Digital transformation? Don’t bother unless you plan to address risk

Digital transformation is a concept that has dominated the business world for some time now. Everybody’s planning it, doing it or wondering why they haven’t taken the leap yet.

The benefits to your company can be endless, from streamlining processes to making your next big innovation. Of course, the value of digital transformation has been particularly prominent in the last year, where COVID-19 and its associated lockdowns completely upended the way many businesses operate at a fundamental level. Digital transformation went rapidly from a ‘nice to have’ to an essential for allowing employees to work remotely and continuing to serve your company’s customers. Organisations of all kinds adopted cloud services and productivity and collaboration apps to keep their staff working even though they were stuck at home.

In a recent McKinsey Global Survey of executives, respondents estimated that the digitisation of their customer and supply-chain interactions and of their internal operations had been accelerated by three to four years. As for the share of digital or digitally enabled products in their portfolios, those had been moved ahead by as much as seven years.

Respondents also said that they are anticipating the majority of these changes to be long lasting. Many have already made significant investments in time, money and resources to ensure that these are changes that will endure.

Outside of the pandemic, another specific motivator of digital transformation is the opportunity to eliminate risks that stem from legacy processes. However, at least in the short term, this will bring forth new pressures which will alter an organisation’s risk profile.

That’s because digital transformation is a catalyst for change. As workflows migrate to the digital realm, organisations are met with a host of new threats which affect their risk profile. This is demonstrated in RSA’s 2020 Digital Risk Report, which includes findings from a study conducted across the globe which asked the question: ‘How has your organisation’s risk profile changed over the past two years, due to its digital transformation?’ Respondents also reported how they expect their risk profile to change over the following two years.

The results are in. In Western Europe, 87% stated that digital transformation is expanding their risk profiles due to new or increasing risk. The principle is a simple one: as an organisation’s digital surface area expands, more things come into contact with it.

Over the following two years, this statistic is expected to drop by a fraction, yet the unpredictability and ubiquitous nature of cyber risk could mean a greater period of time must elapse before risk profiles truly settle in the wake of digital transformation. What’s more, these patterns are similar globally, with North America and the APJ region yielding equally startling results.

There exists an ongoing tug-of-war. On the one side are the digital transformation initiatives essential to modern-day business survival, pulling enterprises towards success; on the other are the risks such initiatives simultaneously cause.

Digital transformation must dig in its heels to win the match, something that can only be achieved if management teams keep a close eye on both ends of the rope.

Build your risk profile

While risk profiles may more traditionally refer to health and safety, taking the time to identify what risks your digital transformation will unearth will allow your organisation to avoid them.

An organisation’s risk profile is comprised by evaluating the variety of threats faced. Numerical values are assigned to variables, quantifying the threat level each poses. The risk profile is closely associated with the risk appetite; that is to say, the amount of risk an organisation is willing to take on. Balancing the two is the key to ensuring digital transformation initiatives prove to be a success.

Here, organisations must ask themselves what threats a digital transformation initiative will come into contact with, and whether they are manageable or too hefty a meal for their appetite.

For instance, will transitioning from physical data centres to a cloud provider be too great a shift in controls? If you cannot afford the protocols that ensure cloud security, your appetite is too small and the initiative should, for now, be put on hold.

How to manage risk

Building a risk profile allows the organisation to identify where their security and risk management is lacking, and subsequently expand their capabilities in these areas. RSA’s 2020 report found that respondents indicated a desire to invest in risk management solutions proportional to the extent of digital transformation. With your risk profile in front of you, management can ensure that they spend the right amount on the right things to elevate initiatives.

This proportionality is indicative of the desire to keep pace with the rapid change that comes part and parcel with digital transformation. Effective digital risk management can keep digital initiatives on schedule, and ensure their effectiveness; conversely, retrofitting controls after implementation is generally much more costly and less effective.

There is no avoiding that a crucial element in managing risk is an expansion of resources. A flexible budget is necessary to handle the risk landscape’s rate of change. Expertise must be invested in to oversee security measures including threat detection and response, network security, and vulnerability management.

Managing risk isn’t solely about tackling the negative symptoms caused by digital transformation; instead, organisations must focus on the cause, namely, the initiative itself. Balancing the costs and benefits of initiatives, both in isolation and as part of wider movements, is the most effective method of addressing risk profiles that are threatening to spiral out of control.

While digital transformation is essential in the modern-day, too much of a good thing threatens to negate its benefits.