 Provided by Wilna Meiring, IRMSA Risk Intelligence Committee Member
From online transactions and banking to shopping and gaming, cyber attackers are methodically finding new ways of using your devices against you, making each one of us increasingly vulnerable. In order to have a positive and safe experience in the digital world, we need to understand the ever-increasing diversity of digital threats and equip ourselves with the necessary knowledge and skills. Unfortunately, too many users/consumers are oblivious to the threats and how quickly cybercrime is evolving. Hackers are no longer as interested in breaking through firewalls or systems just to show they can. Their focus has shifted to theft of personal information and identity theft for financial gain with phishing being the most common method used to trick/deceive you into disclosing your data. According to the 2018 Norton Cyber Safety Insights Report, 37% of consumers globally experienced cybercrime with malicious software being the most common cyber related crime experienced.The report further highlights that less than half of consumers globally have taken any measure(s) to protect their personal information and online activities. The information below will assist to stay abreast of the risks and to anticipate and safeguard us against some of these threats. Protecting information online Companies learn a lot about consumers/users through the data they collect from online activities which assists them in understanding consumer behaviour and developing personalised offerings for targeted advertising. This includes data on preferences when shopping online, social pages that are liked or followed, media channels that are used and the personal information included on social profiles. Another dimension to the digital world and online activities is sharing - users share news, information, events, pictures, experiences and a lot more to build and maintain relationships as well as create new ones. Staying safe and secure in a digital world can be difficult. Not all hope is lost though, and there are some simple measures you can take to protect yourself and your information online:
We have all seen the message “This website stores cookies on your computer” while browsing the internet. So what are cookies? These are essentially a mechanism to how the internet (web) works. An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember a record of interaction information or to record the user's browsing activity. While cookies cannot infect computers with viruses or other malware, the danger with cookies are that cyber attackers can hijack cookies and, therefore, browsing sessions and track individuals' browsing histories. Take care to ensure that if you are using a public computer/device, you should delete cookies when you have finished browsing so that subsequent users will not have access to your data (sent to websites) when they use the browser. Business Email Compromise (BEC) BEC is a type of attack where a cybercriminal compromises or spoofs a corporate email account of an executive/senior member of staff to defraud the company, its employees, customers or business partners. In recent years the amount of BEC attacks have significantly increased with the FBI’s Internet Crime Complaint Centre putting global BEC losses in excess of $12 billion (USD) over the last 5 years (2013 – 2018).BEC attackers rely heavily on social engineering tactics and trick unsuspecting employees with well-worded, very specific email requests that appears completely legitimate. While there are many variations, the attack basically entails targeting employees with access to company funds/finances and tricking them into making transfers or payments to the bank accounts of the cybercriminal/fraudster. Requests typically impersonate senior employees and include an element of urgency and a request for confidentiality. The same modus operandi is also used to target customers or business partners. BEC prevention measures that can reduce this risk includes monitoring networks for suspicious emails, encrypting emails, diligently checking the sender details, independently confirming requests with the sender and most importantly employee training given BEC attacks rely primarily on employees’ vulnerability. Email and connected devices In some cases, risk-avoidance behaviour by users do not seem to extend to how email and connected home devices are used.Case in point, approximately half of all users cannot distinguish between a real or scam/fake email or are operating their home devices with limited or no protective measures in place. Frank Abagnale, the subject of the book and film, Catch Me If You Can, states that, “stealing your identity is like counting to three.” The reality is that we are all at times careless with our information or likely to accept certain risks online. Taking a few basic steps will however go a long way to protect yourself and your privacy:
