By Prof. Colin Coulson-Thomas
Directors are expected to be entrepreneurial while at the same time exercising prudent control. Enterprise and control are two sides of the directorial coin. I will briefly consider whether risk professionals should do more in support of enterprise and then turn to some cyber security and fraud control issues.
Balancing Caution and Ambition
Owners of mature companies with defensive strategies may welcome caution. Ambitious spirits might favour quick moves and rapid growth. Incremental improvement may not enable us to cope with challenges or seize opportunities. What if we need transformational change or a new business model?
The Role of Risk Management in Business
Have some governance, compliance and risk management practices become a hindrance rather than a help? What role should risk managers play in entrepreneurship and business building? Rather than being seen as an overhead cost, could they become front-line creators of value?
Proactive Risk Management
Risk managers should be more proactive. They should look beyond the reporting of risks and contribute more to dealing with them and identifying associated opportunities. They should focus more on the support of decision making and helping colleagues to seize these opportunities.
Adapting Governance and Compliance
Governance, compliance and risk management frameworks should be continually adapting and learning systems. They are too important to be left to head office specialists. Risks are all around us, including in the air we breathe. Recognising and handling risk should be a dimension of many, if not most, roles.
Roles and Responsibilities Review
Roles and responsibilities should be regularly reviewed. In relation to cyber security, we should look beyond the IT team at the people aspects. People are a major source of vulnerability in relation to cyber security and fraud. The HR team should be alert to human factors that might result in hitherto trusted people compromising security or engaging in fraudulent activities.
Addressing Legal and Reputational Risks
Legal and reputational risks have to be addressed as well as technical and financial issues. A chief financial officer will have an interest in preventing financial fraud. Chief security, information and knowledge officers will be keen to protect corporate data, information and know-how. Should they and others have a remit to protect stakeholders and wider society from illicit activities?
Evolving Organizations and Networks
25 years ago, in my book Transforming the Company, I put the case for organically evolving, adaptable, responsive and networked organisations that are portfolios of projects and ventures, involving a wider range of collaborators, stakeholders and supply and value chains.
A Comprehensive View of Risk Management
One can view risk from a community, stakeholder, societal or environmental perspective as well as a corporate, project or venture one. Internal and external auditors assess processes and internal controls, but what about supply chain and other external networks? Risk management needs to embrace them.
Risks from Directors and Boards
Some directors and boards are an area of risk. They cling to past practices. They are prisoners of outdated ideas and victims of groupthink. They are protective of past investments and reluctant to write them off. They favour excessive order, structure and compliance with existing policies, rather than search for better ones. They may view questioning as disloyalty and challenge as a threat.
Cybersecurity and Continual Challenge
When cyber security controls are reviewed, challenge becomes particularly important. Being watertight yesterday does not mean a company will survive tomorrow's cyber assault. The digital landscape and the threats within it are continually evolving. Many directors face difficult issues and choices.
Vulnerabilities of the Internet of Things
The internet of things creates new areas of vulnerability. Many customers never change the default passwords set by manufacturers and suppliers, so anyone who knows a product's default can gain unauthorised access to connected products and devices. External control of a fridge might be inconvenient, but unauthorised control of a car could be life-threatening. Expensive liabilities could result.
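The control that follows from this paragraph is to stop a device from being reachable while its factory default is still in place. The following is an added example, not code from any manufacturer discussed on this page: a provisioning gate for a hypothetical connected device that refuses to enable remote management until the default credential has been replaced with one that is not a vendor default, not on a list of well-known defaults, and not derived from the device's own serial number or MAC address (a common way "unique" factory passwords are generated). The model names, default lists and device records are constructed for the demonstration.

```python
"""Provisioning gate for a connected device's management credential.

Added example, not vendor code. The device ships with a factory default
and refuses to enable remote management until that default has been
replaced with a credential that is neither a known default nor derived
from the device's own serial number or MAC address. The vendor defaults,
common-default list and device records below are constructed for the demo.
"""
import hashlib
import hmac
import os

# Constructed: per-model factory defaults as printed on the device label.
VENDOR_DEFAULTS = {
    "cam-200": ("admin", "admin"),
    "gw-10": ("root", "12345"),
}
# Constructed: passwords that automated scanners try first against exposed devices.
COMMON_DEFAULTS = {"admin", "password", "12345", "123456", "default", "root", "1234"}
MIN_LENGTH = 12


def derived_from_identifiers(password, serial, mac):
    """True if the password embeds the serial or (part of) the MAC, a pattern some
    manufacturers use to make per-device 'unique' defaults that are still guessable."""
    mac_hex = mac.replace(":", "").lower()
    probe = password.lower()
    parts = [serial.lower(), mac_hex, mac_hex[-6:], mac_hex[-4:]]
    return any(part and part in probe for part in parts)


def check_credential(model, username, password, serial, mac):
    """Return the list of policy violations; an empty list means the credential is acceptable."""
    reasons = []
    if VENDOR_DEFAULTS.get(model) == (username, password):
        reasons.append("factory default credential")
    if password.lower() in COMMON_DEFAULTS:
        reasons.append("well-known default password")
    if derived_from_identifiers(password, serial, mac):
        reasons.append("derived from serial number or MAC address")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def _digest(password, salt):
    # Slow, salted hash so a dumped configuration does not hand over the credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical connected device that tracks whether its factory default is still live."""

    def __init__(self, model, serial, mac):
        self.model, self.serial, self.mac = model, serial, mac
        self.username, default_pw = VENDOR_DEFAULTS[model]
        self.salt = os.urandom(16)
        self.digest = _digest(default_pw, self.salt)
        self.default_in_use = True
        self.remote_management = False

    def set_credential(self, username, password):
        """Replace the credential; returns [] on success or the violations found."""
        reasons = check_credential(self.model, username, password, self.serial, self.mac)
        if reasons:
            return reasons
        self.username = username
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)
        self.default_in_use = False
        return []

    def login(self, username, password):
        # Constant-time comparison of the stored and presented digests.
        return username == self.username and hmac.compare_digest(
            self.digest, _digest(password, self.salt))

    def enable_remote_management(self):
        """Refuse to expose the device to the network while the factory default is live."""
        if self.default_in_use:
            return False
        self.remote_management = True
        return True
```

The gate is deliberately placed on the device rather than left to customer discipline: remote management simply cannot be switched on until `set_credential` has succeeded, and the checks on derived passwords catch the case where a per-device default looks unique but is printed on the label next to the MAC address it was built from.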
Global Anti-Fraud Collaboration
The most useful anti-fraud collaborators could be equivalent organisations in similar situations in other countries, rather than local companies. Separating data by where it is stored and who can access it, and using different programs and devices, can limit what an attacker who breaches the outer defences can reach. However, it can also make data, information and knowledge more difficult to assemble and share.
Decision-Making in Security Breaches
Boards can face choices that cannot be delegated. They may seek advice, but they may also need to move quickly and make a call. For example, a security breach has occurred with consequences as yet unknown. Some customer data could have been accessed. Telling customers they may be at risk could help to protect them, but going public could hit a company’s share price and reputation.
Whether or not to share with law enforcement agencies is another issue. They do not have unlimited resources to follow every lead, hence the need to be selective and to focus: concentrate on known vulnerabilities where the consequences could be serious and recovery or compensation costs would be high.
Some companies are obstacles to attempts to track down and catch criminals. Protecting customers’ communications and devices from state surveillance can benefit criminals. Law enforcers may not be able to monitor the activities of suspects and accumulate the evidence that might bring them to justice.
Directors have to balance the desire of customers for privacy, encryption and secure devices against the risk that some of them may use a company’s public networks and devices for criminal purposes to the detriment of other people. Considerations may range from contractual liabilities to moral responsibilities.
Navigating Fraud and Transactions
Frauds regularly occur, but they can represent a small proportion of daily transactions. Blocking transactions can cause inconvenience and might result in damages claims. Monitoring has to focus on unusual or suspect transactions without imposing disproportionate cost upon the majority of customers.
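One way to put this balance into practice, as an added example that is not part of the original article: score each transaction only against that customer's own history (amount well outside their usual spend, first use of a new country, many transactions in a short window) and then hold for review only the highest-scoring transactions up to a fixed share of daily volume, so the friction imposed on the majority is bounded in advance. The rules, thresholds and the day of transactions below are constructed for the demonstration and are not a description of any particular institution's monitoring.

```python
"""Transaction monitoring that concentrates on unusual transactions.

Added example. Each transaction is scored against the customer's own prior
transactions; a review budget then caps how many of the day's transactions
can be held, highest score first. Customers, amounts and times are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _t(hhmm):
    # Constructed timestamps, all on one day.
    return datetime(2024, 3, 4, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: (id, customer, timestamp, amount in GBP, merchant country).
# A: steady small spend, then one very large payment.
# B: steady spend in GB, then a small payment from a country never used before.
# C: five tiny payments within twelve minutes (the shape of card testing).
TRANSACTIONS = [
    (1, "A", _t("09:00"), 25.0, "GB"), (2, "A", _t("10:00"), 30.0, "GB"),
    (3, "A", _t("11:00"), 28.0, "GB"), (4, "A", _t("12:00"), 30.0, "GB"),
    (5, "A", _t("13:00"), 27.0, "GB"), (6, "A", _t("14:00"), 29.0, "GB"),
    (7, "A", _t("16:00"), 950.0, "GB"),
    (8, "B", _t("08:30"), 15.0, "GB"), (9, "B", _t("09:45"), 18.0, "GB"),
    (10, "B", _t("11:10"), 16.0, "GB"), (11, "B", _t("12:40"), 19.0, "GB"),
    (12, "B", _t("14:05"), 14.0, "RO"),
    (13, "C", _t("22:00"), 1.0, "GB"), (14, "C", _t("22:03"), 1.0, "GB"),
    (15, "C", _t("22:06"), 1.0, "GB"), (16, "C", _t("22:09"), 1.0, "GB"),
    (17, "C", _t("22:12"), 1.0, "GB"),
]

Z_LIMIT = 3.0        # amount must exceed the customer's mean by more than 3 sd to count
MIN_HISTORY = 3      # prior amounts needed before a z-score means anything
VELOCITY_LIMIT = 3   # prior transactions within the last hour that trigger the rule


def score_transaction(txn, history):
    """Score one transaction against the customer's prior transactions.

    history: list of (timestamp, amount, country) for this customer, oldest first.
    Returns (score, reasons); 0.0 means nothing unusual was seen.
    """
    _, _, ts, amount, country = txn
    score, reasons = 0.0, []
    if not history:
        return score, ["no history"]
    amounts = [a for _, a, _ in history]
    if len(amounts) >= MIN_HISTORY:
        sigma = pstdev(amounts) or 1.0   # constant history: measure deviation in whole units
        z = (amount - mean(amounts)) / sigma
        if z > Z_LIMIT:
            score += min(z, 10.0)        # cap so one rule cannot drown out the others
            reasons.append(f"amount {z:.1f} sd above customer mean")
    if country not in {c for _, _, c in history}:
        score += 2.0
        reasons.append(f"first use in {country}")
    recent = sum(1 for t, _, _ in history if ts - t < timedelta(hours=1))
    if recent >= VELOCITY_LIMIT:
        score += 1.0 + 0.5 * (recent - VELOCITY_LIMIT)
        reasons.append(f"{recent} transactions in the last hour")
    return score, reasons


def score_transactions(txns):
    """Replay the day in time order, scoring each transaction before it joins the history."""
    history = defaultdict(list)
    scored = []
    for txn in sorted(txns, key=lambda t: t[2]):
        tid, cust, ts, amount, country = txn
        score, reasons = score_transaction(txn, history[cust])
        scored.append((tid, score, reasons))
        history[cust].append((ts, amount, country))
    return scored


def select_for_review(scored, max_review_rate):
    """Hold at most max_review_rate of the day's transactions, highest score first."""
    budget = int(max_review_rate * len(scored))
    ranked = sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))
    return [tid for tid, _, _ in ranked[:budget]]


if __name__ == "__main__":
    results = score_transactions(TRANSACTIONS)
    for tid, score, reasons in results:
        if score > 0:
            print(tid, score, "; ".join(reasons))
    print("held at 20% budget:", select_for_review(results, 0.20))
```

The review budget is the practical expression of the trade-off in the text: with a 20% cap on the constructed day, the large payment, the new-country payment and the densest burst of small payments are held, and everything else passes without friction; raising the cap to 25% pulls in the next-ranked transaction. Scoring against each customer's own baseline rather than a global threshold is what keeps a high-spending customer's normal behaviour from being blocked.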
Achieving Sustainable and Secure Business
There are many other areas in which directors have to balance contending considerations and the two sides of the directorial coin. Resilient systems, quick responses, competent directors, effective boards and relevant support can all help us to ensure that business development is sustainable and secure.
About the author
Prof. (Dr) Colin Coulson-Thomas has helped directors in over 40 countries to improve director, board and corporate performance.