Sunder Natarajan, CRO at IndiaFirst Life Insurance, deep dives into risk associated with WFH, startups & emerging technologies and people issues:
Ravi Lalwani: Risks associated with WFH – how has been the actual experience vis-à-vis the expectations?
Sunder Natarajan: Every risk has two sides to it, not necessarily with a 50% chance of upside or otherwise. The degree keeps varying with changing circumstances. WFH is no different. It has seen a rapid rise with easy access to mobility and has of course got accelerated during and after the pandemic. For a 360 degree view on this, we can classify this by key stakeholders which could at a bare minimum be the employer, employee, and the customer. There could be larger stakeholders like the supply chain, industry, regulator, nation, and the world at large. In light of this target audience, we will restrict the perspective to BFSI and key stakeholders.
Employer: Most measurable risks would fold up to the risk of attrition and productivity lift or dip from a people point of view. In a connected world, a good chunk would be information security and data leakage and privacy related risks.
Employee: The biggest measurable risk would be net savings which would depend upon a personal productivity lift or dip and drop – in travel time and cost. The biggest elephant in the room is blurring of personal and professional timelines and goal posts leading to a strain in relationships all-round, and an eventual impact on physical and mental health. And this could work both ways.
Customer: The king/queen is the eventual beneficiary irrespective of where the goods or services are manufactured / offered with a distinct possibility of initial teething issues. The relevance of NPS has only gone up in the WFH world.
A robust risk management framework will help an organization manage a WFH ecosystem and leverage the same for benefit to all stakeholders. A traditional Cost Benefit Analysis (CBA) for a new project in this era looks beyond top-line, bottom-line and customer satisfaction and views risks and governance as factors to take a decision. With a rise in entrepreneurial spirit, the gig economy is being embraced and augurs well for all.
What policies and practices have you adopted to mitigate risks associated with start-ups?
A company which is 13 years old in an industry where a policyholder life cycle spans a few decades is akin to a start-up (across the world are half a century or more is like a start-up). IndiaFirst Life has been blessed with a rich legacy of promoters from whom we have imbibed an ethos of good governance. Risk management within our organization is therefore an integral part of our business and effective management of risk is essential to achieve our strategic and business objectives.
An Enterprise Risk Management (ERM) framework policy helps the company to identify, assess, and mitigate our key business risks. The risk management activities consider insurance, business, credit and investment, operational risks, which includes strategic risk, insurance risk, operational risk, investment / market risk, credit risk, fraud risk, information security risk, compliance risk and business continuity management. The key focus areas of our risk management framework includes (i) strategic risk assessment; (ii) governance; (iii) risk universe; and (iv) risk awareness.
A top-down approach with a robust steer from the risk management committee of the board and a strong tone at the top by the leadership guides the company to take risk-based decisions and is supported by a bottom-up team of certified risk experts across the enterprise who are risk ambassadors in their respective function. The risk management team led by the CRO is vested with the responsibility of implementing ERM across the company.
A risk appetite statement and established tolerance limits across defined risks helps operationalize the risk management framework effectively. The second line is supported by the third line, which offers assurance to the board by testing the design and effectiveness of internal controls. The risk framework thus established can offer resilience as it has been built gradually where the policy has been converted to a well-oiled practice. As the company matures, this would need further evolution to be better prepared.
Having mapped the risks associated with emerging technologies like API, RPA, AI, ML, etc., what patterns have you observed?
While APIs enable a business to make use of the functions and data of others and cancels out the need to create those features in-house, they can be a hackers delight and provide access to vital information. While most companies use firewalls to protect their system from hackers, a diluted API security strategy can make it easy for the hackers to enter the software through the backgate. Failure to identify and track all API endpoints within their mobile or web apps or implement adequate controls to authenticate and verify API calls enhances the chances of unauthorized access, data breaches, exposure of data or account takeover.
Robotic Process Automation (RPA) helps hasten repetitive tasks and brings in consistency of delivery and also reduces the cost of the process. While simple tasks are easy, documenting a process, coding it for automation and ensuring that all possible scenarios are envisaged is not as easy as it sounds.
Errors, apart from causing heartburn for the user also result into cancelling the cost advantage if there are frequent changes done. They also have to adapt to an ever-changing business environment. While a good business requirement document is key, poor execution, wrong tool selection and post-production support by the partner can be big challenges.
Artificial Intelligence (AI) & Machine Learning (ML) have become an integral part of several processes today and start nascent and mature only over time. Poor quality of underlying data can lead to a biased outcome. Incomplete, archaic, inconsistent or duplicate data may result in an inaccurate ML algorithm and impact output or experience. It is sometimes difficult to decipher the algorithms decision making. Further, with data being picked from a variety of sources, the risk of data privacy violation is a tight rope walk between what adds value to the customer and what infringes on their rights.
Data laws and implementation of the same are nascent as of now. The common man has to constantly keep improving his/ her knowledge to data privacy for self-protection. An increasingly digital world also means that a lot of activities which were done by a vendor are now executed by the customer themselves. Several awareness programs run by regulators like IRDAI, SEBI and RBI and GOI are aimed to educating customers and we are likely to experience an increase in their intensity in the foreseeable future.
What has been your experience with using technology to mitigate risks arising out of technology momentum?
The third wave predicted by Alvin Toffler in 1980 has passed by followed by a tsunami of changes in the realm of technology. A diamond is needed to cut another and cutting edge technology is essential to mitigate tech risks. We can take the examples of security and access.
Security is critical to any business as all of them have sensitive information and failure to keep them secure could result in potentially disastrous events if the wrong people get their hands on it. Loss of physical files, confidential information stored in any form or device can have an unprecedented impact. Technology can ensure information access is graded by need, relevance and hierarchy. Unique passwords and codes and an emerging culture of protecting files laden with sensitive information are changes being experienced now.
Access is also often misused and sometimes hacked easily. Biometrics and facial recognition are now widely getting used across industries to keep sensitive information safe. Even facial recognition can prevent the theft of data leading to operational risks. Fear of detection is also creating a barrier for malicious behaviour as most activities leave an audit trail.
Use of multiple application also result into information being scattered and not sometimes not updated. Software and cloud-based technologies can now allow management to access real-time information right away from anywhere and help aid quick decision making help them stay nimble footed.
Are you looking at risks associated with emotional issues like frustration, depression, isolation, alienation, resentment, etc? Please give an overview of the mitigation plan.
Mental health is one of the understated challenges of the century so far. Its difficult to detect, assess, diagnose and cure. If we were to treat it like a business exception or challenge, we do not yet have a root cause analysis (RCA), corrective action is random and preventive action is hard to find.
Potential RCA could be a increasingly nuclear society living in an information age and working in a connected world with reducing physical interaction.
Being aware and prepared can be form the basis of a mitigation plan. Setting up listening posts and helplines for employees to reach out discretely, encouraging skip level conversations, leadership outreach to frontline, encouraging leave replenishment, enriched job roles which hold an appeal to the soul and the intellect, and encouraging some fun at work are some ways to overcome the risks.
What risk management frameworks do you expect to put in place as and when crypto-currencies become legal and start gaining traction?
This is a domain which is less understood, highly complex, not regulated in most parts of the world and literally a hot potato to handle. Hence, it is difficult to comment on it.
Read more-
