Managing Risk In Digital Transformation Risk Advisory


Managing Risk in Digital Transformation
January 2018
Risk Advisory


Introduction

Digital. Is it a buzzword in the corporate world or way beyond that?

In the current times, every industry/enterprise has its own definition of ‘Digital’ and what it means to them. Boards, CIOs, and Executives are extensively talking about going digital.

Organizations can no longer evade the truth that Digital has become the need of the hour and the most effective enabler for creating a differential and unique competitive advantage.

A “digital mindset” and the requisite investment of capital are critical enablers for a successful transformation exercise.

Key trends

Several factors have been playing a crucial role in the exercise of digital transformation. A few among them have been listed below:

- Exponentially increasing penetration of smart devices.
- Evolving customer expectations and changing demographics.
- Increase in internet speed and its penetration.
- Technological innovations and inclination towards advanced technologies.

Digital Technology is slowly being recognized as an important enabler for innovations. Digital Transformation brings forth unmatched opportunities and capabilities for growth and value creation.

None of the opportunities, however, can be realized without dealing with the associated risks. Managing risks in the changing era is, thus, critical to an organization’s sustainability.


Digitalization means different things for different stakeholders

For an effective digital environment to meet the desired objective, it is critical to consider risk areas beyond traditional risk.

Enterprise View

Strategy and Vision / Implementation
- Define a digital vision and strategy
- Transforming the tools and capabilities used to deliver services
- Conduct a feasibility assessment of the initiatives which can undergo digital transformation
- Identify the key stakeholders in the ecosystem aiding the digital transformation

Program Management
- Focus on timely and cost-effective implementation of the digital initiative, for the respective business teams

Risk View

Contextual Risk
- Adequacy of selection of digital enablers of the digital program, in the context of business objectives
- Setting the tone of risk management at the design stage of digital program
- Prioritization of initiatives ensuring minimal impact or disruption of service.

Implementation Risk
- Risk-based architecture for the digital enablers, w.r.t. technology, operations, vendors, compliance, security and resiliency
- Right digital technologies for different business processes
- Culture of ‘digital mindset’ and a secure usage of the digital components

Governance Risk
- Effective governance around the Digital transformations to ensure cross functional synergies and eliminate risks arising due to interdependent processes
- Risk management framework that can be used by the organization for managing risks that may arise in any future digital initiatives.

Beyond Traditional Risk and Security

Laying out the building blocks of the digital risk strategy is crucial to its success. An immediate step by organizations is to have robust measures around cybersecurity, and the easiest approach is to perform typical information security and/or cyber security assessments of systems. The questions which need to be addressed are, ‘Is this enough? Is cybersecurity the only risk to a digitally enabled organization?’

For an effective digital environment to meet the desired objective, it is critical to consider risk areas beyond traditional risk. For example, social media is becoming an integral part of marketing, thereby creating risks to brand value and reputation. Similarly, customer profiling is prominent for better customer experience, but the profiling process should be aligned to protect the privacy of customer data. Another important aspect to be considered is digital resiliency: due to the large dependency on technology, the availability of the systems is non-negotiable. There are several other scenarios across different industries and operations that cover other risk domains that could be considered.

Deloitte’s Digital Risk Framework

[Figure: Deloitte’s Digital Risk Framework. Labels recoverable from the diagram: Risk Areas; Extended Enterprise; Digital Governance; Customer Experience; Customer Lifecycle; Asset Lifecycle; Enterprise.]

We have considered 10 risk areas – Strategic, Technology, Operations, Third Party, Regulatory, Forensics, Cyber, Resilience, Data Leakage, and Privacy – as the risk landscape in any digital ecosystem. Based on the applicable risk areas for the digital initiatives, different control measures need to be designed as per leading standards and industry practices. The critical aspect in defining the controls is to take into consideration the nature and level of digitization in the operations, as most of these areas are at a nascent stage and tightly coupled with systems or manual processes, so there might be constraints to implement the controls.


Understanding the risk areas is critical to identifying and dealing with all the risks that an organization may be exposed to in a digital environment. This section explains in brief all the risk areas considered in the framework.

Technology
Potential for losses due to technology failures or obsolete technologies. Technology related risks have an impact on systems, people, and processes. Key risk areas may include scalability, compatibility, and accuracy of the functionality of the implemented technology.

Cyber
Protection of the digital environment from unauthorized access/usage and ensuring confidentiality and integrity of the technology systems. Key controls may include platform hardening, network architecture, application security, vulnerability management, and security monitoring.

