Managing Risk In Digital Transformation - Deloitte


Managing Risk in Digital Transformation
October 2018
Risk Advisory


Introduction

Consumers and businesses are adopting digital technology at a rapid pace, and while this is generating new opportunities, it is also creating new risks.

An increased burden is being placed not only on the IT department but also on the internal risk function. Business leaders are making strategic choices on the investment, technology, resourcing levels and the skills needed to operate a digital business, all of which will have an impact on the short-term profitability and long-term viability of their businesses. These strategic choices inevitably involve an element of risk.

At the same time businesses have to cope with external threats. For example, as businesses undergo digital transformation and more of their assets become digital, the threat of cybercrime and risks around data privacy are growing.

While digital transformation is creating opportunities for organisations, it is also introducing a new dimension to the traditional view of risk.

Currently risk management teams remain on a reactive footing with a predominant focus on traditional IT general controls and risk assessment techniques, and are limited by the processes, systems and wider business insight with which they have been equipped.

The digital transformation journey of many organisations is well underway. With Industry 4.0 we are already seeing the application of new technologies, including robots, the internet of things (IoT), artificial intelligence (AI), cloud computing, predictive analytics and blockchain rapidly changing the way many companies design and curate experiences, manufacture, distribute and service products.

As technology transformations shift the risk landscape, organisations will need to develop an entirely new approach to digital risk. Our Deloitte Digital Risk Framework will assist our clients in this journey.

Beyond Traditional Risk and Security

Laying out the building blocks of the digital risk strategy is crucial to its success. An immediate step by organisations is to have robust measures around cybersecurity, and the easiest approach is to perform typical information security and/or cyber security assessments of systems. The questions which need to be addressed are: ‘Is this enough? Is cybersecurity the only risk to a digitally enabled organisation?’

For an effective digital environment to meet the desired objective, it is critical to consider major risk areas beyond traditional risk. For example, social media is becoming an integral part of marketing, thereby creating risks to brand value and reputation. Similarly, customer profiling is prominent for better customer experience, but the profiling process should be aligned to protect the privacy of customer data. Another important aspect to be considered is digital resiliency: due to the large dependency on technology, the availability of the systems is non-negotiable. There are several other scenarios across different industries and operations that cover other risk domains that could be considered.


Beyond Traditional Risk

Industry 4.0 – A New Era bringing New Risks

Through Industry 4.0, smart, connected technologies are transforming organisations, operations, and the workforce by increasing information flow, creating new insights, and revolutionising business models. Although Industry 4.0 has its roots in manufacturing and supply chain, it extends to many other sectors. The power and value of Industry 4.0 lies in flows of information, and the ability to integrate digital information from many different sources and locations to drive the physical act of doing business. In this way, information flows in an ongoing cycle, where data from one process informs the next. This ongoing loop incorporates the use of many physical and digital technologies, including analytics, additive manufacturing, robotics, high-performance computing, natural language processing, artificial intelligence and cognitive technologies, advanced materials, and augmented reality. The illustration below depicts how information flow occurs through an iterative series of three steps, referred to as the physical-to-digital-to-physical (PDP) loop.

This introduces new risks. One example is the digital environment’s capability to enable investigation in the event of a fraud or security breach, including the capture of data evidence that is presentable in a court of law. Another is ensuring protection of data across the digital ecosystem at the various stages of the data life-cycle: data in use, data in transit and data at rest.

Physical-to-digital-to-physical loop and related technologies

1. Establish a digital record (Physical): Capture information from the physical world to create a digital record of the physical operation and supply network.
2. Analyse and visualise (Digital): Machines talk to each other to share information, allowing for advanced analytics and visualisations of real-time data from multiple sources.
3. Generate movement (Physical): Apply algorithms and automation to translate decisions and actions from the digital world into movements in the physical world.

Source: Deloitte Centre for Integrated Research/Deloitte Insights.

Deloitte’s Digital Risk Framework

We have considered 10 risk areas – Strategic, Technology, Operations, Third Party, Forensics, Cyber, Regulatory, Resilience, Data Leakage, and Privacy – as the risk landscape in any digital ecosystem. Based on the applicable risk areas for the digital ecosystem, control measures need to be designed as per leading standards and industry practices. The critical point when defining the controls is to take into consideration the nature and level of digitisation in the operations, as most of these areas are at a nascent stage and tightly coupled with systems or manual processes, so there might be constraints to implementing the controls.

[Figure: Deloitte’s Digital Risk Framework. Centre: Digital Risk Strategy. Risk Areas: Strategic, Operations, Technology, Third Party, Forensics, Cyber, Regulatory, Resilience, Data Leakage, Privacy. Digital Enablers: Digital Payments, Digitalisation of RM, Data Lifecycle, RPA & CI, Employee Lifecycle, IoT, Blockchain, AI, Extended SCADA, Digital Governance, Customer Experience, Extended Enterprise.]


Understanding the risk areas is critical to identifying and dealing with all the risks that an organisation may be exposed to in a digital environment. This section explains in brief all the risk areas considered in the framework.

Technology
Potential for losses due to technology failures or obsolete technologies. Technology related risks have an impact on systems, people, and processes. Key risk areas may include scalability, compatibility, and accuracy of the functionality of the implemented technology.

Cyber
Protection of the digital environment from unauthorised access/usage and ensuring confidentiality and integrity of the technology systems. Key controls may include platform hardening, network architecture, application security, vulnerability management, and security …

Strategic
Usually derives from an organisation’s goals and objectives. It can be external to the organisation and, on occurrence, forces a change in the strategic direction of the organisation. Typically it would have an impact on customer experience, brand value, reputation, and competitive advantage in the market place.

Operations
An event, internal or external, that impacts an organisation’s ability to achieve the business objectives through its defined operations. Includes risks arising due to inadequate controls in the operating procedures.

Data Leakage
Ensuring protection of data across the digital ecosystem at the various stages of the data life-cycle: data in use, data in transit and data at rest. Key focus control areas would be around data classification, data retention, data processing, data encryption, etc.

Third-party
Comprises risks arising due to inappropriate controls at vendors’/third parties’ operating environments. Key controls would be around data sharing, technology integration, dependency, vendor resiliency, etc.

Privacy
Risk arising due to inappropriate handling of personal and sensitive personal data of customers/employees, which may impact the privacy of the individual. Key controls would be around notice, choice, consent, accuracy, and other privacy …

Forensics
The digital environment’s capability to enable investigation in the event of a fraud or security breach, including the capture of data evidence that is presentable in a court of law.

Regulatory
Adherence to statutory requirements including technology laws, sectoral laws, and regulations. These will include the electronic communications and … laws universe, which is of general application, and industry specific regulation including financial services, insurance and medical schemes to the extent applicable.

Resilience
Risk of disruption in operations or unavailability of services, due to high dependency on tightly coupled technology. Key areas of consideration would include business continuity, IT/network disaster recovery, cyber resiliency, and crisis management.
