News

Optimize for both Social and Business Value – Building Resilient Businesses, Industries, and Societies

Why Is Corporate Capitalism at a Tipping Point?

Stakeholders are beginning to pressure companies and investors to go beyond financial returns and take a more holistic view of their impact on society. This should not surprise us. After all, we have lived through two decades of hyper-transformation, during which rapidly evolving digital technologies, globalization, and massive investment flows have stressed and reshaped every aspect of business and society.

As in previous transformations, the winners created new dimensions of competition and built innovative business models that increased returns for shareholders. Many others found their businesses at risk of being disrupted, with familiar formulas no longer working. To meet the unwavering demands of Wall Street, many companies relentlessly optimized operating models, streamlined and concentrated supply chains, and specialized their assets and teams — leaving them less resilient and less adaptable to shifting markets and trade flows. The resulting waves of corporate restructuring, consolidation, and repositioning have fractured companies’ cultures and undermined their social contracts.

Furthermore, this hyper-transformation cascaded beyond individual companies and created socio-economic dynamics that left many people and communities economically disadvantaged and politically polarized. Combined with the increasing shared anxiety that the earth’s climate is changing faster than the planet can adapt, a global zeitgeist of risk and insecurity has emerged. We will enter the 2020s with more citizens, investors, and leaders convinced that the way business, capital, and government work must change — and change quickly.

We now must rethink the sustainability of the whole system in the face of extreme externalities — or risk losing social and political permission for further progress. The 2030 UN Sustainable Development Goals (SDGs) identify the moral and existential threats that we must meet head-on. While some question the SDGs’ breadth and timeline, most agree that, if achieved, they would create a more just, inclusive, and sustainable world.

Goal 17 calls for new engagement by companies and capital in partnership for collective action across the public, social, and private sectors. Five years into the SDG agenda, there is ample evidence that governments, investors, and companies are beginning to exercise their capacity to create much-needed change.

Change Is Underway but Is Hardly Sufficient

Many institutional investors are racing to integrate ESG (environmental, social, and governance) assessments into their decision making, and they are expecting companies to report on how they deliver on those metrics. New efforts promote radical disclosure, like the Bloomberg/Carney TCFD (Task Force on Climate-Related Financial Disclosures), which encourages signatories to report on the climate risks of their financial holdings.

New standards initiatives are creating a foundation for nonfinancial performance accounting, and the prospect of widespread “integrated reporting” seems realistic. Companies are investing in “purpose” and defining their contributions to society against material ESG factors and SDG goals. Corporate sustainability and CSR (Corporate Social Responsibility) functions, historically on the sidelines, are now being integrated into line business activity, with progressive companies expanding the scope of competition to include differentiation on environmental and societal dimensions. And through industry consortia, many companies are taking collective action on issues that both threaten their right to operate and open up new opportunities for their industries.

Such examples are important early signals that the context for business is changing. However, for all the progress on commitments, agreements, metrics, and policies, there has been little aggregate progress against top-level goals, like

  • reducing CO2 emissions,
  • cutting plastics waste,
  • or narrowing social and economic inequality within nations.

Without demonstrable impact and collective progress, social and political pressure will only build, further threatening the legitimacy of corporate capitalism.

A New Societal Context for Business

Companies will face escalating social activism by investors, stakeholders, social mission organizations, and policymakers on issues of

  • climate risk,
  • economic inequality,
  • and societal well-being.

Governments and local communities will set a higher bar for a company’s right to operate, and in a connected world a company’s local performance will quickly affect its global reputation and trigger social and regulatory consequences. Stakeholders will expect radical transparency on ESG performance.

This will shift investors’ perceptions of a company’s risk and opportunity, skewing capital toward those that deliver both financial returns and positive societal impact. To satisfy a growing demographic of socially minded consumers and businesses, companies will need to demonstrate “good products doing good” and anchor their brands and identity around a credible purpose.

Talent will gravitate toward companies that give employees a line-of-sight to making the world better while also providing a fulfilling career. To win, companies will need to define competition more broadly, adding new dimensions of value through

  • environmental sustainability,
  • holistic well-being,
  • economic inclusion,
  • and ethical content.

This will require radical business model innovation

  • to enable circular economies for precious resources;
  • to provide assets that are shared rather than owned;
  • to broaden access and inclusion;
  • and to multiply positive societal impact.

At this critical moment for corporate capitalism, business is more trusted than government, according to the Edelman Trust Barometer. Farsighted corporate leaders will see the opportunity for their industries to

  • mitigate environmental and societal threats,
  • catalyze collective action to discover new solutions,
  • shape wider ecosystems,
  • and expand trust with stakeholders.

Such actions will be indispensable to strengthen social permission for corporate capitalism before it is further undermined.

CEOs Need an Agenda for Value and the Common Good

We frame the journey to new corporate value and the common good around six imperatives.

It begins with reimagining corporate strategy, then

  • involves transforming the business model,
  • reframing performance and scorekeeping,
  • leading a purpose-filled organization,
  • practicing corporate statesmanship,
  • and elevating governance.

(Exhibit: BCG 1)

While challenging to execute, we argue that this agenda will be essential to create a great company, a great stock, a great impact, and a great legacy.

Reimagine Corporate Strategy

We believe few companies have strategies for this new era of business. The following exhibit illustrates the ambition of such a strategy, which establishes competitive advantage at the intersection of

  • shareholder value,
  • corporate longevity,
  • and societal impact.

The “quality” of the strategy is thus judged by how it delivers both total shareholder returns and total societal impact.

(Exhibit: BCG 2)

Consequently, it widens the scope of competition to encompass creating rich differentiation and relative advantage in multiple areas of societal value. It embeds “social value” into new business constructs, shared value chains, and reconstructed ecosystems.

It also opens, broadens, and deepens markets to enable access and inclusion. And it expands the scope of business by calling for coalitions for collective action that address existential risks to environmental and societal ecosystems.

This new type of strategy flips leadership’s perspective from “company-out” to “societal needs-in,” by asking how a specific SDG target could be met by extending the company’s capabilities, assets, products, services, and ecosystem—and those of its industry. The following exhibit lists ten questions that strategists should incorporate into their strategy processes to ensure that they embrace the opportunity to create both shareholder returns and societal impact.

(Exhibit: BCG 3)

However, these new strategies cannot simply be grafted onto existing business models. Business models themselves will need to be transformed. Sustainable business model innovation (S-BMI) takes a much wider perspective than traditional business model innovation by considering

  • a broader set of stakeholders;
  • the system dynamics of the socio-environmental context;
  • longer time horizons for sustaining adaptable advantage;
  • the limits of business model scale, viability, and resilience;
  • the cradle-to-grave production and consumption cycle;
  • and the points of leverage for profitable and sustainable transformation.

Transform Business Models

We can already observe seven typologies for sustainable business model innovation, sometimes used in combination, all with the potential to increase both financial returns and societal benefits.

  • Own the origins. Compete on capturing and differentiating the “social value” of inputs to production processes, products, or services. For example,
    • pursue cleaner energy,
    • sustainable practices,
    • preserved biodiversity,
    • recycled content,
    • inclusive and empowering work practices,
    • minimized waste,
    • digitized traceability,
    • fair trade, and so on.

