Digital transformation: Risk Management and Governance · 2019-04-09

Digital transformation: Risk Management and Governance Baskaran Rajamani [email protected] April 03, 2019


© Deloitte LLP and affiliated entities.

“When digital transformation is done right, it's like a caterpillar turning into a butterfly, but when done wrong, all you have is a really fast caterpillar.”

George Westerman | Principal Research Scientist with the MIT Sloan Initiative on the Digital Economy

“Most of the executives I talk to are still very much focused on digital largely as a way to do ‘more of the same,’ just more efficiently, quickly, cost effectively. But I don’t see a lot of evidence of fundamentally stepping back and rethinking, at a basic level, ‘What business are we really in?’”

John Hagel III | Co-Chairman at Deloitte LLP Center for the Edge leaders

CCITAGS Session by Baskaran Rajamani April 2019

Copyright © 2019 Deloitte Development LLC. All rights reserved

Throughout the day, digital provides opportunities and creates risk – here is an Automation example

• A bot populates hundreds of rows of business data into the data lake
• The NLG tool pulls from the data lake, identifies trends, and creates narratives in a daily management dashboard
• Two department heads disagree on who owns automation support
• The CEO worries they have become reliant on automation without fully understanding the risks
• Dev teams within multiple Business Units work to develop bots, some in critical or regulated areas
• An Ops Manager schedules the deployment of several bots
• The COO opens up the management dashboard and follows up with a call
• The Finance department begins planning a major reorg due to automation based time savings
• Dozens of bots start working

Timeline markers: 2:00 AM, 4:00 AM, 6:30 AM, 10:00 AM, 2:45 PM, 3:30 PM, 5:30 PM, 11:15 PM, 12:30 AM

How many different types of risk do you see?

assessment of how the business risks are controlled in a new automated environment

What is driving digital adoption?


Digital Transformation Drivers:

Fig 1: Effort / Transaction Cost (Pre-Digital vs. Post-Digital)

Fig 2: Efficiency / Speed / Revenue (Pre-Digital vs. Post-Digital)

Lower Cost and/or Higher Revenue

Lower Effort

Higher Reliability

Improving Customer Experience

Security & Privacy

Process Improvement

Higher Repeatability


Proliferation of Digital – Significant opportunity for the enterprise

• 4 Billion active AI-powered devices in 2018 (including smartphones)
• Global Internet users at 3.6 Billion - more than 50% of the human population is now online
• An adult user spends an average of 5.9 hours daily with digital media
• 95% accuracy of Google machine learning - at threshold for human accuracy
• 72% of Canadians use digital banking (online and mobile channels)
• Canadian companies spent USD $16 Billion in 2018 to boost digital capabilities. This spend is likely to increase to USD 24 Billion by 2021.

Source: Deloitte, Mary Meeker, Kleiner Perkins Caufield & Byers (KPCB), 2018 and IDC Canada

Session Objectives

1. Understand Digital Transformation
2. Understand Digital Transformation: Risks
3. Risk intelligent Digital Transformation

What is Digital Transformation?

It is important to develop a common vocabulary for digital transformation at the start.

Digital transformation is the process of exploiting digital technologies and supporting capabilities to create a robust new digital business model. With the proliferation of cloud services, smartphones, analytics, and the advent of technologies like AI, RPA and Blockchain, organizations are exploring radically different operating models to deliver enhanced value.

Three key enablers driving business need for digital transformation

Understanding the drivers is a key input for risk management

Three Enablers of digital transformation

Recalibrated cost structures

Reduce overhead with digitization

Enhance talent capabilities

• Make processes paperless.
• Facilitate cloud transition
• Automate reporting
• Simplify processes
• On-demand talent
• Skill-based hiring
• Increased flexibility
• Global talent pool
• Move processes online.
• Engage talent on new platforms

Reshaped corporate strategies

Invest in a new asset mix

Streamline supply chains

• Replace legacy systems
• Enhance mobility, automation, and data analytics capabilities
• Leverage ‘Internet of things’.
• Use ‘real-time monitoring’ & analytics
• Increase self-service options.
• Integrate B2B systems
• Leverage 3-D printing & Drones

Expanded revenue streams

Access adjacent customer segments

Grow new business opportunities

• Personalized offerings
• Leverage social media
• Exploit digital eco-system to create new capabilities.
• Trying small bets, then scaling up successful investments.

