Directors are expected to be entrepreneurial while at the same time exercising prudent control. Enterprise and control are two sides of the directorial coin. I will briefly consider whether risk professionals should do more in support of enterprise and then turn to some cyber security and fraud control issues.
Owners of mature companies with defensive strategies may welcome caution. Ambitious spirits might favour quick moves and growth rapid. Incremental improvement may not enable us to cope with challenges or seize opportunities. What if we need transformational change or a new business model?
Have some governance, compliance and risk management practices become a hinder rather than a help? What role should risk managers play in entrepreneurship and business building? Rather than be seen as an overhead cost, could they become front-line creators of value?
Risk managers should be more proactive. They should look beyond the reporting of risks and contribute more to dealing with them and identifying associated opportunities. They should focus more on the support of decision making and helping colleagues to seize these opportunities.
Governance, compliance and risk management frameworks should be continually adaptating and learning systems. They are too important to be left to head office specialists. Risks are all around us, including in the air we breathe. Recognising and handling risk should be a dimension of many if not most roles.
Roles and responsibilities should be regularly reviewed. In relation to cyber security, we should look beyond the IT team at the people aspects. People are a major source of vulnerability in relation to cyber security and fraud. The HR team should be alert to human factors that might result in hitherto trusted people compromising security or engaging in fraudulent activities.
Legal and reputational risks have to be addressed as well as technical and financial issues. A chief financial officer will have an interest in preventing financial fraud. Chief security, information and knowledge officers will be keen to protect corporate data, information and know-how. Should they and others have a remit to protect stakeholders and wider society from illicit activities?
25 years ago in my book Transforming the Company I put the case for organically evolving adaptable, responsive and networked organisations that are portfolios of projects and ventures, involving a wider range of collaborators, stakeholders and supply and value chains.
One can view risk from a community, stakeholder, societal or environmental perspective as well as a corporate, project or venture one. Internal and external auditors assess processes and internal controls, but what about supply chain and other external networks? Risk management needs to embrace them.
Some directors and boards are an area of risk. They cling to past practices. They are prisoners of outdated ideas and victims of groupthink. They are protective of past investments and reluctant to write them off. They favour excessive order, structure and compliance with existing policies, rather than search for better ones. They may view questioning as disloyalty and challenge as a threat.
Moving on to a review of cyber security controls, challenge becomes particularly important. Being watertight yesterday does not mean a company will survive tomorrow’s cyber assault. The digital landscape and threats within it are continually evolving. Many directors face difficult issues and choices.
The internet of things creates new areas of vulnerability. Many customers do not change the default passwords used by manufacturers and suppliers, thus allowing unauthorised access to connected products and devices. External control of a fridge might be inconvenient, but unauthorised control of a car could be life threatening. Expensive liabilities could result.
The most useful anti-fraud collaborators could be equivalent organisations in similar situations in other countries, rather than local companies. The separation of data in terms of storage and access, and the use of different programmes and devices can limit access for hackers who breach outer defences. However, it can make data, information and knowledge more difficult to assemble and share.
Boards can face choices that cannot be delegated. They may seek advice, but they may also need to move quickly and make a call. For example, a security breach has occurred with consequences as yet unknown. Some customer data could have been accessed. Telling customers they may be at risk could help to protect them, but going public could hit a company’s share price and reputation.
Whether or not to share with law enforcement agencies is another issue. They do not have unlimited resources to follow every lead. Hence the need to be selective and focus. Concentrate on known vulnerabilities, where consequences could be serious and recovery or compensation costs would be high.
Some companies are obstacles to attempts to track down and catch criminals. Protecting customers’ communications and devices from state surveillance can benefit criminals. Law enforcers may not be able to monitor the activities of suspects and accumulate the evidence that might bring them to justice.
Directors have to balance the desire of customers for privacy, encryption and secure devices against the risk that some of them may use a company’s public networks and devices for criminal purposes to the detriment of other people. Considerations may range from contractual liabilities to moral responsibilities.
Frauds regularly occur, but they can represent a small proportion of daily transactions. Blocking transactions can cause inconvenience and might result in damages claims. Monitoring has to focus on unusual or suspect transactions without imposing disproportionate cost upon the majority of customers.
There are many other areas in which directors have to balance contending considerations and the two sides of the directorial coin. Resilient systems, quick responses, competent directors, effective boards and relevant support can all help us to ensure that business development is sustainable and secure.
The article is based on speech delivered by the author at 17th International Conference on Corporate Governance and Sustainability held at Millennium Hotel London Mayfair, 44 Grosvenor Square, London W1, (UK) on 25th October, 2017. Theme: The Board: Emerging Issues of Corporate Governance and Sustainability Challenges, Directorial and Risk Management Dilemmas.
Coulson-Thomas, C (1992), Transforming the Company, Bridging the Gap between Management Myth & Corporate Reality, London, Kogan Page
*About the Author: Prof. (Dr) Colin Coulson-Thomas has helped directors in over 40 countries to improve director, board and corporate performance. In addition to directorships he leads the International Governance Initiative of the Order of St Lazarus, is Director-General, IOD India, UK and Europe, chair of United Learning’s Risk and Audit Committee, Chancellor and a Professorial Fellow at the School for the Creative Arts, Honorary Professor at the Aston India Foundation for Applied Research, Visiting Professor of Direction and Leadership at Lincoln International Business School, a Distinguished Professor at the Sri Sharada Institute of Indian Management-Research and a member of the advisory boards of Bridges of Sports and the Arvind Foundation, and ACCA’s Governance, Risk and Performance Global Forum. An experienced chairman of award winning companies and vision holder of successful transformation programmes, he is the author of over 60 books and reports. Colin has held public appointments at local, regional and national level and professorial appointments in Europe, North and South America, Africa, the Middle East, India and China. He was educated at the London School of Economics, London Business School, UNISA and the Universities of Aston, Chicago and Southern California. He is a fellow of seven chartered bodies and obtained first place prizes in the final exams of three professions.
Read more Authored Article by Prof. (Dr) Colin Coulson-Thomas
Read about our Editorial Guidelines