The recent rash of cybersecurity breaches should have increased business awareness of the risk that comes with being part of the digital economy. Yet, sadly, risk awareness and risk preparedness are not always high on the list of priorities for most businesses – small-to-medium enterprises in particular.
You would expect that companies like communications service providers would be exceptionally aware of risks that could not only jeopardize their own business but also those of their customers. However, a recent survey of enterprise risk management (ERM) practices within telcos has highlighted the lack of self-awareness among many telcos when it comes to risk.
The survey, undertaken by the Risk and Assurance Group (RAG) and led by Lee Scargall (with over 20 years’ experience in telecoms risk and assurance), yielded some very interesting results in its interim report. Perhaps of most concern was that ERM is still at the early stages of maturity for the majority of companies, with an obvious lack of senior-level visibility – both in job title and in management hierarchy.
Lack of independence for ERM teams is a big issue. Well over 75% are still under the direction of Audit or Finance, with only 45% actively involved in risk mitigation activities. Risk extends far beyond financial issues these days, and one wonders why ERM is not a fully fledged department in its own right reporting to the C-suite, if not the CEO directly. It also begs the question why boards and stakeholders are not pushing for greater transparency when it comes to risk in general.
Today, any type of failure within a CSP is pounced upon by an eager press and the effect on share price is usually catastrophic. In a recent presentation at the RAG Conference in Bonn, Lee offered some dramatic use cases to prove this:
- In 2015, TalkTalk announced that 157,000 accounts had been hacked and 15,000 bank account details stolen – its share price dropped by 15% and the company was fined £400,000 by the UK ICO.
- Also in 2015, African operator MTN copped a $5 billion regulatory fine for not disconnecting SIM boxes – its share price dropped by 20%.
- In 2016, Vodafone was fined £4.6 million by Ofcom for breaches of consumer protection rules – resulting in a 15% drop in share price.
- In 2017, BT made a public announcement of accounting irregularities in its Italian operations – its share price dropped 20% with the subsequent loss of £10 billion in market capitalization.
Despite these nerve-wracking examples, the survey discovered that 55% of boards do not set and approve the risk appetite; 33% do not report their risk appetite to shareholders or the public; and 44% do not disclose their actual risks in their annual corporate report. And 22% of Audit & Risk Committees (A&RCs) meet just once a year or never discuss their risk profile! Alarm bells should be ringing, surely?
But wait, there’s more! Around 22% do not adhere to any risk standards such as ISO31k, and 56% have never undertaken a maturity assessment, such as RIMS. Also, 55% have not fully integrated ERM into the business planning cycle, and 55% have not integrated ERM into the decision-making process for taking out insurance cover. Yet these same companies market themselves as “trusted partners” to manage corporate communications, secure internet access and cloud services!
Of course, it would be interesting to see if OTT digital service providers would respond to a similar survey and what those results would show. My guess is they wouldn’t, and I’m not sure the results would be very different from the above numbers if they did. ERM is not that easy to do, and there doesn’t seem to be a flood of risk specialists in the market just now.
Perhaps CSPs should look closer at their Revenue Assurance and Fraud teams that already have access to so much relevant data and skills that could be utilized for broader risk assessment and mitigation functions. Or will they wait until another headline-grabbing disaster befalls them before they swing into a very costly and belated reaction?