Bang the risk management drum – risk manager profile
Today is a good day to meet with David Ralph, head of risk management and compliance at Pacific Century Cyber Works (PCCW). The Hong Kong-based information and communications technology company has just released its annual results for 2015, which include a 19% rise in core revenue and a 36% increase in consolidated profits. According to analysts, the positive performance was largely driven by the successful integration of mobile carrier CSL. But Mr Ralph feels that, in some small way, the “fantastic results” were partly down to the company’s good risk management practices.
Mr Ralph’s background is in information security, beginning in the early 1980s before the internet as we know it existed and before most people knew what information security actually was.
At that stage, the only bodies really interested in information security were government agencies and also a number of large financial institutions that were looking to transfer all their data and processes onto computers and had recognised the risk involved.
hide
“These risks were mostly internal because there were very limited opportunities to access the information externally. It was looking at things like database security and mainframe security. We were looking at the sort of applications that were developing and ensuring that security was an adequate part of the design process. It was an interesting time,” he tells Commercial Risk Asia in an interview in Hong Kong.
Those formative years as a computer programmer and working with machine codes have stood him in good stead given the pivotal role that technology plays in the modern corporate world. “I understand how machines communicate with each other. Even though things have changed a lot today, to the point where coding is cut and pasted, I have a fundamental understanding that is still relevant today,” he explains.
This knowledge has proved particularly useful, says Mr Ralph, when some of his younger colleagues start engaging in “techno-speak”, expecting to lose him. “Instead, I lose them because I am going three levels further than they have ever understood,” says Mr Ralph.
Following some years working in Australia with financial institutions and then contracting in the UK for a number of large corporations, including a large insurance company and also British Telecom, he landed a two-year contract working for Cable & Wireless Hong Kong Telecom, which was later to become PCCW, to set up the information security department as part of a major systems enhancement.
“Over a number of years, I started looking at the general risks arising from IT and that then evolved to include other forms of risk management—contract risks and other types of liabilities—and then eventually the operational risks within data operations,” he explains.
And then in 2000, Mr Ralph was asked to take on the insurance management role. “Back then, it was considered a minor role that would take up a couple of hours a day—but things change very quickly. My reach into general risk management became a much more key role. I had to fully understand the risks in a more systematic way to ensure that we had the right insurance coverage. I must admit, when I was first asked to buy insurance for the company, I had this image that insurance salesmen where one step down from a used car salesman. The only experience I had of insurance prior to that was buying it for my car,” says Mr Ralph.
It is not unusual for risk and insurance managers to inherit the role rather than seeing it as the realisation of well-planned career path, but Mr Ralph is hopeful that this changing.
“I think insurance will still be an integral part of risk management and a risk manager’s career but I hope we will move further away from having ‘insurance managers’ because I think it goes further than simply buying insurance.
“For example, when you are establishing a captive, you are looking at the total cost of risk and you need to value that process and you need to understand that you are buying your insurance for yourself. The profitability of that captive is part of my KPIs, so I have to make sure the risk mitigation measures we put in place are a more fundamental part of my responsibilities and part of an holistic approach to risk management,” explains Mr Ralph, who is also head of the Pan-Asia Risk Management Association’s (Parima) Hong Kong chapter.
Cyber risk
Given that cyber risk is such a massively developing area within risk and insurance, Mr Ralph has an advantage on many of his peers because this is a risk that he has managed all along. “PCCW has been a technology company ever since it was first formed. It has always built networks. And we have been successful in developing from a telecoms firm to an ICT company. So we do a lot of application development for government agencies and large corporations.
“Cyber has therefore been a risk that we have managed all along and we have been able to develop our policies, strategies, systems and processes, unlike some businesses that have had these things dropped on them and been left scratching their heads. So it’s not a sea change for us. We have recognised the various threats and how they have changed. For example, back in the 1980s, the only threat was internal. It is still the most significant threat but now we [also] have industrialised sabotage and the like,” explains Mr Ralph.
One of risk managers’ biggest problems around cyber risk has been the lack of suitable insurance policies and the challenge of trying to extend existing and longstanding insurance programmes to cover an ever-changing cyber risk landscape. But for PCCW and other network-focused businesses, cyber has always been considered within its insurance coverage, says Mr Ralph.
“From day one we made it clear that the standard programmes for cyber, general liability, professional indemnity and crime programmes, would have to include certain provisions. So we don’t need to buy extra cyber coverage. Precedents are coming in all the time but we have a fantastic group of insurers supporting us and they have been able to understand what we have been doing to mitigate the risk and they’ve been very accommodating,” he says.
Mr Ralph has a team of four assisting him on the risk management side, plus one other working on the insurance management. “The rest of the team is helping various business units to complete their risk assessments, setting up risk policies and procedures and also working with the IT team on the development of new products and any security assessments. The team essentially acts as a link between the technology team and the business,” he explains.
This role was originally performed with the internal audit team that traditionally looks back on businesses to see how well they comply, but Mr Ralph suggested that they work with the business to advise them on what to avoid. “That gave me a small team of two or three people. In the early years we spent a lot of time writing policies, standards and procedures, and encouraging separate business lines to build risk assessment processes for their day-to-day operations,” he says.
As with many other businesses, Mr Ralph’s team has had to withstand financial pressures and cost-cutting, although this was relieved by the 2014 acquisition of CSL, which had its own risk management team and was subsequently absorbed into PCCW.
