The question — are you playing with risk? — is neither rhetorical nor hypothetical. It is in fact literal and multi-layered. That is because risk — of injury or even death — has been part of our lives since life began.
But that is not the risk we want to discuss here. Our discussion goes back to 62 years ago, when Hasbro launched a commercial board game called Risk. It can be played by up to six people and involves strategy, alliances, tactics (and hidden conspiracies) to win. Unlike in Monopoly, Risk players do not handle money. They collaborate or conspire with other players to conquer geographical territories. According to internet lore, Risk has been “destroying friendships ever since it was launched in 1959”.
Risk the board game is akin to the risk that corporate boards often discuss. The parallels are obvious: in both cases, some strategies succeed and some fail. There are alliances of people who collaborate and of those who compete. And there are markets — both territorial and conceptual — that need to be won, with or without the aid of alliances or partners.
At the corporate core, there were traditionally two key risks — fiduciary or financial and reputational or positional. But now, the biggest risk probably comes from cyberspace. And then, equally challenging, there are those that come from government regulations, consumer advocacy groups, the local environment and climate change.
“Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers and regulators are demanding better business conduct in relation to the natural environment,” says a McKinsey study.
“Geopolitical uncertainties alter business conditions and challenge the footprints of multinational corporations. Corporate reputations are vulnerable to single events as risks once thought to have a limited probability are actually materialising.”
The problem lies at the very top, with the board itself. Risk management at non-financial companies has not kept pace. For many non-financial corporates, risk management remains an underdeveloped and siloed capability, receiving limited attention from top management. Among the 1,100 respondents to McKinsey’s Global Board Survey in 2017, the firm found that risk management remains a relatively low-priority topic at board meetings.
Cybersecurity — or lack of it — is currently the top risk that most Asian organisations face. And many companies are turning to data analytics to understand the dynamics of risk. In a poll of 70 chief information officers (CIOs) conducted by the CIO Academy Asia (CIOAA) earlier this year, cybersecurity and data analytics were rated key focus areas by tech leaders in 2019. About 70% of respondents said their organisations would likely spend the most on cybersecurity and risk management, as well as data analytics, in the next one to two years.
“Specifically, respondents were most concerned with how best to handle advanced threat prevention. More specifically, they were concerned with dealing with insider and unknown threats, complying with government regulations and managing consistent security policies across their organisations,” says CIOAA CEO Ramakrishna Purushotaman.
Risk in Malaysia
Cybersecurity is also the top risk among local companies. In 2017, the Malaysia Computer Emergency Response Team (MyCERT) recorded 2.9 million malware hits from botnets; 1.2 million spam emails, some of which contained code to infect users; and 8,000 targeted security incidents. In 1H2018 alone, botnet-based hits reached 1.7 million, spam emails crossed 754,000 and security incidents went up to 3,200. Targeted security incidents included fraud, intrusions, cyber harassment and Distributed Denial of Service (DDoS) attacks.
In June, Bank Negara Malaysia will launch its Risk Management in Technology policy to provide guidelines for financial institutions to combat the rise in cybercrime. This was announced in February by CyberSecurity Malaysia CEO Amirudin Abdul Wahab.
He said more than 10,000 cases of cybercrime were reported last year. Up to 10 sectors have been identified as “critical national information infrastructure” under the national cybersecurity policy, including government bodies, defence, finance and banking, and transport.
“More than 50% of the cases involved cyberfraud, amounting to millions of ringgit. We hope that with the launch of this policy, we can tackle these scams,” Amirudin told the media at the Islamic Fintech Dialogue 2019.
In September last year, Bank Negara unveiled a draft of the Risk Management in Technology policy that would be applicable to all entities in the banking and financial services industry. To help companies ramp up awareness and incident management, CyberSecurity Malaysia — a national-level specialist agency under the Ministry of Communications and Multimedia — will conduct courses to boost local talent in cybersecurity.
Why is this necessary? “In the past, there were not so many sectors using high technology. This has changed. Today, we cannot just rely on universities to produce these specialists as it can take up to four years to train a graduate,” said Amirudin.
