& vulnerability
Cyberattacks, data security and other risks associated with operational complexity and vulnerability were TMT concerns long before COVID-19, but the pandemic’s impact on business operations and buyer behavior exposed new organizational shortcomings or aggravated old ones.
Peering through their risk binoculars, TMT executives see little relief as geopolitical tensions worsen, new technologies (and new competitors) emerge, and digitalization burrows more deeply into all aspects of their business. When they were asked to share their thoughts about the emerging risk landscape, the following themes emerged:
COVID-19 was both a distraction and a complicating factor in efforts to manage risks surrounding operational security. The pandemic did not permit companies to ease efforts to block cyberattacks and data theft. At the same time, the pandemic added new risks by, among other things, forcing a sudden and widespread shift to remote working arrangements.
Nor did the pandemic slow global regulatory efforts to protect consumer data, with a tough European regulatory model spreading to the United States, parts of Asia and elsewhere. Meanwhile, TMT companies continue to step up data security efforts to protect intellectual property and ensure data security throughout their enterprises and with business partners and other stakeholders.
TMT executives expect to improve internal training to help employees take a more active role in guarding data and protecting the enterprise. Sometimes a simple oversight has major consequences: Some of the most serious phishing attacks are triggered when an employee innocently opens an e-mail attachment, releasing a virus or ransomware into a company network.
Phishing takes on an almost quaint look when compared to real and threatened supply chain disruptions. The world’s largest economies – the European Union, China and the United States – are each considering actions that would disrupt global trading and supply chain patterns in the interest of protecting or expanding certain vital industries or products, microchips being a primary example.
Supply chain redesign introduces a whole new wave of risks, ranging from building new production facilities and supplier relationships to product design and distribution. It is increasingly clear that TMT companies need to bring procurement and risk management into a much tighter partnership than some have shown in the past.
Remote working arrangements have also opened operational vulnerabilities that go beyond the fear of data loss or cyberattacks. A year of work-at-home staff relationships is having a yet-to-be-measured impact on workforce engagement and satisfaction, and on an all-important corporate culture.
The risks that lurk behind operational complexity and vulnerability grew significantly in recent years with the spread of geopolitical conflict and the COVID-19 pandemic, but TMT executives are having to meet the new challenges while keeping an eye on such perennial threats as cyberattacks and data security.
Our prior study of risk megatrends found that cyberattacks formed the primary risk facing technology companies. Media and telecom companies had other priorities – piracy and operational continuity, notably – but also saw significant exposures with network and data security as well as gaps in security training.
Within our new insights, we found that operational continuity concerns have grown, in large part because supply chain shocks are becoming more frequent and severe. Supply chain concentration is of particular concern, especially when procurement functions are isolated from corporate risk management.
The concentration risk is especially acute on the hardware side of the business. McKinsey notes that the COVID-19 virus has exposed previously unrecognized risks, leading to potential shortages of critical parts and components. Semiconductor manufacturers, for example, rely on a comparatively concentrated and specialized supply chain to meet customer expectations for chips. Software, on the other hand, is more diversified with a very different, and arguably more manageable, risk profile.
As if that were not enough, the pandemic has accelerated the impact of increased automation and digitalization on supply chains as well as among TMT employees. This includes the explosive growth of remote working technology with yet-to-be determined impact on staff productivity and commitment.
TMT executives are now more alert to workforce wellbeing and a growing employee preference for flexible work styles that, in combination with the pandemic, have many TMT companies redesigning procedures and reshaping their technology platforms while changing workplace standards and even office layouts.
Frederic Lucas – Willis Towers Watson TMT Regional Industry Leader, Western Europe
Karl Sawyer – Willis Towers Watson Great Britain TMT Industry Expert
TMT leaders were asked to identify current risks and how they have changed over the past five years. Within our operational complexity and vulnerability megatrend, the TMT executives identified four broad risk categories:
Operational security risks took an unexpected turn in 2020 with the global spread of COVID-19. The pandemic quickly became both a distraction and a complicating factor in TMT efforts to thwart more conventional but persistent risks such as network cyberattacks and data theft.
Cyberattacks are unrelenting. Security Boulevard, a security news platform, published a list of what it considered the 60 most significant cyberattacks in 2020, many of which struck TMT companies.
Among the targets:
An Asian video game developer had a security breach when hackers accessed its internal networks. The hackers obtained information from an estimated 350,000 records.
A data breach at a U.K. provider of telephone, television and internet services exposed the personal information of approximately 900,000 customers.
