Strong Black Women in Telecoms Risk: Stella Makona Simiyu

This is the second of the two-part series highlighting strong black women working in telecoms risk management. This week, Stella Makona Simiyu, co-founder and Chief Operating Officer of Sentinel Africa Consulting, shares her views on helping businesses deploy effective governance, risk and compliance programs, the mindset and qualifications of a risk manager, how African risk management professionals are helping companies navigate a tricky landscape and her passion for empowering women. Stella has previously worked as Head of Operational Risk and Compliance at Airtel Money and was Principal Officer (ERM) at Safaricom.


You now serve as Chief Operating Officer at Sentinel Africa Consulting. There are not many women in positions of leadership in the risk and assurance domain. How was your journey to this position?

My journey started out with a dream. Working in the Enterprise Risk Management department at Safaricom as a Principal Enterprise Risk Manager, I wanted to do more than my current job allowed. Essentially my calling as an entrepreneur and coach began. I partnered with two of my colleagues and incorporated Sentinel Africa in September 2014. I left Safaricom in September of 2015 for Airtel Africa, where I served for a year as the Head of Operational Risk and Compliance for Mobile Money Africa. In January of 2017, Sentinel Africa opened its doors officially and I became the Chief Operating Officer in charge of project execution and excellence in project management.

Early in your career, you were a customer service representative at Safaricom in Kenya. How did your beginnings in customer service shape your approach in subsequent roles, such as when you later moved to enterprise risk management in Safaricom, and later to the role of Head of Operational Risk and Compliance in Airtel?

My role in customer service entailed ensuring that the customer issues were solved in a timely manner. I remember having a KPI called first call resolution – meaning sort out your customer in the first interaction you have with them. To do this you had to have a good understanding of the business products and services, ensuring that you knew how to solve customers’ issues, who to escalate to and follow up to completion in order to ensure the end result was customer satisfaction. A risk manager essentially works as a consultant to the business. Departmental heads then become your customers looking to you to help tease out their unique challenges and opportunities and guide them through coming up with workable solutions to exploit or mitigate as needed. A clear understanding of the business objective is needed to be effective as a risk manager.

A risk manager needs to be a curious individual who wants to understand the interaction and dependencies faced by her customers, be trustworthy, an excellent communicator, have analytical skills and the ability to understand various complex processes. A background managing and interacting with various customers definitely came in handy transitioning through my various roles.

With Sentinel Africa Consulting, which project are you most proud of and why?

There have been many instances that I am proud of but a certain customer is very dear to me. From an almost chaotic environment they have transformed to an organization that has fully embraced the process approach and risk management excellence as a way to gain competitive advantage. They have successfully certified against the ISO 27001 Information Security Management Certification and are currently on track to extend this certification to include the ISO 27701 Privacy Management Certification in compliance to Data Privacy concerns from their customers. If they successfully complete the certification process, they will be one of the first companies in Africa to achieve this. They are also looking to certify against the ISO 20000 IT Service Management standard. Working with them has been great as they are an agile and young team that is always willing to learn and execute with speed.

Your firm is active across a number of risk management areas: information security, business continuity, resilience and recovery, as well as governance, risk and compliance. This gives you a good overview of the risk preparedness of companies operating in Africa. Briefly, where do you see the maturity level for each one of those areas?

Unfortunately, not many organisations actively invest in governance, risk and compliance. Implementation is still mostly compliance-based and driven by regulators. We have, however, seen that government policy makers in Africa have adopted several initiatives aimed at raising awareness on best practice. Key regulatory bodies have also advocated implementation of appropriate governance, risk and compliance structures in industries such as financial services and their intermediaries, insurance and the public sector. These requirements from regulators are pushed to suppliers who want to interact with these industries and hence create a trickle-down effect. Organisations that are sanctioned to adopt best practices will most likely in the first years be swimming upstream because of lack of management commitment and buy-in. However, with COVID-19, cyber security incidents, terrorism and changes in regulation as well as other external forces, once reluctant management teams are now reaping some of the benefits of a proactive rather than a reactive approach to governance, risk and compliance management. We are seeing more and more organisations recognising the need for adoption and hopefully in the next few years maturity across various sectors will improve.

We are living in an era of very fast changes. 5G/IoT and proliferation of mobile money services (on a global scale) are just examples. Regulatory challenges are also very much to the fore e.g. GDPR. How do firms like Sentinel Consulting Africa help companies get through all these?

