Is your risk appetite aligned with rocket-fueled digital transformation?

COVID-19 has resulted in many organisations prioritising and accelerating digital transformation investments. Tech-enabled businesses were able to move at speed to meet surging online demand. As companies expedited these plans, many considered cloud technologies to help support efforts. Before entering the cloud environment, management should assess whether its risk appetite that reflects the evolving business strategy and changes in supporting technology solutions. Where does your organisation stand in balancing risk appetite against accelerating digital transformation?

Looking back at the past year, many will realise that COVID-19 prioritised and accelerated their organisation’s digital transformation efforts and compounded the C-suite’s strategic investments in digital technology.  The pandemic brought companies’ vulnerabilities into sharp focus. One consumer-packaged-goods company saw its online orders go through the roof, only to have its operations descend into chaos as it tried to process and fulfill the surge.  Tech-enabled businesses, in contrast, were able to move at speed to meet surging online demand. 

As companies work to digitise at warp speed, they are using investments in cloud computing as both their foundation and rocket fuel. It's cost-effective to implement because it’s flexible and scalable, which facilitates capabilities otherwise not possible.  But moving to the cloud has both implementation and operational risks.  Organisations that see these risks clearly can take full advantage of cloud computing’s speed and agility. 

The pandemic’s impact 

As with many organisations, PwC’s workforce was forced to go fully remote early in the pandemic. Because our business model calls for highly mobile teams, we had already invested in enabling technologies, but we still had to move especially quickly to meet our clients’ needs in the new COVID-19 world. We accelerated investment in a new-generation cloud deployment process and new digital tools. As face-to-face discussions became remote workshops, we looked for more ways to automate services. 

We experienced firsthand what all companies are going through in these uncertain times: the need to navigate a complex balance of speed, safety, consumer centricity and compliance.  Doing so requires reliable, timely and complete information to make decisions, which is predicated on having digitised data and mature, technology-enabled processes. It’s here where cloud computing comes into its own—if companies understand that it’s not just the technology that has to be mastered. A move to the cloud requires companies to rethink their approaches to business and to business risk.  

The cloud imperative

Cloud platforms and adjacent digital tools bring organisations a new level of agility and flexibility. Cloud platforms can help deploy new digital customer experiences in days rather than months and can support analytics that would be uneconomical or simply impossible with traditional technology platforms. But here’s the hitch: As companies move increasingly to the cloud, less focus should be on the move itself and more on adopting a new mindset.  

Cloud migration necessitates a change in attitude in regard to risk and control because the company rethinks corporate responsibilities and accountabilities and, in many cases, depends on someone else’s design preferences.  Security, controls and compliance requirements change radically. As an example, instead of a constrained number of leaders with control over the enterprise, the transformational nature of cloud services means that identity and access may need to be completely rethought. 

The same applies to the skills within IT operations teams, in which skills developed for managing on-premises servers and applications must be adapted to provision services instead of hardware, and to orient processes towards consumption—not capacity.  Traditionally, IT budgets have included a significant component for capital expenditure (CAPEX) in technology. However, a move to the cloud requires changing how budgets are handled, because all cloud-based expenditure will be operations expenditure (OPEX). This can profoundly alter an organisation’s profit-and-loss account (P&L).

In sum, a move to the cloud is not just a lift and shift of technology; it affects how a company operates, interacts with partners and customers, forges partnerships between its business and IT leaders, and tolerates and manages risk. 

A clear eye to risk  

To mitigate security, resiliency and compliance concerns relating to cloud adoption, companies must be cognisant of both implementation and operational risks. Historically, the technology implementation lifecycle spanned years. If an appropriate risk lens was not applied during development, there was time to catch up before the technology launched.  Now, with third-party providers and automation and acceleration tools, deployments are rapid and risk oversight must be early and continuous.  Similarly, some automation initiatives are now independently business-led and -delivered with IT getting left behind.  

Both of these factors increase the chance that there is insufficient attention to associated risks, governance or controls during implementation. Operating in the cloud also brings inherent risks such as cybersecurity, third-party and data-privacy risks.  For instance, rather than data being correlated to a physical data center, it is now in a global cloud footprint where data collected or processed on a geographic instance of the cloud must remain there.

Entering a cloud environment clear-eyed about risks means holding rigorous discussions about the best mechanisms for aligning risk appetite with technology decisions. Instead of letting risks derail progress, CEOs should insist on a reassessment of risk appetite that reflects the evolving business strategy and changes in supporting technology solutions. Where does your organisation stand in balancing risk appetite against accelerating digital transformation?  Consider these questions: 

1. Have you comprehensively assessed anticipated changes to your business, IT and people processes as a result of adopting cloud-based technologies? Have you considered the downstream impacts that these technologies have on underlying operational processes, business and IT controls?
2. Has your organisation considered the security implications of moving to cloud-based applications or infrastructure services? Have you holistically considered the impacts to security design, data privacy, residency, storage, usage and access? 
3. Have you critically reviewed your business continuity and disaster recovery planning in the context of a cloud transition? Have you examined the primary cloud environment you are considering to determine its resiliency relative to your mission-critical applications and resources?
4. Have you drawn parallels between how your cloud solution providers (CSPs)—for infrastructure services and/or products—adhere to compliance standards that are relevant to your business? Are the gaps understood, and if so, what remediation plans do you plan to establish to mitigate such risks? 
5. What level of digital training and upskilling are you providing to your teams? Have you ensured that your training program has the right mix of technology and risk components to prepare your team for the emerging risks?