How chief risk officers can prepare for the unknown
Information and agility are key for risk professionals, who need to look beyond current threats to predict the next major challenge
It may be comforting for business leaders to look on Covid and the invasion of Ukraine as once-in-a-generation events that could be neither anticipated nor planned for.
Yet some would argue that far from being black swans, both the pandemic and the Russian invasion should have been high on the radar, even if their precise impacts on business were less certain.
In order to better prepare for the next major threat, risk professionals must get a firmer handle on the information already available to them, says Oliver Harvey, global head of governance, risk and compliance at the intelligence software firm Nuix.
“One of the remarkable features of our age is that the world has never been more awash with data and, in theory, this provides a massive opportunity to reduce the number of ‘out-of-the-blue’ events,” he says.
Yet he points out that many chief risk officers (CROs) are “overwhelmed by the sheer volume of intelligence” from many different sources, including the UK’s National Risk Register, which mentioned a global pandemic back in 2008. He adds that they may lack the skills necessary to interpret the relevance of such information to their own organisation.
Whatever their nature, all current and future risks to a business share a number of likely outcomes which should form the basis of the mitigation process, says Peter Groucutt, co-founder of IT disaster recovery consultancy Databarracks.
While many organisations, he says, base their risk and resilience assessment on theoretical ‘what if’ scenarios, he urges greater attention to the practical, on-the-ground impacts that risks tend to share.
“Regardless of whether it’s warfare, malware, a climate change event or a nuclear disaster, your organisation could be locked out of its headquarters, face a serious loss of data, a cut-off of supplies and be vulnerable to a full-scale business collapse,” he says.
While part of the job of being CRO is to “think the unthinkable”, as Groucutt puts it, many risk professionals can get bogged down in trying to predict both the nature of the next threat and its precise timing.
“While the potential impacts of a whole range of cataclysmic events are terrifying, they are easier to prepare for than the scenarios themselves. In my experience, many CROs seem to lack the insight to understand this,” he says.
Regardless of whether it’s an unexpected malware attack or a surprising media report, picking up the signs that a feared event is going to happen needs vigilance across the entire organisation.
“This is the perfect example of how diverse teams bring big business benefits,” says Ahmed Badr, chief legal and risk officer at online payments platform GoCardless. “The more perspectives you have, the better you become at spotting what’s coming down the line and anticipating risks that may seem ‘out of the blue’ to everyone else.”
In the aftermath of the pandemic, risk and resilience have climbed up the boardroom agenda. While many larger firms have traditionally carried out risk assessments on an annual basis, should their frequency now be increased?
Yes, says Bolade Atitebi, senior vice-president of Mastercard Data & Services, who argues that the disruption caused by both Covid and now Ukraine should trigger a re-appraisal of risk and mitigation planning.
“Volatility, disruption and shocks will occur in the future, and maintaining an emphasis on emerging risks while not losing sight of risks already under the surface is the balance to strike,” she says.
“Most organisations should have learned that the agility to assess business strategies on an ad hoc basis in order to address rising concerns is now critical. Preparation is key and likely to be more effective than prediction when it comes to out-of-the-blue risk.”
Among the potential events that require specific mitigation are industrial action, terrorist attack, plane crash, flood, power, international conflict and future global pandemics, Atitebi adds.
Global cyber threat
While the impact of Covid caught many organisations by surprise, a global cyber attack – potentially as fall-out from the Ukraine conflict – could be equally devastating.
“A major attack on a public cloud provider could include the loss of data centres and suppliers, an inability to access your bank account and an office and team whose roles would be rendered fairly meaningless,” Groucutt says.
“The worst-case scenario for a commercial firm would be the loss of the entire business but hopefully, there would be insurance to cover it. In the case of a hospital, say, the threat to patients would be at an entirely different level.”
While such a major event may appear unlikely, routine malware attacks on businesses of all sizes have already become all too commonplace, he says. Yet many victims prefer to pay up rather than put comprehensive mitigation plans in place.
More than three-quarters of UK businesses were hit with ransomware demands in 2021, according to a report by data security company Proofpoint last month. As many as 82% paid the hackers to restore their data.
“Even when we do meet clients who are prepared to go the extra mile to keep their systems and data highly secure, we tell them that you can only plan so far,” Groucutt says.
“We can back up their data, leave a copy of it on site, encrypt another copy and keep it safe in a cloud provider, copy it all to another cloud provider and even put it all on tape and bury it underground in a bomb-proof bunker. In today’s world, it all depends how far they’re prepared to go and how much they’re willing to pay to protect their business.”
Do brands need a chief worry officer?
Facebook founder Mark Zuckerberg once famously presented a business card with the title ‘chief worry officer’ on it and Coca-Cola boss James Quincey is said to use the same descriptor as a joke in internal meetings. Post-Covid, the chief risk officer, who looks beyond a business’s status quo to predict future risks and plan mitigation, has become an indispensable part of the C-suite line-up. Yet being a professional worrier is only one of the qualifications required.
A good CRO must “understand psychology to prevent them from being adversely impacted by cognitive biases” and needs a strong understanding of the business in order to effectively challenge internal norms, says Oliver Harvey from Nuix.
The need to play devil’s advocate is, he argues, particularly suited to neurodiverse risk professionals. Often more adept than neurotypical colleagues at “seeing existing data in new ways”, such CROs may also be able to “identify risks earlier and more dynamically”, he says.
While associating risk with worry runs the risk of obscuring the many opportunities that are born out of challenging conditions, business troubleshooter Claire Trachet dislikes the ‘worry’ word altogether.
“I doubt a chief worry officer would be extremely helpful to a company because while it’s easy to find problems, what is often needed is the ability to take calculated risks – the definition of enterprise – and have a plan for when a crisis looms.”
She believes that the best risk management “is done as a team”. And she warns: “By always crying wolf, a chief worry officer would most likely end up not being listened to at all.”