Businesses are rapidly becoming more digitally dependent. Measures introduced in response to COVID-19 have forced many to change the rules by which they interact and engage with both customers and employees. This has caused an increased reliance on digital technologies, collaboration tools and distribution channels, and new ways of working with a largely remote workforce.
This brings with it new risks, and changes how existing risks manifest. Getting it wrong can quickly create the next social media storm or front-page news story—reputational damage can threaten the very existence of a business.
The pandemic has been a catalyst for many organizations to embrace digital transformation for the first time. For others, it has reinforced how important digital transformation is to their organization’s long-term success and survival. In either case, this will likely cause an irreversible shift toward increased digitalization across many industries.
As organizations look toward the post-pandemic future, there is also a rare opportunity for introspection. Did the company make pandemic response decisions that it may regret? How can it best monitor its new, more digital control environment?
Avoiding Control Debt
The overnight shift has required many businesses to make tough decisions, usually very quickly and with limited information. For example, many found themselves having to procure, secure and distribute IT resources to their entire workforce so they could work remotely for the first time, while simultaneously navigating IT security and software licensing requirements.
While there were good intentions behind these decisions, they often required existing control processes to be temporarily relaxed, changed or disregarded without fully appreciating the potential risk. Much like reckless spending can result in financial debt, rapid changes made in the heat of the moment can lead to accumulation of “technical control debt.” This exposes the organization to an unknown level of risk, including potential regulatory compliance and corporate governance gaps.
Although the circumstances under which these decisions were made may have been uncomfortable for many risk professionals, the commercial and reputational impact of inaction made it critical to act.
For example, a U.K. energy company transitioned its call center staff to remote working for the first time to continue managing customer queries while adhering to social distancing measures. If it had not acted, the company would have been unable to meet customer service expectations. Particularly during a time of increased financial uncertainty, potentially losing customers and incurring reputational damage are serious risks. However, the abrupt move also increased the risk that confidential customer information could be leaked due to the inability to enforce data security prevention controls, such as restricting the use of mobile phones, in a non-office environment.
Transitioning to Recovery
As organizations continue to transition out of the initial response phase, they need to understand the residual risk exposure from the high volume of rapid early changes.
Given the ease and speed with which consumers can directly react and engage with companies via social media, there is huge potential for a digital risk to materialize quickly and become a significant reputation threat. Failing to have an all-encompassing and ever-evolving understanding of current digital risks leaves an organization vulnerable. To address this, organizations should:
- Identify all changes to the control environment during the response phase. If a record of changes and decisions was not made at the time, this may require significant effort.
- Assess the impact of changes on risk exposure, including identifying new risks from increased reliance on new digital technologies, distribution channels and ways of working.
- Based on the impact assessment, reverse any changes to the control environment that increase risk beyond risk appetite or have compliance implications. This is particularly important where there are no obvious mitigating controls that can be applied.
- Based on the impact assessment, consider whether there is opportunity to permanently relax or remove controls, such as in cases where changes have not resulted in increased risk. This includes consideration of further opportunities to rationalize the control environment, such as by consolidating duplicative controls or automating control activities.
- Design and implement control monitoring to gauge the ongoing impact of changes and detect increased risk exposure before issues occur. There is often a delay between decisions and impact—fraud can take weeks to manifest and themes in customer complaints take time to emerge.
Some of the lessons learned during the pandemic can be embedded into everyday processes to permanently increase the speed and effectiveness of decision-making. Many risk departments have demonstrated their true value to the business by working more closely with delivery teams during the pandemic to quickly launch new products and channels into the market while remaining in control. This has allowed them to prove they are vital to the success and safety of the business, rather than simply a compliance or “tick-box” function that hinders and delays speed to market.
Turning Digital Risk into Digital Advantage
Three new truths have emerged in response to accelerated changes driven by COVID-19: 1) an increasing proportion of customers are now willing to regularly interact with digital channels; 2) those digital aspects that were difficult to navigate before COVID-19 are now easier, as businesses rethink their operations and the market in which they operate; and 3) organizations are developing completely new approaches to meet the need to do things faster.
Essentially, businesses will be expected to deliver an increased number of digitalized services through new distribution channels. To do so, businesses will need to maintain increased speed to market.
One way to achieve this is to digitalize risk management activities. An example is the use of predictive data analytics to monitor controls in near real time and respond to threats proactively. It is important to ensure risk and delivery teams remain closely aligned and work together to build a continuous improvement process that replots the balance between speed and control, rather than allowing friction and delays to reemerge.
Supporting the Business
Since the start of the pandemic, risk professionals have played a vital role in helping their organization navigate key challenges. Going forward, they will continue helping organizations maintain control of digital transformation.
New ways of working will need to be established, with risk and product teams integrating more closely. To better understand the complexities and nuances of managing risk in a digital business, risk teams must address their digital knowledge gaps. Getting this right will take time, so risk professionals should approach it as a continuous and iterative improvement process, rather than a one-time activity. They should be prepared to adopt the same agile mindset that is often seen in other parts of the business, like IT.
Practical steps that risk professionals can take to help manage risk in a digital organization include:
- Understand the new risk landscape. Develop a digital risk framework to help identify and manage digital risks, and prioritize areas for review based on inherent risk. It is also important to understand the organization’s future transformation agenda, including its risk appetite for digital services.
- Identify skills and knowledge gaps. Develop a skills and knowledge matrix for digital services (across digital technologies, distribution channels and ways of working) and use it to identify and remediate gaps through training or new hires.
- Define new ways of working. Experiment with new ways of working, both within risk teams and through interactions with key stakeholders in other parts of the business. Break down key tasks into focused “sprint” exercises. Keep track of lessons learned throughout each sprint to regularly reflect on what did or did not work well. Help build a continuous improvement process by sharing feedback and best practices among teams.