Digital risk has become one of the fastest-growing, most pervasive risks in any organization. The 2022 World Economic Forum Global Risks Report estimates digital commerce will be worth $800 billion by 2024, while a recent Gartner survey reveals that digital risk is the number one strategic business priority for corporate directors in 2022 and 2023. Gartner defines “digital risk” as the set of risks inherent in digital products, services, and supporting processes. This type of risk refers to unwanted — and often unexpected — outcomes stemming from digital transformation and the adoption of dependent or supporting technologies.
To get a sense of how digital risk is managed, AuditBoard recently conducted a Digital Risk Maturity Survey that asked over 125 risk leaders how their organizations undertake risk management in this area. The survey revealed that while business leaders are aware of digital risks and are working toward comprehensive digital risk management, many organizations lack the visibility to progress beyond the early stages from a maturity point of view. Download the full report, titled Digital Risk Maturity Report 2022: Turning Digital Risk Into Your Competitive Advantage, and read on below for an overview of the report’s key findings.
1. Organizations Are Maturing, But Not Fast Enough.
- While over 90% of respondents have digital risk on their radar, only 30% are at a maturity level where they are actively mitigating digital risks.
- 78% of respondents have placed ownership of digital risks with functions outside of business operations (such as IT or security), which can lead to inappropriate categorization of these risks as technical or compliance-only and create siloed risk management efforts.
The majority of respondents (69%) indicated they were still in the early stages of defining and assessing their risks and had not yet reached the point of mitigation or continuous monitoring. Meanwhile, only 18% of respondents place ownership of digital risk with business management. These results tell us that while many organizations are aware of digital risk, they may misinterpret digital risk purely as a technical or security risk. This could lead to a siloed view of digital risk that focuses on technology risk over other business risks, when, in practice, digital risk is more closely aligned with business risks and strategic initiatives.
This is why an integrated approach to risk management, versus relegating digital risk ownership to a specific function, can benefit the business by affording it a more holistic and accurate view of risks to the organization. Gartner defines integrated risk management (IRM) as “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision-making and performance through an integrated view of how well an organization manages its unique set of risks.” An integrated approach to risk management combats siloed risk management activities by encouraging awareness of organization-wide risks across all departments and levels.
2. Risk Teams Are Struggling to Generate Reportable Digital Risk Metrics
- 84% of respondents are not reporting measurable digital risk metrics to management.
- Many respondents claiming to use reportable metrics describe their activity as measuring only one component of digital risk, such as technology or fraud.
Metrics designed for continuous risk monitoring throughout all stages of digital transformation initiatives are important for successful digital risk management. Survey participants were asked at what points in the digital risk management process they used reportable metrics. The highest percentage of respondents use reportable metrics during planning (28%) and monitoring (30%). Respondents also reported using metrics during decision-making (17%) and implementation (16%), but to a lesser extent. As organizations move up the maturity curve, metrics should be used at every stage of digital risk management.
3. Investing in Risk Management Technology Is Critical to Keep Pace With Digital Risk
- Only 32% of businesses are using cloud-based risk management software.
- 26% of respondents are not managing or monitoring third-party digital risk.
Technology is a key enabler for successful digital risk assessment and ongoing monitoring. In Figure 3, we noted that over half (51%) of our Digital Risk Maturity Survey respondents said they were using some form of risk management software, yet only 32% reported using cloud-based risk management software. This is cause for concern, as over the past decade, cloud-based tools have become the preferred software for risk management due to their ability to consume data using APIs and other types of system integrations. To keep pace with the evolving risk landscape, further investment is crucial.
The role of cloud-based technology that can integrate with other systems is especially relevant when discussing third-party digital risk. When asked about this growing risk area, 26% of respondents reported that they are not managing and monitoring third-party risk. Of those who are monitoring third-party digital risk, 24% are basing their assessment on internal views of third parties only. A major factor in the ability to monitor, or even consider, third-party information is the technical capability to consume partner data with technology.
To capture external data in your risk management software, you will likely need to work with your partners to exchange data through an API or other type of integration — demonstrating the importance of cloud-based technology, whose integration capabilities ensure the transfer of large amounts of data between systems.
Digital Transformation Can Help Organizations Reach Greater Risk Maturity
Our survey results reveal that there is hope for organizations that are seeking to improve their digital risk maturity. Digital transformation can help organizations automate and improve their digital risk management programs. Per Gartner’s definition of IRM, a key element of an integrated approach to risk management is that it is supported by enabling technologies. Automating a risk management program using technology — e.g., software-as-a-service solutions, robotics process automation (RPA), and advanced analytics solutions — can create efficiencies and lead to more effective risk management practices and assurance activities.
To learn why digital transformation itself is the key to effective integrated risk management, download the full report here.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.