2024

SGV thought leadership on pressing issues faced by chief executives in today’s economic landscape. Articles are published every Monday in the Economy section of the BusinessWorld newspaper.
09 December 2024 Carlo Kristle G. Dimarucut

Guiding Philippine SMEs through the cybersecurity journey

IN BRIEF: Attacks targeting small businesses are on the rise, and a single successful breach could jeopardize operations, customer trust, and business continuity.Rather than try to build a comprehensive security team from scratch — which can be prohibitively expensive — many small businesses are benefiting from "CISO-as-a-Service" models.This model allows companies to bring in experienced security professionals who offer strategic guidance, oversee critical cybersecurity activities, and provide access to a broader team of security specialists, all on a shared-service basis.PULL QUOTE: “By outsourcing key functions, adopting best practices step by step, and focusing on tools that blend security with usability, Philippine SMEs can more effectively protect themselves without overextending their resources.”  In the Philippines, medium and small businesses (SMEs) often face significant challenges when it comes to cybersecurity. With fewer than 20 IT personnel on staff, many organizations may only have basic protections — such as antivirus software programs and a firewall — in place. It’s common for these businesses to not have implemented services like Active Directory, and handle cybersecurity as an afterthought rather than a priority.Yet, in today’s increasingly digital economy, these businesses are at risk. Attacks targeting small businesses are on the rise, and a single successful breach could jeopardize operations, customer trust, and business continuity. With that in mind, this article will discuss how Philippine SMEs with limited resources can embark on a cybersecurity journey that’s practical, achievable, and cost-effective.An effective approach: outsource for efficiencyOne of the most effective approaches towards cybersecurity for SMEs in the Philippines is to consider outsourcing cybersecurity functions. Rather than try to build a comprehensive security team from scratch — which can be prohibitively expensive — many small businesses are benefiting from "CISO-as-a-Service" models.A Chief Information Security Officer (CISO) as a service allows SMEs to access top-tier security expertise without having to hire full-time specialists. Through this model, companies can bring in experienced security professionals who offer strategic guidance, oversee critical cybersecurity activities, and provide access to a broader team of security specialists, all on a shared-service basis. This reduces costs while still ensuring that the business benefits from industry best practices.The cybersecurity journeyAssess current state. Begin by assessing the current capabilities of the company. Understand what assets must be protected, identify any existing vulnerabilities, and evaluate all current tools and configurations. An outsourced partner can help facilitate this process, providing an unbiased, thorough review of the company’s security posture.Focus on the fundamentals. For organizations that have limited resources and basic tools, starting with strong foundational controls is key. This includes the following:Endpoint Security: Go beyond simple antivirus programs by considering endpoint detection and response (EDR) tools. These can provide more visibility into potential threats and help respond to attacks quickly. Choose EDR solutions that are simple to deploy and have an intuitive interface, making them easy for the IT team to manage.Network Segmentation and Firewalls: Reinforce the company’s firewall setup and consider segmenting its network. This way, even if an attacker gains access to one part of the system, they won’t be able to move freely. Look for firewalls that offer user-friendly dashboards, allowing the IT team to easily understand and manage network activity.Prioritize identity and access management. Many Philippine SMEs may not have any form of identity management system yet in place. Implementing a cloud-based solution, such as a simple single sign-on (SSO) or even managed identity access solutions, can significantly reduce risk. These solutions simplify login processes for users while enhancing security. An outsourced partner can make these systems easy to deploy and manage, reducing the burden on the internal team.Embrace managed security services. As part of the company’s journey, outsourcing Managed Detection and Response (MDR) can be particularly valuable. Managed service providers have dedicated security operations centers (SOCs) and can monitor the company network 24/7 for suspicious activity — something most SMEs can’t do on their own. The MDR tools often come with simplified reporting and alerts that are easy for the internal team to understand, ensuring that even non-specialist staff can grasp the current security state.Employee awareness and training. Many attacks target employees through phishing or social engineering tactics. Implement regular training sessions for company employees to teach them how to recognize threats. This is also something that a managed partner can easily help facilitate. Look for training programs that are interactive and easy to understand, ensuring employees find them engaging rather than overwhelming.Adopt user-friendly security controls. One concern that often arises when discussing cybersecurity is that it may hinder productivity. However, many of today’s solutions focus on enhancing both security and usability. Multi-Factor Authentication (MFA), for example, may seem like an extra step, but when integrated properly, it makes logging in faster while also being more secure. Choose MFA tools that are simple to use and integrate seamlessly with the company’s existing systems. Prioritize tools that simplify administration and are transparent to users, ensuring security isn’t seen as a burden but rather as an enabler of efficient work.Benefits of outsourcing cybersecurity for SMESCost efficiency. Rather than investing in full-time employees and costly infrastructure, outsourcing enables paying only for what the company needs, when it is needed.Access to expertise. Cybersecurity is complex and constantly evolving. Partnering with a provider provides access to specialists who are on top of the latest threats and trends.Scalable solutions. Outsourcing allows the scaling of security capabilities as the business grows, meaning companies do not have to worry about outgrowing their protections.Faster implementation. Leveraging external resources means that new security controls can be implemented faster, helping the business reach an improved level of security in weeks, rather than months or years.Transforming security for growthAs an example, a local medium-sized business had started with just an antivirus program and a basic firewall. They began their cybersecurity journey by gradually adopting outsourced cybersecurity services, such as MDR and a CISO-as-a-Service. Over time, they were assisted in implementing more sophisticated controls — including endpoint detection, identity management, and cloud security. While their footprint is smaller compared to global organizations, their level of protection is now at par with international standards.Throughout the journey, their service provider kept a focus on ease of administration and usability. The goal of their journey wasn’t just to make the organization more secure but also to make it easy for their employees to operate securely — resulting in a more productive and safer environment for everyone.Beginning the cybersecurity journey todayThe path to cybersecurity doesn’t have to be overwhelming. By outsourcing key functions, adopting best practices step by step, and focusing on tools that blend security with usability, Philippine SMEs can more effectively protect themselves without overextending their resources. Remember, it’s not about where the company starts — it’s about taking that first step towards securing the business for the future.  Carlo Kristle G. Dimarucut is a Technology Consulting Partner of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Read More
02 December 2024 Joseph Ian M. Canlas and Christiane Joymiel C. Say-Mendoza

