Embed Size (px)
Citation preview
AFRGA1 S001
We’ll look before you leap.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
www.afr.com | Wednesday 23 October 2019
Special Report
Humans arestill vital inthe data loop
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Value Machines lackthe intuition peoplebring to analysis.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
James Dunn
The risk function has changed recently as it has become driven by technology, says KPMG’s Kevin Smout. PHOTO: JEREMY PIPER
As we see automatedtechnologiesadvancing, thehuman elementbecomes moreimportant.Zoe Willis, KPMG
The confluence of data and technologyis a paradox for the modern organisa-tion, opening up new sources of risk.
The terms ‘‘technology risk’’, ‘‘cyberrisk’’ and ‘‘data risk’’ are all here to stayon any organisation’s list of risks itfaces, and must be bedded down in itsrisk culture – but data and technologyalso give the organisation’s risk func-tion unprecedented ability to review,assess, monitor and manage risk.
The positive side of this paradox isthat technology has enabled organisa-tions to automate aspects of their gov-ernance and risk management.
Speaking at the recent RiskReimagined roundtable in Sydney, co-hosted by The Australian FinancialReview and KPMG, Kevin Smout saidorganisations were starting to under-stand the ability of the risk function toadd value to the business, to enablethem to make smarter business deci-sions, and to contribute to sustainablebusiness growth.
However, he said there were big dis-cussions to be had about the ‘‘quality ofthe data and what is the governanceframework around it.’’
The role of the risk function hadchanged in the last two decades as ithad become driven by technology, saidMr Smout, who is KPMG’s global lead,governance, risk & assurance and riskstrategy & technology partner.
‘‘The risk function can start to beseen as value-adding, because it is tak-ing in all the data on the external and
environmental factors, and can help(management and the front-line) seehow those trends might impact boththe current strategy, as well as its tradi-tional role of risk mitigation.’’
Fellow roundtable participant RobbEadie, BHP’s global chief risk officer,said 20 years ago the role of the riskfunction ‘‘revolved around stoppingbad things happening’’.
Now the risk function is ‘‘all aboutmaking good things happen’’, and thatis primarily enabled by technology.
The role of technology in risk hasalso been greatly empowered by therealisation that risk resides at all levelsof an organisation, and is not justhandled centrally by a risk function,according to Jason Smith, board dir-ector at the Risk Management Instituteof Australasia.
‘‘Risk management has to be embed-ded not only in operational perform-ance, but business planning andperformance management, and reallyevery function. Technology is acceler-ating this process.’’ If one looked atorganisations’ operational risk, said MrSmith said there was ‘‘huge opportun-ity’’ to use digital tools.
‘‘That is certainly an area where busi-nesses can start to collect and collateand understand their operational databetter, to understand the relationshipsbetween the operational data and thekey risk indicators, and allow AI andmachine learning to start to discern thetrends and the relationships betweenthem,’’ he said. ‘‘Historically, risk man-agers have tended to rely on what thehistorical loss events have been, anddoing scenario analysis, and it’s actu-ally been very subjective and verybackward-looking.
‘‘Technology is now allowing organ-isations to be a bit more objective andpredictive around what’s happening
with the operational risk profile of theorganisation.’’
But, Mr Smout said, a wonderful kit-bag of tech tools did not guaranteegreat insights.
‘‘A tech solution doesn’t fix an inher-ent problem that an organisation has,culturally, with its attitude to, andappetite for, risk. You can have the bestgovernance, risk and compliance(GRC) platform or system, for example,but if you don’t have the right people,processes, and quality of input data,you can’t use it,’’ he added.
‘‘The value in such a platform comes
when you start to get the business actu-ally inputting the data into it, owning it,and keeping it up to date. Otherwise,the platform is viewed as not havingworked, it gets written off.
‘‘But if it is ‘owned’ by the business,that’s where you get the value in goodrisk management.’’
Mr Smith agreed and said, ‘‘Often, it’snot so much that the system doesn’twork, it’s that the system doesn’t givethe organisation the value it should.’’Toa large extent, the insights still comefrom humans – as do the risks.