TMT executives interviewed for our 2021 study say that cybercriminals are adjusting tactics as pandemic-related vulnerabilities surface. For example, with so many people isolated at home and fearful of the virus, cybercriminals have stepped up phishing attacks. This technique relies on, say, bogus emails with attachments that, when opened, can introduce ransomware into a company network.
Early last year, in the first stages of the pandemic, COVID-19-related cyberattacks had already ensnared nearly half of the companies in a Tenable Inc. survey of more than 800 business and security executives. Alarmingly, about 75% of the respondents said that business and related security efforts were not fully aligned. In the months since that survey, TMT executives told us they remain concerned about the high volume of phishing and other cyberattacks.
Willis Towers Watson Insight: Digitalization & technological advances - Science for resilience
Lucy Stanbrough - Head of Emerging Risk and Geopolitical Risk Research, Willis Research Network
Stuart Calam - Programme Director Willis Research Network & Climate and Resilience Hub
TMT executives are stepping up their efforts to ensure data privacy for their enterprises, business partners and customers. They point to introducing defensive technology and to more systematic security training.
“Our financial investment in raising technology barriers against cyberattacks will be wasted if our employees aren’t alert to phishing and other security threats,” noted one executive. “This is hard to achieve when so many of us are working in remote locations, and our network is already stressed by the workforce fragmentation that we’re seeing with COVID-19.”
The competitive edge, in turn, reflects rising consumer concerns about data privacy. Even in the United States, in some ways a laggard in the privacy rush, 73% of online adults said their data privacy concerns were rising. Ubiquitous data breaches have increased consumer desire for privacy and data security.
One lesson learned among many TMT executives is that technology leaders must embed cybersecurity and privacy processes into business and technology initiatives from the start.
The importance of a strong cyber culture is also being recognized as key.
Although cybersecurity and privacy protection are obvious and unavoidable steps required to protect operations, TMT companies have come to see another advantage – a competitive edge in the market. Data protection is on consumer minds and is table stakes in a game where consumers are increasingly alarmed at the risk to data privacy. It is our view that firms that demonstrate that they take privacy concerns seriously are gaining an advantage over those who do not.
For many TMT executives, operational continuity risks are often seen as connected with supply chain disruption and related geopolitical friction, particularly on the hardware and semiconductor side of the industry. They point out that their supply chains are complex webs to start with. It doesn’t help to see growing resistance to free trade agreements. They also see geopolitical risk as a long-term exposure as countries jostle for competitive advantage.
Willis Towers Watson Insight: An Asia perspective on supply chain risks
Lay-See Ong – Willis Towers Watson Asia TMT Industry Expert
Trade disputes also have revealed an overconcentration of suppliers – and even customers – adding to the checklist of TMT action steps. Excessive dependence of technology companies on a single country’s manufacturing facilities was brought into sharp focus by recent trade conflicts as well as security concerns raised around the possibility of intellectual property theft or even fear of government-backed spying.
Supply chain concentration is a factor in the thinking about globalization versus localization. Several TMT executives with whom we spoke noted that it’s tricky to strike a balance: Globalization with supply chain concentration had significant cost-and-delivery advantages, but trade stresses are prompting many companies to think about looking at alternative solutions, including bringing production closer to home.
This trend is getting a boost from political leaders in the U.S., Europe and elsewhere who are looking into financial and regulatory incentives to increase domestic production of vital high-tech components. Alert to this trend, Intel and Samsung are expanding chip-manufacturing capabilities in the U.S., and Apple has committed $1 billion to promoting advanced manufacturing in the country.
The MIT Sloan Management Review, in a Summer 2020 article, asked, “Is It Time to Rethink Globalized Supply Chains?” The author, Willy Shih, a professor at Harvard Business School, wrote, “For many companies, the combination of lean production and global multistage supply networks is leading to crises. This should be a wake-up call for managers who need to understand their supply chain’s strategic vulnerabilities.”
“Procurement teams and risk management need to work jointly to better identify and mitigate supply chain risks,” according to Frederic Lucas, Willis Towers Watson Regional TMT Industry Leader, Western Europe. “Procurement naturally will focus on costs and efficiencies, while the risk manager would think about location, third party risk, and so on. It’s vital to get the risk manager involved.”
