Thursday 25 Apr 2024

This article first appeared in Digital Edge, The Edge Malaysia Weekly on April 11, 2022 - April 17, 2022

Organisations are facing complex challenges in today’s business risk environment. According to a recent EY survey, 100% of Asia-Pacific’s chief risk officers (CROs) believe their talent pool is not equipped to meet the changing needs of the risk management function over the next three years, accelerating the urgency to embed a strong risk-aware culture among employees. 

This is an alarming concern, says Gaurav Kapoor, co-founder and chief operating officer of MetricStream. As more employees are becoming the frontline of organisations, they are the ones most likely to identify emerging risks and vulnerabilities.

For example, bank tellers are frontline workers and commonly engage with external stakeholders, customers and partners, among others. Thus, these individuals are in the unique position of being potential sources of risk-related information for their companies. Unless there is a deeply embedded risk culture, the frontliners may not even be aware that they hold critical intelligence as they go about their daily operations.

There needs to be a shift from protective and reactive risk management to a more proactive and strategic stance. Typically, Gaurav says, companies grow through three stages in their risk management strategy — manage, embrace and thrive on risk.

The management process is all about getting the basics right, he says, and this involves abandoning siloed methods and integrating risk functions under one umbrella. This also allows for a strong risk culture to be embedded within the company, where risk professionals come to understand the correlation of threats such as operational, cyber and even third-party risks.

“Consequently, companies will then move on to embracing risk. This is where companies that have employed the right risk management tools start to look at data and connect them from both external and internal systems, giving them an overview of their risk appetite,” he says.

“The final stage of risk maturation is thriving on risk, which is characterised by companies that start making strategic decisions based on their risk appetite.”

Awareness of risk management on the rise in Southeast Asia

There are two factors that have typically driven the risk management culture in Southeast Asia. The first is the regulatory landscape, as it drives risk management decisions. Though many may think compliance within governance, risk and compliance (GRC) is primarily to abide by regulations when making risky decisions, Gaurav says it also drives risk awareness thinking within enterprises.

The disruption of technology over the last few years also plays a role as it has changed the whole approach to risk management dramatically. Events like the pandemic have spurred companies in the region to approach risk management from the outset, implementing risk by design and embedding risk thinking in their processes.

“The pace and velocity of technological change has altered dramatically. Therefore, regions that were behind have catapulted and leapfrogged in terms of how they think about risk. As a testament to this, some of the fastest-growing fintech companies in Southeast Asia are ahead of the curve in comparison to more risk-mature markets such as Europe or the US,” he says.

Having worked in Malaysia for several years now, Gaurav points out that the framework of risk culture is shifting in tandem with the region. The approach to risk management was previously native or siloed. However, the exponential growth of international operations and commerce and the proliferation of technology have made enterprises more risk aware to external threats such as employee-related and geopolitical risks.

“When dealing with our Malaysian partners, we have learnt that boardrooms want to understand enterprise-wide risk holistically to be able to make valuable decisions. Traditionally, risk management within enterprises has had cyber, legal and policy teams working in silos, feeding information to the boardroom.

“This feedback loop presents a fragmented picture of the threat and becomes a challenge for decision-makers who must act quickly to resolve it. Now, enterprises are at the forefront of tackling this via connected risk management strategies.

“This is even more pronounced in digital companies in Malaysia. With data being their biggest asset, privacy and security have become critically important. The adoption of integrated risk management strategies and digital GRC tools provides them with a holistic view of their threats,” he says.

Private companies and governments need to mitigate risks too

Across the board, many industries were caught on the back foot and have had to reassess their risk management strategies, owing to the rapid growth of technology and evolving market conditions. Industries such as financial services, oil and gas and aviation are well positioned to adopt and implement integrated risk management and digital GRC tools because of the data-driven and regulatory requirements of these industries. 

The similarities are vast among governments too, considering the data-driven nature of and growing digitalisation in government bodies. Their primary responsibility, apart from driving policy, is to drive the governance of the country and manage the risk of respective industries, he says. 

“Notable examples of this are the frameworks and guidelines developed by the Monetary Authority in Singapore, which has published a paper that highlights possible risks to financial services and suggests risk management actions as well as guidelines to benchmark themselves against,” he says.