‘‘The biggest risk you have in anyorganisation is the human being,because as an entity we are quite error-prone in comparison with the alternat-ive, with the alternative beingalgorithmic machine-based data ana-lysis,’’ Mr Eadie said.
‘‘But on the other hand, the one thingthat human beings are exceptionallygood at is that element of insight – thatintuitive interpretation of data. The fac-tual algorithmic interpretation of datais very useful, but sometimes it can
miss the subtle nuances that will beseen by people who have many years ofexperience, and in-depth knowledgeand insight into specific areas,’’ he said.
This factor is ‘‘the human in theloop,’’ said Zoe Willis, KPMG PartnerData and RegTech. ‘‘As we see auto-mated technologies advancing, thehuman element becomes moreimportant. The ‘human in the loop’ iswhat actually provides the context.’’
And this is the paradox of technologyand data, says Anne O’Driscoll, non-executive director at Steadfast Group.
‘‘The business processes themselvesare being increasingly automated, andthe risk processes and access to dataand tools to interpret that data areincreasingly prevalent,’’ she said.
‘‘The challenge is ensuring that youhave people on the frontline and peoplein the risk function that have the exper-ience,’’ Ms O’Driscoll said. ‘‘Ultimately,will people have the experience to say,‘Just because the machine says that, itstill doesn’t look right to me, based onmy experience? That’s my concern.’’
Risk reimaginedSponsored by KPMG
AFRGA1 S002
Some see risk. We see opportunity.
AFRWednesday 23 October 2019The Australian Financial Review | www.afr.com
S2 Special Report Risk reimagined
Data-led strategies hit a snag
Insurance companies can use data to tailor premiums, says Steadfast Group’s Anne O’Driscoll. PHOTO: JEREMY PIPER
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Innovation gain Ethicalquestions and fairnessare often forgotten.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
James Dunn
If we’re keeping thesocial licence front ofmind, we can focuson the benefits.Zoe Willis, KPMG
While tools such as artificial intelli-gence and machine learning havegiven businesses an unprecedentedability to segment their data to the indi-vidual level, they are posing increas-ingly deep ethical questions fororganisations.
Businesses are now able to find outmuch more about their users and cus-tomers than in the past.
In theory, this allows them to person-alise the marketing and pricing ofproducts and services – allowing morecompetitive pricing, and happier, moreengaged customers who feel they arebeing considered as individuals. It’swin-win.
But there is plenty of downside inthis data-led business revolution, asnew risks emerge.
‘‘We have situations such as banksbeing much better able to understandthe propensity to default and chargingdifferently, and insurers knowing howmuch you use your car, for example,and tailoring the premium,’’ said AnneO’Driscoll, non-executive director atSteadfast Group.
At the recent Risk Reimaginedroundtable held in Sydney, she said:‘‘On the one hand, your consumer,who’s very digital, says, ‘You are mybanker, you are my insurer, and Iexpect you to know a lot about mebecause I’ve transacted with you foryears. You have all this data about meand I expect you to charge me an insur-ance premium that relates to my indi-vidual risk.’
‘‘But when, for example, we actuallyknow things that make their insurancepremium more expensive, they’re lessaccepting.’’
Insurance as an industry has alwaysworked hard to properly assess risk,and to investigate claims, but the datarevolution creates some grey areas.
One is the problem of unintentionaldiscrimination – the insurer’s artificialintelligence (AI) algorithms mightjudge someone as being a higher orlower insurance risk because theybelong to a particular demographicgroup, driven by factors such as age,sex, income or ethnicity.
‘‘As companies know more andmore about that, if things get inaccess-ible for the poorer risks, is that fair, is
that the appropriate use of data?’’ askedMs O’Driscoll.
Social media’s role is also beingassessed. Its data can improve riskassessment in the insurance industryand improve fraud-detection capabilit-ies. Insurers can look at customers’social media activities and comparethem with their claim records, lookingfor differences. Banks use social mediain much the same way.
‘‘Using social media as an indicatoron somebody’s risk or their propensityto default is a very grey area,’’ said ZoeWillis, KPMG partner Data andRegTech.
‘‘Should you use social media analyt-ics, or the data that people post aboutthemselves online, to drive that? Thereare a lot of very deep conversationsbeing had on that.’’
