Business leaders are feeling positive about their digital risk management capabilities. Perhaps, too good, since the evidence suggests they are vastly underestimating the repercussions of digital incidents.
Three quarters of business leaders (75%) are confident in their ability to deliver on their responsibilities when it comes to identifying and managing digital risks, albeit only a third (35%) express full confidence.
Such levels of assurance represent a remarkable sea-change in attitudes in a relatively short timeframe: our 2019 Global Risk Survey found that just 19% of leaders felt confident that their team had the right combination of skills and talent to effectively manage digital risk.
This new-found confidence extends to their perceptions of their performance, with four in five (79%) believing have achieved the desired value or return on investment (ROI) from their digital transformation activities in the last 12 months.
While nearly half (46%) express concern that the digital dividend, in the form of value creation, is taking longer than expected to materialise, this nevertheless indicates a step change from the state-of-play reported in our 2019 Global Risk Survey.
At that point, just 40% of organisations were adopting digital technology at scale. The impetus to accelerate digital transformation generated by the pandemic is a contributory factor to this.
However, benchmarking against consumer perspectives suggests that this confidence around digital risk may verge on hubristic at times.
Consumers are far from passive when it comes to their reaction and response to being exposed to digital incidents. Instead, they would proactively seek restitution and redress. More than two in five (43%) would stop engaging with an organisation or switch suppliers while a third (33%) would report an organisation to the regulator.
Worryingly, just 15% of business leaders have identified and acknowledged the risk of customers abandoning them as the result of digital incidents.
This failure to anticipate or mitigate digital risks has clear implications for the functioning of the organisation, given the potential to create adverse impacts on customer experience, society, operational efficiency, profitability, and public reputation.
Since digital risk first emerged as a separate category in the corporate risk register, no definitive best-practice model for managing, monitoring, and mitigating it has prevailed.
Patterns of ownership of digital risk remain hugely varied and idiosyncratic from organisation to organisation. This reflects the unique characteristics of each individual organisation’s digital transformation journey and adoption strategies, as well as their cultures and legacy structures.
Our survey confirmed this disparity by revealing a striking lack of consensus. While 19% of organisations saw the chief technology officer (CTO) as being responsible for digital risk, 17% felt that ultimate ownership resided with the chief digital officer (CDO). Meanwhile, 16% believed that the chief security officer (CISO), should lead compared with 15% who saw it as the remit of the chief information officer (CIO). Positively, only 1% of respondents were unsure about who owns digital risk, which is a significant change from the 12% giving the same answer in our 2019 survey.
In a sense, all views are correct. With digital now integral, rather than peripheral, to all aspects of a business, risk management models are adapting. Ideally risk controls associated with digitisation should be automated, embedded in the organisation and be fully aligned to business goals.
However, when asked how mature their organisations were across a spectrum of core digital risk capabilities, more than a third of business leaders (34%-39% depending on capability) acknowledged that they were either not mature, still scoping, or had simply not considered the risks.
Arguably, the greatest obstacle to successful digital risk management is failure to recognise that digital is not just the technology – it’s also the people, the processes and the interaction points that facilitate it. Yet, perhaps counter-intuitively, less than 5% of organisations currently place ownership of digital risk with the risk team.
Forward-thinking organisations are recognising the need to accelerate the introduction of controls so that they do not lag too far behind, and impede, digitally enabled operational innovations. They take an agile approach, hiring and embedding a new generation of risk managers who more intrinsically understand the digital landscape and the opportunities it presents.
The difficulty for risk and compliance teams is that digital means they can’t provide confidence or assurance in the way they traditionally did. Things are more joined up now and happen at extreme pace and scale. Rather than sitting on the outside looking into the business risk and control need to be seamless and embed people into transformation teams to enable an agile approach to governance.
Digital Risk Lead Partner
Digitisation will continue to be interwoven into the fabric of business until it is seamless and indivisible. Those organisations that manage the process effectively and quickly will emerge as winners.
Best practice in risk and control will evolve from viewing digital risk as a new, separate and discreet risk category to taking a systemic, enterprise-wide approach to managing all risks associated with digitisation.
Establishing a business structure and culture which ensures digital risks are both managed and controlled is key.
We work hand-in-hand to get to know teams across the business and understand every organisations unique ecosystem. By helping to establish the right roles and responsibilities to align with digital strategy we can develop an integrated holistic and agile digital risk strategy that builds confidence and value through digitisation.
See the unseen
Visit report hub