Integrating ESG into risk management

IN BRIEF: Integrating environmental, social, and governance (ESG) into risk management is not just a moral imperative but a strategic necessity.As companies are increasingly required to outline their ESG policies and positions, it is crucial to evaluate how these commitments are being assessed and judged.There is a growing consensus that sustainability risk is also a financial risk, and corporate strategies need to reflect this broader perspective. PULL QUOTE: "By integrating ESG principles into risk management, companies can safeguard their operations against climate-related risks and promote inclusive growth, driving real and positive change." Integrating environmental, social, and governance (ESG) into risk management is not just a moral imperative but a strategic necessity. As businesses navigate a landscape where ESG considerations significantly impact operations and reputation, integrating ESG into risk management becomes crucial. This article explores how companies can integrate ESG into risk management to build resilient, sustainable, and ethically grounded business practices.The crucial role of ESG in risk managementAs companies are increasingly required to outline their ESG policies and positions, it is crucial to evaluate how these commitments are being assessed and judged. Most companies release an annual ESG report, which customers and other key stakeholders review to ensure alignment with their values, and which investors use to support their investment decisions. Companies that pursue management system certification (e.g., ISO Management Standards, Environmental and Energy certifications, etc.) can integrate ESG goals from the initial planning stage of the PDCA (Plan-Do-Check-Act) cycle. The check phase allows them to evaluate the effectiveness of their policies and processes in meeting their commitments and take appropriate actions. This approach also helps proactively address potential risks, build resilience against ESG-related shocks, and comply with regulatory requirements. Enhancing existing risk management practices is vital because negative ESG incidents are increasingly damaging and costly. Research by international ratings firm Morningstar Sustainalytics indicates that companies experiencing significant ESG incidents lost an average of 6% of their market capitalization. Additionally, incorporating ESG into risk management is not just about avoiding negative outcomes; it also involves seizing opportunities to create value and drive innovation. Companies that effectively manage their ESG risks are well-positioned to succeed in a rapidly changing global business environment.According to the 2025 Asia Pacific Risk in Focus study, a survey conducted by the Institute of Internal Auditors, organizations consider climate change or environmental risk to be in their top ten risk expectations this year but consider it to be in their top five in the next three years, highlighting its increasing significance and the need to address it sooner than later. Companies with effective ESG practices are less likely to encounter harmful controversies and are better equipped to respond when incidents occur. Medium and smaller firms may not face the same level of stakeholder scrutiny or regulatory requirements, but they are equally at risk from ESG incidents, which can be even more damaging. Without the support of major investors, smaller companies may struggle to recover from adverse events. In essence, ESG risk is a material risk, and failing to address it promptly and appropriately can lead to severe consequences.Integrating ESG principles in the ERM processAccording to the 2023 EY Global Board Risk Survey, highly resilient boards are more aware of the potential of ESG governance to create long term value as well as more aware of the sustainability risks their organization may face. Integrating ESG factors into enterprise risk management (ERM) process is crucial for enhancing executive management’s understanding of risk, encouraging a collaborative relationship with risk owners and risk management units, ensuring regulatory compliance, protecting reputation, mitigating risks, and ensuring long-term sustainability.Boards can accomplish this by incorporating ESG risk assessments into regular risk identification processes and exploring how climate change impacts the business model. Companies should adopt a comprehensive approach encompassing internal and external factors, identifying financially material ESG risk exposures through a materiality assessment. In addition, create strategies to mitigate any identified ESG risks, and regularly monitor these and report progress to stakeholders. The current regulatory landscape In recent years, government regulators have introduced various ESG-related regulations, primarily focusing on reporting and disclosure requirements. However, laws and regulations that mandate a more proactive approach towards ESG were deemed essential. Two significant steps in this direction are the Extended Producer Responsibility (EPR) Act of 2022 and the proposed Local Carbon Economy Law.The EPR Act of 2022 addresses the Philippines' plastic pollution problem by requiring large enterprises to establish programs for the effective recovery of plastic waste. Companies must meet target recovery rates, starting at 40% in 2024 and increasing by 10% annually until 2028. This act aims to ensure that producers take responsibility for the entire lifecycle of their products, particularly in managing post-consumer waste.The proposed Local Carbon Economy Law seeks to create a framework for reducing carbon emissions at the local level, promoting sustainable practices, and encouraging the development of a low-carbon economy. This law aims to align local initiatives with national and international climate goals, fostering a more sustainable and resilient economy.Over the years, the Philippines has made significant strides in promoting ESG practices. In 2019, the Securities and Exchange Commission (SEC) issued Memorandum Circular No. 04, requiring publicly listed companies (PLCs) to submit sustainability reports. These reports assess and manage non-financial performance across economic, environmental, and social aspects, enabling PLCs to measure and monitor their contributions towards achieving universal sustainability targets and national policies.The Philippine government is actively working to enhance its ESG regulatory framework. The country has expressed its intention to adopt the International Sustainability Standards Board (ISSB) standards, demonstrating a commitment to align with international best practices. In October 2021, the Sustainable Finance Taxonomy Guidelines (SFTG) for the Philippines were developed through cooperative efforts between the SEC, the Bangko Sentral ng Pilipinas (BSP), and the Insurance Commission (IC). These guidelines, drawing on the ASEAN Taxonomy’s Foundation Framework, initially focus on climate change mitigation and adaptation, with plans to include ecosystems, biodiversity, circular economy, and potential social objectives in future iterations. Additionally, the SEC plans to fully implement the Association of Southeast Asian Nations Sustainable and Responsible Fund Standards (ASEAN SRFS) to enhance transparency and uniformity in reporting.With climate risks looming, the business community has also increasingly integrated ESG into their operations and reporting over the past few years. Several companies in the Philippines have been recognized for leading the way in adopting ESG practices, setting examples for others to follow. To help their organizations manage ESG risks, Chief Audit Executives (CAEs) can help define the Board’s role in sustainability requirements, overseeing the processes around approving disclosure reports. Greenwashing, or the act or practice of making something appear more environmentally friendly than it actually is, poses a new kind of risk that must be incorporated into the overall risk assessment. CAEs can provide assurance for the accuracy of sustainability reporting and guard against potential greenwashing. Driving real and positive changeCompanies that prioritize ESG have been shown to have a positive correlation with financial performance and attractiveness to investors. Many business leaders recognize the importance of strong ESG governance, oversight, and accountability. There is a growing consensus that sustainability risk is also a financial risk, and corporate strategies need to reflect this broader perspective. By integrating ESG principles into risk management, companies can safeguard their operations against climate-related risks and promote inclusive growth, driving real and positive change. Joseph Ian M. Canlas is a Risk Consulting Partner and ASEAN Core Consulting Quality Leader, and Christiane Joymiel C. Say-Mendoza is a Risk Consulting Partner, both of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Read More
25 November 2024 Aris C. Malantic and Benjamin N. Villacorte

Beyond Metrics: Creating lasting value in the "Age of And"