Potential discrimination and dataprivacy are emerging risks in manyindustries. Retail, for example, has
come under scrutiny for the use offacial tracking technology, which cancapture the faces of shoppers andcross-reference biometric data poten-tially to identify known shoplifters,with the ability – in a ‘‘smart’’, or inter-connected shopping centre – to alerttenants as the tracked person movesaround the mall. The abilities that tech-nology can give businesses can often‘‘over-excite’’ them, said Scott Guse,partner audit, assurance and risk con-sulting at KPMG.
‘‘That is a situation where the tech-nology’s wonderful, and it has greatapplication for stopping leakage in aretail business, so the retailers love it,but those ethical elements are very dif-ficult,’’ he said.
‘‘If people get too excited about thetechnology and its capability, you couldargue that they can lose sight of the big-ger ethical picture.’’
The use of data, and of any techno-logy, should always be considered interms of the social licence to do so, saidMs Willis.
For example, facial recognition tech-nology could be used to spot vulnerablepeople that may need help as well aspeople likely to commit a crime.
‘‘Where we can, I think we have tofocus on the positives that can come
from the use of this technology, as wellas the negatives. If we’re keeping thesocial licence front of mind, we cankeep the focus on the benefits to societyas a whole.’’
Surveillance is a ‘‘particular mine-field’’ for the insurance industry, saidMs O’Driscoll. ‘‘The justification forsurveillance is the extent to which peo-ple actually try to defraud insurance(companies), and fraudulent claimsdrive up the cost of insurance for every-one.
‘‘But on the other hand, the industrybetter understands ... the interaction ofinjury, and claims for injury, with men-tal health. So instead of the focus of sur-veillance being on potential fraud, theindustry is changing that to a focus onthe fact that, where possible, peoplewill be better off getting back to work.’’
According to Jason Smith, directorat the Risk Management Institute ofAustralasia, it ultimately comes back tothe human element.
‘‘Whatever technology you’re using,for whatever role, you need to maintainhuman oversight,’’ he said.
‘‘You need to have governance inplace that ensures that the data thatyou’re collecting is actually fit for pur-pose, and you need to make sure thatyou’ve got absolute transparency.’’
Hackers makea beeline forthe internet
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Jonathan Porter
The internet of things, the network ofembedded software in devices of com-mon use, has increased the amount ofrisk we are exposed to. Every businessin Australia is at risk – as long as it’sconnected to the internet.
Worldwide, the number of internet-connected items will grow from 14.2billion to 25 billion by 2021, accordingto research heavyweight Gartner.
Professor Jill Slay, La Trobe Uni-versity’s Optus chair of cyber security,says these low-power devices are ofteninadequately protected and make atempting target for hackers.
‘‘Every user, whether home or busi-ness, who uses a device connected tothe internet is at risk,’’ says ProfessorSlay, who is also director of the OptusLa Trobe Cyber Security Research Hub.
‘‘Especially where a hacker can man-age to infect many of the same type ofdevice and create a botnet – or use thecollective power of large numbers ofdevices together.
‘‘The devices at risk include web-cams, any kind of home monitoringdevice. We have heard of attacks oncow trackers (they wear them to mon-itor the amount of milk given).’’
Other larger devices Professor Slaysays are at risk include small internet-of-things (IoT) devices such as connec-ted security systems, cars, light bulbs,alarm clocks, speaker systems, vendingmachines and coffee pots.
‘‘There are huge unknown andunmitigated risks produced by themassive uptake in IoT devices. If theyare not secured downstream, the risk isunacceptable,’’ she says.
‘‘Australian businesses need to firstbe aware of and find out which devicesare connected to the internet, and findout which devices, if any, have any kindof built-in security.’’
The rewards for getting the securityright make the expense and effortworthwhile, Professor Slay says.
‘‘It means they will be able to use IoTdevices for competitive advantage, touse sensors and gather big data, forpositive digital disruption and flexibil-ity for their business.’’
Foolproof solutions are yet toemerge, she says. ‘‘As yet there is noconsensus on how to secure IoTdevices, and no comprehensive solu-tions have appeared to date.
‘‘We see large-scale acceleration ofthe use of IoT sensors, more excite-ment about their use, some develop-ment of security standards, but noobvious engagement with potentialdisruption.’’