Performance here will require differentially advancing the societal performance of the supplier base and its stewardship of resources, communities, and trade flows. Achieving this may require backward integration to ensure fast and complete upstream transformation and then holding and using these new capabilities for competitive advantage and differentiation.

  • Own the whole cycle. Compete by creating societal impact through the whole product usage cycle, from creation through end of life. This competitive typology puts a wide aperture on the business and requires systems analysis to uncover business models that offer the richest competitive and financial options. For example,
    • designing for circularity, recyclability, and waste to value;
    • creating offerings that enable sharing rather than owning to ensure high utilization of resources and end-of-life value;
    • constructing infrastructure to facilitate circularity and repurposing;
    • integrating into other value chains to capture societal value;
    • educating and enabling consumers to choose whole-cycle propositions on the basis of value to people and planet.

To achieve these ends, expect to reposition operations, reinvent supply chains and distribution networks, pursue new backward or forward integration, acquire business adjacencies, or undertake unconventional strategic partnering.

  • Expand “social value.” Compete by expanding the value of products or services on six dimensions:
    • economic gains,
    • environmental sustainability,
    • customer well-being,
    • ethical content,
    • societal enablement,
    • and access and inclusion.

Then advocate new standards, increase transparency and traceability, tune marketing and segmentation, engage customers on the product’s wider value and their involvement in bigger change, and seek premium pricing. In business-to-business offerings, help customers integrate the full social value of your products, services, and business model into their own differentiation and ESG ambitions.

  • Expand the chains. Compete by extending the company’s value chain, layering onto other industries’ value chains to extend the reach of your products and services and the societal impact for both parties, while changing the economics and risks of doing so. For example,
    • use the reach of a consumer products distribution system to extend payments and financial services to small merchants;
    • layer one company’s health services onto another company’s physical supply chain to benefit its workers and their families while expanding markets for health services;
    • or use the byproducts of one company’s operations as feedstock in other companies’ value chains.
  • Energize the brand. Compete by digitally encoding, promoting, and monetizing the full accumulated social value that is embedded in products and services, along the whole value chain— from origins to customer, from cradle to grave. Use such data to rethink differentiation, the brand experience, customer engagement, pricing for value, ESG reporting, investor engagement, and even potential new businesses. For example,
    • strengthen the brand with promotions that showcase the business’s performance on the open, clean, green, renewable, and inclusive attributes of its operations;
    • and increase customer engagement and loyalty by using data on the product’s environmental and societal footprint to empower customers in choosing how their lifestyle affects the planet and its people.
  • Relocalize and regionalize. Compete by contracting and reconnecting global value chains to bring societal benefits closer to home markets in ways stakeholders value. For example,
    • build local and regional brands that better express local tastes and values;
    • source from smaller local producers to minimize logistics emissions and strengthen local economies;
    • reimagine production networks against total environmental and societal costs;
    • capture local waste streams as feedstocks for other activities;
    • or reconstitute jobs for microwork to use local talent.
  • Build across sectors. Compete by creating models that include the public and social sectors to improve the company’s business and societal proposition, particularly in emerging and rapidly developing economies. For example,
    • work alongside governmental bilateral aid institutions and NGO development organizations to improve the agricultural capacity of small farmers so they become reliable sources of agricultural inputs to the agro-processing value chain;
    • partner with global environmental organizations and governments to promote the reuse of ocean plastics as feedstocks to production systems;
    • partner with governments to strengthen social safety nets and prevent corruption through digitization and electronic payments;
    • or partner across sectors to restructure recycling systems to enable higher penetration of waste-to-value business models.

Extend this into industry coalitions for collective action that reshape broader rights to operate and generate new opportunities.

All seven types of S-BMI create new sources of differentiation, operating advantage, network dynamics, and societal value — enabling more durable and resilient businesses that benefit shareholders and society. But to assess and improve the performance of these business models and communicate their value, we need to expand today’s scorecards.

Click here to access BCG’s full article


From Risk to Strategy: Embracing the Technology Shift

The role of the risk manager has always been to understand and manage threats to a given business. In theory, this involves a very broad mandate to capture all possible risks, both current and future. In practice, however, some risk managers are assigned to narrower, siloed roles, with tasks that can seem somewhat disconnected from key business objectives.

Amidst a changing risk landscape and increasing availability of technological tools that enable risk managers to do more, there is both a need and an opportunity to move toward that broader risk manager role. This need for change – not only in the risk manager’s role, but also in the broader approach to organizational risk management and technological change – is driven by five factors.

(Exhibit: Marsh Ex 1)

The rapid pace of change has many C-suite members questioning what will happen to their business models. Research shows that 73 percent of executives predict significant industry disruption in the next three years (up from 26 percent in 2018). In this challenging environment, risk managers have a great opportunity to demonstrate their relevance.

USING NEW TOOLS TO MANAGE RISKS

Emerging technologies present compelling opportunities for the field of risk management. As discussed in our 2017 report, the three levers of data, analytics, and processes allow risk professionals a framework to consider technology initiatives and their potential gains. Emerging tools can support risk managers in delivering a more dynamic, in-depth view of risks in addition to potential cost-savings.

However, this year’s survey shows that across Asia-Pacific, risk managers still feel they are severely lacking knowledge of emerging technologies across the business. Confidence scores were low in all but one category, risk management information systems (RMIS). These scores were only marginally higher for respondents in highly regulated industries (financial services and energy utilities), underscoring the need for further training across all industries.

(Exhibit: Marsh Ex 3)

When it comes to technology, risk managers should aim for “digital fluency,” a level of familiarity that allows them to

  • first determine how technologies can help address different risk areas,
  • and then understand the implications of doing so.

They need not understand the inner workings of various technologies, as their niche should remain aligned with their core expertise: applying risk technical skills, principles, and practices.

CULTIVATING A “DIGITAL-FIRST” MIND-SET

Successful technology adoption does not only present a technical skills challenge. If risk function digitalization is to be effective, risk managers must champion a cultural shift to a “digital-first” mindset across the organization, where all stakeholders develop a habit of thinking about how technology can be used for organizational benefit.

For example, the risk manager of the future will be looking to glean greater insights using increasingly advanced analytics capabilities. To do this, they will need to actively encourage their organization

  • to collect more data,
  • to use their data more effectively,
  • and to conduct more accurate and comprehensive analyses.

Underlying the risk manager’s digital-first mind-set will be three supporting mentalities:

1. The first of these is the perception of technology as an opportunity rather than a threat. Some understandable anxiety exists on this topic, since technology vendors often portray technology as a means of eliminating human input and labor. This framing neglects the gains in effectiveness and efficiency that allow risk managers to improve their judgment and decision making and to spend their time on more value-adding activities. In addition, the success of digital risk transformations will depend on the risk professionals who understand the tasks being digitalized; these professionals will need to be brought into the design and implementation process right from the start. After all, as the Japanese saying goes, “it is workers who give wisdom to the machines.” Fortunately, 87 percent of surveyed PARIMA members indicated that automating parts of the risk manager’s job to allow greater efficiency represents an opportunity for the risk function. Furthermore, 63 percent of respondents indicated that this was not merely a small opportunity but a significant one (Exhibit 6). This positive outlook makes an even stronger statement than the findings of an earlier global study, in which 72 percent of employees said they see technology as a benefit to their work.

