The Gray Rhino in the Room: Preparing for the Risks of AI

By Mykhailo Rushkovskyi – Originally published on RUNDERC

The “gray rhino” concept describes probable events that have a high impact on society. Unlike Nicholas Taleb’s unpredictable “black swan” events, gray rhinos, a concept introduced by Michele Wucker (and written about in her book “The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore”), are visible and well-known risks that are often overlooked until it is too late. These risks are like a herd of rhinos seen in the distance: we are aware of their potential danger, but we cannot fully perceive their dimensions or predict when they will charge.

Gray rhinos are imminent risks that organizations must be prepared to handle. They require a framework in place to manage and mitigate the risks when they occur. Sometimes, multiple gray rhinos may stampede simultaneously, leading to a “crash” of rhinos, which can be devastating to society.

The development of artificial intelligence (AI), particularly Artificial General Intelligence (AGI), presents a “gray rhino” problem. AGI has the potential to revolutionize society, but it also poses a significant risk. AGI systems would have a broad range of cognitive abilities and could learn and reason about a wide range of topics, making them potentially more powerful than a human intelligence. However, the risks associated with AGI, such as unintended consequences or AI systems acting in ways that are not aligned with human values or goals, must be addressed.

OpenAI’s GPT-4 is being considered an early version of an AGI system. Microsoft researchers have tested it and concluded that it’s exhibiting signs of AGI, capable of performing tasks that exceed human ability. Some sources report that GPT-5 is scheduled to complete training this December and that OpenAI expects it to achieve AGI.

Last week’s open letter, signed by Elon Musk, Steve Wozniak, and other tech luminaries, argues that AI systems with human-competitive intelligence pose significant risks to society and humanity. The authors’ call for a pause in the training of AI systems more powerful than GPT-4 for at least six months highlights the need for a comprehensive risk management framework to mitigate the potential risks associated with AGI. It is crucial that such a framework involves a collaborative effort from various stakeholders, including policymakers, industry experts, and academics. It should be continuously updated and adapted as the development of AGI progresses, ensuring that it remains relevant and effective in mitigating potential risks.

Overall, the “gray rhinos” concept has significant relevance in the context of AI development, especially in the case of AGI. These risks demand a comprehensive risk management framework that requires a collective and coordinated approach from all stakeholders. It is imperative for organizations to anticipate and address the potential risks of AGI, like “gray rhinos”, to minimize their impact and ensure the responsible utilization of AGI’s benefits.


The image, shown below, features a gray rhino standing in the middle of a bustling business center. What makes this image remarkable is that it was generated entirely by AI for this article, utilizing a combination of machine learning algorithms and deep neural networks.

Preparing for the cyber generation of employees. Part 2- Is your company resilient enough to survive?

By Horst Simon, The Risk Culture Builder

As introduced in Part 1, the Cyber generation kids are entering their mid-teens, those who are not already running their own companies are preparing to enter your workplace in a few years.

They do not like supervision; not because they are arrogant, but because they have not grown up with the concept and they do not need that. They have grown up with both parents working; now they manage their own time and most of them are getting through High School “on their own”. A recent study showed that

“Boys get an alarmingly low average of one half-hour of direct face time with their dads per week, but over 40 hours of screen time (Internet, TV, and gaming).”

(From Fuller Youth Institute article entitled “Guys and Gaming” by Brad Griffin)

As they do not like supervision, they are not likely to fit into the “boxes & lines” of your current corporate structure of supervisors and different levels of management and as such these will naturally disappear when these Cyber-kids come into the workplace. Their collaboration and teamwork skills that they learned through playing massively multiplayer online role-playing games will ensure their success in the workplace. (There you have it: It is a type of game genre which allows thousands of gamers to play in the game’s evolving virtual world at the same time via the Internet, a perfect training ground for today’s Global business world.)

They are driven to survive and win; in Cyber-world, you are not accepted onto teams if you do not have the capability to deliver; and if you get in and do not deliver, you are quickly told to move on. I guess it is more “cut-throat”, direct and gender irrelevant than today’s business world, so changes are surely coming the day these guys and girls get to where you are today; the top chair. “Dead wood” will never grow in their companies; companies that will just be very large networks of partners and providers.