IN BRIEF: CFOs are uniquely positioned to integrate sustainability into financial strategies and drive long-term value creation.Advanced AI and data analytics offer CFOs powerful tools to enhance reporting accuracy and transparency.By fostering deeper engagement with investors and stakeholders, CFOs can build trust and confidence in their company's sustainability commitments. PULL QUOTE: "In the Age of And, CFOs must balance short-term pressures with long-term goals to drive sustained performance.”In today's rapidly evolving business landscape, the role of the Chief Financial Officer (CFO) has never been more critical in driving long-term value. Investors are increasingly demanding clear and credible narratives on how companies will create long-term value while managing immediate challenges. However, recent research highlights significant doubts among both CFOs and investors regarding the reliability of non-financial reporting and the achievement of sustainability targets.The challenge of non-financial reportingThe 2024 EY Global Corporate Reporting Survey, which surveyed more than 2,000 finance leaders and 815 institutional investors globally, reveals a concerning level of skepticism surrounding transparency and sustainability. Only about half of the finance leaders and investors surveyed believe that companies will likely meet their stated sustainability targets. This doubt is compounded by perceptions of greenwashing, where companies are seen as overstating their environmental efforts without substantial actions to back up their claims.Non-financial reporting, particularly in the realm of sustainability, is still maturing. Unlike financial reporting, which is governed by well-established standards and metrics, sustainability reporting often relies on voluntary frameworks that widely vary. The lack of standardization can lead to inconsistencies and a lack of confidence in the reported data. CFOs, therefore, face the dual challenge of improving the quality of non-financial reporting while ensuring that it aligns with investor expectations and regulatory requirements.Balancing multiple priorities in The Age of AndIn what is termed the "Age of And," CFOs are tasked with the complex challenge of balancing short-term financial pressures with long-term strategic goals. This involves making informed capital allocation decisions that drive growth in areas such as artificial intelligence (AI) and sustainability while also meeting near-term performance expectations.The "Age of And" reflects a business environment where companies must simultaneously address multiple, often conflicting, priorities. For CFOs, this means developing strategies that ensure immediate financial stability and position the company for future growth. This balancing act requires a deep understanding of both financial and non-financial drivers of value, as well as the ability to communicate these effectively to investors and other stakeholders.Building credibility in sustainability reportingTo address these challenges, CFOs must take proactive steps to enhance the credibility of their sustainability reporting. This involves understanding investor requirements, resetting non-financial reporting standards, and integrating sustainability into financial decision-making processes. By doing so, CFOs can provide the structured insights needed to distinguish their companies in the market.One of the key steps in building credibility is ensuring that sustainability disclosures are backed by rigorous data and due diligence. This means going beyond mere compliance with reporting standards to provide a transparent and verifiable account of the company's sustainability efforts. CFOs should work closely with sustainability officers and other key stakeholders to develop robust reporting frameworks that can withstand scrutiny from investors, regulators, and the public.The role of AI in enhancing sustainabilityAI presents a significant opportunity to transform finance functions and enhance sustainability efforts. It can improve the efficiency of core processes, enhance data analytics, and generate insights that drive value creation. However, the successful implementation of AI requires strong data and technology foundations as well as a responsible approach to building trust in AI systems.AI can help CFOs address some of the key challenges in sustainability reporting by automating data collection and analysis, identifying trends and anomalies, and providing real-time insights into the company's performance. For example, AI tools can be used to monitor sustainability metrics, track progress against targets, and identify areas where additional investment or action is needed. By leveraging AI, CFOs can improve the accuracy and reliability of their reporting while also freeing up time and resources for more strategic activities.Recommendations for CFOsEnhance reporting credibility. CFOs should ensure that their sustainability reporting is backed by rigorous data and due diligence to avoid perceptions of greenwashing. This involves developing robust reporting frameworks, conducting regular audits, and engaging with stakeholders to ensure transparency and accountability. To provide additional comfort to their stakeholders, CFOs and financial reporting teams should endeavor to align sustainability reporting with financial and regulatory reporting implications and disclosures to achieve consistency in reporting. Leverage AI. Utilize AI to improve data analytics and decision-making processes, ensuring that the technology is built on solid data foundations and adheres to ethical principles. CFOs should invest in AI tools that can enhance the efficiency and accuracy of their reporting while providing valuable insights into the company's performance. This includes developing a clear strategy for AI implementation, training staff on the use of AI tools, and establishing governance frameworks to ensure the responsible use of AI.Engage with investors. Building deeper engagement with investors is crucial for gaining their trust and confidence. CFOs should regularly communicate with investors about the company's sustainability efforts, progress against targets, and plans for future growth. This includes providing detailed and transparent reports, hosting investor briefings, and seeking feedback from investors to understand their concerns and expectations.Cultivate a sustainability-driven culture. CFOs should play a key role in fostering a culture of sustainability within the organization. This involves promoting sustainability as a core value, encouraging collaboration between different departments, and providing training and resources to support sustainability initiatives. By embedding sustainability into the company's culture, CFOs can ensure that it becomes a key driver of long-term value creation.Driving long-term value through sustainable practicesCFOs play a pivotal role in shaping the future of their organizations by providing credible, transparent, and forward-looking reporting. By addressing investor concerns and integrating sustainability into their financial strategies, CFOs can build trust and drive long-term value creation. In doing so, they position themselves as essential strategic partners to the CEO and the board, capable of navigating the complexities of the modern business environment.The journey towards reliable non-financial reporting and sustainable value creation is challenging, but it is also an opportunity for CFOs to demonstrate their leadership and vision. By taking proactive steps to enhance reporting credibility, embed sustainable principles into their core operations, leverage AI, engage with investors, and foster a culture of sustainability, CFOs can ensure that their companies are well-positioned for long-term success in the Age of And. Aris C. Malantic is the Financial Accounting Advisory Services (FAAS) Leader, and Benjamin N. Villacorte is the Sustainability Services Leader, both of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Read More
18 November 2024 Joseph Ian M. Canlas and Christiane Joymiel C. Say-Mendoza

Harnessing the human element in cybersecurity

IN BRIEF: Recognizing employees as the cornerstone of cybersecurity, organizations must shift from tech-centric defenses to fostering a vigilant, security-aware culture.Comprehensive education and behavioral change strategies are essential to mitigate human-related security risks and reinforce a collective approach to cybersecurity.A balanced strategy that combines technological tools with human oversight and continuous cultural development is key to maintaining a resilient cybersecurity posture. PULL QUOTE: "Empowering employees with knowledge and vigilance is as crucial as technology in building a resilient cybersecurity defense.” In today’s rapidly evolving digital landscape, cybersecurity threats are more sophisticated and pervasive than ever. While companies invest heavily in advanced technologies and security protocols, the most critical line of defense consists of their own employees. Despite having robust security measures in place, organizations frequently find themselves vulnerable due to human error, negligence, or a lack of awareness. This reality underscores the urgent need for a shift in focus—from solely relying on technology to cultivating a culture where every employee actively contributes to cybersecurity.The critical role of human behavior in information securityThe prevalence of cyber threats in our interconnected world is undeniable, and the assumption that technology alone can safeguard information security and privacy is a misconception. A security-conscious culture within an organization is essential to effectively complement and enhance the technical safeguards already in place. IT risk management, therefore, must be a holistic practice that not only includes technological solutions but also addresses the human factors that significantly influence the security landscape.The impact of human error on security breachesHuman error continues to be a significant contributor to security breaches, with recent statistics from the 2024 Verizon Data Breach Investigations Report indicating that 68% of breaches involve some form of non-malicious human element. According to IBM, the financial repercussions are staggering, with the global average cost of each data breach in 2024 reaching USD 4.88M — the highest total ever recorded. This figure reflects direct financial losses and encompasses the long-term reputational damage that organizations suffer following a breach. Case studies from various industries have shown that breaches often stem from a lack of awareness or negligence, underscoring the importance of addressing human error as a critical component of cybersecurity strategies.Understanding human behavior in cybersecurityDelving into the psychological and behavioral aspects of cybersecurity reveals that human actions are often the weakest link in security chains. Common risky behaviors such as password reuse, oversharing on social media, and susceptibility to phishing and social engineering attacks can significantly compromise an organization's security. To effectively mitigate these risks, it is imperative to understand the underlying motivations and cognitive biases that drive such behaviors and to develop targeted strategies that promote secure practices.To combat the risks associated with human behavior, organizations must implement comprehensive and continuous education programs that raise awareness about the dangers of insecure practices and actively engage employees in adopting and maintaining secure habits. These programs should be dynamic, incorporating real-life scenarios and practical exercises that resonate with employees and foster a sense of personal responsibility for cybersecurity.Building and sustaining a security-conscious cultureCreating a security-conscious culture within an organization begins with the development of engaging and effective training programs. These programs should be designed to capture the attention of employees, providing them with the knowledge and skills necessary to recognize and respond to cybersecurity threats. Leadership commitment is crucial in reinforcing the importance of these programs, ensuring that security awareness is not just a one-time event but an ongoing priority.A human-centered approach to designing security processes and IT risk management is essential. By considering the user experience and incorporating principles of secure-by-design and human-centered design, organizations can create systems and processes that naturally encourage secure behaviors. The promotion of security champions within teams can also further embed security awareness into the fabric of business operations.The responsibility for maintaining a secure environment extends beyond the cybersecurity function or the Chief Information Security Officer (CISO). It is a collective responsibility that requires the engagement and participation of every employee. By instilling a culture where security is viewed as a shared obligation, organizations can create a more resilient and vigilant workforce capable of defending against cyber threats.Technology and human oversight: a balanced approachWhile technology plays a vital role in supporting good security habits through tools such as two-factor authentication and password managers, human oversight remains indispensable. Employees must be trained to understand the limitations of these tools and to remain vigilant in their daily activities, ensuring that security practices are consistently applied.The balance between automating security processes and maintaining human oversight is particularly important in the context of Zero Trust models. These models, which integrate privacy, security, and cyber resilience, rely on a combination of technology and human insight to verify trustworthiness and manage access to sensitive resources.Evaluating the effectiveness of security awareness programs is critical to ensuring that they are meeting their objectives. Organizations should employ strategies for continuous improvement, staying abreast of emerging threats and adapting their programs to address the evolving cybersecurity landscape.Securing the futureFostering a culture of security and privacy awareness is a collective endeavor that requires the active participation of every individual within an organization. By integrating the human element into IT risk management strategies, organizations can build a resilient defense against cyber threats. Continuous education and cultural evolution are imperative in promoting this balanced approach in risk management, ensuring that organizations remain vigilant and prepared to face the rapidly evolving cybersecurity challenges of the digital age.  Joseph Ian M. Canlas is a Risk Consulting Partner and ASEAN Core Consulting Quality Leader, and Christiane Joymiel C. Say-Mendoza is a Risk Consulting Partner, both of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Read More
11 November 2024 Joseph Ian M. Canlas and Christiane Joymiel C. Say-Mendoza

