Bulletproof Risk Management to Thrive in the Digital Economy

Risk Management
Author: Sudhakar Sathiyamurthy, CISA, CRISC, CGEIT, CIPP, ITIL (Expert)
Date Published: 1 May 2019

Digital technologies have profoundly changed lives, blurring the lines between the digital and physical worlds. From humble beginnings, the current constellation of devices and technologies that empower organizations has grown smarter, more deeply interconnected and more Internet-connected than ever before.

The convergence of rapidly emerging technologies and smart things such as the Internet of Things (IoT), artificial intelligence (AI)-infused computing, robotics, sensors, beacons and analytics is redefining the digital environment by making organizations more intelligent and offering a hyper-local business experience to users.

Along with the substantial opportunities the digital age brings comes a diverse range of risk scenarios and potential harm, including:

  • Strategic risk—Due to business adoption challenges, consequences of digital misalignment to native business models and business exhaustion due to change-resistant behaviors
  • Operational risk—Due to myopic views of digitally enabling a portion of a business process as a bandage solution (e.g., implementing cloud, AI, crypto or robotic process automation) and using suboptimal or legacy solutions for the rest. Legacy solutions are not only poorly suited to address the emerging class of digital risk, but are also overstrained with incremental repairs to the point where they no longer accommodate defenses.
  • Cyberrisk—Due to targeted and sophisticated attacks leading to business disruptions and losses from data exfiltration, malware, financial theft and distributed denial-of-service (DDoS) attacks
  • Legal and regulatory risk—Due to imminent and potential privacy and data protection obligations (e.g., the EU General Data Protection Regulation [GDPR], Germany’s Bundesdatenschutzgesetz [BDSG], France’s Commission nationale de l’informatique et des libertés [CNIL], the California Consumer Privacy Act [CCPA]) that are uneven and sometimes exclusive to particular regions, countries and jurisdictions
  • Supply chain risk—Due to unacknowledged weaknesses and threats in the makeup of the digitally enabled supply chain and lack of trust-based decision models for supply chain management that are capable of real-time risk sensing and decision-making to emerging impediments
  • Governance risk—Due to inadequate consideration and governance of the interaction of all aforementioned risk factors, which becomes increasingly threatening as a compounding risk and may cause more damage than as an individual risk

The digital landscape is a web of interdependent milieus inhabited by diverse participants including the core business stakeholders, extended affiliates, partners and third parties, as illustrated in figure 1.

Figure 1

Do Risk Management Capabilities Accommodate the Digital Realities?

Digitalization offers unparalleled opportunities while also representing a major source of risk. Digital risk, in a nutshell, is an orchestration of the strategic, operational, cyber, legal and regulatory, supply chain, and governance risk factors for organizations that increasingly rely on digital processes to run the enterprise. As digitalization spreads into every aspect of business, resilient digital risk management capabilities are more critical than ever.1

While digitalization makes pronounced advancements, organizations often face challenges in rightly sensing and managing digital risk. The impediments inhibiting effective digital risk management are often reflected as operational shortcomings such as muddiness about crown-jewel assets, a silo view of risk that prevents seeing the forest for the trees, risk intelligence not catering to the right audiences, uneven contours of risk analysis methods that make it difficult to correlate risk and fathom the cascading exposures, lack of stakeholder confidence in risk analysis, failure to deliver relevant insights and foresights, and meager user experience and complex automation, to name a few factors.

The digital revolution is well underway and disrupting multiple aspects of business. Organizations are overwhelmingly pursuing digital transformation. Nine in 10 enterprises are attempting digital transformation as they look to spark innovation and explore efficiencies.2 Worldwide spending on the technologies and services that enable digital transformation is expected to reach US$1.97 trillion in 2022.3

And those enterprises that are failing to effectively manage digital risk may be putting themselves at a competitive disadvantage.

Common Digital Risk Concerns Noted From the Front Line

Managing digital risk is sometimes a formidable challenge for organizations. Some of the best-laid digital transformation plans can go awry if they are not reasonably risk managed. Following is a representative list of commonly noted digital risk concerns from the front line.

Risk to Digital Is Risk to Business
The digital-risk-is-business-risk view is fairly straightforward to hypothesize, yet far fewer organizations recognize the potential for losses and uncertainties in business operations inflicted by their digital environments. Traditional risk management practices often characterize their operations as chunks of disconnected units—this is noted as disparate risk management teams merely administering their own chores and often checking the box; non-homogeneity between approaches to understanding, measuring and responding to risk; uneven risk vocabulary and limited reliance on risk models; autonomous camps bingeing on point risk management solutions; and silo risk responses that pay no attention to the business and risk synergies. The management of digital risk is no longer an isolated issue but an issue for the enterprise overall. Organizations should focus on reordering traditional risk management practices by breaking down digital risk silos, reinforcing digital risk governance and enabling risk harmonization across the digital lineages.