AFRGA1 S003
Risk management from the board to the front line, powered by technology and data, helps you seize opportunity. No one has a crystal ball, but our technology and data capabilities enable you to identify and manage potential risks for positive outcomes for your business, stakeholders and customers.
It’s not about telling you what you can’t do, but letting you know what’s within your risk appetite.
AFR Wednesday 23 October 2019www.afr.com | The Australian Financial Review
S3Special ReportRisk reimagined
Hybrid wars will bewon without a fight
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Cyber conflict Thestrategy is to exploitweakness on the quiet.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Mark Eggleton
AustCyber’s Michelle Price: cyber is being weaponised. PHOTO: PETER BRAIG
The term ‘‘hybrid war’’ has beenaround since the former US Secretaryof Defense General James Mattis andLieutenant Colonel Frank Hoffmanused the term back in 2005.
In a paper titled Future Warfare: TheRise of Hybrid Wars, Mattis and Hoff-man outlined a major component offuture wars would involve ‘‘psycholo-gical or information operationsaspects’’, and this would be meldedwith more conventional methods.
Interestingly, it was first alluded to in1991 when the US National ResearchCouncil warned of our over-reliance oncomputers and their inherent vulnerab-ility in a report titled Computers at Risk:Safe Computing in the Information Age.
As for the relevance of hybrid war tobusiness – one of its key tenets is a focuson economic entities. It’s often referredto as ‘‘grey’’ or ‘‘cool’’ war, where actionis deliberately kept below the thresholdthat would spark a major war by usingnon-military means to achieve warlikeaims. Put bluntly: to undermine anation’s business entities and its widereconomy.
The most obvious example of hybridwar in recent years has been the Rus-sian government’s attempts to influ-ence the 2016 US presidential election,although other powers are also quicklymoving into the field. China acknowl-edged its value in 1999 by advocatingtargeting areas such as a reliance ontechnology and respect for the rule oflaw in democratic countries.
A recent paper by the AustralianStrategic Policy Institute’s Dr Saman-tha Hoffman, titled Engineering globalconsent: The Chinese CommunistParty’s data-driven power expansion,outlines the extent the Chinese govern-ment’s tech-enhanced surveillance isexpanding globally.
In the report, Dr Hoffman saysChina’s efforts don’t revolve aroundobvious technology such as surveillancecameras in countries outside China, butthrough useful technologies such as 5Gand, potentially, smartphones.
She says these ‘‘services are designed
to bring efficiency to everydaygovernance and convenience to every-day life’’.
‘‘The problem is that it’s not only thecustomer deploying these technologies– notably those associated with ‘smartcities’, such as ‘internet of things’ (IoT)devices – that derives benefit from theiruse. Whoever has the opportunity toaccess the data a product generates andcollects can derive value from the data.How the data is processed, and thenused, depends on the intent of the actorprocessing it,’’ she says in her report.
The report cites Global Tone Com-munications Technology Co. (GTCOM)as a case study to illustrate how theglobal expansion of the party’s tech-enhanced authoritarianism can work.
GTCOM is a subsidiary of a Chinesestate-owned enterprise that the CentralPropaganda Department directlysupervises. It openly co-operates withthe state’s intelligence services andstrategically co-operates with largeChinese firms such as Huawei andAlibaba Cloud.
According to AustCyber chief exec-utive officer Michelle Price, it would bewise for Australian business to be alertto businesses that have been flagged tohave close ties with organisations suchas GTCOM.
‘‘There’s enough global competitionout there that companies goingthrough their procurement processesshould be asking more questionsaround cyber risk,’’ she says.
Ms Price says Australian organisa-tions need to immunise themselvesagainst malicious cyber activity andthis will involve getting the right policysettings out of the federal government.
‘‘While there has been lots of invest-ment on the national security side ofthe coin, more needs to be done on theeconomic side.’’
While much nefarious cyber activityis often the work of cybercriminal net-works, Ms Price warns we’re also see-ing more nation states accessing bankdetails and changing business invoices,for example, in a bid to underminetrust in economies.
