Businesses are rapidly becoming more digitally dependent.
Measures introduced in response to COVID-19 have forced many to change the
rules by which they interact and engage with both customers and employees. This
has caused an increased reliance on digital technologies, collaboration tools
and distribution channels, and new ways of working with a largely remote

This brings with it new risks, and changes how existing
risks manifest. Getting it wrong can quickly create the next social media storm
or front-page news story—reputational damage can threaten the very existence of

The pandemic has been a catalyst for many organizations to
embrace digital transformation for the first time. For others, it has
reinforced how important digital transformation is to their organization’s
long-term success and survival. In either case, this will likely cause an
irreversible shift toward increased digitalization across many industries.

As organizations look toward the post-pandemic future, there
is also a rare opportunity for introspection. Did the company make pandemic
response decisions that it may regret? How can it best monitor its new, more
digital control environment?

Avoiding Control Debt

The overnight shift has required many businesses to make
tough decisions, usually very quickly and with limited information. For
example, many found themselves having to procure, secure and distribute IT
resources to their entire workforce so they could work remotely for the first
time, while simultaneously navigating IT security and software licensing

While there were good intentions behind these decisions,
they often required existing control processes to be temporarily relaxed,
changed or disregarded without fully appreciating the potential risk. Much like
reckless spending can result in financial debt, rapid changes made in the heat
of the moment can lead to accumulation of “technical control debt.” This
exposes the organization to an unknown level of risk, including potential
regulatory compliance and corporate governance gaps.

Although the circumstances under which these decisions were
made may have been uncomfortable for many risk professionals, the commercial
and reputational impact of inaction made it critical to act.

For example, a U.K. energy company transitioned its call
center staff to remote working for the first time to continue managing customer
queries while adhering to social distancing measures. If it had not acted, the
company would have been unable to meet customer service expectations.
Particularly during a time of increased financial uncertainty, potentially
losing customers and incurring reputational damage are serious risks. However,
the abrupt move also increased the risk that confidential customer information
could be leaked due to the inability to enforce data security prevention
controls in a non-office environment, such as restricting the use of mobile

Transitioning to Recovery

As organizations continue to transition out of the initial
response phase, they need to understand the residual risk exposure from the
high volume of rapid early changes.

Given the ease and speed with which consumers can directly
react and engage with companies via social media, there is huge potential for a
digital risk to materialize quickly and become a significant reputation threat.
Failing to have an all-encompassing and ever-evolving understanding of current
digital risks leaves an organization vulnerable. To address this, organizations
- Identify all changes to the control environment
during the response phase. If a record of changes and decisions was not made at
the time, this may require significant effort.
- Assess the impact of changes on risk exposure,
including identifying new risks from increased reliance on new digital
technologies, distribution channels and ways of working.
- Based on an impact assessment, reverse any
changes made to the control environment causing increased risk that exceeds
risk appetite or has compliance implications. This is particularly important
where there are no obvious mitigating controls that can be applied.
- Based on the impact assessment, consider whether
there is opportunity to permanently relax or remove controls, such as in cases
where changes have not resulted in increased risk. This includes consideration
of further opportunities to rationalize the control environment, such as by
consolidating duplicative controls or automating control activities.
- Design and implement control monitoring to gauge
the ongoing impact of changes and detect increased risk exposure before issues
occur. There is often a delay between decisions and impact—fraud can take weeks
to manifest and themes in customer complaints take time to emerge.

Some of the lessons learned during the pandemic can be
embedded into everyday processes to permanently increase the speed and
effectiveness of decision-making. Many risk departments have demonstrated their
true value to the business by working more closely with delivery teams during
the pandemic to quickly launch new products and channels into the market while
remaining in control. This has allowed them to prove they are vital to the
success and safety of the business, rather than simply a compliance or
“tick-box” function that hinders and delays speed to market.

Turning Digital Risk into Digital Advantage

Three new truths have emerged in response to accelerated
changes driven by COVID-19: 1) an increasing proportion of customers are now
willing to regularly interact with digital channels; 2) those digital aspects
that were difficult to navigate before COVID-19 are now easier, as businesses
rethink their operations and the market in which they operate; and 3)
organizations are developing completely new approaches to meet the need to do

Essentially, businesses will be expected to deliver an increased
number of digitalized services through new distribution channels. To do so,
businesses will need to maintain increased speed to market.

One way to achieve this is to digitalize risk management
activities. An example is the use of predictive data analytics to monitor
controls in near real time and respond to threats proactively. It is important
to ensure risk and delivery teams remain closely aligned and work together to
build a continuous improvement process that replots the balance between speed and
control, rather than allowing friction and delays to reemerge.

Supporting the Business

Since the start of the pandemic, risk professionals have
played a vital role in helping their organization navigate key challenges.
Going forward, they will continue helping organizations maintain control of

New ways of working will need to be established, with risk
and product teams integrating more closely. To better understand the
complexities and nuances of managing risk in a digital business, risk teams
must address their digital knowledge gaps. Getting this right will take time,
so risk professionals should approach it as a continuous and iterative
improvement process, rather than a one-time activity. They should be prepared
to adopt the same agile mindset that is often seen in other parts of the
business, like IT.

Practical steps that risk professionals can take to help
manage risk in a digital organization include:
- Understand the new risk landscape.
Develop a digital risk framework to help identify and manage digital risks, and
prioritize areas for review based on inherent risk. It is also important to
understand the organization’s future transformation agenda, including its risk
appetite for digital services.
- Identify skills and knowledge gaps. Develop
a skills and knowledge matrix for digital services (across digital
technologies, distribution channels and ways of working) and use it to identify
and remediate gaps through training or new hires.
- Define new ways of working. Experiment
with new ways of working, both within risk teams and through interactions with
key stakeholders in other parts of the business. Break down key tasks into
focused “sprint” exercises. Keep track of lessons learned throughout each
sprint to regularly reflect on what did or did not work well. Help build a
continuous improvement process by sharing feedback and best practices among