StrategicRISK’s inaugural conference in Singapore highlighted key risks in the region for businesses
The world’s fourth-leading financial centre and an important trading hub, Singapore is one of the most attractive countries in the Asia-Pacific region (APAC) for foreign business investment. Risk management has developed alongside corporate expansion, with multinational risk managers headquartered there and many more adopting an ERM framework, so it was fitting that StrategicRISK Asia held its inaugural risk management conference there in July.
Themed ‘The path to better risk management in Asia’, the conference provided a meeting place for more than 150 risk professionals and specialist brokers to exchange ideas on current and emerging risks and also marked one year since StrategicRISK first launched in the APAC region.
Since the launch, the team has travelled extensively across the area – to Malaysia, Hong Kong, Thailand, Vietnam, Australia, Indonesia, the Philippines and, not least, Singapore – holding roundtables with senior risk professionals and brokers to learn about the particular challenges they face and the future risks they are concerned about most.
Not only have these findings culminated in several country reports ranking the biggest risks facing businesses, but these top stay-awake-at-night threats formed the themes for the six panel sessions that took place over the course of the day. These included: emerging cyber threats; coping with natural catastrophes; managing risks across international borders; regulatory change; managing people risk; and risk-management maturity.
Another key observation from these meetings was the speed at which risk management is developing across APAC, evidenced by various new risk initiatives and the enthusiasm among the risk community to expand its knowledge.
“These are exciting times for APAC,” said Mike Jones, editor of StrategicRISK, who set the tone for the rest of the day with a confident look at the future.
Opening the conference, he said: “Much has changed for the profession and businesses since StrategicRISK was first established in 2000 in Europe. After narrowly avoiding a financial apocalypse within the Eurozone, Europe’s economies are stagnant and its businesses are looking east for growth potential.
“While Europe threatens to implode through a combination of a lack of innovation and collective inertia, Asia, by comparison, is booming. Businesses and national economies are developing rapidly to maintain their positions on this upward curve.
“Risk managers are at the forefront of this [phenomenon], and the launch of StrategicRISK in Asia is indicative of this.
“From academia to science, regulation to reputation, politics to terrorism, we have sought insights from the most pioneering minds to help guide our readers to better understand and deal with the enormous and testing complexities surrounding modern business risk.
“Since StrategicRISK Asia was launched a year ago, I have had the good fortune to spend some considerable time meeting with risk managers, brokers and insurers in many countries across the region and have been impressed not only by their thirst for knowledge, but also their ceaseless desire to create or refine new and effective strategies.
“The initiatives being developed in the region provide a glimpse of an exciting and innovative future ahead, and I look forward to exploring this with you, today and years to come.”
Weathering the coming cyber storm
The first session of the day started with a thought-provoking debate about cyber risk after Jones challenged the panel to consider how the word ‘cyber’ is often misused and misunderstood.
“‘Cyber’ is such a nebulous term, and the risks – and, indeed, the opportunities – associated with this term depend on what people perceive the meaning of the word to be,” he said.
“There is a clear and definite interconnectedness around these risks, which are perhaps better described as intangibles – non-physical risks.
“Cyber is just one of a growing number of threats that sit within the intangible spectrum – together with intellectual property, content, branding and, ultimately, reputation, which is perhaps the most overarching risk of all,” said Jones.
A spectrum of risks
The panel agreed that because of the interconnected nature of cyber risk, there is no one way to define what this means. Five panellists offered five different, yet interconnected, definitions of cyber risk, and provided examples of incidents that many businesses will recognise.
The panel described a landscape where cyber risk stretches from infringing corporate privacy laws and data breaches to events involving seemingly innocuous yet negligent employees failing to carry out everyday security measures, from physical and non-physical data theft perpetrated by organised criminals to disgruntled staff, and from business competitors to state-sponsored political attacks.
In today’s business world, cyber is best described as a spectrum of risks. To tackle the risk effectively, Microsoft’s chief security officer for Asia, Pierre Noel, warned delegates about two key phases in an attack.
“There is an ecosystem where ‘bad guys’ access your systems and install some damaging weapons to steal intellectual information. This phase can be quick and stealthy, and malware can remain in your systems for weeks, months, years, during which time your business will be open and vulnerable to attacks.
“Other bad guys from the ecosystem can – and this is the second phase – rent access to this malware for a period of time and remotely instruct your systems to syphon or destroy valuable information, or blackmail your organisation.”
Access to companies’ crown jewels
For Matthew Clarke, head of PI and acting head of cyber insurance, Asia-Pacific, at AIG, risks to a company are not only external but also come from within the business. He warned that businesses are increasingly being subjected to social engineering tactics, where senior management, namely chief executives, are targeted with apparently innocent emails that are in fact malicious software in disguise.