Social media giants areamong the many culprits
Angelene Falk
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Data breaches● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Jonathan Porter
The nation’s finance and health sectorsare ground zero for data breaches, Aus-tralia’s privacy watchdog has found.
Private health service providersreported 19 per cent of the totalbreaches reported between April andJune under the Office of the AustralianInformation Commissioner’s (OAIC)National Data Breach scheme.
The finance sector was next, with 17per cent of data breaches for the period,the commission said in its latest report.This was followed by the legal,accounting and management servicessector (10 per cent), private education(9 per cent), and retail (6 per cent).
The most common informationrevealed in the breaches was contactinformation (90 per cent), financialdetails (42 per cent), identity informa-tion (31 per cent), health information(27 per cent), tax file numbers (16 percent), and other sensitive information(9 per cent).
Human error was the leading causeof data breaches in the health sector,accounting for 55 per cent of breaches,compared with an average of 35 percent for all other industries annually.
Personal information sent to thewrong recipient was the most commonhuman error in health, whether byemail, mail or other communication.
In the finance sector, human erroraccounted for 41 per cent of databreaches (higher than the cross-sectoralaverage of 35 per cent).
As in the health sector, a number ofthese data breaches were the result ofpersonal information sent to the wrongrecipient.
‘‘The fact that there is a human factorinvolved in so many cases demonstratesthe need for staff training to increaseawareness of cyber risks and to take thenecessary precautions,’’ Informationand Privacy Commissioner AngeleneFalk said on release of the report.
A commission spokesman said theconsistent presence of health and fin-ance at the top of the rankings likelyreflected the scale of data holdings andvolume of processing activity in thosesectors.
Other factors included the ‘‘sensitiv-ity of the personal information held bythose sectors’’.‘‘Both industries havealso been subject to long-standinginformation protection obligations(including duties of confidentiality andstrict regulatory frameworks) whichhave likely contributed to their relativematurity and preparedness to meet
obligations under the NDB scheme,’’the spokesman said.
The OAIC said cyber attacks in thefinance sector had risen in recent years.
Meanwhile, the Business Council ofAustralia said its members from allsectors were working together tocounter growing cyber security threats.
‘‘Cyber security is critical for businessto address the connectivity conundrum:providing consumers connectivity,while building trust and security,’’ chiefexecutive Jennifer Westacott said.
‘‘Business has to do much of theheavy lifting in increasing our cyberresilience. The business community iscommitted to working together, andwith government and research, toshare information on threats and co-design a fit for purpose regulatoryenvironment,’’ she said recently.
‘‘By actively working together as wellas focusing on maximising the cybersecurity of our individual companieswe can provide the community withgreater confidence in the capacity ofour economy to stay a step ahead ofwould-be cyber criminals.’’
A spokesman for the Financial Ser-vices Council said the OAIC report wasa sobering reminder of the importanceof cyber security.
‘‘Cyber attacks on the nation’s largestindustry, financial services, carrieslong-lasting consequences on our fin-ancial stability, productivity and over-all economy,’’ the spokesman said.
‘‘It’s important the financial servicessector is equipped with the defencesand infrastructure needed to preventmalicious attacks ...
‘‘Cyber security should remain bipar-tisan. Industry and government mustwork together to ensure the financialburden of preventing future attacksisn’t passed down to consumers.’’
AFRGA1 S004
To learn more about how our Audit, Assurance & Risk Consulting team can help you reimagine risk, visit KPMG.com/au/RiskReimagined.
Anticipate tomorrow. Deliver today.
We’ll look before you leap.
© 2019 KPMG, an Australian partnership. All rights reserved. 321440840AARC.
AFRWednesday 23 October 2019The Australian Financial Review | www.afr.com
S4 Special Report Risk reimagined
Opportunityrising withthreat levels
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Change velocityBusinesses face fearof being left behind.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●
Lydia Maguire
BHP chief risk officer Robb Eadie says businesses now have the insight to place the right bet. PHOTO: JEREMY PIPER
KPMG Australia’s Zoe Willis says we need to anticipate change. PHOTO: JEREMY PIPER
‘‘The opportunity doesn’t sleep, but thethreat doesn’t sleep, either,’’ said RobbEadie at the recent Risk ReimaginedRoundtable, co-hosted by The Austra-lian Financial Review and KPMG.
