In response to the growing cyberthreat, rapid technological change and opportunities for digital innovation, second line functions are beginning to recognise that their mindset needs to change. Technological advancement is an unstoppable force. Customers will demand innovation. It is therefore essential that risk, compliance and security teams are not viewed as too risk averse and rather become enablers of innovation. There is always a balance between risk and reward. Risk and compliance teams have a critical role to play in ensuring the organisation gets this balance right. For many, the medium-term risk of not innovating may be more significant than the shorter-term pain associated with adverse events arising from the risks that the business is controlling tightly.
Digitalisation Meets Risk & Compliance
Over the past few years, security teams have acknowledged that their mentality has had to change. They used to be seen as a function that blocked requests from the business; they now acknowledge that their role is much more about working out how to best manage the risk while embracing changes the business leaders want to push throughout the organisation. “Bring your own device” was a classic example of something that many security functions looked to block before recognising that their role was to help manage the risk. The majority of organisations now allow these devices and manage the risk was to a greater or lesser extent.
Risk and compliance teams also need to recognise that they too have a role to play in ensuring organisations are able to benefit from digitalisation projects and embrace new technologies. At the same time, risk and compliance teams need to ensure that risks are understood, assessed and managed and that regulations are met. The key is recognising that there are many ways to embrace most technologies and manage risk together. Risk management does not always mean risk avoidance. The risk associated with a pilot or proof-of-concept project can often be managed without completely locking down the technology. It is also worth noting that many of the regulations are not as prescriptive as many might assume from the restrictive policies and standards that the business has put in place.
To add value, second line teams need to be actively engaging with the business leaders to provide guidance and advice during the planning phase of a project using emerging technologies. If they are not consulted, there is a significant likelihood that technology will be implemented without the risks and regulations being fully considered and without the appropriate controls in place. It is essential that when consulted, the second line does not make it difficult for the business to be agile. To do this well second line functions will need to anticipate the future demands of the business, and have an opinion on the use of the new technology and the associated risks. The team will be familiar with rules and regulations around the world and will be able to provide guidance to the business on how best to harness the new technology and manage the risks. The difficult questions will already have been asked, and the rules of engagement defined. When this process works well, the second line becomes a valued partner, which is empowering the business rather than being viewed as a barrier to change.
To date, many second line functions have not been good at anticipating the demands of the business and are not as well informed as they could be when fully engaged. Without adequate knowledge and preparedness, the risk and compliance function is forced to tilt more heavily toward risk mitigation, often at the expense of speed and innovation. Leaders are recognising the need for this to change, however.
Without clearly defined policies, guidance and opinion on the risks new technologies poses, the business moves forward without realising the value of or need for consultation with the second line. It is critical that risk and compliance functions stay abreast of emerging technologies and ensure that they are engaged by the business as it looks to evaluate new technologies such as biometrics, AI, robotics, blockchain, virtual currencies and much more.
Key questions for risk and compliance functions to consider :
With more advanced consultation and active engagement, the risk and compliance function can more effectively fulfil its mission to ensure that the organisation’s risks are managed and adequately controlled and avoid the internal and external consequences of failing to act.
. . . Consequences of Failing to Act
When assessing the organisation’s preparedness for pursuing each of the digitalisation objectives, they should consider the questions below :
. . . Digitalisation Objectives and Considerations
- What information is the organisation currently storing and using, and what types of information should it be collecting?
- What information would customers expect to be stored, and how would customers expect this information to be used?
- Other personal data often has more value on the black market, as it does not need to be exploited immediately to obtain the value. For example, it is hard to change biometric data. GPS data can also be misused, as it provides a lot of information about a person. What is the organisation’s view on capturing and using GPS information on smartphones to learn more about the consumer? When is it allowed and appropriate to collect and use that data commercially?
- What is the organisation’s view of customers using Siri and Alexa to access account information? Does the organisation have a view on access limits?
Digitising Products & Services
- What is the organisational view on the use of robotics for risk-based decisions and at what stage do humans need to be involved?
- What level of understanding is required of the rules that are being applied by systems using AI to make decisions?
- Is there a limit articulated for when and how the organisation uses customer data?
- Have rules of engagement been defined when the business is looking to collaborate with technology companies that might become competitors? What information can we share?
- How will virtual currencies impact the business?
- Does the business have a clear view of the use of blockchain technology?
- Do any countries still require physical signatures to evidence contracts? How might this impact plans to use blockchains to replace traditional contracts?
Business Analytics & Decsion Science
- Does the company have policies around data sharing, data storage and the use of the cloud?
- What restrictions should the business put in place on the utilisation of AI? Are there ethical considerations? For example, would it be appropriate to train an AI engine to support recruitment decisions? Might AI result in an organisation unknowingly not selecting candidates on certain criteria that a business would never knowingly discriminate against? Is not understanding the rules ever a defence?
- What policies and/or rules exist to ensure that all AI is subject to the appropriate validation and/or testing? What ‘black boxes’ exist in the organisation?
- Customers are demanding faster decision making and approvals for new products, which will require firms to undergo radical change. Is the business effectively assessing the risk of not making these changes, or is the focus only on the operational risks associated with making the change?
- Automating processes can improve operational efficiency but brings additional risks that need to be consider and managed. Does the organisation have a view on where those boundaries lie?
- Are there laws and regulations firms need to comply with that impact the digital strategy?
- How is the use of technology going to be regulated?
- How are regulators responding to new technologies, and what new rules are expected?
- How are regulations likely to vary between jurisdictions?
- Does the organisation have processes in place to consider the regulatory mood and direction for any products and services based on new technology?
The velocity and rate of change of digital innovation is an undeniable disruptor to many traditional businesses. New technology is enabling new products and service channels that adapt to changing customer behaviours, as well as driving efficiencies and creating competitive advantages.
Risk management and compliance functions need to evolve. They need to engage with the business, anticipate how technology could/will be used, understand potential implementation timelines, conduct more research and define policies and/or guidance where necessary.
Fundamentally, risk and compliance functions need to get to a point where the business is looking to engage with them because they value their advice. If leaders of digitalisation initiatives believe that the second line will guide them effectively on how to embrace technologies in a risk-managed way and not create barriers, they will consult. It is essential that the second line is seen as empowering and guiding, not blocking. In summary, they need to redefine the rules of engagement and advise the business how to do something rather than provide many reasons why it should not.
How Protiviti Can Help
Protiviti has developed a digitalisation/digital transformation framework that provides a high-level overview of how we help our clients fulfil their goals and objectives. In the graphic below, the vertical columns represent the problems that we are seeking to help our clients to solve; the horizontal bars explain how we help.
Protiviti is working with the leaders of risk and compliance functions to help them transform and become more forward-looking and prepared for the opportunities and challenges a digital future holds. These include :
- Educating risk and compliance functions on the latest technological trends
- Providing training on risks and controls within the digital arena
- Providing guidance on how to manage the digital risks and promote business innovation
- Helping organisations ensure that policies are fit for purpose in the digital age and not inadvertently stifling innovation
- Advising on how to transform into a digital function that proactively collaborates with the business
- Helping with their digital strategy and forming an opinion on the latest trends
Digitalisation provides an opportunity for risk and compliance functions to engage with the right people and help their organisation embrace digitalisation in all its technological guises to face the future with confidence. It also provides the second line functions with opportunities to embrace these emerging technologies to improve performance and to manage escalating costs. These opportunities should also not be overlooked.