MEDIA CONTACT: Rosa-Mari, 060 995 6277, rosa-mari@thatpoint.co.za, www.atthatpoint.co.za For more information on IRMSA please visit: Website: https://www.irmsa.org.za/ Twitter: https://twitter.com/IRMSAInsight Facebook: https://www.facebook.com/IRMSAInsight/?ref=hl LinkedIn: https://www.linkedin.com/company/irmsa-institute-of-risk-management-sa/
0 Comments
 Authored by: MS. Mpho Modisane, IRMSA Risk Intelligence Committee
In recent years, many more organizations have established Business Continuity Management Programmes (BCP’s) which define the different processes (suggestion to utilise the wording of ‘process’ rather than ‘system’ due to general, but not always, confusion around BCP and DRP) of avoiding and recovering from potential disasters to their business. With the number one goal of a Business Continuity Plan (BCP) serving to allow for continuation of operations while recovering from a disaster, the key component of the success of BCP’s relies on the organization’s resilience programme. Resilience Defined: The Business Continuity Institute defines Resilience as the adaptive capacity of an organization in a complex changing environment. Resilience is the more mature aspect of recovering from disaster which is the ability of an organization to uphold its functions regardless of drastic changes in the internal and external environment. Therefore, in their quest to achieve greater maturity in response to and recovering from disasters, an organization must consider a tailor-made resilience program to enable continuation of business under adverse circumstances. Resilience Statistics: In their annual Africa Resilience survey, Ernst and Young (EY) discovered that although majority of African Organizations have good BCPs; they in addition require a matured resilience programme to reduce the likelihood of exposure and recover from disruptive events when they happen. The conclusions from the survey indicate that approximately 72% [Level 2 – Level 5] of the respondents reported that their resilience programme can assist in recovering business operations after a disaster. Of that number, 5% is certifiable and 28% can recover all critical functions within approved Recovery Time Objectives. Only 28% either cannot recover operations or the respondents do not know the maturity level of the programme. Over 64% of the aggregated participants have indicated an alignment of their companies BCM resilience solutions, to international best practices, i.e. ISO 22301, ISO 22316, BS 65000, ISO 27031, the Business Continuity Institute Good Practice Guidelines 2013 and/or COBIT. Of the 64% approximately 10% have specified that their companies are aligned to BS 65000 i.e. a Guidance document on organisational resilience. The EY survey further rated the resilience maturity of the sampled organizations in line with international standards on a five-point scale, with five being the most mature level: Level 5 Certifiable Programme Level 4 Can recover all critical functions with approved recovery time objective Level 3 Can recover some critical functions with approved recovery time objective Level 2 Can recover limited business processes via information and undocumented processes Level 1 Cannot recover from or survive a disruption (programme does not exist) With the survey having revealed that 5% of the sampled organizations have reached level 5, 28% level 4, 24% level 3, 15% level 2 and 10% level 1 maturity of business resilience. The remaining 18% of the respondents indicated level of resilience unknown. What this indicates is that although 72% of the respondents reported that their resilience programme can assist in recovering business after a disaster, only 5% have their risk management sources spread beyond the scope of traditional risk methods. The need to be multinationally resilient: The complication with any organization operating multinationally is that the nature of disasters become foreign, away from the home country. The best assurance any organization can get against unknown material disruptive events is to align with international standards both at policy level and implementation. A multinationally resilient organisation can reduce their vulnerability through adopting a resilience programme which gives them the opportunity to recover all critical functions within the approved Recovery Time Objectives. As a risk professional have you considered that:
ENDS MEDIA CONTACT: Rosa-Mari, 060 995 6277, rosa-mari@thatpoint.co.za, www.atthatpoint.co.za For more information on IRMSA please visit: Website: https://www.irmsa.org.za/ Twitter: https://twitter.com/IRMSAInsight Facebook: https://www.facebook.com/IRMSAInsight/?ref=hl LinkedIn: https://www.linkedin.com/company/irmsa-institute-of-risk-management-sa/  The latest listed entity to meet the wrath of investors is Tongaat Hulett, who indicated earlier that it may have to restate its 2018 financial statements following a comprehensive review of “certain past practices”.
