Digital transformation is a convenient term to reflect the disruptive journey that companies undertake to make use of new, fast, and frequently changing digital technology and business models. It’s not about taking old products and simply rebuilding them in the cloud; it’s about solving problems better, with more creativity, to create experiences that excite and build fierce loyalty from customers, users, and employees. If your company isn’t already talking this way, it should be!
Risks that are considered “digital” have been around since before the age of digital transformation. However, accelerated digitisation introduces new risks and amplifies existing risks that many fast-moving companies overlook. Additionally, old ways of managing risks don’t always account for these new types of risks or are too cumbersome to scale.
Does your company address and have plans for managing these new types of risks?
Let’s look at the different risk types your company may face as you go through the process of digital transformation.
Privacy risk is the potential theft, loss, or unauthorised disclosure of personal information (customer, workforce, consumer, and so on). With technology innovating ahead of most security efforts, companies have many soft spots for bad guys to go after in their search for this data. Country and regional privacy regulations keep expanding and may affect your business, too. All those cookies you have to accept are part of the General Data Protection Regulation (GDPR), but now there’s the California Consumer Privacy Act (CCPA). Both are regulations about how to properly collect, handle, transfer, and store personal information. Because they affect most companies that sell to residents of these two economic powerhouses, they certainly impact most enterprises in some way. In addition, Brazil, India, New Zealand, and many other regions are rolling out regulations in a similar spirit. Factoring in flexibility to support expanding privacy requirements is really just self-defence for a digital business.
With so many regulations rolling out, the odds of avoiding a problem are much lower, and the costs to recover are much higher than with previous regulations.
Cyber risk
Cyber risk commonly refers to the potential for financial loss, business disruption, or harm to an organisation and its reputation caused by the failure of its information technology. A simple example of cyber risk is database breaches. These can be caused by external forces like hackers or internal forces like employees who make mistakes or become disgruntled.
Cyber risk can include any compromise of confidentiality, integrity, or availability of a computer network, database, system, product, facility (including industrial control system), connected device, or application. In this digital age, your digital footprint (things that technology interacts with) is growing faster than you can possibly secure it.
Technology risk includes cyber risk but expands the definition to the potential that failures in computer, application, database, infrastructure, and connected devices can cause disruption of your business. Technology risks could come from accidents, acts of nature, or other catastrophes, and this risk isn’t limited to within the walls of your company. Many companies leverage third parties, cloud-hosted software, tools, and infrastructure, and the same risks apply to those systems as well.
Data officially surpassed oil as the most valuable resource on earth only a couple of years ago, and it’s not slowing down any time soon. You must be able to protect not only your client data but also your employees’ and company’s data. You have an ethical responsibility to protect data from both attackers and corporations. Not only do you have to worry about the confidentiality of your data, but also you need to ensure its integrity and availability.
What’s new with digital transformation is the range of ways people can capture and abuse data (with or without meaning to cause harm) and more detailed requirements about data handling. An example would be an insurance company that’s branching out into a new business line of travel insurance, requiring the collection of new types of personal information that could invoke new regulations. The company must capture, share, use, store, and destroy (when the time comes) this data according to regulations that vary by geography. The risks and regulatory-required controls around selling or transferring data to other companies make the data landscape more challenging.
Third-party risk comes from third parties that include suppliers, vendors, contract manufacturers, business partners and affiliates, brokers, distributors, resellers, agents, contractors, and guests to facilities. Third-party risk is the potential risk that comes with businesses being connected or involved with other businesses and entities. These entities could be “upstream” (suppliers and vendors) or “downstream” (distributors and resellers). Large enterprises with many third parties or vendors don’t understand the risks of their companies being extended outside their own walls. It is often difficult to measure the risk that outside organisations bring to your company.
The use of third parties is nothing new - companies have worked with third parties for years. What has changed, however, is the frequency and scale of third-party use and the regulatory focus on how organisations are managing third parties to address the inherent risks.
When you think of digital risk, you may not think of people. The truth is, people might be one of the biggest risks to organisations. You need to make sure you’re creating an environment that’s ready for the change. Create digital-friendly workplaces by training your employees properly. Also, stay open-minded to change and don’t be quick to discount early and late adopters.
Reputational risk is the risk of a negative view of your company to the world. Reputational risk has been around for as long as business has been around, but digital transformation is shrinking our world. A lawsuit, a disgruntled customer, product failure, and a negative review are all examples of threats to a company’s reputation and brand. Social media and the Internet create much more visibility and risk to your companies’ reputation than in the past. The damage can be expensive to reverse.
Financial risk is the possibility that your company will incur financial losses. Part of financial risk includes credit risk or the risk behind borrowing money. Financial risk can also tie back to cybersecurity and digital risk related to fraud, digital theft, identity theft, and government fines and fees.
Economic risk is the risk of markets (local, national, world) constantly changing. The markets have been going up and down for a hundred years. As various markets fluctuate based on economic factors, changes to customer demand — both expected and unexpected — can occur. Root causes could stem from failures of national governments, fiscal crises, unemployment and so on. While many of these factors are difficult to predict, a mitigation plan may include how a company could pivot under certain economic conditions.
Competition risk is the risk that your competitors will outperform you, decrease your revenues, shrink your profits, or put you out of business. There is a connection between cyber and digital risk and competition if unethical competitors or governments use cyber techniques to steal digital or non-digital intellectual property (IP).
Building a solid foundation of risk management is a critical first step to any transformation initiative. After you build this foundation, it will support the organisation’s strategy, people, processes and technology.
This solid foundation for managing risk is made up of three things:
A good goal to have and to support the above is to foster a positive risk and compliance culture, which can be established at the beginning and iteratively improved over time.
With these foundational elements in place, businesses can take the right steps to evolve from managing compliance and risk with ad hoc manual processes to making risk-informed business decisions and providing holistic risk visibility to the Board.
Beyond these foundational elements, your risk management program needs to have strategic elements:
Your strategy should tell a clear and compelling story as to why risk management will yield positive outcomes to enable your company’s digital transformation. Being able to tell this story helps your risk program get the resources necessary to be successful. After you get the proper resources, delivering and measuring value against your strategy is paramount to keep your momentum in managing digital risk.
For more information on managing risk download the free eGuide below.