Willis Towers Watson Insight: Risks from changing to and relying on a more domestic supply chain
George Haitsch – Willis Towers Watson Senior Director & Client Relationship Manager
There also is a disturbing lack of supply chain visibility, as one executive told us. Some supply chain managers have no clear idea of the full range of suppliers and sub-contractors, much less the risks that might be found in a big supply chain network.
“Supply chains are complicated and changing them isn’t easy,” he said. “You have to start with improving supply chain visibility. If you can see it, you can get your hands on it. If you get your hands on it, you can better manage it and mitigate the risks.”
Politics aside, TMT executives say they intend to concentrate on supply chain resiliency and on the need to address what a 2020 IDC survey describes as a general “lack of digital competencies” at a time when virtual operations have become standard. Not only is there a widespread shortage of digital talent, but companies must also deal with new training needs growing from artificial intelligence, the internet of things (IoT) and the overall advance of digital technology.
Issues around workforce wellbeing also surfaced repeatedly in our discussions with TMT business leaders. In an industry with chronic talent shortages, executives are mindful that they need to balance business needs with the expectations of employees who want a high degree of job flexibility and job satisfaction (See the global talent & skills race megatrend).
Even if COVID-19 vanished tomorrow, TMT leaders would have to plan as if another pandemic or black swan event will follow on its heels. Companies and their employees will need to think about how the new workplace will accommodate long periods of dislocation and adjust business models to support remote workers and to serve customers who have established new shopping patterns and have get-it-now service expectations.
Working from home may become a norm for many companies, though the long-term productivity implications, impact on a corporate culture and other issues are to be determined.
It will be challenging to provide flexible yet structured work arrangements while achieving an effective level of workforce collaboration and integration.
In recent decades, global companies have wrestled with substantially increased operational complexity and vulnerability. Starting from an integration model in the ‘50s, companies moved step by step from local to regional and global outsourcing. If you add the accelerated digitalization during the last 10 years, you arrive today at a situation where companies have difficulty identifying their supply chain risks. How to create an efficient yet resilient supply chain is a new mantra!
A supply chain is now an intricate web of suppliers (and the supplier’s suppliers) buttressed with high volumes of data. Then there are geopolitical and regulatory concerns with a growing environmental, social and governance component. Given the complexity, the supply chain is no longer the unique prerogative of the procurement team. It requires involvement of all actors in the company — operations, legal, finance and risk management. Procurement and operational teams typically have real expertise with technical and logistical solutions. Finance has its role, not the least of which is solvency and protecting the credit rating, and lawyers must keep a careful eye on legal and contractual risks. The risk manager will add expertise on external risk factors — fire, explosion, cyber, natural catastrophe, political risks, pandemics, etc.
When you add up these items, you can see the risk manager has a major role to play in developing a resilient supply chain through a dedicated risk map, the identification of weakness signals, reduction of risks through the control of the suppliers, the implementation of a business continuity plan — and the transfer of the residual risks to the insurance market.
Companies also must manage stakeholder demands for a sustainable supply chain. The ready-made garments industry found they couldn’t ignore the working conditions of their Tier 2 suppliers after the catastrophe of the Rana Plaza in Bangladesh. The food industry faced disruption when a global movement of consumers led to a ban of palm oil producers in Malaysia and Indonesia based on destruction of primary forest and working conditions of employees. TMT companies will face increased stakeholder pressure, as some have found when accused of using child labor in Asia and Africa.
Effective supply chain management and control will only be possible with a pool of managed data. The development of AI/algorithm tools can now identify risk signals that could change and grow in the next few years. This should improve the risk foresight of an organization in parallel with the insurability of the residual risks.
Lucy Stanbrough - Head of Emerging Risk and Geopolitical Risk Research, Willis Research Network
Stuart Calam - Programme Director Willis Research Network & Climate and Resilience Hub
Developing our understanding of technology, its role in the future of work and where it sits within a corporate structure is perhaps going to be one of the great challenges that will require action at every level. Companies that get this right will undoubtedly gain greater opportunities and greater resilience over those who fail to quickly establish effective new ways of doing work.
The most resilient enterprises are those where the top-level executives view areas like cybersecurity as strategic rather than operational. They are finding strategic opportunity for the enterprise as a whole that can boost resilience and business advantage. This is a topic being explored through the Willis Research Network’s partnership with the University of Oxford’s Cyber Security Centre and is leading to enhanced conversations about risk.
