Can digital business models enhance and reduce risk? How is risk management changing? How do businesses put a value on risk reduction? Jason Crabtree, QOMPLX CEO and co-founder, joins business leaders to discuss what it’s like to manage risk in a digital-first environment. Check out highlights from the insightful roundtable with Charlotte Gribben, Digital Risk lead partner, Deloitte; Emily Jenner, Board member at Airmic, Managing director, global head of risk strategy and appetite Standard Chartered Bank; and Romaney O’Malley, Chief financial officer, AIG UK. The full article appeared in The Sunday Times Raconteur Special Report: The Future CFO.
How do digital business models enhance and reduce risk? And what do business leaders need to consider as their companies become more digital?
EJ: There is a meaningful opportunity for us to retool our businesses and equip them with real-time risk information. Previously risk managers needed to focus more on tangible risks than the intangible. As we adopt these data-driven business models, we need to carefully consider the emerging risks we face as a consequence. Trust, confidentiality and security are key.
JC: One of the challenges is that risk is fundamentally a consequence of dependence. Companies would like to be more dynamic: they would like to be able to have a living, breathing way of interacting with the underlying relationship of the supporting technological processes systems with the company or client. But this connection is a bit tenuous and abstract because most lack a common language to be able to actually describe it in a way that allows for both qualitative and quantitative reasoning. Establishing this is a key executive responsibility.
CG: What we’re finding is that organisations are looking at specific digital technology risk. So with the risk of disruptive tech, they’re thinking, “What is the risk of this robot?” What we’re trying to do is help them see the bigger picture and understand that, a bit like digital, the risk is organisation and society-wide. In order to turn digital risk into digital advantage, they need to consider it at a much higher level than just that specific robot or technology.
RO: One of the shifts we see with a lot of our corporate clients is a move towards strategic partnerships. So recognition that this is not something you’re going to be able to address as a standalone company. Does it actually make more sense to be connecting through a trade or industry organisation to better understand or come up with solutions to mitigating a specific risk? It might also be a case of working with organisations like the National Cyber Security Centre or government bodies, which have capabilities and competencies and data insights that can help you make better decisions.
What changes are you seeing in risk management?
RO: There has been a move from insuring risks in the really traditional sense, which has historically meant waiting for something bad to happen, and then indemnify that company for whatever they’ve lost as a result of the risk crystallising. Whereas now, data is used to really understand what is actually driving some of those losses, and then get much more into risk mitigation and prevention mode.
EJ: Not only does data and the way in which we’re harnessing it help us take a more forward-looking view, it also helps us quantify the risk a lot more easily. In my experience, thinking through and quantifying our risks in an informed way allows us to better understand the uncertainty we face, and helps us make good risk-informed decisions.
How do businesses put a value on risk reduction?
EJ: By harnessing the data that is becoming evermore so readily available you can use a series of ‘what-ifs’. This shows you how you can measure the value of risk management by comparing return of investment under different ‘what-if’ scenarios, systematically testing the value of strategies to manage risk.
CG: Many companies will implement a new technology or go down a new business model with a digital aspect without considering risk or control. We’re finding we’re actually being called in by a number of organisations that have done this and are now trying to forensically undo what they have done. The impact is about three to four times more expensive than embedding the controls as you go and considering the risk as you go and considering the risk, control and compliance up front.
RO: I think it’s both sides. It’s about measuring the opportunity and being able to really quantify the business case for the opportunity a particular risk might give a business. Then it’s also being able to quantify the value of offloading or mitigating certain risks. This is where companies probably need to look more broadly for support. Insurers can help with this.
JC: When we assess the basic risk profile an organisation maintains, regardless of the type of institution, you have to make sure that mitigation strategies relate to the actual underlying dependencies you have, as well as capital requirements and control or transfer options. And it has to be the CFO who is thinking about this and tying it all together.