2. The second supporting mentality will be a habit of looking for ways in which technology can be used for benefit across the organization, not just within the risk function but also in business processes and client solutions. Concretely, the risk manager can embody this culture by adopting a data-driven approach, whereby they consider:

  • How existing organizational data sources can be better leveraged for risk management
  • How new data sources – both internal and external – can be explored
  • How data accuracy and completeness can be improved

“Risk managers can also benefit from considering outside-the-box use cases, as well as keeping up with the technologies used by competitors,” adds Keith Xia, Chief Risk Officer of OneHealth Healthcare in China.

This is an illustrative rather than comprehensive list, as a data-driven approach – and more broadly, a digital mind-set – is fundamentally about a new way of thinking. If risk managers can grow accustomed to reflecting on technologies’ potential applications, they will be able to pre-emptively spot opportunities, as well as identify and resolve issues such as data gaps.

3. All of this will be complemented by a third mentality: the willingness to accept change, experiment, and learn, such as in testing new data collection and analysis methods. Propelled by cultural transformation and shifting mind-sets, risk managers will need to learn to feel comfortable with – and ultimately be in the driver’s seat for – the trial, error, and adjustment that accompanies digitalization.

MANAGING THE NEW RISKS FROM EMERGING TECHNOLOGIES

The same technological developments and tools that are enabling organizations to transform and advance are also introducing their own set of potential threats.

Our survey shows the PARIMA community is aware of this dynamic, with 96 percent of surveyed members expecting that emerging technologies will introduce some – if not substantial – new risks in the next five years.

The following exhibit gives a further breakdown of views from this 96 percent of respondents, together with the perceived sufficiency of their existing frameworks. These risks are evolving in an environment where there are already questions about the relevance and sufficiency of risk identification frameworks. Risk management has become more challenging because of the added complexity from rapid shifts in technology, and individual teams are using risk taxonomies with inconsistent methodologies, which further highlights the challenges that risk managers face in managing their responses to new risk types.

(Exhibit: Marsh Ex 9)

To assess how new technology in any part of the organization might introduce new risks, consider the following checklist:

HIGH-LEVEL RISK CHECKLIST FOR EMERGING TECHNOLOGY

  1. Does the use of this technology cut across existing risk types (for example, AI risk presents a composite of technology risk, cyber risk, information security risk, and so on depending on the use case and application)? If so, has my organization designated this risk as a new, distinct category of risk with a clear definition and risk appetite?
  2. Is use of this technology aligned to my company’s strategic ambitions and risk appetite? Are the cost and ease of implementation feasible given my company’s circumstances?
  3. Can this technology’s implications be sufficiently explained and understood within my company (e.g. what systems would rely on it)? Would our use of this technology make sense to a customer?
  4. Is there a clear view of how this technology will be supported and maintained internally, for example, with a digitally fluent workforce and designated second line owner for risks introduced by this technology (e.g. additional cyber risk)?
  5. Has my company considered the business continuity risks associated with this technology malfunctioning?
  6. Am I confident that there are minimal data quality or management risks? Do I have the high quality, large-scale data necessary for advanced analytics? Would customers perceive use of their data as reasonable, and will this data remain private, complete, and safe from cyberattacks?
  7. Am I aware of any potential knock-on effects or reputational risks – for example, through exposure to third (and fourth) parties that may not act in adherence to my values, or through invasive uses of private customer information?
  8. Does my organization understand all implications for accounting, tax, and any other financial reporting obligations?
  9. Are there any additional compliance or regulatory implications of using this technology? Do I need to engage with regulators or seek expert advice?
  10. For financial services companies: Could I explain any algorithms in use to a customer, and would they perceive them to be fair? Am I confident that this technology will not violate sanctions or support crime (for example, fraud, money laundering, terrorism finance)?

SECURING A MORE TECHNOLOGY-CONVERSANT RISK WORKFORCE

As risk managers focus on digitalizing their function, it is important that organizations support this with an equally deliberate approach to their people strategy. This is for two reasons, as Kate Bravery, Global Solutions Leader, Career at Mercer, explains: “First, each technological leap requires an equivalent revolution in talent; and second, talent typically becomes more important following disruption.”

While upskilling the current workforce is a positive step, as addressed before, organizations must also consider a more holistic talent management approach. Risk managers understand this imperative, with survey respondents indicating a strong desire to increase technology expertise in their function within the next five years.

Yet, little progress has been made in adding these skills to the risk function, with a significant gap persisting between aspirations and the reality on the ground. In both 2017 and 2019 surveys, the number of risk managers hoping to recruit technology experts has been at least 4.5 times the number of teams currently possessing those skills.

(Exhibit: Marsh Ex 15)

EMBEDDING RISK CULTURE THROUGHOUT THE ORGANIZATION

Our survey found that a lack of risk management thinking in other parts of the organization is the biggest barrier the risk function faces in working with other business units. This is a crucial and somewhat alarming finding – but new technologies may be able to help.

(Exhibit: Marsh Ex 19)

As technology allows for increasingly accurate, relevant, and holistic risk measures, organizations should find it easier to develop risk-based KPIs and incentives that can help employees throughout the business incorporate a risk-aware approach into their daily activities.

From an organizational perspective, a first step would be to describe risk limits and risk tolerance in a language that all stakeholders can relate to, such as potential losses. Organizations can then cascade these firm-wide risk concepts down to operational business units, translating risk language into tangible and relevant incentives that encourage behavior consistent with firm values. Research shows that employees in Asia want this linkage, citing a desire to better align their individual goals with business goals.

The question thus becomes how risk processes can be made an easy, intuitive part of employee routines. It is also important to consider KPIs for the risk team itself as a way of encouraging desirable behavior and further embedding a risk-aware culture. Already a majority of surveyed PARIMA members use some form of KPIs in their teams (81 percent), and the fact that reporting performance is the most popular service level measure supports the expectation that PARIMA members actively keep their organization informed.

(Exhibit: Marsh Ex 21)

At the same time, these survey responses also raise a number of questions. Forty percent of organizations indicate that they measure reporting performance, but far fewer are measuring accuracy (15 percent) or timeliness (16 percent) of risk analytics – which are necessary to achieve improved reporting performance. Moreover, the most-utilized KPIs in this year’s survey tended to be tangible measures around cost, from which it can be difficult to distinguish a mature risk function from a lucky one.

SUPPORTING TRANSFORMATIONAL CHANGE PROGRAMS

Even where individual risk managers want to digitalize and organizational intentions support them, barriers still exist that can leave risk managers using basic tools. In 2017, cost and budgeting concerns were the single standout barrier to risk function digitalization, chosen by 67 percent of respondents, well clear of second-placed human capital concerns at 18 percent. This year’s survey responses were much closer, with a host of ongoing barriers, six of which were cited by more than 40 percent of respondents.