Managing third-party risk

IN BRIEF: Shifting from traditional Third-Party Risk Management (TPRM) to agile, real-time methodologies is crucial due to the intricate interdependencies and evolving cyber threats in IT operations.Proactive TPRM, powered by AI, enables organizations to predict and respond to third-party risks swiftly, ensuring continuous IT security.Embracing transparency and strategic collaboration with vendors fortifies TPRM, equipping organizations to handle emerging challenges and maintain robust IT systems.PULL QUOTE: " Proactive and AI-powered TPRM is vital for navigating the complexities of today's IT ecosystems and effectively managing third-party risks. In an era where technology is deeply integrated into business operations, managing third-party risk has become a critical concern for organizations worldwide. The traditional methods of Third-Party Risk Management (TPRM) are being challenged by the fast-paced and complex nature of modern IT environments, where external vendors play a pivotal role in day-to-day operations. As the reliance on third parties grows, so does the potential for risk, making it imperative for TPRM strategies to keep pace with the dynamic landscape of IT risks. This article seeks to explore the transformative approaches necessary for managing third-party risks effectively, ensuring that organizations can maintain robust IT operations amid the ever-present threat of external vulnerabilities.The evolving landscape of TPRM in IT operations The complexity and interconnectivity of modern IT operations demand a more agile and continuous approach to managing third-party risks. This necessity is underscored by the escalating frequency and sophistication of cyber threats, which can significantly impact IT operations. As businesses become more reliant on third-party vendors for essential services, the potential for risk exposure grows, highlighting the need for TPRM strategies that can adapt to new threats as they emerge. The evolving landscape of TPRM in IT operations requires a strategic shift from static, periodic assessments to a dynamic, real-time risk management model that is capable of identifying and mitigating risks promptly.From static to dynamic TPRM: adapting to real-time threats The transition from a traditionally reactive TPRM approach, characterized by annual assessments, to a more proactive and dynamic model marks a significant shift in risk management practices. This shift necessitates the continuous monitoring of third-party activities to swiftly identify and address potential risks.As an example, a global organization implemented continuous real-time monitoring tools to proactively assess third-party risks. By leveraging advanced analytics and real-time data, they were able to swiftly detect and mitigate potential vulnerabilities introduced by external vendors, enhancing their overall security posture. Continuous threat intelligence and monitoring solutions allowed the organization to detect and respond to third-party risks in real time, minimizing the window of exposure to potential threats.Integrating cyber threat intelligence (CTI) into this proactive TPRM framework offers a strategic advantage, transforming reactive security measures into a forward-thinking, intelligence-driven approach. By enabling real-time monitoring of potential vulnerabilities and emerging threats, CTI enhances the ability to share tactical intelligence with industry peers and conduct comprehensive risk assessments, thus strengthening the overall security posture of the extended enterprise. The importance of this approach was starkly highlighted by incidents such as the CrowdStrike incident, which exposed vulnerabilities in third-party risk management and had profound implications for critical IT infrastructure. Incidents such as these serve as wake-up calls, prompting organizations to reevaluate their TPRM practices. The evolution of TPRM practices post-incident, focusing on lessons learned and the implementation of strategies to prevent similar issues, is essential for safeguarding IT operations against the ubiquitous risk of third-party threats.Interdependencies between TPRM and IT operations The interdependencies between TPRM and IT operations are becoming increasingly apparent as third-party failures, such as cybersecurity breaches or service outages, directly impact IT operations. These incidents can have cascading effects across an organization, affecting everything from data security to business continuity. For example, an organization that experienced a service disruption due to issues with a third-party provider strengthened its incident response and disaster recovery plans by implementing redundancy measures and conducting regular recovery drills. This integration of TPRM and IT operations ensured that the organization could swiftly recover and maintain operational stability during future vendor-related disruptions.The integration of TPRM with IT disaster recovery and incident response planning is crucial for building resilience. Organizations must employ redundancy, backup systems, and other measures to mitigate the impact of third-party risks on IT operations. Understanding these interdependencies is vital for developing robust TPRM strategies that can withstand the ripple effects of third-party issues and maintain operational stability.Navigating unforeseen changes and unvetted updates from vendors The challenge of navigating unforeseen changes and unvetted updates from vendors is becoming increasingly relevant in today's IT landscape. Vendors' software or service updates are often released without comprehensive testing, and these can introduce significant vulnerabilities or compatibility issues. Organizations must develop adaptive response mechanisms to quickly adjust to these changes.For instance, one organization faced unexpected compatibility issues when a vendor released a critical software update without thorough testing. In response, they established an automated testing environment to assess vendor updates before deployment, allowing for seamless integration with existing systems and minimizing operational disruptions.This includes maintaining robust patch management processes, utilizing automated testing environments, and employing rapid deployment frameworks to ensure the continuity and security of IT operations. By adopting such strategies, organizations can better manage the risks associated with unpredictable vendor changes and maintain the integrity of their IT infrastructure.Future-proofing TPRM Future-proofing TPRM strategies with advanced technologies and collaboration is essential for staying ahead of potential third-party risks. Leveraging AI and machine learning can provide predictive insights into third-party risks based on patterns and trends, enabling organizations to anticipate IT disruptions before they occur. For example, a logistics company used AI-driven predictive analytics to identify potential disruptions from third-party providers, such as delays due to external factors. This allowed them to adjust operations proactively, minimizing risks and maintaining service continuity.Enhancing vendor collaboration and transparency ensures that all parties are aligned on updates, vulnerabilities, and risks. Additionally, the continuous integration of feedback from IT incidents, risk assessments and cyber threat intelligence into the TPRM framework drives ongoing improvements, ensuring that TPRM strategies remain effective and aligned with the evolving IT landscape, providing organizations with actionable intelligence, facilitating informed decision-making, and fostering a proactive security posture.Evolving together – the future of TPRM in IT-driven environments As IT operations continue to evolve at a rapid pace, the need for an evolving, dynamic approach to TPRM becomes increasingly apparent. Organizations must view TPRM as an integral component of their IT strategy and resilience planning, rather than as a mere compliance requirement. Managing third-party risk in an IT-centric world requires a forward-thinking approach that embraces advanced technologies, collaboration, and continuous improvement. By adopting dynamic TPRM strategies and viewing them as integral to IT strategy, organizations can confidently and effectively navigate the challenges of an IT-driven environment and secure their operations for the future.  Joseph Ian M. Canlas is a Risk Consulting Partner and ASEAN Core Consulting Quality Leader, and Christiane Joymiel C. Say-Mendoza is a Risk Consulting Partner, both of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Read More
04 November 2024 Christiane Joymiel C. Say-Mendoza and Joseph Ian M. Canlas