The share price has been bludgeoned and billions of rands have been wiped off its market value. Other big players such as Steinhoff, KPMG, Enterprise and Volkswagen have also felt the pain when they misled customers and investors. South African companies have no shortage of guidance on best practices in risk management and auditing with a myriad of ethics and good corporate governance codes. It is then no surprise that the market punishes those who do not live up to their “commitment” to integrity, competence, responsibility, accountability, fairness and transparency. The ripples of brand and reputation damage go beyond the firm and its auditors. Investors and their investment decisions are based on, amongst other things, audited financial statements that are supposed to give assurance of the integrity and credibility of companies’ financial performance. What happened at Steinhoff, Enterprise and Tongaat Hulett, significantly impacts investment choices and returns where hard earned income of people saving for their pensions are now lost or at least significantly reduced, says Christopher Palm, Chief Risk Advisor of the Institute of Risk Management South Africa (IRMSA). Pointing fingers – in the wrong direction Ironically enough the 2019 IRMSA risk report shows that companies consider governance failure in the public sector – not amongst themselves – to be one of their biggest risk. The loss of reputation and severe brand damage is number 17 out of the top 20 South African Industry risks highlighted in the 2019 IRMSA Risk Report. However, Palm says recent corporate failures place the effectiveness of risk management once again under the spotlight. “I think there is a lot to be said for organisation’s risk profiles not receiving enough thought in the organisation.” This goes for the board, the audit and risk committees and management. Effective defences Effective governance has three lines of defence; strong leadership, effective safeguarding functions like risk management, governance and compliance combined with assurance from a strong internal and strong independent external audit functions. When a company has all of these defences in place, but does not consider its effectiveness and the way it is integrated into better decision-making it is purely for compl,iance purposes, he says. Risk management is all about highlighting risks and opportunities to allow boards and the leadership of an organisation to make the best possible decisions, says Palm. A company must consider the following when the board and the executive leadership debate the organisation’s risk profile:
If you measure only financial performance, this is what drives the behaviour in the company. “Companies are not forward-looking enough. The changing environment Palm warns that consumers and investors, especially younger generations, are already considering companies differently. The Youth is not only looking at profits and returns on shareholder money but increasingly demanding leadership with integrity, good corporate citizenship, necessary social investments and a responsible return on investment – all of this, made possible in a way that respects the environment. They consider at which cost it was achieved, and who is really benefiting from their actions, says Palm. ENDS MEDIA CONTACT: Rosa-Mari, 060 995 6277, rosa-mari@thatpoint.co.za, www.atthatpoint.co.za For more information on IRMSA please visit: Website: https://www.irmsa.org.za/ Twitter: https://twitter.com/IRMSAInsight Facebook: https://www.facebook.com/IRMSAInsight/?ref=hl LinkedIn: https://www.linkedin.com/company/irmsa-institute-of-risk-management-sa/  In celebrating Youth Day, we are reminded that the uprising that began in Soweto more than 40 years ago was all about education, and how it profoundly changed the socio-political landscape of the country.
Today structurally high unemployment, growing income disparity and inequality as well as inadequate or substandard education and skills development count under the top five risks facing our country, says Christopher Palm, Chief Risk Advisor of the Institute for Risk Management South Africa (IRMSA). According to the 2019 IRMSA Risk Report industry sees inadequate and substandard education and skills as the second biggest risk for companies. The latest statistics on unemployment shows that the biggest burden of unemployment falls on people aged between 15 and 34 years. According to Stats SA they accounted for 63,4% of the total number of unemployed persons during the first quarter of this year. The youth aged 15–24 years are the most vulnerable in the South African labour market as the unemployment rate among this age group was 55,2% in the reported period. The danger of a disillusioned youth How we respond to these risks are critical, says Palm. In the IRMSA