(Exhibit: Marsh Ex 22)

Implementing the nuts and bolts of digitalization will require a holistic transformation program to address all these barriers. That is not to say that initiatives must necessarily be massive in scale. In fact, well-designed initiatives targeting specific business problems can be a great way to demonstrate success that can then be replicated elsewhere to boost innovation.

Transformational change is inherently difficult, in particular where it spans both technological and people dimensions. Many large organizations have relied solely on IT teams for their “digital transformation” initiatives. This approach has had limited success, as such teams are usually designed to deliver very specific business functionalities rather than to lead change initiatives. If risk managers are to realize the benefits of such transformation, it is incumbent on them to take a more active role in influencing and leading transformation programs.

Click here to access Marsh’s and PARIMA’s detailed report

Optimizing Your GRC Technology Ecosystem

Most organizations rely on multiple technologies to manage GRC across the enterprise. Optimizing a GRC technology ecosystem aligned with a defined GRC process structure improves risk-informed business decisions and achievement of strategic business objectives. This illustration outlines ways to continuously optimize your GRC technology ecosystem for

  • greater process consistency
  • and development of actionable information.

An integrated GRC technology ecosystem built on common vocabulary, taxonomy and processes enables

  • more accurate and timely reporting,
  • increased reliability of achievement of objectives
  • and greater confidence in assurance with less burden on the business.

Here are just a few of the key benefits:

Process and Technology Alignment

  • Common methods for core tasks, uniform taxonomies, and consistent vocabulary for governance, risk management and compliance across the organization
  • Risk-based actions and controls that ensure timely responses to changed circumstances
  • Standardized GRC processes based on understanding where in the organization each defined process takes place and how data is used in managing risks and requirements
  • Connected technologies as necessary to gain a complete view of the management actions, controls and information needed by each user

Governance Systems to include:

  • Strategy / Performance
  • Board Management
  • Audit & Assurance Tools

Risk Systems to include:

  • Brand & Reputation
  • Finance / Treasury Risk
  • Information / IT Risk
  • External Risk Content
  • Third Party Risk

Compliance Systems to include:

  • Policies
  • Helpline / Hotline
  • Training
  • EHS (Environment Health and Safety)
  • Fraud / Corruption
  • Global Trade
  • Privacy
  • Regulatory Change
  • AML (Anti Money Laundering) / KYC (Know Your Customer)

Enabling Systems to include:

  • Data Visualization
  • Analytics
  • Business Intelligence
  • Predictive Tools
  • External Data Sources

Protective Systems to include:

  • Information Security
  • Data Protection
  • Assets Control

Benefits and Outcomes

  • Enhanced tracking of achievement of objectives and obstacles
  • Connected reporting for board/management/external stakeholders
  • Timely understanding of impact from operational decisions
  • Actionable view of changes needed to meet regulatory requirements
  • Clear action pathways for resolution of issues and process reviews
  • Consistent risk assessments feeding into advanced analytics
  • Improved predictive capabilities to support strategic planning
  • Control testing and audit trails for response to regulators and auditors
  • Greater confidence in assurance with less burden on the business
  • Enterprise-wide, departmental and geographic control standards

Tips for Optimization

1. Process Framework

  • Identify tasks appropriate for standardization and schedule implementation across units
  • Assess vocabulary used throughout organization for inconsistencies and establish rules
  • Adjust process model periodically to continue alignment with business objectives and activities

2. Technology Ecosystem

  • Periodically review GRC technologies for gaps and duplication of systems
  • Assess appropriateness of connection of systems for data sharing and user access
  • Maintain a current road map for re-purposing and acquisition of technologies

3. Outcome Management

  • Apply standard processes for resolution of issues and remediation of identified process framework or technology ecosystem weaknesses
  • Enhance reporting capabilities with refined report structure and delivery methods/schedules
  • Ensure all users apply the process framework and understand how best to use the technology

Click here to access OCEG’s illustration in detail

Internal Audit’s Guide to Planning, Managing and Addressing Risks

As time passes and the modern-day enterprise evolves, so does the role of the internal auditor. What was once a function perceived as rule enforcers and compliance police is expanding into one that is a trusted advisor within the business. The last several years have introduced an enormous amount of change, and the proliferation of technology within the enterprise is accelerating every aspect of it, from operations to decision making.

The progressive steps organizations are taking as a result of the digital age present a bevy of benefits, but in turn, create a slew of challenges and risks. Subsequently, the internal audit function has been forced to adapt along the way, assuring key stakeholders in the business that risks have been identified, but above all, addressed and mitigated.

While identifying and managing risks tied to the business falls on management, it’s internal audit’s responsibility to focus on closing the loop. That’s why our second article focuses on effective audit follow-up, in addition to outlining the how and when of escalating risks.

A DYNAMIC AND ITERATIVE PROCESS

The COSO Internal Control – Integrated Framework (2013) provides that a “risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.” (emphasis added). To be effective, internal audit should be aware of and responsive to changes in known risks and additionally the emergence of new ones.

A purpose of the traditional (i.e., annual) risk assessment is to allow internal audit to develop a planning horizon, based on the risks identified, that is understood by stakeholders and, in particular, by executive management and the audit committee. In this process there can also be a push to finalize the internal audit “plan” so that budgets, schedules and staffing can be arranged.

Accompanying the emerging concept of “risk velocity”—measuring how fast a risk may affect an organization—is the recognition that the typical risk assessment process is neither dynamic and iterative nor responsive to change in real time. Change does not occur on an annual basis. The move to a continuous and dynamic audit plan is significant for most internal audit departments. Some departments are already moving along this path and have had to adjust from a static process focused on listening to management on a seasonal basis to monitoring business objectives and risks that are rapidly changing.

Tony Redlinger, internal audit director with IHS Markit, observes the difficulties of the timely capture of risks as “asking the pertinent questions often without the broader knowledge of what the business is getting into, where the technology often advances much faster than the controls.”

BEYOND THE TYPICAL INTERNAL AUDIT RISK ASSESSMENT

What approaches can internal audit functions take to ramp up the process and achieve more dynamic audit planning?

One technique is to increase the frequency of the process and design a rolling series of assessments and audit planning. If existing processes can be made more streamlined and efficient, the cycle can be shortened so that assessments occur more frequently. Potentially, a concerted effort can result in an audit plan being updated every six months instead of annually. Since the risk identification process ideally is ongoing, management should be encouraged to implement a schedule to periodically review risks, while reserving the ability to accelerate reviews if a company objective changes or risk factors increase.

For example, if management is considering an acquisition in a new jurisdiction, it could require the reevaluation of risk factors to determine how the decision could impact operations. Such processes can be formally linked into internal audit planning. Of course, existing sources of risk information should be identified and integrated into internal audit planning.

Other assessment processes, including Enterprise Risk Management activities, department self-assessments and other function-specific reviews in high-impact areas depending on industry (e.g., environmental hazards, cybersecurity threats, etc.), should connect and feed into internal audit processes.