Key components for strategic risk management

IN BRIEF: Board surveys reveal a pressing need for more effective risk management, with several boards recognizing room for improvement.The strategic empowerment of CROs is essential to navigate the complex risk landscape and capitalize on emerging opportunities.Implementing a connected risk approach and embracing technology are key steps to advancing risk management practices and driving organizational value.PULL QUOTE: " As organizations strive for resilience amid escalating risks, empowering CROs is essential. They must break down silos, foster collaborative interactions, adopt a connected risk approach, and harness technology to modernize risk management strategies." In an era where risk landscapes are rapidly evolving, the role of Chief Risk Officers (CROs) has never been more crucial. The 2023 EY Global Board Risk Survey revealed a stark reality: 60% of boards agree that emerging risks are insufficiently addressed in risk management. Looking ahead, the survey suggests that boards need to strengthen their governance structures, processes and knowledge to improve oversight of both risks and opportunities.The survey further echoes the urgency for robust risk management, identifying various risks poised to severely impact organizations in the upcoming year. From geopolitical events and supply chain disruptions to cyberattacks and changing customer demands, the array of threats is diverse and daunting. Notably, while certain risks such as changing customer demands have decreased in perceived importance since 2021, others like misaligned culture and increased remote working have surged in significance.Empowering the risk steward/Chief Risk Officer (CRO)Successful risk management lies in the empowerment of the CRO. In many non-regulated sectors, this role is not formally recognized within the C-suite, despite the intense demands on risk leaders. As the complexity of the risk environment evolves, the need for CROs to collaborate closely with executive management and the board becomes paramount.Boards now expect executive management to identify risks and uncover the opportunities they may present. For example, a competitor's new joint venture could be seen as a threat, but from a strategic standpoint, it might also represent an acquisition target or potential partnership. Additionally, boards are calling for a deeper understanding of interconnected risks and their second-order impacts, such as the multifaceted challenges posed by climate change.CROs must be fully integrated into the business strategy and kept abreast of emerging megatrends that could affect the organization. Their insights are invaluable for mitigating downside risks and seizing "upside" opportunities. To be effective, CROs need clear and open communication channels with other senior executives and should be involved in regular management reporting, including strategies, business plans, and investment proposals.Successful risk stewards are characterized by their ability to break down organizational silos and work across all lines of defense. They understand the cultural risk appetite and can motivate leaders to adopt a common risk definition. Their experience in prioritizing risk outcomes is crucial for organizational performance.Connected risk approachA connected risk approach leverages improved data access to risk taxonomy, implement dynamic risk assessment methods that adapt to the changing business environment and coordinate risk response and reporting across all Three Lines (e.g., management, risk and compliance teams and internal audit). This approach unifies data on a common platform, offering continuous refresh capabilities and creating value through analytics and dashboards for better risk management planning.To execute a connected risk approach, an integrated risk taxonomy is essential. It provides a single view of risk by connecting data from traditionally siloed functions across the Three Lines. This enables rapid identification and assessment of risks that matter. Building a dynamic risk assessment is a collaborative effort that must be comprehensive and flexible, incorporating new data and market changes for agility.The dynamic risk assessment process includes orienting the mandate to manage risk, identifying risks through data-driven inputs, prioritizing current risks, and responding in a manner that fits the organization's risk posture. It incorporates qualitative assessments, quantitative metrics, risk performance leveraging a common taxonomy, and external data to challenge internal risk assessments.Technology-enabled risk managementThe 2023 EY Global Board Risk Survey indicates that only 31% of boards say their oversight of risks related to digital transformations is very effective, while 19% say it is slightly or less effective. Traditional risk management, which relied on professional judgment and manual processes, must evolve to take advantage of automation and data analysis capabilities.Integrated Risk Management treats risk and compliance activities as an enterprise-wide responsibility, promoting transparency and better decision-making. Automation technology can process low-value manual tasks and free up management time to enable them to focus on emerging risks, while data collection and monitoring can be automated to occur in real time to flag issues earlier. Cloud and AI technologies can execute complex scenario analyses and reveal insights into risk interdependencies.An integrated risk platform is foundational for connected risk capabilities, storing and modeling relationships between various data sources. This unified technology solution provides better insights, enabling a common risk ecosystem, consolidating risk management activities, and managing customer expectations through informed risk-taking.Fostering resilient risk leadershipTo be risk resilient, the boards need to understand the full spectrum of current and emerging risks that could impact the organization.  CROs can swiftly generate value by aggregating risk registers to form a comprehensive risk landscape and conducting collaborative sessions to unify risk definitions across the organization. This establishes a centralized framework and common taxonomy, essential for integrating risk management with strategic and operational planning. By embedding risk considerations into decision-making and employing technology for automation, CROs enhance the organization's proactive risk posture, turning risk management into a strategic asset for resilience and success.As organizations strive for resilience amid escalating risks, empowering CROs is essential. They must break down silos, foster collaborative interactions, adopt a connected risk approach, and harness technology to modernize risk management strategies. The strategic empowerment of CROs is not just beneficial—it is imperative for safeguarding and driving value. Christiane Joymiel C. Say-Mendoza and Joseph Ian M. Canlas are Business Consulting Partners of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Read More
28 October 2024 Victor C. De Dios

