How to Rethink Risk for a Digital World: Key Trends & Techniques

Traditional risk management is evolving—from a bias toward caution to being a value-add to the business. As business strategy leader Dr. John P. Kotter writes in his new book Change¹, “Increasingly, risk mitigation means getting on with it and not missing opportunities. In today’s world, not adapting fast enough is the greatest risk.”

We’ve zeroed in on four key digital transformation trends, which are forcing companies to evaluate their risk management techniques:

• Hybrid, gig and global workforce
• Business agility
• Cloud migration
• Automation and machine learning

“Increasingly, risk mitigation means getting on with it and not missing opportunities. In today’s world, not adapting fast enough is the greatest risk.”

Dr. John P. Kotter

Hybrid, Gig, and Global Workforce Brings Human-centric Risks

Hybrid workforce is here to stay, and, coupled with the global teams, today’s workforce is more distributed than ever before. Team members are not only distributed globally but also within the same city. They are no longer in the controlled office environment and are relying on critical IT infrastructure to stay connected. Another ongoing change in the workforce has been the emergence of gig workers, across functions and companies—from the largest enterprises to the fastest-growing startups.

The future workforce will be highly distributed with a combination of full-time and gig employees. People are seeking more flexibility, and, frankly, the definition of “an employee” is being challenged every day.

These workforce changes have led to changes in employee-related risk factors:

Information security and privacy: With data and information crossing borders and the workforce not controlled in an office environment, IT departments are having to strike a fine balance to provide flexible, nimble environments while keeping them secure and under control. Adding the temporary nature of the gig workforce, the traditional security and privacy practices must be even more nimble and customized to the workforce.

Human-centric risks: The beauty of the gig workforce is that it brings agility and expertise on demand. But how do companies adapt and create a secure and balanced risk-based culture as employees are in an ever-shifting mode—especially when traditional waterfall training methods aren’t up to the challenge?

Preventing against social engineering attacks has always been problematic. Throw in the distributed and ever-shifting workforce, and it exponentially increases the risk factors. We’ll continue to see more ransomware attacks, and companies will have to devise both prevention and nimble containment strategies.

Historically, companies have built layers of security and privacy practices with a combination of technology and human-centric trainings. Now, the evolving workforce is challenging traditional trainings and controlled IT infrastructure and physical office locations. It’s imperative for organizations to shift accordingly.

Business Agility Requires Faster, Nimbler Risk Assessments

Organizations are adopting agility across all business functions, as they respond to unpredictable events like COVID. Agile has grown from being primarily an IT-centric framework to an enterprise-wide framework, which is used for business decision-making as well as day-to-day operations.

In 2020, for example, finance functions had to revisit their budgets, forecasts, and investor reporting on a real-time basis, revisiting all the macro changes, annual plans, and budgets throughout the year. Similarly, companies had to change their supply chains on short notice and evaluate contingencies as vendors were hit globally.

Traditional annual risk assessments and stringent annual audit plans can be out of sync with day-to-day operational changes and true business risks.”

As decision-making and operations become more agile, risk management functions need to keep up—risk assessments, audits, and reporting need to be agile as well. Traditional annual risk assessments and stringent annual audit plans can be out of sync with day-to-day operational changes and true business risks. Risk frameworks must be flexible, nimble, and fast-paced so that leaders can focus on the true nature of current risks while looking around the corner and anticipating new ones.

Cloud Migration Creates Both Distributed and Connected Risks

As businesses leverage cloud vendors across almost every day-to-day function—from meetings and phone calls to product delivery and backend ERP systems—cloud systems are everywhere, spanning a variety of hybrid and multi-cloud environments. Risk factors around the security, privacy, and reliability of these cloud vendors are core to business viability.

A lot of companies were handicapped during COVID, when the global workforce was repeatedly impacted in waves across countries. Cloud vendors are part of the same ecosystem, and as our reliance on them becomes pervasive—the reliability and availability of these vendors become a major concern.

Data integration and movement across these cloud vendors lead to complex and challenging security and privacy considerations. The complexity and pace of cloud migrations, usage of cloud systems, and decentralization are forcing companies to dig deeper into risk assessments and mitigation strategies. Gone are the days when you can just trust the cloud vendors to provide their own mitigation strategies; companies will have to perform their own independent evaluations and dig deeper to provide their own risk management strategies.

Look under the hood for your critical vendors and ensure the risks are built into your business continuity plans, along with knowing and protecting critical data. Just like the workforce evolution, the nature of cloud systems is also distributed and global—and has its own human-centric risks. The security, privacy, availability, and reliability of these cloud vendors directly impact an organization’s ability to perform.

Automation and Machine Learning: Who’s Monitoring the Bots?

Process automation using microbots to gain efficiency is becoming mainstream. Single monolithic applications are being replaced or enhanced with multiple micro-bots that can automate various stages of a process. The process can move seamlessly between bots, applications, and human activities. This makes it challenging to manage risks and devise controls in the automation environment.

As the nature of the work and decision-making is distributed across these actors (of humans, bots, and traditional monolithic systems), setting up controls across this distributed decision-making process becomes challenging. And as organizations use these bots to reduce errors and increase efficiencies, they must balance this by setting up appropriate controls without losing the efficiencies.

Another rapidly evolving automation trend is the dependence on machine learning. With machine learning algorithms, systems are moving away from traditional code-based decision-making to data-based decision-making. Machine learning systems evolve through the data sets provided, and at times the bias in the data sets can creep into the system, leading to unintended consequences.

The nature of the potential risks is changing with the introduction of automation and machine learning. Risk management and audit teams across organizations will need the appropriate technical expertise to evaluate risks and controls. Risk and audit techniques will also need to shift more toward data analytics, automation, and machine learning. The need for skills upgrades and shift within the risk management and audit professionals is imperative.

Critical Techniques for Managing Evolving Risks

As you evaluate your own organization’s risk management plan, don’t overlook these critical best practices to account for the distributed and evolving nature of the workforce, cloud systems, and process automations:

• Be more agile in your risk assessments and audits. Ensure your risk management function has a seat at the table early and throughout any strategic projects.
• Build specific programs to manage human-centric risks for a distributed, remote and gig workforce. Do not underestimate the human-centric risks.
• Dig deeper into the security, privacy, reliability, and availability of your cloud systems and your dependency on them. Make your own independent assessments and build multiple redundancies into your business continuity plans.
• Organizations will face ransomware attacks, hacking, data leakage, human error, and fraud, along with other unanticipated impacts like COVID. Ensure you have a strong and nimble incident-response plan and test it periodically.
• Automation with bots and machine learning brings its own set of challenges. Ensure risk management is embedded closely and early in these programs. Upskill and bring in technology skills specific to automation, machine learning, and data analytics in your risk and audit groups.

One thing is certain: the pace of change and digitization will only increase in coming years. The macro trends of hybrid workforce, gig workers, cloud transitions, automation, machine learning, and global supply chain challenges will continue to accelerate—the genie is not going back in the bottle. Are you ready to identify, manage and mitigate the risks that come along with it?

¹ Change: How Organizations Achieve Hard-to-Imagine Results in Uncertain and Volatile Times, John P. Kotter, Vanessa Akhtar, and Gaurav Gupta