These guys will still be living with Mum & Dad when they enter the workplace in a few years’ time, they are DOING LIFE, not gathering possessions and worrying about retirement. They are generations away from the great depression of the 30’s. They will not iron out used gift-wrap for re-use and they cannot gather all the used Christmas and Birthday cards, as they never got any “paper” ones. They do not have childhood photo albums and home videos to show, it’s all on Facebook and YouTube.

They will not apply for jobs; your Human Resource function will have to search for them on LinkedIn if you want to employ some of them. Remember, they are the only people who would be able to protect you against the Cyber-threats of the future; they grew up with them, sometimes creating them. If your company’s profile in Cyber-world and on Social Media is good enough, they will find you! They will walk through the door and tell you how they can add value to your business and they would expect to be adequately compensated for that value. After that, they will move on to the next place; as mentioned, they have no interest in becoming a slave to your payroll!

Will you be ready? Alternatively, will you risk going out of business by refusing to accept MMORPG-warriors and all the changes coming with them?

“People are now increasingly being found for jobs, versus having to find their next job,” Jon Bischke said in an article on Quartz and in the same article, Jeff Zinser is quoted to have said: “To a good recruiter there is no difference between passive and active candidates.”

(qz.com/242663/a-new-tool-tells-companies-when-theyre-about-to-lose-their-best-people/)

Back to the mall idea…

So, the future of work is like owning a shopping mall, you are the manager and marketer of Your Own Brand. You will have one, preferably two anchor tenants; the ones who pay the bills, and then you will be in the open market for the rest. You’ll be opening and closing the outlets as the market rolls on; to those who need a coffee shop, you will give a coffee shop and to those who need a bank, you will give a bank, or at least be able to find a bank in your network and collect some commission during the referral and introduction process. Sometimes you will close some areas for renovations and improvements.

People will focus on their key skills and develop an income stream for a steady income by applying those key skills in the businesses of their “anchor tenants” adding value and building sustainable competitive advantage as without that, your mall will close down and go to the corporate graveyard.

The rest of your time you will spend on helping other smaller outlets to do business, riding the ebb-and-flow of the market to make sure your mall stays in business.

Therefore, if your shopping mall has some really good anchor tenants and an attractive, well-kept building in the right business neighbourhood and you have a good marketing strategy; the smaller outlets will queue up at your door for space in your mall. Keep in mind that building a mall is very hard work; it will require some capital and good risk management skills, as it is very different from “just renting a shop”

“The butterfly can just look back, Flap those wings and say, oh, yeah; I never have to be a worm again”

Sara Groves, Like a Skin (Listen here: https://www.youtube.com/watch?v=84w8W4E9G2U )

Preparing for the cyber generation of employees. Part 1- Is your company prepared?

By Horst Simon, The Risk Culture Builder

The Real Future of Work is like a Shopping Mall, the days are gone when employees were looking for bosses and long-term employment relationships. Prospective employees are looking for customers; and they favour the ones paying the highest price in relation to their perceived total personal value. In this global war for talent, people have taken charge of their own careers and they manage their careers the way they want, focused on achieving their personal goals. Sort of their own brand managers, after all, Human Resource Directors failed for over fifty years to get to understand the top of Maslow’s pyramid—for all people, it is all about themselves!

Many people are now working from their homes and converted garages became home-offices; perhaps the layout of the family home of the future will be much different to what we have today. We see how 24/7/365 broadband connections run trillions of megabytes of data all through our quiet and peaceful neighbourhoods. Mothers and Fathers again have time to play with their children and not just exist to “keep up” with the Jones’ next door.

Chief Executives must prepare their businesses for the Cyber Generation of MMORPG-warriors; they will not apply for jobs and will not become slaves to your payroll.

The Cyber generation kids are entering their mid-teens, those who are not already running their own companies are preparing to enter your workplace in a few years; will you and your company be ready for them? Who are they? The front-runners are those born in the year after Y2K, remember that fiasco? They follow the Millennials, but are very different; for some of you, these are known as your grandchildren.

They are from two worlds; the one you and I know and Cyber-world. Hopefully they have grown up spending more time in the real one, but that could be debatable. Their worldview has a few new lenses and filters added to it, lenses and filters you are not familiar with and as such, if you do not shape up, you will not understand them.

