The mere fact that you are reading this article implies that the last days predicted by modern-day Mayans and other apocalyptics have not arrived on schedule. “In fact, the risks we all face as we go into 2013 are much more complex, and thus much more difficult to counter,” says Michael Davies, CEO of ContinuitySA, Africa’s leading provider of business continuity services.
In what has become an annual exercise, Davies and members of his executive team met late in 2012 to review their predictions for the year and ponder what the coming year might hold for risk managers.
“What became very clear is it has become almost impossible to consider individual risks without taking the overall risk into consideration,” Davies observes. “Globalisation and the profound connectedness between individuals, companies and countries promoted by technology means that risk, too, must be seen broadly.”
Bearing this observation in mind, Davies and the ContinuitySA team have identified the following set of six interrelated risks for 2013.
1. Social malfunction grows. Across the world, it is increasingly clear that established certainties and beliefs about how the world is structured are becoming fluid. From the Arab Spring to Occupy Wall Street and protests against austerity in Greece and elsewhere, there is an overall loss of faith in society’s institutions and their ability to deliver a just world order.
In South Africa, persistent dissatisfaction with service delivery has exploded into widespread and violent protests against the very nature of the system. In that respect, the miners’ revolt in Marikana has been a watershed event, as it bypassed both the settlements negotiated by the miners’ own representatives and the normal processes of democracy. Democratic process, it seems, is either profoundly misunderstood or mistrusted.
This impatience with society’s existing institutions and processes appears to be spreading and there are worrying signs that even the middle class, on whose shoulders society’s prosperity and stability ultimately depend, are also losing faith in basic concepts. The extreme passions roused by the ongoing e-toll saga in Gauteng is an obvious example of this trend. For the middle classes, this type of feeling generally translates into a reluctance to pay tax, an action that can fatally undermine the state itself.
2. Global economic and financial volatility. It appears the 2008 financial crisis is both more far-reaching and profound than first expected. Markets and economies seem unable to regain an even keel, and many commentators are seeing this volatility as “the new normal”. The flip side is an increasing regulatory burden as governments and other institutions attempt to rein in uncontrolled capitalism and protect investors.
For South African businesses, important associated risks are the volatility of commodity prices, greater competition internally and in export markets, and an unstable currency.
3. Environmental risk. If volatility is the new economic normal, then there is every indication that climatic volatility is also becoming a feature of life. For South Africa, climate fluctuations may be expected to increase the risk of water and even food shortages. Thus far, global and national environmental initiatives are gaining traction too slowly, and seem likely to add to the cost of doing business in the short term — giving rise to a classic case of how to balance short- and long-term risk.
4. Infrastructural risk. A common African business risk is inadequate and poorly maintained infrastructure. Water and power are the two obvious risks that threaten business, but the road and rail networks also present challenges. Government efforts to address these problems are affected by the principle of interconnectedness: opposition to e-tolling, one feels, is more influenced by wider dissatisfactions rather than the principle of “user pays”.
Many South African businesses are taking extraordinary measures to mitigate infrastructural risks by assuming responsibility for all or some of the infrastructure needed for their projects. Property developers, for example, are often providing roads and sewerage, and factories some of their own energy — and think of corporate involvement in points-people to ameliorate the effects of faulty traffic lights and schemes to fill in potholes.
5. Data risk. Data is becoming more important as a way for companies to assess risk and compete more effectively — this is the phenomenon of big data. It’s probably true to say that most companies are still coming to terms with the concept and, more importantly, how to use data effectively. Nonetheless, data privacy regulations have already sprung up to protect personal data, creating a set of risks relating to data security. One is the growing menace of cyber crime. Another is the whole question of data sovereignty — as companies try to safeguard their data while reducing costs, they may opt for the security of cloud solutions. However, when those data centres are located and/or owned offshore, it becomes difficult to be sure of data security and accountability for lapses.
“Our approach is to use a hybrid public and private cloud model for our clients for just these reasons,” comments Davies. “This approach allows clients to retain tight control over sensitive data, as is increasingly mandated by law, and to take full advantage of the cost and flexibility of public services where appropriate.”
An associated risk is the peaking trend of IT consumerisation, so-called BYOD (bring your own device — the use of private mobile devices to access corporate data). BYOD offers both advantages and disadvantages: boards and their CIOs need to think carefully about how to protect their data against potential threats — and how to use the available technology wisely to obtain a competitive advantage.
6. Business continuity remains misunderstood. Risk management has definitely become integrated into the corporate agenda, and is maturing. This may be seen by the replacement of the existing BS25999 standard by ISO22301. The BS25999 standard set the standard for business continuity management, but the new ISO223301 standard is much more detailed in its requirements, and requires much more documentation of the processes followed. It also requires committed board-level leadership, thus effectively putting risk management into the spotlight.
However, in practical terms, the broader concept of business continuity management is becoming absorbed into the IT budget, with a concurrent diminishing of focus on operational matters. At the same time, budgets in general are under pressure.
“Ironically, then, the biggest overall risk has become corporate myopia about the true nature of risk — and this at a time when risk has become much more integrated into corporate strategy. Boards must resist seeing risk in terms of technology alone. Business continuity is a much more useful concept, one that takes into account the interconnectedness of risk today. When considering risk, business leaders need to take a broad view of organisational resilience before honing in on their particular company’s situation. Risk is now systemic, and so the approach to risk must also be systemic and have operational relevance to the organisation,” Davies concludes.