A survey of 125 risk leaders, conducted by AuditBoard, a provider of a cloud-based platform for managing risk, finds less than a third (30%) are actively mitigating digital risks, with well over two-thirds (69%) still in the early stage of defining and assessing those risks.
A full 84% of respondents currently do not report measurable metrics to management. Of those that do, 89% are measuring only one component of digital risk, such as technology or fraud.
The survey finds 90% of respondents at least have digital risk on their radar. However, it’s not often viewed as a distinct discipline. Respondents report managing digital-related risks separately as part of IT/cybersecurity (32%), operational risk (11%), enterprise risk (31%), or other areas of risk management (18%). More than three-quarters (78%) of respondents have placed ownership of digital risks with functions outside of business operations.
More than half (51%) of respondents reported using some form of risk management software, with 32% using a cloud-based application. Well over a third (38%) are managing digital risk manually using spreadsheets, shared drives, and email.
Many organizations are still coming to terms with what are often multiple digital business transformation initiatives that were launched in haste during the COVID-19 pandemic, notes John Wheeler, senior advisor for risk and technology at AuditBoard.
While cybersecurity is generally a top-of-mind concern, Wheeler added that there are other, less obvious risks, such as the opportunities for fraud that a digital business process creates. Many digital processes depend on third parties that have not passed a System and Organization Controls (SOC) audit, something that is often mandatory for large enterprises. “Many of these risks are more pervasive than thought,” says Wheeler.
The time has come to make a more rational assessment of those dependencies as the pandemic continues to wane, he adds. At the same time, auditors are now more aggressively evaluating whether processes that were often adapted in haste comply with myriad regulations, notes Wheeler. For example, many states do not allow a doctor to use telemedicine applications to evaluate a patient who is physically located in another state, regardless of where the patient's primary residence is. Many of the rules that were either suspended or lightly enforced are now being more vigorously applied.
Audits, of course, will make digital business initiatives more expensive. Any fine or penalty is usually just one element of a total cost of compliance that rises with each audit. Multiply those reviews by the number of digital processes launched, and suddenly the cost of a digital transformation is much higher than initially anticipated. Many organizations are still struggling to fulfill their digital business transformation ambitions, so the scope of such audits has not yet been widely felt. However, as sure as night follows day, audits of any digital process relied on at any meaningful level of scale will come. Savvy digital transformation leaders are preparing to pass those audits now rather than starting a review a few weeks before an audit begins. Like it or not, each digital process is likely to have more than a few relevant regulatory requirements that will need to be painstakingly assessed.