They have more friends than you do; both in the real world and in their Cyber-world, simply because they had more opportunities to make friends than you had. The early ones, before 2005, came quietly into the world; later, their brothers and sisters (and in a few cases their parents) posted their births on Facebook, it was the way to tell the family and the whole world they have arrived.

They know more about computers than you do; they are currently hacking, or at least trying to hack, the High School’s computer system, either to make a statement or to improve their grades for regurgitating information that they have been fed through things called books by people called teachers. The successful ones will be the ones who supplemented that learning with Khan Academy! By the time they leave school they will also know a lot more than MS Office; they will have some programming skills and most will run their own websites and blogs.

They are better at Strategy, Operations and Teamwork than you are; by the time they enter your workplace, they would have spent 30% of their lives playing MMORPGs (if you do not know what that is, ask Google). In my opinion, that is a better way to prepare for the business world than learning “outdated” information and reading historic works of corporate literature written by retired CEO’s who once had some “claim to fame”. Anything older than 5 years is outdated in today’s world; sadly some are hanging on to the thought that the degree they got in the early 80’s still means something and, even more sadly, some companies still want to see the evidence of 30-year-old degrees, thinking that such historic knowledge can add value to their business today!

See Part 2 for more information

Why 90% of ICO’s fail (and much of the rest, including STO’s may follow)

This article was originally published by the Institute of Risk Management’s ERM Magazine & Blocktribune.com

The ICO Boom

The ICO space saw a boom in the last couple of years and has been looked upon as a valid alternative to Initial Public Offerings. Less regulation, more opportunity for the average investor to “get in early” and the excitement of new technology and a movement.

I recently had the pleasure of meeting up with a number of companies in the crypto space and they all suggested that we are seeing a revolt against IPO’s due to investments being heavily in favour of venture capitalists getting the most out of it. This has seen a huge rise in ICO’s, and the same is expected for STO’s. Aside from raising funds, a major benefit of these token offerings is that they have brought in a community and supporters.

This has been extremely positive for them and has brought enthusiasm and motivation to all involved including token holders. As an example, a few companies have between 3000-8000 members of which ¼ are active every 30 days. An impressive figure for smaller crypto companies and one that shows the enthusiasm that token offerings can bring.

More recently, ICO’s are being seen as purely speculative and a money making opportunity. Additionally they are being looked upon with scepticism by investors and regulators alike. This has a lot to do with the huge number of ICO’s being launched, often with no real vision or potential product, as well as outright scams. As if it wasn’t already difficult enough to meet such aspirational objectives with the myriad of technological issues they face, these additional pressures only make it more difficult for ICO’s with a genuine and innovative proposition to prosper or survive.

Due to a number of scams (80% of ICO’s are now considered to have been scams according to a study by Satis Group) and the crash of the crypto market however, there has been the creation of a new form of ICO, a hybrid between traditional IPO’s and ICO’s. These are called Security Token Offerings (STO’s) and have more stringent requirements and regulation to follow.

With 80% having been scams, it leaves the leftover 20% of ICO’s to be successful, however according to a number of studies, 50% of these fail with the verdict still out on the rest. That means a whopping 90% have failed (if you include the scams). What does it mean for the other 10% and why do so many fail?

 

Technological Challenges

The fact that this is a new space based around innovation and firsts, makes the technological challenges numerous and difficult to predict. This has also been the case for a number of the companies I spoke with. One smaller company has employees based globally in over 10 countries with 8 of them being based at the Headquarters.

A couple of the companies were set up between 5 and 10 years ago with a specific vision. Whilst it was initially expected to take 2-3 years, the vision remains. The fact it has taken so long to make progress is an indication of the technological challenges that the space faces.

Many companies in the crypto space focus on timescales but the companies I spoke to, by their own admission, realise these timescales were not so accurate.

“It’s always difficult to predict new technology like this and you can never be sure what problems you will face,” one CIO suggested. As a result, a few of the companies have decided to stay away from timelines although this type of honesty is rare in the space and can also be seen as a weakness by the typical cryptocurrency investors who demand timelines (whether unrealistic or not).

 

Building strong foundations

The recent ICO boom, which has seen thousands of new ICOs and some huge funding raised, means that many companies don’t have time or the possibility to be so transparent and honest. Their investors expect immediate results, and being a speculative market, they care more about their token price than the technology or results produced. This has put additional pressure on companies to overpromise and launch unfinished products too soon.