The European Union passed the General Data Protection Regulation (GDPR), giving their citizens (data subjects), for the first time, explicit power over their data. In East Africa, Rwanda, Uganda and Kenya have recently assented into law the Data Protection and Privacy regulations, signalling a positive step towards empowering data subjects on the collection and use of personal data. While at first glance the push for data protection seems an additional burden in terms of the investment that will need to be in place to meet the technical and organizational requirements for Data Protection by Design and by Default, hiring data protection personnel in some cases and so on, this law also presents an opportunity for organizations that aim to differentiate themselves as responsible custodians of their customers’ right to privacy. It also confers competitive advantage upon those that take the necessary steps to comply. As a company, we train and certify Data Protection Officers on the GDPR standard as well as the ISO 27701 Privacy Management Standard which is the international standard for the implementation of a privacy management system in compliance to GDPR. We also help organisations implement privacy management systems.

We see a lot of thought-leadership and expert views from European and North American risk managers and not so much exposure for African experts, for example. In your opinion, why is that the case and how can it be changed?

As the Chair of the Business Continuity Institute East Africa Chapter and having trained extensively in the Middle East, I agree with the above. I note that, unfortunately, as Africans we shy away from offering our story, sometimes fearing it to be “inferior”. Risk Management is customized to your context. The African context and challenges differ from the Western context. For example, challenges related to financial inclusion and the lack of proper structures for registering and identifying individuals are pronounced in Africa but not as prominent in more advanced cultures. However, as Africans we have found unique risk mitigation structures to both exploit the opportunity presented by mobile money and manage the risks. I would encourage more experts to tell their story, participating and forming strong professional bodies where like-minded individuals can share and learn so as to aid in spreading our expertise and experience across borders.

Operating in Africa comes with its own set of (complex) challenges. Companies on this continent need to be aware of the context. Yet, some companies rely on group policies set in headquarters thousands of miles away. How can they navigate this divide?

This is a common problem. When consulting for such organisations my advice is, standardise but customise where necessary. There are some processes that are easily transferable across borders. For example, an incident management process may be standard across borders and can even be managed by remote teams in a central offsite office. However, there may be some processes within your organization that are unique to a particular jurisdiction e.g. human resource laws related to screening, data protection laws related to processing of data etc. The global organization should clearly map internal and external requirements as well as legal and regulatory considerations before sanctioning group policies across countries, allowing adaptation of policies to better suit country context and in so doing meet key stakeholder requirements.

If you were advising a fresh university graduate starting out in a risk management career right now, what are some of the tips you would give such a person?

We are in the era of automation, where whole professions are being replaced by robots. The hardest jobs to automate are the ones that involve managing and developing people, helping organisations solve and analyse problems and jobs that require innovation and creativity. While there are risk systems that assist in crunching organisations’ data for better risk analytics, a graduate that can employ system 2 thinking is still highly sought after. System 2 thinking is “the mind’s slower, analytical mode, where reason dominates”. Usually, system 2 activity is activated when we do something that does not come naturally and requires some sort of conscious mental exertion. If this is you, risk management is definitely something you should pursue. Risk managers come from diverse backgrounds but commonly have undertaken first degrees in engineering, information security, computer science, actuarial studies, commerce, mathematics, data science and cybersecurity. They then commonly augment their degrees by taking relevant professional courses in risk management including CPA, ACCA, CISA, CRISC, Lead Risk Manager, Lead Implementer Business Continuity and/or 27001 Lead Implementer. Further, risk managers should be good communicators, problem solvers and project managers.

The busy schedule of a risk management professional can be overwhelming. Away from the office, you have also been active in charity, serving as project coordinator at Little Angels Children’s Home Sagana. What other activities do you engage in your free time?

As a company, we are passionate about the environment and support Nature Kenya. We have been and continue to be involved in a number of activities to support environmental conservation activities. Personally, I am passionate about women empowerment. Being a woman in a position of influence, I actively champion women’s rights at the workplace including ensuring we have equal opportunities, reduce gender bias and have work policies that enable women to balance managing family and work obligations. I mentor various young ladies who are seeking to scale the career ladder and offer my support where necessary.

What next for Stella? For Sentinel Consulting Africa?

Sentinel Africa’s Vision is to be the advisor of choice in Africa. That to us means that we must constantly focus on building and enabling teams that are passionate about the customer and their discipline of choice. My focus is to build a strong culture, work ethic and business process to deliver on our vision and take Africa by storm. In the next few months we will be launching an innovative risk management package solution focused on ensuring cost effective, scalable and holistic solutions to our target customers.

Joseph Nderitu
Joseph Nderitu is a director at Integrated Risk Services Ltd and specializes in revenue assurance. He previously worked as Head of Revenue Assurance and Fraud Management at Vodacom's operation in Tanzania, having previously served in the same role at Vodacom Mozambique.

Before his work with Vodacom, Joseph was an internal audit manager for Airtel, with responsibility that covered their 17 countries in Africa. Whilst at Airtel, Joseph led reviews of the Revenue Assurance, Customer Service and Sales & Marketing functions.

Prior to his stint at Airtel, Joseph was an RA manager at Safaricom in Kenya. He holds an MSc Degree in Information Systems.