No appetite for risk is no excuse for subsequent failures

Written on June 28, 2017 in Opinion

The recent rash of cybersecurity breaches should have increased business awareness of the risk that comes with being part of the digital economy. Yet, sadly, risk awareness and risk preparedness are not always high on the list of priorities of most businesses, and of small to medium enterprises in particular.

You would expect that companies like communications service providers (CSPs) would be exceptionally aware of risks that could not only jeopardise their own business but also those of their customers. However, a recent survey of enterprise risk management (ERM) practices within telcos has highlighted the lack of self-awareness among many telcos when it comes to risk.

The survey, undertaken by the Risk and Assurance Group and led by Lee Scargall (with over 20 years’ experience in telecoms risk and assurance), yielded some very interesting results in its interim report. Perhaps of most concern was that ERM is still at the early stages of maturity for the majority of companies with an obvious lack of seniority visibility – both in job title and management hierarchy.

Lack of independence for ERM teams is a big issue. 77% are still under the direction of Audit or Finance with only 45% actively involved in risk mitigation activities. Risk extends far beyond financial issues these days and one wonders why ERM is not a fully fledged department in its own right reporting to the C-suite, if not the CEO directly. It also begs the question why boards and stakeholders are not pushing for greater transparency when it comes to risk in general.

Today, any type of failure within a CSP is pounced upon by an eager press and the effect on share price is usually catastrophic. In a recent presentation at the RAG Conference in Bonn, Lee showed some dramatic use cases to prove this:

  • In 2015, TalkTalk announced that 157K accounts had been hacked and 15K bank account details stolen – share price dropped by 15% and the company was fined GB£400k by the UK ICO.
  • Also in 2015 African operator MTN copped a US$5B regulatory fine for not disconnecting SIM boxes – share price dropped by 20%.
  • In 2016, Vodafone was fined GB£4.6m by OFCOM for breaches of consumer protection rules – resulting in a 15% drop in share price.
  • In 2017, BT made a public announcement of accounting irregularities in its Italian operations – share price dropped 20% with the subsequent loss of GB£10B in market capitalization.

Despite these nerve-wracking examples the survey discovered that 55% of boards do not set and approve the risk appetite; 33% do not report their risk appetite to shareholders or the public and 44% do not disclose their actual risks in their annual corporate report. And 22% of Audit & Risk Committees (A&RCs) meet just once a year or never to discuss their risk profile! Alarm bells should be ringing, surely?

But wait, there’s more! 22% do not adhere to any risk standards such as ISO31k and 56% have never undertaken a maturity assessment, such as RIMS. 55% have not fully integrated ERM into the business planning cycle and 55% have not integrated ERM into the decision-making process to take out insurance cover. Yet, these same companies market themselves as ‘trusted partners’ to manage corporate communications, secure internet access and cloud services!

Of course, it would be interesting to see if OTT digital service providers would respond to a similar risk survey and what those results would show. My guess is they wouldn’t and I’m not sure the results would be very different if they did. ERM is not that easy to do and there doesn’t seem to be a flood of risk specialists in the market just now.

Perhaps CSPs should look closer at their Revenue Assurance and Fraud teams that already have access to so much relevant data and skills that could be utilised for broader risk assessment and mitigation functions. Or will they wait until another headline-grabbing disaster befalls them before they swing into a very costly and belated reaction?


About the Author

Tony is a freelance writer, regular speaker, MC and chairman for the telecoms and digital services industries worldwide. He has founded and managed software and services companies, acts as a market strategist and is now Editor of DisruptiveViews. In June 2011, Tony was recognized as one of the 25 most influential people in telecom software worldwide.