Strategic
Usually derives from an organization’s goals and objectives. It can be external to the organization and, on occurrence, forces a change in the strategic direction of the organization. Typically would have an impact on customer experience, brand value, reputation, and competitive advantage in the market place.

Operations
An event, internal or external, that impacts an organization’s ability to achieve the business objectives through its defined operations. Includes risks arising due to inadequate controls in the operating procedures.

Data Leakage
Ensuring protection of data across the digital ecosystem at various stages of the data life-cycle: data in use, data in transit and data at rest. Key focus control areas would be around data classification, data retention, data processing, data encryption, etc.

Third-party
Comprises risks arising due to inappropriate controls at the vendors’/third party operating environment. Key controls would be around data sharing, technology integration, operations dependency, vendor resiliency, etc.

Privacy
Risk arising due to inappropriate handling of personal and sensitive personal data of a customer/employee, which may impact the privacy of the individual. Key controls include notice, choice, consent, accuracy, and other privacy principles.

Forensics
The digital environment’s capability to enable investigation in the event of a fraud or security breach, including capturing of data evidence that is presentable in a court of law.

Regulatory
Adherence to statutory requirements including technology laws, sectoral laws, and regulations.

Resilience
Risk of disruption in operations or unavailability of services, due to high dependency on tightly coupled technology. Key areas of consideration would include business continuity, IT/Network disaster recovery, cyber resiliency, and crisis management.

Digital Risk Portfolio

Our portfolio of services to mitigate risks around digital enablers

- Digital Risk Strategy: Establishing a governance framework to address the risks in implementation of Digital Programs
- Digital Identity: Having an effective authentication & authorization mechanism across all digital enablers
- Blockchain: Leveraging Blockchain architecture to secure against internal and external threats
- RPA: Enabling a secure RPA implementation and leveraging of RPA for Cybersecurity & Risk management
- IoT: Designing a risk-based IoT architecture for data collection and management of remote systems
- OT (SCADA): Protecting the OT infrastructure through secure integration with enterprise technology eco-system
- Digital Payments: Secure digital payment offerings using a structured risk based approach
- Cyber Analytics: Analytics based risk and compliance monitoring supported by Advanced Technologies.
- Digitalization of RM: Enabling the risk management leveraging digital technologies

Navigating Digital Risks

Approach to establish an effective risk management in digital environment

- Discover: Aligned to the organization’s Digital vision, study the selection of digital enablers, and analyze the context so as to assess the digital footprint and its impact.
- Develop: Based on Deloitte’s Digital Risk Framework, develop a risk based digital architecture customized to the organization’s digital needs and operating environment.
- Implement: In the context of business, implement the risk based digital architecture for the selected digital enablers supported by an overall risk governance.
- Monitor: Embed a continuous review process that evolves in response to disruption and new developments across the digital estate, legal and regulatory requirements.

Sustainability

“An approach to digital risk management should begin with an understanding of the organization's digital footprint and creating a register of digital risks”

01 Support Risk Management by conducting risk awareness workshops and trainings. Take it up as a proactive exercise, embedding it into the organization’s strategy instead of merely keeping it a reactive one.

02 Periodically monitor, review and update the digital risk framework.

03 Enabling risk management through a tool will be appropriate for a systematic identification and management of the evolving digital risk.

Conclusion

Digital Transformation across industries has led to a rapidly changing business environment which offers exponentially augmenting opportunities for new capabilities and initiatives.

One of the most critical success factors to win in this digital era is organizational agility. Businesses can create a scalable and adaptable digital journey encompassing a well-defined digital strategy, an appropriate business case, and a customized and flexible approach.

Along with Digital transformation, it is imperative for organizations to also manage the risks that are introduced into the environment and their impact on the existing eco-system, to drive optimum value from their digital initiatives.

Despite all the challenges and risks that the evolving environment presents, organizations cannot overlook the opportunities that ‘moving to digital’ brings forth, along with the profound impact that it shall have on them.

Contacts

- Rohit Mahajan, Partner Leader, Risk Advisory, rmahajan@deloitte.com
- Shree Parthasarathy, Partner Leader, Cyber Risk, sparthasarathy@deloitte.com
- Vishal Jain, Partner, Risk Advisory, jainvishal@deloitte.com

For further queries and feedback please email on indigitalrisk@deloitte.com


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

© 2018 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited.
