Business disruption continues to pave the way for digital transformation
By George Ralph, RFA
Published: 22 March 2021
The term ‘business disruption’ often comes with negative connotations, but my personal view is that the business disruption we have seen in the last 12 months has actually had a really positive effect on the alternative investment industry in terms of operation and technology specifically. Yes, the situation we find ourselves in has been pretty much entirely unpredictable, but it has brought with it a certain kind of freedom, allowing us to embrace technology and drive our businesses forward to the next level of transformation at a pace we wouldn’t have thought possible.
The new way of working, where we are physically disconnected and our approaches to best working practice differs from firm to firm, has pushed risk management even further up the scale of importance for us all. The entire way we do business has changed and it has led to most firms upping the ante with their digital initiatives. We need to redefine our core business models to match and support the way we now work. I think most firms see that they will require increased budget for their digital structure in the short to medium term, particularly on data centralisation and cyber decentralisation which are both key to successful business and workflow.
Cyber decentralisation refers to the need for every firm to protect each user and device linked to its business – and therefore our data - where a standard network and firewall is not now wrapped around the entire IT set up. Every wi-fi connection and device out there that is used for business communications of any sort can become a liability and yet another entry point for a cyber attack. The idea of decentralising security allows firms to monitor and protect their cloud based networks efficiently and effectively. Enhancing protection for businesses also allows firms to start managing and pre-empting bad leavers – allowing behavioural analysis to notify HR teams in advance of an insider threat.
Data centralisation works in the opposite way. Bringing a firm’s data together using data management tools effectively harnesses all a firm’s vital information in to one central point, or warehouse or lake, to keep it not only safe from cyber attack but also to allow data to be accessed in a more efficient manner, often through a central remote dashboard with core controls and policies – a read only dashboard is far more secure that sending out PDFs or sharing spreadsheets (for example).
Factoring resilience into a digital transformation model is also key. Whereas the BCP’s and control frameworks of the past were mostly designed around people led processes, today we manage these frameworks from a 100% cloud based technology perspective. Risk and failure points are very different when we compare a traditional office set up to a fully digital architecture. AI and machine learning advancements allow us to still look at the human centric side of a hybrid business model, while centralised data dashboards support reporting in terms of technology.
Whatever your firms set up, it is vital to stress test against both actual and perceived risk. Cyber attack is cited by far as the largest area of concern in the short and long term amongst the firms we work with. The nature of connectivity can be a problem as well as a solution of course. Security failures can have a domino or ripple effect. Digital resilience is just as important as digital transformation. Security assessments, penetration testing, phishing simulations and ultimately incident response should all be an integrated and regular part of a firm’s due diligence. This periodic testing for vulnerability and threat detection is a requirement that must be carried out and certified correctly.
The entire business eco system is expanding rapidly, particularly in our borderless environment. A centralised and rule based approach to vendor checking can provide the appropriate due diligence events to identify and negate any risks. This centralised approach provides an audit trail that regulators and investors alike can understand and respect. Firms need to take advice to make sure they have the correct controls and practices in place to support their 3rd party oversight. When proactively establishing governance structures and processes to address 3rd party vendor relationships in our new environment, firms should look at strategic and reputational risks as well as operational. Outsourcing services does not outsource the responsibility that comes with engaging with that service. Having full oversight of systems and understanding them is key to having successful vendor relationships. As more firms move towards a centralised data and decentralised cyber model, data and security governance can become less onerous. 3rd party vendors are working with firms more to build cloud-based dashboards that provide the level of oversight both regulators and investors require. This end-to-end strategy means governance is at a level never seen before.
I think it’s also important to add some focus to both a firm’s daily operations and its teams too. While firms are keen not impede work and deal flow, it is also important to build a culture of compliance in the daily activities of the team. Staff training for security, helping to not only identify but also manage risks at the end point or via emails, links and attachments makes a notable difference to a firm’s level of vulnerability and shows vendors and investors that a firm has taken all reasonable precautions to manage external and internal risk. It is also now possible to containerise whole desktops all the way down to an individual folder, delivering secure systems and or data to specific devices for an individual’s use. To maintain operational excellence, firms are also able to specify document specific constraints to manage compliance risk. Technology is now available, again using AI, that can pre-empt a tech issue before it arises. This is not only efficient in terms of business flow and reporting but provides an enhanced user experience too. These day to day activities are good business practise in a cloud environment.
The drive to collaboration and containerisation will continue across the next weeks and months, and while this has excellent advantages in terms of business and deal flow, it is also very encouraging in terms of regulation and due diligence. Next generation technology advances will only assist us to continue with good business practice as we move in to the future.