Getting trained manpower is not just an issue in Malaysia. “As with the rest of the world, the biggest challenge for Asean in cybersecurity is finding the people to build and maintain defences,” says Syed Munir Khasru, chairman of think tank The Institute for Policy, Advocacy, and Governance.
“Part of Asean’s problem is that its cyberdefences are uneven among its 10 member states. The 2017 Global Cybersecurity Index ranked Singapore as No 1 and Malaysia at No 3. Vietnam, Cambodia and Myanmar languished at the bottom of the league.”
One option? Get students trained early in coding skills. This could be a necessity for competitive advantage. The problem? Not enough experts or trainers in many countries. The solution? Get trained online with the help of the likes of Coursera, Khan Academy, Udacity and Codecademy. More niche trainers are constantly popping up to offer training in coding skills, as well as on open-source platforms such as Linux.
“We believe that technology, like most natural resources, is a shared commodity. We see it as our responsibility to ensure that cutting-edge technology is accessible to all and is used for the development of society,” says Sri Harsha, founder of ICyberSol and SocAlty, two India-based start-ups that are keen to expand to Malaysia.
SocAlty claims to have trained 8,500 students and 1,200 faculty members on cybersecurity and artificial intelligence solutions so far. The firm offers online and in-class hands-on training and has tools for remote student and teacher training.
Harsha and an army of open-source trainers and professionals converged in Singapore last month at the FOSSASIA (Free Open-Source Software Asia) forum. FOSSASIA was founded by Hong Phuc Dang and Mario Behling in 2009 and holds one of the largest gatherings of open-source professionals in the world.
Risk and reward
How are global corporations dealing with risk? By linking risk appetite statements to business outcomes. As IT strategies become more closely aligned with business goals, the CIO and chief information security officer (CISO) need to present security matters to top management by showing a direct link between risk and business.
“To avoid exclusively focusing on issues related to IT decision-making, create simple, practical and pragmatic risk appetite statements that are linked to business goals and relevant to board-level decisions. This leaves no room for business leaders to be confused as to why security leaders were even present at strategic meetings,” says Peter Firstbrook, a vice-president of research at Gartner Inc.
Firstbrook’s point holds because data security is a complex issue that cannot be solved without a strong understanding of the data itself, the context in which the data was created and used, and how it is subject to regulation. Rather than acquiring data protection products and trying to adapt them to suit the business need, companies should address data security through a data security governance framework (DSGF).
“The DSGF provides a data-centric blueprint that identifies and classifies data assets and defines data security policies. This is then used to select technologies to minimise risk. The key in addressing data security is to start from the business risk it addresses, rather than from acquiring technology first, as too many companies do,” says Firstbrook.
Meanwhile, the McKinsey survey reported that corporate boards spent only 9% of their time on risk in 2017 — slightly less than they did in 2015. Other questions in the survey revealed that only 6% of respondents believed that they were effective in managing risk (again, less than in 2015). Some individual risk areas were relatively neglected and even cybersecurity — a core risk area with increasing importance — was addressed by only 36% of boards.
What, then, is the lesson for companies, especially since their top management could be at high risk? That data security is a board-level topic and should be an essential part of any digital business strategy. Business leaders have not always been receptive to this message, but a string of major incidents is changing that sentiment, according to Gartner.
For example, the Equifax data breach cost the CEO, CIO and CISO their jobs, the WannaCry attack caused global damage estimated at US$1.5 billion to US$4 billion and Verizon got a US$350 million discount on its purchase of Yahoo! as a result of the latter’s data breach.
“Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement. Security departments must capitalise on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected,” says Firstbrook.
The bottom line: What is the opposite of risk? Is it reward? Safety? Security? None of these. The opposite of risk is opportunity. All businesses in the private sector start with a level of calculated risk.
As the business matures and expands, so do the levels and types of risk. But with rapid growth and expansion, most companies have relegated risk to a line function, holding middle and senior management responsible for mitigating and managing it. That may no longer be viable, especially when cybercrime threatens to permeate the board itself.
It is therefore top management, and probably the board members first, who need to understand, appreciate and manage financial and reputational risk — or risk losing it all.