Table of Contents

Introduction ... 1
How Digital Risk Is Creating a Hyperconnected Business World—and a Fragmented Approach to Risk ... 5
How IRM and IRM Technology Bridge the Business Resilience Gap ... 14
Key Insights: Integrating ORM, ITRM, ERM, and GRC to Manage Digital Risk ... 18
Conclusion ... 21
About the Author ... 22
About AuditBoard

Introduction

Digital risk continues to be one of the fastest-growing and most pervasive risks for any organization. As businesses continue to accelerate their investments in digital transformation, digital risk—the inherent, unwanted, and unexpected risks manifested by technology—continues to proliferate. Many organizations have invested in digital transformation without making the needed investments in integrated risk management (IRM). To ensure that digital technologies can withstand widespread, complex digital risks, businesses face an increasingly pressing need to bridge the "business resilience gap" that results from risk management technologies and processes not keeping pace with rising risk demands.

Digital business investment continues to accelerate. IDC reported that worldwide digital transformation investment reached $1.8 trillion in 2022 [1], and McKinsey projected that the global value of IoT products and services will reach $12.6 trillion by 2030. [2] At the same time, the quality of digital business investment is highly suspect, and cyberattackers continue to find and exploit vulnerabilities in poor-quality software. Dark Reading found that 88% of codebases use open-source components that haven't been updated in the past two years [3], and Gartner (as reported by The Wall Street Journal) estimates that less than 50% of companies' APIs will be managed properly by 2025 because their growth will eclipse the ability of their management tools. [4] The financial impact is enormous: The Consortium for Information & Software Quality (CISQ) has estimated that the cost of poor-quality software in the U.S. has grown to at least $2.4 trillion. [5]

Risk manifested by technology in business operations is known as "digital risk." It is the risk associated with the creation, delivery, and use of new digital processes, products, and services. See "The Essentials of IRM" for a deeper dive.

[1] IDC, Worldwide Digital Transformation Spending Guide, 2022.
[2] McKinsey Global Institute, The Internet of Things: Catching Up to an Accelerating Opportunity, 2021.
[3] Dark Reading, "80% of Software Codebases Contain at Least One Vulnerability," 2022.
[4] The Wall Street Journal, "T-Mobile Breach Highlights Common Corporate Security Weakness," 2023.
[5] CISQ, Cost of Poor Software Quality in the U.S.: A 2022 Report, 2022.


Digital risk is creating a hyperconnected business world, as the use of technology extends well beyond an organization's four walls with digital products and services enabled by third-party organizations. But as digital business grows, so do third-party ecosystems and business disruptions—and the most disruptive and costly risk events across a range of industries typically involve a third party. Plus, organizations often lack visibility into or control over the technologies being used. New digital technologies often fall under the umbrella of "shadow IT," which includes IT-related automated devices, software, and services that are used and purchased outside the direct control of centralized IT organizations.

In today's business world, unique combinations of technology assets, business processes, and strategic objectives are utilized to bring digital business to life. However, unanticipated consequences of these combinations can lead to unwanted business outcomes. Examples are shown in Figure 1.

Organizations must work to bridge the gap that is created when risk management technologies and processes fail to keep up with the evolving demands of digital risk. We refer to this shortfall in risk management capabilities as the "business resilience gap." Business leaders that are able to bridge the gap can not only achieve stronger resilience against unwanted business outcomes, but also unlock untapped potential value to enable better performance, greater assurance, and more cost-effective compliance.

(Figure 1)


As AuditBoard's 2023 Digital Risk survey of 130+ risk leaders found, most organizations are struggling to mature their risk management capabilities. Digital risk expands as investment in digital transformation accelerates, and most organizations still have a highly fragmented approach to managing these new risks. Our survey explored the digital risk management programs and technologies that organizations currently rely upon to better understand their digital risk landscape and digital risk management maturity, integration, and technology adoption. Key insights include:

• Digital risk management is distributed across individual risk management programs.

• Maturity levels vary widely across the universally applicable risk objectives of performance, resilience, assurance, and compliance—particularly compliance (more mature) and resilience (less mature).

• Nine out of ten organizations are maintaining or increasing technology investments across all risk objectives.

• Eight out of ten organizations lack reportable metrics that impending regulatory changes will mandate.

