
RISK MANAGEMENT


Managing risk in an ‘unpredictable, pandemic-altered’ South Africa

In today’s ‘unpredictable, pandemic-altered’ world, business owners are dealing with an ever-expanding risk landscape that’s likely keeping many of them awake at night.


That’s according to Professor Clifford Rossi, in his article Risk management predictions for 2022: seeking alternatives in times of uncertainty, published by GARP (Global Association of Risk Professionals). His list of risks includes regulatory changes, supply-chain disruptions, credit and interest rate risk, and human capital — all of which are relevant to South Africa, along with its rampant crime, floods, riots, fires, and other disasters.

The starting point for managing risk effectively is recognising that there’s a vast difference between a risk assessor and a risk manager, says independent South African security risk assessor, Andre Mundell of Alwinco. Most of the time, RFQs (requests for quotations) or tender documents state that they require a risk manager to assess their security portfolios, when they actually want an independent risk assessor whose salary isn’t paid by the company they work for, and who is guided by the criminal’s point of view, and not the company’s viewpoint, he says.

The problem with probability

Risk managers, he continues, are taught to use ‘probability’ as their guide to determining certain risks, but while probability may work in health and safety assessments, and maybe even in water and food assessments, it does not apply to security. “If you’re making use of a risk matrix with measuring levels or ratios from 1 to 5 to identify security risks, you are essentially agreeing that a percentage of crime is acceptable. If something is labelled as a risk level 1, you are agreeing that 20 percent of the crime is acceptable. Precisely which 20 percent do you accept? Does this 20 percent include theft? Rape? Perhaps murder? I have met risk managers who’ve never seen a crime scene before, who don’t understand security hardware, and who have never interviewed victims or suspects,” he points out, adding: “The correct approach is to first assess the security risk, and then implement and manage suitable solutions to eliminate the risks. Essentially, once the risk assessor has identified the security risks and has recommended the most risk-specific solutions, the responsibility is then handed over to the risk manager, who now has something tangible to work with. The risk manager is supported by the security manager, building manager, health and safety manager, environmental manager, and so on. Security structures tend to fail when one person is responsible for security as well as health and safety. Remember, health and safety is governed by the law, which means that it will always be the top priority, whereas security is usually neglected.”

Top five security concerns

• Loss of data and the inability to recover it

• Lack of internal skills and resources to manage the risks associated with using third-party providers

• Managing user access to information

• Compliance issues related to using providers in other jurisdictions

• Visibility of and control over data

Source: Liquid Tech The evolving Cyber Security threat in Africa

The top concerns for businesses relating to cyber breaches

• Financial loss 26%

• Loss of important company information 18%

• Reputational damage 17%

• Disclosure of strategic information to someone outside the business 17%

• Business disruption 14%

The cancer of insider crime

Mundell goes on to warn of the “cancer” of insider crime. “Inner crime is a cancer that has brought many companies to their knees and will continue to do so if it is not identified and eliminated - yet another reason why employees should never conduct company risk assessments. When you have been working with someone for many years and have come to trust this person, the chances are almost zero that you will ever see him/her as anything other than a colleague and friend, even if they might be a criminal operating from inside the company. An independent security risk assessor is not part of the business and has no connections or relationships with any employee, manager, or director. Their main focus is to identify the security risks, irrespective of what or who they might be, and to find suitable solutions to eliminate these risks. They will look at everything, from the cleaners right through to the directors, from access control to the perimeter fence, from day to night security, from processes and procedures, leaving no stone unturned. In short, a security risk assessor and a risk manager, while equally important, have vastly different functions and timeframes in which they operate.”

Risk from an insurer’s perspective

Brett Schultz is the Managing Director of Econorisk Broker Consultants, a Gold Affiliate member of SASA (Security Association of South Africa) and a member of SAIDSA (South African Intruder Detection Services Association), which provides insurance cover designed to meet the unique needs of South Africa’s high-risk private security industry.

In a world which is now more globalised and connected than ever, he says, the coronavirus pandemic, rising inflation, and the consequences of the Russian invasion of Ukraine will be compounded, leaving businesses and individuals increasingly vulnerable.

Adding to this are protests, sociopolitical unrest, and discontent, which are contributing to the country’s significant increase in crime, and cyber-attackers who are exploiting the growing, pandemic-driven move to working from home.


“Businesses must therefore ready themselves for more frequent and extreme developments and put in place effective – and tested – risk management processes, methods and tools to guard against unrest, cyberattacks, climate change-driven natural disasters, and even another pandemic,” Schultz says. “Insurance should be seen as part of a company’s broader approach to risk management and adaptation. Although it’s easy to perceive insurance as a cost, in reality it is probably one of the biggest value-adds to any business. It effectively minimises the damage caused by these and other unforeseen events, by protecting against financial loss and liability, even preventing some companies from closing their doors altogether.”