Different Technologies enable the Digital playing field

Each new technology brings new risks that have specific mitigation requirements.

Digital Playing Field

• Agile Practices
• Natural Language Generation (NLG)
• Natural Language Processing (NLG / NLP)
• Machine Learning (ML)
• Cloud Computing
• Robotic Process Automation (RPA)
• Data Analytics and Visualization
• Artificial Intelligence
• Digital Identity
• APIs
• Micro services
• Blockchain
• Edge Computing
• Platform as a service
• Additive Manufacturing

Digital Transformation Risk Governance

Digital transformation has a ripple effect on all 3 lines of defense

Perspectives of 3 LOD on DT

Business (First line) wants to

a) Roll out products & services to drive better customer experience & expand sales channels

b) Hence business needs to understand the net new risks and manage them

Audit & Assurance groups (Third Line) want to:

a) Become familiar with risks, governance model and impact on audit’s role

b) Determine the best role IA can play and how to provide assurance to stakeholders

c) Embrace ‘digital transformation’ to enhance audit’s own efficiency, effectiveness and agility

Risk & Control groups (Second Line) want to:

a) Become familiar with risks and governance impact

b) Evolve their current operating model to address Digital

c) Embrace ‘digital transformation’ to enhance their own efficiency, effectiveness and agility


Session Objectives

1. Understand Digital Transformation
2. Understand Digital Transformation: Risks
3. Risk intelligent Digital Transformation

Digital transformation is driving unique new risks – it is real!

Risk functions will need to evolve (learn, be agile, be innovative…)

Not responding to digital transformation is not an option…

Key is to consider all options and develop a strategy for Digital Transformation…

Increased pressure to act

• Cybercrime: Does your company understand the threats to your digital assets? Are you protected?
• Privacy and trust: Will your customers still trust you by the time you’re done?
• Compliance: Will your new strategy/initiative break the law?
• Strategic Risk: Will you disrupt or be disrupted?
• Execution Risk: You’ve decided to act, will you realize benefits?
• Culture readiness risk: Does your company have the business capability to act decisively and fast?

Digital transformation is not just about enabling emerging technology

Governance of risks from digital transformation needs significant thought.

Start risk management of the digital transformation journey with small steps, by asking the right questions:

• Do you know which technologies will drive the greatest benefit for your organization?
• What are the significant barriers in your organization to adopting these technologies?
• Do you think your current governance structure is ready to support the roll out of this technology?
• Does your risk appetite provide any guidance on the uptake of digital transformation?
• Are your risk appetite statements well defined for uptake of digital transformation?
• How evolved and prepared is your risk management function to support your organization in undertaking digital transformation?

Why is traditional risk management no longer sufficient?

Traditional risk management is too manual, too expensive, and gives a false sense of control

• Due to the restrictive nature of controls, professionals can’t perform all activities they need

• Compliance-driven risk management programs can slow down innovation or impede the free flow of information

• Does not leverage the power of data

• Business relies on the system while professionals find non-compliant workarounds

• Business does not feel responsible to be in control

• Sample-based testing does not suffice on large transaction streams

• Many businesses are over testing. A significant amount of time is spent by 2nd line of defense (LOD) FTEs on controls testing

• Audit spends extensive time on auditing and investigating control breaches, often months after the fact

• This will levy increase in the future due to upcoming litigation and regulatory compliance

kills performance… is too expensive… Gives a false sense of control...

e.g. Australian gov. research

e.g. Duplication of control testing

e.g. Sample or Population testing


The universe of risks introduced by digital transformation is massive and complex

The risk and control landscape for digital transformation is highly complex

Digital Transformation and Risk Management

There are ways to identify relevant risks, like exploring relationships between risk and digital

The number of controls required increases exponentially with adoption of disruptive digital technologies like cloud automation and RPA

[Chart: Number of Controls against Increased adoption of Disruptive technologies; curves labelled Emerging and Traditional]

Factors driving control design for digital transformation (illustrative)…

• Choice of technology
• Choice of tool / in-built support for controls
• Process design
• Likely frequency of control execution
• Risk appetite
• Complexity of transaction
• Data handling / Exposure
• Cyber exposure
• Regulatory requirements
• Management reporting requirements

With digital transformation, ownership of digital and tech risk changes

As business becomes digital, ownership of digital and technology risk shifts from CIO to respective business owners, Chief Digital Officer and rolls up to the CEO.