Some companies do focus more on product however. Two companies I spoke to have seen their product take longer than many new ICO’s to launch or progress. The reasoning for this is, that unlike many companies who simply launch their product after ironing out only a few teething problems, these particular companies have been determined to get the bigger more complex problems resolved as a priority before launching anything.

The trouble with launching a product early is that it causes major difficulties down the line when the larger problems make themselves known and they need to resolve these issues within the confines or parameters of the design they have already launched.

“By solving the fundamentals we can ensure we are less likely to be disrupted. The downside is that it appears you are moving backwards and slower than competitors. Mostly however, others are only making incremental changes to an existing flawed design” says one CIO.

So what are the key risks to survival in the coming years for these companies?

 

Risks and challenges in the space:

Below are just some of the key risk areas the companies I have spoken to face going forward, and which I believe all ICO’s and STO’s need to be in a position to manage:

1. Funding related risks: This is the nature of the business. With much of the work being research and development based as opposed to creation of an immediate product, initial funding, ongoing funding and future funding remains a key risk to the industry.

2. Regulation related risks: I have written several articles on regulation and self-regulation (see riskguide.wordpress.com for these articles) and it is a major concern to companies in the space.

As an example, for many companies, a major part of their envisaged product would be encryption or privacy. Therefore, the UK’s Prime Minister Theresa May’s current focus on access to information would potentially require banning encryption.

“This is only the beginning and with the rise of ICO’s it is probably an important and necessary step as not everyone is fully equipped to understand what they are investing in. There needs to be a middle ground in terms of regulation. Too little doesn’t offer protection. Too much stifles innovation.” suggests a CEO of one crypto company who is open to regulation.

There are upsides to regulation too however, which I have suggested in previous articles. China’s move for example, can be taken as quite positive in terms of coming out and taking a definitive stand which should encourage other governments to do the same. It essentially removes uncertainty. Uncertainty is the source of so many risks and often a negative certainty is better than uncertainty as it allows a focus within set parameters.

One CEO suggests that if regulation was introduced it could make their job easier:

“If we knew what was coming we could work around it but when it’s uncertain we can’t prepare properly.”

Many countries are also encouraging blockchain and ICO investment by implementing clear regulation that is often positive. Slovenia and Malta are just some examples of countries encouraging growth.

3. Exchanges related risks: Many coins and tokens are on various exchanges globally but 90% of volume may be on one specific exchange, such as on a US based exchange for example. If that exchange shuts down (hacking incident, new regulations, and business decisions) their coin could be heavily impacted.

4. Assets: This is no doubt a concern for many companies. There needs to be a balance between having your assets in crypto currency and cash. Some would argue that you should keep it in the currency you trade with, but others would say Bitcoin increases so much and is a better long term investment. It is however also very volatile. Additionally, there is 18 trillion dollars in circulation vs 66 billion Bitcoin. So it is therefore easier to manipulate the Bitcoin market.

5. Product completion: Too many ICO’s and STO’s have a vision that is just unachievable. The scales and promises are too grand. Not only do deadlines get missed but a product never seems to be anywhere near completion. Whilst investors will “HODL” (a term used in the cryptocurrency community for holding a coin no matter how low the price gets and for the long term) as long as possible, when products don’t see the light of day and no progress seems to be being made, it spells trouble.

In these situations, communication is key! Keeping investors up-to-date with progress helps. Mostly however, unless you have achievable objectives, you are doomed to fail. During the height of the crypto and ICO mania, it was difficult to set achievable objectives. These wouldn’t excite investors. Now that the cryptocurrency market is down 90% however, investors are beginning to look for the few who might actually achieve what they set out to do.

6. Lack of use cases, competition and traditional alternatives: Going hand-in-hand with product completion is use case. Whilst some companies may go on to develop and launch a working product, the use case for these products is often limited. Firstly, a product has to solve a current problem. If it doesn’t, it’s unlikely anyone will use it.

