Managing Technology Risks
By Andrew Koh, Deputy Chief Manager, Risk Management, China Construction Bank
Today’s business landscape is ever-evolving, competitive and driven by disruptive technological innovations, all trying to match changing consumer demographics and expectations. Enterprise Risk Management (ERM) is in the business of preventing potential major risks from emerging out of these disruptive environments: it can be used to manage risks, support disruptive technologies and protect innovators’ reputations.
With the exception of a few global technology players, ERM in the technology world is severely under-represented. This is not surprising: innovation always comes first and is well supported by companies as a whole. However, today’s rapidly evolving and highly disruptive business landscape, driven by the need to meet changing demographics with the rise of millennials and new business expectations, should equally compel these companies to learn to use ERM to manage technology risks effectively, protecting their businesses and safeguarding their own reputations so that they can continue to drive innovation. The fallout at firms hit by reputational risk often leads the public, governments and regulators to raise issues of questionable internal practices and governance in the affected companies.
ERM in a Technology World
Based on the COSO or ISO 31000 standards, ERM relates to managing risks in holistic, end-to-end processes that cut across the different business lines within an organisation. In the technology landscape, the closest cousin to ERM is Information Technology (IT) security, which contains elements of IT risk management processes, albeit managing risks in a siloed way within an IT environment.
Yet one of the greatest challenges remaining today is how to marry ERM and IT security, as these functions are staffed and run by two distinct groups of people who share little in common in terms of working background and experience, a gap made worse by specialised educational and industry training courses.
ERM expertise tends to be drawn from finance and audit professionals who graduated from business schools, while IT security talent is more often drawn from IT graduates with computing and information systems backgrounds.
Conducting risk training and involving key projects for ERM and IT personnel together has been proven to be the most direct and effective approach to formally addressing these challenges, bringing the mindsets of both parties to a common level of understanding of threats, vulnerabilities and risks, and to structured levels of cooperation, depending on the degree of risk. As an ERM thought leader, I am proud to have personally trained technology and risk leaders, involved in major national technology projects, as well as privileged to have been invited to participate in global IT and ERM related events.
Risk Assessment on New Technologies and Innovations
Drawing on personal experience and engagement with board directors and C-suite executives, one of the most widely accepted ERM concepts is the risk assessment process. Risk assessment serves to identify, quantify, control and review potential major technology risks, both in day-to-day business and in major projects undertaken by these companies. Yet many companies struggle to effectively identify and quantify all the key risks arising from the technology-related activities they face, which expose them to uncertainty and potential future losses. The real challenge lies in the capability of corporations to effectively identify and quantify losses from potential risks, because these often cannot be measured and quantified, such as reputational risks and their impact on profitability and brand valuations.
Risk Leadership in Understanding Disruptive Technology Risks and its Impact
A prominent Board member of a major corporation once said to me that to take risk leadership in managing risks is to have a complete understanding of how disruptive technology risks can impact stakeholders that are embracing these transformative processes. This also means ERM managers have to understand the fundamental concepts of the technology itself before extending to how disruptive technologies can impact the firms they work for.
Managing reputational risk remains an elusive, moving target across all governmental agencies, corporations and financial institutions. It is like the gathering and build-up of a perfect storm. Think about how just one client’s dissatisfaction can snowball into groups of clients complaining about defective product quality, poor safety records, and environmental and health issues on the one hand, while the same company may face other issues, such as regulatory enquiries into these complaints and legal and other financial liabilities, as more information becomes known both within the affected firm and outside it.
Selecting the appropriate ERM techniques and working with risk owners to identify and quantify potential risks can help companies manage their own reputation internally, and can even prevent reputational risk from escalating towards its full potential. This is done by working out how a specific potential threat (or threats) can lead to a specific risk occurring, assessing its potential impact across economic costs, regulatory actions and customers’ complaints, and ultimately aggregating these impacts against the company’s risk appetite statement. One way to prevent potential reputational risks is to design, together with risk owners, a set of key risk indicators (KRIs) that serve as early predictors of risk transformations and support the monitoring of key performance metrics that may lead to changes in the underlying reputational risk profile.
Operating from Singapore, China Construction Bank delivers 24x7 services to its clients and provides access to mobile phone banking, household banking and personal online banking as well.