Seeing the unseen – managing digital risk

August 2021  |  TALKINGPOINT | RISK MANAGEMENT

Financier Worldwide Magazine

August 2021 Issue


FW discusses transforming risk management for digital with Charlotte Gribben at Deloitte.

FW: In your experience, are companies becoming more aware of the benefits they can derive from digital risk management? In what ways can it streamline existing processes, expand capabilities and reduce costs, for example?

Gribben: Digital transformation brings huge opportunities to reduce costs, drive efficiency and standardisation, and introduce direct interaction for a business across its entire supply chain and customers. Digital transformation done well reduces duplication, automates process and allows employees to focus on activities that add value. As with all opportunities, their unlocking often involves considerable expense, effort and risk. To be successful in digital transformation you need to understand the risks it brings and manage them proactively. Unlike more traditional risks, the risks to organisations of becoming and being digital are unique based on the current state of the business processes, people and technology, and how this will completely change for your specific business.

FW: What digital risks are businesses prioritising?

Gribben: Businesses are now realising that cyber and data risks are not the only risks that come with digital. There is much more to consider. There is a greater focus on brand and reputational risk. Companies are thinking about how their digital interactions with customers, suppliers or employees need to reflect their organisation’s purpose and have a positive impact. They are also looking at ways to protect their digital brands from fake or inappropriate use. Regulation is increasingly gaining attention; the General Data Protection Regulation (GDPR) and the new European Union (EU) artificial intelligence (AI) regulations have begun to set the pace for change globally and companies will have to increase attention to digital regulation moving forward, to ensure compliance. This focus on trustworthy AI and the ability for an organisation to stand behind the decisions made, and to demonstrate how they were made, will help to build confidence in the technology. Something we are seeing organisations thinking about is the ethical risks which digital brings – the risk of doing things which negatively affect the business, employees, customers, supply chain and, in the end, society. Just because you can do something, does not mean that you should. For example, when using AI and robotics, companies need to ensure not only that data is clean and controlled, but that the algorithms behind the AI do what you expect them to. They must use the input data correctly, learn as expected, and continue to act as intended so that businesses can stand behind the decisions they make. Every aspect requires proactive and ongoing risk management. One final dynamic that more traditional businesses are struggling with is around the interaction risk between new digital technology and legacy technology. This is a risk we often see turn to an issue when a new technology or change is made – these legacy technologies can be 15-20 years old and work in ways people cannot understand, so plugging in a brand new technology exposes weaknesses on both sides. We often find the integration brings about data and technology integrity, interaction and resilience issues, which at best impact technology operation and in the worst case can bring both systems down.

FW: In your experience, do businesses adequately understand the digital risk environment? What more should they be prioritising to minimise digital risk exposure?

Gribben: Managing digital risk is not easy and in most cases the path to success has not yet been trodden. Each digital use case is unique, so there is no one formula to getting it right. Each sector, industry and business is moving forward at the same time and learning as they go. The risks around this journey are compounded as digital risks are unknown unknowns and invisible. One of the key differences with these risks is speed – they go from a potential risk to a real risk to an issue visible to the public via the digital press or social media in minutes. Many organisations are starting to realise that the old way of managing risk does not work with digital. Traditional risk management tends to involve precise procedures and understanding financial, reputational and operational impacts. Newer technologies can be very expensive and bring wholesale business change, but not always – think about a robotic process automation (RPA) software solution that costs $50, for example. To implement this RPA, there would be no need for a large-scale IT overhaul, so it would never get caught by a traditional risk assessment. But this RPA could impact a key financial process or control, or it could determine a decision about customers creating risk to the business. In terms of prioritisation, first and foremost it is about understanding ownership and responsibility. Digital impacts every aspect of a business, and its risk ownership cannot just rest with the risk team. New business models, procedures, frameworks and governance – all enabled by new technology tooling – are needed. You have to think about risk and its ownership completely differently. Only once it is owned can you move forward to managing it.

FW: So, how can organisations get ahead?

Gribben: Ownership of digital risk is a challenge. Digital cuts through to the core of the business and goes across traditional business areas. There might be a digital technology that impacts finance, marketing and procurement, but who owns the risks it brings? Who is responsible for it? Of course, some companies are very forward looking and have a mature view of digital risk. In the same way that cyber has become an organisation-wide issue – where everyone understands what it is, knows to be wary of phishing attacks and how to respond to a data privacy incident – some businesses are starting to think the same way about digital: it is everybody’s responsibility because everybody interacts with it.