“We are still keeping it fairly small. We recognise that risk management should not be an overhead or a cost centre, so I am particular about who I employ because I know I will have to work them quite hard and do as much as possible with what we have,” explains Mr Ralph.
Given that PCCW has operations in 42 countries and businesses that cover telecommunications, data centres, outsourcing, media production and property development, it is one of Mr Ralph’s biggest challenges to maintain a sustainable risk management function amid the budgetary concerns. And a growing regulatory burden does not make it any easier.
Central to this effort is promotion of the value and importance of risk management as something beyond operational procedures and processes that are designed to protect and limit the business. “My objective is increase the recognition that risk management is not part of the company’s internal controls but rather that the internal controls are part of the risk management function,” he says.
That recognition is growing, as is evident in Hong Kong with the recent introduction of new listing rules. The previous rules included risk management as part of the internal controls required by executives, which have now been amended to risk management and internal controls.
As trivial as this may seem, the semantics are an important part of the promotion of risk management, believes Mr Ralph. “You may have to take somebody who is performing some of these risk and insurance management roles and formally make them a risk manager. Once you start to call them risk managers, it will be naturally enhancing for the profession.
“This is the most important thing that we have to get across—the value of risk management. Forward-looking companies see the value of risk management, as do companies that are looking to reinvent themselves and cut their operating costs. If they are able to spend money upfront to reduce their risk, it will allow them to do more with less. There is still a huge amount of work to be done, not least the ability to get people recognised as genuine risk managers rather than just buyers of insurance. But more important is the ability of these people to report to senior management,” says Mr Ralph.
Parima objectives
Achieving this objective is one of the reasons Mr Ralph became involved with Parima, for which he now serves as a board member. “I saw that there was a role for people like me that were fortunate enough to have been accepted within my company and are able to have that dialogue with senior management, who have respect for what we are trying to do. They understand what we are trying to achieve, that we are not attempting to limit the business but are trying to find ways for the business to accomplish and develop certain things without incurring undue risk. My current management is fantastic in that area.”
Developing a closer relationship with senior management is not so much about being more assertive in meetings, more aggressive in personal promotion or more accomplished in navigating office politics, says Mr Ralph, but more a question of semantics.
“It is about the language you use to communicate to the board and to make risk relevant. A lot of risk is not easy to quantify and management like to have a set of numbers on a spreadsheet. So the challenge for us is to take these intangible risks and put them into a language that is credible to the board,” he explains.
One of the biggest difficulties facing the risk and insurance management community in Asia is that the responsibility for insurance purchase often sits in other departments—for example, as part of the procurement department. So one day they might be buying stationery, the next day they are buying insurance.
“At Parima we are trying to find those people that are buying insurance in addition to their main role, be that HR, company secretary or procurement. They get no recognition for the work they are doing and no support and they have a great deal of difficulty in having the conversations they need to move themselves out of that role into something more rewarding,” says Mr Ralph.
“The people we are reaching through Parima are the ones that recognise that is where they need to go. The ones we are not getting to are the ones who do not realise there is an issue. They may be happy being a purchasing officer. Their KPIs may be easy to manage. Instead, they have to ask why they are buying insurance and ask what it is they are trying to do. When they get to that stage, we are able to help them progress further,” he adds.
To this end, Parima has put together a comprehensive calendar of events for the next few months, along with the support of its sponsors within the insurance market. “That allows us to get our message across to the people that understand what they are trying to do,” says Mr Ralph.
A major initiative for Parima is its certification programme, which it hopes to launch this year. “Once we have the programme ready we can start to work with the Insurance Commissioner and the CIRC and the CIB and people like that to understand what the education programme is aiming to do and how it can benefit everybody in the industry if risk management is recognised as a profession,” says Mr Ralph.
“There is also a growing recognition of risk management among the tertiary institutions and universities in Asia. They have risk management courses and modules within degree programmes. There is definitely an interest in the profession. I’ve spoken to many students who see it as an interesting career.
“From my own perspective, I’ve found my career in risk management the most fulfilling thing in the world. I’ve had fantastic opportunities to develop my own career. I get very involved in what is happening across the breadth of the company. One day I may be looking at the risk of a property development in Jakarta, the next it may be a cable-laying operation in north Africa, and the next it may be our broadcast team getting into trouble filming in the mountains of Spain.
“I also get involved with some of the starter projects and that gives me a view of where the company is going. D&O insurance gives you access to areas of the company that are normally quite tightly held. And being able to get the respect of your senior management is always valuable. I have also been able to travel and see a lot of the world,” says Mr Ralph.
Finally, Mr Ralph was asked what advice he would give to a young risk manager just starting out in their career. “Firstly, they need to understand and communicate that their role is about risk optimisation. It is not about avoiding risk but about enabling the business to make informed decisions about the level of risk they are able to take. If you are not able to communicate that message, then it can be too easy for the rest of the company to wrongly see you as some sort of cross between an auditor and a policeman.
“Secondly, you should not be afraid to speak out. You will never succeed in the role if you’re worried about upsetting somebody—sometimes you have to say things that people might not want to hear. Thirdly, you have to believe that you have value. I take pride in the fact that, in some small way, I support 26,000 families through what I do for the company. The fantastic results that we have announced today were partly a result of the good risk management that we have practised,” concludes Mr Ralph.