New technologies and an explosion of data also bring about their own risks and opportunities. WRN and partner Loughborough University are exploring these topics through their “Technology Driven Next Generation Insurance” program. The initiative is aimed at bringing cutting-edge research into the wider corporate discussion and investigating the opportunities and challenges for industry arising from the application of new technologies and the explosion of available data. Potential socio-technical-structural barriers in the ongoing adoption of these technologies need to be understood to better place technology at the top level of an organization’s strategic thinking.
Lay-See Ong – Willis Towers Watson Asia TMT Industry Expert
For many decades, Asia has been a prime destination for global conglomerates and other organizations seeking to establish upstream supply chain operations. They have found benefits ranging from political stability, mature infrastructures, relatively sound legal and regulatory systems to well-educated human capital, and of course, the overall relatively low costs of production. In this instance, China has long played a dominant role in global manufacturing.
In recent years, as if U.S.-China trade war tensions hadn’t caused enough supply chain disruptions to directly or indirectly reshape global manufacturing, the pandemic hit the world harder when COVID-19 spread in early 2020. Apart from Taiwan, where the virus has been largely controlled from the beginning, China was the first Asian economy to recover while Southeast Asia, Japan and South Korea were still working hard to keep the spread under control before a vaccine was found. McKinsey reported in June 2020 that Asia showed an early glimpse of how manufacturing and supply-chain leaders were responding to disruption caused by the pandemic. Still, it is too early to say that Asian manufacturers will be out of the woods anytime soon.
Meanwhile, disruption to supply chains is taking a toll on the manufacturers continually, and the semiconductor industry in particular.
Amid trade tensions and a strong chip demand, semiconductor companies have been cautious in managing microchip sales and production. Given the relatively short lifespan of semiconductor items, manufacturers want to meet customer needs while avoiding over-production or holding undelivered stocks that might become obsolete. COVID-19 further upset many of the production and shipment schedules due to widespread lockdown measures. Freezing weather in Texas created further supply disruptions. Meantime, the U.S. is moving to bolster its own R&D and technology base. How will such actions impact supply chains?
Meantime, global chip shortages are mounting. There has been an increase in demand as people snap up 3Cs electronic products for work from home and leisure. These electronic products generally require chips to function. Chip demand further increased when carmakers found their sales rebounded unexpectedly. But meanwhile semiconductor makers had already committed their production to electronic products. Demand for chips will keep growing, especially for the advanced chips required to power the increasingly complicated computer systems built into automobiles, smart electronic products, and even areas such as power grids and the military.
According to the Semiconductor Industry Association in the United States, U.S. chip companies have captured about 47% (or $193 billion) of global market share in semiconductor sales (with Intel ranking first) but only 12% market share in semiconductor manufacturing. The world’s biggest semiconductor manufacturers are Taiwan’s TSMC, China’s SMIC, and South Korea’s Samsung, all with factories located in Asia where TSMC controls 51.5% of the foundry market.
While the concentration of foundry is currently in Asia, Samsung is looking at four US locations for a $17 billion chip factory, and Intel has announced its intention to spend $20 billion to build two new chip plants in Arizona. Though the expected investments by Intel and Samsung may take a couple of years to realize, their actions may bring chip production and supply within a vital market.
New emphasis on a domestic supply chain component is not limited to the U.S. and China. Europeans have shown similar concerns, and India’s prime minister, Mr. Narendra Modi, has spoken about a “new era of economic self-reliance.” But in each case the effort to effectively reshape supply chains may be more easily said than done.
A Saville article, “Global Manufacturing Supply Chains: The Future,” reminded readers that supply chains are complex and tangled. Saville added, “It is never as simple as closing a factory in one location and opening one in another. Relocating manufacturing is costly, so redirecting future investment is a more likely trend. The perceived benefits of nearshoring will also vary depending on the type of good.”
So, what might the future look like for Asia, today’s global manufacturing hub? Cost of production in Asian countries will remain comparatively cheaper than Europe and North America, at least in the next five years or longer barring an unpredictable geopolitical or financial crisis. However, if future technology advancement takes shape in digital ecosystems, robotics and automation can bring the cost of production in the U.S. and Europe to a level playing field with Asia. Localized production may be highly possible for mature economies, achieving the goal of less cross-border reliance for supply and regulatory issues, and hence establishing a new paradigm for managing supply chain risk.
George Haitsch – Willis Towers Watson Senior Director & Client Relationship Manager
Beginning in the 1990s, organizations have focused on reducing inventories, minimizing cost and increasing asset utilization. There was a move toward globalized sourcing and lean manufacturing with “just in time” inventories. This shift has reduced the ability of many supply chains to absorb specific disruptions or macro-economic shocks. Recent “black swan” events including extreme weather, cyberattacks, supplier disruptions and pandemics have highlighted the interdependency and potential shortcomings of both national and global supply chains.