The far-reaching effects of VAT on digital services

IN BRIEF: As more countries legislate on the imposition of consumption tax on digital services, the Philippines joins the list with the recent enactment of Republic Act No. 12023, commonly known as the VAT on digital services law. The law defines digital service providers (DSPs) as the suppliers of digital services consumed in the Philippines, and sets certain VAT obligations upon them, both resident and non-resident.The far-reaching effects of the new law are to be felt more by non-resident DSPs who are assigned unprecedented VAT responsibilities.PULL QUOTE: “For the very first time, a Philippine law calls the attention of non-resident businesses, DSPs in particular, to comply with local VAT requirements such as registration, invoicing, and more importantly, VAT payment.” The digital economy significantly changed the landscape of doing business worldwide, and with this change comes the obvious need for governments to regulate, as well as the opportunity to conceptualize measures for raising revenue. As more countries legislate on the imposition of consumption tax on digital services, the Philippines joins the list with the recent enactment of Republic Act No. 12023, commonly known as the VAT on digital services law. This new law took effect last 18 October 2024. According to the Department of Finance, the initiative is set to generate an estimated Php16 billion VAT collection annually, and somehow level the playing field between traditional and digital businesses. It introduces amendments to the general VAT provisions of the Tax Code, putting emphasis on ‘digital service’ as among the services subject to VAT. It defines digital service as any service supplied over the internet or other electronic network with the use of information technology, describing the supply as essentially automated. Included in the definition of digital service are online search engines, online marketplace or e-market places, cloud services, online media and advertising, online platforms, and digital goods. Defining digital service providers The law defines digital service providers (DSPs) as the suppliers of digital services consumed in the Philippines, and sets certain VAT obligations upon them, both resident and non-resident.Resident DSPs, being local service providers, are presumed to have been operating within the purview of the old VAT provisions. Thus, for them, the new law would serve as a reaffirmation of the obligation to report and remit VAT. The far-reaching effects of the new law are to be felt more by non-resident DSPs who are assigned unprecedented VAT responsibilities. These responsibilities are anchored on the core of the law, which treats digital services by non-resident DSPs as performed or rendered in the Philippines, provided that they are consumed in the country, thus subjecting them to VAT.VAT implications The following are VAT implications of the new law as far as non-resident DSP transactions are concerned, highlighting what transacting parties should be on the lookout for:VAT registration. The law requires non-resident DSPs to register with the BIR for VAT purposes if their gross sales for the past three months exceed Php3 million or if there are reasonable grounds to believe that their gross sales for the next 12 months will exceed the same threshold. The actual requirements and process for VAT registration are not yet clearly set out. In any case, non-resident DSPs are advised to watch out for the ‘simplified automated registration system’ that the BIR is mandated to establish. Invoicing and accounting. The law requires non-resident DSPs to issue VAT invoices for digital services consumed in the Philippines. In any case, the law ensures that a non-resident DSP’s invoice is simplified in terms of contents as compared to mandatory contents of a regular local invoice. A non-resident DSP invoice only needs to reflect the date, transaction reference number, consumer identification, brief description of the transaction, amount, and breakdown of sale price by component if subject to VAT at 12%, VAT zero-rated, or VAT exempt, if necessary. Non-resident DSPs are advised to be on standby for announcements on when the government will operationalize the invoicing requirement. For accounting purposes, non-resident DSPs are not required to maintain subsidiary sales and purchase journals.VAT payment. The law mandates the manner of VAT remittance, which depends on whether the non-resident DSP transacts with a non-VAT consumer or VAT-registered consumer in the Philippines. For transactions with non-VAT registered consumers, the non-resident DSPs are the ones required to directly remit the VAT to the BIR. For transactions with VAT-registered consumers, the said consumers are the ones supposed to withhold VAT and remit the same to the BIR. This process is referred to as the ‘reverse charge mechanism,’ a similar mechanism to our existing withholding VAT. The BIR will likely soon release mechanics for VAT payment, whether via direct remittance or reverse charge. In either case, transacting parties are advised to assess whether the imposition of VAT on the digital services would have an effect on agreed pricing between them.Special rule for online marketplaces or e-marketplaces. Online marketplaces may also be required under the law to remit the VAT on behalf of its non-resident sellers, if the online marketplaces are involved in setting the terms and conditions of supply, or are involved in the ordering or delivery of goods. Recognizing the far-reaching effects of VAT on digital servicesFor the very first time, a Philippine law calls the attention of non-resident businesses, DSPs in particular, to comply with local VAT requirements such as registration, invoicing, and more importantly, VAT payment. The law even goes on to say that, in case of failure to register and non-compliance, the BIR, through the Department of Information and Communications Technology, can suspend business operations by blocking access to their digital services in the Philippines.At the same time, the law subtly calls the attention of Philippine customers transacting with DSPs. With a local tax ecosystem that encourages taxpayers to comply, Philippine customers, especially businesses placed on the receiving end of tax audits, should assess its implications from various angles. Questions around the consequences of transacting with unregistered non-resident DSPs, transacting with DSPs that issue non-compliant VAT invoices, and the applicability and proper implementation of the reverse charge mechanism are just some of the valid concerns consumers should recognize in view of the recent VAT law development.The effects of the VAT on digital services law are far-reaching. For now, taxpayers can expect further clarifications to come from the tax authority as it designs the rules and regulations for effective implementation. Atty. Victor C. de Dios is a Tax Principal of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

Read More
21 October 2024 Henry M. Tan

Why entrepreneurs are critical to the Philippine economy

IN BRIEF:While entrepreneurs represent 10% of the adult population, their ventures account for 70% of employment, making them the most important drivers of job creationEntrepreneurs solve the most complex challenges in today's world and boost the overall economyPhilippines ranks as the world’s 18th most entrepreneurial country, besting developed nations like Denmark, Switzerland, Taiwan, Japan, Singapore, Italy, and New ZealandPULL QUOTE: “When you solve problems, you also attract capital and investments. The Philippines has already produced three unicorns—privately-held startups valued at USD 1 billion or more—with each finding its niche.”  There are 594 million entrepreneurs worldwide, according to the Global Entrepreneurship Monitor, representing 7.5% of the global population, or about 10% of the adult population. This makes entrepreneurs a minority, but their impact on the world is unmistakably massive, as ventures by entrepreneurs account for 70% of total employment—making them significant drivers of job creation and critical for economic development.In this article, we run down the reasons why we should celebrate the successes of entrepreneurs and why we should enable more of them to succeed and flourish.Solving the most complex challengesWe recognize the importance of entrepreneurs because they solve the most complex challenges in today's world by bringing new ideas, products, and services to the market. The essence of entrepreneurship is finding innovative ways to solve seemingly impossible problems—from driving healthcare revolutions to enabling financial inclusion and advancing education technology. The pandemic showcased how entrepreneurial agility in startups can respond to global health crises, giving rise to telemedicine, AI-driven diagnostics, personalized medicine, and vaccine development at unprecedented speeds.Entrepreneurs have created platforms that provide financial services to underserved populations, making it easier for people to access banking services, thus enabling economic growth and helping reduce poverty. Through EdTech, free or affordable education has bridged the gap between formal education and those who need it most, at a time and place they prefer.Entrepreneurs are also bringing the world closer to solving the toughest challenges, such as climate change and the destruction of natural ecosystems. The World Economic Forum points out certain grim realities—10% of the global population still live in extreme poverty, 8 million tons of plastic are deposited into the ocean each year, and an area the size of a football pitch is deforested every second. However, the new generation of entrepreneurs is using technology such as drones and satellites to monitor and heal our planet.Being able to solve problems can also potentially attract capital and investments. The Philippines has already produced three “unicorns”—privately-held startups valued at USD 1 billion or more—with each finding its niche. Two of these unicorns notably emerged during the pandemic. Specifically, a developer of prefabricated properties became the nation's first unicorn in October 2017. A digital wallet and lending platform followed in November 2021, and a payment gateway solutions provider joined the ranks in April 2022.Creating jobs and boosting the overall economyWe celebrate entrepreneurs because they excel at creating jobs and boosting economic growth by introducing innovative technologies, products, and services. In the Philippines, MSMEs make up 99.59% of businesses, providing 65.1% of national employment.Filipinos are very entrepreneurial. Data compiled by the business publication and news site CEOWORLD Magazine ranks the Philippines as the world’s 18th most entrepreneurial country, besting developed nations like Denmark, Switzerland, Taiwan, Japan, Singapore, Italy, and New Zealand.This buoyant entrepreneurial environment is likely to inspire more entrepreneurs to join the ranks. A recent research survey by polling firm OCTA found that four out of five Filipinos would prefer to own their own business. Conducted among 1,200 Filipinos aged 18 and above, the survey revealed that 31% of respondents were motivated by the desire to manage their own time and explore horizons that offer limitless opportunities.By offering something better or new, entrepreneurs create competition within the ecosystem, challenging existing firms to become more competitive. This, in turn, creates more jobs and investments in a wide range of industries.All of this results in increased productivity–which Ray Dalio, founder of the world's largest hedge fund firm, Bridgewater Associates, and author of Principles for Dealing with the Changing World Order: Why Nations Succeed and Fail—argues is the most important force in causing the world's total wealth, power, and living standards to rise over time.“Without innovation, productivity growth would grind to a halt,” he said. “In a market-based system, the most powerful way to drive innovation is to bring new ideas to market and to commercialize and profit from them. The marketplace is incredibly efficient at weeding out bad ideas and pricing good ones. In this way, the concepts of innovation and commercialism go hand in hand.”By encouraging a culture of innovation, entrepreneurs enable countries to produce more relative to the rest of the world, making them more attractive places to do business. By doing what they do best, entrepreneurs also create a platform with the potential to lift people out of poverty and improve the overall quality of life. Many international and local studies have shown that entrepreneurship has a positive and significant impact on poverty reduction. There is evidence proving that entrepreneurship increases the probability of individuals moving out of poverty and remaining above the poverty threshold in the Philippines.Empowering entrepreneurs to shape opportunitiesTo empower more entrepreneurs to shape the future of their businesses with confidence, we are pleased to have once again launched a search for entrepreneurs who are shaping opportunities through the EY Entrepreneur Of The Year Philippines 2024.Formed in 1986, the EY Entrepreneur Of The Year program seeks to honor entrepreneurs whose ingenuity and perseverance have created and sustained successful ventures. In 2003, the SGV Foundation first launched the program in the Philippines and has since been recognizing impactful business who can mold and reshape the country’s economic landscape to build a better Philippines and a better working world.This year’s theme, “Shaping Opportunities,” honors individuals who are turning possibilities into realities and making a profound impact on both the country and the world. The current theme recognizes the transformative ability of Filipino entrepreneurs in reimagining and advancing economic and national development with vision, passion, and innovation, according to the SGV Foundation.Inspired by their dreams and propelled by their unwavering resolve, these Filipino business leaders have played a pivotal role in elevating the country. Over the recent weeks, their narratives have been featured in BusinessWorld, sharing their stories of challenges and triumphs to hopefully encourage current and aspiring entrepreneurs.   Henry M. Tan is a Partner and the Entrepreneur Of The Year Philippines Program Director of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Read More
14 October 2024 Carlo Kristle G. Dimarucut

