We are delighted to announce James Yates as one of the speakers at #RISK London, coming to the ExCeL next month.
James has been Chief Risk Officer at Shard Capital since early 2019. A passionate advocate of strong risk management principles and cultures, James has over 24 years’ experience working in Financial Services. He has operated in risk-related roles across a multitude of regulatory jurisdictions, including the UK, Germany, Australia, Singapore and Denmark.
As the number of accidental disclosures continues to rise, more security incidents are being traced back to human error. James will be exploring the issue exclusively at #RISK London and shedding light on how organisations can improve their processes and cultures to reduce risk.
Prior to his talk, James answers questions on this crucial topic and briefs us on his career pathway to date.
Could you outline your career pathway so far?
I have spent almost my entire career in roles that focus on risk management in one form or another. After starting as a ‘runner’ at a small brokerage in Essex during the late 90s, I gained my trading qualifications and joined CMC Markets on their equities desk. Over 10 years I progressed to become Global Head of Equities managing the Market, Credit, and Counterparty risk for a substantial book of equity swaps.
My next role was at Saxo Markets UK, a UK regulated subsidiary of Saxo Bank, as the Head of Risk & Reporting. My time here was spent focussed on classical broad operational risks at the start, but with big changes to legislation, including GDPR and MiFID 2, the risk focus expanded to encompass areas such as Data Protection/Information Security risk, Financial Crime risk and Conduct risk, to name a few.
In January 2019, I joined Shard Capital as its first full time Chief Risk Officer and member of the Board. In my current role, I am responsible for developing the firm’s Enterprise Risk Management framework and advising the Board on all aspects of risk management.
Although the firm is relatively small, it is very complex, meaning it is potentially exposed to the full range of traditional and modern financial and non-financial risks.
How big a problem is accidental disclosure when it comes to managing data breach risk?
It is a big challenge. It is generally well understood that human error is the primary driver for a significant percentage of information security and data protection incidents, whether through carelessness, a lack of competence or naivety.
Managing data breach risk is as much about managing human nature as it is about technological systems and controls. Incidents occur at firms all the time, particularly in big organisations where there will be multiple process failures in different areas of the business on a daily basis.
It’s a matter of ‘when’ and not ‘if’ an incident will occur; to think otherwise is naïve.
Do organisational structures and processes contribute to the risk of accidental disclosure?
Organisations are still not seeing privacy and security by design being embedded across the whole lifecycle when developing new products or tools, and it is often not considered for legacy systems. Firms have become used to certain ways of working that are now so ingrained that processes are proving challenging to change.
A good example of this is email, which was developed as a tool for communication but is often used by many individuals and organisations as a repository of information. Any information stored in an email inbox is only a few clicks away from being an accidental data breach, not to mention the risks posed by a malicious actor (internal or external) should they gain access to that system.
What are the key hurdles that organisations face as they push to strengthen processes and culture to reduce risk of accidental disclosure?
The constantly accelerating pace of technological change poses challenges to firms in myriad ways, not least with regards to data protection. As highlighted above, not embedding the principles of privacy and security by design in new processes will lead to elevated levels of risk within a firm that are almost certainly outside of most businesses’ appetite.
The level of knowledge needed to understand risks and make the correct decisions is also challenging. Boards and executive teams rely on delegation to subject matter experts to help manage risks within a business, but they themselves must maintain a high level of understanding across multiple disciplines if they are to make informed decisions.
As technology continuously evolves, and the rate of change of legislation and regulation continues at speed, it can be very challenging for those responsible for running a business to make the right decisions.
When it comes to phishing, spear phishing, whaling and social engineering, malicious actors already have advanced techniques at their disposal to attempt to gain access to protected information. Whilst organisations strive to keep all staff trained and aware, the onus is on the individual to complete training courses in order to maintain the required level of knowledge and proficiency, so this remains a significant challenge.