If it doesn’t solve a problem you face the reality of competing against traditional alternatives. “But it’s on the blockchain” doesn’t cut it as most users of software or social media or any other technology don’t care what’s running it. Most don’t know what blockchain is and couldn’t care less. If it doesn’t improve their user experience and it doesn’t have as many users, or if it’s too difficult to migrate, then they aren’t going to swap what they currently use for this new technology. Even when using traditional technology backed by a mega company like Google, their initiative to try to compete with Facebook failed (see Google Plus).

Even if it solves a problem however, in most cases, ICO or STO backed companies are competing with the big boys. Companies like IBM who do this kind of stuff for a living. They have a large R&D centre with experienced staff and a structure that has worked for decades. They also have a large client base to sell to, something the ICO’s and STO’s can’t compete with. Moreover, these larger companies also have a large set of products with which to integrate their new technology with.

7. Bear Market liquidity: Finally, looking at this bear market where prices are down 90% or more in most cases. Many ICO’s have held onto tokens (see assets above) instead of diversifying their assets into FIAT. Many can only last a few months to a year with current spending on staff, infrastructure and having no workable product. Expect to see many cryptocurrency companies fail during 2019 if prices don’t pick up!

It is for the above reasons that risk management and having advisors or non-executive directors with the right risk management experience is so critical for companies in the space. It can help drive success and sustainability. An article I wrote highlights how: https://riskguide.wordpress.com/2018/12/07/crypto-the-failed-ico-risk-can-help-icos-stand-out-from-the-crowd-and-drive-success/

 

The early day challenges of ICO’s (2013-2015)

Whilst the above risks are certain to be relevant to many ICOs, it’s interesting to see some of the challenges that early crypto companies faced over the last five years, which, whilst not specifically relevant nowadays, at a higher level still remain very much a top risk:

  1. Combination of getting the right people and funding – in the early days there wasn’t the abundance of developers and programmers who were used to the technology, but at the same time there wasn’t the same amount of competition as there is today either.
  2. Technology related risks – most employees are working remotely. Nowadays it’s easy to do this due to online tools such as Slack, Skype, Hangouts and screenshare etc. but back then it wasn’t so easy. So the business model was far more difficult. To add to this, bandwidth at the time was a real challenge. You are talking about speeds of 2 mb vs 300 mb in terms of broadband. Whilst these days you wouldn’t be concerned about bandwidth or the lack of apps, technology still remains a major risk.
  3. ICO launch related risks – these days, the technological advances have made it easier than ever to launch an ICO. The number of tools and platforms on which to launch are increasing every day. Imagine the difficulty however for those who didn’t have such options and were trying to raise an ICO during an experimental phase. Too many coins launched, the ICO launch continuing past the deadline, and the technology it was launched on becoming obsolete were some of the examples.

Alexander Larsen can be contacted on LinkedIn or Twitter @alexlarsen_Risk

Visit riskguide for more technology and risk related articles: www.riskguide.wordpress.com

Crypto – The failed ICO’s – How future ICO’s/STO’s can not only survive but thrive by managing risk

Background

2017 was the year of the ICOs with a record 5.5 Billion USD raised compared to 90 million USD the year before and 2018 has been no different and has already surpassed this figure with 7 billion having been raised to date, according to ICOdata.io.

Whilst it sounds like the ICO machine is growing in strength, the trend tells a different story. A dramatic fall in funds raised month on month during 2018, as well as the number of ICO’s reducing suggests that all is not well with the market.

 

 

 

A number of high profile incidents regarding outright scams, alongside poor management, overvaluation of ICO’s and the crypto space have had an impact on the market with investors being more careful and more demanding of ICO’s.

Additionally, regulators getting stricter and introducing KYC and other requirements for investing in ICO’s means that ICO’s are now facing a tougher time getting off the ground and raising funds. This has created the rise of the STO, the security token offering, which is more regulated and a hybrid of IPO’s and ICO’s.

It is here that Risk Management can help ICO’s and STO’s gain credibility, stand out from the crowd and gain competitive advantage, adding value by bringing a level of transparency rarely seen in the industry, and ultimately, leading to investor confidence in the token offering and its management team.

One example that springs to mind was a Nordic property development company who decided to not only introduce risk management within their organisation but also communicate it (along with their top risks to the various developments) to potential investors. The results were twofold, with sales increasing as a result of increased confidence in the company compared to competitors, as well as better performing projects/developments.