To ensure that digital technologies can withstand the increasing risk coming from multiple directions—especially from evolving complexity in the third-party ecosystem—organizations must continue to increase risk management investment and maturity, particularly in the resilience space. To that end, AuditBoard's 2023 Digital Risk Report also focuses on how digital transformation itself is the key to effective IRM. By understanding common challenges, trends, regulatory impacts, and IRM best practices, you can help your organization mature its risk management capabilities to more effectively keep pace with the expanding spectrum of risk.


Digital Risk Report—Top Takeaways in 2023

79% of organizations lack reportable metrics that impending regulatory changes will mandate.

21% of organizations are not managing or monitoring third-party digital risk.

44% of organizations primarily use manual technologies (spreadsheets, email, shared drives, SharePoint) to manage digital risk.

93% of organizations anticipate maintaining or increasing their investment in technology for performance, resilience, assurance, and compliance in the next 18-24 months.


How Digital Risk Is Creating a Hyperconnected Business World—and a Fragmented Approach to Risk

As digital business grows, so does the vast nature of our digital and third-party ecosystems (e.g., vendors, suppliers, partners), our dependency upon them—and the resulting risk for potential business disruption and other unwanted business outcomes. Our survey results nevertheless show that most organizations have invested in digital technologies without prioritizing maturation of their risk management practices. Instead, they are relying on fragmented approaches and disconnected (often manual) technologies, processes, and activities that are not integrated into broader risk management or aligned with overall business operations. As a result, the business resilience gap continues to widen.

Furthermore, while digital risk is manifested across the business, it's often treated as an IT risk management (ITRM) problem. As shown in Figure 2, when risk leaders were asked to identify the functions responsible for managing digital risk in their organizations, more than 50% indicated "technology," and no other answer option received more than 17% of the vote. These results support the finding that organizations largely aren't connecting digital risk management with the other risk management program areas of operational risk management (ORM), enterprise risk management (ERM), and governance, risk, and compliance (GRC).

Who is responsible for managing digital risk in your organization?

(Figure 2)


These results are similar to last year's, with a slight increase in organizations entrusting their technology functions with this responsibility (up from 45% in 2022 to 50% in 2023). In addition, 83% of respondents associated digital risk management with groups other than business operations—an increase from 78% in 2022.

The increasing concentration of digital risk management activities in the ITRM space may signal that organizations are, at minimum, giving digital risk some degree of the heightened attention it deserves. But this tendency may not bode well for overall risk management effectiveness, since digital technology investments happen across the organization and often as shadow IT. Ideally, digital risk management should be more evenly spread across the organization and more focused in the business operations space, with collaboration enabled across the various groups.

IRM offers a better path forward, helping businesses to connect risks and teams across the business by linking strategic, operational, technological, and other risks with strategic business objectives. As we'll discuss later in this report, IRM can guide companies in connecting the dots on digital risk while supporting the needed digital transformation. But first, let's look at how this disconnected approach to managing digital risk is manifesting in and impacting organizations.

1. Digital Risk Management Is Lacking in Maturity

Organizations looking to get ahead of digital risk must advance digital risk management maturity. In the early stages, they're defining and assessing risks and establishing the required foundations for increasing maturity. This typically involves moving from manual, piecemeal approaches to automated, technology-enabled processes, and progressing from relying primarily on qualitative metrics to a more robust mix of qualitative and quantitative metrics. As organizations progress further along the maturity spectrum, they move to active risk mitigation and ultimately continuous risk monitoring.

Our survey asked risk leaders to rate their organizations' digital risk management maturity. As shown in Figure 3, maturity levels are all across the board.

How would you describe your organization's digital risk management maturity level?

(Figure 3)


When we zoom out, however, the big picture is sobering:

• Three out of four organizations report they are significantly lacking in maturity. This figure comprises 12% that do not manage digital risk, 19% that are still defining digital risk, and 44% that are at the point of assessing digital risk with quantitative and/or qualitative metrics. Interestingly, the number of respondents who reported being at the stages of defining or qualitatively assessing digital risk actually increased from last year's survey results. Readers may have expected the opposite trend, since lower results in those categories might herald increasing maturity. (In 2022, 10% were defining and 25% were assessing qualitatively.)

