The development of the internet and its growing role in business increasingly expose enterprises to all kinds of threats. IT risk management, which tries to minimise, monitor and control the financial and business impact of unforeseen events, has been developing in leaps and bounds, surging at each important milestone such as the dotcom boom, Y2K (when computer programmes had to be upgraded before the year 2000), and September 11, when IT risk management was again closely examined as part of companies’ business continuity plans.
Most recently, development has been legislation-led, influenced by the US Sarbanes-Oxley Act aimed at more stringent corporate accounting, and demand for better security and privacy of personal data in Hong Kong.
“The market is hot,” says Peter Koo, partner of enterprise risk management with Deloitte China. “From 2012 onwards, we can foresee cloud computing kicking in and there will be another internet boom, with lots of opportunities to work on risk management as companies try to get everything centralised and virtualised. Security is the major reason why executives are hesitant to proceed with changing the infrastructure over to cloud computing. This may lead to high demand for security consulting.”
Deloitte has over 1,000 risk management consultants in the Greater China region, out of more than 10,000 risk management professionals around the world. Hong Kong and southern mainland China contribute 250 staff. The firm primarily serves the financial community and public sector because of their strict regulatory and compliance requirements.
Deloitte hires over 100 fresh graduates every year in the field of IT risk management in China, including Hong Kong. The three-year training schedule offers several options. Those skilled at accounting are trained up in those traditional skills, and receive IT training in their third year.
Others will start from scratch, receiving risk management foundation training including learning business consultancy and technology skills. In the third year, they can specialise in security, privacy or IT internal audit.
“Those specialising in security will join the hardcore technology team. They get internet security training by product and platform. For instance, major enterprise resource planning applications, such as SAP and Oracle,” Koo says.
The privacy team serves mainly financial institutions and the public sector for privacy ordinance-related assignments, such as privacy impact assessments and privacy-related workflow consulting.
Academic results are not the only measure Deloitte judges applicants by. “They should have a sharp, professional appearance, and should be hardworking and careful with details. They should also have good presentation skills. The grade point average (GPA) is not so important,” Koo says.
The first round of interviews involves a written test that gives interviewers a good idea of the applicant’s attitude, IQ, English language ability and the level they have reached in maths.
The second round is a group assessment where applicants are observed in order to assess their soft skills, how they interact with each other and whether they speak up. The final interview is with a panel of managers.
Koo says the panel looks for applicants who are like “a sheet of white paper”, and whom they can train and develop, “putting on all the colours”. Hence, it is vital for candidates to have a positive attitude and be eager to learn.
“We look at their soft skills very seriously. We need a good combination of soft skills and hard skills – they have to be in balance,” he says.
According to Koo, there are plenty of talented youngsters in Hong Kong, but 10 per cent of the intake comes from overseas – usually overseas Chinese who can at least speak Cantonese and English.
“We find the combination makes the training more effective; the group will be more proactive,” he says.
Cantonese, Putonghua and English are among the requirements as staff often work with companies or counterparts on the mainland.
“We are a centre of excellence within Deloitte. We support Asia Pacific, and even send staff members to Europe and the US. The top 10 candidates in each batch participate in the Global Mobility Programme and receive foreign exposure, usually for 12 to 24 months,” Koo says.
The company also encourages staff to take the CISA professional examination and offers in-house tutoring in the subject.