by Dr Janson Yap, Regional Managing Partner, Deloitte Southeast Asia and Asia Pacific Risk Advisory
Most companies’ mission and vision statements are focused largely on growth and profitability on a sustained basis. At the same time, we operate a world where change continues to accelerate at an unprecedented pace.
As the business world continues to evolve with technological advancements and the risks associated with these changes, companies that have not taken steps to address these new and unfamiliar risks may experience disruptions to their business and operating models. Kodak, Compaq, MCI Worldcom, and Eastern Airlines are some well-known examples of companies with historical legacies that fell prey to technological disruptions.
Recent findings further reinforce the view that most companies are not ready to address the risk categories arising from the disruptive challenges and changing competitive environments. As a consequence, the aspirations of value encapsulated in the companies’ missions are compromised and not achieved.
What is risk?
Risks exist in every human endeavour and we are constantly exposed to varying degrees of risks. While some of these risks may seem trivial, others may make a significant difference in the way we live our lives. The ISO 31000 (2009) definition of risk is the ‘effect of uncertainty on objectives’. In this definition, uncertainties include events (which may or may not happen) caused by ambiguity or a lack of information. The common definition is “the possibility that something bad will happen.”
New game rules on the future of risk
While companies recognise the presence of risks, they often choose not to explicitly think about the associated risks and hope that the uncertainty does not happen to them. Most business strategies tend to focus on developing a roadmap and business case towards a positive aspiration, starting from a current baseline and working through a series of iterative steps. Risk assessment and mitigation is either a side conversation or not considered at all in strategy development. However, the good news is that the strategic conversations around risks are changing. Today’s leaders view risk as a possible tool to create value and achieve higher levels of performance.
The ten risk trends
The influx of technology advancements has certainly propelled the world into a great transition from the physical to digital, bringing along a fair share of challenges, threats and risks. Organisations now require a proactive approach towards risks to mitigate their potential and develop a countermeasure strategy.
An overview of the present-age risk landscape indicates 10 risk trends:
1. Innovation paves way for regulations
2. Tech-driven cognitive acumen
3. Extensive and integrated controls
4. Increasing market collaborations and need for mutual risk management
5. Risk transfers and countermeasures expand in application and scope
6. Risk analysis on behavioural factors
7. Recognising disruptions at the C-Suite level
8. Increasing need for periodic risk vigilance
9. Risk as a means to drive performance
10. Amplifying risks to build reputation
The future of risk has arrived
In a Deloitte survey on global risks, companies responded that they are unprepared for risks beyond their control and this includes third party or extended enterprise issues (47 per cent), competitive attacks, hazard or catastrophe (44 per cent). They appear to be more prepared on risks regarding regulatory compliance (69 per cent) and employee / employer misconduct (> 60 per cent). Conduct risks and insider threats are specific use cases on the risk intelligent agenda. Reputation risk is identified as a more important risk than any other risk category by 88 per cent of surveyed executives.
Another survey listed economic conditions, cyber security and increased competition as the top three concerns keeping Asia Pacific risk managers up at night. Conduct risk, which can cause significant damage to the brand and creating reputation risks, occupies the fifth slot in the survey. This finding is consistent with a Deloitte/Forbes Insights 2016 survey which lists economic trends, business model and Reputation/ Competition as the top three risks.
Cyber risk
“Russian spies behind 2014 hacking of Yahoo accounts: US”, “Intelligence agents whose jobs were to catch cyber criminals”, “N.Korean group likely behind cyber attacks: Semantec”, “Cyber thief who broke into Yahoo” are examples of news headlines with a common theme – information theft and abuse of privacy. These hackers are able to penetrate into corporate and governmental systems to hack, steal and abuse the information stored in the servers through sophisticated techniques.
Attacks of cyber nature are real threats to organisations’ integrity. Systems engineers and risk practitioners in the digital economy are working overtime to help their clients secure their infrastructure environments while vigilant in their approach in monitoring cyber threats.
Conduct and reputation risk
Ethical conduct in regulated industries like Banking and Securities, Life Sciences and Healthcare remain a priority and challenge. Unethical collusion between doctors and pharmaceutical companies promoting their drugs has come under scrutiny in recent years. The rigour of compliance in banking is even more stringent after continuous mishaps of financial crime and crises over the years. Although regulators subject banks and financial institutions to vigorous audits, non-compliance and significant breaches still do happen.
Laws, such as Anti-Bribery, Anti-Corruption law (ABAC) and Foreign Corrupt Practices Act (FCPA), are governing the commercial behaviours of organisations to promote free and fair competition. Violations of these Acts lead to conduct violations and reputation risks.
Acts of terror risks
The early recognition of terror risks was the coordinated attacks on 11 September 2001. However, such attacks are changing into multi-faceted ones, some planned and coordinated while others, randomised with individuals who embrace certain ideologies. In essence, these attacks can happen anytime, anywhere. The attackers lie beneath the surface and are difficult to detect. This low frequency and high impact black swan is truly a concern of all governments and security agencies across the globe.
Where to from here?
With risks becoming ever more dynamic, it is evident from the survey that not all companies are ready to deal with the changing nature of these threats. Hence, companies have to take a more measured approach, and avoid being overconfident.
It is about time organisations assess their strategic and operational models and make necessary improvisations. Risk has become inevitable and neither aversion nor taking flight is an option. Therefore, a smart approach to keep up with the trends and adopt a proactive risk management strategy, and hence, formulating the Risk Intelligent agenda, is essential.
In addition, despite the challenges that risk brings, it can also be used as means for groundbreaking innovations, as a performance accelerator, to create USPs and gain a cutting-edge in the pool of competitors. The Strategy Implementation Effectiveness Evaluation (SIEE) framework developed to address strategy implementation failures introduces the notion of continuous scanning and monitoring of risks in the business landscape to ensure strategy fitness during its implementation. It is time to be risk intelligent, get smart in the process and be more successful. Only then will value be realised.
About the Author
Janson is the Regional Managing Partner of Risk Advisory practice in Deloitte Asia Pacific & South East Asia (SEA). He has more than 19 years’ experience providing management consulting and advisory services. In his capacity as management consultant, he has led several Business Transformation programmes, analysing and developing several go-to-market studies, development of new operating models, human capital programmes and technology implementations.