Let me begin by observing that risk management appears to be at a similar state of maturity as was literacy in the 15th century Europe and in both cases technology and globalisation are the main driving forces for change.
The technology of paper making was invented by Cai Lun, a Chinese eunuch in the Eastern Han Dynasty in 105 A.D., however the secret of making paper then took almost a millennium to travel to Europe in the 11th Century via Korea, Japan, India, Africa and finally through the Arabs into Spain.
The printing press was also invented in China during the first millennium A.D. and later movable type was invented in China by Bi Sheng who lived roughly from 970 – 1051 A.D., however the secret of the printing press did not finally arrive in Europe until Johannes Gutenberg's adaptation of this technology in 1440.
These technological innovations coupled with the enlightenment that emerged during the Renaissance coincides with the explosive growth of literacy in Europe and later for the World from the middle to late 15th century.
In the same way that technological innovation can be seen to have enabled a sudden growth in literacy and hence the great leaps forward of the industrial revolution and the technology innovations of the modern knowledge area, technology changes are enabling a similar change in Risk Management.
Where once, risk management was the sole domain of Risk Management Experts (analogous to abbey monks’ hand scribing copies of the bible in Latin), the future of risk management is moving us towards the democratising of risk management for everyday people, and other changes that will make risk management more relevant to organisations.
However, risk management is still somewhat of a dark science and the changes needed to bring risk management into the main stream are only now beginning to emerge.
INTEGRATED RISK MANAGEMENT
One such change is a trend by some vendors to implement what is termed by Gartner Integrated Risk Management (IRM).
The scope of IRM covers all business units and compliance functions, key business partners, suppliers as well as outsourced entities.
Risk Management Solutions of IRM cover a range user cases which include:
- Digital Risk Management (DRM)
- Vendor Risk Management (VRM)
- Business Continuity Management (BCM)
- Audit Management (AM)
- Corporate Compliance and Oversight (CCO)
- Enterprise Legal Management (ELM)'
This view of Integrated Risk Management covered much of the traditional scope of existing governance risk and compliance (GRC) business requirements, however the Gartner IRM also incorporates incident management, risk mitigation action planning, KRI monitoring and reporting, and risk qualifications and analytics.
While IRM recognises that risk management must work together with business continuity management, incident management, and with some internal and external stakeholders, however it fails to incorporate crisis and emergency management involving collaboration and coordination with external agencies and organisations and the supply chains of critical infrastructure (unless they impact critical IT systems).
Also, except for external suppliers and direct contractors, IRM is for the most part inward looking and is highly focussed on IT system risks, although to be fair, cybercrime has emerged as one of the top global threats.
GLOBAL THREATS FROM FRIENDS AND FOES
But, the nature of risks themselves are changing, as highlighted by the Worldwide Threat Assessment of the US Intelligence Community (29th JAN 2019), which states that the threats to individual organisations, to industries and to entire nations are becoming increasingly global in nature.
Nations such as Russia, China and North Korea have undertaken actions directed at influencing our election results, the promotion of racial and social destabilisation which has impacted government policy and the priorities of several countries in the West. External actors from these regimes have also used economic tactics to compete more aggressively with western nations to meet their long-term strategies. Their goal is to secure their long-term survival.
Pyongyang’s cybercrime operations alone include an attempt to steal more than $1.1 billion from financial institutions across the world—including a successful cyber heist of an estimated $81 million from the New York Federal Reserve account of Bangladesh’s central bank.
Private companies like Sony have also been hacked by North Korean sponsored agents, stealing private customer details in retaliation for Sony’s plan to release a movie that was deemed disrespectful to Kim Jong Ung.
GLOBALISATION OF RISKS
While global trade has brought many benefits to 21st century society, it has also introduced new threats and risks that must be managed. To illustrate some of these new risks, consider one of the documents disseminated by Wikileaks in 2010.
Wikileaks released the details of a US diplomatic cable called the “Critical Foreign Dependencies Initiative” (CDFI) which documented the location of all key assets and infrastructure, which if disrupted would critically impact the US entire economy.
Most of this infrastructure is not owned and operated by the Government but by private companies that are bound together by a global supply and distribution network.
The CDFI cable included the details of all major foreign port hubs, the specific location of undersea fibre-optic telecommunication cables connecting the US to the rest of the world, identified critical sea lanes and oil and gas supply pipelines, and specifically identified key mines, dams and pharmaceutical facilities that supply the US economy from all major foreign sources.
The US and UK Governments reacted strongly to the release of this information and argued that its public release amounted to a “shopping-list” for terrorist organisations around the world, to enable them to target key resources that could result in dire economic damage to the US.
Cybercrime is also on the rise and is being used by both rogue states and traditional allies to steal intellectual properties and for cyber espionage, as well as by terrorists and organised crime syndicates. However, according to a PwC Global Survey published in July 2018, 60 per cent of economic cyber-crime in Australia was committed by a "frenemy" who comes in the guise of employees, customers or suppliers.