report the growing disillusionment among the youth of South Africa is highlighted. The report warns that it could lead to a youth-driven protest movement, on a much larger scale than the student protest movement. “Such a movement, if led and supported by other population groups in the country, would hold a particular challenge for the general political and social stability of the country...” Palm says this is a real consequence if we do not get unemployment and our education system in order. Palm also suggests that identifying the most effective risk treatment options require both the public and private sectors as well as our career advisors and learning institutions to better understand the future skills requirements; this is best achieved by engaging the risks and opportunities presented to us by trends like the Fourth Industrial Revolution and future thought leadership insights provided by the Institute for Futures Research at Stellenbosch. To identify and understand what future skills are needed and to align country and industry skills planning with the ability of the educational system to deliver is a critical success factor in addressing the risks highlighted above. “The youth must know what the skills of tomorrow are going to be; it is said that the skills that will be needed 10 years from now haven’t even been given names yet. We need to respond and get this right NOW; if we don’t, the system will not allow us to align quick enough to enable our labour market to produce these skills when it is needed. We will end up with skills that are redundant by the time students start their careers and South Africa will not be able to exploit the global opportunities presented by the fourth industrial revolution.” The folly of quick fixes The report quotes American economist Joseph Stiglitz who wrote in his book Price of Inequality: “If a country doesn’t give a large proportion of the population the education that they need to earn a decent living, if employers don’t pay a decent wage, if society provides so little opportunity that many people become alienated and demotivated then that society and its economy won’t work well”. It also does not help to “give” people an education for the sake of the numbers; they must be able to do the work and to realise the values of significance and self-reliance. The folly and ineffectiveness of “quick fixes” has to be emphasised. For IRMSA it is a year of risk activism and the Institute wants to make a difference in not just highlighting country and industry risks but also capacitating leadership and the risk profession to make a difference. The IRMSA report reiterates the importance of a “social pact” and the need to align socio-economic programs towards youth investment. At IRMSA’s conference in October and their Awards Gala Dinner in November, they will focus on the youth and recognise and honour public and private companies that are addressing the risks relevant to the youth with innovative and supportive initiatives. Several professional associations (such as the Actuarial Society of South Africa, Project Management SA and the Association of Chartered, Certified Accountants), represented by the South African Graduate Employers Association (Sagea) are already involved at school and university level to promote careers where there are skill shortages, or where there is insufficient information about career opportunities in specific professions. In around 28% of the cases associations are involved in career promotion activities because they need to improve the “attractiveness” of their profession. At school level the associations are involved in presentations to learners (17%), they are present at career expo’s (17%) or they are sponsoring related events (14%). Around 7% of the associations who participated in a recent survey by Sagea provide bursaries and 3% offer job-shadowing opportunities. At university level most offer presentations to students (21%) or they offer guest lectures (15%). Around 12% make use of university career fairs to promote their professions and 7% offer bursaries. “We will honour those who, amongst many other innovative ways to treat the risks spoken about earlier, make schools safer, assist with skills development for educators, and who provides learnerships, apprenticeships and the like,” says Palm. ENDS MEDIA CONTACT: Rosa-Mari, 060 995 6277, rosa-mari@thatpoint.co.za, www.atthatpoint.co.za For more information on IRMSA please visit: Website: https://www.irmsa.org.za/ Twitter: https://twitter.com/IRMSAInsight Facebook: https://www.facebook.com/IRMSAInsight/?ref=hl LinkedIn: https://www.linkedin.com/company/irmsa-institute-of-risk-management-sa/  Authored by: Christelle Marais, Executive Director - Lucidum Consulting. The Institute of Risk Management South Africa member.
