Business Resilience

A WIPRO COUNCIL FOR INDUSTRY RESEARCH JOURNALS

INSIGHTS

VOLU

ME X

VII

COPYRIGHT 2014, WIPRO LIMITED

Thinking Connectedness Across Product EcosystemsVOLUME XVIII Business Resilience

Wipro set up the Council for Industry Research comprising domain and technology experts from the organization, to address the needs of customers. It specifically surveys innovative strategies that will help customers gain competitive advantage in the market. The Council, in collaboration with leading academic institutions and industry bodies, studies market trends that help will provide organizations a better insight into their IT and business strategies.

For more information on the Council, visit www.wipro.com/insights/ or email us at [email protected]

Resilience: The Next Frontier

At the 2012 London Olympics, amidst thunder and a massive downpour, Ethiopia’s marathon runner Tiki Gelana stumbled over a plastic bottle, fell to the ground, picked herself up and ran to win the gold. When her coach was asked about this incident he said his athletes trained at a height of 9,220 feet above sea level, where oxygen is very sparse. If they can run there, they retain their core ability – and build resilience towards unpredictable disruptions.

Business leaders with foresight have begun to recognize the value of resilience. It helps them beat risk before it beats them. Some of the smartest business leaders are drawing up blueprints that will ensure their organizations come through market, technological and financial stress while staying true to their core. They realize that natural disasters, growing cyber security threats, the emergence of new power centers, increasing regulation, shrinking resources, previously unseen social patterns and the intersection of technologies are destabilizing business.

This issue of WInsights explores the idea of building business resilience in a fast changing world. We believe that reactive corporate disaster recovery is not enough. Building systems and processes that keep business running as usual during a crisis are the key to staying ahead.

To aid your thinking, we bring two special views - a perspective on reputation resilience by David Roman, CMO of Lenovo and another by Michael Hedges, CIO of Medtronic Inc., on how technology builds resilient systems and helps cope with regulatory uncertainty in medicine. I thank David and Michael for their contribution and am sure that you will find them enriching. I am happy to say that we also have some unusual thinking from our own team of experts at Wipro. They bring their on-ground experience with customers across the world to explain ideas around resilience. This is in addition to an insightful piece from HBR which I hope you will enjoy.

Puneet ChandraChief Marketing Officer, Wipro Ltd.

FOREWORD

4

WINSIGHTS Volume XVIII

06 Process Resilience Is Becoming A Business Imperative

Large companies are relatively more vulnerable to process related disasters and therefore need to consider models of risk management that give due importance to the resilience of processes.

Alexis Samuel, Chief Risk Officer, Head BPE, and Global Managing Partner, Wipro Consulting Services

CONTENTS

13 Resilience: Building ‘Bounce’ Into Your Corporate Structure

Some companies bounce back. Others go into tailspin. Why? An executive summary of the FT/Wipro strategic panel discussion in Davos on Tuesday 21st January, 2014

Chaired by: Andrew Hill, Management Editor, Financial Times | Panel: T.K. Kurien, CEO and Member of the Board, Wipro Ltd. | Brian Moynihan, CEO, Bank of America | Dennis Nally, Chairman, PwC | David Roman, CMO, Lenovo

17 Reputational Resilience In A Transparent World

Managing Brand reputation in the age of social media and an increasing millennial audience has to do with proactive transparency and the willingness and ability to respond to what customers are saying.

David Roman, Chief Marketing Officer, Lenovo

23 The State Of Cybersecurity In The Digital Economy: Balancing Accessibility With Effective Risk Management

The biggest corporations in today’s highly cyber threatened world use a combination of awareness, outsourcing and automation to remain cyber resilient.

A research by Wipro and UBMTechWeb

5

40 51Keep It Simple And Serious-Confronting The Challenges In Technology Risk Management

Business Pulse- Davos Dipstick Survey

Managing technology risk in an environment of increasing cyber threats revolves around simplifying decision making and empowering the IT team.

Business risks are no longer isolated and localized, but extend to multiple entities in an increasingly complex, dynamic and interconnected world. A dipstick survey at WEF, Davos 2014 reveals that flexibility, a strong core and a diverse executive team are key to resilient organizations.

32 How do you measure cyber risk?

Since Cyber Risk is an enterprise risk the senior management needs numbers to make decisions. This article discusses various approaches used to quantify Cyber Risk.

Kenneth Hall, VP & Global Head – Cyber Security Consulting, WIpro Ltd. | Guha Ramasubramanian,Head - Corporate Business Development, Wipro Ltd.

42 Surprises Are The New Normal; Resilience Is The New Skill

Success is no longer about being on the top all the time, its about getting back from the bottom.

Rosabeth Moss Kanter, professor at Harvard Business School and the author of Confidence and SuperCorp.

35 Building A Resilient Business For Tomorrow’s Challenges

The CIO of the world’s largest medical technology company shares the challenges and opportunities of an uncertain regulatory environment, a volatile market and evolving technologies.

Michael Hedges, Vice President & Chief Information Officer, Medtronic Inc.

46 Resilience Redefined In Energy & Resources Industry

The critical energy and resources industry is increasingly susceptible to crippling disruptions. This article shares strategies that are needed to safeguard the two components of the industry - Extraction and Supply & Distribution.

Subbi Lakshmanan, Vice President & Global Domain Practices Head, ENU, Wipro Ltd.

Balasubramaniam Ganesh, Sr. Vice President , Banking Products and BFSI in Emerging Markets, Wipro Ltd.

CONTENTS

6


1.K&W COVER

7

In an increasingly networked world, organizations need to

move beyond the kind of corporate disaster-recovery efforts

that followed the earthquake, tsunami and nuclear incidents in

Japan in 2011. To be in the top-performing tier, organizations

need to become resilient to internal as well as external

disruptions. Process resilience, in particular, is very important

for industries which are either highly regulated, Internet facing,

or serve end-user customers. Below, Morris Cohen and Praveen

Pathak, professors of operations and information management

at Wharton and the University of Florida, respectively, and

Alexis Samuel, chief risk officer and head of business process

transformation at Wipro, look at why process resilience is

becoming a business imperative. This white paper was produced

by Knowledge@Wharton and sponsored by Wipro Ltd.

Process Resilience Is Becoming a Business Imperative

8


Disaster recovery is typically reactive. If something goes down, can it be re-covered? But organizations need to be proactive about potential disasters, es-pecially when it comes to the resilience of their business processes, says Alexis Samuel, chief risk officer and head of business process transformation at Wipro Technologies. It is an emerging concept, but Samuel expects process resilience to become a “business imperative” in the coming years.

It is about “the resilience of processes and the underlying IT systems, people practices and technologies that together make an enterprise function consistently,” Samuel says. It is also “the ability of an organization to maintain the continuity of its business and meet obligations.”

Taking a broader perspective, Morris Cohen, a Wharton professor of operations and information management, notes, “If you respond quickly to any disruption in an efficient manner, one would say you are resilient.” But remaining resilient is more difficult now because of increasing globalization, interconnectivity and “the way in which we manage supply chains and economies today.” He cites the March 2011 earthquake, tsunami and nuclear

incidents at the Fukushima reactors in Japan. Following this triple disaster, the auto industry across the world was disrupted for many weeks. Part of the reason was that certain Tier 3 or Tier 4 suppliers based in the worst-affected Tohuku region had to shut down, and it had a ripple effect. “Companies like Nissan and Toyota didn’t even know about the existence of these suppliers. One of the lessons learned was that companies need to go all the way down and figure out all the connections in the network, because it can breakdown somewhere and bring the whole system down.”

While every industry is susceptible to risks, the consequences of disruptions vary, Cohen points out. Most vulnerable are defense, banking, financial services and insurance (BFSI) and health care. Samuel, looking at the issue from another angle, suggests that process resilience is most relevant for industries which are either highly regulated, Internet-based, or are end-user service providers, like BFSI and retail.

Both Cohen and Samuel note that process resilience is more relevant for larger players because they are more complex and also part of a larger ecosystem and

Alexis Samuel

Chief Risk Officer, Head BPE, and Global Managing Partner,

Wipro Consulting Services

Morris Cohen

Professor – Operations and Information

Management, Wharton

Praveen Pathak

Professor – Operations and Information Management,

University of Florida

A Knowledge@Wharton – Wipro Article featuring

9

PROCESS RESILIENCE

therefore can be a source of ripple effect. “There are more interconnected parts in large companies, and it is harder to respond fast and effectively if you are big & complicated,” Cohen says. “Therefore, robust processes, whether related to supply chain, IT or anything else, are very important.” Large organizations are also likely to be under greater scrutiny from regulators because of their public impact.

Regulatory pressure following service disruptions has been a key driver push-ing process resilience forward in the BFSI sector. In 2012, for example, the Royal Bank of Scotland- RBS- had a major service disruption in the U.K. because of a software glitch. Customers were unable to withdraw cash from ATM’s or see their bank account details, and certain other transactions were also disrupted. It took RBS a few days to restore normal functioning.