“I’m not talking about employees maliciously attacking the company or leaking data. I’m referring to their lack of understanding about the risks in the market, which often leads them to open harmful emails. For example, a week or so after this conference, you may receive an email that appears to be from a contact you made here. A PowerPoint presentation is attached. You download it, and before you know it, the hacker is in and has access to the business’s crown jewels. These social engineering tactics are taking place more and more and are increasingly targeting chief executives because they usually have the greatest access to information.”
Any event on the cyber risk spectrum, no matter how small the attack, can have far-reaching consequences. The panel summed up the key ramifications of an attack and, although business interruption and financial loss were key features in the debate, the potential reputational damage raised the most questions from the floor.
Gordon Song, head of enterprise risk management and internal audit at Tigerair, started the reputation debate, stating: “It’s not just the financial implications that businesses have to worry about, it’s also the reputational damage.
“Fundamentally, [preventing cyber threats] is not so much concerned with [stopping] the act of intrusion or the act of being attacked because, if a criminal really wants to attack you, they will, and they will succeed. The most important thing is your response and resilience levels.
“The biggest risk for any company is the failure to respond effectively to an incident, rather than the failure to prevent the event. Many recent events have shown that the real ‘crisis’ for companies was in the badly orchestrated response to incidents, including the failure to address social media and stakeholders, and the poor control over essential information.”
Panellists then scoped out an effective cyber risk programme. An issue that was central to the discussion was what steps companies were taking to incorporate internal stakeholders in their cyber risk programme.
Delegates questioned the panel over whether insurance is failing to take account of the interconnectedness of cyber risks, and whether it is reasonable to expect insurers to provide solutions with an approach of ‘wholeness’.
Gary Chua, head of FINPRO at Marsh Singapore, suggested that a good cyber programme involves getting the right balance between insurance and a robust risk management programme. He added: “Risk-transfer solutions do not supersede the risk processes you may have in place; they serve to complement them and act as a safety net if it all goes wrong.”
The panel concluded that, above all, risk managers can successfully combat cyber threats only if they have the support of their board. But for many in the APAC region, there is a worrying disconnection between boards and the risk function.
Coping with catastrophe
The next panel session, ‘Lessons learnt from recent nat cat events’, brought together four risk professionals with hands-on experience of preparing for and dealing with the consequences of such disasters.
Kittiphan Sallakanonta, director of corporate insurance at Thai Airways, started the session with an insightful, blow-by-blow account of how the airline responded to the Thai floods of 2011.
Sallakanonta and his team were tasked with challenging objectives, including preventing the airline’s aircraft, components and engines from being damaged by floods.
Many risks, particularly those related to natural catastrophe, carry a reputational threat, and it is crucial that businesses seek to protect their reputation. It was no different for Thai Airways. His team devised a plan to ensure the airline repaired any damage to commercial aircraft and engines on time and to the highest quality.
Flood and other nat cat prevention
That plan came in several stages. The first was the preliminary actions the airline took before the arrival of the floods. This included building water barriers around the airport and renovating the electrical systems, and relocating equipment or protecting it by elevating it 50cm-60cm above ground.
Crucial to this stage was a meeting Thai Airways held with its insurer to agree an interim payment based on the airline’s loss calculations.
Sallakanonta then explained the action plan for facing the floods. This included activating the continuity plan; moving priority equipment to designated storage areas; activating water barriers, gate valves, pumps, power generators and flood-protection equipment; and preparing for evacuation.
In the immediate aftermath, the team conducted site and settlement assessments, located damaged areas, assessed the final financial losses and agreed a claims payment with its insurer, while also activating its recovery and restoration plan.
“One of the biggest lessons I’ve learnt from the Thai floods is you need to work with all sources to get all the information you need,” said Sallakanonta.
The panel then opened the discussion to assess whether weather-related disasters have become more frequent or whether increased urbanisation in areas prone to such events is making businesses more vulnerable.
Lenny-Baptiste Conil, risk and business continuity manager at Veolia, said: “Although we know extreme climatic events will affect more and more people in the future, we have short memories about past events. The concentration of populations in big cities has reached levels never seen in the past, therefore a single big storm has more consequences,” he warned. “Runoff is also a major factor in rain-related events; the more impermeable the ground is with roads, car parks and built structures, the bigger the downstream effects are.”
Guru Rao, catastrophe-management officer at AIG, agreed that urbanisation is increasing the level of loss and damage.