Cyber incidents

With the acceleration of digital transformation on the back of the Covid-19 pandemic, businesses across the world are looking at implementing new and evolving ways of using information technology, Schultz says. Digital and remote solutions have never been more essential, with millions of people suddenly needing to perform daily operations and deliver services to clients and customers seamlessly from anywhere and at any time. And, while this has brought many benefits, the increasing reliance on digital solutions has also amplified the risk of cyberattacks. “South Africa has seen a significant increase in the number of malware and other cyber attempts since the onset of the pandemic, with a notable increase in the frequency and sophistication of cybercrime. Protecting personal information, as required by the Protection of Personal Information Act (POPIA), has become more of a challenge than ever. Cyber threat is a huge reality and the thinking that ‘this won’t happen to me’ is not an option,” he continues. “Every business must take steps to understand their network’s real strengths and weaknesses — the relevant threats, any internal and external vulnerabilities, the impact if those vulnerabilities are exploited, and the likelihood of exploitation. This can be done through an independent risk assessment which will identify, estimate, and prioritise cyber risk. From here, a comprehensive cyber liability programme can be put in place, based on your actual risk.

“And remember, cyber liability insurance is not the same as general liability insurance, so don’t make the mistake of assuming you’re covered for cyber risks through your current insurance plan. This mistake cost Sony $171 million dollars! Also, many businesses are under-insuring for cyber insurance cover and are confusing cybercrime with normal business interruption. They are not the same! With the threat landscape constantly evolving, and new threats being presented every day, as enterprising hackers and cyber criminals look for new ways to exploit systems, and unwanted events unfold, businesses must put adequate measures in place now to assess and manage risk and protect themselves,” adds Schultz.

Travel risk

A company or organisation usually has four key assets that require protection, says Benedict Weaver, Managing Partner of corporate intelligence firm Zero Foundation Africa: property, people, information, and reputation — and the one risk that has the potential to create a perfect storm and adversely affect all four of these assets simultaneously is travel.

“Companies need to manage travel risk in the same way they do other workplace risk,” says Weaver, an advocate of the ‘4-Step Travel Risk Assessment (TRA)’.

The starting point is identifying individuals or staff categories most at risk when travelling. “Female travellers are more of a target than males; executives are at greater risk of being kidnapped for ransom than line managers; and corporate travellers carrying sensitive company information are more at risk than support staff,” he explains.

Step two concerns locating existing company travel protocols and identifying the department or individuals responsible for travel security. “There should be a published corporate travel security policy with supporting standards and guidelines around whether travellers are being met at their destinations or whether they’re relying on e-hailing and other risky local transport options; whether their accommodation has suitable security and fire prevention procedures, and so on.”

The third step is reducing risk. “What recommendations can you make to lower identified travel risks? Have you considered how to track and communicate with your corporate travellers when a disaster occurs? Do you have documented and properly resourced evacuation procedures? How will you repatriate a corpse? Do you provide actionable destination intelligence before your travellers leave on a business trip? Does your travel insurance cover KR&E (kidnap, ransom and extortion), theft of data and/or disaster recovery incidents?”

Number four on his list is when the travel risk management (TRM) programme will be implemented. “After reviewing existing travel security protocols and identifying practical recommendations to lower the risks to corporate travellers, you need to identify individuals to take responsibility for the programme,” says Weaver. “Set deadlines for what tasks need to be completed by when. Seek assistance from professional travel risk management and advisory professionals. Document how you will reduce the risks of the loss of liberty, life, and limb for corporate travellers.”

By adopting the 4-Step Travel Risk Assessment (TRA), you and your company will be able to realise the actual – rather than perceived – threats to corporate travellers. Directors will know about the risks and identify any failure to comply with their Duty of Care (DoC) obligations; and it will reduce business liability by providing a robust defence against a class action. Given the uncertain times in which people are now travelling, such a defence is a vital component of a company’s risk management strategy.

Conclusion

As Andre Mundell constantly reminds himself and his clients: “Crime cannot be undone.”

Contributors:

GARP

Web: www.garp.org

Andre Mundell / Alwinco

Email: andre@alwinco.co.za

Web: www.alwinco.co.za

Econorisk Broker Consultants

Web: https://econoriskbrokerconsultants.co.za/

Email: bretts@econorisk.co.za

Zero Foundation Africa

Web: www.zerofoundationafrica.com/

Liquid Tech

Web: www.liquid.tech/

Web: https://liquid.tech/wps/wcm/connect/corp/00d614b5e6cf-4552-9085-c12e47b6246c/Liquid+Intelligent+Technologies+Cyber+security+Report+2021.pdf?MOD=AJPERES&CVID=nKxjVS0