Mr Eadie, global chief risk officer atBHP, said: ‘‘Historically, in the riskfunction, we’ve taken the view that thepace of opportunity and the pace ofthreat is at a level that we can manage,nine-to-five, five days a week, 300-and-something days a year.
‘‘The fact is, we can’t, because of thecurrent rate of change; and con-sequently, we need to have some formof response to that rate of change, andone of the ways to do that is througheffective data manipulation, manage-ment and control,’’ he said.
That ‘‘control’’ cannot be total,however.
‘‘It’s in the context of risk, where wecontrol things that either are opportun-ities and we reduce the risk of hazard,and we increase the opportunity of suc-cess,’’ Mr Eadie said.
‘‘Most of the discussion around riskrelates to being able to match the paceof change in the world that we seetoday. As these threats evolve and thesenegatives evolve, we need to be able tomatch that pace.
‘‘At the moment, I think in bothcounts, business is lagging behind boththe rate of change of opportunity andthe rate of change of threat, and the riskfunction has a huge part to play inmatching those paces, and acceleratingto match those paces.’’
For Mr Eadie, the traditional view ofrisk is of ‘‘multiplying probability andimpact of a potential event to get therisk effect: if the benefit is greater thanthe risk, then you do it, and if the benefitis less than the risk, then you don’t.
‘‘That’s the traditional view.‘‘But the more modern view is that
the risk function gives the organisation
the insight that allows the business toplace the right bet.
‘‘You have to take the right risk at theright time, in the right place, in the rightway and use data to give you theinformation that tells you what is theright risk, what is the right place, whenis the right time, and what is the rightway.
‘‘And you can only do that throughdata.
‘‘But we’ve only been existing in thedata world for a couple of decades.’’
Zoe Willis, KPMG partner, data andregtech, said the pace of change isdemonstrated by what is now com-monplace.
‘‘Five years ago, would we have sathere and talked about using facialrecognition, and voice analytics? No,but they’re now very relevant,’’ MsWillis said.
‘‘Will it be different in five years?Absolutely.
‘‘As professionals, we always need tothink about how do we disruptourselves, because we need to be anti-cipating that change.’’
Kevin Smout, KPMG global lead, riskstrategy & technology and global lead,governance, risk and assurance, saidthe firm is experiencing this itself.
Its risk hub product takes in all of theoperational data of a business, data onthe external environment and factorsthat affect the business, and uses aug-mented reality to create a 3D picture ofthe organisation’s risk profile in orderto get a better idea of how to containand manage it as sweeping changes inthe external environment exert mount-ing pressure.
‘‘With that 3D picture, you can actu-ally grab hold of a risk as a bubble andsqueeze it to make it smaller, or expandit to make it big, and watch that conta-gion flow,’’ he said.
‘‘It’s taken us six months to have aprototype operating, and with the paceof change in technology and the rate ofchange, I could see within six monthsthat that will be a market for us.
‘‘And in two years, it will be commonfor people in boardrooms to be havingdiscussions based on the risk hub: forexample, a mining client might say,‘We’re actually focusing on a different
mineral now. What does that do to ourenvironment from a risk and oppor-tunity perspective?’’’
While models are ‘‘only as good as
what you put in,’’ Mr Smout sees therisk hub as a decision-making tool.
‘‘It’s a way to take the external sig-nals, from an industry perspective and
the market, and combine it with theorganisation’s own data, and blendthem into a live model that informs theexperienced executives around thetable, and on which they can makedecisions.’’
The point, he said, is to get directors,front-line, risk and investment all onthe same page, and ‘‘enrich the dia-logue’’ around risk.
And this is where risk managementin an organisation should be, at theheart of the strategic direction, accord-ing to Jason Smith, board director atthe Risk Management Institute of Aus-tralasia.
‘‘I actually think the most successfulrisk functions don’t use the word ‘risk’ –they talk about the opportunity as whatreally matters, and then, from a riskappetite perspective, is ‘what is ourwillingness to lose in this particularstrategy’.
‘‘When you change that lexicon andchange that thinking – along with har-nessing the technologies – that’s whenrisk can really start to offer value,’’ MrSmith concluded.