This example highlights the fact that it is not just during the token offering stage that risk management will play a key part. The introduction of risk management to the company will lead to improved performance, resilience, strategy setting and optimisation of said strategy, as well as improved decision making. Consider that yet more competitive advantage!

Innovation

It has long been said by people who don’t understand risk management that it is a hindrance to innovation. Quite the opposite is true however. Risk management can help foster a company’s innovation agenda by revealing blind spots and areas of underinvestment. Companies such as Google, who challenge staff to find faults and risks in their projects, are a perfect example of the marrying of risk and innovation.

Clearly the blockchain space is all about innovation, which makes risk management all the more important. So what do current organisations in the space do in terms of risk management?

 

What should ICO’s focus on?

Objectives and strategy setting

There are a number of articles and courses out there that cover how to set up risk management within an organisation and how to identify risks. However, a key focus area for this industry is that ICO’s and STO’s need to be very clear as to their objectives and focus their efforts on identifying and assessing their risks to these objectives whilst looking at solutions to mitigate them.

These companies in particular are covering uncharted territory and at the very least, areas that most investors are not familiar with. This is why having clear objectives that investors can understand is a must. This then sets context when identifying risk.

Opportunities need to be considered in this context too, and embedding the risk process within strategy setting or objective setting can add real value to an organisation’s success as risk management can often influence the strategy significantly.

 

Innovation, Research and development

It’s not just the high level objectives that need to be considered with regards to risk management however. A process needs to be developed that allows risk to be embedded throughout the research and development process. It should be a natural part of idea generation and a tool to enhance all aspects of the project. Risks that are identified when an idea is born on the back of a napkin at a coffee shop are cheaper and easier to rectify than once infrastructure or software has been built!

Having met with a few companies in the space, it is clear that some have decided to focus their approach on getting the fundamentals right. One reason it has taken these specific companies longer to achieve their goals is that they have been determined to get the bigger more complex problems resolved as a priority before launching anything. This makes managing any unforeseen risks in the future much easier.

Many other companies, who simply launch their product after ironing out only a few teething problems, then realise they face major difficulties going forward when the larger problems make themselves known and they are forced to resolve them within the confines or parameters of the design they have already launched.

 

Risk Culture

Whilst having a process is important, more important for any organisation looking to implement risk management is understanding that having a positive risk culture is crucial. All employees, managers and directors are responsible for managing risk and making risk based decisions. Therefore, aside from having the necessary training, they also need to feel empowered to bring bad news to the table and share concerns. The risk framework needs to ensure that risks can be escalated and not blocked by managers or directors protecting their bonus. Building a strong risk culture isn’t easy but the value it brings is unparalleled. Recently, I sat down with Vibeke of Kontrapro Risk Management to discuss the topic of Risk Culture, what it means and ideas on how to build a positive risk culture. This has been launched as a Video Miniseries that can be found at www.riskguide.wordpress.com and www.youtube.com/c/riskguide

Some aspects to consider in order to build a successful risk culture are:

  • Ensuring there is incentive to identify and manage risk
  • Involving everyone in the process and breaking down silos. Your people are your experts, use them!
  • Engaging people and ensuring that they see the value of risk management
  • Considering a move beyond regular reporting towards real-time risk sharing and communication
  • Having a communication plan that includes internal and external risk communication (investors, partners and other stakeholders)

 

Risk Communication

Communicating risk, both internally and externally, is a critical part of risk management success. Internal risk communication ensures that everyone in the organisation is aware of the top risks and can work towards solving or reducing them. It also allows staff to see the results of their input into the process.

External risk communication, on the other hand, ensures that the company can work with partners to understand risks that they may not have been aware of. It also encourages partners to engage in risk management.

In the early 2000s, Dell computers discussed upcoming risks with partners in Asia. One particular risk, the closure of the east coast ports due to strikes, was managed by chartering jumbo jets, ensuring that if the risk occurred, they would be in a position to continue building and delivering computers to customers. The risk did happen, Dell did continue to keep customers happy, and it played a major part in propelling Dell to becoming one of the major computer manufacturers.