Bridging the cybersecurity and business strategy gap

IN BRIEF: Today’s cyber risks go beyond technical vulnerabilities, where a breach can disrupt supply chains, damage brand reputation, and lead to significant financial losses. To mitigate cyber risks and protect business interests, cybersecurity must be integrated into the highest levels of decision-making, aligning security measures with the business’s overall objectives to enhance both security and performance.By embedding cybersecurity into the organization’s DNA, C-suite leaders can protect their assets, enhance innovation, and strengthen customer trust.PULL QUOTE: “To effectively safeguard intellectual property, business continuity, and customer trust, companies must bridge the gap between cybersecurity and business objectives for maximum protection. In the digital era, cybersecurity is no longer just a technical concern—it is a strategic imperative. As organizations embrace new technologies to drive growth, the urgency for robust cybersecurity has escalated. However, many businesses still see cybersecurity as a separate function rather than a critical component of their overarching strategy. This disconnect can be costly, as cyber incidents have far-reaching consequences that threaten every facet of the enterprise. For C-suite executives, integrating cybersecurity into the core business strategy is essential. Cyber threats are increasingly sophisticated, targeting intellectual property, business continuity, and customer trust. To effectively safeguard these assets, companies must bridge the gap between cybersecurity and business objectives, aligning them for maximum protection.Cybersecurity: more than an IT issueTraditionally, cybersecurity was relegated to IT departments as a defensive measure against data breaches, malware, and other threats. However, today’s cyber risks go beyond technical vulnerabilities. A breach can disrupt supply chains, damage brand reputation, and lead to significant financial losses. The average cost of a data breach in 2023 reached $4.45 million, underscoring the financial impact of cyber incidents.High-profile ransomware attacks on global companies demonstrate that cyber threats are not just IT issues—they are business risks that demand executive attention. For businesses to thrive, cybersecurity must be viewed as a strategic priority that permeates all levels of the organization.The cost of misalignment The misalignment between cybersecurity and business strategy stems from how risk is perceived at the executive level. While financial, market, and operational risks are often discussed in boardrooms, cybersecurity remains the domain of technical experts. As a result, cybersecurity measures frequently lag behind business initiatives like mergers, acquisitions, or digital transformation projects, leaving companies vulnerable.This reactive approach can lead to crisis management scenarios rather than proactive risk mitigation. For example, adopting cloud solutions without fully assessing security implications exposes sensitive data to potential attacks. When cybersecurity is treated as an afterthought, companies are forced to respond to breaches rather than preventing them, resulting in increased costs and lost opportunities.To mitigate cyber risks and protect business interests, cybersecurity must be integrated into the highest levels of decision-making. The goal is not just to prevent breaches but to align security measures with the business’s overall objectives, enhancing both security and performance.Embedding cybersecurity in digital transformationDigital transformation initiatives aim to enhance customer experience, optimize operations, and streamline processes. However, these efforts can introduce new vulnerabilities if security is not embedded from the outset. For example, integrating internet of things (IoT) technologies or migrating data to the cloud can open up new attack vectors.Cybersecurity should not be seen as a barrier to innovation but as an enabler. By incorporating security considerations into digital transformation, businesses can mitigate risks while maximizing the benefits of new technologies.Cybersecurity as a value propositionIn industries such as financial services, healthcare, and e-commerce, where data breaches can have severe consequences, demonstrating robust cybersecurity practices can differentiate a business in the market. Customers are increasingly aware of how their data is handled, and a strong cybersecurity framework can foster trust and loyalty and create a competitive advantage.By communicating the company’s commitment to data security, executives can build trust and position their brand as a leader in privacy protection.Integrating cybersecurity into risk managementCybersecurity is not just a technical challenge; it is a critical component of enterprise risk management. A cyber incident can affect a company’s finances, operations, and reputation, making it essential to integrate security into the broader risk framework.C-suite leaders and board members should regularly review cybersecurity performance metrics, monitor emerging threats, and ensure that security investments align with the company’s risk profile. This proactive approach enables companies to anticipate and address cyber risks before they escalate, protecting both the business and its stakeholders.Effective cybersecurity requires collaboration across all business functions. From HR to finance and operations, each department plays a role in maintaining security. For example, HR can drive a security-first culture through regular training, while finance can ensure that security investments align with business goals.The C-suite must foster cross-functional collaboration to create a unified approach to cybersecurity. Breaking down silos ensures that security considerations are embedded into every aspect of the business, enhancing resilience and maximizing ROI.The role of leadership in cybersecurity integrationSuccessful integration of cybersecurity into business strategy requires strong leadership from the top. Executives must champion cybersecurity as a core business priority, actively participating in shaping security strategies and ensuring alignment with business objectives.This begins with a shift in mindset: understanding that cybersecurity is not just about preventing breaches but enabling secure, long-term business growth. Regular communication between cybersecurity teams and the board ensures that the organization remains agile and prepared for emerging threats.In an era of escalating cyber risks, companies that fail to align cybersecurity with their business strategy do so at their own peril. By embedding cybersecurity into the organization’s DNA, C-suite leaders can protect their assets, enhance innovation, and strengthen customer trust. Those that bridge the gap between cybersecurity and business strategy will be better positioned to navigate the complexities of the digital age, turning security from a defensive measure into a strategic advantage.To thrive in the digital age, executives must integrate cybersecurity into their business strategies, emphasizing the importance of aligning security with organizational goals for a holistic, proactive approach.  Carlo Kristle G. Dimarucut is a Technology Consulting Partner of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Read More
07 October 2024 Rossana A. Fajardo

