Risk management for a digital world

We’ve all heard the age-old carpentry adage “measure twice, cut once.” It’s excellent advice on the surface, but it also speaks to the more profound importance of proper planning and attention to detail on a macro level.

When it comes to software development, the field has its own set of planning principles, commonly known as the software development life cycle (SDLC):

• Planning: It starts with a project plan, looking at the market for the product or service, and getting feedback from those who will purchase it as well as from industry experts. An identification of the potential risks in the project is done with the goal of implementing the project with minimal risks.
• Requirements Analysis: Lists the design requirements of each software feature and capability that the software must include within its full implementation.
• Design and Prototyping: Architects develop one or more design approach plans, identify key technologies to use and desired toolsets to develop the product.
• Software Development: The product begins software development. The features are implemented that the previous requirements and design phases established.
• Software Testing: Quality assurance finds and reports software defects and retests.
• Deployment and Maintenance: The product releases to the market. As necessary, software defects are remediated, and new product features become available based on market feedback.

Of course, one of many differences between building a house and building software is that building software is a decidedly non-linear process. Typically, the final product is often designed, built and then redesigned before ultimately being deployed – after which it can often be redesigned and rebuilt all over again. And that’s where another age-old adage comes into play: An ounce of prevention is worth a pound of cure.

Digital Risk Management (DRM) is a more encompassing and modern view of Governance Risk Compliance (GRC), Enterprise Risk Management (ERM) and Integrated Risk Management (IRM).

A comprehensive DRM approach helps developers get ahead and stay ahead of potential risk by extending traditional GRC/ERM/IRM capabilities through new tools and techniques. It also amplifies the expertise of risk professionals by enmeshing risk management into operations and technology with unprecedented detail – defining the state of the art while also strengthening the enterprise and shoring up the bottom line.

DRM is a transformational initiative – not only in terms of creating an innovative digital transformation but also in terms of changing the organisation’s strategic orientation and organisational focus.

It can be an integral part of the organisation’s culture that helps executives govern, identify and protect against relevant organizational risks, and enable monitoring and evaluation of how effective governance and risk management controls are – and how well they’re followed.

When implemented properly, the DRM system has several practical advantages that can lead to tangible gains for your organisation:

• Better Decision Making: Board and C-Level staff often have near real-time analytic dashboards of corporate risk and compliance at all times.
• Increased Efficiency and Transparency: Staff at all levels will feel empowered to identify all potential risks throughout the organization.
• Automation of Tasks: Time-consuming tasks can become part of a digital process. Rather than run quarterly or monthly, these processes can be run frequently to spot risks and anomalies sooner rather than later.
• Active, Ongoing Risk Management: Risk becomes part of the development process, from planning to development and testing quality before any product is released to the market.
• Identification of Overlapping Redundancies: Processes once housed with different silos can be condensed into one process.
• Increased Organisational Competitiveness and Agility
• Cost Reduction: Staff is free to monitor dashboards rather than just crunching numbers.

GRC is traditionally a manual process that has yet to become a fully digital process, but by implementing DRM principles, organisations can benefit from many of the same efficiency gains. Of course, as your technology portfolio broadens and more processes are automated, it’s important to ensure you aren’t unknowingly creating new security vulnerabilities.

In business, the constant push to do something new can sometimes mean skimping on documentation and auditability, leaving those hidden trails at the edges – where your organization might even have fluid staff movement in the form of subcontractors.

The emerging DRM philosophy already addresses these with informational material and more tooling via various GRC platforms and services that can assess, let alone implement, within any reasonable timeframe.

One of the goals for DRM is to become an active and transparent stakeholder and participant within your SDLC lifecycle. To accomplish this, DRM embeds staff within development’s Agile/DevOps processes.

Much as there is more transparency and less of a “them versus us” mentality with integrating DevOps and Agile, DRM has the same potential.

Of course, like any large-scale organisational transformation – digital or otherwise – the shift to DRM shouldn’t be taken lightly. While adopting DRM might be little more than a quick step within your organisation’s existing growth goals, a few new tools, processes and roles will help accomplish those goals.

With all great endeavors, it may take a bit more effort, but the best way forward for most companies is to partner with an experienced DRM vendor that will understand all the moving parts, as well as how they need to intertwine to develop a DRM strategy that serves your unique business case.

Boris Khazin is global head of Governance, Risk and Compliance Services at EPAM Systems