Disruptions in banking services could potentially extend far beyond immediate customers, Samuel notes. The U.K.’s Lloyds Bank, for example, handles 40% of inter-bank transactions in the U.K. If this application were to go down or get throttled, 40% of banking transactions in the U.K. would get impacted. Notes Cohen: “When these institutions fail, they can bring down major parts of the global economy. That is why there are more regulatory controls in banking and trading….” Samuel sees a “big shift” by regulators. For instance, they are “now holding the boards of banks in the U.K.

accountable for resilience failures, push-ing them to take a lead in implementing process resilience programs.”

The growing influence of social media is also encouraging more process resilience. A couple of tweets from an unhappy customer can spread to millions of cus-tomers within seconds. And with no one to judge officially whether the complaint is valid, the risk of damage to reputation is high. “The net effect is that process resilience is moving from a discretionary, good-to-have expenditure to a must-do, non-discretionary investment to address the risk posture,” says Samuel. “While business leaders and risk officers agree there is still the challenge of putting a number on return on capital employed (ROCE) for such investments, it needs to be addressed innovatively.”

Yet, as Cohen points out, resilience has always been an important asset in suc-cessful organizations. Companies that respond quickly and cost effectively -- “strategically or operationally to random stimuli or shocks” -- perform better and have always been rewarded ultimately in the marketplace. “The difference now is that resilience is being recognized as an important business imperative.”

Regulators and Social Media

“There are more interconnected parts in large companies, and it is harder to respond fast and effectively if you are big & complicated.

10


Another major shift connected to process resilience is the software development lifecycle, including testing of applications. In the past it was viewed as adequate to test any new application internally. But in many industries today the environment is highly networked. Banking applications, for example, are closely linked to telecom service providers or to credit card provid-ers like Amex. So it is important for appli-cations and the underlying infrastructure, people, technology and processes, to be designed to accommodate all players - internally and externally - during the testing phase.

For fully effective resilience in the system,

“testing of any application or process is being brought way up in the design and development lifecycle,” notes Samuel. “Near real-time replication of the test environment may also become a norm in the near future.”

The availability and recovery time of third-party hardware also needs to be evaluated in striving for resiliency. While service contracts have been a mainstay, today organizations are increasingly demand-ing that partners show they can meet the contractual obligations. “This whole focus on resilience is forcing people to think of it on an end-to-end basis with the ends expanding continuously,” says Samuel. “The resilience theme is also expanding to cover cyber security.”Cohen points to another new aspect of managing

New Models

11

resilience -- performance-based con-tracts. Such contracts rest on “actual performance and not on the promise of performance.” Thus, “you don’t need to verify if your partners and suppliers can meet their obligations. You pay them only if they do so. This puts a lot of pressure on them.” Expect this trend to “expand further.”

So how does an organization implement a robust process resilience program? To begin with, and using a bank as an example, it must catalogue all business processes - like account opening, credit card transactions, online or mobile bank-ing and so on, notes Samuel. It then needs to identify the critical processes for each, and then define the risk appetite - or the acceptable threshold - if the process fails.In banking, the risk appetite is not just a financial measure – there are other key metrics, says Samuel. “For instance, a bank could decide that in a particular process, say for credit card transactions, instead of handling 100 transactions per second, it can go down to 70, but not below that. Or, in Internet banking, it can take a maximum of one hour of downtime a year.”

Once the risk appetite has been estab-lished, the underlying infrastructure must be measured. The IT systems, people, and

technology that support the processes and their effectiveness, must be assessed in a systematic manner using pre designed templates to ensure consistency.

This throws up the gaps between current performance and the risk appetite, which then need to be addressed with relevant solutions, Samuel adds. An assessment typically takes around six to nine months while the execution is usually over a three-year period.

According to Praveen Pathak, a professor of information systems and operations management at the University of Florida, any process can be categorized based on the extent of expertise required. While processes such as bio-informatics, equity research, risk modeling in insurance and technical analysis for mergers and acqui-sition require a high degree of expertise, those such as call center-based tele-marketing & tele-collections require less.

For high-expertise processes, resilience requires two important attributes – flex-ibility and adaptive learning, says Pathak. Process flexibility, in turn, requires “loose and variable monitoring of process-output quality metrics (like error rates, produc-

Optimizing Investments

For fully effective resilience in the system, testing of any application or process is being brought way up in the design and development lifecycle.”

PROCESS RESILIENCE

12


tivity, responsiveness) and interactive managerial guidance.”

Pathak suggests that by “not monitoring the process along all output quality met-rics, and allowing the expert knowledge workers to choose which ones to optimize and when,” flexibility gets built into the process. “My research study of over 150 business processes from Fortune 500 companies shows that process flexibil-ity is positively associated with process resilience – it lowers the error rate and process failure significantly.” An increase in process flexibility of about 10 percent-age points tends to lower the process failure rate by 11% to 17%.

For non-expert processes, Pathak notes that resilience is compromised if there is too much flexibility. Adds Samuel: “Es-tablishing & maintaining the right level of design authority is another important issue to be considered.”

According to Samuel, a process resilience remediation program for a large and old BFSI enterprise could be anywhere from US$300 million to US$600 million over

three years. The cost versus benefit has to be assessed while deciding on the risk appetite. Once the risk appetite is frozen, the company needs to do whatever it takes to meet it. However, the best way to optimize the investments is by identifying and prioritizing the critical processes correctly, and also analyzing the interdependencies of various tasks. Samuel adds that banking professionals feel that “processes that touch fraud, money laundering and regulatory reporting also need to be brought under the ambit of resilience programs.”

Being resilient “depends on making the right decisions, the right investments and managing the investments before any disruption occurs,” Cohen explains. “Sometimes these decisions can be pretty complicated and you many need sophisticated methodologies to make the right decisions. Outside experts can help in optimizing investments in any kind of risk mitigating initiatives. Risk manage-ment as a whole, however, also requires a strong internal team.” Adds Samuel: “It is not a one-time exercise, but something that needs to be constantly updated.”

Performance-based contracts rest on actual performance and not on the promise of performance. Thus, you don’t need to verify if your partners and suppliers can meet their obligations.”

13

In a world moving towards increased com-plexity, volatility and dependence on technol-ogy, a tolerance for uncertainty and an ability to respond rapidly to surprises – both good and bad – within the business environment is essential. Resilience, the term for this core characteristic that enables a company or organization to stage a comeback after what might otherwise be a catastrophic event, is fast making its way up the board-room agenda. The FT/Wipro Executive Dinner Forum, which took place on the eve of the World Economic Forum in Davos, on Tuesday 21st January, 2014, brought together companies with a track record for ‘bounce’ and experts on the topic of resilience to look at operational resilience (what you need to do to prepare for day to day threats to a business, such as

cyber risk) and strategic resilience (adapting and responding to the broader threats – and opportunities - in the business environment).

Andrew Hill, Management Editor at the Finan-cial Times, launched the evening’s discussion by explaining that as the FT’s Management Editor, he tries to write about how compa-nies and other organization are run, “…and one of the things that I have picked up over the last 3-4 years, really since the height of the crisis, is that the buzzwords for chief executives and managers of all sorts are the kind of buzzwords that we are going to talk about tonight.” He was referring not just to resilience, but to agility, adaptability and flex-ibility, and highlighted the fact that whether or not we are now emerging into a period of more recovery in developed markets; the common factor is that companies now need

Some companies bounce back. Others go into tailspin. Why?

An executive summary of the FT/Wipro strategic panel discussion in Davos on Tuesday 21st January, 2014

Chaired by: Andrew Hill, Management Editor, Financial Times

Panel:T.K. Kurien, CEO and Member of the Board, Wipro Ltd.Brian Moynihan, CEO, Bank of AmericaDennis Nally, Chairman, PwCDavid Roman, CMO, Lenovo

Resilience: Building ‘Bounce’ into your Corporate Structure

DAVOS DINNER SUMMARY

14


to deal with volatile technological change. So what are the key challenges currently facing companies, and how are they build-ing ‘bounce’ into their enterprises in order to weather them?

T.K. Kurien, CEO & Member of the Board at Wipro Ltd., one of the largest global IT ser-vices, referred to a recent piece of research his company has conducted with the FT, in which 98.8% of respondents identified technology risk management as important or very important. The challenge is in part a demographic one, he said, noting that “… up to the age of 30 a person can adapt to and learn technology, beyond 32 it gets a little fuzzy, beyond 50 it gets extremely tough.”

But after 60, the research indicates that there is sudden technology rejuvenation, “everyone wants to learn before retirement from what their kids are doing”. The pre-internet age companies now have to acquire this exper-tise, and use the net effectively. First start with the process, & then use technology as an enabler. And, tempting though it is, just throwing money at this is not the answer, Mr. Kurien warned.

Technology resilience requires simplicity in business processes, Mr. Kurien observed, citing the example of the manufacturing industry, which, he says, has traditionally done this very well. “Take, for example, a car manufacturer,” he said, “essentially you build a platform, and irrespective of what the platform does, you put brands in front of it,

and with that little bit of variation, you sell it.” Without eliminating inherent complexity “you can never have resilience,” he warned. On the ‘how’ of enterprise resilience, Mr. Kurien highlighted the importance of building resiliency into the spine of the company and not making the mistake of thinking resiliency needs to be embedded ‘across’ the enter-prise. To illustrate, he explained that “if a payment system at a bank fails, everybody knows about it: so payments become the spine of the business. In a manufacturing company, it might be the supply chain.”