 

The importance of the Non-Executive Director or ICO Advisor

Often, improvement to the process or a better understanding of risk within companies and ICOs comes from having non-executive directors (NEDs) or ICO advisors who have a wide variety of experience and who can add, for example, to the risk management process. Better still, however, is having someone on board with a full understanding of risk management, who will ultimately bring the most value as they work towards embedding risk management into the culture and decision making of the organisation. Especially in the case of ICOs, which can make great use of a variety of advisors, it is an opportunity not to be missed. It is therefore important to choose your advisors and NEDs wisely.

Companies should look for experienced risk professionals who have worked with boards, had involvement in setting strategy, understand technology companies (and have a grasp of the underlying technology), have strong communication skills (communicating with board members, developers, programmers, marketing people etc.) and understand the need to be flexible and adaptable in their approach. Companies in the space already have an abundance of blockchain and tech expertise and therefore, although it is useful to have a deeper understanding of the technology, it remains low on the list of requirements from a risk expert. At the end of the day, everyone in the organisation is responsible for managing their risk.

 

 

 

How Real is the Cyber Threat?

Originally published by Strategic Risk Magazine


The power of Social media in business (Internally and Externally) & how Risk Management can enhance it.

Written by Alexander Larsen, Originally published in Enterprise Risk Magazine (IRM)

There is no doubt that involvement in social media activities is the source of a great number of risks to companies. But there are also risks to not having an online presence. Companies who are not active on social media could surrender ground to competitors, fail to attract a younger customer base, and could end up either not building a reputation – or slowly losing an already strong one.


Organisations cannot avoid social media risk by pursuing a policy of non-participation. Customers, journalists, or the public in general, can easily and quickly point out major faults with a company product or service to a large number of people. With enough attention, that can severely impact brand and reputation. Additionally, tweets can be sent out instantaneously from shareholder meetings, board meetings, or from interviews, leaving little time to prepare for a response. It is vital that organisations manage social media risk proactively.

Companies generally have two main concerns about social media. The first relates to risks to the organisation. For example, an employee who uses social media badly can expose a company to intellectual property and data leakage by saying too much about products and services. Or, extreme views expressed by staff on a company’s social media platforms could be interpreted as a reflection of the company’s own values. Viruses, hacker threats, or phishing attacks can all be introduced into the company network because an employee’s work and private login passwords are identical.


The second relates to the organisation’s social media presence. Where companies are active on social media, for example by having a forum, message board or Facebook page, they are exposed to any customers, members of the public, or disgruntled staff posting negatively about the company, or hijacking company-led social media campaigns. Internally, risks can arise from the inefficient use of social media. Often companies will have a presence on social networks but rarely update them, or have inconsistent or conflicting information, such as contact details, across the various networks. This can frustrate users and lead to missed opportunities.

Understanding social media

Keeping on top of social media-related risks should be straightforward if there is an effective enterprise risk management (ERM) programme in place. With reputation risks being at the top of corporate risk registers and board agendas, there is a need for the constant monitoring of reputation risks (such as social media presence), and mitigation actions should be implemented where needed.

But, as with all risks, you can manage them best when you identify them as early as possible – preferably before you even begin to have a social media presence. The best form of prevention is to be well prepared. When entering into social media, a company needs to focus on the purpose of doing so in the first place. Is it to attract talent, or improve customer engagement, for example? Once this is established, objectives can be set for the initiative. Different objectives will require varying approaches, not only to achieve the desired success, but also in how to mitigate the risks.

One of the mistakes many companies make when developing a social media plan is that it is often left to a single department, such as IT or marketing, rather than to a multi-disciplinary team.

Best practice indicates that representatives from risk, legal, compliance, management and any other affected departments should all be involved with the process. Having such a team in place will allow for proper preparation in terms of understanding the risks of using social media, and how to mitigate them, without having a negative impact on the initial objectives of the plan. Once a robust plan is ready, senior management should be informed and educated, and their commitment must be obtained.

Mitigating risks

Some companies have a total ban on employee access to social media. Others may decide that only certain sites are appropriate, and could help with the company’s online presence. If a business bans specific social media sites, it should consider the consequences of creating an unhappy workforce. An alternative is to have a completely open social network policy, but with an opt-in programme, whereby staff agree to “friending” the organisation on their social media sites in return for being able to access it from work.

