Digital transformation: Risk Management and Governance · 2019-04-09
© Deloitte LLP and affiliated entities.
“When digital transformation is done right, it's like a caterpillar turning into a
butterfly, but when done wrong, all you have is a really fast caterpillar.”
George Westerman | Principal Research Scientist with the MIT Sloan Initiative on the Digital Economy
“Most of the executives I talk to are still very much focused on digital largely as a way
to do “more of the same,” just more efficiently, quickly, cost effectively. But I don’t see
a lot of evidence of fundamentally stepping back and rethinking, at a basic level,
“What business are we really in?”
John Hagel III | Co-Chairman at Deloitte LLP Center for the Edge leaders
CCITAGS Session by Baskaran Rajamani April 2019
Copyright © 2019 Deloitte Development LLC. All rights reserved
A bot populates hundreds of rows of business data into the data lake
2:00 AM
The NLG tool pulls from the data lake, identifies trends, and creates narratives in a daily management dashboard
4:00 AM
Two department heads disagree on who owns automation support
The CEO worries they have become reliant on automation without fully understanding the risks
Dev teams within multiple Business Units work to develop bots, some in critical or regulated areas
6:30 AM
10:00 AM
An Ops Manager schedules the deployment of several bots
2:45 PM
3:30 PM
The COO opens up the management dashboard and follows up with a call
The Finance department begins planning a major reorg due to automation based time savings
5:30 PM
11:15 PM
12:30 AM
Dozens of bots start working
Throughout the day, digital provides opportunities and creates risk – here is an Automation example
How many different types of risk do you see?
assessment of how the business risks are controlled in a new automated environment
What is driving digital adoption?
Digital Transformation Drivers:
[Fig 1: Effort / Transaction Cost, Pre-Digital vs. Post-Digital]
[Fig 2: Efficiency / Speed / Revenue, Pre-Digital vs. Post-Digital]
Lower Cost and/or Higher Revenue
Lower Effort
Higher Reliability
Improving Customer Experience
Security & Privacy
Process Improvement
Higher Repeatability
4 Billion active AI-powered devices in 2018 (including smartphones)
Proliferation of Digital – Significant opportunity for the enterprise
Global Internet users at 3.6 Billion - More than 50% of human population is now online
An adult user spends an average of 5.9 hours daily with digital media
95% Accuracy of Google machine learning - at threshold for human accuracy
Source: Deloitte, Mary Meeker, Kleiner Perkins Caufield & Byers (KPCB), 2018 and IDC Canada,
72% Canadians use Digital banking (Online and Mobile channels)
Canadian companies spent USD $16 Billion in 2018 to boost digital capabilities. This spend is likely to increase to USD 24 Billion by 2021.
Session Objectives
1. Understand Digital Transformation
2. Understand Digital Transformation: Risks
3. Risk intelligent Digital Transformation
It is important to develop a common vocabulary for digital transformation at the start.
What is Digital Transformation?
Digital transformation is the process of exploiting digital technologies and supporting capabilities to create a robust new digital business model. With the proliferation of cloud services, smartphones and analytics, and the advent of technologies like AI, RPA and Blockchain, organizations are exploring radically different operating models to deliver enhanced value.
Recalibrated cost structures
Reduce overhead with digitization
Enhance talent capabilities
• Make processes paperless.
• Facilitate cloud transition
• Automate reporting
• Simplify processes
• On-demand talent
• Skill-based hiring
• Increased flexibility
• Global talent pool
• Move processes online.
• Engage talent on new platforms
Understanding the drivers is a key input for risk management
Three key enablers driving business need for digital transformation
Reshaped corporate strategies
Invest in a new asset mix
Streamline supply chains
• Replace legacy systems
• Enhance mobility, automation, and data analytics capabilities
• Leverage ‘Internet of things’.
• Use ‘real-time monitoring’ & analytics
• Increase self-service options.
• Integrate B2B systems
• Leverage 3-D printing & Drones
Expanded revenue streams
Access adjacent customer segments
Grow new business opportunities
• Personalized offerings
• Leverage social media
• Exploit digital eco-system to create new capabilities.
• Trying small bets, then scaling up successful investments.
Three Enablers of digital transformation
Each new technology brings new risks that have specific mitigation requirements.