Illustrative – not exhaustive

Traditional Risk Ownership Model – Example risks

Business unit heads
• Risk Appetite
• Revenue leakage.
• Program risk.
• Churn risk.
• Brand risk.
• Financial crime

CIO
• Data risks.
• Information leakage.
• Cyber crime.
• Insider fraud.
• IT availability.

CRO
• Regulator engagement.
• Risk management operating model.
• Risk appetite
• Risk reporting
• Policy development
• Independent Challenge

COO
• Supply chain optimization.
• Customer satisfaction.
• Pricing risk.
• Increased churn risk.
• Employee remuneration.

CFO
• Integrity of financial reporting.
• Business performance.
• Revenue assurance.
• Business case realization.

CEO
• Risk Appetite
• Regulatory change.
• Revenue loss/fines.
• Brand and reputation risk.
• Market share.

Evolving Risk Ownership Model – Example risks

CEO
• Revenue
• Reputation Risk
• Disruption Risk
• Cyber Risks
• Digital transformation execution risks
• Market share

Business Unit Heads
• Risk Appetite
• Program risk
• Churn Risk
• Brand risk
• Financial crime
• Cyber risk
• Data risks

CIO
• Execution risks
• IT performance
• IT readiness
• Crises mgmt. / Recovery
• IT availability
• Sourcing / Supplier Management

C.Digital.O (projects)
• Execution risks
• Digital risks
• Cyber risks
• Regulatory risks
• Reputation risks
• Strategic risks

Traditional risks evolve with new triggers for digital transformation

Reputation Risks

Change Risks

Auditability Risks

Compliance Risks

Security & Privacy

Inconsistency across technology platforms

Unapproved use of third party technology platforms

Overall increase in complexity with exposure to multiple 4th and 5th party code and technology

New business models and workflows

Change to Agile methods

Pace of change exceeds capacity.

Disruption of existing cash flow.

Talent gaps to manage digital assets

Integrity of record keeping

Integrity of transaction processing

Integrity of digital business processes.

Maintaining the auditability of data within digital frameworks and extended enterprise.

Ensuring compliance during rapid change.

Redundancy of experts post automation

Evolving testing paradigms to keep pace with rapid change.

More access points and devices holding data

Aggregation of sensitive data.

More data in easily accessible form.

Increased sophistication of cyber threats.

Higher volume and multi-point customer data collection


New risks are introduced by Digital Transformation

Illustrative net new risks introduced from RPA

Automation Risks

• Governance for new technology assets (Bot IDs, Bot machines, Automated Processes)
• Change management complexity due to new systems, automated-process, undocumented configuration items (e.g. document folder structures) with complex interrelationships
• Complexity in cases where target systems do not have equivalent non-production environments
• Overloading of source applications due to higher transaction speeds because of automation

Organizational Risks

• Automation of manual processes, leading to redundancy of in-house experts
• Re-allocation of roles and responsibilities between IT and business causing interim risks
• Inadequate communication leading to fear of job loss and poor employee morale
• Unauthorized use of IA (like Shadow IT) exposing the Bank to unintended risks

Operational Risks

• With increased transaction processing speeds, processing errors undetected during testing can proliferate fast causing losses or reputation risk; apps may not respond to bot speeds
• Accumulation of privileges (especially when same bot has multiple roles to manage licenses) can increase the complexity to manage and vulnerability when hacked
• Complexity in disaster recovery and business continuity as more processes are automated.
• Controls designed for people might not translate effectively for automation / bots
• Automation of poorly designed process could lead to complex unforeseen issues.

New risks are introduced by Digital Transformation

Illustrative net new risks from Artificial Intelligence

Risk categories shown on the slide: Model Risk; Technology & Cyber Risks; Operational Risks

• Human involvement may be able to identify issues that are not apparent to the bot
• Automation of a bad process may delay or override the much needed addressing of underlying root causes and redesigning poor processes or upgrading systems
• Accumulation of privileges (especially when same bot has multiple roles to manage licenses) can increase the complexity to manage and vulnerability when hacked
• Complexity in disaster recovery and business continuity as more processes are centrally automated.
• With increased transaction processing speeds, processing errors undetected during testing can proliferate fast causing losses or reputation risk
• Self-learning AI, or AI that includes a feedback loop, often involves changes being made directly into the production environment
• The volume of data processes increases the threat of targeting through Cyber crime
• Disparate coding standards for developing algorithms can lead to long-term support issues
• Algorithms developed and trained on data sets that deliberately or inadvertently create bias or ethical issues.
• Algorithms generate inaccurate results or are used beyond intended parameters leading to incorrect business decisions
• Feedback into AI models is poorly controlled leading to inaccuracies in the model and output

