Posted: 05 Sep. 2022

Pivoting to a digital risk and controls mindset

Introducing our latest blog series, focusing on Cloud and Digital Risk


This blog is the first in our series on managing cloud and digital risk. It explores key considerations for risk specialists to effectively enable digital transformations.

Digital transformation started long before COVID-19, but the pandemic left no alternative than to serve customers through digital channels, meaning acceleration was critical. To do this safely and securely, delivery teams needed to work alongside enabling functions, such as technology risk and controls, in a collaborative way.

The need to quickly pivot to digital channels was, and continues to be, enabled and accelerated by the adoption of cloud technologies, from which organisations expect to benefit from economic and operational efficiencies. In this article, we explore some of the challenges technology risk and control teams face in supporting digital transformation and provide key recommendations to consider.


The challenges

  • Collaboration: a key challenge for successful digital transformation often boils down to the collaboration between delivery teams and risk and control specialists, as they often struggle to find a common language. This leads to them operating in silos, rather than as a coordinated cross-functional team. All involved in the transformation should be working towards an agreed common objective, with collaboration front of mind.
  • Input at the right time: we’ve seen many cases where risk and controls are an afterthought, due to businesses wanting to move quickly, and without the perceived impediment of ‘check-box’ risk management processes. It’s fundamental that risk and controls experts have sight early on and input throughout the transformation lifecycle, but that they have also adapted their requirements to align to the pace and agility of the rest of the organisation.
  • Understanding of the key risks and controls: the quality of digital (e.g. cloud) risk and control assessments can often depend on the skills and knowledge of the individuals performing them, rather than being based on a comprehensive and scalable risk and control taxonomy. This can result in significant risks being missed, for example, not assessing the materiality of services and therefore not developing proportionate exit plans.
  • Automated monitoring: manual legacy controls are often applied to automated processes, which results in a missed opportunity to automate controls and a failure to achieve downstream efficiency benefits (such as real-time monitoring, rather than manual testing, of the controls).
  • Leveraging pre-existing data as an accelerator: across many organisations, cloud risk assessments tend to start from scratch every time rather than leveraging pre-existing assessment data. This duplicates the effort spent on each assessment and causes frustration within the business. This is often because no repository or solution has been set up to manage cloud risk assessments, or because such a solution exists but is poorly configured and used, so it cannot support the execution of the cloud risk assessment service.
  • Cloud skills and bandwidth: whilst the principles of ‘risk and control’ are common, cloud brings with it great opportunities for enhanced controls but also specific risks (which are further nuanced across the different cloud service providers). This requires upskilling of the existing technology risk and control teams, and there is a current shortage of such skilled individuals in the market. This shortage creates capacity constraints, so upskilling of existing teams often ends up being a ‘side of desk’ activity.
  • Ways of working: the ability for the governance processes to operate at the same pace as the business is fundamental. However, it is often the case that lean processes, enabled by digital controls, are constrained by established ways of working, hindering the realisation of benefits initially expected through the adoption of cloud technology. 


Recommendations to ensure the safe and secure adoption of cloud technologies 

  • Risk assessments at the right level and in the right way: risk and control teams need to play a key role in assessments. For example, defining a holistic risk assessment at the platform level that services can consume when they use the cloud, rather than starting from scratch every time for each service. There are also better ways of monitoring risk and control activities related to these processes, by embedding relevant checks and feeds at the right position within delivery pipelines.
  • Cloud risk and controls taxonomy development and implementation: develop and implement a cloud risk and controls taxonomy through which businesses can identify and manage risks associated with using cloud, in a consistent and coherent way. The risk and controls taxonomy should encompass all operational risks and should be reviewed regularly to ensure latest developments (e.g. operational resilience) are reflected and considered by the teams which are following it.
  • Cloud risk appetite definition and measurement: define risk appetite for the use of cloud services and establish an ongoing monitoring capability to track cloud risk exposure across individual and thematic risks (e.g. concentration risk, exit planning). The risk appetite could either be defined explicitly for cloud or by revising the organisation’s existing risk appetites, considering the transition to cloud. It is important that monitoring is carried out on an ongoing, automated basis to enable timely decisions and ensure actions are relevant and proportionate to the latest organisational developments.
  • Cloud risk SME capability: develop capability of SMEs who can provide relevant and proportionate input depending on the materiality of the risks identified, whilst also considering the costs and benefits to the business. SMEs and accountable stakeholders should collaborate with cloud service providers and regulators on how to optimally manage risks. This can either be done by uplifting the existing capability of technology risk and control professionals through training or by complementing the existing capability through hiring cloud risk SMEs. There are pros and cons to both approaches which need to be evaluated, including impact to the team's culture, impact to delivery, financial costs, and more. 
  • Improved assurance mechanisms: develop better assurance mechanisms through which assurance over key controls is determined once and passed on to the various consumers of the services (i.e. cloud platforms). This avoids performing the assessment multiple times, and can be achieved through the use of automated controls rather than relying on ‘traditional’ methods, which requires clear understanding of what can be done with the automated feeds available across cloud service providers.
  • Risk and control mandate: establish and communicate the mandate by which the risk and control teams will enable the business to effectively assess and manage risks identified, in turn, supporting the delivery of business objectives. The mandate should clearly detail the scope for available support and should extend across both BAU and transformation activities.
  • Identity and branding of the risk and control team: establish the internal branding of the risk and controls team to act in an advisory capacity to the business, moving away from policing and enforcing the framework. Develop relationships between risk and control teams and the business by mutually defining and agreeing business objectives. Establish bi-directional lines of communication to provide feedback against a mutual set of objectives and ensure ongoing collaboration, including reporting of associated risks in response to relevant regulatory requirements. 

Pivoting to a digital risk and control mindset is hugely important for risk and control teams. Not doing so will result in less value being provided to the business and its customers, and can result in regulatory compliance challenges where risks and controls have not been effectively managed. Risk management should be a core component of technology delivery. By revisiting the approaches through which technology delivery and risk and control teams work together, and developing improved and traceable end-to-end risk management, risk becomes easier to identify, monitor and manage, equipping teams to make informed decisions more quickly.

If you would like to discuss the contents of this article with one of our experts, please get in touch below.

Key contacts

Tom Bigham

Partner

Tom is a Partner in our Risk Advisory team, with over 18 years of experience in governance, risk, and control advisory services. Tom is regularly quoted in industry publications and has led risk and control programmes across many of our largest clients, ranging from embedding new risk and control frameworks, operating models, and driving digital transformation of risk management using technology. Tom also leads our GRC (governance, risk and compliance) practice in the UK, helping organisations make better use of technology (such as GRC platforms) and changing how risks and controls are managed to be more proactive and automated.

Marios Papamichael

Senior Manager

Marios is a Senior Manager within Deloitte’s Risk Advisory practice. He leads a team of specialists responsible for the design and implementation of risk and control operating models and risk and control frameworks. He primarily works with risk professionals across the 1st and 2nd lines of defence, to design and implement their service offering, supported by the right organisational designs. By doing so he provides the required clarity regarding the split of responsibilities between 1st and 2nd line risk and control teams, enabling them to work in tandem and deliver compounding value to the business.

Rupert Hargrave

Senior Manager

Rupert is a Senior Manager in Deloitte’s Cloud & Digital Risk team within Risk Advisory. Rupert helps FTSE100 organisations deliver safe and secure digital transformation, specifically supporting businesses to adopt cloud technologies in a controlled and scaled manner. This includes successfully navigating new digital risk frontiers, reducing friction in governance processes to help businesses operate at pace and with agility, and providing confidence and technical assurance over the use and adoption of cloud services.