Deloitte-SMU study concludes that a risk-intelligent approach is needed to harness the full benefit of digital transformation

Singapore, 25 October 2021 – With the proliferation of digital transformation programmes, new research by Deloitte Southeast Asia (“Deloitte”) and the Singapore Management University (“SMU”) has revealed the polarising view of risk amongst organisations with different digital maturities, and the opportunities that organisations can seize to enable them to manage aspects of governance, risk and compliance (“GRC”) more effectively.

The findings unveiled that digitally mature organisations have more structured and intentional risk governance frameworks, which are characterised by four markedly different traits further discussed below.

The report, “Adopting a risk-intelligent approach to digital transformation: Four traits of digitally mature organisations”, is a joint effort between Deloitte and SMU’s School of Accountancy Research Centre (“SOAR”). Conducted between the second and third quarters of 2021, the findings were derived from a survey of 48 Singapore-based executives as well as an in-depth interview with a Singapore-based executive to understand how GRC aspects of digital transformation are operationalised.

Survey respondents have been segmented into three categories according to their self-reported levels of digital maturity:

Leaders – The most digitally mature organisations, quite or very advanced progress in digital transformation

Chasers – Organisations who are neither the most nor the least digitally mature, moderate progress in digital transformation

Explorers – The least digitally mature organisations, not very advanced progress in digital transformation

Trait 1: Leaders are more likely to recognise the importance of a formal and proactive governance body for digital transformation programmes

The presence of a formal governance body or committee for digital transformation programmes is more prevalent with Leaders (65%), compared to less than half (49%) of all survey respondents reporting the same. Promisingly, half (50%) of survey respondents who reported not having a formal governance body or committee have indicated that their organisations are likely to consider setting one up in the future. This shows that organisations understand the importance of having such a body or committee.

In addition, more than two-thirds (70%) of Leaders indicated that the governance body or committee should play a proactive – rather than a reactive or ad hoc – role in the organisation.

In terms of overall leadership, the majority of Leaders (72%) indicated that such governance bodies or committees are typically led by either the CEO or CIO of their organisations. However, overall sentiment hinted at low confidence in how existing organisational bodies or committees function in practice, particularly in terms of having adequate leadership support, aligning digital transformation plans within strategy, reporting to top leadership and guiding risk management in relation to digital transformation initiatives.

“An increasing number of organisations have recognised the importance of addressing risks and opportunities alike brought about by digital transformation, and the appointment and role of Chief Digital Officers is becoming more common. This role is key to provide leadership and oversight over all aspects of digital transformation activities, including defining the risk appetite, monitoring risk exposure and driving an enterprise-wide approach to manage digital risk,” says Mr David CHEW, Risk Advisory Regional Managing Partner, Deloitte Southeast Asia.

Trait 2: Leaders are more likely to regard technological readiness as their weakest link in the governance of digital transformation programmes

The top three risks to digital transformation identified by Leaders are cyber risk, data security risk and technological risk. For Explorers, while they similarly prioritised cyber risk and data security risk, they appear to be more concerned about third-party risk and operational risks than Leaders and Chasers. This may be attributed to a higher reliance on external technology vendors rather than in-house technology teams, given Explorers’ relatively lower levels of digital maturity.

In terms of the effectiveness of their organisations at managing these risks, survey respondents generally consider their organisations to be the most effective at managing the risks that they perceive to have increased the most – specifically cyber risk, data security risk and technology risk. However, there is a discernible mismatch for Explorers who reported that their organisations are least effective in managing the risks that have increased the most for them, specifically third-party and operational risks.

“There are significant opportunities, especially for organisations that are less digitally mature, to recalibrate their risk management efforts such as by initiating a thorough risk assessment, in order to better focus on the risks that they perceive to have increased the most,” says David.

For Leaders, the top three weakest governance links are technological readiness, mindset readiness and multiple decision-making points. In contrast, technological readiness was a distant third place for Explorers, along with technological skillsets. Across the board, the results highlight that structural capabilities, such as the ability to deal with complexity and manage decision-making processes, are basic hygiene factors for the governance of a digital transformation programme. It is only when these capabilities are in place that an organisation can move on to consider issues relating to the technology itself.

Trait 3: Leaders are more likely to place the ownership of risk identification and monitoring activities of digital transformation programmes with individual business units

The majority of respondents (88%) recognise that risks associated with digital transformation programmes are both operational and strategic in nature. Where Leaders differ is in the ownership of the risk identification and monitoring activities. While individual business units (41%) and enterprise risk management functions (41%) were the two most commonly identified owners for risk identification and monitoring activities across the board, Leaders were more likely to place the ownership of the risk identification and monitoring activities with individual business units (45%) than their enterprise risk management functions (40%).

“Organisations can take steps to develop a risk-intelligent culture through training and education, so that individual business units are able to bear the primary responsibility for risks originating within their day-to-day operations. This facilitates an enterprise-wide view of risk, and enables the functions of enterprise risk management, compliance and internal audit functions to focus fully on their roles – that is, providing objective assurance, as well as advising, monitoring, and reporting on the effectiveness of the organisation’s risk programme to management,” says Lee Kong Chian Chair Professor CHENG Qiang, Dean, School of Accountancy, SMU.

Trait 4: Leaders are more acutely aware of the regulatory compliance complexity of their digital transformation programmes

The majority of respondents (66%) either strongly agree or agree that regulatory compliance has become more complex as a result of digital transformation initiatives. This was especially pronounced amongst Leaders, of whom 85% either strongly agree or agree with this statement. In contrast, the majority of Explorers (58%) were either neutral or disagreed with this statement.

Leaders were also more inclined to perceive regulatory non-compliance to be posing a high or extremely high risk, with 60% of them expressing this opinion. The majority of Explorers (67%), on the other hand, considered this only to be of medium or extremely low risk.

Where managing regulatory compliance is concerned, 85% of Leaders believe that their organisations have managed the regulatory compliance aspects of their digital transformation programmes well or very well, whereas 58% of Explorers are either neutral or unaware of how well their organisations have managed the regulatory compliance aspects of their digital transformation programmes.

Leaders appreciate the benefits of regulatory technological tools, with more than half (60%) of them indicating that such tools are either effective or extremely effective. This is in stark contrast to Explorers, of whom the majority (57%) have taken a neutral stance. In addition, while all Leaders have adopted such tools, a significant proportion of Explorers (28%) and Chasers (21%) either do not know or have yet to adopt these tools.

“Organisations can no longer continue to exercise risk oversight in silos that limit management and the board’s view of risk. As digital transformation programmes proliferate, organisations must adopt a more risk-intelligent approach that provides a clear line of sight not only into the risks, but also the opportunities that digital transformation presents. The irony is that the barriers of digital transformation are no longer technology related – they are about culture, skillset, executive, capability and the ability to manage risks. This calls for boards to foster the adoption of risk-intelligent views, policies and processes by setting a strong tone-from-the-top, and ultimately, capture the full benefits that digital transformation brings whilst mitigating the risk of potential losses,” says Ms SEAH Gek Choo, Centre for Corporate Governance Leader, Deloitte Southeast Asia.