On the question of cyberspace resilience, T.K. Kurien said getting attacked is inevi-table, “you just hope it’s the other guy and not you; or rather, that it’s the other guy who goes first - because he will be the one that ends up in the headlines.” It’s like piracy in the olden days, he observed, pointing out that there are something like 50 sites in the world that are responsible for around 60% of attacks.

Brian Moynihan, CEO of Bank of America, among the world’s leading wealth manage-ment companies, said that one of the keys to his organization’s ability to bend, rather than break, in a storm, is getting the right team in place. It is extremely important, he said, not to have people who are there to say what is right or what is wrong, but rather “to have people who can get straight to the core of the problem – and fix it.” As well as identifying the burning platform quickly, he agreed with T.K. Kurien on the need to remove

“ Find the burning platform – and fix it.” – Brian Moynihan

“… complexity of technology is not the solution, simplicity is.” - T.K. Kurien

15

complexity and focus on the fundamentals. You must, he said, “…quit spending time and managerial effort on the stuff that isn’t going to drive business.”

In terms of institutional resilience, a strong sense of the company’s purpose is essential to surviving a crisis. “We’re here to serve our clients and customers,” he said, adding that “if our people in 2008/9 thought they were coming into work for any other reason – just to make money, for example – they would never have had the ability to withstand the pounding.”

On being asked if Bank of America has emerged after the financial crisis as more resilient as a result of this process, Mr Moyni-han agreed, but cautioned that the trick is not to have to repeat the lessons. As the

world begins to feel more normal again, more fixed, the test of this will come in 5-10 years’ time, he said.

Dennis Nally, Chairman & Partner, PwC, the world’s second largest professional services firm, cited PwC’s recent survey of some of the world’s top CEOs’ to frame his comments. The three mega trends on the mind’s of today’s CEOs’ that have emerged from the survey gravitate around the challenge of how swiftly technology is moving, the economic shift from the developed to the developing world, and understanding the workforce of the future. “These CEOs’ are telling us that

“ Things are looking better as we move into 2014.” - Dennis Nally

DAVOS DINNER SUMMARY

they are beginning to understand what those issues really are, but that they are not yet well-equipped to deal with the complexity of these challenges for the foreseeable future.” The good news, he said, is that confidence levels are going up, and that things are looking better as we move into 2004.

Trust, or rather lack of it (across all institutions – government, business and society more broadly), was another issue that emerged strongly in the survey. Mr. Nally wondered whether you can really have a resilient or-ganization without it, and concluded that some form of trust – perhaps through more global regulation - between the institutions that shape polices and the businesses that carry them out, must be established. Ex-panding on this point, he underlined CEOs’ concern around the tyranny of the short term, and the need for more transparency about what a company is, what it stands for, and the importance of developing a message around the impacts that a company has on wider society. “Unfortunately, many CEOs’ are concerned about the continued focus on the short term – three month performance, quarterly earnings, over long-term planning”.

David Roman, CMO and SVP of Lenovo, is responsible for driving all marketing activities for the global PC and technology corporation. He prefaced his remarks with the observa-tion that we are seeing a re-definition of the concept of ‘brand’ in the marketing disci-

pline – “the biggest change we’ve probably seen in the last 30-40 years.” It centres on the difference between brand awareness, brand understanding and brand engagement. “There is a very different level of relationship that our users have with the company, and we are seeing this more and more,” he said. This is significant in the context of resiliency, he points out, because “the people that are engaged with the brand are the ones that are going to save you.” They are the ones, he says, that are going to come back and help to rebuild.

While customers are good by definition (be-cause they buy your products), differentiation between customers is key to successful engagement. “Bad customers buy your prod-uct for the wrong reason,” he explains, and they are not likely to become engaged. The problem is that the bad customers are the ones that do the complaining, and require a lot of support – and good customers can be overlooked as a result. Understanding what motivates good customers, getting them involved in the co-creation process and rebuilding the company around them will help you weather a crisis. “The companies that have a community of users around the brand are of course the most valuable brands,” he observed. As part of Lenovo’s efforts at embedding resiliency, the company is trying to understand how to create more of this and to really get to grips with what processes are needed to make it happen.

“… the people that are engaged with the brand are the ones that are going to save you.” - David Roman

16


18

Lenovo’s Chief Marketing Officer David Roman on why protecting a brand is a valuable marketing opportunity as well as crucial risk mitigation

An Ear on the Ground, 24/7

As is so often the case, Warren Buffett, the American investment guru, put it best. “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

Leading companies are getting the mes-sage. More than four in five respondents (83%) in a recent Wipro/ Financial Times survey said they now consider reputa-tional risk and brand damage as potential pitfalls to guard against. Their challenge is to develop reputational resilience – an ability to respond quickly when trouble appears on the horizon, to bounce back from issues that might otherwise drag down their brands, and, ideally, to avoid such difficulties in the first place.

How, though, to build such resilience into the business? For David Roman, the Chief Marketing Officer of Lenovo, the world’s largest PC manufacturer, the first step is to recognise what is driving the increasing focus of organizations on reputation management.

Mr. Roman argues that there are two fac-tors at play - first, the increasing demand amongst customers & other stakeholders

for greater transparency from businesses. Particularly since the financial crisis, many people have taken a closer look at the be-haviors of large corporations; and second, the ability of social media to dramatically accelerate the dissemination of news and views about those businesses, whether positive or negative.

“We are increasingly looking at an audi-ence of consumers who expect brands to conform to their values and to be trans-parent about what they’re doing and how they are doing it. As millennials become our key audience, we’ll see that demands for transparency get stronger and the standards to which brands are held get higher,” Mr. Roman argues. “That’s a trend facilitated by social media – it amplifies the speed with which things can go bad and issues can come up.”

In that context, listening in to customers, as close to real time as possible becomes even more important. Three years ago, Lenovo launched a digital and social media hub in Singapore which works

By David Roman

Chief Marketing Officer, Lenovo

with the company’s marketing teams all around the world. One of its functions is to act as a social listening post that can monitor social media conversations its stakeholders may be having about its business, 24 hours a day, anywhere in the world. It can also mobilise its social media team throughout the organization where that is necessary.

The Singapore unit is a centre of excel-lence that uses a range of cutting-edge technologies in tracking, monitoring and analytics, but it is essentially building on work the company has been doing for many years. Lenovo, like other companies, has always monitored media coverage of its business – and engaged with interested reporters – but the advent of social media has democratized the conversation and given customers a voice too. The plural-ity of comment requires Lenovo to work harder to keep track of it and to respond.

Mr. Roman says this is a work in progress. “We have state-of-the-art tools to help us monitor what people are saying about Lenovo and they give us a very early signal when something is out there that we need to deal with,” he says. “But I think it is possible to go further: a more sophisticated form of tracking would enable us to monitor people’s changing perceptions of particular attributes and values at the company – to identify things that might turn out to be issues over time.”

The ultimate aim, he suggests should be to reach a state where all potential problems can be tackled before they do any damage at all to Lenovo’s reputation or brand.

“The key thing here is prevention,” Mr. Roman adds. “Like everyone, we have a crisis management process in place, but we want to avoid a crisis where we can; on anything to do with reputation, the more you can work on the potential issues up front the better, because once you’re into a reactive situation, it’s always really difficult.”

However, Mr. Roman also believes that technology will only take businesses so far. “I think we also now have an at-titude that whatever we do will be seen by the outside world and that it therefore makes sense to have full transparency of everything we have,” he argues. “The monitoring centre certainly enables us to see issues early on but the biggest change has been in the behaviour of the company: we are proactively transparent on everything we do and we work hard to ensure that even though we’re a large, global business, we are equally transpar-ent in all our markets.”

Nor should this drive towards greater transparency be seen as negative – for

“ As millennials become our key audience, we’ll see that demands for transparency get stronger and the standards to which brands are held get higher.

19

Open business, better business?

SPECIAL FEATURE

20

Lenovo, being more open and engaged isn’t an attitude the company sees as having been forced upon it, but an op-portunity to be embraced.

I genuinely believe this transparency makes us a better company, because transparency enables us to have a very direct relationship with our customers – those who want to are very easily able to give us feedback on what’s good, what’s bad, what’s working and what’s not,” says Mr. Roman. “This will make us much stronger as a company and, over time, give us much greater resilience.”

In fact, argues Mr. Roman, the move towards transparency and engagement is changing the very nature of marketing. Where this discipline was once about creating a story for the business and controlling the telling of the tale very tightly, in the new world marketers must learn to cede some of that control. It is a shift from the one-to-many marketing model to a two-way process dependent

on a relationship with the audience.“If you look at the brands that are growing these days, it’s not necessarily the ones that are spending huge sums on mass media in order to build brand presence,” Mr. Roman says. “Rather, it is the brands that have built relationships of trust with their customers, and that’s a pretty fun-damental change; in terms of reputation, if you know what your audience is really thinking, that is going to be a huge help in addressing any negative issues that might cause the brand problems over time.”

Nevertheless, for Lenovo – and all com-panies – these themes are evolving and many in the C-suite are only just beginning to get to grips with them, even if they can see the end benefits.