It was with a confusing combination of anger, sadness, guilt and frustration that I completed my reading of Pieter-Louis Myburgh’s ‘Gangster State’ recently: Anger – about the disrespectful arrogance with which the dreams of millions were stolen, while they trustingly looked on. Sadness – over the blood, sweat and tears that made this country, the blood, sweat and tears that built a new society after 1994 and the blood, sweat and tears that will rebuild it again, after the capture. Guilt – like many of my risk management colleagues, wondering if we could have done more to prevent the rot (causes) or to uncover what was going on (consequences) as part of our risk management effort in public and private organisations (because as ‘Gangster State’ suggests: it takes two to tango!). And then – frustration… Ah, maybe my frustration weighs heaviest on my heart… But frustration of the kind that would do it all over again, if someone would just listen, if someone would just take me seriously. While reading ‘Gangster State’ I was reminded of whistle-blower Harry Markopolos’ book ‘No One Would Listen’ about his investigation into the Madoff investment scandal and how the US Securities and Exchange Commission failed to heed his warnings. I was struck deeply by many who warned about what was happening in the Free State, such as Patrick Lekota, who’s highlighting of concerns went ignored (at best) and purposely thwarted (at worst); the Goldhawk report, with scathing findings on irregular loans; the Auditor-General, with many reports on the lack of financial controls and disregard for legislative compliance; Beatrice Marshoff, trying to appoint MECs that could do the job, but instructed to appoint Ace Magashule; and Noby Ngombane, whose efforts to implement oversight of Free State municipalities’ spending may have cost him his life. While I found the disregard for these warnings alarming, they awoke in me more familiar feelings: feelings that most risk managers would know all too well… Irritation when risk management is treated as ‘compliance’ only. Disappointment at not being taken seriously when including real risks in my reports, when pointing out real causes of those risks and when showing real consequences if those risks were to materialise. Disempowerment when the accountabilities that my risk management framework seeks to ensure, are negated and not keeping organisational role players to account, are rationalised. Despair when my risk reports are changed, redacted, reduced (or worse, just not submitted) because they include things that would make my leadership uncomfortable. Marginalisation when I realise that I am purposely excluded from key discussions, because my reason for existence in my organisation may expose things that would rather be kept hidden. Dismay if there is no effort by my leadership to understand what ‘risk appetite’ is and how the continued disregard of the impact of wrong decisions can destroy us. But most of all, exasperation when my reports are ‘NOTED’ by my governing body only to be regarded as having failed to convey the message, when things go wrong. As I read, I wondered what Madiba and Thabo Mbeki would say about the fact that they wished away the warnings, tip-toed around the issues and bowed to public and party pressures (diplomatically trying to keep a fragile governing system stable, but creating huge future problems for many people, not least of which is the legitimacy of government). I reflected back on minister Pravin Gordhan’s question at IRMSA’s 2018 Conference to risk managers: ‘How did you miss state capture?’ And I felt like asking: ‘How did you not hear us when we spoke out?’ Perhaps my message today is not so much to risk managers, as it is to leaders in all spheres of our economy (public, private, non-profit organisations, and civil society); to these executives, directors, society leaders, political heads and parliament, please
ENDS MEDIA CONTACT: Rosa-Mari, 060 995 6277, rosa-mari@thatpoint.co.za, www.atthatpoint.co.za For more information on IRMSA please visit: Website: https://www.irmsa.org.za/ Twitter: https://twitter.com/IRMSAInsight Facebook: https://www.facebook.com/IRMSAInsight/?ref=hl LinkedIn: https://www.linkedin.com/company/irmsa-institute-of-risk-management-sa/  Now that the elections are over, it’s time for government - every South African, in fact - to consider how to help the nation recover from its past woes and once again pursue progress and development.