“Regulatory bodies such as the Hong Kong Monetary Authority (HKMA) recognised the urgent need for operational resilience among businesses and, thus, developed the principles for operational resilience within the banking sector.

“In addition, the Securities and Futures Commission in Hong Kong published an operational resilience standards and framework measure to supplement existing guidance for issuance of licences for corporations and the introduction of new regulations. This can be achieved only by having an integrated risk management strategy in play.”

Accelerated digital transformation has also led to increased opportunities for cyber criminals to manipulate vulnerabilities in the enterprise architecture of many organisations, says Gaurav. 

According to Cybersecurity Ventures, the cost of ransomware cases will reach US$265 billion (RM1.1 trillion) annually by 2031. Companies that have pivoted to a remote or hybrid workforce have exposed themselves to digital operational risk, as employees access data from their homes and remote environments.

“To mitigate these potential threats, organisations must implement risk management measures that effectively identify, assess, manage and reduce digital operational risk.”

Focusing on frontline risk management

Historically, GRC has been centred on the second and third lines of defence, but events such as the Covid-19 pandemic have spurred the thinking that risk knowledge is sitting with employees on the frontlines. 

Gaurav says this transition from the traditional office-based method to the hybrid or remote workforce has effectively transformed every employee into a frontline worker and, by extension, a risk manager who will have to be equipped with the right training and behaviour to help them identify and report suspicious attacks.

“For example, dnata (Dubai National Air Travel Agency), one of the world’s largest aviation services companies that operates more than 100 airports globally, aimed to achieve a holistic view of its risk and incident scenarios across global operations, so that decision-makers could assess and respond to the dynamics of its business operations.

“As a result, they adopted our GRC tools for frontline engagement across the web and mobile. So far, the enablement through the mobile app recorded close to 50,000 observations (preventive measures), 5,000 incidents (for corrective measures) and an additional 30,000 attestations.”

However, it is not just employees at the frontline who are exposed, says Gaurav. Large organisations employ a plethora of policies and controls, which frequently confuse employees.

“When they face an issue, they often turn to the quickest source of information, such as chatbots or digital AI tools. These touchpoints are also considered frontline vulnerabilities for organisations as they contain risk-related information,” he says.

“To generate quick query results through predictive modelling, these tools would need to run anomaly detection, risk assessment exercises as well as search for relevant historical data. The multitude of risk factors is evident, so organisations must not limit their risks to just the frontline, but also the tools they use daily.”

Gaurav says leaders must have a distinct understanding of their organisation’s risk appetite. For instance, a disruptor in the transport industry is likely to be taking much greater risks as opposed to a company in the agriculture sector, which is more conservative by nature.

He adds that business leaders have to be clear on how they define their risk appetite as this drives down the risk culture in the company.

“In addition, companies must have a mechanism that can support their employees in real time. Using tools that provide actionable insights that trigger when an employee crosses the risk appetite threshold or, conversely, is taking too little risk allows the company to instil a deeply embedded risk culture.”

To empower employees, enterprises must overcome an unsupportive culture towards risk awareness. This means overcoming the lack of reporting tools and insights and instilling an adequate timely reporting structure.

“This would make employees more self-aware, thus creating good habits with the right proactive behaviour. This risk culture allows employees to interact and provide feedback enabled by the effective use of technology such as artificial intelligence and machine learning to simplify reporting of observations, issues or any anomalies,” he says.

“Essentially, leveraging the right tools and technologies can play a key role in equipping the frontline — leading to the building of a strong risk culture across the organisation. This structure further supports an organisation’s risk management strategy and works to strengthen the core of an organisation’s operations.”

Looking ahead, Gaurav believes risk management will be a lot more about predicting rather than preventing risk. 

“Organisations can do better than that and actually thrive on risk, enabled by strategic risk decisions. Equipped with advanced risk management tools, leaders will be able to not just understand but prioritise risks while driving stronger alignment between business priorities such as sustainability concerns and cyber investments,” he says.

He adds that sustainability has also prompted awareness of the risk management landscape. An EY survey found a staggering 100% of Asia-Pacific CROs recognise climate change as a top risk requiring their utmost attention — compared with 49% globally.

“As the need for sustainability disclosures becomes a requirement in Asia, Singapore has formally set out comprehensive expectations for banks’ environmental risk management disclosures via the Monetary Authority of Singapore and I expect neighbouring countries will soon follow suit.”
