
Emerging digital risks for the CxO to look out for in 2023

December 8, 2022

If you are a bank or financial institution that handles sensitive information, odds are that you face various threats to compliance, privacy, and similar areas. With new technologies being introduced, this article looks at emerging digital risks and compliance issues in existing IT systems, cross-enterprise integration, process impact, and blockchain adoption, and discusses tools that can provide new insights, such as graph information and new security analytics.

Understanding the Risks

The key digital initiatives in the banking, financial services, and insurance (BFSI) sector for 2023 include an online platform called the Cyber Risk Matrix. An organization’s risk management function needs a detailed understanding of the constantly evolving risks as well as the practical tools and techniques available to address them. Cyber risk is a risk related to “financial loss, disruption or damage to the reputation of an organization from some kind of failure of its information technology systems”. Any company can use the same matrix and focus on the areas specific to it.

Infrastructure Risk

As large businesses continue to adopt cloud infrastructure and approaches, there is a pressing need for IT to implement cyber risk management measures that tackle cybersecurity risks. New technologies bring productivity gains, but sometimes at the cost of data security. This situation demands an integrated cyber risk management approach that addresses all cybersecurity risks and threats in cyberspace.

Security Tools and Analytics

Cyber risk management platforms leverage multiple security technologies, such as SIEM, advanced and next-generation networks, endpoint security, and DLP, providing deeper analytics and insights for an integrated approach that covers the overall threat lifecycle and addresses cybersecurity risks holistically.

A cyber risk matrix is a tool that helps organizations assess and prioritize their cyber risks based on the impact and likelihood of different scenarios. 

Four components of a cyber risk matrix

  1. A list of cyber risks that could affect the organization’s information assets, such as 
    • Data breaches
    • Ransomware attacks
    • Phishing scams
    • Denial-of-service attacks
    • And others
  2. A scale of impact that measures the potential damage or loss that each risk could cause to the organization’s 
    • Reputation
    • Operations
    • Finances
    • Legal obligations
    • And others
  3. A scale of likelihood that estimates the probability and frequency of each risk occurring, based on factors such as
    • Threat sources
    • Vulnerability levels
    • Existing controls
    • And others
  4. A risk score that combines the impact and likelihood of each risk, using a formula or a matrix, to rank the risks from high to low and determine the appropriate response or mitigation strategy.
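The four components above, combined into a scored and ranked risk register. This is an added example, not part of the original article; the 1-5 scales, the worst-dimension impact rule, the control adjustment, the band thresholds, and the sample ratings are all assumptions.

```python
from dataclasses import dataclass

# Assumed band floors on a 5x5 matrix (score = impact x likelihood, 1-25).
BANDS = [(15, "high"), (8, "medium"), (1, "low")]

@dataclass
class Risk:
    name: str
    impact: dict        # component 2: per-dimension impact, each rated 1-5
    threat: int         # component 3: threat source rating, 1-5
    vulnerability: int  # component 3: vulnerability level, 1-5
    controls: int       # component 3: reduction from existing controls, 0-4

    def __post_init__(self):
        for v in (self.threat, self.vulnerability, *self.impact.values()):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: rating {v} is outside 1-5")
        if not 0 <= self.controls <= 4:
            raise ValueError(f"{self.name}: controls must be 0-4")

    def impact_score(self) -> int:
        # Assumption: the worst-affected dimension drives the impact rating.
        return max(self.impact.values())

    def likelihood_score(self) -> int:
        inherent = (self.threat + self.vulnerability + 1) // 2  # mean, rounded up
        return max(1, inherent - self.controls)  # residual likelihood, floor 1

    def score(self) -> int:  # component 4
        return self.impact_score() * self.likelihood_score()

def band(score: int) -> str:
    return next(label for floor, label in BANDS if score >= floor)

def rank(register):
    rows = [(r.name, r.score(), band(r.score())) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register (component 1); ratings are illustrative only.
REGISTER = [
    Risk("Ransomware attack", {"reputation": 4, "operations": 5, "finances": 4, "legal": 3}, 4, 4, 2),
    Risk("Data breach", {"reputation": 5, "operations": 3, "finances": 4, "legal": 5}, 4, 3, 1),
    Risk("Denial-of-service attack", {"reputation": 3, "operations": 4, "finances": 2, "legal": 1}, 3, 2, 2),
    Risk("Phishing scam", {"reputation": 2, "operations": 2, "finances": 3, "legal": 2}, 5, 4, 1),
]

if __name__ == "__main__":
    for name, score, label in rank(REGISTER):
        print(f"{score:>2}  {label:<6}  {name}")
```

Note how the phishing entry outranks ransomware despite a lower impact rating, because weaker existing controls leave its residual likelihood higher.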

Risks during Inter-company Integration

Inter-company integration is the process of combining or aligning the operations, systems, and culture of different entities within the same group or organization. It can involve various aspects such as finance, accounting, human resources, IT, sales, marketing, etc. Some of the risks involved are:

  1. Not realizing the expected synergies, value creation, and financial performance goals that motivated the integration in the first place
  2. Facing difficulties in reconciling and reporting inter-company transactions, balances, and agreements across disparate software systems and accounting standards
  3. Encountering complex inter-company agreements that require legal, tax, and regulatory compliance and transfer pricing adjustments
  4. Experiencing operational disruptions, data loss, or security breaches due to incompatible or outdated IT systems and infrastructure
  5. Facing resistance, confusion, or dissatisfaction from employees, customers, or suppliers due to cultural differences, communication gaps, or role changes

Integration risks are not limited to the IT-related or system-level issues that appear when one changes the system support for an operational scenario. Let’s list them all and look at the possible mitigation strategies for each one.

IT Systems

IT systems are a vital part of operations, and it is impossible to conceive of an operational landscape without such support. Changing something at the operations level that forces existing or incoming systems to integrate in a different way, or with different systems, is itself a serious risk. To mitigate this issue, one needs to:

  1. Identify technical owners for each of the involved systems, with a minimum competency set and relevant experience, that have enough ownership to provide actual support to any modification and information request related to the information being exchanged and the processes that generate, trigger and process these flows
  2. Include technical owners in all project stages, promoting clear and global information about the process, the information, events, and requirements to all stakeholders
  3. Create clear, stable test environments that replicate all involved systems in the process change, assuring team ownership about those systems and the processes required to generate and validate required data
  4. Design complete integration testing scenarios validated and approved by all relevant technical owners, which must be executed in at least two different test cycles by different testing teams, with evidence collection and validation
  5. Execute load tests on relevant scenarios to assure interface stability, performance, and resilience

People Risks

People tend to resist change, all the more so if that change entails increased responsibility, service level improvement, cycle time reduction, or activity proliferation. To mitigate this, we need to seriously engage in managing the impact on the people involved. Some of the key considerations are:

  1. Involve people early in the process. The later one engages them, the more susceptible they will be to imagining the wrong things about what’s about to change
  2. Be clear, concise, and transparent about what’s changing. If one does not know what exactly is going to change, be clear about the areas that will be affected and the schedule that will bring on that change
  3. Invest in creating multiple layers of engagement, to assure knowledge transfer and promote change selling. Focal points who are deeply engaged in the change process are extremely useful in passing on the appropriate message and allow you to scale training quickly
  4. Training is never enough, so be sure to create appropriate training schemes and schedules that should be executed as close to the change date as possible.

Process Risks

Changing a process, for whatever reason, means that one will do either new things or change the way it is already being done. Either way, there are critical integration aspects at the process level that one needs to focus on:

  1. Pilot all activities in real-life scenarios, to assess if they will have adequate performance and information at every step of the process. If not, put in place the tools, interfaces, training, and information for each activity to reach the intended results
  2. Check if all information is available at the right time in each activity. Check if the source of that information is reliable and accessible. Otherwise, cross-check the people and system risks to ensure appropriate information on the right spot at the right time
  3. Check whether the information generated in each activity reaches its target, that is, whether people are forwarding the required information to the right target at the right time
  4. Assure that you have activity level and process level monitoring tools and metrics that tell if exceptions occur. Check if performance is up to par with relevant KPIs
  5. Perform an upstream and downstream consistency check. This is to ensure that the requirements and results of the process meet the benchmark set by the stakeholders

Applying these strategies when changing an operation ensures that we eliminate integration risks. Everyone involved can approach change with confidence.

Graph Information in Risk & Compliance

Graph information in risk and compliance can help organizations to:

  1. Get a holistic and comprehensive overview of your risk and compliance landscape, e.g., involved companies, relationships, transactions, events, and regulations
  2. Identify and monitor potential risks, threats, and vulnerabilities, such as fraud, money laundering, cyberattacks, etc. Detect the patterns, anomalies, and behaviors in graph data
  3. Improve and automate their risk and compliance processes, such as due diligence, audit, reporting, remediation, etc. Integrate with existing systems and tools and leverage Graph APIs
  4. Improve their risk and compliance performance, efficiency, and accuracy. Use graph analytics to generate insights, recommendations, and actions based on graph data

Legal and Regulatory Risks in blockchain implementation

There are general risks associated with blockchain development, such as underdeveloped standards, high energy demand, data privacy, and legislation. Other risks include trusting blockchain managers and developers, transaction speed, and malicious users. Apart from these, there are legal risks that are more severe. Laws must be enforced to protect users when blockchain technology is implemented. Governments are also keen to govern the new technology centrally, and they make these rules to protect the interests of the user and the service provider.

Data Privacy

Data privacy is the biggest concern when it comes to distributed ledger technology. By nature, different geographies store a copy of this data. It means that it can easily fall under a massive multitude of jurisdictions — making data privacy a very complex subject.

The GDPR regulation is aimed explicitly at EU citizens. Another thing that makes data privacy complex is the fact that data on the blockchain is immutable. No user can, under any circumstances, remove information from the blockchain database once it is stored.

Jurisdiction and Dispute Resolution

Jurisdiction and dispute resolution are big concerns. A distributed ledger is all about a decentralized network, which makes applying jurisdiction an inevitable problem. Smart contracts can be programmed to help avoid violations of jurisdiction, but the challenge is to enforce the use of jurisdiction. The process of dispute resolution is also challenging and remains unresolved. Overall, it is tough to resolve these issues considering the nature of DLT.

Regulatory Risks

The last blockchain legal risk is regulatory risk. Governments have to pass regulations for DLT. In some cases, states are also empowered to make their own regulations, which can make things more complicated. With the rise of digital currencies, it is common to have federal regulations that protect the interests of users and keep the economy in balance. There are also security risks associated with blockchain.

People and Technical Risk

Human-Related Risks

A decentralized blockchain has to interact with humans in order to work correctly, and that interaction brings new blockchain security risks. Hackers can steal credentials while a user is interacting with the computer. This happens only at endpoints, which makes them the place where blockchain is vulnerable.

Risks with Private and Public Key

The whole idea of blockchain or distributed ledger technology relies heavily on public and private keys. Because the keys are difficult to guess, hackers try to obtain them by attacking the weakest point, which can be a mobile device or a personal computer.

Vendor Risks

Many ad-hoc platforms and services work with DLTs to improve their functionality. Scan third-party vendor platforms for vulnerabilities to avoid issues at run time. Security risks can arise from bad code, weak security, and mishandling by people. Vendors must ensure that smart contracts are free from all kinds of flaws or security loopholes. If there is one, it can easily have a system-wide effect.

Untested Code

The quality of the code remains a big concern for most blockchain solutions. Decentralized organizations need to take extra care when they deploy their solutions. One such example is the Decentralized Autonomous Organization (DAO). It is an autonomous system that automates part or all of an organization.

Not Tested at Full Scale

Run DLTs on a small scale before going live. To test a DLT, developers need to use a “testnet”, which simulates the network and allows a wide range of tests. However, it does not cover the issues that can arise at full scale.

Final Thoughts

As an organization, you need to understand that risk and compliance play an important role in securing data and governance as you execute digital transformation initiatives. Alongside the IT transformation, people and processes are equally important to establish safeguards during inter-company integrations. 

Grep Digital helps businesses to adopt the best technology practices to maximize their return on investments. Connect with us to partner in your digital transformation journey.
