How important is Digital Risk Management (DRM)?
Businesses today are becoming increasingly dependent on technology. It is the norm to have a website; most firms find it imperative to have this Internet presence, at least. But putting themselves ‘out there’ or digitising their businesses more extensively and widening their electronic outreach brings with it a new kind of risk: digital risk. Digital risk is the term applied to the threats or consequences to organisations when they adopt or upgrade to new technologies. Now critical to business management, digital risk management focuses on the threats to an organisation’s data and the systems which store, process and transfer it, but also recognises the opportunities arising.
Every business is exposed to digital risk today, because they depend extensively on such systems to carry on functioning at an effective level which will allow them to continue delivery of their products and services – making digital risk management an essential component of business management, and of ERM. Digital risk management is, essentially, the risk management of the digital footprint of the business, which refers to the electronic assets including hardware like physical electronic equipment, and software like IT systems, databases, and the various ERP applications that the organisation uses.
Digital risk management has grown in importance because organisations have embraced digital technology with great alacrity, particularly in the past decade or so. More recently, the Covid-19 virus has spurred many businesses to function remotely, thus increasing their dependence on electronic systems and connectivity. Many have had to deal with unexpected consequences as a result.In the rush to establish an online presence to remain competitive, many neglected to consider the risks that would develop in parallel with going digital. In some cases, firms have had to operate completely virtually, increasing their exposure to digital risk.
As firms realise the implications of adopting new technologies, they realise the need for digital risk management as well, particularly because these need to be adopted in a way that does not expose them to untoward, unexpected and unwanted incidents that can leave them and their systems in a compromised position, or damage their reputation.Digital risk encompasses many areas including cybersecurity, identity theft, data security and confidentiality, compliance, automation, artificial intelligence, data privacy and resiliency, among others.
The possibility of cyberattacks is always present in today’s business environment. The objectives involved in such attacks are often malicious, and intended for illegal or unethical purposes.Firms also need to be aware that using new technology sometimes comes with certain requirements, roles and responsibilities, such as permission to retain certain data or the necessity of restricting third party access which may complicate existing business processes.Managing digital risk will depend on how digitised the organisation is, the systems it uses and networks it is connected to.
To a certain degree, the kind of mitigation measures applied will depend on what kind of industry it is in and what it produces. There are a variety of strategies which can be applied in the management of digital risk. One of these is governance, risk management and compliance (GRC).With GRC, the organisation manages its digital risk by applying these three methods stringently across its operations. Generally, however, digital risk management starts with the identification of assets which may be at risk through an internal audit.These assets could be IT systems which may include databases, payment systems, inventory, websites etc.
Vulnerabilities of these assets and what risks they could be subject to, should be identified. Policies, processes and procedures should then be set in place to ensure these assets are utilised according to the GRC principles set by the firm.While identifying assets which may be at risk, the firm may realise that it is also facing other potential threats, such as possible cyberattacks or other types of systems breaches. Organisations have also found that managing digital risk takes time – something which may be in short supply, in the push to digitise to remain competitive, in today’s business environment.
Where, before, firms may have taken a longer time to digitise certain processes, these processes may have taken on a different level of urgency in the current circumstances. It may be possible that the necessary protocols and protection may not have been factored in.When establishing processes for digital risk management, the first step is to identify potential risks and determine the extent of their effect on the business, then mitigation measures can be set in place. Organisations should be aware that the more extensive the process of their digital transformation, the greater their digital risk.
These risks could range from cyberattacks to data leaks that develop into data breaches; risks related to a talent deficit (to manage new or improved systems effectively) and compliance risks due to poor security practices. There are also risks related to increased automated processes, as well as third party risks that originate in vendors’ systems which could affect the supply chain. All these affect the organisation’s ability to achieve its objectives. Of these, research has shown that cyberattacks, data leaks and third party risks have the most significant consequences.
Digital risks are a fairly new addition to the threat landscape and, as such, how they will develop or which direction they are likely to take are quite unpredictable. For now, firms should focus on identifying critical assets most likely to be affected and determine their vulnerabilities, while understanding how threats behave in a virtual environment so that they can tighten their cybersecurity. A firm’s digital risk management systems should ideally be able to assess, monitor and treat risks stemming from their digital transformation efforts, to safeguard operations and protect the value of their business.