June 19, 2020
By CIO Academy Asia

CIO Academy Asia held a virtual roundtable on the 16the June, attended by 10 technology industry leaders across several sectors, in Singapore. The discussion was centred on business continuity and risk management coupled with CIO Academy’s recent regional survey into technology trends and priorities. Moderated by CIO Academy, in close partnership with RSA, the roundtable provided an opportunity to gain insights from technology leaders on their business continuity and risk management activities against the backdrop of the COVID-19 crisis.

Today’s organisations are becoming more complex with an interconnected tapestry of products, services, processes technologies, third parties, remote locations and more. They collaborate and exchange mission critical data across their supply chains over a disparate mix of in-house and SaaS-based enterprise applications, making it increasingly difficult to maintain complete visibility over internal and external risk factors.

The global COVID-19 pandemic has forced many organisations to implement operational ‘stop-gaps’ that have been reactive, ad-hoc and incrementally adaptive. As organisations seek to enhance their resilience to address the prolonged crisis, it is critical that they manage risk exposure associated with their third-party partners. When one third party experiences a disruption, it could damage the entire supply chain. Organisations must regularly assess their third-party ecosystem and implement measures to hedge against all possible outcomes including bankruptcy, cyber-breaches, and temporary or permanent shutdowns.

CIO Academy Asia research shows since the COVID-19 crisis, operational risk management and customer engagement and sales generation have become the most critical business areas for business resiliency plans.

Business continuity and crisis management plans must be overhauled

During the roundtable discussion, most organisations revealed that their business continuity and crisis management plans need to be reviewed, in light of the COVID-19 crisis. Major challenges were faced in establishing remote working business models rapidly and none of the roundtable attendees expected to face a sudden spike in cybersecurity threats.

The discussion started by emphasising the need for organisations to have the capability to manage all disruptions and incidents in an integrated way, while simultaneously ensuring business continuity.

According to Patrick Nathan, Senior Advisor at Deloitte, “Organisations need to change their business continuity management and crisis management plans to make them fit for purpose.” Nathan continued “Businesses need to have an honest appraisal of their readiness and preparedness for disruption. They need to optimise the technology for sensing the environment and be able to systematically anticipate new risks and opportunities, protecting against strategic surprise”.

The need for employee education was highlighted by several attendees. Working remotely makes it especially important that employees understand policies and procedures relating to business continuity and crisis management. Remote working also exposes organisations to a lot more cybersecurity risk – phishing attacks, in particular, have become a frequent occurrence. Employees need to know how to recognise phishing attacks and the process for raising the alarm.

Some participants attending the roundtable, such as Grab, were better prepared for the crisis. Businesses that have all their data in the cloud such as Grab experience levels of agility that can help manage crises, and pivot quickly to new business models. According to Grab’s Luiz Enriquez, Head of Grabber Technology Solutions and Enterprise Cyber Security, “We were ready. We looked at risk from China early in the crisis and prepared ourselves based on the China experience”. He added that “Having a full SaaS environment enabled Grab to onboard merchants rapidly and switch drivers from transporting people to transporting food in days.”

Don’t be blindsided by third party risks

The vulnerability of offshore outsourcing was discussed. Companies that outsource to India and the Philippines struggled to maintain customer services during lockdowns in offshore locations. Their revised business continuity plans, will seek to mitigate this risk by bringing some activities back onshore. In general, managing risk associated with suppliers was highlighted. A cyber attack that disrupts a critical partner will also disrupt you. For example, the recent DDoS attack on Verizon affected its ability to provide its CDN service to its customers.

Access to data emerged as a major issue to be addressed. As employees work remotely, access to data as well a classification of data becomes more important. The enhanced risk of data leakage also increases the need for transparency across all endpoints. Data access and data leakage issues also become issues across supply chains as third parties also work remotely.

Managing cyber risk before and after the crisis

Attendees discussed how risk needs to be managed holistically. James Fong, Regional Business Director at RSA, highlighted the need to view risks in the context of four pillars namely, operations, workforce, supply chain and cybersecurity, that most organisations are struggling with. Taking an integrated and automated approach is key as it enables organisations to better manage these risks.

Fong continued “Risk data needs to be shared across functions on customised dashboards for executives, CISOs and others for action to be taken. The data is to provide a clear understanding of the monetary cost or business angle associated with the risks. For example, how much is a risk worth? What is the cost of the threat?”.  Another crucial area that is imperative for organisations to understand especially during these times is the risk associated with third party suppliers, especially on their security posture. Many organisations are embarking on third party security risk monitoring to have validation checks on their security risk exposure.

Fong said that “The critical success factors for an effective resiliency program and longer term risk management strategy is to have the operational risk management, IT and security risk management, regulatory and corporate compliance, business resiliency, third party governance and audit management, to be part of an integrated risk management framework.”

A more common view expressed is that no matter how much you prepare yourself, there will always be instances when organisations need to react to situational change. For example, incoming threats that can choke or change content in the media industry. In Singapore, this is currently a major challenge because the General Election is taking place soon. A framework for addressing these threats to content is needed.

From a cyber risk perspective, attendees discussed the need to establish a business context for IT and security, quantify IT and security risks in financial terms, identify and resolve deficiencies and detect and respond to attacks as necessary.

Concluding remarks

In summary, it was agreed that the COVID-19 crisis has forced most organisations to review and change their business continuity and crisis management plans. The crisis has exposed organisations to increased risk from multiple dimensions including, cybersecurity attacks, operations, supply chains and the workforce. For these reasons, more holistic risk management frameworks are required that offer visibility and dynamic assessment of risk across entire supply chains. These integrated structures need to be able to manage the magnitude, velocity and complexity of the risks we now face.

The Southeast Asia Technology Trends & Priorities for 2020 Report, published by CIO Academy Asia in collaboration with the Lee Kuan Yew Centre for Innovative Cities at SUTD, is now available for download.

Visit here to get your copy