Jenny is currently leading a global internal audit practice, including IT audit, at a global real estate and fund management MNC. Outside of work, she volunteers heavily in the technology community, where she actively promotes technology (including cyber) awareness and adoption among business and IT professionals and organisations. She is currently the President of the ISACA SG Chapter. She was the winner of the 2022 Top Woman in Security (SG & ASEAN) award, the 2022 Women Program of the Year Award (Asia) and the 2021 Women in IT Outstanding Contribution Award (Asia), and a 2021 SG 100 Women in Tech recipient. She also received the Top 20 Cybersecurity Women in Singapore award in 2020.
Digitalisation or Digital Transformation has become the buzzword in the corporate world as organisations try to keep pace with business evolution, in the hope of gaining a business advantage if the transformation succeeds. There is nothing wrong with embracing transformation. However, something is wrong when such initiatives are not handled properly, are not approached from a sound strategic perspective, and are treated as a quick fix instead.
While more people are starting to understand what digital transformation and digitalisation entail, there is still common misunderstanding of these two terms, and they are often used interchangeably. I often stress to my audience that understanding the definition of any term is very important, as it sets the context for applying the right treatment and enables clear execution that avoids wasting resources (including costs).
Researchers characterise "digital transformation" as a major organisational change driven by or enabled by digital technology, altering how business is conducted, whereas "digitalisation" is about leveraging digital technology to change socio-technical structures (Karen Osmundsen et al, 2018 [1]). If there is no organisational change and no change to socio-technical structures, then the initiative is only "digitisation". Socio-technical structures can be explained in two parts: "socio" refers to the social aspects (human interactions, relationships, norms, etc.) and "technical" refers to the technology, tasks, routines, etc. of the structure (Karen Osmundsen et al, 2018 [1]). Hence, "digitalisation" is a subset of "digital transformation".
As follows from the above, when an organisation undergoes either digitalisation or digital transformation, structural changes happen. When there are such changes, processes change; hence existing risks may change and new risks are introduced. During such times, a pro-governance organisation will treat this as an opportune moment to fix its risk management processes and reach a more resilient risk position. Ordinarily, other organisations just let the project teams run on their own, and risk considerations are often the last priority, since business users conventionally treat risk management as a roadblock to efficiency.
Personally, I believe that "Digital Transformation" or "Digitalisation" can be the right moment and the right opportunity to enhance an organisation's risk management processes. The following are some key reasons why I believe so:
- There is a budget! Yes! It is rare for an organisation to set aside a large budget to implement a project. With a good budget, many considerations can be included, risk management among them. There can be a risk pillar in the project in which a risk specialist (in-house or externally engaged) is involved and participates in the project end to end.
- Mindset shift! Surprisingly, people suddenly become very open-minded when embarking on a transformation project. The key stakeholders tend to be willing to accept new ideas to ensure their project succeeds, and hence willing to apply different "lenses" to view risk and risk management. This is a good time for the risk specialist to advocate the changes needed, especially when existing risks have changed their form, and to take the opportunity to re-perform a risk assessment exercise, including a business continuity planning ("BCP") exercise.
Note that a risk assessment exercise measures business risks while the business is operating. A BCP exercise measures business risks when the business is down and undergoing recovery. The two exercises look at risk from different angles, and neither can be neglected. Covid, as a pandemic BCP risk, taught many organisations the hard lesson that their recovery processes were inadequate. Most, if not all, controls mitigating the identified risks turned out to be ineffective, because most of those risks were not thought through at the point of BCP risk assessment and BCP procedure design. A very typical example of enterprise risk versus BCP risk is backup control. Enterprise risk management identifies backup as an essential control to mitigate the risk of data loss and to support continuity of business operations. The backup control follows the backup policy, say a weekly backup frequency. In the BCP exercise, the same system owner assesses that the function can only afford to lose up to 3 days of data (its recovery point objective, or RPO). But the backup policy and backup control allow for 7 days of loss. So there is a gap. Many IT and business owners do not realise that they have not considered risk and control design from an integrated risk perspective. To be fair, while enterprise risk management and BCP overlap, they require different skill sets to conduct. Hence, the control gap cited here is a common finding. Note too that a backup interval that matches the RPO on paper is only half the check: a failed or skipped backup job silently widens the real gap, so the actual run history has to be reviewed as well.
- Resilience is the new risk focus! Most organisations have lived through Covid and hence better appreciate the importance of being resilient. Resilience requires an organisation to be self-sufficient and agile, but it also means the organisation's supply chain has to be just as strong. With digital transformation or digitalisation, organisations have to be very sensitive about their asset (information and physical) protection strategies. Hence, physical and information security (including technology risk management) will gain attention from the Board when it considers its risk responsibilities.
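The backup-versus-RPO gap described above can be turned into a repeatable check. The following is an added example, not code from the original article: it reads a constructed backup job log, compares each system's stated RPO (from the BCP exercise) against both the policy backup interval (the enterprise-risk control design) and the gaps actually observed between successful runs. The system names, log format, policy intervals and RPO values are all hypothetical. It goes one step beyond the article's example by also catching the case where the policy matches the RPO but a failed job breaks it in practice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample backup job log (hypothetical systems and dates), in the
# form "<ISO timestamp> <system> <status>" as a simple backup tool might emit.
BACKUP_LOG = """\
2024-03-01T02:00:00 crm success
2024-03-08T02:00:00 crm success
2024-03-15T02:00:00 crm failed
2024-03-22T02:00:00 crm success
2024-03-01T02:00:00 payroll success
2024-03-02T02:00:00 payroll success
2024-03-03T02:00:00 payroll success
2024-03-04T02:00:00 payroll success
2024-03-01T02:00:00 hr success
2024-03-02T02:00:00 hr failed
2024-03-03T02:00:00 hr failed
2024-03-04T02:00:00 hr success
"""

# Hypothetical control design: policy backup interval (from the backup policy)
# and tolerable data loss, i.e. RPO (from the BCP exercise), per system.
POLICY: Dict[str, Dict[str, timedelta]] = {
    "crm":     {"policy_interval": timedelta(days=7), "rpo": timedelta(days=3)},
    "payroll": {"policy_interval": timedelta(days=1), "rpo": timedelta(days=1)},
    "hr":      {"policy_interval": timedelta(days=1), "rpo": timedelta(days=2)},
}


@dataclass
class Finding:
    system: str
    policy_gap: bool          # policy interval alone already exceeds the RPO
    execution_gap: bool       # observed gap between successful runs exceeds RPO
    worst_observed: Optional[timedelta]  # None if fewer than two successful runs


def parse_log(text: str) -> Dict[str, List[datetime]]:
    """Return {system: sorted timestamps of *successful* backups only}."""
    runs: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, status = line.split()
        if status == "success":
            runs.setdefault(system, []).append(datetime.fromisoformat(ts))
    for stamps in runs.values():
        stamps.sort()
    return runs


def assess(log_text: str, policy: Dict[str, Dict[str, timedelta]]) -> List[Finding]:
    """Compare each system's RPO against policy design and observed execution."""
    runs = parse_log(log_text)
    findings = []
    for system, p in policy.items():
        stamps = runs.get(system, [])
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        worst = max(gaps) if gaps else None
        policy_gap = p["policy_interval"] > p["rpo"]
        # With fewer than two successful runs the data loss is unbounded in the
        # window, which is treated as a gap rather than silently passing.
        execution_gap = worst is None or worst > p["rpo"]
        findings.append(Finding(system, policy_gap, execution_gap, worst))
    return findings


if __name__ == "__main__":
    for f in assess(BACKUP_LOG, POLICY):
        worst = f"{f.worst_observed.days}d" if f.worst_observed else "n/a"
        print(f"{f.system:8} policy_gap={f.policy_gap!s:5} "
              f"execution_gap={f.execution_gap!s:5} worst_observed={worst}")
```

In the constructed data, "crm" fails both checks (weekly policy against a 3-day RPO, and a failed run stretching the real gap to 14 days), "payroll" passes both, and "hr" shows the case the article's example does not: a daily policy that satisfies the 2-day RPO on paper, yet two consecutive failed jobs leave a 3-day hole. The second kind of finding only surfaces when the run history, not just the policy document, is part of the assessment.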
On the one hand, I do believe that the opportunity to enhance risk management is great and available; on the other hand, I am also aware that most organisations are not handling "digital transformation" or "digitalisation" right, and hence turn them into a nightmare for risk management. The following are some key issues I see that lead to these "nightmares":
- Data owners misunderstand their risk responsibilities. Most such projects end up with cloud solutions. Data owners assume that because they have outsourced their function, processing capability and data storage, they are not responsible for anything that may happen to their data and/or at their cloud service providers ("CSPs"). In practice the opposite holds: outsourcing the infrastructure does not outsource accountability for the data, and the customer remains responsible for how its data is classified, protected and accessed in the cloud. This is often a nightmare because the Information Technology ("IT") and Information Security ("IS") departments are neither informed of nor involved in this business project.
- Data ownership and data governance. In a digital ecosystem, data is mobile and fluid. It may reside in many applications, some of which the organisation can control and some of which it cannot. The understanding and appreciation of data governance risks is usually immature or inadequate. Hence, data governance is often not part of the project's considerations and becomes an after-implementation afterthought. Digital transformation or digitalisation projects carry many regulatory, reputational and technology risk implications. When no data owner is identified, no one takes responsibility.
- Cybersecurity risks. You need to leverage technology to achieve your digitalisation goals, and you may deploy emerging technologies too. Hence, new cyber risks are introduced. From my experience, failing to inventory the projects and their respective components (both hardware and software) is a common gap that prevents cybersecurity controls from being implemented in a timely and accurate manner: a control cannot be applied to an asset nobody knows exists. In addition, the cybersecurity talent gap is wide, and hence the organisation may not be able to address these risks in time.
Research by Martens et al, 2022 [2] has also indicated that digitalisation and digital transformation are a double-edged sword for risk management and governance approaches. Studies have shown that, despite the popularity and familiarity of digitalisation and digital transformation projects, many such projects fail. They fail because the organisations did not understand the business problems well, underestimated the influence of corporate culture, set the wrong KPIs, did not cost the project correctly, and suffered from poor leadership (Ali Alkhafaji, 2021 [3]). All of these failure indicators touch on many risks associated with such projects and push them further towards being risk management nightmares.
In conclusion, I personally feel that we should not be discouraged by the failures. Transformation is a journey. Let the failures be our lessons learnt, and avoid repeating them in your (next) transformation project. Risk professionals should seize the opportunity to capitalise on such projects to promote good risk management practice, and not take a back seat. Everyone should understand that collaboration is important in risk management: regardless of the role you hold today, everyone has a risk responsibility, and everyone's common goal is to ensure that the interests of the company are looked after.