TECHNOLOGY TOOLS AND REALISM ABOUT SURVEYS

In the typical risk assessment, preparatory materials are provided and participants are asked a series of questions during sessions with audit staff. This process is expected to produce information to guide the allocation of resources and activities within internal audit so as to optimize the match between the company’s greatest risks and the corresponding mitigation efforts. The availability of sophisticated technology tools such as online surveys can seem to make it cheap and easy to gather voluminous data from a larger population, and to conduct statistical analysis of that data.

Dr. Hernan Murdock, vice president of the audit division at MISTI, finds surveys and questionnaires to be a technique to collect information. “[Questionnaires] promote risk and control awareness, while encouraging transparency and accountability,” he says.

Potentially, this means we can conduct a much larger assessment with the same resources. There is definitely a place for crowdsourcing risk as well as casting a wide net for particular fact patterns of concern, such as use of third-party sales intermediaries or collection of consumer personal data. Still, more data is not always better data. The essence of a good risk assessment is not popular opinion, mechanically sliced and diced; it is informed opinion and expert judgment applied to the facts. Be careful about gathering far more data than can be followed up on or analyzed meaningfully, which can create human-judgment bottlenecks in the process.

Ordinarily, risk assessments gather information from senior executives and managers, as well as a sample of senior operational personnel in the business units. To the extent that “risk owners” are not in these groups, they are usually sought out, and sometimes manager-level input is also requested.

Front-line workers should be considered as well. It’s usually those who are in the details on a daily basis that have the best perspectives on risks and low-hanging fruit when it comes to increasing operational efficiency.

THE RISK OF THE INTERNAL AUDIT RISK ASSESSMENT

Here we are not talking about the risk assessment that drives the audit plan. Rather, this is the risk that the internal audit function itself will not achieve its objectives as a result of the risk assessment. Should you perform this type of quality engagement as well? See IIA’s Standards for the Professional Practice of Internal Auditing 2120—Risk Management: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

The internal audit function in this regard should consider risks such as:

  • The potential that the audit risk assessment is inaccurate or incomplete leading to an ineffective audit plan
  • Audit staffing that is insufficient in terms of quality and capacity to deliver useful results on every engagement
  • Changes in business and risk not promptly identified so that the audit plan can be updated
  • Audit communications failing to provide information organizational stakeholders need, when they need it
  • Governance roles not able to understand audit results and their implications for management of the organization

Beyond Quality: The Four-Part Approach for Audit Efficiency and Effectiveness

STEP 1: PLAN FOR ORGANIZATIONAL GROWTH

While the concept of quality is uniform for internal auditors of different varieties and capacities, effectiveness and efficiency can vary from organization to organization. Accordingly, clear definitions for these terms—the expectations for your team—must be established and adopted to plan for growth.

Use these questions as guidance when defining exactly what effectiveness and efficiency mean for you and your team:

  • Are we equipped with the up-to-date tools needed to conduct the best work possible?
  • Do we have the right resources and skill sets required to deliver our audit plan?
  • Are we contributing to organizational improvement? If so, can others see this?
  • Have we obtained any validation of our team’s quality, such as notification from managers or executives?
  • Is feedback effectively distributed to team members, so they know what areas to improve?
  • What quantifiable metrics can we associate with these definitions?

While you and your team’s definitions of effectiveness and efficiency are crucial, it is also important to gain the approval of key stakeholders involved in internal audit.

A major reason that process improvement initiatives fail, according to one Harvard Business Review article, is that the people whose work will be directly impacted are often left out of the process.

Accordingly, feedback from stakeholders at the helm of the financial success of your company should also be incorporated. Here are a few stakeholders who should weigh in on your definitions of effectiveness and efficiency:

  1. Internal stakeholders: Board of directors, audit committee, executives, senior management and department leads
  2. External stakeholders: Regulators, standard-setters, vendors, customers and external audit teams

STEP 2: DO THE WORK NEEDED TO SET EXPECTATIONS

The second step of this process continues to articulate the definitions of effectiveness and efficiency, and sets expectations for your team.

By this stage, you should have an internal definition of effectiveness and efficiency, and you should have tempered that definition in the context of what key internal and external stakeholders need. To better set your organization up for success, make these definitions more actionable and specific through the assignment of qualitative and quantitative metrics.

As described in a Forbes article, Forrester reports that 74 percent of firms say they want to be “data-driven,” but only 29 percent are actually successful at connecting analytics to action. Actionable insights appear to be the missing link for companies that want to drive business outcomes from their data.

To collect the qualitative and quantitative metrics that make these definitions actionable, try the following tactics:

  • Look back at past performance data to determine quantitative metrics:
    • How many audits were scheduled?
    • How many were completed?
    • How was staff utilized?
    • What were the budgeted hours as compared to the actual hours?
  • Go on a listening tour of departments impacted by your work to determine qualitative metrics:
    • What do clients think of your team’s performance?
    • What do other internal stakeholders think of your team’s performance?
    • Do they consider you and your team leaders in their role or order-takers?
    • Would they want to engage in future projects with your team?

With these actionable definitions in hand, the expectations for your team should be crystal clear. It is ultimately up to chief audit executives to hold their teams accountable for efficient and effective—along with quality—work.

STEP 3: CHECK PROGRESS AGAINST SET EXPECTATIONS

To check the quality, effectiveness, and efficiency of your team’s work, internal audit leaders should look at individual performance on an ongoing basis—not just an annual one. After all, it is easier and less problematic for leaders to reevaluate individual performance in small increments before it becomes a major issue.

In organizations of all sizes, a traditional once-per-year approach to employee reviews is fading away in favor of more ongoing ones. As a Washington Post article describes, today’s employees have come to expect instant feedback in many other areas of their lives, and performance reviews should be the same. Besides, the article states, one report found that two-thirds of employees who receive the highest scores in a typical performance management system are not actually the organization’s highest performers.

Chief audit executives should encourage the completion of self-appraisals. A Harvard Business Review article explains that an effective self-appraisal should focus on what you have accomplished and talk about weaknesses carefully, using language with an emphasis on growth and improvement rather than admonishment. Highlight your team’s blind spots that they might not be aware exist.

In short, employees want more frequent and iterative assessments of their work, and internal audit leaders need to step up to deliver this and ensure quality, effectiveness, and efficiency at all stages.

STEP 4: ACT UPON WHAT YOU HAVE LEARNED

By this step, internal audit leaders have an array of tools at their disposal, including:

  • Actionable definitions of effectiveness and efficiency for their teams
  • Qualitative and quantitative metrics to bolster these definitions
  • Information gathered from self- and manager-guided evaluations
  • An understanding of how team members have performed along these guidelines

With this information in hand, many opportunities for growth are apparent—simply compare where you want your team members to be against where they are right now. By implementing these fact-based changes into your internal audit processes, leaders set the stage for cyclical organizational and personal improvement.

According to a survey, this type of continuous improvement yields a positive ROI for organizations, helping increase revenue, along with saving time and money—an average annual impact of $6,000. Additionally, these improvements are designed to compound with each cycle.

