@ the IERP® Global Conference, August 2024
The views and opinions expressed in this article are solely those of the featured speakers and do not necessarily reflect the official view or stance of the IERP®. The content is provided for informational purposes only.
This session, by Abid Adam, Chief Risk and Compliance Officer of Axiata, covered why data-driven risk management is important, and how organisations should apply it. He also talked about the two platforms used by Axiata. Acknowledging that everyone wants to move forward, he stated from the outset that data-driven risk management was not a silver bullet – but it can do certain things that help the business. “With the rise of technology, are there ways we can adopt it to enhance and leverage some of the work we are doing,” Abid said. “That’s really what it is.”
Quoting a PwC report on top risks faced by businesses released earlier in the year, he said that companies will have very little control over most risks they will face, such as geopolitical risks. Risk professionals need to be familiar with these risks as they present major challenges while underscoring the importance of data-driven risk management. “We are all facing crisis mode,” he warned. “A large percentage of Malaysian CEOs – 63% of AsiaPac CEOs including Malaysian CEOs think that companies will not be economically viable in ten years.”
There was a possibility that in ten years, risk professionals and the companies they work for, will not exist if no changes are made now. Among the risks already on his radar is artificial intelligence (AI). Enhanced AI was being applied in social engineering attacks, sometimes deliberately spreading disinformation but sometimes being used to do so inadvertently. AI risk is not going to go away; in fact, it is rising. Organisations can no longer view financial risk in isolation; all risks are now interconnected.
For example, Axiata has operations in 11 countries, each with its own risks involving physical assets and staff. Each business has a different risk profile. The environment is dynamic and volatile, with things happening fast, making it hard to plan. “If you are a risk officer, how do you give a view of what risks your organisation’s portfolio is exposed to?” Abid said. “Do you consolidate by asset, sector, or market?” Some of these operate in multiple markets, not just Malaysia, he added. For instance, in Bangladesh, Axiata has three different businesses.
“I need to understand the exposure of each of these countries, make reports, and consolidate in real-time or as accurately as possible,” he said, underscoring the difficulties of quarterly reporting. Axiata has replicated similar governance structures in all countries where it has a presence, and a lot of time is spent discussing details; there is a correlation between what is discussed at group and country levels. Although he works with counterpart risk officers in other companies, the amount of data collection that has to be done is staggering.
“As a group, I have to give a consolidated view of the group’s risk exposure,” he said. “I have to give by risk categories, different portfolio of assets, different businesses – all these things need to be reported.” This is further complicated when it comes to issues like cybersecurity which is extremely volatile. “Anybody who has worked on cybersecurity will know that anything you see ten minutes ago becomes irrelevant and out of date (quickly),” he said. “You are exposed immediately, and you (must) make decisions.”
Data-driven risk management allows the rapid identification and assessment of risk, based on data. “When you need to make trade-offs, you want to make educated trade-offs,” he said. “You want to do some level of scenario analysis, to establish base case, best case, and worst case scenarios. If you want to do sensitivity analysis, you will need data.” Identifying some differences between traditional and data-driven risk management, he said identifying risk traditionally was backwards-looking.
“It’s historical data you are reporting,” he said. “Most board members already know anything material that has happened. You have to ask yourself what value you are bringing to the discussion.” He advised against presenting historical data; instead, it should fuel questions for the board to handle. Risk managers and CROs need information that is relevant, accurate and reliable at any time, in any part of the world because of the uncertain nature of disruptive incidents. But they are likely to face numerous issues in obtaining this, including data quality, he added.
“You have to make an effort to get the right level of data, consistently,” he said. Challenges arise when trying to integrate data from multiple, sometimes disparate, outdated or legacy systems, and putting all of it on a platform where it can be used for maximum effect. Another challenge is that many risk team members may not be technically inclined enough; the skills gap is an issue. The CRO should ensure that they understand what is required of them. “If there is something people don’t understand, they will fear it,” he said. “And you will get pushback.”
Instead, risk professionals should make it psychologically safe for people to go on the journey, which should start with a framework that outlines where and how data will be collected, and which systems will be integrated. He advised risk professionals to carefully choose what they wanted to focus on. “Start small; don’t do everything in one go,” he advised. “Work on small pieces – what kind of data will you analyse? How will you present it?”
Abid rounded off his presentation with overviews of two platforms used by Axiata: ‘Helios’ and Axiata’s own GRC platform, developed in-house which allows the organisation to see how exposed they are in real-time. Axiata uses the Helios platform for cybersecurity as it can identify potential vulnerabilities, which enables the organisation to reduce its threat response time. He clarified that Helios was developed because Axiata has a huge web presence across numerous countries. “It allows us to see and respond…get real-time information, and know what assets are exposed,” he said.