Of course, there will be difficulties to overcome. “One of them is the constant tug of war between having information

The fine line around privacy

SPECIAL FEATURE

and people’s concerns about privacy and there is a clear line there in terms of your reputation with your users for handling their information with integrity,” Mr. Roman says. “There are also new tools and technologies to be implemented – particularly in areas such as product development where we need to find ways to really employ the input we get from users at a very early stage.”

Part of the challenge is to embrace new ways of working – such as much greater use of partnerships with other orga-nizations. Lenovo has begun working with Facebook, for example, whose us-ers produce huge amounts of data and comments that may be relevant to the business.

Equally, however, it is important that existing processes and facilities flex to build resilience. “One of the things some people don’t think about, for example, is just enabling commentary reviews on the company website,” Mr. Roman adds.

“Also, you have to respond to those because otherwise you do more damage than good.”

Try to think of these as opportunities rather than problems. The need to build reputational resilience might sometimes seem like a risk management exercise that companies are conducting from a position of weakness in the face of changing consumer attitudes and the pressure of social media. But Mr. Roman’s message is that what is going on is much more positive.

“Marketing is a discipline where you look at the company from the outside in, from the perspective of your audience, and it is now possible to do that for real,” he says. “Rather then conducting huge amounts of research to find out who your audience is and what it really thinks of you, companies that are building engaged relationships with their customers know that already – reputation is part of the story, but the wider opportunity is far larger.”

The brands that are growing these days, are not necessarily the ones that are spending huge sums on mass media, but those that have built relationships of trust with their customers.”

21

Source: 2013, On The Pulse: Information Security Risk in American Business, Stroz Friedberg

of senior managers regularly upload work files to a personal email or cloud account.

A fast-evolving and increasingly virulent threat environment is raising the security stakes for businesses today. This, combined with the highly distributed and more open nature of today’s enterprises, is testing even the best resourced corporations. A research by Wipro and UBMTechWeb

The State of Cybersecurity in the Digital Economy: Balancing Accessibility with Effective Risk Management

24


At a high level, the research shows busi-nesses battling a wide range of cyber threats, with viruses, malware and botnet-launched attacks highest on their list of concerns. New business collaboration tools such as social media, and IT delivery models such as cloud and mobility, are adding to the security challenge by introducing potential exposure points for corporate data. Businesses now have to rethink policies around safe use and their practices for protecting valuable and sensitive information from possible leaks.

Security spending has significantly increased as security has shifted from being a nonfunc-tional requirement to a business requirement. Business and technology innovations leading to the Internet of Everything and consum-erization have brought security into focus.

In fact, 83 percent of businesses surveyed by UBM Tech plan to increase their security budgets in the next few years. Credit the

constant barrage of threats against vital corporate assets and consumer data and the high-profile breaches of 2013 and 2014, including those at Target, Neiman Marcus & Michaels Stores, for driving enterprises to tighten security controls and operations. A detailed analysis of these breaches has brought process weakness into the fore-ground, along with the need for defense-in-depth security controls.

This appreciation for the critical nature of security controls and enforcements is ap-plicable across almost every industry. Tra-ditional targets such as financial, retail and healthcare companies have evolved and are showing maturity in their security strategies, while newer targets, including manufacturing, utilities, electronics and natural resources, are under high alert because of “hactivism” and terrorist activities. Hackers are perpetrating intelligent attacks, morphing threat agents and initiating stealth attacks that take ad-

To better gauge how businesses today are arming themselves against cyber threats, and to what extent

trusted third-party managed security services providers (MSSPs) play a role, UBM Tech surveyed 146

business technology managers in late 2013 about the solutions they are employing to mitigate their risks.

Survey participants represent a cross-section of industries, including banking, financial services and

insurance; healthcare; retail and consumer packaged goods; and energy and utilities. Respondents

hold a range of management roles, from CEO and CIO to directors and line-of-business managers.

The majority of respondents work for enterprises that employ 1,000 or more people, with 57 percent

employed by organizations with head counts of 5,000 or greater. More than half of the participants —

58 percent — work for companies with annual revenue of $1 billion or greater.

25

vantage of weak controls and process gaps to slip past corporate controls.

Adding to the woes of security officers are the changing regulatory requirements that make it more complex to secure the business. Key challenges include creating the required awareness and building a team of security architects and data scientists to safeguard the business with intelligence.

“Defense in depth,” or security at each layer spanning processes, technology, transac-tions, and people, is what every sector is focusing on. Gone are the days where se-curity was confined to the perimeter and point solutions. New-age businesses run using intelligence, emotions, patterns, and

The Best Defense

70%

66%

62%

35%

31%

26%

25%

24%

21%

19%

14%

12%

3�%

Virus, malware, botnet attacks

Phishing, spam

Lack of awareness among users, operators, administrators

Weak passwords

External users

Social engineering

Silos of tools & technology

Data classification issues

Liberal internet access policies

Wireless access

Insider attacks

Lack of centralized security operaions

Legacy products & lack of documentation

Please name the top five issues that contribute to security breaches in your business

Fig 1.

Note: Maximum of five answers allowed. Data: UBM Tech survey of 146 business technology managers, December 2013

CYBER SECURITY

38%

70%

66%

62%

35%

31%

26%

25%

24%

21%

19%

14%

12%

26


profiles, which drives security toward con-vergence, analytics and posture. Asked what top security issues contributed to breaches at their enterprises, survey respondents put viruses, malware and botnet attacks at the top of their threat list (see Fig 1).

Phishing & spam can also derail productiv-ity & potentially capture personal or highly sensitive information, and two-thirds (66%) of those surveyed cited these among the top issues they face today. User error remains a major contributor to corporate insecurity, with 62 percent noting that often well-intentioned but poorly executed decisions can put critical information at risk. Weak passwords, easily hacked, can also make it easier for unauthor-ized users to access corporate resources.

The more extensible nature of enterprises also introduces new risks. An environment in which more external users, such as contrac-tors, partners and guests, are able to tap into data they’re not actually authorized to access

can pose a major threat to the security and stability of an organization.

So how are organizations defending their critical information in the current context of unpredictable threats while addressing changing business, technology and regula-tory needs? The simple answer is that busi-nesses are taking a systematic approach that focuses on user awareness, shredding the silos of technology and systems, as well as converging security systems for a unified view of posture and intelligence information. Organizations in all sectors are introducing new systems and technologies into their security landscape, including bring your own device (BYOD) for remote control and operational tasks; health-monitoring devices on home networks; and smart meters on utility networks.

In this context, 85 percent of the respondents require users to secure mobile devices with a password. Approximately three-quarters —


We restrict usage of applications on official mobile devices.

We require a mobile device password as part of our mobile security policy.

We enable external devices based on the role of the user.

We communicate upcoming threats and precautions that users should take.

We conduct security drills periodically.

We allow download of trial software on office laptops and workstations.

Which of the following are part of security best practices in your organization?

85%

77%

66%

59%

39%

27%

Fig 2.

27

Entirely insourced/managed by internal staff only

Note: Data: UBM Tech survey of 146 business technology managers, December 2013

Primarily managed by internal resources with fewer than 20% of security functions managed by external providers

Mostly managed internally with less than half of security functions managed by external providers

Mostly managed internally with the assistance of third-party consultants

More than half of all security functions are outsourced

Entirely outsourced

Please describe your organization’s overarching approach to managing security.

Fig 3.

38%

35%9%

5%

1%

12%

77 percent — engage and keep users informed by communicating information both about potential threats and about best practices with which to protect their assets.

66 percent of the respondents restrict appli-cation access to users operating corporate-owned & -managed devices. Over half — 59 percent — enable external devices based on the role of the user. So, for example, while ex-ecutives may be allowed relatively unfettered access to enterprise applications, sales staff may be required to use only corporate-issued devices (see Fig 2).

Businesses are also focusing on resilience and situational awareness. These steps run the gamut from requiring users to access corporate resources via a virtual private net-work (VPN) and USB lock down to encrypting hard drives and using a central “gold” OS image with a predefined program for add-ing or limiting access. Thirty-nine percent of the participants perform security drills on a periodic basis to make sure the IT staff is prepared to mitigate the impact of an attack.

Even as companies have become more com-fortable over time handing off other IT func-tions to third-party service providers, busi-nesses traditionally preferred to manage the highly sensitive area of security internally. As the nature of their operations became more

A Matter of Trust

Enterprises segregated the operational tasks from strategic programs and started outsourcing operational work to security service providers.”

CYBER SECURITY

28


virtualized and distributed, and the threat environment more complex, enterprises reconsidered their stance on outsourcing some or all functions of IT security. With this, enterprises segregated the operational tasks from strategic programs and started outsourcing operational work to security ser-vice providers. 63 percent of the respondents manage their IT and security infrastructure through service partners (see Fig 3).

About 6 percent say that their provider man-ages more than half of their security needs. 35 percent outsource less than 20 percent of their security functions to a third party. Another 9 percent handle the bulk of their IT security internally but do enlist the help of consultants for support. So where do third

parties provide the most support? There is no one specific need; instead, enterprises are looking for outside help to fill in resource and knowledge gaps in their security resources and meet critical compliance and secu-rity demands. Enterprises turn to external managed security service providers for a fairly broad spectrum of needs, ranging from tactical device monitoring to more strategic areas where they may lack the institutional knowledge base (see Fig 4).