“About 15-16 years ago, I undertook a project in Chicago where I compared catastrophes and their effects in developing countries to those in developed areas, and the big distinction was significant. Developed countries suffered more property and insured losses, while developing countries suffered more from debt and loss of lives. Sixteen years later, Asia’s economy is growing quickly. In 40-50 years, some of the mega cities in nat cat-prone areas in Asia are going to have a four to sevenfold increase in population. The rapid urbanisation of mega cities in Asia will contribute to increases in the type of property and economic loss that developed economies have experienced.”
Ly Xuan Thu, head of risk and compliance at Vietnamese investment management and real estate development firm VinaCapital, concluded the session by suggesting that whatever the issue – whether nat cats are increasing in frequency or urbanisation is intensifying the loss – nat cats are a real threat in a globalised business world.
Thu suggested that all businesses should implement an environmental, social and governance (ESG) plan: “For many countries in Asia, ESG will be mandatory in the future, so it is advisory for all the companies represented here today to start thinking about devising an ESG framework.
“This framework will help measure the impact and likelihood of ESG risk in a sustainable way and is also a good way of minimising the risks from climate change-related issues.”
The session on how to manage the risks of operating across international borders produced some interesting debates about the biggest risks for multinationals and how the risk landscape is likely to change in the next five years.
Li Shan, underwriting director at Zurich Insurance Group, Singapore, suggested that corporates with operations abroad must get to grips with three other risks: namely regulatory changes; extreme weather; and political instability.
She explained that planning an efficient and cost-effective multinational insurance programme was becoming ever more complex as regulation increased around the world. “With the global economy in expansion mode once again, Asian multinationals may be exposed to unfamiliar legal systems and faced with compliance challenges in the jurisdictions in which they operate.
“Complying with local insurance regulations and laws is of increasing importance for multinational businesses, as lawmakers across the globe – especially in emerging markets – increasingly take an interest in previously unregulated or loosely regulated activities. This compliance could prevent unanticipated reputational, tax or financial repercussions.”
Singapore-based risk and governance professional Eric Lee Chuin Howe added that human capital is an important problem for multinationals. “We are only as good as the processes and the people who run the show. If your human capital risk is not managed, there will be high turnover, and your processes will fall through the cracks – these risks are important when operating across borders.”
The discussion moved on to the challenges of implementing ERM across Asia-Pacific. The take-home message was that a one-size-fits-all approach was unrealistic. It was agreed that to successfully embed ERM, risk managers must adapt and align their risk or ERM strategy with the mindset and cultural differences of the country in which they want to implement the framework. This was summed up well by Geetha Kanagasingam, Singapore-based vice-president of group risk at Barclays Bank, who said that risk culture must be cultivated and integrated with the overall organisational culture and values across the region.
“ERM is about connecting the key risk dots across the departments and territories you are operating in. This provides a holistic view of an organisation’s risk profile so your action plans can be developed to address the key risks effectively, resulting in better-informed strategic resolutions and decisions.”
Regional regulatory change
Next was a practical session on regulatory change in the APAC region. Panellists touched on data protection and management, employment regulation, directors’ liability, trade practices legislation and a perceived lack of consistency in the regulatory environment.
Risk management expert and Pan-Asian Risk and Insurance Management Association board member Steve Tunstall said corporate governance was becoming an important issue for risk managers: “The recent changes of the Singapore Code mean directors now have to talk about risk management in their annual reports, and that’s driving more interest in the topic.
“Not only do you have to do that, but you have to watch out for the fact the compliance field is changing dramatically all the time – it’s [vital to keep] up with the changing regulations in your area, making sure your company is on top of them and dealing with them in a practical and pragmatic manner.”
The panel then considered whether the region is experiencing an increase in regulation or whether it is the enforcement of existing regulation that is increasing.
Amy Sommers, China-based partner at law firm K&L Gates, said it was more “tweaking of the margins” than a greater increase in new laws. “I don’t see profound change, but rather a more committed or more intense level of enforcement.
“Some comments were made [at the conference] about economies in other parts of the world being stagnant. APAC is one of the most dynamic places in the world that is also relatively stable. So, more and more is invested here, it is not surprising that regulators perceive the need to increase the level of scrutiny and enforcement activity.”
She added that areas of increased enforcement relate to anti-money laundering laws and anti-monopoly enforcement, explaining that the Association of South-East Asian Nations has created a network to tackle money laundering and corruption. These efforts include training on how to track legal
The conference ended with two more sessions, one looking at the regional fight for talent, covering the effect of Asia’s ageing population and the shortage of skilled workers, and the other reviewing risk management maturity. It provided much food for thought, and – as the theme suggests – it perhaps helped many consider a path to better risk management in