Just as the approach to monitoring and improving audit quality is ongoing and cyclical—there are always improvements yet to be made—this approach to improving effectiveness and efficiency is fluid as well.

By weaving this four-part process into the fabric of your internal audit methodology, leaders can improve effectiveness and efficiency in their organizations.

Click here to access Workiva’s and MISTI’s White Paper

EIOPA Insurance Risk Dashboard: Risk exposures for the European insurance sector – July 2019

Risk exposures for the European insurance sector remain overall stable.

Macro and market risks are now at a high level due to a further decline in swap rates and lower returns on investments in 2018 which put strain on those life insurers offering guaranteed rates. The low interest rate environment remains a key risk for the insurance sector.

Credit risks continue at medium level with broadly stable CDS spreads for government and corporate bonds.

Profitability and solvency risks increased due to lower return on investments for life insurers observed in year-end 2018 data; SCR ratios are above 100% for most undertakings in the sample even when excluding the impact of the transitional measures.

Market perceptions were marked by a performance of insurers’ stocks broadly in line with overall equity markets, while median CDS spreads have slightly increased. No change was observed in insurers’ external ratings and rating outlooks.

Macro risks are now at a high level. Since the April 2019 assessment, swap rates have further declined for all the currencies considered (EUR, GBP, CHF, USD). The indicator on credit-to-GDP gaps has deteriorated due to a more negative gap in the Euro area. Key policy rates remained unchanged and the rate of expansion of major central banks’ (CB) balance sheets is now close to zero. Recent monetary policy decisions suggest that some degree of monetary accommodation is still to be expected for the foreseeable future.

Credit risks remained stable at medium level. Since the previous assessment, spreads have remained broadly stable for all corporate bond segments except financials (unsecured). The average credit quality of insurers’ investments remained broadly stable, corresponding to an S&P rating between AA and A, while the share of below investment grade assets remains limited.

Market risks are now at a high level. Volatility of the largest asset class, bonds, remained broadly stable compared to the January assessment, whereas equity market volatility spiked in June 2019. Newly available annual information shows a decline in the spread of investment returns over the guaranteed rates to negative values in 2018, mainly due to lower investment returns. The mismatch between the duration of assets and liabilities remained broadly stable in the same period.

Liquidity and funding risks remained stable at medium level. Liquidity indicators have remained broadly unchanged since the previous quarter, while funding indicators such as the average ratio of coupons to maturity and the average multiplier for catastrophe bond issuance increased.

Profitability and solvency risks remain at medium level but show an increasing trend. This is mainly due to newly available data on the return on investments for life solo undertakings, which was considerably lower in 2018 than in the preceding year. SCR ratios are above 100% for the majority of insurers in the sample even when excluding the impact of the transitional measures on technical provisions and interest rates. The proportion of Tier 1 capital in total own funds remains high across the whole distribution and the share of expected profit in future premiums in eligible own funds is below 15% for most undertakings in the sample.

Interlinkages and imbalances risks remained at medium level in Q1-2019. A minor increase is observed for exposures to banks, while the opposite is true for exposures to other financial institutions. An increase has been reported in the share of premiums ceded to reinsurers.

Insurance risks remained constant at a medium level. Median premium growth of life and non-life business remains positive and a reduction has been reported in insurance groups’ loss ratios and cat loss ratios.

Market perceptions remained constant at medium level. Insurance groups stocks’ performance was broadly in line with the overall market. Median insurers’ CDS spreads have increased, while external ratings have remained unchanged.

Click here to access EIOPA’s Risk Dashboard July 2019

The Future of CFO’s Business Partnering

BP² – the next generation of Business Partner

The role of business partner has become almost ubiquitous in organizations today. According to respondents of this survey, 88% of senior finance professionals already consider themselves to be business partners. This key finding suggests that the silo mentality is breaking down and, at last, departments and functions are joining forces to teach and learn from each other to deliver better performance. But the scope of the role, how it is defined, and how senior finance executives characterize their own business partnering are all open to interpretation. And many of the ideas are still hamstrung by traditional finance behaviors and aspirations, so that the next generation of business partners as agents of change and innovation languishes at the bottom of the priority list.

The scope of business partnering

According to the survey, most CFOs see business partnering as a blend of traditional finance and commercial support, while innovation and change are more likely to be seen as outside the scope of business partnering. 57% of senior finance executives strongly agree that a business partner should challenge budgets, plans and forecasts. Being involved in strategy and development followed closely behind with 56% strongly agreeing that it forms part of the scope of business partnering, while influencing commercial decisions was a close third.

The pattern that emerges from the survey is that traditional and commercial elements are given more weight within the scope of business partnering than being a catalyst for change and innovation. This more radical change agenda is only shared by around 36% of respondents, indicating that finance professionals still largely see their role in traditional or commercial terms. They have yet to recognize the finance function’s role in the next generation of business partnering, which can be the catalyst for innovation in business models, for process improvements and for organizational change.

Traditional and commercial business partners aren’t necessarily less important than change agents, but the latter have the potential to add the most value in the longer term, and should at least be in the purview of progressive CFOs who want to drive change and encourage growth.

Unfortunately, this is not an easy thing to change. Finding time for any business partnering can be a struggle, but CFOs spend disproportionately less time on activities that bring about change than on traditional business partnering roles. Without investing time and effort into it, CFOs will struggle to fulfill their role as the next generation of business partner.

Overall 45% of CFOs struggle to make time for any business partnering, so it won’t come as a surprise that, ultimately, only 57% of CFOs believe their finance team efforts as business partners are well regarded by the operational functions.

The four personas of business partnering

Ask a room full of CFOs what business partnering means and you’ll get a room full of answers, each one influenced by their personal journey through the changing business landscape. By its very variability, this important business process is being enacted in many ways. FSN, the survey authors, did not seek to define business partnering. Instead, the survey asked respondents to define business partnering in their own words, and the 366 detailed answers were all different. But underlying the diversity were patterns of emphasis that defined four ‘personas’ or styles of business partnering, each exerting its own influence on the growth of the business over time.

A detailed analysis of the definitions and the frequency of occurrence of key phrases and expressions allowed us to plot these personas, their relative weight, together with their likely impact on growth over time.

[Figure: the four business partnering personas, plotted by frequency of mention and likely contribution to growth over time]

The size of the bubbles denotes the frequency (number) of times an attribute of business partnering was referenced in the definitions and these were plotted in terms of their likely contribution to growth in the short to long term.

The greatest number of comments by far coalesced around the bottom left-hand quadrant denoting a finance-centric focus on short to medium term outcomes, i.e., the traditional finance business partner. But there was an encouraging drift upwards and rightwards towards the quadrant denoting what we call the next generation of business partner, “BP²” (BP Squared), a super-charged business partner using his or her wide experience, purview and remit to help bring about change in the organization, for example, new business models, new processes and innovative methods of organizational deployment.

Relatively few of the 383 business partners offering definitions of a business partner concerned themselves with top-line growth, i.e., with involvement in commercial sales negotiations or the sales pipeline – a critical part of influencing growth.