A Business Is as Effective as Its Supply Chain
Digitalization is making inroads with novel delivery methods, and the supply chain is too big to ignore. As self-driving cars take to the streets, autonomous drones take to the skies, intelligent robots take over factories and digital currencies become more mainstream, digitalization is disrupting business operations and their supply chains.

The digital landscape creates a complex web of relationships and trust models with its supply chain. Accurate, credible and timely insights into the general state of digital business operations, its intrinsic technology and trade, and the underpinning supply chain arrangements are vital to sense and manage risk. The high-profile supply chain attack that Target experienced was caused by lax security at a heating, ventilation and air conditioning (HVAC) vendor. Organizations are exposed to a disproportionate volume and variety of supply chain risk scenarios based on their technology and trade. The risk is inherent in every single supply chain arrangement, including professional services, outsourced services, managed services, cloud services, and hardware and software services.

During an industrial control system (ICS) software attack, the adversaries compromised the ICS software suppliers and planted malicious binaries in the suppliers’ legitimate files, which then cascaded with every installation. Malware hidden inside the supplier software allowed the adversary to command and control critical infrastructure, causing many energy-sector organizations to fall victim. In this scenario, it is not only the supplier’s software that is exploited, but the faulty software embedded in organizations’ ICS components that results in widespread impairment.

Forty-one percent of organizations experienced a breach or an incident that was caused by one of their third parties.4 Most organizations pay attention only to what is happening within their four walls, and they often find it difficult to unravel the entirety of supply chain risk—those risk factors that originate from sources outside the enterprise. With an accelerating network of supply chain risk, organizations need resilient supply chain management to minimize the impacts of disruptions, as the organization is only as strong as the chain of suppliers with which it works.

Escalating Threats, Burgeoning Data, Uneven Regulatory Landscape
The radical pace of technology modernization, the state of flux and sophistication of threats, intensifying customer expectations, and increasing laws and regulations are converging into what is becoming a perfect storm for the digital landscape. With digitalization, organizations end up processing heaps of data of all forms, ranging from users’ searches, clicks, website visits, likes, user behaviors, online purchases and many more to achieve their competitive edge. This is taking shape in, for instance, the automotive industry with connected cars, in the retail industry with voice-activated shopping, in life sciences with smart pharma (healthcare solutions that harness digital health data), and it is having significant and far-reaching changes in manufacturing with industry 4.0 (also referred to as the fourth industrial revolution, which focuses on automation and data exchange in manufacturing technologies).

With data being the core of digitalization, ironically, it is not uncommon for data-rich digital operations to fall short of reasonable cybersafeguards and struggle with responding to covert attacks and data breaches. It is now clear that any technically literate person with a computer and an Internet connection can launch a cyberattack—from thrill-seeking teenagers to sponsored hacker communities—and cost organizations millions of dollars, as proven by the Equifax and Maersk breaches.

The increasing number of significant, publicized breaches suggests that not only is the number of security breaches going up, they are increasing in sophistication as well. Recent statistics indicate that the odds of an organization experiencing a data breach are one in four,5 while the chances of being struck by lightning are one in 1 million. High-profile attacks ranging from the NotPetya ransomware attacks to coordinated botnet attacks, such as VPNFilter malware, are frustrating reminders of the near inevitability of cyberintrusion. To counter this issue, security and privacy safeguards should be embedded into the design when digital services are modeled and engineered, and their compliance posture should be continually reviewed in light of changes and/or updates to national and international laws and regulations.

Digital Transformation Should Begin With Risk Transformation
Digitalization is rewriting the business and technology ground rules of many industries. Successful digital risk management calls for an integrated and collaborative administration of strategic, operational, cyber, legal and regulatory, supply chain, and governance risk that requires a high degree of coordinated expertise, including cultivating digital risk talents, nurturing behavioral changes and syndication between the digital risk functions:

  • The extent and complexity of the digital risk analysis process is often not characterized rightly. While an abundance of risk analysis tools and techniques is at the disposal of risk practitioners, the fundamental issue, of course, is understanding and managing the continuum of digital risk to help make quick, well-informed decisions. Risk practitioners need to look beyond the boundaries of their organization to fathom the links and interdependencies of the digital environment; the biases that shape the computational cognitive models; and the trust architecture between the business, consumers and digital assets in order to sense and manage risk.
  • Risk communication is a simple but often overlooked aspect of managing risk. Effective risk communication is the cornerstone for advancing the user experience and demonstrating business value. Sometimes, the density of statistical analysis or technical details in loaded risk reports may lose the audience’s attention or confuse audiences who are conditioned to review risk as business losses.
  • Administering digital risk through manual techniques, such as spreadsheets and flat files, is often counterproductive for organizations. At the same time, automation is not an ultimate fix. The use of silo technologies without any integration with enterprise platforms, and autonomous functional camps bingeing on point solutions, are far more upsetting than manual paperwork. Remember, the goal of automation is to deliver business value by providing accurate, credible and timely intelligence on risk, rather than getting tangled in solution warfare.

Every organization’s digital risk journey is different. Realizing the value of digital risk management requires a strong reinforcement of the previously articulated facts and integrating risk management into an organization’s culture and belief system.

An Integrated View of Risk Is More Important Than Ever
The sophistication of digital transformation can be illustrated using Smart Finance,6 a digital financing business in China. Smart Finance offers an AI-powered application (app) that relies on algorithms to make millions of small loans. The service does not go the traditional route of asking borrowers for their pay grade. Instead, it simply requests access to some of the data on the potential borrower’s phone as a means to predict the borrower’s ability to repay the loan amount. The deep-learning algorithms in Smart Finance do not look at the obvious metrics that are traditional to the credit-lending business. Instead, they look for thousands of unusual considerations such as the speed at which the user typed in a date of birth, the battery power left on the phone and correlations recognized from millions of creditworthy transactions. An emerging new-age digital solution such as this involves a host of systems, devices and data interactions cutting across several business processes, which necessitates distinct risk recognition across the operational, cyber, legal and regulatory, supply chain, and governance risk pillars. Figure 2 shows a fictitious digital environment and is accompanied by questions that help synthesize a practical risk analysis.

Figure 2

There are some questions that merit consideration in assessing the risk7 related to digitalization:

  • Is the organization aware of the boundaries and interconnections that piece together the digital landscape with the business operations?
  • Has the enterprise identified the crown jewel assets, including business processes, systems and data that are affected by the digital transformation and their relative impacts?
  • Has the organization recognized all supply chain relationships associated with the digital landscape and assessed their risk exposure?
  • What are the probable threats to the digital landscape? Who are the threat actors and what are their skills and motives?
  • What are the inherent and emergent weaknesses to controls relating to the digital landscape that can likely expose the enterprise to an attack?
  • Does the organization have visibility into the integrated and compounding risk exposure of its digital landscape?
  • Are reasonable cybersecurity and privacy requirements incorporated to cope with extreme events including idiosyncratic risk, adversarial actions and fraud?
  • Are the information processing layers and decision models (such as deep-learning algorithms) examined and understood by the organization?
  • Does the enterprise understand the key biases underlying the risk assessment, and do the biases impair the trustworthiness of risk-based decision-making?
  • Has the digitalization process accounted for national and international obligations built into the design?

Where to Start?

Reliable risk decisions on digitalization such as those in figure 2 require an integrated risk management approach, yet not every organization has found a way to piece the integrated risk management puzzle together. As digitalization is becoming pervasive, the digital journey raises novel questions, many of which are just starting to be examined by risk practitioners.

An illustration of a digital risk assessment framework8 is presented in figure 3. The perspective offers distinctive but complementary mechanisms for assessing risk9 based on top-down and bottom-up approaches, indicated as underlying forces.

Figure 3

The top-down risk assessment approach focuses on discovering the risk relating to the organizational digital transformation goals, where the insights are distilled through reviewing the risk and rewards of digitalization against organizational risk appetites and providing risk-informed decisions to the organizations’ leadership. Of the many risk pillars, strategic risk, governance risk, supply chain risk, and legal and regulatory risk are reviewed through a top-down approach.

The bottom-up risk assessment approach focuses on discovering the risk relating to the digital architecture and its operations at a component level, where the insights are distilled through reviewing the existing safeguards in conjunction with underlying threat actors, motives and outcomes and providing risk-informed decisions to the organizations’ management. Of the many risk pillars, operational risk and cyberrisk are reviewed through a bottom-up approach.