Significant and increasing attention is being paid within the United States to this topic. Corporate leadership has witnessed the impact of supply chain vulnerabilities on lost innovation and intellectual property, business results and employment. Within government, there are fears at a national level around critical infrastructure and threats to American economic advantage. Increasingly, there are calls to re-domesticate important elements of supply chain that had been outsourced abroad. The impact in 2020 on U.S. semi-conductor manufacturing from supply chain issues and the resulting impact on U.S. technology and automotive production from Asian factory shutdowns amidst the global COVID-19 pandemic is a prime example.
One result has been the U.S. Office of Science and Technology Policy at the White House making federal resilience a national priority and calling for the “reshoring” of critical goods, medical supplies and high tech products to the US in 2021 and beyond. A U.S. dominated supply chain supported by increased domestic manufacturing as well as increased inventory levels of raw material, work-in-progress and final product would be a defensive posture that could protect key American production from external events that currently threaten critical production. It would also be more costly in terms of expense as inventories demand warehousing and domestic manufacturing costs far exceed labor expenses in other countries for the same product.
In addition, a purely domestic supply chain would have to be managed to avoid the loss of redundancy in the event of a major U.S.-based natural catastrophe or another black swan event. Leveraging data to predict demand and investing in new manufacturing technologies would enable a more balanced approach to inventories of key elements of supply chains deemed critical. A data-driven supply chain would adjust manufacturing capacity to be vastly more resilient and better able to detect, respond to and recover from disruptions.
Global impacts could include increased expense for U.S. products, making American businesses less competitive. If similar moves occur in other countries there could be an escalation of aggressive industrial practices triggering support from adversarial governments resulting in tariffs, subsidies and currency manipulation. American brands would suffer accordingly in foreign markets, diminishing corporate results and undermining shareholder value. Ideally, a balanced approach can be developed where government partners with industry to drive a process that blends the nimbleness of corporate innovation with the weight and strength of focus that the best federal programs provide.
Lucy Stanbrough - Head of Emerging Risk and Geopolitical Risk Research, Willis Research Network
With COVID-19 continuing to dominate the headlines and Board agendas, it can be easy to lose focus of the wider risk landscape, but fresh eyes and an all-hazards perspective are essential to build resilience and prepare for the future.
In previous Willis Towers Watson TMT research, business leaders listed the threat of pandemics as minor among any variety of “natural disasters, epidemics, and armed conflicts.” In contrast, pandemic risk was Number 1 in the 2017 UK National Risk Register – and yet we sensed a lack of operationalized preparedness at the scale needed. These findings signaled that there is no shortage of risks, but preparation is a different matter. Against a backdrop of warnings and simulations regarding potential emerging risks, are businesses still failing to adequately anticipate events and brace for their future impact?
Identifying risks isn’t enough on its own, and a good risk manager will know that the process of considering them goes beyond the annual process cycle. The past year has emphasized the need to reconsider the full risk landscape and to put other risks back under the microscope. This leads to another question: How can investment in risk management and contingency planning contribute towards overall resilience?
Bill Gates once wrote, “We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next 10. Don’t let yourself be lulled into inaction.” While he was discussing the evolution of personal computing, it is this perspective that needs to be challenged as we build forwards. Part of that is considering where the pain points of the business are.
Too often “group think” leads to statements such as “impossible to predict” or that mythical “black swan.” This is where a review of risk registers by external advisors can be a good idea as it can bring fresh perspectives, including learnings from other industries. It is also important to remember that you won’t spot everything, and that’s okay. Predictions are valuable in allowing organizations to stress test their thinking and responses.
It is as much a culture challenge as an operational one. Businesses need to be ready for multiple scenarios and be flexible when the exact situation doesn’t unfold as scripted. Keeping an eye on cross-industry developments, such as those outlined in the 2021 WTW report Managing the new political risks in the technology sector, can help challenge thinking.
Stress-testing should ensure resilience is viewed through a broad lens, considering a wide pool of triggers. Firms must appreciate the need for systematic resilience to fight systematic risk.
There is growing acknowledgment that risk frameworks require a greater focus on employee safety and well-being and that preparedness must include the continual drive of the operational resilience agenda, involving a collaborative approach across the entire organization.