Managing Risk in Digital Transformation

Risk Advisory
October 2018
Introduction
Consumers and businesses are adopting digital technology at a rapid pace, and while this is generating new opportunities, it is also creating new risks.

The digital transformation journey of many organisations is well underway. With Industry 4.0 we are already seeing the application of new technologies, including robots, the internet of things (IoT), artificial intelligence (AI), cloud computing, predictive analytics and blockchain rapidly changing the way many companies design and curate experiences, manufacture, distribute and service products.

An increased burden is being placed not only on the IT department but also on the internal risk function. Business leaders are making strategic choices on the investment, technology, resourcing levels and the skills needed to operate a digital business, all of which will have an impact on the short-term profitability and long-term viability of their businesses. These strategic choices inevitably involve an element of risk. At the same time businesses have to cope with external threats. For example, as businesses undergo digital transformation and more of their assets become digital, the threat of cybercrime and risks around data privacy are growing.

While digital transformation is creating major opportunities for organisations, it is also introducing a new dimension to the traditional view of risk.

Currently risk management teams remain on a reactive footing with a predominant focus on traditional IT general controls and risk assessment techniques, and are limited by the processes, systems and wider business insight with which they have been equipped. As technology transformations shift the risk landscape, organisations will need to develop an entirely new approach to digital risk. Our Deloitte Digital Risk Framework will assist our clients in this journey.

Beyond Traditional Risk and Security
Laying out the building blocks of the digital risk strategy is crucial to its success. An immediate step by organizations is to have robust measures around cybersecurity, and the easiest approach is to perform typical information security and/or cyber security assessments of systems. The questions which need to be addressed are, ‘Is this enough? Is cybersecurity the only risk to a digitally enabled organization?’

For an effective digital environment to meet the desired objective, it is critical to consider risk areas beyond traditional risk. For example, social media is becoming an integral part of marketing, thereby creating risks to brand value and reputation. Similarly, customer profiling is prominent for better customer experience, but the profiling process should be aligned to protect privacy of customer data. Another important aspect to be considered is digital resiliency: due to the large dependency on technology, the availability of the systems is non-negotiable. There are several other scenarios across different industries and operations that cover other risk domains that could be considered.

Beyond Traditional Risk


Industry 4.0 – A New Era bringing New Risks
Through Industry 4.0, smart, connected technologies are transforming organisations, operations, and the workforce by increasing information flow, creating new insights, and revolutionising business models. Although Industry 4.0 has its roots in manufacturing and supply chain, it extends to many other sectors. The power and value of Industry 4.0 lies in flows of information, and the ability to integrate digital information from many different sources and locations to drive the physical act of doing business. In this way, information flows in an ongoing cycle, where data from one process informs the next. This ongoing loop incorporates the use of many physical and digital technologies, including analytics, additive manufacturing, robotics, high-performance computing, natural language processing, artificial intelligence and cognitive technologies, advanced materials, and augmented reality. The illustration below depicts how information flow occurs through an iterative series of three steps, referred to as the physical-to-digital-to-physical (PDP) loop.

This introduces new risks. Examples are the digital environment’s capability to enable investigation in the event of a fraud or security breach, including capturing of data evidence which is presentable in a court of law, and ensuring protection of data across the digital ecosystem at various stages of the data life-cycle: data in use, data in transit and data at rest.

Physical-to-digital-to-physical loop and related technologies

1. Establish a digital record
Capture information from the physical world to create a digital record of the physical operation and supply network.

2. Analyse and visualise
Machines talk to each other to share information, allowing for advanced analytics and visualisations of real-time data from multiple sources.

3. Generate movement
Apply algorithms and automation to translate decisions and actions from the digital world into movements in the physical world.

Source: Deloitte Centre for Integrated Research/Deloitte Insights.
Deloitte’s Digital Risk Framework

We have considered 10 risk areas: Strategic, Technology, Operations, Third Party, Regulatory, Forensics, Cyber, Resilience, Data Leakage, and Privacy, as the risk landscape in any digital ecosystem. Based on the applicable risk areas for the digital initiatives, different control measures need to be designed as per leading standards and industry practices. The critical aspect in defining the controls is to take into consideration the nature and level of digitisation in the operations, as most of these areas are at a nascent stage and tightly coupled with systems or manual processes, so there might be constraints to implement the controls.

