Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​A Board's Eye View of Digital Disruption

Organizations fear keeping up with born-digital competitors.


Comments Views

At the end of every year, North Carolina State University and Protiviti publish a survey report on the enterprise risks occupying the minds of board directors and corporate executives for the following year. The Executive Perspectives on Top Risks report is always worth reading, and the 2019 edition does not disappoint.

What’s topping the charts for this year’s risks? Fear that the organization’s existing operations and technology won’t match performance expectations, especially against “born digital” competitors. That’s no surprise. Taxis vs. Uber, hotels vs. Airbnb, broker dealers vs. robo-advisors — even the record industry vs. iTunes, a bit further back in history. Fear of more nimble, next-generation competitors, while your own organization is too hide-bound to get out of its own way, is not new. 

So how should boards approach digital transformation? “It’s something we talk about all the time,” says Tom Richlovsky, audit committee chair of United Community Banks (UCB), a regional bank based in Georgia. A generation ago, UCB would never find itself squeezed by fintech startups or global banks courting everyone with a mobile phone. Today, UCB does. As Richlovsky says: “We have a front-row seat to how digital disruption operates.” 

The Strategic Threat

First, let’s appreciate what happens with digital disruption. Born-digital firms can be so disruptive because they build business models for existing problems with dramatically less commitment to physical assets. That’s the economics of it. 

What happens operationally is a bit more nuanced. Digital firms can be more nimble because they are less bound to specific ways of doing things. Code is code, after all; if you don’t like how it works, you can change it.

So digital firms are less committed to physical assets, and they can pick off specific problems in a business, introducing whatever new solution they want. That’s how they disrupt the business models of established companies. They provide new choices to customers, who often  depart the organization’s model for the upstart’s. 

A big part of success at digital transformation, then, involves close observation of the organization’s customers, plus a big dollop of imagination about what new relationships the organization can forge with them. “You have to understand what’s happening with your customers so that you can get a step ahead of them, and get them to adopt technologies and become a better customer who stays with you,” says Glenn Gow, a former board director at data analytics firm acuteIQ, who now advises boards on digital strategy. 

Gow uses the example of ordering pizza. In the last decade, consumers have moved from placing orders by phone to placing them by app. Online ordering eases the transaction for the customer and generates more customer data for the pizza company — a great example, Gow says, of digital disruption benefitting all parties involved.

Too many boards fear the threats of digital disruption more than they embrace its opportunities. The truth is digital disruption will drive both threats and opportunities. “The ways in which disruption can occur are multiplying,” Richlovsky says, so the board needs to educate itself on all those ways. 

Governance of Digital Disruption

Top Risks for 2019

  1. Existing operations meeting performance expectations, competing against “born-digital” firms.
  2. Succession challenges and ability to attract and retain top talent.
  3. Regulatory changes and regulatory scrutiny.
  4. Cyber threats.
  5. Resistence to change operations.
  6. Rapid speed of disruptive innovations and new technologies.
  7. Privacy/identity management and information security.
  8. Inability to use analytics and big data.
  9. Organization’s culture may not sufficiently encourage timely identification and escalation of risk issues.
  10. Sustaining customer loyalty and retention.

Source: Executive Perspectives on Top Risks 2019, Protiviti and North Carolina State University Poole College of Management’s ERM Initiative


In theory, if the board wants to gain more knowledge about the risks a certain issue might pose, step 1 is to ask the internal audit function. Digital disruption, however, poses so many strategic questions that it doesn’t lend itself to such straightforward analysis. It’s an open question whether most audit functions could understand and assess the challenges at hand.

“The concept is a good idea,” says Alan Siegfried, who is on a bank’s audit committee now and has served on the audit committees of UNICEF and Bon Secours Health System, “but realistically, probably 90 percent of the audit functions out there don’t have the qualifications or skill sets to do that well.” 

Boards can take a few steps to improve that picture. First, they can identify strategic priorities for digital transformation more clearly, so the business units can determine which operations and business processes should be digitally transformed, and how. For example, should the business focus more on the “offense” of developing new products or services, or the “defense” of developing improvements to existing ones? Should it cut fixed costs by moving to cloud-based services, even if that drives up security, privacy, and litigation risks? 

Gow suggests that boards work closely with the CEO and the chief information officer (CIO) on those points. After all, if success at digital disruption depends on astute data analytics and bold imagination on how to serve the customer in new ways — the CIO handles the former, the CEO the latter. 

Then the board and management can develop a technology strategy that supports digital transformation, including the critical step of what new controls will be necessary to implement the strategy. For example, moving business processes to the cloud and taking advantage of mobile devices, so the organization can launch an international sales force with more in-the-field agents , is a reasonable digital transformation goal. 

The technology strategy, however, will raise questions such as: How can the company harness all its operational data, if the data is stored within different apps? How does the company secure its data on employees’ personal devices? At that point, internal audit or compliance functions can return to the conversation, because the digital transformation goal is already laid out. The questions are more about risk management to ensure the transformation doesn’t go awry.

Oversight of Digital Transformation

So, which board committee should have digital transformation as part of its remit? A strong argument exists that no specific committee should own it. The only logical candidates would be the audit committee or a risk committee, and they are, to use Richlovsky’s phrase, “reactive committees.” That is, they seek to ensure that safeguards are in place for whatever strategies the organization pursues. How an organization moves into the digital world, however, is a strategic choice unto itself. Thus, the whole board should be responsible for infusing digital awareness into every organizational strategy and objective. 

“When it’s a strategic journey the company is going through, it needs to be a full board topic,” says Eric Allegakoen, head of internal audit at Adobe and chair of The IIA’s Audit Committee. “Once the strategy becomes clear in how it’s getting executed, there would be responsibilities at the audit committee or risk committee level to monitor progress.”

Indeed. And if the risks listed by Protiviti, above, are any indicator, digital transformation will likely permeate boardroom conversations for some time. 

Matt Kelly
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author

 

 

Matt KellyMatt Kelly<p>​Matt Kelly runs RadicalCompliance.com, an independent blog about audit, compliance, and risk management issues, based in Boston. ​</p>https://iaonline.theiia.org/authors/Pages/Matt-Kelly.aspx

 

Comment on this article

comments powered by Disqus
  • IIA GRC_May 2019_Premium 1
  • IIA Awareness Month_Premium 2
  • IIA Sawyer-OrderToday Bookstore_May 2019_Premium 3