Tigerair ERM expert’s message is music to APAC ears

The new head of enterprise risk management (ERM) and internal audit at the Singapore-based budget airline Tigerair, Gordon Song, has told StrategicRISK that he believes the risk function in most Singapore companies is “still very much compliance driven”.

“My observation is that the awareness of risk management has grown tremendously, but in terms of the maturity of internalising what it should be about, we are not there yet,” Song said. “People still see risk management as a kind of a compliance-driven regime. I don’t see many companies formally embedding risk management into processes like business development, supply chain management, and due diligence on corporate transactions such as joint ventures.”

Tigerair turns 10 in 2014, and Song laments that he had expected more Singapore companies to invest in risk management over that decade. “Whilst quantum leaps have been made by many companies, there is still a long way to go before companies in Singapore embrace and internalise risk management like some companies have in Europe and Australia, for example,” Song said. “I want to see Singapore companies moving in that direction because there is value, but the value can’t be realised until there is good tone at the top on internalising it instead of treating it as a ‘tick the box’ exercise.”

Raising the RM bar

The self-described “advocate for improving risk management practices” will deliver a presentation at the Governance, Risk & Compliance (GRC) for Internal Audit 2014 conference being held in Singapore next month. It’s all part of his aim to raise Singapore’s risk management bar. “I want to be a change agent, I see myself taking on that role,” Song said. “I have a passion for set-up because I come from a consulting background.”

Song has taken on several internal audit and risk management set-up projects during his career. He was with KPMG for more than eight years, leading project teams that delivered risk management and internal controls projects for clients. Then he took the job of senior manager of risk and internal audit at Fortis Healthcare in 2012.

A year later he joined Tigerair where he is now working on the set-up of the carrier’s ERM function. “My role in Tigerair has organically evolved into a GRC role because I’m setting up the [company’s] whole risk-management space,” Song said. “By that I mean enterprise risk management, which is a kind of a conduit for risk governance and oversight reporting from various groups into the boardroom.”

One of his first points of action concerned cyber risk. “We are extremely dependent on IT,” Song said. “We know that 75-80% of our conversions, our direct sales, come through the web, so we must always question how resilient our IT system is.” As cyber threats become more pervasive, Song said that there is a need to continuously enhance the company’s IT security and resiliency framework.

Dealing with data

A strategy that Song is keen to employ and to promote to others involves analytics and risk quantification. “One area that has been underinvested in is the mining of data,” he said. “Traditionally, risk quantification hasn’t been a topic that non-financial institutions have embraced; in fact, even financial institutions struggle with it. So, non-financial institutions say ‘that’s the dark side, let’s not go there at all’.

“Fortunately for us at Tigerair, the board is extremely attuned to the financials and we have invested in putting together a framework that really focuses on quantification and analytics.”

Song believes that analytics “lets numbers tell the story” of where the risks and their drivers are. “Therefore, this is where we should focus the risk mitigation, because there is a lot of subjectivity to the old 5 x 5 risk matrix,” he said. “When one doesn’t sit down and look at the numbers and the root causes of what the risk is, unfortunately you then get very misguided risk management.” This leads to action plans that might be convenient to implement, but do little to change the risk profile, Song said.

“If the stakeholders do not get any value from the programme, you can bet that the whole risk-management agenda gets downplayed or is completely destroyed after a few short painful years,” he added.

‘Technology bandwagon’

Song’s presentation at the GRC conference is titled ‘Maximising GRC – Value of an Integrated Approach’. He said that GRC was a topic of interest to most organisations. “Everybody has realised that there is a need for it, especially in the financial sector,” Song explained. “But not every organisation out there can embrace the big GRC technological solution, so I want to focus on stepping back from technology and just revisit what the concept of GRC is all about.

“People need to know what the building blocks are before they start jumping on the technology bandwagon.”

An organisation can spend a six-figure sum on GRC technology, only to be left with “a white elephant on the shelf collecting dust”, Song said. “It is simply because the culture in the organisation is yet to embrace it; they didn’t know how to implement it properly,” he explained. “The organisation’s structure is not set up properly, it is misaligned with the entire GRC platform itself.

“If the risk process itself is not mature, the fundamental building blocks are not there. I want to look at what needs to be done before an organisation embarks on a GRC journey.”