Fast evolving and still new areas such as social media top the demand list for external security support, with 30 percent relying on outside security help for issues in managing cloud, social media and cyber security. 29 percent seek out an MSSP for design and

Which functions are you most likely to rely on a third-party managed security service provider to support?

39%

36%

30%

29%

22%

21%

21%

12%

Fig 4.

New trends such as social media security, cloud security, cybersecurity, security data analytics

Monitoring on-premises equipment

Design/architectural support

Auditing/Governance/Risk and compliance-related professional services

Managing and monitoring security gear

Post-attack remediation

DDoS protection

Policy development/end-user training and support


29

architecture help.

More than one-fifth of the respondents use an external provider to help mitigate distributed-denial-of-service (DDoS) attacks. Many of the third-party providers not only help with service scalability, technology expertise and tools, but they also bring intelligence and analytics to the table. They add value by letting users deploy a security solution more quickly, and by providing faster reconciliation and solution integration from an operations and resilience perspective.

Twenty percent seek out an MSSP as a reactive measure, turning to a third party to help restore services and mitigate any dam-age following an attack. Most businesses prefer to manage their compliance needs in-house. Just 6 percent use third parties for governance, risk and compliance manage-ment support.

For those who do choose to use an MSSP or a security consultant, picking the right provider comes down to trust and experience. Expertise in the relevant vertical is the most widely used criterion to select the right third-party partner, but businesses also tend to choose providers with whom they already have a trusted relationship, with 23 percent citing an existing trusted relationship as an important factor in engaging with an MSSP or security expert (see Fig 5).

There are distinct differences by industries in how companies factor in specific criteria when choosing a third-party provider. For example, 40 percent of healthcare companies say that an existing trusted relationship is their single most important criterion in choosing a security partner. By contrast, only

Data: UBM Tech survey of 146 business technology managers, December 2013

What is the single most important criterion in choosing a managed security services partner?

Fig 5.

2%2% 5%

4%

5%

6%

18%

23%

35%

Security expertise in relevant vertical segment and regulatory requirements

Deep security technology expertise

Existing trusted relationship

Strong peer recommendations

Strong skills with a particular technology

Portal-based risk management reporting capabilities

Proven analytical skills

Analytical resources

Other

CYBER SECURITY

30


17 percent of energy and utilities consider a trusted relationship as the most important factor in their selection, instead saying that a provider’s vertical expertise is far more critical.

Businesses recognize the criticality of security and compliance to their longevity. And while companies are largely looking to expand their security budgets, there are still limits. Nearly half (49%) say they expect spending

to increase between 5 and 15 percent in the coming years. Some enterprises are making even more dramatic increases, with 9 percent planning to raise their security budgets by more than 25 percent. Just 16 percent expect their budgets to stay flat, while only 1 percent plans to decrease security spending.

So what kinds of changes do the spending increases signify in security strategies? Going forward, enterprises are looking to simplify and improve their security operations, starting with greater standardization of the tools they use. Sixty-four percent want more commonality and heterogeneity across tools, technology and architecture. To this end, 34 percent plan to decommission legacy tools that are no longer a good fit.

One-fifth expect to outsource basic security management functions so they can focus on more strategic elements that could include areas around policy development, security architecture and data analysis. Automation will also play a key role going forward, as businesses look to remove the manual ele-ment across a number of functions, including antivirus deployment, configuration manage-ment, vulnerability management and patch management (see Fig 6).

The desire to reduce human errors in order to improve the security and overall stability of the enterprise is a major driver for more au-tomated security operations, with 44 percent of the respondents citing that as a primary reason to move away from a more manual approach to security. Nearly 30 percent say cost savings is driving their businesses down a more automated track.

Others are looking to automated solutions to free up expert staff to perform the kind of

63%

60%

60%

60%

49%

31%

Patch management

Password management

Level 0 security operations and support

What are the top five security areas that you want to automate?

Fig 6.

Antivirus deployment

Configuration management

Vulnerability management


Forward- Looking Perspective

31

In late 2013, UBM Tech conducted an online survey on behalf of

Wipro on the State of Cybersecurity in the Digital Economy: Balancing

Accessibility with Effective Risk Management.

A total of 146 business technology management professionals

completed the survey and make up the final data set. The greatest

possible margin of error for the total respondent base (N=146) is +/- 8

percentage points. UBM Tech was responsible for all programming

and data analysis. These procedures were carried out in strict

accordance with standard market research practices.

functions that require the kind of analysis, experience and insight not easily replicated by technology. 22 percent want to use auto-mation so that existing full-time employees can shift their focus to more strategic tasks.

A small percentage wants to use automation as a way to supplant and maybe eventu-ally replace internal staff. 6 percent of the respondents say the main appeal of an au-tomated solution is that it provides a good alternate option to using (expensive) internal security experts.

As attractive as automation is to most com-panies, businesses are more reticent about another major change in the way IT security is handled — namely, the cloud. Enterprises are making slow progress in moving to the cloud as a source for IT security services, with only 20 percent today hosting at least some of their IT security services in the cloud. Another 19 percent plan to use some type of on-demand security service within the next 12 months. However, half of the respondents say they have no intention of ever using a cloud-based security service.There are probably a number of reasons behind this

cautious approach to cloud-based security, not the least of which is lack of confidence in the security and stability of the delivery method and questions about the reliability and quality of service. Control, or lack thereof, is another factor, with businesses unwilling to outsource a larger portion of their security operations than they already do. Also, the relative immaturity of some of the solutions and the fact that many of the better-known options are aimed at smaller businesses with lower-scale requirements is less appealing to large enterprises. However, as more large businesses deploy cloud-based security solutions, their peers are likely to reconsider their security-as-a-service strategies.

What is clear today is that while businesses may be wary of cloud-based security, they are not only willing but eager to enlist trusted partners to fill in resource and expertise gaps to more successfully manage risk. The hope is that bringing in expert third-party partners will not only plug holes in their own capabilities but also enhance their overall security posture by providing internal staff with the tools, techniques and intelligence they need to mount a more proactive and effective defense.

The desire to reduce human errors in order to improve the security and overall stability of the enterprise is a major driver for more automated security operations.”

Ready for Takeoff

CYBER SECURITY

Cybersecurity is a threat to business-es globally, and is being increasingly viewed as an “enterprise risk”– it has financial implications and needs to be managed like other major business risk. Board members and senior manage-ment are looking for risk-based metrics to quantify, mitigate and then manage residual threat. The approaches and degree of maturity with regards to cyber risk measurement vary across organiza-tions – from an audit-based approach to quantifying cyber risk in benchmark scores or in dollar terms.

While qualitative measures are used to communicate the level of severity of a cyber-threat, they are unable to pro-vide a sense of the quantum of losses that could occur over a period of time. Without this understanding of the cost of the threat, it is difficult for manag-ers to decide on an appropriate risk management strategy.

The ability to quantify and benchmark cyber risks provides significant advan-tage to an organization when it comes to adopting a cyber-security strategy and prioritizing associated investments. Benchmarking is an effective tool that allows an organization to visualize its

security posture relative to an ideal or peer group, and to view existing gaps in its cyber-security posture. One approach involves a diagnostic toolkit that assesses a company along three key dimensions & provides a score that can be compared against those of peer groups. The key dimensions are:

Business Assets: Understanding of “crown-jewel” business pro-

cesses and data, common view of their criticality across the organization and awareness of their presence on the underlying infrastructure

Threat Perception: Effectiveness of the organization in collecting,

analysing & disseminating threat in-formation

Defence: Evaluation of the various defences across the processes,

defence tools, people & organizational skills; the defence assessment is along three themes – proactive defence, at-tack detection & aspects of response management

Wipro’s approach for quantification of cyber risk is based on the concept of

How do you measure cyber risk?

Kenneth Hall

VP & Global Head – Cyber Security Con-

sulting, Wipro Ltd.

Guha Ramasubramanian

Head - Corporate Business Develop-

ment, Wipro Ltd.


32

Value-at-Risk (VaR), which measures the potential loss in value of a risky asset or portfolio over a defined period for a given confidence interval.

This VaR sums up the risk in dollar terms, which helps to communicate the likely impact of cyber risk in a language that is familiar to the senior management and helps them make their risk management decisions.

A common aspect across themes in-cludes reckoning the direct cost impacts (customer notification, regulatory pen-alties, and legal expenses) along with the indirect costs (loss of customers, reputational impacts).

The model also looks at various types of threat and their frequency, as well as lay-ers of defence that need to be breached and potential costs. Irrespective of the framework used, the outcome is only as good as the assumptions on which it is built – it is critical that such assumptions follow from business realities and take into account the sophistication, variety and dynamic nature of cyber-attacks. It is also important to view the scores and quantification as directional guidance, rather than try to achieve more precision than is practical.

It is imperative to bring business spe-cific nuances into the approaches mentioned. Hence, participation from business experts is critical to build a view of the importance of various busi-ness assets and potential threats. This would enable delivery of results that are meaningful and acceptable to senior management.