Different Technologies enable the Digital playing field
Agile Practices
Natural Language Generation (NLG)
Natural Language Processing (NLG / NLP)
Machine Learning (ML)
Cloud Computing
Digital Playing Field
Robotic Process Automation (RPA)
Data Analytics and Visualization
Artificial Intelligence
Digital Identity
APIs
Micro services
Blockchain
Edge Computing
Platform as a service
Additive Manufacturing
Digital transformation has a ripple effect on all 3 lines of defense
Digital Transformation Risk Governance
Perspectives of 3 LOD on DT
Business (First line) wants to:
a) Roll out products & services to drive better customer experience & expand sales channels
b) Hence business needs to understand the net new risks and manage them
Audit & Assurance groups (Third Line) want to:
a) Become familiar with risks, governance model and impact on audit’s role
b) Determine the best role IA can play and how to provide assurance to stakeholders
c) Embrace ‘digital transformation’ to enhance audit’s own efficiency, effectiveness and agility
Risk & Control groups (Second Line) want to:
a) Become familiar with risks and governance impact
b) Evolve their current operating model to address Digital
c) Embrace ‘digital transformation’ to enhance their own efficiency, effectiveness and agility
Session Objectives
1. Understand Digital Transformation
2. Understand Digital Transformation: Risks
3. Risk intelligent Digital Transformation
Risk functions will need to evolve (learn, be agile, be innovative…)
Digital transformation is driving unique new risks – it is real!
Key is to consider all options and develop a strategy for Digital Transformation…
Not responding to digital transformation is not an option…
Cybercrime: Does your company understand the threats to your digital assets? Are you protected?
Privacy and trust: Will your customers still trust you by the time you’re done?
Compliance: Will your new strategy/initiative break the law?
Strategic Risk: Will you disrupt or be disrupted?
Execution Risk: You’ve decided to act, will you realize benefits?
Culture readiness risk: Does your company have the business capability to act decisively and fast?
Increased pressure to act
Governance of risks from digital transformation needs significant thought.
Digital transformation is not just about enabling emerging technology
Start risk management of the digital transformation journey with small steps, by asking the right questions.
Do you know which technologies will drive the greatest benefit for your organization?
What are the significant barriers in your organization to adopting these technologies?
Do you think your current governance structure is ready to support the roll out of this technology?
Does your risk appetite provide any guidance on the uptake of digital transformation?
Are your risk appetite statements well defined for uptake of digital transformation?
How evolved and prepared is your risk management function to support your organization in undertaking digital transformation?
Traditional risk management is too manual, too expensive, and gives a false sense of control
Why traditional risk management is no longer sufficient?
• Due to the restrictive nature of controls, professionals can’t perform all activities they need
• Compliance-driven risk management programs can slow down innovation or impede the free flow of information
• Does not leverage the power of data
• Business relies on the system while professionals find non-compliant workarounds
• Business does not feel responsible to be in control
• Sample-based testing does not suffice on large transaction streams
• Many businesses are over testing. A significant amount of time is spent by 2nd line of defense (LOD) FTEs on controls testing
• Audit spends extensive time on auditing and investigating control breaches, often months after the fact
• This will levy increase in the future due to upcoming litigation and regulatory compliance
kills performance… is too expensive… Gives a false sense of control...
e.g. Australian gov. research
e.g. Duplication of control testing
e.g. Sample or Population testing
The risk and control landscape for digital transformation is highly complex
The universe of risks introduced by digital transformation is massive and complex
There are ways to identify relevant risks, like exploring relationships between risk and digital
Digital Transformation and Risk Management
The number of controls required increases exponentially with adoption of disruptive digital technologies like cloud automation and RPA
[Figure: Number of Controls (Traditional vs. Emerging) against increased adoption of disruptive technologies]
Factors driving control design for digital transformation (illustrative)…
• Choice of technology
• Choice of tool / in-built support for controls
• Process design
• Likely frequency of control execution
• Risk appetite
• Complexity of transaction
• Data handling / Exposure
• Cyber exposure
• Regulatory requirements
• Management reporting requirements
Traditional Risk Ownership Model – Example risks
Business unit heads
• Risk Appetite
• Revenue leakage
• Program risk
• Churn risk
• Brand risk
• Financial crime
CIO
• Data risks
• Information leakage
• Cyber crime
• Insider fraud
• IT availability
CRO
• Regulator engagement
• Risk management operating model
• Risk appetite
• Risk reporting
• Policy development
• Independent Challenge
COO
• Supply chain optimization
• Customer satisfaction
• Pricing risk
• Increased churn risk
• Employee remuneration
CFO
• Integrity of financial reporting
• Business performance
• Revenue assurance
• Business case realization
CEO
• Risk Appetite
• Regulatory change
• Revenue loss/fines
• Brand and reputation risk
• Market share
As business becomes digital, ownership of digital and technology risk shifts from CIO to respective business owners, Chief Digital Officer and rolls up to the CEO.
