Gordon Song: The creative risk manager

When he took on his role at Asian e-commerce organisation Lazada Group, Gordon Song was essentially handed a blank sheet of paper and given the enviable (or unenviable, depending on your perspective) task of creating his role from scratch. Just over two years in and Song was named StrategicRISK’s Asia-Pacific Risk Manager of the Year on 18 May 2017.

“It’s a recognition of the effort that I’ve put into this role, but more importantly such awards are a recognition of unsung heroes, like risk managers,” says Song. “Being a risk manager is never a very glamorous role.” 

Rather than bringing in “the big numbers” the risk manager “is the guy who’s always telling the business, ‘be careful of this, be careful of that’, he jokes. “So he’s never the most well-liked guy in the business. And then when bad things happen, people look to the risk manager and say, ‘why didn’t you warn us?’ I’m exaggerating of course but I do think most risk managers are unsung heroes.”

With a background in both risk management and auditing, Song thinks the two roles have more synergy than they are often credited with, particularly working within a rapidly-growing and innovative start-up environment. “The audit role gives me a lot of deep insight into processes, operations, systems so I can see things from that granular ground-up perspective, and my role also lets me see risk from a very lateral perspective and this is where the ERM, organisational perspective comes in.

A deliberate career choice
Rather than being something he fell into, Song chose his career in risk management. It was a very deliberate move after his interest was sparked by a module he had taken at university. “I thought, oh risk management, very interesting subject, it looks like it’s got a lot of prospects, it makes a lot of sense and I decided to go right into it.” 

His first job was in consulting at KPMG where he worked for eight years. “This was the usual career path for an accountancy graduate, which is what I am, to go into a big four public accounting firm. But instead of choosing audit, I decided to choose risk management advisory as an area to specialise.”

The more senior he became the less time he had at the coalface, interacting with clients and running workshops, leading to his decision to venture into the world outside of consulting. From there he moved to an in-house role heading the risk function with Fortis Healthcare, subsequently moving to low-cost airline Tigerair, where he headed the risk and internal audit department.

The decision to join Lazada was driven by a desire to create. “I joined them in 2015 to set up the whole risk management function… they never had that before. It was privately funded then and they wanted me to strengthen the company in terms of having the proper governance and proper controls as they grew.”

“From the start it was very, very fast moving,” he recalls. “Nobody else knew what audits I should be doing, so they just let me figure out what I was going to do.

This endorsement and direct dialogue with senior management made his job much easier than it might have been, acknowledges Song. As he began to create his role and function from scratch, he also made a point of getting to know the organisation inside out. “I travelled to the region, met all the senior management and made it a point to understand the dynamics and the operations of each country and to know the people.”

Before I joined, insurance was a local topic and everybody in each country kind of did their own thing

Strengthening corporate governance
“After the first three months, I drew up the risk profile for the company, established a risk universe and then set a lot of things in motion,” he continues. “One was audit and the other thing was to consolidate the insurance function. Before I joined, insurance was a local topic and everybody in each country kind of did their own thing. But obviously there are economies of scale that can be achieved by consolidating insurance into a group programme.”

Taking a multinational approach to insurance buying gave the organisation better negotiating power with its regional and global carriers, explains Song. “It gives the big insurance agencies a much clearer picture of what we do at the company. And therefore they have much better comfort in our risk as well. That’s where the savings come, when your insurers understand your risk a lot better and realise that you’re not the cowboy that they started off thinking that you were.”

It may have been an uphill challenge but Song now feels confident that Lazada’s risk function is a centre of excellence within the business. This, he feels, is his greatest achievement. Rather than preventing risk-taking, he is demonstrating how an effective risk function is enabling the organisation to grow at the pace it wants, but backed up with all the right information.

“Now we are at a stage where the heads of business would come to me and my function, before they sign any contracts, to ask for advice. Anywhere the business is looking to expand, new projects or whenever there are new endeavours, they come to my team to ask our advice on both risk but also insurance.”

“There is a positive risk culture within the organisation,” he continues. “This is not an organisation that just accepts things as they are. It is an organisation of extremely young, very intelligent people who would not submit to just being told what to do. They all challenge and will ask questions. So, if I tell them there is a risk, they are willing to enter into an intelligent, quantifiable discussion with me on exactly what are the risks, how big is the impact and what’s the probability of it happening? We go through these very detailed discussions on risk before we do anything.”

“So while this is not an organisation that will turn a blind eye to risk, at the same time this is also not an organisation that would just avoid risk,” he adds. “They are willing to accept risk but of course, they are willing to accept risk where it’s been quantified and measured.”

Staying alert to cyber
Perhaps unsurprisingly, given the nature of Lazada’s business and the changing threat landscape, cyber risk is high on Song’s radar. “As we become a household brand name in this market, we become a higher value target for cyber-crime as well. That risk has always been there but it’s, of course, grown together with the brand itself. We’ve become a higher value target.”

While data protection regulations are still in their infancy across Asian, Lazada recognises its priority to protect its customers’ data. “Data is our asset but our customers are extremely important as well. So it is important to protect their privacy, their personal data and their financial interests, and to ensure that they are not the victims of scams.”

From a reputational perspective cyber security is not just about protecting his own organisation’s brand, but the wider e-commerce environment, he thinks. “We could be doing our part but if another player in the e-commerce world, in this part of the world, doesn’t play ball and destroys the customer confidence, we are at risk as well. So, I think that [data protection] is very important and in this part of the world, it’s still very vulnerable.”

An effective approach to data security involves collaboration with multiple stakeholders, explains Song. “Technology risk does not come from technology. The weakest link is always somebody outside of technology who does not understand what the risk is when he clicks the link from an email that he gets. It’s a simple as that. And that person might come from operations, customer service, finance, HR. So, it’s not just about IT… everybody is responsible for cyber risk.”