Kenneth Hall and Guha Ramasubramanian

are working with the World Economic Forum

(WEF) as part of the cyber task force to drive

quantification & bench-marking of cyber risk

While qualitative measures are used to communicate the level of severity of a cyber-threat, they are unable to provide a sense of the quantum of losses that could occur over a period of time.

CYBER SECURITY SIDEBAR

33

of leading business executives feel that a potential company crises would happen in the digital space

Source:Burson-Marsteller Asia-Pacific

Digital Reputation Risk: Over

Building a Resilient Business for Tomorrow’s Challenges

36

Many new healthcare laws have been introduced in the EU and US in recent

years, with a range of implications for firms such as yours. How challenging are these for your business and how are you working to keep pace with these?

Our industry has always seen a lot of regulatory change and so this kind of

challenge is not a new one for us. We’ve always had to deal with this. But what it has meant from an IT perspective is that we’re going to continue in our mission of building more and more common systems, with common processes, and clean data. This is a massive data management job, which is going to be much more important than it had ever been before. And this is going to follow all applicable regulatory requirements, regardless of where we are.

But of course there are changes in the wider environment that affect this. For example, we’ve got a legal requirement to register and track certain events. To do so, we’ve created a single system for this, based on SAP, for the whole of Medtronic. This now allows for significant benefits, because we have far greater visibility

and traceability than before.

The second change is that we have no choice but to strive for zero defects and zero rework. You’ve got to build these common applications that are not just based on what the business is asking for today, but what we know the environment is going to ask for tomorrow. Some of these systems are really complex, but the complexity cannot stop you strive into this zero defects and zero rework, and building for the future.

How much of an enabler are today’s digital technologies, such as the cloud,

mobile and social?

The new technologies are definitely a part of it. The fact that you can do things that

have more elasticity, and that you can do things quicker, is very powerful. It also means you can give multiple people access to that data. With the right security and privacy measures in place, greater ability to provide appropriate access to the data makes a huge difference. For example, for certain functions, we use a cloud-based application around the globe that allows us to provide access without having to invest

WInsights speaks to the Chief Information Officer of Medtronic, the world’s largest medical technology company, about building more resilient systems and processes to cope with both market volatility and regulatory uncertainty.

Q&A with Michael Hedges, CIO of Medtronic Inc.

Michael Hedges

Vice President & Chief Information Officer,

Medtronic Inc.

in large data centers, and without the same concerns you have with those systems when it comes to disaster recovery and backups. That’s now all part of the cloud. That makes a huge difference in terms of speed and agility .

The fact is that we have more capabilities to gain through rapid adoption of digital tech-nologies. For example, when the iPad was first launched, we rolled out apps for use in a hospital environment, including some education By rapidly adopting this new tool, sales people could walk down the corridor of the hospital with the doctors while they were going to a meeting, showing them new tools on the go. It really worked, and drew a lot of attention.

Are these technologies helping you reduce the cost of compliance at all?

Yes, to an extent. We have a huge cloud system we’ve developed internally, and if

you can do things once, and level costs across a company of 46,000 people, you’re going to see some value. Cloud is one way to do that, although of course there are areas we may not choose to use the cloud, for other reasons.

To what extent are you able to use these kind of stronger and more resilient sys-

tems to act as a competitive advantage, or is this an arms race that everyone has to take part in, and just hope to be ahead of your rivals on?

We have no choice but to strive for zero defects and zero rework based on what we know the environment is going to ask for tomorrow.”

37

SPECIAL FEATURE

There are a few things you can achieve here. This falls into three buckets: opera-

tional excellence, optimized costs, and resulting growth initiatives. You can drive operational excellence - by having great support, functional strategies, maintaining your critical systems, securing the online environment, and ensur-ing mature IT systems and governance. Then, based on that, you can start to optimize cost and efficiency. You can look at ways to move infrastructure into the cloud. You can look at how to implement cost effective systems in emerging markets. You can consolidate systems because you’ve got that operational efficiency. This efficiency will drive savings, which you can then invest to enable growth. For instance you can take some of those dollars to invest in analytics, drive mobile platforms, or enable healthcare solutions and services. So it’s one of the things I strive for.

Have these increased regulatory needs been a driver for a greater focus on better

use of data and analytics within the business?

The market is driving a lot of this. You’ve got to use all of your data assets to

unleash maximum value of these analytics. The ability to leverage all of that data, within the boundaries of privacy protection, can inform better decisions & outcomes that will accelerate new opportunities for the business. That’s the model we’re aiming for. Of course, some of the data you have in the medical world is very

complex so many are working to understand the value we can realize from some of these advanced analytics capabilities.

Is there scope for data and analytics to help deal with some of the regulatory

requests and needs that are put in place? For example, are there ways for analytics to kind of help improve that R&D process and speed up the time it takes to get products to market?

Yes, I think it’s going to be huge. We’ve already got a programme in the com-

pany, which IT plays a key role in, called post-analytical networking. It’s really a way of using data to show up front the value and lifecycle of your products. It’s run by our chief technology officer, and is all around using clinical data.

As a final question, in the midst of all this change underway, what are the issues

that keep you up at night?

I think there are three things. I think one is always going to be security. We con-

stantly monitor and address concerns in this area and the importance of these efforts will never diminish. The second thing is speed, and how we keep pace with things as we grow. And third is about skills. There’s a huge demand right now for the skill sets that I’m looking for – the data sciences people, especially those who really understand healthcare.

38

Source: Evaluatepharma World Preview 2013, Outlook To 2018 - Returning To Growth

of worldwide prescription drug sales were lost as a result of expired patent protection.

In 2012

Modern businesses are complex systems of people, processes and technology. In the past, when customer interaction was often physical and infrequent, such as a visit to a shop or the branch of a bank, people could work around weaknesses in the system. Today, when customer interactions with almost every business are immediate and online, failures in the system have an instant impact on customers, on their experience and confidence, and on company reputation.

The immediacy and scale of this impact has been demonstrated by recent high profile system failures in the banking industry: these failures have affected millions of customers, have been reported via social media within minutes, and have been national news shortly after. They have also drawn the attention of regulators, who have become rightly concerned both about harm to customers and to the financial system as a whole.

Just like the regulators, C-suite executives need to play close attention to resilience: they may be just one failure away from serious damage to their customers, their company and their shareholders.Executives can start by taking five key steps to protect their business:

Confronting the Challenges in Technology Risk Management

Keep it simple and serious

By Balasubramaniam Ganesh

Sr. Vice President , Banking Products& BFSI in Emerging

Markets, Wipro Ltd.

40


An excerpt from “Building confidence: The business of resilience”, a Wipro and FT Remark report.

An excerpt from “Building confidence: The business of resilience”, a Wipro and FT

Remark report.

Understand your risk / understand your system: many companies do not have a

clear and realistic understanding of the risks inherent in their system, and do not explicitly draw connections between the parts that make it up; they may not know that an IT component which is due for replacement supports a process which is critical for customers. The first step in addressing business resilience is to establish an understanding of how the business processes that matter most to customers are underpinned by internal processes and technology. Then, executives can decide which risks to accept and which risks must be addressed.

Invest in people, processes & automation: over the years, the level of investment has

not kept pace with the level required in people, processes & technology. The aggregate impact of this under-investment, coupled with the increas-ing pace of business and increasing customer expectations, have created risks to service which, when made explicit, are no longer acceptable. Such risks will typically need to be addressed by a planned programme of investment, which strengthens skills and understanding within the workforce, tightens relationships within the sup-ply chain, and replaces manual processes with automated steps.

Simplify: many of the risks and weaknesses in the system have also arisen through

unplanned complexity. Manual processes, IT applications and infrastructure have been con-tinuously extended over the years, workarounds have become persistent practices, and diverse solutions introduced through M&A activity continue to run. In the past, a purely cost based case for

removing this complexity has often been hard to make: today, the risk inherent in such complexity makes it dangerous to ignore.

Address external threats: the systems which run businesses are now highly con-

nected to other businesses and to consumers via the Internet. External attacks, whether through technology or through social engineering, are increasing rapidly, and are no longer mounted by lone hackers, but by well-funded organized criminals. Our report reveals a worrying level of ignorance about such attacks and their ability to directly harm customers or wreck a company. Building and maintaining defences against such attacks is vital: the expertise to understand and respond to developing threats is central to these defences.

Be ready for new approaches: the risk to business has changed because the nature

of business has changed. This means that tradi-tional mechanisms to provide resilience, such as improved manual controls, additional hardware, increased backup frequency and so on, will be stretched to the point where they can no longer keep pace: increasing availability from 99.9% to 99.95% is not enough in a world which demands 100% perfect service. For companies which have grown up in the Internet era, this has always been the case, and they have adopted new technologies and methods to support their exponential growth and customer expectations: the mainstream IT industry has been slow to adopt these techniques, but they are reaching the stage of commercial viability, and executives should be open to trying new methods to meet ever tougher standards.

TECHNOLOGY RISK MANAGEMENT

41

The difference between winners and losers is how they handle losing.

That’s a key finding from my on going research on great companies & effective leaders - no one can completely avoid troubles & potential pitfalls are everywhere, so the real skill is the resilience to climb out of the hole and bounce back.

