Business risk consultancy Riskskill has highlighted what it sees as the main areas of increasing business risk for UK companies in 2014:
1. Fraud Risks
In 2014 fraud risks are likely to be the major contender for exposing many businesses to significant risk as the closure of the government’s National Fraud Authority (NFA) could, some feel, be seen by fraudsters as a huge victory for the bad guys. The NFA was set up to consolidate and focus upon the handling and approach of combatting fraud and also to direct the strategic elements of the attack on the fraudster. The NFA objectives were previously diluted from eight to three, with the more 'strategic issues' removed. Now its remaining operational functions have been atomized into several government silos.
On the commercial side, payment markets will continue to evolve very quickly this year. New payment systems and software solutions are appearing daily. Many of these do not put in place effective authentication, security, standards or best practice systems. Often, this is because these have yet to be created in a market that is changing so rapidly. New mobile payment and wallet solutions are being developed with the backing of ‘big’ funding and strong marketing campaigns. Only a few of these will win through though. Many will fail, either commercially or because of serious 'fraud attacks' that exploit the lack of authentication.
2. Identity validation / authentication
Who am I dealing with? This will become an increasingly important risk related question in 2014 for businesses and consumers alike and it is very much linked into the whole mobile market evolution. Anti-money laundering legislation, whether it is in the UK or across the EU, requires that businesses properly identify who they are doing business with, know what customers do, regularly check, watch and look for unusual transactions that might be illegal, and report anything suspect.
There are, though, several weaknesses in this area. For example, some small operators of 'new' payment solutions think that they are excluded from these requirements. There are also some insurance company policy sellers who are playing catch-up and who often do not check identities. Then there is the public, who are increasingly becoming payment providers as they buy and sell more on-line. Whereas one used to know who one was dealing with for financial transactions (as it used to be only one’s banks, card companies and utilities that one dealt with), it can now potentially be almost anyone, anywhere in the world.
As a consequence, identity, identity validation and data certainty will all move up the risk hierarchy and as a result so will the level of importance placed on these areas by businesses in 2014. These risks will be amplified greatly for those organizations that do not understand the issues or address them properly.
3. Big-data losses
With such problems increasingly arising where our personal data is held and managed by more and more people, often across the web, a new generation of customers are very open about their data and therein are disclosing almost everything about their finances. They are very keen to become users of the new mobile breed of financial products, which will increasingly present greater opportunities for identity theft and data compromises. With numerous high-profile data breaches losing millions of customer data records, including payment details, in 2013, one can see that more of these types of losses will be incurred over the coming year. Thankfully, the PCI DSS initiatives have helped to protect payments, but there are too many people now handling our data. Some observers feel that there is not a comprehensive and pervasive enough solution to protect us. Government should be setting the strategy here, but does it have the right body with the appropriate level of oversight to understand the threat now that the NFA has been disbanded?
4. Protection for multiple channels
The proliferation of new wallets, payment instruments, mobile devices, payment applications and standards being developed means that, for businesses to keep up, they need to evolve new protections, controls, and security that are consistent across multiple channels simultaneously – what one might call ‘unified protection’. As ever, the security and controls side of things will often lag behind; so businesses must ensure that these developments are carried out fully and that they are free from short-cuts as these will lead to problems later.
One of the major areas of attack expected is a fresh onslaught of new viruses. With new threats such as Cryptolocker and other such plagues landing on businesses of all sizes, there is a risk that this kind of attack could reach epidemic levels in 2014. Even the smallest firms must ensure that they update virus and anti-malware software regularly, maintain strong back-up regimes and avoid clicking on any suspicious links. If these dangers move closer to mobile payments, it could threaten the momentum of the mobile sector evolution, especially where authentication is often far less effective than it could or should be.
5. Silo mentality causing corporate ineffectiveness in combatting risk
Born out of the desire to conduct business correctly, increasingly complicated silo structures have grown up in the corporate world, with many differing and sometimes potentially conflicting interests. Often large businesses, in particular, introduce several highly ineffective theoretical layers of risk management protection that often keep the business too busy and too slow to do the real work required to tackle the challenges that organizations face.
Instead, businesses should be fighting hard to define clear risk management direction, together with business goals that incorporate risk thinking and risk/loss targets. Collaboration is the key here. It facilitates speed of decision-making, clear and assertive action-taking and an understanding of the business drivers. It also enables the ability to act, invest and change the business as required, which are key to controlling risks.
• Date: 24th January 2014 • UK • Type: Article • Topic: Enterprise risk management