• Only about one in four organizations is on the mature end of the spectrum. This includes 15% of organizations that are actively mitigating digital risk, and 11% that are continuously monitoring digital risk.

2. Digital Risk Management Is Highly Fragmented

Effective management of digital risk requires understanding its full scope across the entire organization and its third-party ecosystem. Accordingly, an important element of advancing maturity is ensuring that digital risk management efforts are part of an integrated, enterprise-wide risk management approach that is closely aligned with business operations. Foundational to this approach is looking beyond technology risks (e.g., technical, cybersecurity) to understand potential risks across the business, breaking down silos, and helping to build organization-wide awareness of digital risk across functions. Most companies appear to be facing challenges in this area as well, as reflected in Figure 4.

How would you describe your organization's digital risk management maturity level?

(Figure 4)


Our survey results signal a shift to more companies addressing digital risk as part of the ITRM program area, with 44% of risk leaders reporting that digital risks are primarily addressed and reported within broader risk management activities by their IT and cyber risk management groups (up from 33% in 2022). This finding echoes the general concentration of responsibility in the technology function that we saw represented in Figure 2.

These results may indicate a siloed view of risk that focuses on technology risks over other business risks. We'll dive further into the potential problems and implications of this approach in the following sections.

3. Digital Risk Demand Is Outstripping Risk Management Capacity

While digital risk demand continues to increase exponentially, growth in risk management capacity remains slow. The reality is that fragmented, inflexible, and compliance-driven legacy GRC software simply cannot provide the connected risk capabilities needed to keep pace with digital risk—and as a result, most organizations are still relying on piecemeal manual processes, as shown in Figure 5.

What technologies are you primarily using to manage digital risk?

(Figure 5)


Comparing these results to 2022's findings, the number of organizations not managing digital risk reduced slightly, from 11% to 8%. Organizations using manual technologies for digital risk management—an approach that tends to be very time-consuming—actually increased, from 38% in 2022 to 44% in 2023. Use of on-premise or cloud-based risk management software, however, remained largely the same. In sum, nearly half of the organizations surveyed (48%) are still not leveraging available risk management technology solutions to advance digital risk management maturity.

4. Companies Lack Visibility on Third-Party Risk

One key way that third-party risk introduces more complexity is due to the sheer number of entities and technologies (relative to digital business activities) that organizations need to track and monitor. For most organizations, it's difficult to understand the full extent of the digital ecosystem that is part of the business.

Indeed, survey results indicated that organizations have limited visibility around where digital investments are being made (e.g., products, services, processes) and limited understanding of the risks those investments bring. This is where the complications of shadow IT come into play. Because organizations don't have the same centralized control and view on technology as in years past, the decentralized nature of digital business becomes more problematic.

Effective digital risk management requires improved visibility into the full scope of third-party digital risk. When risk leaders were asked about the processes used for managing and monitoring third-party risk, however, their responses (see Figure 6) show little progress from 2022.

How are you managing and monitoring third-party digital risk?

(Figure 6)


• Approximately 1 in 5 organizations (21%) are not managing and monitoring third-party digital risk. This is a small decrease from 2022 (26%).

• More than half of organizations rely on qualitative assessment approaches offering limited effectiveness. Specifically, 56% of risk leaders are relying only on qualitative risk assessments, with 24% basing their assessments on internal views of third parties only—an approach offering very limited effectiveness.

• Approximately 1 in 5 organizations are taking the most mature approach to managing third-party digital risk. Up slightly from 18% in 2022, 22% of risk leaders reported using the most mature approach (i.e., "Qualitative and quantitative risk assessment based on internal and external views supported by risk questionnaires, targeted audit, and independent data analysis [e.g., security rating services]").

The survey also asked risk leaders to identify their greatest challenge when managing and monitoring third-party digital risk. As shown in Figure 7, we see a fairly wide and even distribution across responses.

What is your greatest challenge when managing and monitoring third-party digital risk?

(Figure 7)

These results reinforce how third-party digital risk presents challenges across the organization, with business continuity and contract/SLA compliance tied for No. 1 and regulatory compliance and use of APIs (technology integration) fairly even. With regulators and standard-setters still determining the right path forward for environmental, social, and governance (ESG) reporting requirements, ESG isn't currently as high on most organizations' radar.

