GDPR in economic uncertainty, Europe and cyber breaches, regulation, storing data in Europe

The expert view: Managing uncertainty 2 – taking advantage of risk in a fast-changing European landscape

Risk can be an opportunity as well as a threat, said Sungard’s Dr Sandra Bell, introducing the second in a series of Business Reporter briefings on the subject of risk in the fast-changing European landscape. She told attendees at London’s Savoy Hotel that, rather than defending against negative outcomes, it can be better to stack the odds in favour of a positive outcome.

The first briefing in the series was defined by two European issues: Brexit and GDPR. The latter dominated the conversation, while the former was largely dismissed. Perhaps surprisingly, this second briefing followed a similar pattern. In two major areas of uncertainty, only one is preoccupying our attendees and their businesses.

Risk isn’t bad

These are far from the only risks that businesses face today, of course. Economic uncertainty, crime and terrorism, cyber breaches and ageing infrastructure are also on the radar for those who attended the briefing. All of these risks have to be lived with to some extent and, as one attendee pointed out, businesses often create risk as their company grows over time. For example, two attendees said that they had discovered a branch of their company was running on Windows XP, a long unsupported version of the Microsoft operating system and a considerable security risk.

It often takes discoveries like this to bring about improvements. One delegate, from a large retailer, said his firm had found significant amounts of unsecured data during their response to the WannaCry ransomware attack. This allowed them to consider how much it was worth to protect this data and decide whether or not to spend the money. As another attendee put it: “Never waste a good crisis.”

This kind of reasoned approach is exactly what’s needed, delegates agreed. “Risk is not a bad thing,” an attendee from an international bank argued. “We all get paid to take risk. It’s about deciding how much risk we are willing to accept.” Often, he added, the greatest rewards are in the areas of the greatest risk, so risk cannot be avoided.

GDPR and its benefits
As with the first briefing, a lot of time was spent discussing GDPR. This group were generally positive about the impact of the legislation. It has been an “amazing lever”, said one attendee. Another was grateful for the publicity surrounding GDPR, which has made it very easy to get the board signed-up to compliance measures.

“A lot of businesses had an immature approach to risk,” an attendee said. She explained that GDPR had been beneficial because it made them improve their efforts in a meaningful way. Other businesses have been forced to rethink too. For example, companies that have been overly blasé about risk in the past are now having to consider whether they need to take action to minimize risk of breaching GDPR.

Most of those present felt that, as with PPI mis-selling, there will be businesses built on encouraging individuals or groups to bring GDPR claims against large companies. However, there was no consensus over how successful this might be, with some arguing that the Information Commissioner’s Office would likely be skeptical of opportunistic claims and others saying that businesses would probably settle such cases just to avoid bad publicity.

‘A small inconvenience’
Brexit remains an issue that few want to discuss. However, unlike attendees at the first briefing who mostly felt that the uncertainty was such that it isn’t worth attempting to plan ahead, this group seemed quite relaxed about the risks of Brexit.

It could be, said an attendee from an insurance company “a small inconvenience” but he felt that, since his firm has bases across Europe, they will simply shift European operations there. Another argued that the main concerns around Brexit are about the economy and immigration, rather than legislation or regulations. If Brexit has a negative effect on the British economy, then that will hit business. Any company that employs lots of workers from the EU will have concerns about whether they can still hire who they want to hire. Those were the main risks on his company’s radar, he said.

Changing cultures
Most attendees felt that a culture change is necessary to get a better attitude for risk within their organisations. Regulations and auditing can be a useful lever to change. One attendee said that auditors can be “friends” if you use them to help you drive change.

However, another argued that regulations are always a drain, limiting a company’s innovation budget and bringing costs that are inevitably passed-on to the customer.

Ultimately, what is required is the agility to respond to ever-changing regulations, new technologies and other challenges. Too many companies still operate on large-scale, ‘waterfall’ projects, said one attendee. The best strategy for today’s uncertain landscape is to move forward in increments, releasing and assessing risk as you go.

Whether this is a strategy that can be adopted by legacy organisations, particularly those in regulated industries, remains to be seen.

For notes from the first session, click here.

 

Shares