COVER STORY OF THE MONTH
Managing Risks in a Digital World
Digital risk in business is only becoming wider and more complex. It has now become a board-level concern for most large enterprises. The risk management team needs to continuously establish ways to monitor risks and provide an informed view to management. This requires not only input from technology experts and other functional stakeholders but also cooperation and collaboration between governments, industries and companies to combat risks effectively.
Early this year, the FBI was investigating a potentially massive hack of Anthem, Inc., one of the US's largest health insurance companies. Cyber attackers executed a very sophisticated attack to gain unauthorized access to one of Anthem's IT systems and compromised a database containing 80 million records of personal information on its consumers and the Anthem employees it covered. Or consider the alleged hacking of Sony Pictures Entertainment by North Korea, which led to massive online dumps of information from Sony's systems and caused the studio to briefly cancel plans to release its film "The Interview". eBay was forced to ask users to change their passwords after a major cyberattack potentially exposed the details of its 233 million customers. Retailer Target's CEO, Gregg Steinhafel, stepped down as a result of a data breach that exposed up to 110 million customer records.
It is no longer a question of whether your business will be affected by digital risks but of when and to what extent. Even one breach is enough to cause significant business disruption, lead to a loss of consumer confidence and erode profits. It is not only the scale and size of such risks that is a cause for concern. Even something as small as the theft of a junior executive's laptop containing company data is a cause for worry.
While investment in digital technologies is a sine qua non for organizational survival and growth, the risks associated with digital are many. If not managed well, it is a double-edged sword that can lead to rising costs and risks for an enterprise. Digital risks include the impact of natural disasters on a business's technology and communication infrastructure, identity theft, loss, destruction or theft of information, system failures, privacy breaches, cyber-crime, espionage aimed at stealing intellectual property, cyber security, cyber-warfare, cyber-terrorism and cyber-activism. These threats expose a business to immense risk, including:
- Compromise of customer data: This has a significant bearing on customer engagement and experience. If personal data such as credit card numbers, medical records, birth dates and ID/passport details are compromised, this is not only a serious threat to customers but can also lead to a loss of trust and significant customer churn.
- Loss of intellectual property: Information that is accessed illegally can be used by competitors or extortionists to the detriment of the organization.
- Damage to digital assets, reputational damage, business interruption, resolution of liability issues and legal proceedings, and the need to remediate information systems.
The approach to managing digital risk must start by creating a task force entrusted with the responsibility to identify, assess and manage risks and the associated potential liabilities across all business functions, in line with regulatory norms. Such a team needs to continuously assess the value of information across the enterprise, which in turn helps it prioritize and focus on high-value assets. Enterprises typically underestimate the inherent value of their information assets until a catastrophe occurs.
The skills required for such a role are fairly complex, entailing not only knowledge of data management and data protection but also aspects of governance, systems engineering and architecture, and an understanding of business processes. No one person will have all of these skills, so it is important that the risk team be staffed with people whose complementary skills allow them to collaborate and deliver the job.
One third of large enterprises engaging in digital business models are expected to have a Digital Risk Officer (DRO) or equivalent. DROs will have a unique mix of business acumen and technical knowledge, allowing them to understand the challenges of digital technologies and to assess digital risks and make recommendations for addressing them appropriately. She or he will work across business functions with peers in legal, compliance, marketing, sales and operations. The DRO will influence decision making on digital matters in the context of governance and compliance.
The DRO / Digital Task Force will manage the Digital Risk Program, which will handle all components of digital risk (security, data, governance, compliance, liabilities etc.) and work with cross-functional teams to examine every aspect of the organization. Such a team will collaborate across the organization to assess the value and the liabilities associated with digital risks. By doing this, they not only identify high-risk zones for non-compliance but are also able to focus their efforts on identifying and plugging all the risks associated with those zones before moving on to other processes. They must establish a centralized monitoring and tracking system (across social media, regulatory platforms etc.) to identify risks early. They must also be more involved in overall IT governance, strategy and technology transformation initiatives.
To be successful in this role, the Digital Risk Team must be positioned as a core, strategic function and given a clear mandate with the authority required to examine every aspect of the business. Ideally, such a team should not report to any specific function and must have direct access to executive management so that it can present its findings candidly and quickly put together the plan required to mitigate them.
It is also important to educate all functional stakeholders so that they understand the value and context of digital risk management as well as the areas of risk they need to continuously watch out for.
While investment in digital should be leveraged to drive business growth, businesses should also put effective risk control and compliance management processes in place to successfully deliver on their digital mandate.