Interview with Alan Hamzah Sendut, Independent Non-Executive Director of Multiple Public Listed Companies
“The dependency on digital devices and digital connectivity has introduced new risks not seen from the previous largely ‘manual’ way of doing business,” he said, identifying the global pandemic and natural disasters as examples of how large supply chain risks have increased in recent years. “Inadequate capacity or capability to connect remotely and manage logistics, combined with the challenges arising from a long period of a nationwide business slowdown, have thrown up new challenges. The risk landscape is now requiring businesses to build more capacity and capability in terms of people, processes and systems to thrive in the New Normal.”
This complex scenario is quite different from his early experiences as a member of the Board. “Two decades ago, a director was largely concerned with the adequacy of financial controls and audit reports, compliance with regulatory requirements and general business activity,” he said. “But today, Board deliberations are much deeper and broader. There is a lot more focus on operational-type risks and macroeconomic indicators. There is also much greater complexity in managing regulatory compliance, and more sophistication in managing digital interfaces with all stakeholders and business partners.”
With the increased sophistication of technology, new toolkits were now being used to monitor or simulate the impact of potential risks and to generate early warning alerts, he added. Pointing out that there was a greater need today for deeper analytics and more sophisticated statistical modelling, he said, “We have to try to be more accurate in assessing and anticipating the impact of possible shocks to the business.” Emphasising that there was always the probability of something going wrong despite all mitigative measures in place, he therefore stressed the necessity of testing and retesting all disaster recovery plans, business contingency plans and crisis management plans to try to ensure that they are robust and workable in time of need. On the other side of the coin, new digital technologies have also brought new risks such as cyber threats and finding new ways of doing business with fewer physical assets; they are also fresh challenges that need to be addressed.
Additionally, there has to be an increased focus on talent – human resource capabilities and new talent development. Risk training remains important, he said, so that everyone would know what to do in the event of a risk materialising and be able to address it at an early stage before it develops greater impact and consequences. Underscoring the importance of risk training, he pointed out that many companies had, in fact, identified pandemics as a business risk, but many were still unprepared for its actual consequences because they had not tested their capabilities to withstand or manage the impacts of a real pandemic situation, end-to-end.
His experiences as a director in firms across the industrial board has given him a range of perspectives with regard to risk, and how to manage it in different situations. While most companies have similar approaches to risk where traditional risks – such as regulatory and financial risks – are concerned, differences in the risk management approach become more apparent when it comes to individual sectors. Clarifying this, he said that sectors which depend heavily on digital processes to operate have invest extensively in more sophisticated risk management capabilities. “In sectors where consequences of any catastrophe will impact a physical facility, the focus is very much on operational reliability and functioning of that facility.” he said.
Adoption of best practices, with constant monitoring, surveillance, maintenance, retraining and awareness for all stakeholders – all these are also high on everyone’s agenda, he added. “For example, in sectors dealing with biological assets, the focus is on ensuring the health of the assets, and on optimising the production chain from seed to table in order to be in compliance with the expectations of regulators and consumers” he said. “Each sector drives its risk management activities according to the respective demands of its business environment, but all sectors generally put in place risk identification, mitigation, monitoring, education and awareness programmes as well as corrective action plans to address any possible emergence of a risk event.”
However, he pointed out one common trait: everyone at every level is a risk manager in their workplace, and ultimate accountability in managing risks rests with the leadership and the Board. The pandemic, he said, has been a great learning experience. “It has driven companies in all sectors to re-evaluate the robustness of their business models, and how workable they are in the event of a major external shock which has a significant disruption in their business activity,” he explained. “Almost all of them have had to adapt to constraints in their supply chain, deal with employees working from home, and grapple with how to generate income and cashflow in a global scenario that had not been experienced before.”
He added that those in the priority economic sectors collaborated with their peers to approach the regulators to try and stabilise their business linkages in order to serve the community as best they could. This has shown positive results; post-pandemic, many have improved their operating capabilities and processes. He conceded, however, that business activity levels had been impacted in some areas due to the impact of the pandemic on parts of the economy that were beyond their control. Despite his long immersion in the field of risk management, he takes nothing for granted, and keeps his finger on the pulse of business, constantly.
He finds the IERP®’s programmes particularly useful. “These have several elements that help bridge some gaps in knowledge,” he said. “Also, they bring out the different approaches taken by other participants from different sectors. These could all be a useful frame of reference for the future.” He also sees risk management and ERM as ongoing; due diligence and the quest for knowledge never stops. But this, he says, is because “Risk management content needs to continuously evolve – or it too will run the risk of becoming outdated.”