5. Companies Lack Reportable Metrics—Which Impending Regulations Will Mandate

Monitoring based on reportable metrics is a better overall process for digital risk management than relying on periodic risk assessments. But organizations continue to lag in their use of reportable metrics, even as impending regulatory changes will require swift adoption. Before taking a deeper dive on the expected cybersecurity disclosure requirements and their likely impact, however, let's examine the current state. As Figure 8 reflects, approximately four out of five organizations (79%) are not using reportable metrics to effectively manage digital risk.

Are you using reportable metrics to effectively manage digital risk?

(Figure 8)


This figure marks a small reduction from 2022 results (dropping from 84%). In other words, maturity in this area is largely not changing, though the risks most certainly are.

As shown in Figure 9, we also asked risk leaders to address how they use any reportable metrics that they do have.

Digital risks are manifested throughout the digital product/service development process. Identify the stages where you currently utilize reportable digital risk metrics.

It's striking that while 79% of respondents admitted not using reportable metrics in the previous question, only 41% of the same respondents offered the same response to this one. A portion of the disparity may be explained by the use of the word "effectively" in the prior question: Risk leaders may be aware that while reportable metrics are being used in certain stages of the process, they are not being used "effectively." Another possible explanation is that organizations often want to believe that the metrics they're using are reportable—when in fact they are not.

We also note increases across the board and a better overall distribution than in 2022. Most striking are the 10–20 percentage point increases for the use of reportable metrics in decision-making (from 17% to 34%), implementation (from 16% to 37%), and monitoring (from 30% to 44%). While use in planning also increased (from 28% to 34%), we would have expected to see a greater increase, given the importance of the opportunity for using reportable metrics to understand if and how goals are being met and where plans may need to change.

UNPACKING THE IMPENDING REGULATORY CHANGES

It's time for a reality check for the four out of five organizations that aren't yet using reportable metrics. Many will soon be forced to adopt reportable metrics by the U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure requirements expected in 2023.

Until recently, there has been no real urgency around using reportable metrics, with the "need" for them largely theoretical. But with finalization of SEC cybersecurity disclosure rules expected in 2023 for (1) public companies and (2) investment advisers and private funds, it's about to get real.

(Figure 9)


Immediate Reporting Requirements

Form: 8K
Timing: Four Business Days
Information:
1. When the incident was discovered and whether it is ongoing
2. A brief description of the nature and scope of the incident
3. Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
4. Effect of the incident on the company's operations
5. Whether the company has remediated or is currently remediating the incident

Private companies should not assume that these rules won't impact them. Similar legislation from the U.S. Department of Defense regarding version 2.0 of its Cybersecurity Maturity Model Certification (CMMC) and Wall Street financial institution overseer New York State Department of Financial Services—long a leading indicator of regulatory trends—attest that these cybersecurity rule-making efforts are part of much larger regulatory tides.

With that context in mind, let's take a closer look at the proposed SEC cybersecurity disclosure rules for public companies, which are representative of similar legislation. A critical aspect of both the immediate and periodic reporting requirements is being able to determine the materiality of a given cybersecurity incident. Within four business days of a material incident, organizations would need to identify, quantify, and describe material incidents and their operational impacts in public disclosures via Form 8-K. Materiality—understood in financial terms—would be the trigger for disclosure. See Figure 10 for additional details.

Material Cybersecurity Incidents

(Figure 10)

Periodic Reporting Requirements

Form: 10Q and/or 10K
Timing: Quarterly and/or annually
Information:
1. Same as required information on immediate reporting
2. Include any previously undisclosed, immaterial cybersecurity incidents that are clearly related and have become material in the aggregate
3. Include any updates on individual material cybersecurity incidents


Without reportable metrics in place, organizations either won't be able to determine whether an incident is material or will have to rely on ad hoc means to do so. This becomes a risk in and of itself, because organizations that are not consistently applying or measuring materiality may end up disclosing something that isn't material—or not disclosing something that is.

Cybersecurity Risk Management & Governance (Figure 11)

Risk Management Requirements

Form: 10K
Timing: Annually
Information:
1. If the company has a cybersecurity risk assessment program and description
2. Use of consultants and/or other third parties in cybersecurity risk assessment
3. The company's cyb
