2020 risk outlook: Use GRC to build resilience
ContinuitySA, Africa's leading provider of business continuity and resilience solutions, says as the risk outlook continues to be challenging, organisations should use their governance, risk and compliance (GRC) activities to create robust frameworks that support business resilience.
"Last year, we noted that risks cannot be seen in silos, but rather as part of a complex whole. That continues to be the case, and it is clear that GRC activities can be used profitably to develop an integrated risk picture and response," says Michael Davies, CEO of ContinuitySA.
"To mitigate risk in today's interconnected business environment, it is necessary to understand it thoroughly first, and that means knowing not only your environment, but also what the organisation is trying to achieve. GRC will help guide this process, particularly when the organisation has multiple sites in different geographic areas.
"At a national level, we are seeing how poor governance has placed critical state entities like Eskom at grave risk; the way to avoid this kind of situation is to take GRC seriously and follow the spirit as well as the letter of the applicable regulations and standards."
Based on their experience during 2019 and their informed reading of the coming year, the members of ContinuitySA's exco have identified the following risks as particularly relevant in 2020:
Cyber-risk. As organisations and business generally continue to digitalise, cyber-risk grows. The Business Continuity Institute's (BCI) Horizon 2019 report put cyber-attack as the fourth most prevalent source of disruption in the past 12 months, and predicts it will be number one in the next 12 months. NTT, the Japanese IT and telecommunications company that owns Dimension Data, suggests organisations should pay due attention to the basics of cyber security, ensuring they have the right people, processes and tools in place. At the same time, though, they must collaborate to stay ahead of the trends and adopt innovative strategies where appropriate.
A key, and often unrecognised, element of cyber risk is the increasing use of cloud. Organisations must be aware that cloud providers' data centres can also go down, and build that risk into their business continuity plans.
Utility risk. The resumption of load-shedding by Eskom, the erratic nature of the load-shedding and the spectre of Stage 6 and even Stage 8 load-shedding, are setting off alarm bells. In addition, a water crisis in the near future is highly probable too. Driven by prolonged drought in certain areas of the country, extremely poor reticulation infrastructure and an increase in population in metropolitan areas, water outages and rationing, as previously experienced in the Western Cape, are highly likely. Some figures indicate that up to 30% of municipal water supplies are lost to leaks, while there are ongoing concerns about the maintenance of key hydro-electric and water storage facilities like Kariba and Cahora Bassa. Water and power outages will thus be key focuses of business continuity plans.
The impact of persistent and devastating power outages in both Nigeria and Zimbabwe demonstrate the extent to which unstable utilities can hamstring economies.
A further cause for concern is the way a wage strike - hardly an unusual event in South Africa - was enough to compromise South African Airways' precarious finances and take it into business rescue; Eskom is in a similarly fragile financial position.
Unplanned IT and telecoms outages were the number one disruptor in the past 12 months, and are expected to be number two in the next 12, according to the BCI Horizon survey. As telecommunications are severely affected by power outages, we can expect this risk to remain high on the agenda. Many of these towers also transmit the telemetrics for water pumping and other systems that support everyday life, so the impact of their going down is substantial.
Financial risk. There is a high likelihood that the country's debt rating will worsen in 2020. Other financial risks include exchange-rate volatility. The overall result will be to make capital both harder to access and more expensive.
Supply chain risk. The global nature of business means that companies participate in long and complex supply chains; risk exposures thus affect the entire chain. When doing their business impact analyses, organisations need to give thought to the contingent risks they face thanks to their participation in supply chains.
Geopolitical and socioeconomic risks. Brexit and the high-stakes US-China trade negotiations remain key concerns. However, each region has its own risk profile, which needs to be properly understood. This is particularly true of Africa, where the risk profile varies quite significantly from country to country. Locally, the perceived inability of the government to take the necessary action to restore the economy to growth and create jobs remains a key risk driver.
Socioeconomic risks have been concerning South African businesses for decades, and the continued decline in growth prospects and poor job prospects will continue to be worrying.
Labour and skills risks. Lack of skills has been a consistent problem, and the advent of the fourth industrial revolution exacerbates the issue. A particular challenge is the shortage of cyber security skills, which clearly feeds into the cyber risk issue noted above.
Paradoxically, the shortage of jobs seems to have made the industrial relations environment even more volatile. The risk of protracted and even violent industrial action remains high, and its impact on an already fragile economy, as the example of South African Airways shows, can be profound.
"Because of the scale and quantum of the risks we currently face, and the fact that they are interconnected, it is now more important than ever to bake resilience into the corporate DNA. GRC frameworks offer a good way of bringing this complexity under control, and increase the chances of developing an effective business continuity plan, which improves the resilience of an organisation," Davies concludes.