With digital transformation, ownership of digital and tech risk changes
Evolving Risk Ownership Model – Example risks
CEO
• Revenue
• Reputation Risk
• Disruption Risk
• Cyber Risks
• Digital transformation execution risks
• Market share
Business Unit Heads
• Risk Appetite
• Program risk
• Churn Risk
• Brand risk
• Financial crime
• Cyber risk
• Data risks
CIO
• Execution risks
• IT performance
• IT readiness
• Crises mgmt. / Recovery
• IT availability
• Sourcing / Supplier Management
C.Digital.O (projects)
• Execution risks
• Digital risks
• Cyber risks
• Regulatory risks
• Reputation risks
• Strategic risks
Illustrative – not exhaustive
Traditional risks evolve with new triggers for digital transformation
Reputation Risks
Change Risks
Auditability Risks
Compliance Risks
Security & Privacy
Inconsistency across technology platforms
Unapproved use of third party technology platforms
Overall increase in complexity with exposure to multiple 4th and 5th party code and technology
New business models and workflows
Change to Agile methods
Pace of change exceeds capacity.
Disruption of existing cash flow.
Talent gaps to manage digital assets
Integrity of record keeping
Integrity of transaction processing
Integrity of digital business processes.
Maintaining the auditability of data within digital frameworks and extended enterprise.
Ensuring compliance during rapid change.
Redundancy of experts post automation
Evolving testing paradigms to keep pace with rapid change.
More access points and devices holding data
Aggregation of sensitive data.
More data in easily accessible form.
Increased sophistication of cyber threats.
Higher volume and multi-point customer data collection
Illustrative net new risks introduced from RPA
New risks are introduced by Digital Transformation
Automation Risks
• Governance for new technology assets (Bot IDs, Bot machines, Automated Processes)
• Change management complexity due to new systems, automated-process, undocumented configuration items (e.g. document folder structures) with complex interrelationships
• Complexity in cases where target systems do not have equivalent non-production environments
• Overloading of source applications due to higher transaction speeds because of automation
Organizational Risks
• Automation of manual processes, leading to redundancy of in-house experts
• Re-allocation of roles and responsibilities between IT and business causing interim risks
• Inadequate communication leading to fear of job loss and poor employee morale
• Unauthorized use of IA (like Shadow IT) exposing the Bank to unintended risks
Operational Risks
• With increased transaction processing speeds, processing errors undetected during testing can proliferate fast causing losses or reputation risk; apps may not respond to bot speeds
• Accumulation of privileges (especially when same bot has multiple roles to manage licenses) can increase the complexity to manage and vulnerability when hacked
• Complexity in disaster recovery and business continuity as more processes are automated.
• Controls designed for people might not translate effectively for automation / bots
• Automation of poorly designed process could lead to complex unforeseen issues.
Illustrative net new risks from Artificial Intelligence
New risks are introduced by Digital Transformation
Operational Risks
• Human involvement may be able to identify issues that are not apparent to the bot
• Automation of a bad process may delay or override the much needed addressing of underlying root causes and redesigning poor processes or upgrading systems
• Accumulation of privileges (especially when same bot has multiple roles to manage licenses) can increase the complexity to manage and vulnerability when hacked
• Complexity in disaster recovery and business continuity as more processes are centrally automated.
• With increased transaction processing speeds, processing errors undetected during testing can proliferate fast causing losses or reputation risk
Technology & Cyber Risks
• Self-learning AI, or AI that includes a feedback loop, often involves changes being made directly into the production environment
• The volume of data processes increases the threat of targeting through Cyber crime
• Disparate coding standards for developing algorithms can lead to long-term support issues
Model Risk
• Algorithms developed and trained on data sets that deliberately or inadvertently create bias or ethical issues.
