By Stefano Capodagli
Risk management, besides continuing to be a trusted advisor to the board and senior management, to manage risk appetites, and develop risk frameworks and policies, is increasingly called on to swiftly evolve. Digital risk management appears to be the next evolution in enterprise risk and information security.
Building digital resiliency, both in terms of strategy and framework and in an organisation’s processes, operations and systems, will be risk management’s new mission. At all levels the final aim should be detecting threats and responding to events in ways that mitigate and minimise financial losses and business disruption. In its privileged position, it will not only manage and mitigate emerging risks, but also help the business take advantage of the upside opportunities for innovation and growth.
In light of emerging digital risks, this first of two articles looks at digital business evolution and how the risk management in an organisation strategically evolves to keep the pace of the digital era by being custodian of the organisation’s digital evolution and acting as digital innovation facilitator and business enabler.
Highly sensitive customer digital data have been growing exponentially and have become a priority for organisations and their digital risk managers. The risk of misuse by hackers and other cyber criminals has risen.
Data protection requires a custodian function within an organisation focused on developing uniform, advanced and comprehensive frameworks, policies and procedures that will be implemented company-wide in order to protect all data stored on all types of devices. This calls for a function which understands the risks surrounding the data world, and ensures that there are, over time, sufficient policies, processes and overall mitigating controls in place.
Several tasks are assigned to this function. From reviewing approaches to data storage and operations to security protocols, it assesses the relevant data to identify potential security weaknesses, while preparing reports and recommendations for senior management to address any security issues. In addition, the implementation of new security protocols throughout all applicable departments will have to be performed in cooperation with the IT unit. For operational risk management it promotes a security-awareness culture within the organisation, in order to integrate data security into (and not onto) the business operations throughout the company.
Digital risk management, by virtue of its in-depth understanding of risk management, is responsible (always in close cooperation with IT) for IT risk management programmes that include data-related risks.
The risk management function will have a crucial role to play in data security, since this is not just an IT risk – it is an enterprise-wide and top risk for modern organisations. Needless to stress, data security risks do not exist in isolation. They are interrelated and tend to amplify the impact of other enterprise risks such as compliance risks, reputational risks, and even financial risks.
The digital risk management function has a privileged, holistic position for understanding the inter-relationships between emerging risks and has the capability to identify how data breaches can influence other enterprise risks – or be influenced by them.
Digital risk governance
An integrated, overarching risk and control data governance framework and risk data model should be in place, integrating and mapping all enterprise risks into a single framework along with the related internal controls and control testing. It should also map the model to the front line (business), second line (risk, compliance) and third line (audit, assurance) universe, so that the risk management function can protect digital assets appropriately through a holistic, integral and objective view of risks.
The optimisation of digital risk outcomes will require organisations to develop, deploy and manage risk assessment and management tools and processes across all forms of technology. Significant and urgent innovative and digital competence requirements emerge. The new digital risk manager needs to have technical knowledge and familiarity with a range of different IT systems and standards; strong analytical skills for the evaluation of technology and business operations to identify potential vulnerabilities; problem-solving skills to be able to determine how to improve security; and communication skills to effectively promote data security and security regulations.
The impact of the new structure of digital risk governance and management on IT and IT security operations is minimal. The IT security team will need to step back from its position as the sole manager of security risk and to form effective partnerships with digital risk teams managing all forms of technology. There is a real opportunity to grow a digital risk and technological culture.
Facilitator and business enabler
Risk management can be an agent for maximising the value which digital data can generate without compromising on security, privacy, and confidentiality. In other words, it can lead the organisation’s digital innovation programme, while also securely and independently guiding the front line to ensure that data are ethically handled. Those data are exposed to a variety of interrelated endogenous (e.g. enterprise risks) and exogenous risks (e.g. third-party risk). However, they also provide highly valuable insights into the preferences of clients and prospects – what suits them in terms of marketing strategies, how to persuade them to invest more, when it is the right time to do so, and so on. Strategic risk management innovation has a critical role in working with these data in an independent, ethical and legal fashion.
On the other hand, as a fosterer of innovation it assists the front line to keep up with innovation in technologies and with transformations in business models. Disruption of markets and ecosystems across the global economy has been accelerating without precedent, and if organisations lag behind they could swiftly be pushed out of their markets.
While risks are closely managed, quick, calibrated, and disciplined adjustments to risk appetite and tolerances are critical. All lines of defence should be informed of such changes so that business decisions, controls testing, risk monitoring, and risk reporting work in a synchronised and risk-aligned manner. A “well-oiled”, efficient and effective risk cycle should be in place: continuously assessing those risks appropriately, and prioritising, treating and then monitoring them, so that decision-makers know exactly how and where to capitalise on the upside opportunities.
The second article in this series will look at how new technologies require organisations to adopt the digital approach to risk management and how digital resiliency should be considered the most important long-term asset of an organisation.
Stefano Capodagli, MBA, CPA, MCSI, SIRM – seasoned CRO, risk, finance and business executive and non-executive director of risk advisory firms in CEE, Africa, Asia and MENA region – is senior advisor on strategic and digital risk management to international financial institutions, UN agencies, financial services and microfinance organisations as well as certified professional trainer at IRM, academic lecturer and professional/team coach. The views expressed in this article are the author’s own and do not represent the views or position of IRM.