The following steps summarize the considerations to establish a defensible digital risk management paradigm:

  1. Ensure effective risk intelligence—Accurate, credible and timely risk intelligence is fundamental for the organization to address the menaces stemming from digital transformation. Often, risk practitioners cannot communicate the risk scenarios that need attention from decision-makers, leaving the organization at a disadvantage. With the convoluted digital landscape and the scenarios it presents, decision-makers today rarely choose a course of action without a clear sight of the risk exposures. Effective risk intelligence should simplify the risk insights to the level where they can influence the right decisions.
  2. Right-size risk management—Every organization is unique in its risk culture and digitalization journey; hence, a one-size-fits-all approach is seldom appropriate for digital risk maturation. Realizing resilient risk management is often hindered by the aspects called out in the Common Digital Risk Concerns Noted From the Front Line section. A purpose-led risk management system that is right-sized to match the organizational undercurrents, including a consistent integrated risk management framework and strong governance, is central to instigating a defensible digital risk strategy and to making the risk values stick.
  3. Facilitate integrated risk management—Every so often, organizations fall short by looking at the digital landscape to identify factors that could affect the overall system in a silo rather than holistically. Organizations focused heavily on horizontal scrutiny of risk, either by risk capabilities or by functions, most times miss the opportunity to integrate the disparate risk undertakings across a range of diverse business activities into aggregated risk exposures. These actions repeatedly miss the opportunity to paint the integrated risk view, or the big picture of the risk scenarios and their concentrations. Integrated risk management extends beyond traditional risk management and requires coordinated expertise in piecing the puzzle of digital risk together by enabling cultural harmony between the risk functions.
  4. Safeguard compliance and consumer rights—With reasonable risk management constituting a core value of the user community, tangible engineering strategies for integrating risk and compliance by design still remain unclear for many organizations. Sometimes, digital transformation efforts are rushed to market for competitive reasons without considerable thought given to risk and compliance by design. Risk and compliance by design is multifaceted and can require reordering of priorities or reevaluation of assumptions—the trade-off between the risk posed and the business value should be reviewed sensibly within the constraints of the agreed-upon purposes. Risk limits should reinforce compliance with laws and regulations, including those related to the protection of the rights and freedoms of consumers.

Conclusion

In today’s era of exponentially increasing data; interactive, intelligent technologies; and ubiquitous digitalization, the new landscape makes digital-business risk challenges more real and more significant than ever.

The ramifications of these digital breakthroughs cut across every industry, with the potential to radically shift the organizational risk landscape. None of these digital expansions, however, can be realized without dealing with the associated risk. As digital adoption will only accelerate and continue to constantly reinvent the rules of competition, managing digital risk in this era of change is critical to business sustainability. While organizations are challenged to find new avenues of sensing and managing risk, successful risk practitioners are staying ahead of the shifting landscape by continuously experimenting with effective digital risk management to achieve business value creation. Organizations must challenge and change their traditional risk management attitudes and make the right decisions and transformations to thrive in this new age of digital ecosystems.

Endnotes

1 Mele, N.; The End of Big: How the Digital Revolution Makes David the New Goliath, St. Martin’s Press, USA, May 2013
2 ISACA, Digital Transformation Barometer, 2018, h04.v6pu.com/info/digital-transformation-barometer/index.html
3 International Data Corporation (IDC), Worldwide Semiannual Digital Transformation Spending Guide
4 Ponemon Institute, Measuring & Managing the Cyber Risks to Business Operations, December 2018, http://www.ponemon.org/news-2/85
5 Ponemon Institute, Cost of a Data Breach Study, July 2018, http://www.ibm.com/security/data-breach
6 Lee, K. F.; AI Superpowers: China, Silicon Valley, and the New World Order, Houghton Mifflin Harcourt, USA, 2018
7 International Organization for Standardization/International Electrotechnical Commission, ISO/IEC 27005 Information technology—Security techniques—Information security risk management, 2011, http://www.iso.org/standard/56742.html
8 ISACA, COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, USA, 2018, h04.v6pu.com/COBIT/Pages/COBIT-2019-Implementation-Guide.aspx
9 International Organization for Standardization/International Electrotechnical Commission, ISO/IEC 31010 Risk management—Risk assessment techniques, 2009, http://www.iso.org/standard/51073.html

Sudhakar Sathiyamurthy, CISA, CRISC, CGEIT, CIPP, ITIL Expert
Is a leader with Grant Thornton’s Risk Advisory Services practice. He has a broad range of international experience in building and transforming outcome-driven risk advisory services and solutions. His experience has been shaped by helping clients to model and implement strategies to achieve a risk intelligent posture. Sathiyamurthy has led various large-scale programs helping clients stand up and scale risk capabilities. He has led and contributed to various publications, authored editorials for leading journals and frequently speaks at international forums. Sathiyamurthy can be contacted at sudsathiyam@gmail.com.