The answer, says Christopher Palm, Chief Risk Advisor at the Institute of Risk Management South Africa, is right in front of us. Every system must maintain an upward trend in development to survive. This is true whether discussing a business, national government, the electrical infrastructure, the national economy, or the global environment. If it doesn’t, the inevitable shocks and stresses it faces in its operating environment can lead to a long-term downturn in development, ultimately resulting in the demise of the system itself. “To protect its progress and therefore its existence, each system must acquire the resilience to repel or recover from external threats,” says Palm. What is resilience? Technically, resilience is the rapidity with which a system can bounce back from sudden shock or sustained stresses to resume progressing its development at its normal pace. Practically, it means striving to create sustainable development in modern macroeconomic and microeconomic environments marked by change, risk and uncertainty. However, research indicates that any system that effectively manages risk is likely to become more resilient. “In fact, risk management can be considered successful only to the degree it results in resilience,” says Palm. Building resilience According to Palm, resilience starts with a mindset that is organised around risk management. That mindset, he asserts, is based on the realisation that, as maintainers of a system, we can either react to each crisis individually without actually preventing it from progressively eroding development. Or we can anticipate probable threats and implement countermeasures to minimize their impact ahead of time, and so conserve developmental gains. “Unfortunately, sustained exposure to system shocks and stresses can cause us to accept its degraded performance as the new normal,” warns Palm. “So we first need to foster an uncompromising mental resilience that drives us to return the system rapidly to its former best standard.” When all system maintainers are of the same mind, adhering to accepted behaviours and values, a culture of resilience is created that ensures a high level of development progress is achieved. But how does one nurture a resilient mindset? The resilient risk manager Both systemic and mental resilience are achieved by training members of the system in risk management to a professional level. Organisations who maintain the development of a system need highly qualified people who will implement the right policies and processes. Such qualifications will help it bolster resilience by building a robust risk management function, establishing comprehensive business continuity plans and disaster management plans, gaining the ability to correctly test the effectiveness of those plans, expanding its situational awareness through scenario planning and strategic reviews, and, finally, aligning its business processes to its risk management strategy. In essence, qualified risk practitioners are credible advisors who have the capabilities to protect system development and influence other members to strive for that purpose. “Once that self-organising culture is established,” says Palm, “we can not only preserve the progress of the system’s development, but also capitalize on future opportunities that would otherwise have been missed to make even faster gains.” Palm encourages all organisations to ensure they have a well-trained risk management team who are accredited members of a professional risk management body. ENDS MEDIA CONTACT: Rosa-Mari, 060 995 6277, rosa-mari@thatpoint.co.za, www.atthatpoint.co.za For more information on IRMSA please visit: Website: https://www.irmsa.org.za/ Twitter: https://twitter.com/IRMSAInsight Facebook: https://www.facebook.com/IRMSAInsight/?ref=hl LinkedIn: https://www.linkedin.com/company/irmsa-institute-of-risk-management-sa/  Authored by: Solethu Maku, committee member on the IRMSA Risk Intelligence Committee
In the wake of the global economic crisis there has been a significant change in banking economics; preceded by an avalanche of regulation. Although these prudential reforms have resulted in well capitalized financial institutions; this has certainly come at a cost to the shareholder. The regulatory storm seems to have abated, slightly, and the question remains: will shareholders see an upside on their investment? One of the ways banks seek to harness shareholder value is undertaking a rapid digital transformation journey, which is becoming critical considering the inroads by Fintechs, characteristic of the advances we are seeing in open baking. “To safeguard their organization through the digital transformation journey, financial firms need to close the gap between their digital aspirations and the reality of the legacy IT estates,” Matthew Hayday at Parker Fitzgerald concluded in the report, Digital banking transformation creating new systemic risks. As commercial banking divisions embrace the use of Artificial Intelligence (AI), Machine Learning (ML) and predictive analytics; so should Risk Management rapidly position itself as an enabler for conscious risk taking through the exploitation of technology. The adoption of technology to a large extent been particularly slow, largely because the cost of errors in the risk environment can be unacceptably high. If Risk Management practitioners are to optimally partner with business, a shift in how Risk Management tools are deployed needs serious consideration towards providing intuitive, real-time risk management. Techniques such as AI, ML and analytics are best positioned at modernizing how Risk is managed. As we employ these techniques towards the implementation of a robust and proactive RCSA process, precise capital modelling and efficient risk alert systems we need to consider:
“It was eight years ago that those robots began showing guests around Santander City, but there is still not a single robot to be found in any of Santander’s 13, 697 bank branches,” the Financial Times concluded in, AI in banking: the reality behind the hype. ENDS MEDIA CONTACT: Rosa-Mari Le Roux , 060 995 6277, rosa-mari@thatpoint.co.za, www.atthatpoint.co.za For more information on IRMSA please visit: Website: https://www.irmsa.org.za/ Twitter: https://twitter.com/IRMSAInsight Facebook: https://www.facebook.com/IRMSAInsight/?ref=hl LinkedIn: https://www.linkedin.com/company/irmsa-institute-of-risk-management-sa/ |
RSS Feed