StrategicRISK caught up with Victoria Tan, head of risk management and sustainability at Philippine conglomerate Ayala Corporation, at Risk Forum APAC 2018 in Singapore to find out what makes her tick

Ayala is one of the largest and most diversified Philippine conglomerates, with business interests in real estate, banking, telecommunications, water, industrial technologies, energy, infrastructure, health, education and other ventures.

Based on its most recent annual report, regulatory and political risks headline the group’s risk register for two consecutive years.

This is understandable when the unorthodox President Duterte assumed office in July 2016. Two years into office, the current administration has approved new regulations, has new interpretations of laws, and has appointed new secretaries who have differing views from the previous ones.

These changes may be both positive and negative: the government announced more focus on infrastructure with its “Build, build, build” program; outdated laws are being reviewed and revised, which may make processes more efficient; and, negatively, they could change the business model, reporting requirements and additional taxes, which may result in higher cost of compliance.

In addition, with the conglomerate’s target that 10% of its 2020 income will be generated from overseas investments, the regulatory and political landscapes where the group’s companies invest need scrutiny and analysis. Its water infrastructure company, real estate company, energy company started investing in the ASEAN markets.

Behind regulatory and political risk, the result of the annual risk assessment places information security and cyber risk as the second-ranked priority on the conglomerate’s risk register. After that comes the – closely linked – brand and reputational risk, followed by competitive threats.

“I think these are common themes for risk managers within the region. ” Tan told StrategicRISK, speaking at Risk Forum APAC 2018 in Singapore in May.

With the rising trend in cyber incidents and increases in hacking and data breaches, information security and cyber risks have risen on the roster – most notable of which was the 2016’s breach of the Philippines’ electronic electoral database which contained 55 million voter records.

In addition, the Philippines has passed its Data Privacy Act legislation, which will subject companies to fines and even the imprisonment of its data privacy officer, if sensitive personal information in their databases are compromised.

“Since the conglomerate has several databases owing to its size and operations, information security and cyber protection is important to us,” said Tan.

“It’s a major reputational risk when you have a data breach, particularly for banking clients. It’s mostly a business risk, but at the same time compliance risk in relation with the Data Privacy Act in the Philippines,” she continued.

Companies are required to have a data privacy officer , she noted, a position which is supposed to be a senior role across the group – much like Europe’s GDPR legislation.

The Ayala-led Bank of the Philippine Islands (BPI), the country’s oldest bank and the third largest in the Philippines ranked by assets, had a data processing glitch in June last year which made depositors’ bank balances incorrect.

Depositors’ initial reaction was to withdraw their money and put it somewhere else, and BPI’s stock price went down as well. The bank’s senior management team was summoned at the Senate for an investigation in aid of legislation, which Tan says they handled well. After a month of its resolution, depositors returned with their money and BPI’s stock price recovered fast, she notes.

Reputational risk – a share price hit and customer loyalty under threat – were natural concerns.

In recent months the conglomerate has executed a group-wide insurance optimisation programme, Tan explained.

“We identified that one of the areas in which we have room for improvement is in our risk transfer strategy. Aon has worked with us on that, and there have been savings. It’s not only about cost, but about better coverage and better wordings,” said Tan.

“There has been an increased risk maturity in the individual companies within the group, and we’re increasingly asking what we can do better as a group together.”

While reviewing what standalone cyber insurance to buy, the change has also led to different buying for political risk, Tan noted. Costs due to government counter-insurgency operations were previously not insured, she highlighted.

“The cost we faced was mostly from the government’s response to the terrorists. Since 2017-2018, counter insurgency is now included within the cover,” said Tan.

Ayala continues to bring companies into the portfolio, so its risks are changing all the time, Tan noted.

“It’s important to keep people informed from a risk perspective about changes within the business, not just for compliance, more so there is a need for strategy,” she added.

Tan would also win the award for Asia Pacific risk manager of the year at StrategicRISK’s Asia Pacific Risk Management Awards 2018, held the same day as this interview in Singapore.

Topics