Martin Tang, Chairman of the IRM Switzerland Regional Group

On 18 September 2018, the Institute of Risk Management Switzerland Regional Group held its annual Risk Culture event, at the historic Haus zum Rüden, a guild house built in 1348 next to the River Limmat in Zurich.

The event was sponsored by Thomson Reuters, following the successful collaboration in Autumn 2017.

We were delighted to hear the upbeat views in the keynote speeches of Alison Bewick, Head of Risk Management of Nestlé, on “Harnessing the Risk Agenda for strategic success”, John Pottage, MD & Head of the Business Risk Competence Centres of UBS Global Wealth Management on “How to build a sustainable competitive advantage through Risk Culture” and Nicola Passariello, EMEA Market Specialists Manager of Thomson Reuters on “World Check Risk Intelligence”. Alison and John are both Institute of Risk Management members and the keynotes were followed by a lively and engaging panel discussion with the panel comprising the keynotes and Martin Tang, as a panellist on Cyber Security Risk Culture. In addition to his role as Chairman of IRM's Regional Group in Switzerland, Martin is Principal of MT Associates, a risk management & insurance consultancy specialised in Cyber Security.

10

Mike Shields, Bureau Chief of Thomson Reuters Switzerland and Austria moderated the event.

Some key learnings from the evening were:

1. The criticality for firms to nurture a healthy risk culture that embeds risk into the heart of decision-making. A robust, strong risk culture helps organisations to avoid or mitigate those risks that destroy value, for example, compliance-related risks . However, it also should help to embrace strategic risks– risks that fit to your strategic intent and which are aligned with your principles and values. These strategic risks, if they pay off, create value and contribute to achieving the organisation’s long-term purpose.

2. Disruption and innovations inherently present a wide array of risks as well as opportunities. Along with the uncertainty they bring, they also inevitably mean change, which is not always embraced by people. Stressing the benefits of effective risk management can be key.

3. How to help organisations be bolder in pursuing strategic risks? A few key things to consider:

a. Tone from the top – does the board set the right tone and incentives to encourage management to be bold with innovation?

b. Set up your people for risk-taking success – is failing an accepted part of doing business? Do we have a lessons learned culture or do we live in fear of mistakes and blame?

c. Champion your values – do leaders walk the talk and are they clear about what our values mean in practice?

2

4. The overriding importance of Risk Culture cannot be overemphasised. As Peter Drucker said “Culture eats strategy for breakfast”. Unlike a product innovation, a good risk culture cannot be easily replicated by competitors.

5. There are different phases of risk maturity, often beginning with a non- compliance risk culture (where risks are often unknown or ignored), though to a compliance risk culture (with an emphasis on rules) through to the ultimate effective embedded Risk Culture, when risk considerations are appropriately and proportionately embedded in every business decision. In this risk culture, firms neither obsess about risk nor treat it as a separate topic. For this there needs be a clear internal motive, strong incentives, open minded assessment, leading and directing with a focus on producing an optimal solution with optimised risk. Risk is then firmly in the mind of both the leadership, with everyone at all times trying to reach an objective. Risk is spoken about in addressing difficult business dilemmas. An embedded risk culture also contemplates people-based controls (using judgement and common sense), in addition to rule-based and system-embedded controls that are part of a compliance culture.

6. Risk Management is all about people, but people are fallible and subject to biases. Culture is all important because it can create sustainable competitive advantage if your whole organisation is focused on ensuring that the defined customer journey is consistently delivered. 5 topics to get right are accountability, supervision, resolving conflicts of interest, offering the right incentives and establishing a healthy culture of speaking up and challenging.

8

7. An embedded Risk Culture is also vital to Cyber Security. Cyber is fast becoming the greatest emerging risk and each year the threat landscape increases in multiples. It will be interesting to see if Cyber tops the list of the next WEF Global Risks report in January 2019. In 2018, Cyber was no. 4 in terms of likelihood and Risk no. 6 in terms of impact. Cybersecurity Ventures predicts the annual cost of cyber crime to businesses will increase from USD 3 trillion in 2015 to a staggering USD 6 trillion by 2021. This compares with its prediction that global cybersecurity spending on products and services will exceed USD 1 trillion in 2021. Per Trend Micro, 91 % of all Cyber attacks are initiated with a spear phishing mail. So, great progress can be made and Cyber Insecurity significantly reduced, with regular anti-phishing mail employee training programs. Whilst compliance with regulation is vital, it must not be the only incentive. The Chief Information Security Officer best needs to marshal the support of Human Relations and Compliance to produce the correct incentives for employees to become Cyber risk aware. This way, even though people are often the weak link, they can be trained to rather become the 1st line of defence. Job stress and more importantly, e-mail stress are factors increasing this risk. With a cultural focus on Cyber risk, employees can avoid the temptation to do things quickly and instead be cyber risk aware and respond appropriately to unusual situations.  The motto “Stop! Think! Act!" is a good guide here. People, rather than products or machines, were also the focus at Trend Micro’s Cloudsec event in London on 4 September 2018.

8. Data is critical in addressing the fundamental question “Do you really know your customers?” Fraudsters will always try to outsmart  the system and be one step ahead of law enforcement agencies by leveraging new technologies to their advantage and, in some instances, by colluding with unethical employees to perpetrate their crimes. Also, business partners who act improperly on behalf of a company to secure business, expose the company to criminal charges. Combating money laundering, terrorist financing, bribery and corruption are not just legal and regulatory requirements. In case of breach or gross misconduct, the magnitude of the economic impact in terms of fines, disgorgement in profits and legal fees can be huge.

11

The preventive measures start with accurate, reliable and structured data to perform in-depth due diligence on the counterparties in line with the company risk appetite. Obviously, people then need to make judgements about what the data is telling them.

9. Thomson Reuters’ World-Check is a risk database which combines data with automation, to screen individuals, entities and their beneficial owners and to remediate the results thanks to powerful algorithms and it provides a robust and defencible audit trail .

The event attracted 43 risk professionals with high seniority levels:

26 % or 11 “C” level or Executive Director level.

26 % or 11 Head of ERM, Director, CISO or Global Head level.

We thank our keynote speakers for their great presentations and also our sponsor, Thomson Reuters, for making the event possible.

We are excited about the optimism on the importance of Risk Culture to business success and also about the clear focus on people. We hope that this is the beginning of a new trend.

12

For more information about the IRM Switzerland Regional Group and the events it hosts, click here to visit the webpage.