Securing the Digital World

Risk Profiling Your Digital Initiative

May 01, 2019 | by Steve Schlarman

Operating Digital

In my first blog in this series, I introduced SR Bank to illustrate an organization using digital initiatives to evolve business operations, compete, and capture opportunities in the market. As SR Bank utilizes technologies such as data analytics, mobile products and services, and social media to drive growth, its internal business operations become more and more digitized. Its customer-centric projects improve customer interactions. Data from these interactions helps drive data analytics. The data then reveals opportunities to improve internal processes, enabling SR Bank to cut costs. As each of these projects transforms the business, new operating models emerge, and with them new risks.

Prior to this current blog series, I presented RSA's definition of Digital Risk as the 'unwanted and often unexpected outcomes that stem from digital transformation, digital business processes and the adoption of related technologies.' Additionally, I outlined RSA's key domains of digital risk:

  • Cyber/Security: risk of cyber attacks
  • Process Automation: risks related to changes in processes from automation
  • Resiliency: risk to availability of business operations
  • Third-Party Risk: inherited risk related to external parties
  • Cloud: risks due to the change in architecture, implementation, deployment, and/or management of new digital business operations
  • Workforce/Talent: risks related to the dynamic nature of today's workforce
  • Data Privacy: risks related to personal information
  • Compliance: risks related to existing and emerging compliance requirements driven by new technology

An interesting angle by which to think of digital risk is to look at the intersection of these domains and the various operating models organizations adopt as part of digital transformation. The World Economic Forum (WEF) identifies five Digital Operating Models to portray the various modes that digital initiatives take within organizations. These models are based on common characteristics and provide a backdrop upon which to highlight potential risks created by digital initiatives. It is of note that these models don't necessarily operate independently but may be in different stages or overlap across initiatives.

Risk Profiles of Digital Operating Models

Customer-centric projects may not only bring in the most topline growth but also create a significant amount of risk. These projects carry potentially elevated levels of strategic and reputational risk, given their high expectations and customer-facing objectives. The major risk domains affected by customer-centric projects center around the fact that customer-facing initiatives generally result in the collection and processing of personal data. Therefore, Cybersecurity, Compliance, and Data Governance & Privacy risks are elevated. Additionally, given customers' expectations of highly available systems and the financial repercussions of business disruptions related to customer-facing systems, Resiliency is an area of risk management that must be prioritized as well.

Cost cutting and internal optimization efforts (referred to by the WEF as 'Xtra Frugal') are where many organizations begin their digital transformation journey. Given the wide variety of these projects, the risk profile will fluctuate based on the nature of the initiatives. Process Automation risk is a key element, since many of these projects look to transition existing processes to more digitally enabled operations. For example, complications resulting from implementing Robotic Process Automation to eliminate manual tasks in a service center must be managed to ensure proper models and procedures are utilized. Additionally, since many of these projects impact the employee base, Workforce-related risks range from managing employee role changes to maintaining skill sets and dealing with attrition.

Digital initiatives powered by data focus on using data in new and innovative ways to unlock value, typically for 'back office' purposes. Creating massive data lakes and layering on complex analytics to find interesting ways to optimize business processes skews the risk profile predictably towards data-related risks. Data Governance & Privacy risks depend on the nature of the data, e.g. Personally Identifiable Information (PII) vs. Intellectual Property (IP). Cybersecurity is also a key part of managing risk around data-powered initiatives.

The WEF uses the term 'Skynet', affectionately named after the AI-driven technology in Warner Bros. Studio's Terminator franchise, to describe the 'rise of the machines' and digital initiatives targeting heavy automation. Most commonly, this type of project is found in manufacturing and logistics companies branching out from traditional robotics into other areas such as autonomous vehicles and augmented reality. The risk profile of these initiatives slants toward Process Automation and Resiliency as automation plays a more integral part in the production lifecycle. Cybersecurity, an ever-present risk, is elevated in cases where traditionally segmented infrastructures, such as Operational Technology and IT systems, become connected.

Labeled by the WEF as 'Open and Liquid', the last operating model emphasizes an ecosystem of partners and relationships to further digital strategies. One characteristic called out by the WEF is the 'shared customer', where different entities enrich the customer experience by working together. Managing third-party risk and cybersecurity are obviously key objectives to mitigate negative outcomes of these relationships, given the connectivity between your business and these outside parties. Depending on the nature of the ecosystem, resiliency may be a factor, especially in terms of supply-chain automation; Data Governance & Privacy becomes an additional element for data-oriented relationships.

Digital initiatives can take many different forms, and viewing them through the lens of the operating model provides insight into which risks may bubble to the top. Understanding the implications of the alterations to the business model will help identify potential obstacles and allow risk management practices to evolve with the business.

Come back next week for the final blog to learn how an integrated approach to digital risk management can optimize and transform your practices.