FW: How has the coronavirus (COVID-19) pandemic changed the risk profile for businesses? How have businesses adapted to new customer preferences, priorities and journeys?

Gribben: COVID-19 has forced a shift in terms of businesses going online, using digital platforms or completely changing the way they interact with employees, supply chains, clients and customers. Many have had to cut out traditional routes to market, going from a business-to-business approach to a business-straight-to-the-consumer approach. They have used digital solutions to offer new and different services incredibly quickly. Many did this for business survival, but now they have an opportunity to take a step back and ask whether the rapid decisions they took in reaction to COVID-19 opened them up to risks, and what control debt they have developed. For some, remediation and mitigation may be needed to ensure the business is safe, secure and appropriately controlled. They may need to redesign the way they monitor and manage risk across new processes, new technologies and new business models, as well as the way in which their people and processes interact with the technology. In addition, we are seeing more risk management functions using digital technology to achieve these goals. Sample-based or yearly reviews are no longer fit for purpose. Data-driven risk and control monitoring needs to be continuous, capture the entire organisation, and leverage what already exists but for a different purpose.

FW: As part of this, how important has it been for companies to have access to clear, accurate data insights in order to effectively assess and manage risk?

Gribben: The majority of successful businesses run on data. Digital technology will only work as intended when it draws on clear, accurate data. The old adage of ‘garbage in, garbage out’ has never been more prevalent. This is a heightened risk, especially for businesses that are not digitally native, which have huge amounts of old data held in systems that do not provide the quality or richness of data the company now needs. Most importantly, companies need digital risk insights to identify priority risks and how to monitor them. They are using digital visualisation tools or even AI to discover nuanced trends that demonstrate where they are open to risk or that systems are not working as expected. They are pulling data from various available sources – including outside of the business, such as social media, environmental or societal data – and mapping it to the business to determine what the future might hold for risk and control. The move is toward using data to drive knowledge and understanding of risk, and to predict where challenges may lie going forward.

FW: What essential advice would you offer to executives on implementing a holistic digital risk framework to help them make better decisions, and maximise value from digital risk management?

Gribben: Change brings risk and digital change extends into almost every sphere of risk that we know. Companies therefore need to adopt the mindset of tackling risk before, throughout, alongside and after the digital transformation process. The best way to get the maximum value is to think about digital risk from the outset. Build digital risk into the strategy as you go, through design, through testing, through implementation, and embed it into business as usual. The benefits to be gained from proactive digital risk management come down to confidence for employees, clients and shareholders. Confidence can come in terms of transformation delivery, regulatory compliance, financial upside, and operational and brand protection. Creating a holistic digital risk framework requires the full strength of the business to pull together. Transformation and risk teams cannot do it alone. To be complete, you need the perspective of people across the whole business. The input required is much wider than many companies initially expect, and senior executives need to ask themselves critical questions about the level of oversight, control and understanding they have about their digital risk exposure. How confident are they that digital transformation is achieving the right outcomes, impact and value?

FW: How do you expect digital risk management to evolve in the months and years ahead? In an uncertain future, will a data-driven response to risk be indispensable?

Gribben: Over the last 18 months, businesses have taken a huge step into the unknown due to the COVID-19 pandemic. The risks that have surfaced as a result of recent changes are being recognised in retrospect, and sometimes mitigated, sometimes remediated, sometimes accepted. As technology advances into new and different offerings, the way companies need to control it will also change, and being proactive on managing this is key. Ultimately what we all need to do is look at digital risk from a different perspective. Society does not really understand the full risk of digitalisation and what it means for them. Put yourself in the consumer’s shoes – how could you be left more at risk when buying a new car, or using a new mobile app? Climate change and the movement toward sustainability triggered a huge societal shift when people started to understand their impact and demanded change. I wonder if we will see something similar around digital in the years to come.

 

Charlotte Gribben is a partner who leads Deloitte’s digital risk team with 15 years delivering technology and digital governance, risk, security and controls. She can be contacted on +44 (0)77 3621 2539 or by email: cgribben@deloitte.co.uk.

© Financier Worldwide

