Being risk-averse could be just as much detrimental as taking excessive risk.
For Taj Chopra, BOQ’s operational risk advisory chief and a veteran ‘fire snuffer’ in the world of financial services, the risk function is as much about enabling businesses to take risks as it is about helping avoid them.
Speaking with FST, Chopra offers insight into major threats facing Australian financial organisations today, lessons to engage with and translate the complex world of cyber risk to ‘non-techies’ across the business, and the three key pillars for FSIs to deliver operational resilience whilst also empowering calculated risk-taking.
FST Media: It’s no secret that social engineering, fraud, ransomware, nation-state threats, and DDoS attacks have spiked in recent years.
As a seasoned IT and cyber risk professional in the financial services orbit, what do you rate as the biggest security threat FSIs face today?
Chopra: As simple as it may sound, for me, it has to be about having all team members (and indeed customers) aware of the business’s risks and security concerns. You can have the latest security capabilities with all bells and whistles in the world, but if your human shield is weak, you are bound to have attacks breach your perimeter.
During Covid and the resulting stress factors, there has also been a significant spike in internal threat actors committing unauthorised activities.
We must therefore invest in ongoing education, awareness and monitoring to help ensure our people understand the rapidly evolving threats and how they can respond responsibly with confidence. We need to constructively challenge ourselves as an industry and community to do more in this important area by leveraging the significant advancements made on approaches to raise capability to prevent, detect and recover from security incidents.
FST Media: Against this evolving threat environment, what does risk maturity look like for today’s FIs?
Chopra: Interesting question as it has many different aspects.
The ‘north star’ for me is predictive intelligence and decisioning – the ability to piece together various internal and external data points to pre-empt and take a decision on probable security events and threats.
In the shorter term, achieving, maintaining, and adapting operational resilience must be a key focus area for any organisation. It includes the ability to anticipate, withstand, and recover from shocks and changes in the business environment. As an example, the Covid-19 global pandemic has brought this important capability into focus, especially given our reliance on geographically dispersed third parties who underpin customer-facing critical business processes.
The key foundational considerations on operational resilience include:
- A deep understanding of end-to-end processes, which includes identification of control points, supporting third parties and clarity on roles and responsibilities;
- Hypothesising extreme but plausible scenarios with catastrophic impacts; and
- Implementing, monitoring, and testing control capabilities to withstand, respond, and recover timely from disruptive events.
As the saying goes: “It ain’t how hard you hit. It’s how hard you can get hit and keep moving forward.”
FST Media: As risk and compliance functions within FSIs evolve to become more cyber-aware, how then should security governance change? In your view, are there steps organisations should take to help foster better collaboration between Governance, Risk, Compliance (GRC) and IT/security teams?
Chopra: Good governance is fundamentally about enablement and achievement of business goals and objectives. Traditional governance practices have primarily focused on lagging indicators. Given the fast-evolving threat landscape, leading indicators should be explored, embraced and leveraged at every opportunity.
Secondly, continue to focus on the security basics as the fundamentals still hold true. It is easy to get distracted by new service models and approaches. However, the core practices have not changed, just that they are applied differently.
FST Media: Determined, democratic or freethinking. What best defines your management style?
Chopra: All three! Putting myself in the shoes of my team and key stakeholders, they are most likely to define me as empathetic, supportive, and achievement-focused.
FST Media: Communicating risk beyond tech-savvy IT and security teams remains a foremost challenge in any customer-facing organisation. How can security teams do a better job at communicating (and quantifying) risk across the wider business, particularly to the boardroom?
Chopra: I follow three simple rules:
- Align to specific business goals and objectives;
- Keep the key messages simple and always answer the ‘so what?’;
- Be achievement-focused with clarity on the remediation plan and support required.
Lastly, orchestrate your communication to generate dialogue and use every opportunity to drive the right ownership and accountability of risks and impacts.
FST Media: “Only those who dare to fail greatly can ever achieve greatly.” As a senior manager of risk, how do you balance your mandate to mitigate risk without stifling innovative, potentially revolutionary business thinking?
Chopra: Risk and opportunity are two sides of the same coin. Financial intuitions’ entire business model is based on taking risk.
The risk appetite is as much about taking risk as it to avoid and/or minimise it. My role is to partner with the business to achieve the same goals by helping them to understand and manage risks, which includes stretching boundaries to break new ground.
Do I always get it right? No. However, failing, or as I like to call it ‘falling’, is part of standing up.
Being risk-averse could be just as much detrimental as taking excessive risk.
The art of the risk practitioner is to understand when to explore the limits and where it is prudent to pull back. ◼
Taj Chopra will be a featured keynote speaker at FST’s Future of Security, Melbourne and Sydney 2021 events on the 24 & 26 August. Register now to secure your place!