Realizing transformation success through the human element

IN BRIEF: Companies are engaging in transformational activities at an accelerated rate, making the ability to transform successfully and continuously in response to disruption essential for an organization’s survival.Human factors were commonly identified as a primary reason for the result of transformations.To take their transformation efforts to a higher level, organizations must focus on placing humans at the heart of their strategies.PULL QUOTE: “The complex factors that determine whether a transformation succeeds or fails are deeply connected to the human element.” Transformation is important for the enduring success of any organization. However, there has recently been a noticeable shift in its frequency and pace. The EY Global Board Risk Survey revealed that 82% of board members and CEOs believe market disruptions are happening more frequently, and with greater impact. As a result, companies are engaging in transformational activities at an accelerated rate – making the ability to transform successfully and continuously in response to disruption, essential for an organization’s survival.EY and the University of Oxford’s Saïd Business School collaborated to look into more modern and effective methods for driving organizational change. The approach placed a greater emphasis on human factors, which was commonly identified as a primary reason for the failure of transformations. It was observed that not only is the rate of transformation failure excessively high, but it also imposes a human toll that organizations can no longer tolerate.The research indicates that 85% of senior leaders have participated in at least two major transformations in the past five years. Furthermore, 67% of those surveyed acknowledged that they have been part of at least one transformation that did not perform well during this period. While not surprising, it was astonishing that companies continue to accept this high rate of failure as the cost of change. By any other measure or in any other scenario, such a level of performance would be unacceptable.This research underscores that the complex factors determining whether a transformation succeeds or fails are deeply connected to the human element, a pattern that holds true across various industries and geographies. Adequate support can transform the increased stress associated with transformation into a catalyst for enhanced performance and drive progress. To optimize their chances of success, organizations must become proficient in these key areas.Cultivate essential leadership skillsIn the study, employees identified leadership as the primary factor influencing transformation outcomes, regardless of whether it was successful or not. Leaders themselves considered leadership to be the most critical element in successful transformations, but deemed it insignificant when the transformation did not meet expectations.It's essential for leaders to confront their own fears, worries, and uncertainties about the path that lies ahead. For instance, 47% of participants from highly successful transformations reported that leaders were open to ideas from junior staff members, compared to 29% from less successful transformations.Inspire through a shared and compelling visionThe vision is the cornerstone of any transformation. Leaders should extend their search for an inspiring vision beyond their personal scope, their organization, and even their industry. They should cast a broad net to employ future-oriented planning to uncover bold new possibilities, shaping a vision that garners widespread support and resonates emotionally with everyone involved. Close to half (47%) of participants from highly successful transformations acknowledged that the vision was clear and persuasive, in contrast to just 26% from transformations that did not perform well.For the vision to take hold, leaders must effectively convey the reasons behind the need for transformation, rather than merely dictating the actions required. Nearly half (48%) of employees from successful transformations reported that leaders successfully communicated the reasons for organizational change, as opposed to 25% from unsuccessful transformations.Foster a culture that encourages inputIn the qualitative analysis of the research, employees involved in unsuccessful transformations expressed feelings of being ignored, unsupported, and stressed both during and after the process. Subsequent discussions found leaders surprised at these findings and their lack of awareness regarding the significant emotional impact an unsuccessful transformation has on employees.Leaders must channel the appropriate emotions to keep employees committed and driven, while also offering sufficient emotional support to stave off worry and exhaustion. According to the predictive model used in the study, increasing emotional support raised the average probability of a successful transformation by 17%. By being attuned to the emotional state of employees throughout the transformation, leaders can detect early signs of trouble and implement changes to steer the transformation back on course.Empower through clear responsibilitiesThere will be unexpected developments, and intermittent pauses in any transformation journey. Leaders must strike a balance between providing structure and discipline while allowing space for creativity and innovation. Over half (52%) of participants from successful transformations reported that employees had well-defined roles and responsibilities, and 49% indicated that decision-making powers were distributed clearly and suitably throughout the organization.Leaders should promote a culture of trial and error by shifting from a mindset of avoiding failure at all costs to one that embraces rapid learning from failures. Minor setbacks can pave the way for significant achievements, while a fear of failure often results in lost opportunities. Forty-six percent of respondents from successful transformations said they established a process that fosters innovative experimentation without the risk of such experimentation adversely affecting careers or compensation.Leverage technology and skills to drive actionTechnology is not the end goal, but it is instrumental in bringing the vision to fruition. Selecting the appropriate technology is essential to achieving the vision and streamlining the transformation process. Leaders identified the effective deployment of technology as the second most important factor for a successful transformation and its ineffective use as the second leading cause of poor performance. Nearly half (48%) of those from successful transformations reported that their organizations had made the right technological investments to support their transformation goals, as opposed to 33% from less successful transformations. It's vital to consider the emotional reactions that come with the introduction of new technology. Employees from underperforming transformations are 25% more likely to associate transformation with concerns about job stability (49% compared to 39%). Others might view technology as a substitute for human interaction, which is crucial for the emotional health of employees and the smooth functioning of the organization.Leaders should focus on demonstrating progress rather than striving for perfection. By combining recruitment, upskilling or reskilling, partnerships, and outsourcing, leaders can foster the appropriate digital mindset and skills to actualize the potential benefits of technology. Forty-nine percent of participants from successful transformations indicated that their organizations possessed the necessary digital skills and mindset for the transformation, compared to 35% from less successful transformations.Collaborate to connect and createIn contrast to traditional corporate cultures that favored a directive, top-down hierarchy with employees carrying out a vision dictated by their leaders, the current continuous state of transformation demands mutual reliance and teamwork. Leaders must cultivate a culture that promotes connectedness and inventiveness, creating an environment where employees feel secure to explore new methodologies — both digital and agile — that foster innovation, engagement, and rewarding work experiences. Forty-four percent of those from successful transformations reported that their organization's culture supported the adoption of new work practices, as opposed to 28% from less successful transformations. For new work practices to thrive, leaders and employees must work together to recalibrate the dynamics of delegation, ownership, and empowerment. Forty-two percent of participants from successful transformations noted that a new organizational culture was intentionally defined and put into practice as part of the transformation initiative.Harness the human element to achieve transformation successLeaders are aware that their organizations must undergo change, yet the challenge of transformation can leave many feeling inundated. In a time characterized by relentless change, complacency is not a viable option. By tapping into the collective strength of their employees and by applying best practices in relation to each of the factors mentioned, leaders can steer their organizations towards a successful transformation. To take their transformation efforts to a higher level, organizations must focus on placing humans at the heart of their strategies. Rossana A. Fajardo is the Consulting Leader of SGV & Co.This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Read More
Leading the way in business

Other SGV News and Publications