[Figure: Deloitte’s Digital Risk Framework. Legend: Risk Areas, Extended Enterprise, Enterprise, Digital Enablers. Labels in the figure: Digital Risk Strategy, Digital Governance, Customer Experience, Customer Lifecycle, Asset Lifecycle, Data Lifecycle, Employee Lifecycle, Operational Technology (SCADA), Robotic Process Automation and Cognitive Intelligence (RPA&CI), Digital Payments, Cloud, Digitalisation of RM, Blockchain, IoT, AI; risk areas: Strategic, Technology, Operations, Third-Party, Cyber, Data Leakage, Privacy, Forensics, Resilience, Regulatory.]

Understanding the risk areas is critical to identifying and dealing with all the risks that an organisation may be exposed to in a digital environment. This section explains in brief all the risk areas considered in the framework.

Technology
Potential for losses due to technology failures or obsolete technologies. Technology related risks have an impact on systems, people, and processes. Key risk areas may include scalability, compatibility, and accuracy of the functionality of the implemented technology.

Third-party
Comprises risks arising due to inappropriate controls at vendors/third party operating environment. Key controls would be around data sharing, technology integration, operations dependency, vendor resiliency, etc.

Cyber
Protection of the digital environment from unauthorised access/usage and ensuring confidentiality and integrity of the technology systems. Key controls may include platform hardening, network architecture, application security, vulnerability management, and security monitoring.

Privacy
Risk arising due to inappropriate handling of personal and sensitive personal data of customer/employee, which may impact privacy of the individual. Key controls include notice, choice, consent, accuracy, and other privacy principles.

Strategic
Usually derives from an organisation’s goals and objectives. It can be external to the organisation and, on occurrence, forces a change in the strategic direction of the organisation. Typically would have an impact on customer experience, brand value, reputation, and competitive advantage in the market place.

Forensics
Digital environment’s capability to enable investigation in the event of a fraud or security breach, including capturing of data evidence which is presentable in the court of law.

Operations
An event, internal or external, that impacts an organisation’s ability to achieve the business objectives through its defined operations. Includes risks arising due to inadequate controls in the operating procedures.

Regulatory
Adherence to statutory requirements including technology laws, sectoral laws, and regulations. These will include the electronic communications and transactions regulatory universe which is of general application and industry specific regulation including financial services, insurance and medical schemes to the extent applicable.

Data Leakage
Ensuring protection of data across the digital ecosystem at various stages of the data life-cycle: data in use, data in transit and data at rest. Key focus control areas would be around data classification, data retention, data processing, data encryption, etc.

Resilience
Risk of disruption in operations or unavailability of services, due to high dependency on tightly coupled technology. Key areas of consideration would include business continuity, IT/Network disaster recovery, cyber resiliency, and crisis management.

Digital Risk Portfolio

Example of our portfolio of services to mitigate risks around digital enablers

Digital Risk Strategy
Establishing a governance framework to address the risks in implementation of Digital Programs

Cloud
Understanding and managing the risks of adopting a public/private/hybrid cloud technologies for Infrastructure, Platform and Software

Blockchain
Leveraging Blockchain architecture to secure against internal and external threats

RPA
Enabling a secure RPA implementation and leveraging of RPA for Cybersecurity & Risk management

IoT
Designing a risk-based IoT architecture for data collection and management of remote systems

OT (SCADA)
Protecting the OT infrastructure through secure integration with enterprise technology eco-system

Digital Payments
Secure digital payment offerings using a structured risk-based approach

AI Risk Strategy
Enabling the adoption and implementation of AI with confidence

Digitalisation of RM
Enabling the risk management leveraging digital technologies

Navigating Digital Risks


Approach to establish effective risk management in a digital
environment

Discover
Aligned to the organisation’s Digital vision, study the selection of digital enablers, and analyse
the context so as to assess the digital footprint and its impact.