• Algorithms generate inaccurate results or are used beyond intended parameters leading to incorrect business decisions
• Feedback into AI models is poorly controlled leading to inaccuracies in the model and output
Session Objectives
1. Understand Digital Transformation
2. Understand Digital Transformation Risks
3. Risk intelligent Digital Transformation
Focus on three themes
Deloitte approach to leveraging Digital transformation for Risk Management
1. Managing Risk in a Digital Organization
• New technologies with additional risks are emerging,
• Businesses are developing new ways of working and new digital functions,
• Operations that were once local are now global,
• Supply chains are complex and data-driven,
• Bad news travels fast through the internet and social media.
2. Digitising Risk Management
• New opportunities to embrace data, tooling and automation technologies
• Reduced costs
• Simplified controls.
• More proactive and efficient controls.
• Lower need for manual intervention
• Lower subjectivity
3. Managing the Digital Transformation Journey
• Change management.
• Evolution of new business models
• Evolution of new talent models
• Evolution of new practices
• Evolution of new risk and control function
• Evolution of new audit and regulatory mechanisms
These pillars allow a consistent approach to risk management across disruptive technologies
Three Pillars for managing Digital Risk
Governance
The structure, committees, and roles & responsibilities for managing Artificial Intelligence
Digital transformation Lifecycle
The risks involved in Digital transformation, testing and deployment
Business Process
The impact to processes and controls before and after the Digital Transformation
Key questions to the CRO, CEO and CFO
Board and senior management need to be engaged
CRO
• Do your senior stakeholders have an enterprise view of compliance issues related to digital transformation?
• Is there clarity of ownership and accountability for new risks caused by digital transformation initiatives?
• Is there a streamlined process for control and monitoring of risks and compliance? What are the known issues?
CEO
• Which digital activities, processes and functions pose the most risk exposure to your enterprise and potentially your brand, reputation and/or status?
• What is the risk appetite for the enterprise?
CFO
• Do you know and understand the cost of digital threats to your organization? Can this amount be measured?
• Do you have early warning indicators about potential irregularities occurring and effective mitigation strategies?
Risk practitioners need to create a culture of innovation.
Talent Key To Success of Digital Risk Programs
An Agile (Test and Learn) Mindset
Focus on emerging areas
Scale talent availability on demand
Collaborate with new partners
Leverage new operating models
• Focus on Communication and Collaboration
• Prioritize risk management over documentation
• Constantly re-assess and pivot when necessary
• Develop multi-skilled risk management teams
• Bring fresh talent with range of experiences outside risk management
• Leverage on-demand talent models for “special skills”
• Leverage existing skills where necessary
• Anticipate and provide training for new skills
• Collaborate internally / externally with new partners
• Collaborate with start-ups in emerging areas like Reg-tech and Fin-tech
• Explore ideas from more advanced and developing markets
• Leverage community models where possible
• Explore co-sourced delivery to scale capabilities.
Unlearn old skills and learn new skills
Focus on small quick wins, plan ahead, assign accountability, track success…
Lessons from Deloitte experience from early adopters
Behaviors of the laggards
× Take incremental approach based on software functionality
× Approach digital in functional silos
× View automation as a software installation vs. a business change
× Neglect to consider the new types of data, compliance, and security risks
× Lack a plan to capture value or processes with fragmented population of FTEs
× Look for one vendor to provide all capabilities
Behaviors of the leaders
Think big, start small, scale quickly: Plan for future through phased, scalable implementation
Instill shared accountability: Ensures partnership between business / compliance / audit and IT from start of the journey
Focus on the operating model: Incorporate governance, talent, and change management into program to stand-up
Plan ahead for new types of risk: Define a security architecture with controls upfront and work with compliance to establish protocols
Value capture as a part of the program: Ensure that value-oriented processes are selected and the metrics and plan for value capture are designed upfront
Build the complete suite: Combine automation with other cognitive solutions (i.e., NLP, optical character recognition) to get full value
Thank You
Q & A
Baskaran Rajamani, Partner, [email protected], (416) 434 5203