Finally, surprisingly few finance business partners immersed themselves in strategy development or saw their role as helping to ensure strategic alignment. It suggests that the ongoing transition of the CFO’s role from financial steward to strategic advisor is not as advanced as some would suggest.

Financial Performance Drivers

Most CFOs and senior finance executives define the role of the business partner in traditional financial terms. They are there to explain and illuminate the financial operations, be a trusted, safe pair of hands that manages business risk, and provide some operational support. The focus for these CFOs is on communicating a clear understanding of the financial imperative in order to steer the performance of the business prudently.

This ideal reflects the status quo and perpetuates the traditional view of finance, and the role of the CFO. It’s one where the finance function remains a static force, opening up only so far as to allow the rest of the business to see how it functions and make them more accountable to it. While it is obviously necessary for other functions to understand and support a financial strategy, the drawback of this approach is its limited benefit to the business as a whole. Finance-centric business partnering provides some short-term outcomes but does little to promote more than pedestrian growth. It’s better than nothing, but it’s far from the best.

Top-Line Drivers

In the upper quadrant, top line drivers focus on driving growth and sales with a collaborative approach to commercial decision-making. This style of business partnering can have a positive effect on earnings, as improvements in commercial operations and the management of the sales pipeline are translated into revenue.

But while top line drivers are linked to higher growth than financial-focused business partners, the outcome tends to be only short term. The key issue for CFOs is that very few of them even allude to commercial partnerships when defining the scope of business partnering. They ignore the potential for the finance function to help improve the commercial outcomes, like sales or the collection of debt or even a change in business models.

Strategic Aligners

Those CFOs who focus on strategic alignment in their business partnering approach tend to see longer term results. They use analysis and strategy to drive decision-making, bringing business goals into focus through partnerships and collaborative working. This business benefit helps to strengthen the foundation of the business in the long term, but it isn’t the most effective in driving substantial growth. And again, there is a paucity of CFOs and senior finance executives who cited strategy development and analysis in their definition of business partnering.

Catalysts for change

The CFOs who were the most progressive and visionary in their definition of business partnering use the role as a catalyst for change. They challenge their colleagues, influence the strategic direction of the business, and generate momentum through change and innovation from the very heart of the finance function. These finance executives get involved in decision-making, and understand the need to influence, advise and challenge in order to promote change. This definition is the one that translates into sustained high growth.

The four personas are not mutually exclusive. Some CFOs view business partnering as a combination of some or all of these attributes. But the preponderance of opinion is clustered around the traditional view of finance, while very little is to do with being a catalyst for change.

How do CFOs characterize their finance function?

However CFOs choose to define the role of business partnering, each function has its own character and style. According to the survey, 17% have a finance-centric approach to business partnering, limiting the relationship to financial stewardship and performance. A further 18% have to settle for a light-touch approach where they are occasionally invited to become involved in commercial decision-making. This means 35% of senior finance executives are barely involved in any commercial decision-making at all.

More positively, the survey showed that 46% are considered to be trusted advisors, and are sought out by operational business teams for opinions before they make big commercial or financial decisions.

But at the apex of the business partnering journey are the change agents, who make up a paltry 19% of the senior finance executives surveyed. These forward thinkers are frequently catalysts for change, suggesting new business processes and areas where the company can benefit from innovation. This is the next stage in the evolution of both the role of the modern CFO and the role of the finance function at the heart of business innovation. We call CFOs in this category BP² (BP Squared) to denote the huge distance between these forward-thinking individuals and the rest of the pack.

Measuring up

Business partnering can be a subtle yet effective process, but it’s not easy to measure. 57% of organizations have no agreed way of measuring the success of business partnering, and 34% don’t think it’s possible to separate and quantify the value added through this collaboration.

Yet CFOs believe there is a strong correlation between business partnering and profitability – with 91% of respondents saying their business partnering efforts significantly add to profitability. While it’s true that some of the outcomes of business partnering are intangible, it is still important to be able to make a direct connection between it and improved performance; otherwise, ineffective efforts may be allowed to continue.

One solution is to use 360-degree appraisals, drawing in a wider gamut of feedback including business partners and internal customers to ascertain the effectiveness of the process. Finance business partnering can also be quantified if there are business model changes, like the move from product sales to services, which require a generous underpinning of financial input to be carried out effectively.

Business partnering offers companies a way to inexpensively pool all their best resources to generate ideas, spark innovation and positively add value to the business.

First, CFOs need to recognize the importance of business partnering, widen their idea of how it can add value, and then actually set aside enough time to become agents of change and growth.

Data unlocks business partnering

Data is the most valuable organizational currency in today’s competitive business environment. Most companies are still in the process of working out the best method to collect, collate and use the tsunami of data available to them in order to generate insight. Some organizations are just at the start of their data journey, others are more advanced, and our research confirms that their data profile will make a significant difference to how well their business partnering works.

[Figure: how well respondents’ data supports business partnering, by data profile (data overloaded, data constrained, technology constrained, data mastery)]

The survey asked how well respondents’ data supported the role of business partnering, and the responses showed that 18% were data overloaded. This meant business partners have too many conflicting data sources and poor data governance, leaving them with little actual usable data to support the partnering process.

26% were data constrained, meaning they cannot get hold of the data they need to drive insight and decision making.

And a further 34% were technology constrained, muddling through without the tech-savvy resources or tools to fully exploit the data they already have. These senior finance executives may know the data is there, sitting in an ERP or CRM system, but can’t exploit it because they lack the right technology tools.

The final 22% have achieved data mastery, where they actively manage their data as a corporate asset, and have the tools and resources to exploit it in order to give their company a competitive edge.

This means 78% overall are hampered by data constraints and are failing to use data effectively to get the best out of their business partnering. While the good intentions are there, it is a weak partnership because there is little of substance to work with.

[Figure: Business Partnering Maturity Model as it relates to data]

The diagram above is the Business Partnering Maturity Model as it relates to data. It illustrates that there is a huge gap in performance between how effective data masters and data laggards are at business partnering.

The percentage of business partners falling into each category of data management (‘data overloaded’, ‘data constrained’, etc.) has been plotted together with how well these finance functions feel that business partnering is regarded by the operational units, as well as their perceived influence on change.

The analysis reveals that “Data masters” are in a league of their own. They are significantly more likely to be well regarded by the operations and are more likely to act as change agents in their business partnering role.

We know from FSN’s 2018 Innovation in Financial Reporting survey that data masters, who similarly made up around one fifth of senior finance executives surveyed, are also more innovative. That research showed they were more likely to have worked on innovative projects in the last three years, and were less likely to be troubled by obstacles to reporting and innovation.

Data masters also have a more sophisticated approach to business partnering. They’re more likely to be change agents, are more often seen as a trusted advisor, and they’re more involved in decision making. Interestingly, two-thirds of data masters have a formal or agreed way to measure the success of business partnering, compared to less than 41% of data constrained CFOs, and 36% of technology constrained and data overloaded finance executives. They’re also more inclined to perform 360-degree appraisals with their internal customers to assess the success of their business partnering. This means they can monitor and measure their success, which allows them to adapt and improve their processes.

