Charlotte Gribben, Digital Risk lead partner, Deloitte
Emily Jenner, Board member at Airmic, Managing director, global head of risk strategy and appetite Standard Chartered Bank
Jason Crabtree, Chief executive officer, QOMPLX
Romaney O’Malley, Chief financial officer, AIG UK
How do digital business models enhance and reduce risk? And what do business leaders need to consider as their companies become more digital?
EJ: There is a meaningful opportunity for us to retool our businesses and equip them with real-time risk information. Previously risk managers needed to focus more on tangible risks than the intangible. As we adopt these data-driven business models, we need to carefully consider the emerging risks we face as a consequence. Trust, confidentiality and security are key.
JC: One of the challenges is that risk is fundamentally a consequence of dependence. Companies would like to be more dynamic: they would like to be able to have a living, breathing way of interacting with the underlying relationship of the supporting technological processes systems with the company or client. But this connection is a bit tenuous and abstract because most lack a common language to be able to actually describe it in a way that allows for both qualitative and quantitative reasoning. Establishing this is a key executive responsibility.
CG: What we’re finding is that organisations are looking at specific digital technology risk. So with the risk of disruptive tech, they’re thinking, “What is the risk of this robot?” What we’re trying to do is help them see the bigger picture and understand that, a bit like digital, the risk is organisation and society-wide. In order to turn digital risk into digital advantage, they need to consider it at a much higher level than just that specific robot or technology.
Risk has historically meant waiting for something bad to happen, and then indemnify that company for whatever they’ve lost as a result of the risk crystallising
RO: One of the shifts we see with a lot of our corporate clients is a move towards strategic partnerships. So recognition that this is not something you’re going to be able to address as a standalone company. Does it actually make more sense to be connecting through a trade or industry organisation to better understand or come up with solutions to mitigating a specific risk? It might also be a case of working with organisations like the National Cyber Security Centre or government bodies, which have capabilities and competencies and data insights that can help you make better decisions.
As companies change from selling product to service, how can they start thinking about their new risks?
CG: We’re seeing a lot of traditionally B2B organisations using technology to allow them to change their business model to B2C and they’re starting with the legal risks. They’ll go down the regulatory route first and where they’re struggling is to understand how digital will impact their regulatory risk. Digital allows you to cross borders, but with that comes the need for different legal requirements in different countries. Then there’s trust and ethics, which is how do you behave in those countries to get people to buy into you? In the UK, for example, we’re very digital savvy as consumers. We love using apps and we have very short attention spans and expect immediate delivery. Whereas in other countries, things like click and collect just don’t work.
RO: CFOs have a really big role. It’s not enough to focus on the economics and the profitability of the various strategies you might pursue. Part of your responsibility as CFO is to ensure you have a sustainable, resilient business over the longer term. We know regulation will not keep up, particularly with the speed of innovation in the digital space. The role of CFOs is increasingly going towards taking on a level of accountability with the values, ethics and culture of your organisation to ensure you are doing what is right for the long term.
What changes are you seeing in risk management?
RO: There has been a move from insuring risks in the really traditional sense, which has historically meant waiting for something bad to happen, and then indemnify that company for whatever they’ve lost as a result of the risk crystallising. Whereas now, data is used to really understand what is actually driving some of those losses, and then get much more into risk mitigation and prevention mode.
EJ: Not only does data and the way in which we’re harnessing it help us take a more forward-looking view, it also helps us quantify the risk a lot more easily. In my experience, thinking through and quantifying our risks in an informed way allows us to better understand the uncertainty we face, and helps us make good risk-informed decisions.
Is there a risk that CFOs will be seen as old fashioned?
RO: Not necessarily old fashioned, but I think CFOs always have to be comfortable being the challenger. Unfortunately, it might mean you’re not the most popular person in the room, but good businesses have a really healthy level of challenge and debate. Historically, this has tended to be the role of the CFO. It may have been more around the economics than it is the behavioural side, but someone has to be the bad guy.
We need to think about our succession plans and building the right skillset around us to get there
JC: What it comes down to is that resourcing is strategy manifest. You can have great plans and publish all kinds of wonderful thoughts, but ultimately your strategy is manifested by the resources committed. When you start to see resourcing for risk mitigation or risk-taking based on the actual linkages between dependence and the underlying issues, and you start to see this actually being able to be substantiated to the point where you can responsibly apply money to the problem, that’s actually where we start to see organisations really get leverage.
Something that I’ve been asking myself recently is, “What does my future team look like?” We need to think about our succession plans and building the right skillset around us to get there.
Does risk reduction have a bad image?
EJ: It’s unfortunate that risk is, as often as not, seen as a negative. Risk is about opportunity too.
JC: Risk reduction and careful risk management is really about understanding the baseline operational case and then being able to help express how to achieve the ability to maintain freedom of action in the future, despite the fact that Murphy’s law will still apply. That ability to say, “Hey, I’m going to help you, the CEO, chart a path through these uncertain waters.” That’s actually what the role of the CFO and other risk professionals ultimately comes down to.
How important is a culture of openness for risk reduction?
RO: You already see this in high-performing or outperforming companies, but they typically have a culture of transparent and open debate not just in the boardroom, but actually across their organisations. Ultimately, what you want is every person in your organisation as an ambassador for the organisation, particularly people at the grassroots level or those who deal directly with clients or customers every day. They are the ones who are going to be the richest source of ideas and potential innovation.
How do businesses put a value on risk reduction?
EJ: By harnessing the data that is becoming evermore so readily available you can use a series of ‘what-ifs’. This shows you how you can measure the value of risk management by comparing return of investment under different ‘what-if’ scenarios, systematically testing the value of strategies to manage risk.
CG: Many companies will implement a new technology or go down a new business model with a digital aspect without considering risk or control. We’re finding we’re actually being called in by a number of organisations that have done this and are now trying to forensically undo what they have done. The impact is about three to four times more expensive than embedding the controls as you go and considering the risk as you go and considering the risk, control and compliance up front.
RO: I think it’s both sides. It’s about measuring the opportunity and being able to really quantify the business case for the opportunity a particular risk might give a business. Then it’s also being able to quantify the value of offloading or mitigating certain risks. This is where companies probably need to look more broadly for support. Insurers can help with this.
JC: When we assess the basic risk profile an organisation maintains, regardless of the type of institution, you have to make sure that mitigation strategies relate to the actual underlying dependencies you have, as well as capital requirements and control or transfer options. And it has to be the CFO who is thinking about this and tying it all together.