residual risk assessment and comprehensive governance, risk management and compliance (GRC) solutions can supplement continuous oversight of control monitoring. Risk intelligence provides proactive insights to senior management and builds confidence in the abilities of the digital risk function.

Second, it is important to stay close to your regulators more broadly, not only when it comes to acknowledging new compliance requirements. Regulatory updates should be used as insights that help manage risks. Regulators have been actively meeting with various organisations. Their position often represents cross-industry views and best practices. In this regard, regulators are valuable allies for organisations striving to manage digital risk.

Papers such as the Treasury Committee report on IT failures in financial services should be mandatory reading for all executives and digital risk practitioners. This paper highlights the impact of significant IT failures, such as that experienced by TSB in 2018. Change management, legacy systems, dependency on third parties and cyber are seen as key drivers of incidents in the financial services sector. According to the same report, governments may need to treat ‘systemic’ third-party and cloud providers as critical infrastructure.

Another key area highlighted in UK, European and other regulatory requirements is maintaining a strong understanding of risks in a business. Operational resilience papers worldwide talk about maintaining an end-to-end view of risk at a product and service level, while considering the customer impact. The European Banking Authority (EBA)’s guidelines on information and communication technology (ICT) and security risk management also require organisations to maintain a deep understanding of their risks as they apply to their critical assets, projects and infrastructure changes. It is hard to argue against the validity and value of these assertions. Why would a company choose to ignore these insights and not consider them as part of their risk assessments?

Finally, no organisation, regardless of its size, has unlimited resources. The magnitude and complexity of digital risk require out-of-the-box thinking and innovation. Striking a balance between managing risk and saving intellectual capacity for problem solving and idea generation is key.

Socrates used to say that strong minds discuss ideas, while medium minds discuss events. Digital risk is not the prerogative of an ‘elite’. Opening communication channels and leveraging viewpoints across corporates and the industry could produce faster returns. Such ‘crowdsourcing’ does not apply solely to sharing ideas; equally important is creating communities of practice that think, live and breathe digital risk. Be prepared to share knowledge and best practice. Any knowledge not shared is ‘dead’.

Another key consideration is remaining relevant, both as a risk leader and for the team around you. Investing time in understanding new technologies and experimenting with new capabilities is key. Fail fast, test fast and learn even faster.

Nassos Oikonomopoulos is the head of technology controls for regions at HSBC.

© Financier Worldwide