The remainder, i.e. those that have not mastered their data, are clustered around a similar position on the Business Partnering Maturity Model: there is little to separate them in how well they are regarded by operational business units or whether they are in a position to influence change.

The key message from this survey is that data masters are the stars of the modern finance function, and it is a sentiment echoed through many of FSN’s surveys over the last few years.

The Innovation in Financial Reporting survey also found that data masters outperformed their less able competitors in three key performance measures that are indicative of financial health and efficiency: 

  • they close their books faster,
  • reforecast quicker and generate more accurate forecasts,
  • and crucially they have the time to add value to the organization.

People, processes and technology

So, if data is the key to driving business partnerships, where do the people, processes and technology come in? Business partnering doesn’t necessarily come naturally to everyone. Where there is no experience of it in previous positions, or if the culture is normally quite insular, sometimes CFOs and senior finance executives need focused guidance. But according to the survey, 77% of organizations expect employees to pick up business partnering on the job. And only just over half offer specialized training courses to support them.

Each company and department or function will be different, but businesses need to support their partnerships, either with formal structures or at the very least with guidance from experienced executives, to maximize the outcome. Meanwhile, processes can be a hindrance to business partnering in organizations where there is a lack of standardization and automation. The survey found that 71% of respondents agreed or strongly agreed that a lack of automation hinders the process of business partnering.

This was followed closely by a lack of standardization, and a lack of unification or integration in corporate systems. Surprisingly, the constraints of too many or too complex spreadsheets only hindered 61% of CFOs, the lowest of all obstacles but still a substantial stumbling block to effective partnerships. The hindrances reflect the need for better technology to manage the data that will unlock real inter-departmental insight, and 83% of CFOs said that better software to support data analytics is their most pressing need when supporting effective business partnerships.

Meanwhile 81% are looking to future technology to assist in data visualization to make improvements to their business partnering.

This echoes the findings of FSN’s The Future of Planning, Budgeting and Forecasting survey which identified users of cutting edge visualization tools as the most effective forecasters. Being able to visually demonstrate financial data and ideas in an engaging and accessible way is particularly important in business partnering, when the counterparty doesn’t work in finance and may have only rudimentary knowledge of complex financial concepts.

Data is a clear differentiator. Business partners who can access, analyze and explain organizational data are more likely to

  • generate real insight,
  • engage their business partners
  • and become a positive agent of change and growth.

Click here to access Workiva’s and FSN’s Survey²

Cyber Risk Management – From Security to Resilience

Rapidly evolving threats and infiltration techniques have rendered traditional cyber defense strategies insufficient and ineffective. The emerging threat vectors and speed of change amplified by the digital transformation cannot be addressed by traditional means. Globally, laws are also changing to keep pace as cybercrime evolves, knowing no boundaries. Therefore, organizations must be nimble and agile to keep pace with policy changes, especially when expanding across different jurisdictions.

This report highlights three strategic imperatives to strengthen cyber resilience:

  • Understand (know your threats): Identifying organization- and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
  • Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
  • Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.

It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.

Cyber Risk: A Top Concern

Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.

Rapid Innovation

The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. The adoption and use of mobile devices have surpassed that of desktops since the last quarter of 2016, with mobile traffic accounting for 52 percent of total internet traffic in 2018. While business benefits include greater convenience and productivity, the use of mobile devices for both work and personal reasons has blurred the lines between sensitive corporate and confidential personal data, which are increasingly exposed to weaker application security features, mobile malware and other vulnerabilities.

Pervasive, Sophisticated Technologies

A recent study by FireEye Mandiant revealed that cyber attackers have followed cloud-reliant organizations, such as software-as-a-service and cloud computing providers, into the cloud. Mandiant researchers observed an increased volume of attacks against organizations with access to vast amounts of personal and confidential data, such as cloud providers, telecommunications, and retail and hospitality. More than 730 investigations were performed by Mandiant experts globally in 2018, a higher volume than any year before and an increase of more than 30 percent over 2017.

Devious, Organized Threat Actors

The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.

Motivations and methodologies of threat actors can also overlap with one another. In many cases, similar tools and techniques are used by different groups since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups demonstrate increased determination by maintaining persistence in victims’ networks. Some APT attackers plan out their modus operandi and patiently pursue their goals over a long period of time—months or years—before they launch their attack. They rapidly adapt to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.

After an organization has been successfully attacked, there is a higher probability of re-compromise. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. The figure is more significant in APAC, where almost eight in 10 (78 percent) compromised organizations are likely to face at least one additional significant attack over the next year.

Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.

Data Sharing Economies

Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.

With the advent of digital and transformative technologies that change the nature of business, policymakers are challenged to maintain the robustness of cyber laws and legislation. The anonymity of the Internet further ensures little or no risk of repercussion for cyber criminals.

According to FireEye CEO Kevin Mandia, “We are on a slippery slope in terms of frequency and seriousness of cyber attacks,” and it is likely to get worse unless serious consequences can be put in place for criminal behavior.

Although cyber regulations have lagged behind evolving cyber threats, the past years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and fulfil notification obligations by breached organizations, but disclosures and notifications are critical first steps to reveal the volume, frequency and complexity of breaches before data protection and privacy can be further improved.

Complications That Impact Cyber Resilience

In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.

Between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially. The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging since every employee or web-connected device now represents a potential vulnerability.

Underlying Trends Impose Additional Layers of Fiduciary Responsibilities

Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim to provide a conducive and well-regulated environment to develop transformative technologies to spearhead their respective digital economies.

Unsurprisingly, companies’ business models are impacted by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they attempt to navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.

Re-Thinking a Cyber Resilient Culture

To reduce our growing vulnerability to human-enabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, the necessary defenses and resilience cannot be fully achieved without the right mindset.

To establish a cyber resilient culture, everyone in the organization—from executive leadership and management to data analysts and salespeople—has an equal and important role to play in defense.

Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.

How To Line Up Your Defense

Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.

Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.

Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.

Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and to recover from disruptive attacks. Otherwise, they risk facing significant gaps in both basic security controls and—more critically—visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.

Understand Cyber Risks from a Business Perspective

Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.

A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.

A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.

After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps you make decisions related to cyber risk and implement controls.

For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.

After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.

Quantification determines the nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to gain a clear and comprehensive current understanding of their organization’s cyber risk profile.

The increase in awareness, cyber data breaches and the adoption of cloud-based services are a few of the factors that drive the growth of the cyber insurance market, while high costs inhibit growth. High premiums can be effectively overcome by systematically and clearly understanding organization-specific cyber risks to lower risk exposure and enhance the risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has been shown to drive more efficient and effective risk profiling and provide more accurate policy coverage.

With an internally aligned cyber risk strategy and adequately measured risk exposure around expected losses due to cyber attacks, organizations can better insure themselves and secure stronger finances to respond to and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires a full view of IT assets, strong detection capabilities, clear roles and responsibilities and fast reaction times. The plan must also be regularly practiced through drills to ensure that personnel know their roles and to track and record various metrics that measure their performance. Frequent testing can help identify areas for improvement and provide opportunities to continually refine processes and protocols.

Click here to access MMC-FireEye’s Report