insights - cio summits · 2014. 7. 16. · michael hedges, vice president & chief information...
A WIPRO COUNCIL FOR INDUSTRY RESEARCH JOURNALS
INSIGHTS
VOLUME XVII
COPYRIGHT 2014, WIPRO LIMITED
Thinking Connectedness Across Product Ecosystems
VOLUME XVIII Business Resilience
Wipro set up the Council for Industry Research, comprising domain and technology experts from the organization, to address the needs of customers. It specifically surveys innovative strategies that will help customers gain competitive advantage in the market. The Council, in collaboration with leading academic institutions and industry bodies, studies market trends that will help provide organizations with better insight into their IT and business strategies.
For more information on the Council, visit www.wipro.com/insights/ or email us at [email protected]
Resilience: The Next Frontier
At the 2012 London Olympics, amidst thunder and a massive downpour, Ethiopia’s marathon runner Tiki Gelana stumbled over a plastic bottle, fell to the ground, picked herself up and ran to win the gold. When her coach was asked about this incident he said his athletes trained at a height of 9,220 feet above sea level, where oxygen is very sparse. If they can run there, they retain their core ability – and build resilience towards unpredictable disruptions.
Business leaders with foresight have begun to recognize the value of resilience. It helps them beat risk before it beats them. Some of the smartest business leaders are drawing up blueprints that will ensure their organizations come through market, technological and financial stress while staying true to their core. They realize that natural disasters, growing cyber security threats, the emergence of new power centers, increasing regulation, shrinking resources, previously unseen social patterns and the intersection of technologies are destabilizing business.
This issue of WInsights explores the idea of building business resilience in a fast-changing world. We believe that reactive corporate disaster recovery is not enough. Building systems and processes that keep business running as usual during a crisis is the key to staying ahead.
To aid your thinking, we bring two special views - a perspective on reputation resilience by David Roman, CMO of Lenovo and another by Michael Hedges, CIO of Medtronic Inc., on how technology builds resilient systems and helps cope with regulatory uncertainty in medicine. I thank David and Michael for their contribution and am sure that you will find them enriching. I am happy to say that we also have some unusual thinking from our own team of experts at Wipro. They bring their on-ground experience with customers across the world to explain ideas around resilience. This is in addition to an insightful piece from HBR which I hope you will enjoy.
Puneet Chandra
Chief Marketing Officer, Wipro Ltd.
FOREWORD
WINSIGHTS Volume XVIII
06 Process Resilience Is Becoming A Business Imperative
Large companies are relatively more vulnerable to process related disasters and therefore need to consider models of risk management that give due importance to the resilience of processes.
Alexis Samuel, Chief Risk Officer, Head BPE, and Global Managing Partner, Wipro Consulting Services
CONTENTS
13 Resilience: Building ‘Bounce’ Into Your Corporate Structure
Some companies bounce back. Others go into tailspin. Why? An executive summary of the FT/Wipro strategic panel discussion in Davos on Tuesday 21st January, 2014
Chaired by: Andrew Hill, Management Editor, Financial Times | Panel: T.K. Kurien, CEO and Member of the Board, Wipro Ltd. | Brian Moynihan, CEO, Bank of America | Dennis Nally, Chairman, PwC | David Roman, CMO, Lenovo
17 Reputational Resilience In A Transparent World
Managing Brand reputation in the age of social media and an increasing millennial audience has to do with proactive transparency and the willingness and ability to respond to what customers are saying.
David Roman, Chief Marketing Officer, Lenovo
23 The State Of Cybersecurity In The Digital Economy: Balancing Accessibility With Effective Risk Management
The biggest corporations in today’s highly cyber threatened world use a combination of awareness, outsourcing and automation to remain cyber resilient.
A research by Wipro and UBMTechWeb
40 Keep It Simple And Serious - Confronting The Challenges In Technology Risk Management
Managing technology risk in an environment of increasing cyber threats revolves around simplifying decision making and empowering the IT team.
51 Business Pulse - Davos Dipstick Survey
Business risks are no longer isolated and localized, but extend to multiple entities in an increasingly complex, dynamic and interconnected world. A dipstick survey at WEF, Davos 2014 reveals that flexibility, a strong core and a diverse executive team are key to resilient organizations.
32 How do you measure cyber risk?
Since Cyber Risk is an enterprise risk, senior management needs numbers to make decisions. This article discusses various approaches used to quantify Cyber Risk.
Kenneth Hall, VP & Global Head – Cyber Security Consulting, Wipro Ltd. | Guha Ramasubramanian, Head - Corporate Business Development, Wipro Ltd.
42 Surprises Are The New Normal; Resilience Is The New Skill
Success is no longer about being on the top all the time; it's about getting back from the bottom.
Rosabeth Moss Kanter, professor at Harvard Business School and the author of Confidence and SuperCorp.
35 Building A Resilient Business For Tomorrow’s Challenges
The CIO of the world’s largest medical technology company shares the challenges and opportunities of an uncertain regulatory environment, a volatile market and evolving technologies.
Michael Hedges, Vice President & Chief Information Officer, Medtronic Inc.
46 Resilience Redefined In Energy & Resources Industry
The critical energy and resources industry is increasingly susceptible to crippling disruptions. This article shares strategies that are needed to safeguard the two components of the industry - Extraction and Supply & Distribution.
Subbi Lakshmanan, Vice President & Global Domain Practices Head, ENU, Wipro Ltd.
Balasubramaniam Ganesh, Sr. Vice President , Banking Products and BFSI in Emerging Markets, Wipro Ltd.
In an increasingly networked world, organizations need to
move beyond the kind of corporate disaster-recovery efforts
that followed the earthquake, tsunami and nuclear incidents in
Japan in 2011. To be in the top-performing tier, organizations
need to become resilient to internal as well as external
disruptions. Process resilience, in particular, is very important
for industries which are either highly regulated, Internet facing,
or serve end-user customers. Below, Morris Cohen and Praveen
Pathak, professors of operations and information management
at Wharton and the University of Florida, respectively, and
Alexis Samuel, chief risk officer and head of business process
transformation at Wipro, look at why process resilience is
becoming a business imperative. This white paper was produced
by Knowledge@Wharton and sponsored by Wipro Ltd.
Process Resilience Is Becoming a Business Imperative
Disaster recovery is typically reactive. If something goes down, can it be recovered? But organizations need to be proactive about potential disasters, especially when it comes to the resilience of their business processes, says Alexis Samuel, chief risk officer and head of business process transformation at Wipro Technologies. It is an emerging concept, but Samuel expects process resilience to become a “business imperative” in the coming years.
It is about “the resilience of processes and the underlying IT systems, people practices and technologies that together make an enterprise function consistently,” Samuel says. It is also “the ability of an organization to maintain the continuity of its business and meet obligations.”
Taking a broader perspective, Morris Cohen, a Wharton professor of operations and information management, notes, “If you respond quickly to any disruption in an efficient manner, one would say you are resilient.” But remaining resilient is more difficult now because of increasing globalization, interconnectivity and “the way in which we manage supply chains and economies today.” He cites the March 2011 earthquake, tsunami and nuclear incidents at the Fukushima reactors in Japan. Following this triple disaster, the auto industry across the world was disrupted for many weeks. Part of the reason was that certain Tier 3 or Tier 4 suppliers based in the worst-affected Tohoku region had to shut down, and it had a ripple effect. “Companies like Nissan and Toyota didn’t even know about the existence of these suppliers. One of the lessons learned was that companies need to go all the way down and figure out all the connections in the network, because it can break down somewhere and bring the whole system down.”
While every industry is susceptible to risks, the consequences of disruptions vary, Cohen points out. Most vulnerable are defense, banking, financial services and insurance (BFSI) and health care. Samuel, looking at the issue from another angle, suggests that process resilience is most relevant for industries which are either highly regulated, Internet-based, or are end-user service providers, like BFSI and retail.
PROCESS RESILIENCE
A Knowledge@Wharton – Wipro Article featuring
Alexis Samuel, Chief Risk Officer, Head BPE, and Global Managing Partner, Wipro Consulting Services
Morris Cohen, Professor – Operations and Information Management, Wharton
Praveen Pathak, Professor – Operations and Information Management, University of Florida
Both Cohen and Samuel note that process resilience is more relevant for larger players because they are more complex and also part of a larger ecosystem and therefore can be a source of ripple effect. “There are more interconnected parts in large companies, and it is harder to respond fast and effectively if you are big & complicated,” Cohen says. “Therefore, robust processes, whether related to supply chain, IT or anything else, are very important.” Large organizations are also likely to be under greater scrutiny from regulators because of their public impact.
Regulatory pressure following service disruptions has been a key driver pushing process resilience forward in the BFSI sector. In 2012, for example, the Royal Bank of Scotland (RBS) had a major service disruption in the U.K. because of a software glitch. Customers were unable to withdraw cash from ATMs or see their bank account details, and certain other transactions were also disrupted. It took RBS a few days to restore normal functioning.
Disruptions in banking services could potentially extend far beyond immediate customers, Samuel notes. The U.K.’s Lloyds Bank, for example, handles 40% of inter-bank transactions in the U.K. If this application were to go down or get throttled, 40% of banking transactions in the U.K. would get impacted. Notes Cohen: “When these institutions fail, they can bring down major parts of the global economy. That is why there are more regulatory controls in banking and trading….” Samuel sees a “big shift” by regulators. For instance, they are “now holding the boards of banks in the U.K. accountable for resilience failures, pushing them to take a lead in implementing process resilience programs.”
The growing influence of social media is also encouraging more process resilience. A couple of tweets from an unhappy customer can spread to millions of customers within seconds. And with no one to judge officially whether the complaint is valid, the risk of damage to reputation is high. “The net effect is that process resilience is moving from a discretionary, good-to-have expenditure to a must-do, non-discretionary investment to address the risk posture,” says Samuel. “While business leaders and risk officers agree there is still the challenge of putting a number on return on capital employed (ROCE) for such investments, it needs to be addressed innovatively.”
Yet, as Cohen points out, resilience has always been an important asset in successful organizations. Companies that respond quickly and cost effectively -- “strategically or operationally to random stimuli or shocks” -- perform better and have always been rewarded ultimately in the marketplace. “The difference now is that resilience is being recognized as an important business imperative.”
Regulators and Social Media
Another major shift connected to process resilience is the software development lifecycle, including testing of applications. In the past it was viewed as adequate to test any new application internally. But in many industries today the environment is highly networked. Banking applications, for example, are closely linked to telecom service providers or to credit card providers like Amex. So it is important for applications and the underlying infrastructure, people, technology and processes, to be designed to accommodate all players - internally and externally - during the testing phase.
For fully effective resilience in the system, “testing of any application or process is being brought way up in the design and development lifecycle,” notes Samuel. “Near real-time replication of the test environment may also become a norm in the near future.”
The availability and recovery time of third-party hardware also needs to be evaluated in striving for resiliency. While service contracts have been a mainstay, today organizations are increasingly demanding that partners show they can meet the contractual obligations. “This whole focus on resilience is forcing people to think of it on an end-to-end basis with the ends expanding continuously,” says Samuel. “The resilience theme is also expanding to cover cyber security.”
New Models
Cohen points to another new aspect of managing resilience -- performance-based contracts. Such contracts rest on “actual performance and not on the promise of performance.” Thus, “you don’t need to verify if your partners and suppliers can meet their obligations. You pay them only if they do so. This puts a lot of pressure on them.” Expect this trend to “expand further.”
So how does an organization implement a robust process resilience program? To begin with, and using a bank as an example, it must catalogue all business processes - like account opening, credit card transactions, online or mobile banking and so on, notes Samuel. It then needs to identify the critical processes for each, and then define the risk appetite - or the acceptable threshold - if the process fails. In banking, the risk appetite is not just a financial measure – there are other key metrics, says Samuel. “For instance, a bank could decide that in a particular process, say for credit card transactions, instead of handling 100 transactions per second, it can go down to 70, but not below that. Or, in Internet banking, it can take a maximum of one hour of downtime a year.”
Once the risk appetite has been established, the underlying infrastructure must be measured. The IT systems, people, and technology that support the processes and their effectiveness, must be assessed in a systematic manner using pre-designed templates to ensure consistency.
This throws up the gaps between current performance and the risk appetite, which then need to be addressed with relevant solutions, Samuel adds. An assessment typically takes around six to nine months while the execution is usually over a three-year period.
According to Praveen Pathak, a professor of information systems and operations management at the University of Florida, any process can be categorized based on the extent of expertise required. While processes such as bio-informatics, equity research, risk modeling in insurance and technical analysis for mergers and acquisitions require a high degree of expertise, those such as call center-based tele-marketing & tele-collections require less.
For high-expertise processes, resilience requires two important attributes – flexibility and adaptive learning, says Pathak. Process flexibility, in turn, requires “loose and variable monitoring of process-output quality metrics (like error rates, productivity, responsiveness) and interactive managerial guidance.”
Optimizing Investments
Pathak suggests that by “not monitoring the process along all output quality metrics, and allowing the expert knowledge workers to choose which ones to optimize and when,” flexibility gets built into the process. “My research study of over 150 business processes from Fortune 500 companies shows that process flexibility is positively associated with process resilience – it lowers the error rate and process failure significantly.” An increase in process flexibility of about 10 percentage points tends to lower the process failure rate by 11% to 17%.
For non-expert processes, Pathak notes that resilience is compromised if there is too much flexibility. Adds Samuel: “Establishing & maintaining the right level of design authority is another important issue to be considered.”
According to Samuel, a process resilience remediation program for a large and old BFSI enterprise could be anywhere from US$300 million to US$600 million over three years. The cost versus benefit has to be assessed while deciding on the risk appetite. Once the risk appetite is frozen, the company needs to do whatever it takes to meet it. However, the best way to optimize the investments is by identifying and prioritizing the critical processes correctly, and also analyzing the interdependencies of various tasks. Samuel adds that banking professionals feel that “processes that touch fraud, money laundering and regulatory reporting also need to be brought under the ambit of resilience programs.”
Being resilient “depends on making the right decisions, the right investments and managing the investments before any disruption occurs,” Cohen explains. “Sometimes these decisions can be pretty complicated and you may need sophisticated methodologies to make the right decisions. Outside experts can help in optimizing investments in any kind of risk mitigating initiatives. Risk management as a whole, however, also requires a strong internal team.” Adds Samuel: “It is not a one-time exercise, but something that needs to be constantly updated.”
DAVOS DINNER SUMMARY
Resilience: Building ‘Bounce’ into your Corporate Structure
Some companies bounce back. Others go into tailspin. Why?
An executive summary of the FT/Wipro strategic panel discussion in Davos on Tuesday 21st January, 2014
Chaired by: Andrew Hill, Management Editor, Financial Times
Panel: T.K. Kurien, CEO and Member of the Board, Wipro Ltd. | Brian Moynihan, CEO, Bank of America | Dennis Nally, Chairman, PwC | David Roman, CMO, Lenovo
In a world moving towards increased complexity, volatility and dependence on technology, a tolerance for uncertainty and an ability to respond rapidly to surprises – both good and bad – within the business environment is essential. Resilience, the term for this core characteristic that enables a company or organization to stage a comeback after what might otherwise be a catastrophic event, is fast making its way up the boardroom agenda. The FT/Wipro Executive Dinner Forum, which took place on the eve of the World Economic Forum in Davos, on Tuesday 21st January, 2014, brought together companies with a track record for ‘bounce’ and experts on the topic of resilience to look at operational resilience (what you need to do to prepare for day to day threats to a business, such as cyber risk) and strategic resilience (adapting and responding to the broader threats – and opportunities - in the business environment).
Andrew Hill, Management Editor at the Financial Times, launched the evening’s discussion by explaining that as the FT’s Management Editor, he tries to write about how companies and other organizations are run, “…and one of the things that I have picked up over the last 3-4 years, really since the height of the crisis, is that the buzzwords for chief executives and managers of all sorts are the kind of buzzwords that we are going to talk about tonight.” He was referring not just to resilience, but to agility, adaptability and flexibility, and highlighted the fact that whether or not we are now emerging into a period of more recovery in developed markets, the common factor is that companies now need to deal with volatile technological change. So what are the key challenges currently facing companies, and how are they building ‘bounce’ into their enterprises in order to weather them?
T.K. Kurien, CEO & Member of the Board at Wipro Ltd., one of the largest global IT services, referred to a recent piece of research his company has conducted with the FT, in which 98.8% of respondents identified technology risk management as important or very important. The challenge is in part a demographic one, he said, noting that “… up to the age of 30 a person can adapt to and learn technology, beyond 32 it gets a little fuzzy, beyond 50 it gets extremely tough.”
But after 60, the research indicates that there is sudden technology rejuvenation, “everyone wants to learn before retirement from what their kids are doing”. The pre-internet age companies now have to acquire this expertise, and use the net effectively. First start with the process, & then use technology as an enabler. And, tempting though it is, just throwing money at this is not the answer, Mr. Kurien warned.
Technology resilience requires simplicity in business processes, Mr. Kurien observed, citing the example of the manufacturing industry, which, he says, has traditionally done this very well. “Take, for example, a car manufacturer,” he said, “essentially you build a platform, and irrespective of what the platform does, you put brands in front of it, and with that little bit of variation, you sell it.” Without eliminating inherent complexity “you can never have resilience,” he warned. On the ‘how’ of enterprise resilience, Mr. Kurien highlighted the importance of building resiliency into the spine of the company and not making the mistake of thinking resiliency needs to be embedded ‘across’ the enterprise. To illustrate, he explained that “if a payment system at a bank fails, everybody knows about it: so payments become the spine of the business. In a manufacturing company, it might be the supply chain.”
On the question of cyberspace resilience, T.K. Kurien said getting attacked is inevitable, “you just hope it’s the other guy and not you; or rather, that it’s the other guy who goes first - because he will be the one that ends up in the headlines.” It’s like piracy in the olden days, he observed, pointing out that there are something like 50 sites in the world that are responsible for around 60% of attacks.
Brian Moynihan, CEO of Bank of America, among the world’s leading wealth management companies, said that one of the keys to his organization’s ability to bend, rather than break, in a storm, is getting the right team in place. It is extremely important, he said, not to have people who are there to say what is right or what is wrong, but rather “to have people who can get straight to the core of the problem – and fix it.” As well as identifying the burning platform quickly, he agreed with T.K. Kurien on the need to remove complexity and focus on the fundamentals. You must, he said, “…quit spending time and managerial effort on the stuff that isn’t going to drive business.”
“Find the burning platform – and fix it.” – Brian Moynihan
“… complexity of technology is not the solution, simplicity is.” - T.K. Kurien
In terms of institutional resilience, a strong sense of the company’s purpose is essential to surviving a crisis. “We’re here to serve our clients and customers,” he said, adding that “if our people in 2008/9 thought they were coming into work for any other reason – just to make money, for example – they would never have had the ability to withstand the pounding.”
On being asked if Bank of America has emerged after the financial crisis as more resilient as a result of this process, Mr Moynihan agreed, but cautioned that the trick is not to have to repeat the lessons. As the world begins to feel more normal again, more fixed, the test of this will come in 5-10 years’ time, he said.
Dennis Nally, Chairman & Partner, PwC, the world’s second largest professional services firm, cited PwC’s recent survey of some of the world’s top CEOs to frame his comments. The three mega trends on the minds of today’s CEOs that have emerged from the survey gravitate around the challenge of how swiftly technology is moving, the economic shift from the developed to the developing world, and understanding the workforce of the future. “These CEOs are telling us that they are beginning to understand what those issues really are, but that they are not yet well-equipped to deal with the complexity of these challenges for the foreseeable future.” The good news, he said, is that confidence levels are going up, and that things are looking better as we move into 2014.
“Things are looking better as we move into 2014.” - Dennis Nally
Trust, or rather lack of it (across all institutions – government, business and society more broadly), was another issue that emerged strongly in the survey. Mr. Nally wondered whether you can really have a resilient organization without it, and concluded that some form of trust – perhaps through more global regulation - between the institutions that shape policies and the businesses that carry them out, must be established. Expanding on this point, he underlined CEOs’ concern around the tyranny of the short term, and the need for more transparency about what a company is, what it stands for, and the importance of developing a message around the impacts that a company has on wider society. “Unfortunately, many CEOs are concerned about the continued focus on the short term – three month performance, quarterly earnings, over long-term planning”.
David Roman, CMO and SVP of Lenovo, is responsible for driving all marketing activities for the global PC and technology corporation. He prefaced his remarks with the observation that we are seeing a re-definition of the concept of ‘brand’ in the marketing discipline – “the biggest change we’ve probably seen in the last 30-40 years.” It centres on the difference between brand awareness, brand understanding and brand engagement. “There is a very different level of relationship that our users have with the company, and we are seeing this more and more,” he said. This is significant in the context of resiliency, he points out, because “the people that are engaged with the brand are the ones that are going to save you.” They are the ones, he says, that are going to come back and help to rebuild.
While customers are good by definition (because they buy your products), differentiation between customers is key to successful engagement. “Bad customers buy your product for the wrong reason,” he explains, and they are not likely to become engaged. The problem is that the bad customers are the ones that do the complaining, and require a lot of support – and good customers can be overlooked as a result. Understanding what motivates good customers, getting them involved in the co-creation process and rebuilding the company around them will help you weather a crisis. “The companies that have a community of users around the brand are of course the most valuable brands,” he observed. As part of Lenovo’s efforts at embedding resiliency, the company is trying to understand how to create more of this and to really get to grips with what processes are needed to make it happen.
Lenovo’s Chief Marketing Officer David Roman on why protecting a brand is a valuable marketing opportunity as well as crucial risk mitigation
An Ear on the Ground, 24/7
As is so often the case, Warren Buffett, the American investment guru, put it best. “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
Leading companies are getting the message. More than four in five respondents (83%) in a recent Wipro/ Financial Times survey said they now consider reputational risk and brand damage as potential pitfalls to guard against. Their challenge is to develop reputational resilience – an ability to respond quickly when trouble appears on the horizon, to bounce back from issues that might otherwise drag down their brands, and, ideally, to avoid such difficulties in the first place.
How, though, to build such resilience into the business? For David Roman, the Chief Marketing Officer of Lenovo, the world’s largest PC manufacturer, the first step is to recognise what is driving the increasing focus of organizations on reputation management.
Mr. Roman argues that there are two factors at play - first, the increasing demand amongst customers & other stakeholders for greater transparency from businesses. Particularly since the financial crisis, many people have taken a closer look at the behaviors of large corporations; and second, the ability of social media to dramatically accelerate the dissemination of news and views about those businesses, whether positive or negative.
“We are increasingly looking at an audience of consumers who expect brands to conform to their values and to be transparent about what they’re doing and how they are doing it. As millennials become our key audience, we’ll see that demands for transparency get stronger and the standards to which brands are held get higher,” Mr. Roman argues. “That’s a trend facilitated by social media – it amplifies the speed with which things can go bad and issues can come up.”
By David Roman
Chief Marketing Officer, Lenovo
In that context, listening in to customers, as close to real time as possible, becomes even more important. Three years ago, Lenovo launched a digital and social media hub in Singapore which works with the company’s marketing teams all around the world. One of its functions is to act as a social listening post that can monitor social media conversations its stakeholders may be having about its business, 24 hours a day, anywhere in the world. It can also mobilise its social media team throughout the organization where that is necessary.
The Singapore unit is a centre of excellence that uses a range of cutting-edge technologies in tracking, monitoring and analytics, but it is essentially building on work the company has been doing for many years. Lenovo, like other companies, has always monitored media coverage of its business – and engaged with interested reporters – but the advent of social media has democratized the conversation and given customers a voice too. The plurality of comment requires Lenovo to work harder to keep track of it and to respond.
Mr. Roman says this is a work in progress. “We have state-of-the-art tools to help us monitor what people are saying about Lenovo and they give us a very early signal when something is out there that we need to deal with,” he says. “But I think it is possible to go further: a more sophisticated form of tracking would enable us to monitor people’s changing perceptions of particular attributes and values at the company – to identify things that might turn out to be issues over time.”
The ultimate aim, he suggests, should be to reach a state where all potential problems can be tackled before they do any damage at all to Lenovo’s reputation or brand.
“The key thing here is prevention,” Mr. Roman adds. “Like everyone, we have a crisis management process in place, but we want to avoid a crisis where we can; on anything to do with reputation, the more you can work on the potential issues up front the better, because once you’re into a reactive situation, it’s always really difficult.”
However, Mr. Roman also believes that technology will only take businesses so far. “I think we also now have an attitude that whatever we do will be seen by the outside world and that it therefore makes sense to have full transparency of everything we have,” he argues. “The monitoring centre certainly enables us to see issues early on but the biggest change has been in the behaviour of the company: we are proactively transparent on everything we do and we work hard to ensure that even though we’re a large, global business, we are equally transparent in all our markets.”
SPECIAL FEATURE
Open business, better business?
Nor should this drive towards greater transparency be seen as negative – for Lenovo, being more open and engaged isn’t an attitude the company sees as having been forced upon it, but an opportunity to be embraced.
“I genuinely believe this transparency makes us a better company, because transparency enables us to have a very direct relationship with our customers – those who want to are very easily able to give us feedback on what’s good, what’s bad, what’s working and what’s not,” says Mr. Roman. “This will make us much stronger as a company and, over time, give us much greater resilience.”
In fact, argues Mr. Roman, the move towards transparency and engagement is changing the very nature of marketing. Where this discipline was once about creating a story for the business and controlling the telling of the tale very tightly, in the new world marketers must learn to cede some of that control. It is a shift from the one-to-many marketing model to a two-way process dependent on a relationship with the audience.
“If you look at the brands that are growing these days, it’s not necessarily the ones that are spending huge sums on mass media in order to build brand presence,” Mr. Roman says. “Rather, it is the brands that have built relationships of trust with their customers, and that’s a pretty fundamental change; in terms of reputation, if you know what your audience is really thinking, that is going to be a huge help in addressing any negative issues that might cause the brand problems over time.”
Nevertheless, for Lenovo – and all companies – these themes are evolving and many in the C-suite are only just beginning to get to grips with them, even if they can see the end benefits.
The fine line around privacy
Of course, there will be difficulties to overcome. “One of them is the constant tug of war between having information and people’s concerns about privacy and there is a clear line there in terms of your reputation with your users for handling their information with integrity,” Mr. Roman says. “There are also new tools and technologies to be implemented – particularly in areas such as product development where we need to find ways to really employ the input we get from users at a very early stage.”
Part of the challenge is to embrace new ways of working – such as much greater use of partnerships with other organizations. Lenovo has begun working with Facebook, for example, whose users produce huge amounts of data and comments that may be relevant to the business.
Equally, however, it is important that existing processes and facilities flex to build resilience. “One of the things some people don’t think about, for example, is just enabling commentary reviews on the company website,” Mr. Roman adds.
“Also, you have to respond to those because otherwise you do more damage than good.”
Try to think of these as opportunities rather than problems. The need to build reputational resilience might sometimes seem like a risk management exercise that companies are conducting from a position of weakness in the face of changing consumer attitudes and the pressure of social media. But Mr. Roman’s message is that what is going on is much more positive.
“Marketing is a discipline where you look at the company from the outside in, from the perspective of your audience, and it is now possible to do that for real,” he says. “Rather than conducting huge amounts of research to find out who your audience is and what it really thinks of you, companies that are building engaged relationships with their customers know that already – reputation is part of the story, but the wider opportunity is far larger.”
Source: 2013, On The Pulse: Information Security Risk in American Business, Stroz Friedberg
of senior managers regularly upload work files to a personal email or cloud account.
The State of Cybersecurity in the Digital Economy: Balancing Accessibility with Effective Risk Management
A fast-evolving and increasingly virulent threat environment is raising the security stakes for businesses today. This, combined with the highly distributed and more open nature of today’s enterprises, is testing even the best resourced corporations. A research by Wipro and UBMTechWeb
WINSIGHTS Volume XVIII
At a high level, the research shows businesses battling a wide range of cyber threats, with viruses, malware and botnet-launched attacks highest on their list of concerns. New business collaboration tools such as social media, and IT delivery models such as cloud and mobility, are adding to the security challenge by introducing potential exposure points for corporate data. Businesses now have to rethink policies around safe use and their practices for protecting valuable and sensitive information from possible leaks.
Security spending has significantly increased as security has shifted from being a nonfunctional requirement to a business requirement. Business and technology innovations leading to the Internet of Everything and consumerization have brought security into focus.
In fact, 83 percent of businesses surveyed by UBM Tech plan to increase their security budgets in the next few years. Credit the constant barrage of threats against vital corporate assets and consumer data and the high-profile breaches of 2013 and 2014, including those at Target, Neiman Marcus & Michaels Stores, for driving enterprises to tighten security controls and operations. A detailed analysis of these breaches has brought process weakness into the foreground, along with the need for defense-in-depth security controls.
This appreciation for the critical nature of security controls and enforcements is applicable across almost every industry. Traditional targets such as financial, retail and healthcare companies have evolved and are showing maturity in their security strategies, while newer targets, including manufacturing, utilities, electronics and natural resources, are under high alert because of “hacktivism” and terrorist activities. Hackers are perpetrating intelligent attacks, morphing threat agents and initiating stealth attacks that take advantage of weak controls and process gaps to slip past corporate controls.
To better gauge how businesses today are arming themselves against cyber threats, and to what extent trusted third-party managed security services providers (MSSPs) play a role, UBM Tech surveyed 146 business technology managers in late 2013 about the solutions they are employing to mitigate their risks. Survey participants represent a cross-section of industries, including banking, financial services and insurance; healthcare; retail and consumer packaged goods; and energy and utilities. Respondents hold a range of management roles, from CEO and CIO to directors and line-of-business managers. The majority of respondents work for enterprises that employ 1,000 or more people, with 57 percent employed by organizations with head counts of 5,000 or greater. More than half of the participants — 58 percent — work for companies with annual revenue of $1 billion or greater.
Adding to the woes of security officers are the changing regulatory requirements that make it more complex to secure the business. Key challenges include creating the required awareness and building a team of security architects and data scientists to safeguard the business with intelligence.
CYBER SECURITY
The Best Defense
“Defense in depth,” or security at each layer spanning processes, technology, transactions, and people, is what every sector is focusing on. Gone are the days where security was confined to the perimeter and point solutions. New-age businesses run using intelligence, emotions, patterns, and profiles, which drives security toward convergence, analytics and posture. Asked what top security issues contributed to breaches at their enterprises, survey respondents put viruses, malware and botnet attacks at the top of their threat list (see Fig 1).
Fig 1. Please name the top five issues that contribute to security breaches in your business
Response options: Virus, malware, botnet attacks; Phishing, spam; Lack of awareness among users, operators, administrators; Weak passwords; External users; Social engineering; Silos of tools & technology; Data classification issues; Liberal internet access policies; Wireless access; Insider attacks; Lack of centralized security operations; Legacy products & lack of documentation
Note: Maximum of five answers allowed. Data: UBM Tech survey of 146 business technology managers, December 2013
Phishing & spam can also derail productivity & potentially capture personal or highly sensitive information, and two-thirds (66%) of those surveyed cited these among the top issues they face today. User error remains a major contributor to corporate insecurity, with 62 percent noting that often well-intentioned but poorly executed decisions can put critical information at risk. Weak passwords, easily hacked, can also make it easier for unauthorized users to access corporate resources.
The more extensible nature of enterprises also introduces new risks. An environment in which more external users, such as contractors, partners and guests, are able to tap into data they’re not actually authorized to access can pose a major threat to the security and stability of an organization.
So how are organizations defending their critical information in the current context of unpredictable threats while addressing changing business, technology and regulatory needs? The simple answer is that businesses are taking a systematic approach that focuses on user awareness, shredding the silos of technology and systems, as well as converging security systems for a unified view of posture and intelligence information. Organizations in all sectors are introducing new systems and technologies into their security landscape, including bring your own device (BYOD) for remote control and operational tasks; health-monitoring devices on home networks; and smart meters on utility networks.
In this context, 85 percent of the respondents require users to secure mobile devices with a password. Approximately three-quarters — 77 percent — engage and keep users informed by communicating information both about potential threats and about best practices with which to protect their assets.
Fig 2. Which of the following are part of security best practices in your organization?
We require a mobile device password as part of our mobile security policy: 85%
We communicate upcoming threats and precautions that users should take: 77%
We restrict usage of applications on official mobile devices: 66%
We enable external devices based on the role of the user: 59%
We conduct security drills periodically: 39%
We allow download of trial software on office laptops and workstations: 27%
Note: Maximum of five answers allowed. Data: UBM Tech survey of 146 business technology managers, December 2013
Fig 3. Please describe your organization’s overarching approach to managing security.
Entirely insourced/managed by internal staff only: 38%
Primarily managed by internal resources with fewer than 20% of security functions managed by external providers: 35%
Mostly managed internally with less than half of security functions managed by external providers: 12%
Mostly managed internally with the assistance of third-party consultants: 9%
More than half of all security functions are outsourced: 5%
Entirely outsourced: 1%
Note: Data: UBM Tech survey of 146 business technology managers, December 2013
66 percent of the respondents restrict application access to users operating corporate-owned & -managed devices. Over half — 59 percent — enable external devices based on the role of the user. So, for example, while executives may be allowed relatively unfettered access to enterprise applications, sales staff may be required to use only corporate-issued devices (see Fig 2).
Businesses are also focusing on resilience and situational awareness. These steps run the gamut from requiring users to access corporate resources via a virtual private network (VPN) and USB lock down to encrypting hard drives and using a central “gold” OS image with a predefined program for adding or limiting access. Thirty-nine percent of the participants perform security drills on a periodic basis to make sure the IT staff is prepared to mitigate the impact of an attack.
A Matter of Trust
Even as companies have become more comfortable over time handing off other IT functions to third-party service providers, businesses traditionally preferred to manage the highly sensitive area of security internally. As the nature of their operations became more virtualized and distributed, and the threat environment more complex, enterprises reconsidered their stance on outsourcing some or all functions of IT security. With this, enterprises segregated the operational tasks from strategic programs and started outsourcing operational work to security service providers. 63 percent of the respondents manage their IT and security infrastructure through service partners (see Fig 3).
About 6 percent say that their provider manages more than half of their security needs. 35 percent outsource less than 20 percent of their security functions to a third party. Another 9 percent handle the bulk of their IT security internally but do enlist the help of consultants for support. So where do third parties provide the most support? There is no one specific need; instead, enterprises are looking for outside help to fill in resource and knowledge gaps in their security resources and meet critical compliance and security demands. Enterprises turn to external managed security service providers for a fairly broad spectrum of needs, ranging from tactical device monitoring to more strategic areas where they may lack the institutional knowledge base (see Fig 4).
Fast evolving and still new areas such as social media top the demand list for external security support, with 30 percent relying on outside security help for issues in managing cloud, social media and cyber security. 29 percent seek out an MSSP for design and architecture help.
Fig 4. Which functions are you most likely to rely on a third-party managed security service provider to support?
Response options: New trends such as social media security, cloud security, cybersecurity, security data analytics; Monitoring on-premises equipment; Design/architectural support; Auditing/Governance/Risk and compliance-related professional services; Managing and monitoring security gear; Post-attack remediation; DDoS protection; Policy development/end-user training and support
Note: Maximum of five answers allowed. Data: UBM Tech survey of 146 business technology managers, December 2013
More than one-fifth of the respondents use an external provider to help mitigate distributed-denial-of-service (DDoS) attacks. Many of the third-party providers not only help with service scalability, technology expertise and tools, but they also bring intelligence and analytics to the table. They add value by letting users deploy a security solution more quickly, and by providing faster reconciliation and solution integration from an operations and resilience perspective.
Twenty percent seek out an MSSP as a reactive measure, turning to a third party to help restore services and mitigate any damage following an attack. Most businesses prefer to manage their compliance needs in-house. Just 6 percent use third parties for governance, risk and compliance management support.
For those who do choose to use an MSSP or a security consultant, picking the right provider comes down to trust and experience. Expertise in the relevant vertical is the most widely used criterion to select the right third-party partner, but businesses also tend to choose providers with whom they already have a trusted relationship, with 23 percent citing an existing trusted relationship as an important factor in engaging with an MSSP or security expert (see Fig 5).
There are distinct differences by industries in how companies factor in specific criteria when choosing a third-party provider. For example, 40 percent of healthcare companies say that an existing trusted relationship is their single most important criterion in choosing a security partner. By contrast, only 17 percent of energy and utilities consider a trusted relationship as the most important factor in their selection, instead saying that a provider’s vertical expertise is far more critical.
Fig 5. What is the single most important criterion in choosing a managed security services partner?
Response options: Security expertise in relevant vertical segment and regulatory requirements; Deep security technology expertise; Existing trusted relationship; Strong peer recommendations; Strong skills with a particular technology; Portal-based risk management reporting capabilities; Proven analytical skills; Analytical resources; Other
Data: UBM Tech survey of 146 business technology managers, December 2013
Forward-Looking Perspective
Businesses recognize the criticality of security and compliance to their longevity. And while companies are largely looking to expand their security budgets, there are still limits. Nearly half (49%) say they expect spending to increase between 5 and 15 percent in the coming years. Some enterprises are making even more dramatic increases, with 9 percent planning to raise their security budgets by more than 25 percent. Just 16 percent expect their budgets to stay flat, while only 1 percent plans to decrease security spending.
So what kinds of changes do the spending increases signify in security strategies? Going forward, enterprises are looking to simplify and improve their security operations, starting with greater standardization of the tools they use. Sixty-four percent want more commonality and heterogeneity across tools, technology and architecture. To this end, 34 percent plan to decommission legacy tools that are no longer a good fit.
One-fifth expect to outsource basic security management functions so they can focus on more strategic elements that could include areas around policy development, security architecture and data analysis. Automation will also play a key role going forward, as businesses look to remove the manual element across a number of functions, including antivirus deployment, configuration management, vulnerability management and patch management (see Fig 6).
The desire to reduce human errors in order to improve the security and overall stability of the enterprise is a major driver for more automated security operations, with 44 percent of the respondents citing that as a primary reason to move away from a more manual approach to security. Nearly 30 percent say cost savings is driving their businesses down a more automated track.
Others are looking to automated solutions to free up expert staff to perform the kind of functions that require the kind of analysis, experience and insight not easily replicated by technology. 22 percent want to use automation so that existing full-time employees can shift their focus to more strategic tasks.
Fig 6. What are the top five security areas that you want to automate?
Response options: Antivirus deployment; Configuration management; Vulnerability management; Patch management; Password management; Level 0 security operations and support
Note: Maximum of five answers allowed. Data: UBM Tech survey of 146 business technology managers, December 2013
In late 2013, UBM Tech conducted an online survey on behalf of Wipro on the State of Cybersecurity in the Digital Economy: Balancing Accessibility with Effective Risk Management.
A total of 146 business technology management professionals completed the survey and make up the final data set. The greatest possible margin of error for the total respondent base (N=146) is +/- 8 percentage points. UBM Tech was responsible for all programming and data analysis. These procedures were carried out in strict accordance with standard market research practices.
A small percentage wants to use automation as a way to supplant and maybe eventually replace internal staff. 6 percent of the respondents say the main appeal of an automated solution is that it provides a good alternate option to using (expensive) internal security experts.
Ready for Takeoff
As attractive as automation is to most companies, businesses are more reticent about another major change in the way IT security is handled — namely, the cloud. Enterprises are making slow progress in moving to the cloud as a source for IT security services, with only 20 percent today hosting at least some of their IT security services in the cloud. Another 19 percent plan to use some type of on-demand security service within the next 12 months. However, half of the respondents say they have no intention of ever using a cloud-based security service. There are probably a number of reasons behind this cautious approach to cloud-based security, not the least of which is lack of confidence in the security and stability of the delivery method and questions about the reliability and quality of service. Control, or lack thereof, is another factor, with businesses unwilling to outsource a larger portion of their security operations than they already do. Also, the relative immaturity of some of the solutions and the fact that many of the better-known options are aimed at smaller businesses with lower-scale requirements is less appealing to large enterprises. However, as more large businesses deploy cloud-based security solutions, their peers are likely to reconsider their security-as-a-service strategies.
What is clear today is that while businesses may be wary of cloud-based security, they are not only willing but eager to enlist trusted partners to fill in resource and expertise gaps to more successfully manage risk. The hope is that bringing in expert third-party partners will not only plug holes in their own capabilities but also enhance their overall security posture by providing internal staff with the tools, techniques and intelligence they need to mount a more proactive and effective defense.
How do you measure cyber risk?
Kenneth Hall
VP & Global Head – Cyber Security Consulting, Wipro Ltd.
Guha Ramasubramanian
Head - Corporate Business Development, Wipro Ltd.
Cybersecurity is a threat to businesses globally, and is being increasingly viewed as an “enterprise risk” – it has financial implications and needs to be managed like other major business risks. Board members and senior management are looking for risk-based metrics to quantify, mitigate and then manage residual threat. The approaches and degree of maturity with regards to cyber risk measurement vary across organizations – from an audit-based approach to quantifying cyber risk in benchmark scores or in dollar terms.
While qualitative measures are used to communicate the level of severity of a cyber-threat, they are unable to provide a sense of the quantum of losses that could occur over a period of time. Without this understanding of the cost of the threat, it is difficult for managers to decide on an appropriate risk management strategy.
The ability to quantify and benchmark cyber risks provides significant advantage to an organization when it comes to adopting a cyber-security strategy and prioritizing associated investments. Benchmarking is an effective tool that allows an organization to visualize its security posture relative to an ideal or peer group, and to view existing gaps in its cyber-security posture. One approach involves a diagnostic toolkit that assesses a company along three key dimensions & provides a score that can be compared against those of peer groups. The key dimensions are:
Business Assets: Understanding of “crown-jewel” business processes and data, common view of their criticality across the organization and awareness of their presence on the underlying infrastructure
Threat Perception: Effectiveness of the organization in collecting, analysing & disseminating threat information
Defence: Evaluation of the various defences across the processes, defence tools, people & organizational skills; the defence assessment is along three themes – proactive defence, attack detection & aspects of response management
Wipro’s approach for quantification of cyber risk is based on the concept of Value-at-Risk (VaR), which measures the potential loss in value of a risky asset or portfolio over a defined period for a given confidence interval.
This VaR sums up the risk in dollar terms, which helps to communicate the likely impact of cyber risk in a language that is familiar to the senior management and helps them make their risk management decisions.
A common aspect across themes includes reckoning the direct cost impacts (customer notification, regulatory penalties, and legal expenses) along with the indirect costs (loss of customers, reputational impacts).
The model also looks at various types of threat and their frequency, as well as layers of defence that need to be breached and potential costs. Irrespective of the framework used, the outcome is only as good as the assumptions on which it is built – it is critical that such assumptions follow from business realities and take into account the sophistication, variety and dynamic nature of cyber-attacks. It is also important to view the scores and quantification as directional guidance, rather than try to achieve more precision than is practical.
It is imperative to bring business specific nuances into the approaches mentioned. Hence, participation from business experts is critical to build a view of the importance of various business assets and potential threats. This would enable delivery of results that are meaningful and acceptable to senior management.
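The Value-at-Risk idea described above, sketched as an added illustration that is not Wipro's model or part of the original article: a Monte Carlo estimate of one year's cyber loss from threat frequency, layers of defence, and direct plus indirect costs. The Poisson attempt counts, independent layers, lognormal costs and every number in the sample data are assumptions constructed for the example.

```python
"""Monte Carlo sketch of a one-year cyber Value-at-Risk figure."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    attempts_per_year: float     # assumed mean number of attack attempts
    layer_fail_probs: tuple      # assumed chance each defence layer is breached
    direct_cost_median: float    # notification, penalties, legal fees (USD)
    indirect_cost_median: float  # lost customers, reputational impact (USD)
    cost_sigma: float            # spread of the lognormal cost draws


# Constructed sample inputs; replace with figures agreed with business experts.
SAMPLE_THREATS = [
    Threat("malware", 12.0, (0.30, 0.20, 0.50), 200_000, 400_000, 1.0),
    Threat("phishing", 40.0, (0.25, 0.10), 50_000, 100_000, 0.8),
    Threat("insider", 2.0, (0.50, 0.40), 300_000, 900_000, 1.2),
]


def poisson(rng, lam):
    """Draw a Poisson count with Knuth's method (adequate for small lam)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_year(threats, rng):
    """Total loss for one simulated year across all threat types."""
    loss = 0.0
    for threat in threats:
        for _ in range(poisson(rng, threat.attempts_per_year)):
            # An attempt becomes an incident only if every layer is breached.
            if all(rng.random() < p for p in threat.layer_fail_probs):
                for median in (threat.direct_cost_median,
                               threat.indirect_cost_median):
                    loss += rng.lognormvariate(math.log(median),
                                               threat.cost_sigma)
    return loss


def value_at_risk(threats, confidence=0.95, trials=5000, seed=2014):
    """Loss level that simulated years stay at or below with this confidence."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    losses = sorted(simulate_year(threats, rng) for _ in range(trials))
    index = max(0, min(trials - 1, math.ceil(confidence * trials) - 1))
    return losses[index]


def with_extra_layer(threat, fail_prob):
    """Copy of a threat with one more defence layer placed in its path."""
    return replace(threat,
                   layer_fail_probs=threat.layer_fail_probs + (fail_prob,))


if __name__ == "__main__":
    hardened = [with_extra_layer(t, 0.30) for t in SAMPLE_THREATS]
    for label, portfolio in (("baseline", SAMPLE_THREATS),
                             ("extra layer", hardened)):
        for conf in (0.95, 0.99):
            var = value_at_risk(portfolio, conf)
            print(f"{label:12s} {conf:.0%} one-year VaR: ${var:,.0f}")
```

Comparing the baseline and hardened runs shows how an added defence layer moves the dollar figure, which is the kind of directional reading the article recommends over false precision.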
Kenneth Hall and Guha Ramasubramanian are working with the World Economic Forum (WEF) as part of the cyber task force to drive quantification & benchmarking of cyber risk
CYBER SECURITY SIDEBAR
of leading business executives feel that a potential company crises would happen in the digital space
Source:Burson-Marsteller Asia-Pacific
Digital Reputation Risk: Over
Building a Resilient Business for Tomorrow’s Challenges
Q&A with Michael Hedges, CIO of Medtronic Inc.
WInsights speaks to the Chief Information Officer of Medtronic, the world’s largest medical technology company, about building more resilient systems and processes to cope with both market volatility and regulatory uncertainty.
Michael Hedges
Vice President & Chief Information Officer, Medtronic Inc.
Many new healthcare laws have been introduced in the EU and US in recent years, with a range of implications for firms such as yours. How challenging are these for your business and how are you working to keep pace with these?
Our industry has always seen a lot of regulatory change and so this kind of challenge is not a new one for us. We’ve always had to deal with this. But what it has meant from an IT perspective is that we’re going to continue in our mission of building more and more common systems, with common processes, and clean data. This is a massive data management job, which is going to be much more important than it had ever been before. And this is going to follow all applicable regulatory requirements, regardless of where we are.
But of course there are changes in the wider environment that affect this. For example, we’ve got a legal requirement to register and track certain events. To do so, we’ve created a single system for this, based on SAP, for the whole of Medtronic. This now allows for significant benefits, because we have far greater visibility and traceability than before.
The second change is that we have no choice but to strive for zero defects and zero rework. You’ve got to build these common applications that are not just based on what the business is asking for today, but what we know the environment is going to ask for tomorrow. Some of these systems are really complex, but the complexity cannot stop you striving for this zero defects and zero rework, and building for the future.
How much of an enabler are today’s digital technologies, such as the cloud, mobile and social?
The new technologies are definitely a part of it. The fact that you can do things that have more elasticity, and that you can do things quicker, is very powerful. It also means you can give multiple people access to that data. With the right security and privacy measures in place, greater ability to provide appropriate access to the data makes a huge difference. For example, for certain functions, we use a cloud-based application around the globe that allows us to provide access without having to invest in large data centers, and without the same concerns you have with those systems when it comes to disaster recovery and backups. That’s now all part of the cloud. That makes a huge difference in terms of speed and agility.
The fact is that we have more capabilities to gain through rapid adoption of digital technologies. For example, when the iPad was first launched, we rolled out apps for use in a hospital environment, including some education. By rapidly adopting this new tool, sales people could walk down the corridor of the hospital with the doctors while they were going to a meeting, showing them new tools on the go. It really worked, and drew a lot of attention.
Are these technologies helping you reduce the cost of compliance at all?
Yes, to an extent. We have a huge cloud system we’ve developed internally, and if you can do things once, and level costs across a company of 46,000 people, you’re going to see some value. Cloud is one way to do that, although of course there are areas we may not choose to use the cloud, for other reasons.
To what extent are you able to use these kind of stronger and more resilient systems to act as a competitive advantage, or is this an arms race that everyone has to take part in, and just hope to be ahead of your rivals on?
“We have no choice but to strive for zero defects and zero rework based on what we know the environment is going to ask for tomorrow.”
SPECIAL FEATURE
There are a few things you can achieve here. This falls into three buckets: operational excellence, optimized costs, and resulting growth initiatives. You can drive operational excellence - by having great support, functional strategies, maintaining your critical systems, securing the online environment, and ensuring mature IT systems and governance. Then, based on that, you can start to optimize cost and efficiency. You can look at ways to move infrastructure into the cloud. You can look at how to implement cost effective systems in emerging markets. You can consolidate systems because you’ve got that operational efficiency. This efficiency will drive savings, which you can then invest to enable growth. For instance you can take some of those dollars to invest in analytics, drive mobile platforms, or enable healthcare solutions and services. So it’s one of the things I strive for.
Have these increased regulatory needs been a driver for a greater focus on better
use of data and analytics within the business?
The market is driving a lot of this. You’ve got to use all of your data assets to
unleash maximum value of these analytics. The ability to leverage all of that data, within the boundaries of privacy protection, can inform better decisions & outcomes that will accelerate new opportunities for the business. That’s the model we’re aiming for. Of course, some of the data you have in the medical world is very
complex so many are working to understand the value we can realize from some of these advanced analytics capabilities.
Is there scope for data and analytics to help deal with some of the regulatory
requests and needs that are put in place? For example, are there ways for analytics to kind of help improve that R&D process and speed up the time it takes to get products to market?
Yes, I think it’s going to be huge. We’ve already got a programme in the company, which IT plays a key role in, called post-analytical networking. It’s really a way of using data to show up front the value and lifecycle of your products. It’s run by our chief technology officer, and is all around using clinical data.
As a final question, in the midst of all this change underway, what are the issues
that keep you up at night?
I think there are three things. I think one is always going to be security. We constantly monitor and address concerns in this area and the importance of these efforts will never diminish. The second thing is speed, and how we keep pace with things as we grow. And third is about skills. There’s a huge demand right now for the skill sets that I’m looking for – the data sciences people, especially those who really understand healthcare.
[Infographic; figure missing] In 2012, ... of worldwide prescription drug sales were lost as a result of expired patent protection.
Source: EvaluatePharma World Preview 2013, Outlook to 2018 - Returning to Growth
Confronting the Challenges in Technology Risk Management
Keep it simple and serious
By Balasubramaniam Ganesh
Sr. Vice President, Banking Products & BFSI in Emerging Markets, Wipro Ltd.
An excerpt from “Building confidence: The business of resilience”, a Wipro and FT Remark report.
Modern businesses are complex systems of people, processes and technology. In the past, when customer interaction was often physical and infrequent, such as a visit to a shop or the branch of a bank, people could work around weaknesses in the system. Today, when customer interactions with almost every business are immediate and online, failures in the system have an instant impact on customers, on their experience and confidence, and on company reputation.
The immediacy and scale of this impact has been demonstrated by recent high profile system failures in the banking industry: these failures have affected millions of customers, have been reported via social media within minutes, and have been national news shortly after. They have also drawn the attention of regulators, who have become rightly concerned both about harm to customers and to the financial system as a whole.
Just like the regulators, C-suite executives need to pay close attention to resilience: they may be just one failure away from serious damage to their customers, their company and their shareholders. Executives can start by taking five key steps to protect their business:
Understand your risk / understand your system: many companies do not have a
clear and realistic understanding of the risks inherent in their system, and do not explicitly draw connections between the parts that make it up; they may not know that an IT component which is due for replacement supports a process which is critical for customers. The first step in addressing business resilience is to establish an understanding of how the business processes that matter most to customers are underpinned by internal processes and technology. Then, executives can decide which risks to accept and which risks must be addressed.
Invest in people, processes & automation: over the years, the level of investment has not kept pace with the level required in people, processes & technology. The aggregate impact of this under-investment, coupled with the increasing pace of business and increasing customer expectations, has created risks to service which, when made explicit, are no longer acceptable. Such risks will typically need to be addressed by a planned programme of investment, which strengthens skills and understanding within the workforce, tightens relationships within the supply chain, and replaces manual processes with automated steps.
Simplify: many of the risks and weaknesses in the system have also arisen through unplanned complexity. Manual processes, IT applications and infrastructure have been continuously extended over the years, workarounds have become persistent practices, and diverse solutions introduced through M&A activity continue to run. In the past, a purely cost based case for removing this complexity has often been hard to make: today, the risk inherent in such complexity makes it dangerous to ignore.
Address external threats: the systems which run businesses are now highly connected to other businesses and to consumers via the Internet. External attacks, whether through technology or through social engineering, are increasing rapidly, and are no longer mounted by lone hackers, but by well-funded organized criminals. Our report reveals a worrying level of ignorance about such attacks and their ability to directly harm customers or wreck a company. Building and maintaining defences against such attacks is vital: the expertise to understand and respond to developing threats is central to these defences.
Be ready for new approaches: the risk to business has changed because the nature of business has changed. This means that traditional mechanisms to provide resilience, such as improved manual controls, additional hardware, increased backup frequency and so on, will be stretched to the point where they can no longer keep pace: increasing availability from 99.9% to 99.95% is not enough in a world which demands 100% perfect service. For companies which have grown up in the Internet era, this has always been the case, and they have adopted new technologies and methods to support their exponential growth and customer expectations: the mainstream IT industry has been slow to adopt these techniques, but they are reaching the stage of commercial viability, and executives should be open to trying new methods to meet ever tougher standards.
TECHNOLOGY RISK MANAGEMENT
Surprises Are the New Normal; Resilience Is the New Skill
By Rosabeth Moss Kanter
Rosabeth Moss Kanter is a professor at Harvard Business School and the author of Confidence and SuperCorp. Her 2011 HBR article, “How Great Companies Think Differently,” won a McKinsey Award for best article.
The difference between winners and losers is how they handle losing.
That’s a key finding from my ongoing research on great companies and effective leaders: no one can completely avoid troubles, and potential pitfalls are everywhere, so the real skill is the resilience to climb out of the hole and bounce back.
Volatile times bring disruptions, interruptions, and setbacks, even for the most successful among us. Companies at the top of the heap still have times when they are blindsided by a competing product and must play catch-up. Sports teams that win regularly are often behind during the game. Writers can face dozens of rejections before finding a publisher that puts them on the map. Some successful politicians get caught with their pants down (so to speak) and still go on to lead, although such self-inflicted wounds are harder to heal.
Resilience is the ability to recover from fumbles or outright mistakes and bounce back. But flexibility alone is not enough.
You have to learn from your errors. Those with resilience build on the cornerstones of confidence — accountability (taking responsibility and showing remorse), collaboration (supporting others in reaching a common goal), and initiative (focusing on positive steps and improvements). As outlined in my book Confidence, these factors underpin the resilience of people, teams, and organizations that can stumble but resume winning.
For anyone who wants to get beyond adversity or start over rather than give up, America is the Land of Second Chances. According to Jon Huntsman, former US Ambassador to China, getting back on our feet is an American strength widely admired in China. And everywhere, rapid recovery from natural disasters is increasingly a key to a robust economy. Entrepreneurs and innovators must be willing to fail and try again. The point isn’t to learn to fail, it is to learn to bounce back.
Some stumbles are due to circumstances outside of most people’s control, including weather events and geopolitical shocks. But while people might not control the larger problem, they control their reactions to it — whether to give up or find a new path. Recession in Europe is an example. I recently spoke to European audiences at public conferences and within companies about cultivating resilience in their businesses even when markets are shrinking, so that they hold their own as recession continues and are well-positioned for recovery. A German machinery company showed resilience by growing its service contracts when demand for machines slowed, and it mobilized employees to find new service possibilities. An Italian cosmetics firm grabbed talent from job-shedding multinationals and increased its international marketing tied to both health and fashion; new sales followed. In both companies, like others described in my book SuperCorp, such initiatives were made possible by a strong sense of purpose that drew members together and motivated them to take responsibility to help the companies survive and thrive. Employees were resilient because they cared, and that made the companies resilient.
Complacency, arrogance, & greed crowd out resilience. Humility & a noble purpose fuel it. Those with an authentic desire to serve, not just narcissism about wanting to be at the top, are willing to settle for less as an investment in better things later. Raymond Barre, former Premier of France, after being defeated for reelection at the national level, ran for a lesser office as Mayor of Lyon and became a hero of his region. That’s the strategy Eliot Spitzer is taking by running for a lesser city office after having been governor of a state. He showed remorse quickly when scandal surfaced and then reentered the public conversation talking about the issues, increasing his comeback prospects.
Some observers say it is harder for women to stage comebacks. Still, consider Martha Stewart. She served prison time for insider trading rather graciously, showing remorse, and that graciousness restored much of her fan base afterward. In a more positive vein, Hillary Clinton was not a sore loser to President Obama in 2008 (though some of her followers were) and accepted his offer to become his Secretary of State. She’s now perhaps even better-positioned for a 2016 Presidential run. In the long term, graciousness beats sour grapes.
Resilience draws from strength of character, from a core set of values that motivate efforts to overcome the setback and resume walking the path to success. It involves self-control and willingness to acknowledge one’s own role in defeat. Resilience also thrives on a sense of community — the desire to pick oneself up because of an obligation to others and because of support from others who want the same thing. Resilience is manifested in actions — a new contribution, a small win, a goal that takes attention off of the past and creates excitement about the future.
Potential troubles lurk around every corner, whether they stem from unexpected environmental jolts or individual flaws and mistakes. Whatever the source, what matters is how we deal with them. When surprises are the new normal, resilience is the new skill.
CEO turnover rate in 2012 was the second-highest since 2000.
Source: The 2012 Chief Executive Study, Booz and Company
RISK IN TRADING AND HSE
High impact disruptions becoming part of businesses
By Subbi Lakshmanan
Vice President & Global Domain Practices Head, ENU, Wipro Ltd.
In July 2012, a 12-hour power outage in India impacted 670 million people, which is one in every two persons in the country or 10% of the world population. The effects were crippling. Traffic lights went off throwing streets into chaos, hospital staff struggled to provide emergency care, sanitation plants ground to a halt, miners were trapped underground and airports and factories went dark. The resulting economic loss was estimated to be US$107.5 million. The actual damage was beyond numbers: the country’s reputation was badly dented.
Earlier, in March 2011, when a nuclear reactor in Fukushima, Japan, was battered by an earthquake and a tsunami, it resulted in radioactive contamination of 11,580 square miles of land. Land within 12 miles of the reactor was declared unsafe for human habitation. The value of property and other assets lost in that area alone is estimated at between US$250 and US$500 billion. Globally, stock prices of nuclear power companies fell. These and several other recent examples – such as the Gulf of Mexico oil spill and the mine collapse in Chile – have shown that outages and disruptions in the Energy & Resources industries are catastrophic and result in large scale and long lasting impact. These high profile incidents have underlined the urgency for building resilience into the global Energy & Resources industries.
What is the state of readiness in the Energy & Resources industry to assess such risk? What is its state of readiness to deal with events that threaten operations? How resilient is your own business?
Resilience in Energy and Resources Industry
Resilience as an organizational trait has never been more relevant. With growing awareness, the ability to measure, analyse and predict the future, organizations are building effective ways to insulate themselves from events that threaten their survival. They are, in effect, building business resilience.
In this article, we have identified the key forces that have resulted from various events along with potential strategic responses. For the purpose of this discussion the Energy & Resources industry can be classified into two broad segments of operations:
• Extraction (of resources): such as oil, gas, coal, metals, etc.
• Supply & Distribution: infrastructure to generate, process & transport utilities such as power, gas, water, oil.
The need is to create strategies around both, Extraction and Supply & Distribution, in order to build resilient organizations.
Building resilience around the six major forces impacting Extraction
There are six major forces that will test resilience. Businesses have to brace for them. Or, they can create strategies around each to de-risk the future.
Depleting resources: Gone are the days when you could drill, mine or fell to get at deposits and resources. Today, companies have to drill deeper and go further, operating with several constraints (labor, equipment and local legislation). It is not as easy to extract resources as it once was.
• Strategy: Businesses need to pursue an early entry into unconventional and renewable asset portfolios which could include coal seam gas, shale gas/ oil, and tight gas/ oil sands, wind, solar, hydro, tidal, and biomass to complement their conventional operations.
“Unfriendly” terrain: As mature fields decline, companies have to explore in increasingly inaccessible, economically challenging, poorly serviced locations. One fallout is the increased cost of production that threatens profitability in these locations.
• Strategy: In response, the industry is deploying new technology to reduce cost of extraction, production and marketing. For example Floating Liquefied Natural Gas (FLNG) is a technology that can improve profitability of economically challenged offshore gas developments. Mono-diameter well technology is another concept that has the potential to reduce cost of drilling and environmental impact in unconventional shale plays. These provide better capabilities for the recovery of resources, lowered costs and improved safety.
Political sensitivity: As companies move beyond mature fields, they are likely to encounter geographies that have the potential to grow economically on the back of their resources. But they may be restrictive or still evolving in terms of policy. The question of political sensitivity is of enormous importance to the industry.
• Strategy: Industry leaders are showing the way with innovative partnership models where long term sustainability models are drawing governments to the negotiating table.
Skills shortage: Workforces operate from remote locations and in socially unenviable conditions. Very few want to educate and skill themselves for these industries. In addition, there has been a surge in the demand for energy in developing geographies such as India and China, leading to a shortfall in qualified resources. Finally, the workforce is ageing, showing signs of imminent retirement.
• Strategy: The industry is working at ways to increase interest in this field. On the other hand, significant investment is being made to reduce dependencies on manual work through technology. For instance, central collaborative work environments are being created using immersive visualization technology to monitor, analyse and control fields and plants remotely. These technologies make it possible to do more with fewer resources.
Major push on Health, Safety, Security, and Environment (HSSE): Concerns around employees, society and the environment have been growing and so have regulations. For example high water usage and hydraulic fracturing in shale plays have caused HSSE concerns resulting in limited large scale adoption of shale plays.
• Strategy: Businesses must ensure they take every precaution to meet regulatory requirements. Technology can be an important enabler here. For example, as per a recent McKinsey study, water reuse and treatment technologies could reduce freshwater needs by as much as 50% which could potentially improve adoption of shale plays in several regions that suffer from water scarcity. Analytics is another enabler that can identify and examine all areas of risk and predict them. It is also necessary to consider training personnel using a Competency Risk Analytics, Simulation and Training plan.
Market economics: Oil and Gas prices are volatile. Extraction has to be agile to
respond to market conditions.
• Strategy: The ability to predict market conditions is key to staying ahead of trends and guaranteeing business resilience. Companies are also finding ways to make operations more nimble to quickly react to market conditions.
Building resilience around the four major forces impacting Supply & Distribution
Like Extraction, Supply & Distribution can also be reshaped to build a higher degree of resilience. Supply & Distribution constitutes thousands of kilometers of power lines or pipelines, collectively called the network, that transport energy & water from source to consumption points. Companies spend billions of dollars managing and maintaining complex networks.
In the context of building resilience there are four major forces that impact Supply & Distribution operations:
Natural disasters: We have already seen how the industry is unable to insulate
itself or respond quickly to natural disasters.
• Strategy: No matter what precautionary measures companies take, natural catastrophes leave their distinct mark. What is important is how quickly companies recover from the damage. With advanced instrumentation becoming more reliable, companies are looking at active controls and automatic flow routing to (a) isolate networks before the storm to contain and limit damage and (b) resume services through alternate routes.
Demand variance: Demand pockets are changing. In the case of Oil & Gas the
growth of demand is no longer in developed countries. Demand pockets are no longer close to supply sources. In the case of power, distributed generation (example: rooftop solar panels) is creating imbalance in the network.
• Strategy: Oil & Gas companies are investing in LNG and FLNG plants to enable quick transportation. Leading utilities and energy providers are turning to predictive models that help anticipate the demand and design a flexible network accordingly.
Supply variance: An industry that has been dependent on standard sources of
energy and materials is suddenly witnessing renewables & alternate sources come into play, introducing complexity & causing disruption in the traditional supply chain.
• Strategy: Progressive companies are re-designing the supply chain to make it more agile. Digitization and real time monitoring of the supply and demand positions are critical to create agility.
Next Gen consumers: Companies have never seen the kind of revolution sweeping
across social media. Their consumers today are freely expressing concerns and reservations on public platforms, impacting the brand image of the company.
• Strategy: Companies must include social media in their communication strategy. Constant communication builds a positive brand image. For instance, utility companies can leverage social media to warn and alert their consumers in real time on anticipated events.
Resilience redefined – In Summary
The Energy and Resources industries are in the throes of the most significant change in decades. This is happening at the hands of technology, political and social changes, and heightened consumer expectations. Today, it is as important to invest in business resilience as it is to invest in the right markets, projects and people. Resilience is the single factor that will determine which businesses survive and which don’t.
DIPSTICK SURVEY
Business Pulse
Business Resilience: What Works and What Doesn’t
A dipstick survey of delegates at Davos 2014 on Business Resilience.
Wipro’s survey on Business Resilience at the World Economic Forum 2014, Davos indicates that businesses across the world continue to suffer from inadequate understanding of risk. At the same time, there is a general awareness that flexibility and core strength are key characteristics of resilient organizations. According to respondents, North America emerges as the strongest in terms of resilience among other geographical regions. The poll was taken by some of the world’s top business leaders.
The Case for Business Resilience
Businesses throughout the world have grown increasingly more interconnected and value chains are spreading across continents. Risks in one geography or line of business have the potential to affect worldwide operations. For instance, the financial crisis of 2008 and the euro zone crisis were manifestations of a chain reaction that affected almost all geographical areas and industries. Even as the world economy recovers, there are concerns about the impact of US Federal Reserve’s stimulus rollback on other countries. Clearly, businesses need to have a certain tolerance for volatility due to infrastructure outages, political uncertainty, natural calamities, man-made disasters, and so on.
The top three aspects of resilient organizations, as per the survey responses, were flexibility (66% of respondents endorsed this), having a strong core (50%) and diversity of the executive team. The other options were modularity, strong supply chain and risk savviness. This may seem intuitive at first glance but shows how a firm can set its priorities in order to improve responsiveness and continuity of operations. Flexibility and diversity are essential for coping with today’s rapidly evolving business environment. This also helps firms expand into seemingly unrelated fields.
The evolution of Samsung Electronics is a prime example. It was established in 1969 as a manufacturer of appliances like televisions & refrigerators. As the semiconductor industry boomed in the seventies, it entered the microprocessor business. It staved off the Asian financial crisis of the late nineties, by hiving off 45 companies and shutting down 52 product lines. Since then, it has moved from strength to strength and has today emerged as the global leader in smartphone sales.
Google Inc. is another example. Its driverless car has allowed Google to leverage its existing core business to move into the automotive industry. Similarly it has not only expanded its search capabilities but forayed into many other areas like wearable technology with Google Glass and home products by investing in Nest. Thus, if a firm can diversify its portfolio by using its core competencies and executing well, it can weather almost all kinds of market change.
Kodak is an example that has suffered heavily because of their inflexibility, losing out leading market position in mobile handsets and cameras respectively. Today, the biggest competition for camera companies are smartphones – the competitive scenario today is such that companies today are going beyond their core capabilities to address the gap in the market. Indeed, the biggest hurdles that organizations face in such an endeavor are – lack of understanding of business risks and a low priority given to resilience on a strategic level. Unless driven from the very top levels of management, a firm cannot build an infrastructure that can rapidly adapt to change.
In a telling statistic, a large chunk (50%) of the respondents agreed that while they understood the threats faced by their businesses, there is still room for improvement with respect to managing unpredictable threats. As many as one third of the respondents either do not have such an understanding or aren’t aware of it. This makes a firm highly vulnerable to unpredictable business, operational challenges and cyber threats.
[Figure: Key characteristics of a resilient organization. Bar chart of Flexibility, Strong core, and Diverse and multi-skilled executive team; axis from 0% to 70%.]
Geographical Spread and Industry Snapshot
As can be expected, North America is the strongest among different geographies in terms of business resilience. This was the view held by about 60% of the respondents. Asia and Western Europe were next, but with only about 35% of the C-level executives believing in their resiliency capabilities. Such a large difference becomes relevant in the context of globalization. Any organization looking to make a mark in its field can no longer limit itself to the US. Its expansion plans should thus include costs for setting up resilient operations.
One of the side effects of advances in computing and networking has been the emergence of cyber risk. No organization today is completely immune from, say, denial of service attacks. However, it would be fruitful to know whether there are some industries particularly sensitive to such threats. Respondents were asked to select three industries which they thought would face the greatest cyber risk in the coming year. The final results showed that financial services firms may have to be the most cautious in this regard as the industry figured in the top three for close to 90% of the respondents. Defense suppliers are also expected to face a high level of threat as per 56% of the respondents. The third place is shared between media & telecom, technology and retail industries (33%). As the survey shows, a large majority of the respondents understood that cyber security is a very real concern across all business lines.
Conclusion
Technological developments have enhanced organizations’ ability to adapt to changing conditions and cope with disruptions. However, the good work has been undone to some extent by malicious uses of technology. It is difficult to quantify the interconnectedness of different industries and regions, and hence the full impact of any local crisis cannot be gauged easily. In such a scenario, it becomes even more important for a firm to prioritize resilience in all centers of operation. Businesses need to have robust risk management plans and a focus on their core competencies. Top management must have a proper perspective on the kinds of threats that the firm can and does face in its day-to-day operations.
The need of the hour is to understand that risks today have systemic impacts and the thinking needs to move from risk management to building resilient systems. Given that the world is more complex, unforeseeable, dynamic, and interconnected than ever before, businesses cannot afford to look at short reporting cycles, but must give greater priority to building resiliency.
[Figure: Is there an understanding of threats to deal with unpredictable business, operational and cyber challenges? Response options: Yes; Yes, but there is room for improvement; No; Don’t know.]
[Figure: Regions particularly resilient: North America, Asia, Western and Northern Europe.]
We hope you enjoyed reading “WINSIGHTS”. If you would like to read more, please visit our website www.wipro.com/insights/, where we regularly publish our viewpoints and perspectives that can help companies sustain competitive advantage.
We would love to hear your thoughts and suggestions that could go a long way in making this journal a valuable knowledge-sharing tool for senior executives like yourself. Please write to us at [email protected]
Best Wishes,
Wipro Council for Industry Research
About Wipro Ltd.
Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360 degree view of "Business through Technology" - helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation, and an organization wide commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 60 countries.
For more information, please visit www.wipro.com
Give us your feedback online
http://www.wipro.com/winsights-feedback/
No part of the report may be reproduced in whole or in part without the written permission of the
authors. For more information, please visit our website: www.wipro.com/insights