Develop
Based on Deloitte’s Digital Risk Framework, develop a risk-based digital architecture
customised to the organisation’s digital needs and operating environment.

Implement
In the context of business, implement the risk-based digital architecture for the selected
digital enablers supported by an overall risk governance.

Monitor
Embed a continuous review process that evolves in response to disruption and new
developments across the digital estate, legal and regulatory requirements.


Sustainability
“An approach to digital risk management should begin with an
understanding of the organisation’s digital footprint and creating a register
of digital risks using our Deloitte digital risk framework as a base.”


01 Support Risk Management by conducting risk awareness workshops and training. Take it up as a proactive exercise embedding it into the organisation’s strategy instead of merely keeping it a reactive one.

02 Periodically monitor, review and update the digital risk framework to ensure a complete and accurate digital risk landscape.

03 Enabling risk management through tools will be appropriate for a systematic identification and management of the evolving digital risk.

Conclusion
Digital Transformation across industries has led to a rapidly changing business environment which offers exponentially augmenting opportunities for new capabilities and initiatives.

One of the most critical success factors to win in this digital era is organisational agility. Businesses can create a scalable and adaptable digital journey encompassing a well-defined digital strategy, an appropriate business case, and a customised and flexible approach.

Along with Digital transformation, it is imperative for organisations to also manage the risks that are introduced into the environment and its impact to the existing ecosystem to drive optimum value from their digital initiatives. Despite all the challenges and risks that the evolving environment presents, organisations cannot overlook the opportunities that ‘moving to digital’ brings forth along with the profound impact that it shall have on them.


Contacts

Navin Sing
Managing Director: Risk Advisory Africa
Mobile: +27 83 304 4225
Email: navisingd@deloitte.co.za

Michele Townsend
Risk Advisory Africa: Director
Mobile: +27 82 441 7164
Email: mtownsend@deloitte.co.za

Keshnee Naidoo
Risk Advisory Africa: De-risking Digital Transformation Leader
Mobile: +27 82 960 0982
Email: kesnaidoo@deloitte.co.za

Shahil Kanjee
Risk Advisory Africa Leader: Cyber Technology Risk
Mobile: +27 83 634 4445
Email: skanjee@deloitte.co.za

Anthony Olukoju
Risk Advisory Regional Leader: West Africa
Mobile: +234 805 209 0501
Email: aolukoju@deloitte.com.ng

Wesley Govender
Risk Advisory Africa Leader: Data Analytics
Mobile: +27 83 611 2929
Email: wgovender@deloitte.co.za

Temitope Aladenusi
Risk Advisory West Africa: Director
Mobile: +234 805 901 6630
Email: taladenusi@deloitte.com.ng

Gregory Rammego
Risk Advisory Africa Leader: Forensic
Mobile: +27 82 417 5889
Email: grammego@deloitte.co.za

Julie Nyangaya
Risk Advisory Regional Leader: East Africa
Mobile: +254 20 423 0000
Email: woelofse@deloitte.com

Rushdi Solomons
Risk Advisory Africa Leader: Internal Audit
Mobile: +27 741 414 444
Email: rsolomons@deloitte.co.za

Rodney Dean
Risk Advisory Central Africa: Director
Mobile: +263 867 700 0261
Email: rdean@deloitte.com.ng

Candice Holland
Risk Advisory Africa Leader: Regulatory Risk
Mobile: +27 82 330 5091
Email: canholland@deloitte.co.za

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network
of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and
each of its member firms are legally separate and independent entities. DTTL does not provide
services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk
advisory, tax and related services. Our network of member firms in more than 150 countries
serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately
264,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu
Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by
means of this communication, rendering professional advice or services. Before making any
decision or taking any action that may affect your finances or your business, you should consult
a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any
loss whatsoever sustained by any person who relies on this communication.

© 2018. For information, contact Deloitte Touche Tohmatsu Limited (RA/Vee)