THE THREAT TO CRITICAL INFRASTRUCTURE
As highlighted by the Wikileaks CDFI diplomatic cable release, all countries are now dependent upon complex networks of supply chains and interdependent utility infrastructures such as power, water and fuel, as well as key transport networks and telecommunication data channels within each country and between different countries.
While many organisations have identified their key suppliers, customers and distribution partners for the business-critical activities in their Business Continuity Management Plans and in their Contractor Management systems, but few organisations could survive a long-term outage of one of these key dependencies.
Take for example the remote island nation of Tonga, 1,100 miles northeast of New Zealand, which on January 20th lost the main underwater fibre-optic cable that connects Tongans to the internet.
For 11 days the 100,000 residents of Tonga lost international and inter-island phone calls, emails and credit card payments across all 170 island that make up this tiny nation. How would your organisation and the country deal with such an event?
Another example is the Caribbean country of Puerto Rico, still suffering from the aftermath of 2017 Hurricanes Maria and Irma.
After Hurricane Maria, it took 11 months to restore the full electricity grid to Puerto Rico, but too late for the 8,000 small businesses that failed in the aftermath of the storm and too late for the hundreds of Puerto Ricans with treatable ailments like bedsores and kidney problems that died without power for dialysis and refrigeration for medications and proper medical care.
A poignant reminder of our societies vulnerability when critical infrastructure is disrupted beyond a few hours or days.
For this reason, over the last decade, governments around the world such as Australia, New Zealand, Canada, United Kingdom and the United States have been busy implementing Critical Infrastructure Legislation and Protective Security Frameworks to address vulnerabilities of this nature.
So, risk management must adapt from its current focus to a broader national and international supply chain focus that links each organisation to the broader global community we share. This also extends the scope of risk management into the realms of crisis and emergency management and into the domain of continuity of operation.
The White Island volcano in New Zealand where 47 people from seven different countries were caught in an explosion during a shore excursion that resulted over 15 fatalities has highlighted the risk exposure in eco-tourism.
Likewise, the months of continuous civil unrest in Hong Kong triggered by the pro-democracy movement has resulted in a significant drop in GDP, foreign investment and tourism revenue for this semi-autonomous region.
When you talk to risk management professionals they are called risks, when you talk to emergency service and safety people they are called hazards and when you talk to people in the defence and intelligence sector they are called threats, but regardless of what they are called, we are on the cusp of technology revolution that will have a profound impact on risk management.
- Risk and Control Libraries which foster consistency and industry best practice in risk management across the entire enterprise. Wizards that walk people through a simple and intuitive process that hides the complexities of risk management and minimises the training needed for general staff.
- NewSQL databases that provide the scalability of NoSQL systems but retain the key benefits of online transaction processing (OLTP) and the familiarity of the SQL interface for technical staff.
- Predictive/Prescriptive Analytics tools that identify patterns, themes and trends that might not be immediately apparent to a risk manager.
- Data visualisation tools which facilitate “evidence-based decision making” and provide what-if modelling capabilities that allow staff to evaluate and predict in near-real time the potential impact of new risk management initiatives.
- Data-driven risk assessment tools based in machine learning and big data analytics that help staff to identify vulnerabilities and gaps and to plan appropriate operational level controls and measures.
- Improvements in the simplicity and ease of use of software that runs on personal computers, on the cloud and any type of mobile device, which provides the flexibility for non-technical users to tailor the system to meet their unique requirements.
- Hyper-integrated systems that tightly integrate risk management with incident management, compliance management and all the other management systems into a single platform.
- Software platforms that integrates risk management with plans that contain actions and provide us with the ability to monitor the implementation of those actions in real time.
The scope of risk management is changing due to globalisation and a complex web of interdependencies that all organisations must master in order to secure their resilience.
We will need to be even more collaborative with the people in our own organisations and with collaborators in other organisations in the commercial and public sector, and some of which will be half a world away.
While technology is creating new risks such as cyber security threats and social media turmoil, new technology innovations will also improve the ability for risk managers to deal faster with new risk management challenges more simply.
Like the monks in their 15th century monasteries, we are on the cusp of a paradigm change which will improve how risk management is performed in fundamental ways.
It’s hard to predict exactly how all these changes will impact the risk management profession, but to paraphrase Bette Davis, “Fasten your seatbelts, we may be in for a bumpy ride.”
So, what’s the upshot for consultants and system integration partners, precisely? They will need to begin advising clients across disciplines, not just within silos. And that’s why Noggin’s solution takes an integrated platform approach instead of individual point solutions. To learn more about our partner practice, reach out at firstname.lastname@example.org.
*Note A version of this article first appeared in the April 2019 edition of Risk Management Institute of Australasia's The Risk Magazine.
Be sure to follow @teamnoggin on Twitter for more news and updates.