Volatile times bring disruptions, interrup-tions, and setbacks, even for the most successful among us. Companies at the top of the heap still have times when they are blindsided by a competing product and must play catch-up. Sports teams that win regularly are often behind during the game. Writers can face dozens of rejections before finding a publisher that puts them on the map. Some successful politicians get caught with their pants down (so to speak) and still go on to lead, although such self-inflicted wounds are harder to heal.

Resilience is the ability to recover from fumbles or outright mistakes and bounce back. But flexibility alone is not enough.

You have to learn from your errors. Those with resilience build on the cornerstones of confidence — accountability (taking responsibility and showing remorse), collaboration (supporting others in reaching a common goal), and initiative (focusing on positive steps and improvements). As outlined in my book Confidence, these factors underpin the resilience of people, teams, and organizations that can stumble but resume winning.

For anyone who wants to get beyond adversity or start over rather than give up, America is the Land of Second Chances. According to Jon Huntsman, former US Ambassador to China, getting back on our feet is an American strength widely admired in China. And everywhere, rapid recovery from natural disasters is increasingly a key to a robust economy. Entrepreneurs and innovators must be willing to fail and try again. The point isn’t to learn to fail, it is to learn to bounce back.

Some stumbles are due to circumstances outside of most people’s control, including

Surprises Are the New Normal; Resilience Is the New Skill

By Rosabeth Moss Kanter

Rosabeth Moss Kanter is a professor at Harvard Business School and the author of Con-fidence and Su perCorp. Her 2011 HBR article, “How Great Companies Think Differently,” won a McKinsey Award for

best article.

42

WINSIGHTS Volume XVII

“You have to learn from your errors. Those with resilience build on the cornerstones of confidence — accountability, collaboration and initiative.

weather events and geopolitical shocks. But while people might not control the larger problem, they control their reactions to it — whether to give up or find a new path. Recession in Europe is an example. I recently spoke to European audiences at public conferences and within companies about cultivating resilience in their businesses even when markets are shrinking, so that they hold their own as recession continues and are well-positioned for recovery. A German machinery company showed resilience by growing its service contracts when demand for machines slowed, and it mobilized employees to find new service possibilities. An Italian cosmet-ics firm grabbed talent from job-shedding multinationals and increased its international

marketing tied to both health and fashion; new sales followed. In both companies, like others described in my book Super Corp, such initiatives were made possible by a strong sense of purpose that drew members together & motivated them to take responsibility to help the companies survive and thrive. Employees were resilient because they cared, and that made the companies resilient.

Complacency, arrogance, & greed crowd out resilience. Humility & a noble purpose fuel it. Those with an authentic desire to serve, not just narcissism about wanting to be at the top, are willing to settle for less as an investment in better things later. Raymond Barre, former Premier of France,

43

TECHNOLOGY RISK MANAGEMENT

after being defeated for reelection at the na-tional level, ran for a lesser office as Mayor of Lyon and became a hero of his region. That’s the strategy Eliot Spitzer is taking by running for a lesser city office after having been gov-ernor of a state. He showed remorse quickly when scandal surfaced and then reentered the public conversation talking about the issues, increasing his comeback prospects.

Some observers say it is harder for women to stage comebacks. Still, consider Martha Stewart. She served prison time for insider trading rather graciously, showing remorse, and that graciousness restored much of her fan base afterward. In a more positive vein, Hillary Clinton was not a sore loser to President Obama in 2008 (though some of her followers were) and accepted his offer to become his Secretary of State. She’s now perhaps even better-positioned for a 2016 Presidential run. In

the long term, graciousness beats sour grapes.Resilience draws from strength of character, from a core set of values that motivate efforts to overcome the setback and resume walking the path to success. It involves self-control and willingness to acknowledge one’s own role in defeat. Resilience also thrives on a sense of community — the desire to pick oneself up because of an obligation to others and because of support from others who want the same thing. Resilience is manifested in actions — a new contribution, a small win, a goal that takes attention off of the past and creates excitement about the future.

Potential troubles lurk around every corner, whether they stem from unexpected environ-mental jolts or individual flaws and mistakes. Whatever the source, what matters is how we deal with them. When surprises are the new normal, resilience is the new skill.

Complacency, arrogance, and greed crowd out resilience. Humility and a noble purpose fuel it.”

44


Source: The 2012 Chief Executive Study, Booz and Company

the second - highest since 2000

CEO turnover rate in 2012 was

46


In July 2012, a 12 hour power outage in India impacted 670 million people, which is one in every two persons in the country or 10% of the world population . The effects were crippling. Traffic lights went off throwing streets into chaos, hospital staff struggled to provide emergency care, sanitation plants ground to a halt, miners were trapped underground and airports and factories went dark. The resulting economic loss was estimated to be US$107.5 million . The actual damage was beyond numbers: the country’s reputation was badly dented.

Earlier, in March 2011, when a nuclear reactor in Fukushima, Japan, was battered by an earthquake and a tsunami, it resulted

in radioactive contamination of 11,580 square miles of land. Land within 12 miles of the reactor was declared unsafe for human habitation. The value of property and other assets lost in that area alone are estimated at between US$250 and US$500 billion . Globally, stock prices of nuclear power companies fell. These and several other recent examples – such as the Gulf of Mexico oil spill and the mine collapse in Chile – have shown that outages and disruptions in the Energy & Resources industries are catastrophic and result in large scale and long lasting impact. These high profile incidents have underlined the urgency for building resilience into the global Energy & Resources industries.

What is the state of readiness in the Energy & Resources industry to assess such risk? What is its state of readiness to deal with events that threaten operations? How re-silient is your own business?

High impact disruptionsbecoming part of businesses

By Subbi Lakshmanan

Vice President & Global Domain Practices Head, ENU,

Wipro Ltd.

RISK IN TRADING AND HSE

48


Resilience as an organizational trait has never been more relevant. With growing awareness, the ability to measure, analyse and predict the future, organizations are building effective ways to insulate themselves from events that threaten their survival. They are, in effect, building business resilience.

In this article, we have identified the key forces that have resulted from various events along with potential strategic responses. For the purpose of this discussion the Energy & Resources industry can be classified into two broad segments of operations:

• Extraction (of resources): such as oil,gas, coal, metals, etc.

• Supply & Distribution: infrastructure to generate, process & transport utilities such as power, gas, water, oil.

The need is to create strategies around both, Extraction and Supply & Distribution, in order to build resilient organizations.

There are six major forces that will test resilience. Businesses have to brace for them. Or, they can create strategies around each to de-risk the future.

Depleting resources: Gone are the days when you could drill, mine or fell to get at

deposits and resources. Today, companies have to drill deeper and go further, operating with several constraints (labor, equipment and local

legislation). It is not easy to extract resources as it once used to be.

• Strategy: Businesses need to pursue an early entry into unconventional and renewable asset portfolios which could include coal seam gas, shale gas/ oil, and tight gas/ oil sands, wind, solar, hydro, tidal, and biomass to complement their conventional operations.

“Unfriendly” terrain: As mature fields decline, companies have to explore in

increasingly inaccessible, economically chal-lenging, poorly serviced locations. One fall out is the increased cost of production that threatens profitability in these locations.

• Strategy: In response, the industry is deploying new technology to reduce cost of extraction, production and marketing. For example Floating Liquefied Natural Gas (FLNG) is a technology that can improve profitability of economically challenged offshore gas developments. Mono-diameter well technology is another concept that has the potential to reduce cost of drilling and environmental impact in unconventional shale plays. These provide better capabilities for the recovery of resources, lowered costs and improved safety.

Political sensitivity: As companies move beyond mature fields, they are likely to

encounter geographies that have the potential to grow economically on the back of their resources. But they may be restrictive or still evolving in terms of policy. The question of political sensitivity is of enormous importance to the industry.

• Strategy: Industry leaders are showing the way with innovative partnership models where long term sustainability models are drawing governments to the negotiating table.

Resilience in Energy and Resources Industry

Building resilience around the six major forces impacting Extraction

49

Skills shortage: Workforces operate from remote locations and in socially unenviable

conditions. Very few want to educate and skill themselves for these industries. In addition, there has been a surge in the demand for energy in developing geos such as India and China, leading to a shortfall in qualified resources. Finally, the workforce is ageing, showing signs of imminent retirement.

• Strategy: The industry is working at ways to increase interest in this field. On the other hand significant investment is being made to reduce dependencies on manual work through tech-nology. For instance central collaborative work environment is being created using immersive visualization technology to monitor, analyse and control fields and plants remotely. These technologies make it possible to do more with fewer resources.

Major push on Health, Safety, Security, and Environment (HSSE): Concerns

around employees, society and the environment have been growing and so have regulations. For example high water usage and hydraulic fracturing in shale plays have caused HSSE concerns resulting in limited large scale adop-tion of shale plays.

• Strategy: Businesses must ensure they take every precaution to meet regulatory require-ments. Technology can be an important enabler here. For example, as per a recent McKinsey study, water reuse and treatment technologies

could reduce freshwater needs by as much as 50% which could potentially improve adoption of shale plays in several regions that suffer from water scarcity. Analytics is another enabler that can identify and examine all areas of risk and predict them. It is also necessary to consider training personnel using a Competency Risk Analytics, Simulation and Training plan.

Market economics: Oil and Gas prices are volatile. Extraction has to be agile to

respond to market conditions.