Session Objectives

1. Understand Digital Transformation
2. Understand Digital Transformation Risks
3. Risk intelligent Digital Transformation

Deloitte approach to leveraging Digital transformation for Risk Management

Focus on three themes

1. Managing Risk in a Digital Organization

• New technologies with additional risks are emerging,
• Businesses are developing new ways of working and new digital functions,
• Operations that were once local are now global,
• Supply chains are complex and data-driven,
• Bad news travels fast through the internet and social media.

2. Digitising Risk Management

• New opportunities to embrace data, tooling and automation technologies
• Reduced costs
• Simplified controls.
• More proactive and efficient controls.
• Lower need for manual intervention
• Lower subjectivity

3. Managing the Digital Transformation Journey

• Change management.
• Evolution of new business models
• Evolution of new talent models
• Evolution of new practices
• Evolution of new risk and control function
• Evolution of new audit and regulatory mechanisms

Three Pillars for managing Digital Risk

These pillars allow a consistent approach to risk management across disruptive technologies

Governance

The structure, committees, and roles & responsibilities for managing Artificial Intelligence

Digital transformation Lifecycle

The risks involved in Digital transformation, testing and deployment

Business Process

The impact to processes and controls before and after the Digital Transformation


Board and senior management need to be engaged

Key questions to the CRO, CEO and CFO

CRO
• Do your senior stakeholders have an enterprise view of compliance issues related to digital transformation?
• Is there clarity of ownership and accountability for new risks caused by digital transformation initiatives?
• Is there a streamlined process for control and monitoring of risks and compliance? What are the known issues?

CEO
• Which digital activities, processes and functions pose the most risk exposure to your enterprise and potentially your brand, reputation and/or status?
• What is the risk appetite for the enterprise?

CFO
• Do you know and understand the cost of digital threats to your organization? Can this amount be measured?
• Do you have early warning indicators about potential irregularities occurring and effective mitigation strategies?

Talent Key To Success of Digital Risk Programs

Risk practitioners need to create a culture of innovation.

An Agile (Test and Learn) Mindset

Focus on emerging areas

Scale talent availability on demand

Collaborate with new partners

Leverage new operating models

• Focus on Communication and Collaboration
• Prioritize risk management over documentation
• Constantly re-assess and pivot when necessary
• Develop multi-skilled risk management teams
• Bring fresh talent with range of experiences outside risk management
• Leverage on-demand talent models for “special skills”
• Leverage existing skills where necessary
• Anticipate and provide training for new skills
• Collaborate internally / externally with new partners
• Collaborate with start-ups in emerging areas like Reg-tech and Fin-tech
• Explore ideas from more advanced and developing markets
• Leverage community models where possible
• Explore co-sourced delivery to scale capabilities.

Unlearn old skills and learn new skills

Lessons from Deloitte experience from early adopters

Focus on small quick wins, plan ahead, assign accountability, track success…

Behaviors of the laggards

× Take incremental approach based on software functionality

× Approach digital in functional silos

× View automation as a software installation vs. a business change

× Neglect to consider the new types of data, compliance, and security risks

× Lack a plan to capture value or processes with fragmented population of FTEs

× Look for one vendor to provide all capabilities

Behaviors of the leaders

Think big, start small, scale quickly: Plan for future through phased, scalable implementation

Instill shared accountability: Ensure partnership between business / compliance / audit and IT from start of the journey

Focus on the operating model: Incorporate governance, talent, and change management into program to stand-up

Plan ahead for new types of risk: Define a security architecture with controls upfront and work with compliance to establish protocols

Value capture as a part of the program : Ensure that value-oriented processes are selected and the metrics and plan for value capture are designed upfront

Build the complete suite: Combine automation with other cognitive solutions (i.e., NLP, optical character recognition) to get full value


Thank You

Q & A

Baskaran Rajamani, Partner, [email protected], (416) 434 5203