Shocking news! Sixty percent of global CFOs do not acknowledge that cybercrime is a risk, according to a global fraud survey conducted by EY. This statistic is startling, considering the number of high-profile data breaches over the past few years. It also speaks to how the current crop of CFOs view risk management in the digital age: apparently not as a high priority.
This timely topic was the focus of a recent episode of Coffee Break with Game-Changers, presented by SAP and hosted by Bonnie D. Graham of SAP. The broadcast featured thought leaders from Ternium, EY, Forrester, and SAP. Listen to the episode.
The future is here, and it’s full of uncertainties
The discussion opened with each panelist highlighting a quote to illustrate his point of view on fraud and third-party risk in today’s always-on business era.
Carlos Russell, risk management director at Ternium, offered a quote from Groucho Marx: “Learn from the mistakes of others. You can never live long enough to make them all yourself.” Carlos noted that we’re still not learning from others’ mistakes with regard to fraud and third-party risk. “PwC has reported 32% more incidents attributed to business partners and that the theft of intellectual property has increased 56% compared to 2014. EY also did a global fraud survey showing that 41% of global CFOs acknowledge that cybercrime is a risk, stating the obvious, but what are the other 59% of global CFOs thinking? Is cybercrime not there?”
He added, “We read about it in the press, but organizations are still finding themselves with obsolete or inadequate system processes. The awareness and maturity to drive results to be more predictive and proactive is still not there.”
Stefan Schaffer, a partner in the area of business integrity and compliance management at EY, provided a quote from acclaimed cyberpunk fiction writer William Gibson: “The future is already here; it’s just not evenly distributed.” Stefan explained that the quote illustrates “Moore’s Law” in the wider sense of exponential growth in computing power: when did it reach a point where it is causing significant rupture? “In the context of risk management and anti-fraud, it means that we need to start thinking about how we deal with the changes ahead early on. Otherwise the bus will just run over us.”
Delving deeper into the subject, Chris McClean, vice president and research director at Forrester, chose a quote from author and journalist Robert Wright: “… All along, the relentless logic of ‘non-zero-sumness’ has been pointing towards this age in which relations among nations are growing more non-zero-sum year by year.” Chris summarized that, simply put, “We have always been destined to find more complex relationships and ways that we can win through partnership and collaboration.” This will always come with a host of risks, he noted. “A key aspect of risk management that some people forget is that it’s not mitigating every possible risk; it’s taking informed risks and doing it in a way that you’re getting opportunities without too much exposure.”
Echoing this sentiment, Jérôme Pugnet, a senior director of GRC product marketing at SAP, quoted Jean de La Fontaine, the famous French poet and fabulist: “Rogues are always found out. Whoever is a wolf will act as a wolf.” No matter how much fraudsters hide themselves, Jérôme said, there will always be behaviors or weaknesses that will give them away. “When people commit fraud, there are certain patterns that can be recognized. There’s a way of doing behavioral analysis that you can detect using technology. We need to understand those behaviors and patterns so we can identify those cases of fraud or potential fraud.”
Risk everywhere: the new normal
The first step to solving a problem is to admit that there is one.
Carlos explained that CFOs can’t just look at the bottom line; they need to look at their whole partner ecosystem. “Both your business and your third-party [partners] are exposed to the same level of threat.” He added that the hacking community is getting more sophisticated every day, and they are not just limited to one or two troublemakers in a basement playing around with a computer. Some hackers “have government or organized crime sponsorship.” He pointed out that this is why compliance is crucial, and that businesses can never go wrong with building a safe and secure ecosystem for everyone in their value chain.
Stefan added, “Without a doubt, societies and companies have benefited hugely since the invention of the Internet and the increasing degree of networking, but we need to adjust to a new normal of the threats impacting daily life.” Chris, on the other hand, emphasized that while we are programmed to find ways to work together, risk managers have to figure out how to make risk part of the equation when considering vendor relationships.
Jérôme pointed to technology to help detect possible risks to the business. “It’s obviously a very difficult problem. But there’s a lot of information out there that we can use. It’s all about using Big Data to find that information, look at these relationships, and learn from that experience. We can use machine learning to see similar situations to recognize and more easily catch them.”
Besides technology, community is key
Although technology certainly has a part in risk management, Stefan underscored that there is a lot to be learned from social media and how it leverages the community to police itself. “We need to accelerate the usage of intelligent algorithms in business, but on the other hand, we will never be able to detect all fraud.” He suggested complementing technology with your internal community of employees and vendors. Organizations need to create an environment where stakeholders have a sense of integrity and pride so they can play a part in weeding out potential sources of risk.
Chris took it even further, suggesting that even regulators have a responsibility to help find a more universal risk management system for industries. He cited the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as a good example of regulators guiding an industry in terms of assessing risk.
And with all this talk about having controls in place with multiple stakeholders, Jérôme cited the need for speed: the challenge is to execute validation and checks in a way that doesn’t slow down the business. Carlos replied that it needs to be a delicate balance of stringent internal checks while still being open enough externally so as to not limit the system and those using it.
Starting from the ground up
If we think about risk management, much of the focus is on large companies with multinational vendor relationships. However, Chris explained that most of the questions about third-party risk management are actually directed at the manufacturers and suppliers. “Revenue is a driver for all of this. If those suppliers want to make money, they have to figure out how to get their controls in place and have good documentation,” he added.
More automation by 2020
So what’s in the cards for 2020?
The panel was unanimous in their view that there is a lot more room for automation in the near future. Jérôme reiterated the need to build more “intelligent” technology to help risk management professionals weed out “false positives.” Carlos is seeing a lot of investment in algorithms for automated behavioral analysis, which hackers will want to compromise. “We will live in a world where we will need to secure our algorithms.” Stefan agreed, stating that companies refusing to integrate these algorithms will be in “serious trouble.”
Chris predicted that in the next five years, “Better risk management in general will be driven more by customer requirements than by regulatory oversight.” He believes consumers will be able to dictate the requirements on compliance through their purchases. “Large companies will actually bend to our requirements because that’s what’s going to drive revenue for them,” he added.
This excerpt from Coffee Break with Game-Changers, presented by SAP on the World Talk Radio Business Channel on June 28, 2016, was adapted for the Digitalist Magazine. It is available on demand.