• Strategy: The ability to predict market con-ditions is key to staying ahead of trends and guaranteeing business resilience. Companies are also finding ways to make operations more nimble to quickly react to market conditions.

Like Extraction, Supply & Distribution can also be reshaped to build a higher degree of resilience. Supply & Distribution constitutes thousands of kilometers of power lines or pipe-lines, collectively called network that transport energy & water from source to consumption points. Companies spend billions of dollars managing and maintaining complex networks.

In the context of building resilience there are four major forces that impact Supply & Distribution operations:

The need is to create strategies around both, extraction and supply & distribution, in order to build resilient organizations.”

Building resilience around the four major forces impacting Supply & Distribution

RISK IN TRADING AND HSE

Natural disasters: We have already seen how the industry is unable to insulate

itself or respond quickly to natural disasters.

• Strategy: No matter what precautionary measures companies take, natural catastrophes leave their distinct mark. What is important is how quickly companies recover from the dam-age. With advanced instrumentation becoming more reliable, companies are looking at active controls and automatic flow routing to -(a) isolate networks before the storm to contain and limit damage and (b) Resume services through alternate routes.

Demand variance: Demand pockets are changing. In the case of Oil & Gas the

growth of demand is no longer in developed countries. Demand pockets are no longer close to supply sources. In the case of power, distributed generation (example: rooftop solar panels) is creating imbalance in the network.

• Strategy: Oil & Gas companies are invest-ing in LNG and FLNG plants to enable quick transportation. Leading utilities and energy providers are turning to predictive models that help anticipate the demand and design a flexible network accordingly.

Supply variance: An industry that has been dependent on standard sources of

energy and materials is suddenly witnessing renewables & alternate sources come into play, introducing complexity & causing disruption in the traditional supply chain.

• Strategy: Progressive companies are re-designing the supply chain to make it more agile. Digitization and real time monitoring of the supply and demand positions are critical

to create agility.

Next Gen consumers: Companies have never seen the kind of revolution sweeping

across social media. Their consumers today are freely expressing concerns and reservations on public platforms, impacting the brand image of the company.

• Strategy: Companies must include social media in their communication strategy. Constant communication builds a positive brand image. For instance, utility companies can leverage social media to warn and alert their consumers in real time on anticipated events.

The Energy and Resources industries are in the throes of the most significant change in decades. This is happening at the hands of technology, political and social changes, and heightened consumer expectations. Today, it is as important to invest in business resilience as it is to invest in the right markets, projects and people. Resilience is the single factor that will determine which businesses survive and which don’t.

Resilience redefined – In Summary

50


Businesses throughout the world have grown increasingly more interconnected and value chains are spreading across continents. Risks in one geography or line of business have the potential to affect worldwide operations. For instance, the financial crisis of 2008 and the euro zone crisis were manifestations of a chain reaction that affected almost all geographical areas and industries. Even as the world economy recovers, there are concerns about the impact of US Federal Reserve’s stimulus rollback on other countries. Clearly, businesses need to have a certain tolerance for volatility due to infrastructure outages, political uncertainty, natural calamities, man-made disasters, and so on.

The top three aspects of resilient organizations, as per the survey responses, were flexibility (66% of

respondents endorsed this), having a strong core (50%) and diversity of the executive team. The other options were modularity, strong supply chain and risk savviness. This may seem intuitive at first glance but shows how a firm can set its priorities in order to improve responsiveness and continuity of operations. Flexibility and diversity are essential for coping with todays’ rapidly evolving business environment. This also helps firms expand into seemingly unrelated fields.

The evolution of Samsung Electronics is a prime example. It was established in 1969 as a manufac-turer of appliances like televisions & refrigerators. As the semiconductor industry boomed in the seventies, it entered the microprocessor business. It staved off the Asian financial crisis of the late nineties, by hiving off 45 companies and shutting down 52 product lines. Since then, it has moved from strength to strength and has today emerged as the global leader in smartphone sales.

Google Inc. is another example. Its driverless car has allowed Google to leverage its existing core

The Case for Business Resilience

Business Resilience: What Works and What Doesn’t

51

Wipro’s survey on Business Resilience at the World Economic Forum 2014,

Davos indicates that businesses across the world continue to suffer from

inadequate understanding of risk. At the same time, there is a general

awareness that flexibility and core strength are key characteristics of

resilient organizations. According to respondents, North America emerges

as the strongest in terms of resilience among other geographical regions.

The poll was taken by some of the world’s top business leaders.

Business Pulse

DIPSTICK SURVEY

A dipstick survey of delegates at Davos 2014 on Business Resilience.

business to move into the automotive industry. Similarly it has not only expanded its search ca-pabilities but forayed into many other areas like wearable technology with google glass and home products by investing in Nest. Thus, if a firm can diversify its portfolio by using its core competencies and executing well, it can weather almost all kinds of market change.

Kodak is an example that has suffered heavily be-cause of their inflexibility, losing out leading market position in mobile handsets and cameras respec-tively. Today, the biggest competition for camera companies are smartphones – the competitive scenario today is such that companies today are going beyond their core capabilities to address the gap in the market. Indeed, the biggest hurdles that organizations face in such an endeavor are – lack of understanding of business risks and a low prior-ity given to resilience on a strategic level. Unless driven from the very top levels of management, a firm cannot build an infrastructure that can rapidly adapt to change.

In a telling statistic, a large chunk (50%) of the respondents agreed that while they understood the threats faced by their businesses, there is still

room for improvement with respect to managing unpredictable threats. As many as one third of the respondents either do not have such an understand-ing or aren’t aware of it. This makes a firm highly vulnerable to unpredictable business, operational challenges and cyber threats.

As can be expected, North America is the strongest among different geographies in terms of business resilience. This was the view held by about 60% of the respondents. Asia and Western Europe were next, but with only about 35% of the C-level executives believing in their resiliency capabilities. Such a large difference becomes relevant in the context of globalization. Any organization looking to make a mark in its field can no longer limit itself to the US. Its expansion plans should thus include costs for setting up resilient operations.

One of the side effects of advances in computing and networking has been the emergence of cyber risk. No organization today is completely immune from, say, denial of service attacks. However, it would be fruitful to know whether there are some industries

Key characteristics of a resilient organization

Geographical Spread and Industry Snapshot

0%

Flexibility Diverse and multi-skilled executive team

Strong core

10%

40%

20%

50%

30%

60%

70%

52


particularly sensitive to such threats. Respondents were asked to select three industries which they thought would face the greatest cyber risk in the coming year. The final results showed that financial services firms may have to be the most cautious in this regard as the industry figured in the top three for close to 90% of the respondents. Defense suppliers are also expected to face a high level of threat as per 56% of the respondents. The third place is shared between media & telecom, technology and retail industries (33%). As the survey shows, a large majority of the respondents understood that cyber security is a very real concern across all business lines.

Technological developments have enhanced organi-zations’ ability to adapt to changing conditions and cope with disruptions. However, the good work has been undone to some extent by malicious uses of technology. It is difficult to quantify the intercon-nectedness of different industries and regions, and hence the full impact of any local crisis cannot be gauged easily. In such a scenario, it becomes even more important for a firm to prioritize resilience in all centers of operation. Businesses need to have robust risk management plans and a focus on their core competencies. Top management must have a proper perspective on the kinds of threats that the firm can and does face in its day-to-day operations.

The need of the hour is to understand that risks today have systemic impacts and the thinking needs to move from risk management to building resilient systems. Given that the world is more complex, unforeseeable, dynamic, and interconnected than ever before, businesses cannot afford to look at short reporting cycles, but give greater priority to building resiliency.

Is there an understanding of threats to deal with unpredictable business, operational and cyber challenges?

Conclusion

50% 11%

11%

11%

17%

Don’t know

NoYes, but there is room for improvement

No

Yes

53

Regions particularly resilient

61%

33%

39% Asia

Western and Northern Europe

North America

DIPSTICK SURVEY

We hope you enjoyed reading “WINSIGHTS”

If you would like to read more, please visit our website

www.wipro.com/insights/— where we regularly publish

our viewpoints and perspectives that can help companies

sustain competitive advantage.

We would love to hear your thoughts and suggestions

that could go a long way in making this journal a valuable

knowledge-sharing tool for senior executives like yourself.

Please write to us at [email protected]

Best Wishes,

Wipro Council for Industry Research

Wipro Ltd. (NYSE:WIT) is a leading Information Technology,

Consulting and Outsourcing company that delivers

solutions to enable its clients do business better. Wipro

delivers winning business outcomes through its deep

industry experience and a 360 degree view of "Business

through Technology" - helping clients create successful

and adaptive businesses. A company recognized globally

for its comprehensive portfolio of services, a practitioner's

approach to delivering innovation, and an organization wide

commitment to sustainability, Wipro has a workforce of

140,000 serving clients across 60 countries.

For more information, please visit www.wipro.com

About Wipro Ltd.

Give us your feedback online

http://www.wipro.com/winsights-feedback/

No part of the report may be reproduced in whole or in part without the written permission of the

authors. For more information, please visit our website: www.wipro.com/insights

COPYRIGHT 2014, WIPRO LIMITED

Business Resilience

Documents

Transcript of Business Resilience