If employee access is given, there are some common steps companies can take to mitigate social media risk. First, the company should develop a social-media policy and train staff in its use. A social media policy can be short and sweet, or quite long and detailed. A company should consider having one for employee use of social media as well as a corporate social media policy (for those working with social media on behalf of the company). These should include an outline of the do’s and don’ts when posting online, information on the safe use of social media, off-limit subjects or data, as well as the consequences of being in breach of the policy. The legal department should be of use here.

Second, a company should monitor the comments and behaviour of staff on an ongoing basis in order to avoid reputational damage, or even being held liable for comments made by employees. When using social media sites, there is a risk that staff will upload sensitive data, perhaps by accident, or that they download files which can contain viruses. IT will often restrict downloading or uploading on company computers, as well as securing sensitive files. Enforcing virus and malware protection is another way that IT tends to protect a company, but this needs to be confirmed by the team. This is another reason why having a multi-disciplinary team that includes IT is so effective.

Finally, dealing with customer complaints in an appropriate manner is vital. Companies should avoid directly deleting comments or negative posts, as well as avoiding aggressive or negative responses. Instead, a company should try to bring the conversation to another platform and try to deal with the complaint directly. Training will be a key element to successful complaints handling on social media.

Force for good

Something that risk managers may overlook with regard to social media is the potential benefits it can bring to risk management. Used in the right way, social media can be a strong tool for managing risks and opportunities, allowing risk managers to tap into an organisation’s most valuable resource – its employees.

Google is a prime example of using social media tools to minimise risk and maximise opportunity. For example, Google Moderator allows project leaders, R&D teams and top management to post their ideas, initiatives or innovations for anyone within the organisation to challenge or ask questions about. Voting within the tool allows many of the questions most relevant, or most concerning, to employees to be pushed to the top of the pile.

Not only does the use of such a tool involve the workforce, and thus increase staff morale, but it can drive the success of major change management initiatives (for example after a merger) if everyone feels that their voice is being heard and considered. It can also potentially highlight key risks to a product launch that may not have previously been identified by a project team working on its own. It was so highly thought of that the Obama administration used it when transitioning into office to make the process of change more successful.

A couple of other initiatives that Google has implemented include Google’s weekly all-hands meetings, where employees ask, through social media tools, questions directly to the company’s top leaders and other execs about any number of company issues. Again, this concept can be used by risk managers to capture risks and opportunities from across the organisation.

Perhaps a more obvious risk tool for risk managers would be to implement something similar to the Google Universal Ticketing Systems – GUTS – which allows users to report issues, which are then reviewed for patterns or problems. Adapting this to a more risk-based solution could really support an organisation in identifying risks or trends before they happen. It can allow the reporting of risks from anyone in an organisation, bypassing more senior employees who may try to stop these risks from being reported. Such a tool could serve as a means to escalate risk past local management.

Continuity

Business continuity can benefit greatly from social media by, for example, connecting stakeholders to internal staff during an incident. Many countries are already using social media, such as Twitter or Facebook, to issue hurricane and tsunami warnings to citizens on top of the more traditional alarms. This not only informs the local population who are in immediate danger, but also allows family members or friends who are signed up to the service to receive these notifications.


A similar approach should be considered by companies when it comes to spouse management during a major incident. Companies who operate in dangerous locations such as war zones, politically unstable regions, or on offshore oil platforms, should consider offering employees’ spouses the opportunity to connect to a specific company emergency social media page. This page can be the main hub of communication for spouses should an emergency occur. Not only will they get regular and factual updates, but they can post questions and even comfort each other by having a community of people in similar situations as themselves. This could be extended to include sites for connecting with stakeholders during an incident whether it be suppliers, clients or even the media.

Social media has already been used successfully during earthquakes in Japan. Pages were set up on Facebook to keep the public up to date, whilst Microsoft worked with partners to create local applications such as J!ResQ – a smartphone application for emergency contacts – to help people, family and friends, and to aid relief efforts with aid agencies. Looking more internally, business continuity plans will have steps that include informing staff of job status, whether to stay at home, work from home, work from an agreed second location, or even return to work. Using an internal social media tool can greatly improve the efficiency of this message compared to more traditional methods such as a phone call to every staff member.

Getting over initial worries about the use of social media can turn many of the risks associated with these technologies into opportunities. By carefully working through the threats and mitigating risk, risk managers can help their businesses benefit from these powerful tools.