When we walk into our homes, we can ask our voice assistants to turn the lights on, use our faces to unlock doors and monitor our home cameras on our phones. When we travel, the planes we take now include connected blockchain-based parts that regularly alert crews for vital maintenance. Brought on by the Fourth Industrial Revolution (4IR), smart, connected technologies are helping make life easier, faster and more convenient, because they can significantly boost the intelligence and reach of one digital technology alone. However, blended artificial intelligence (AI), internet of things (IoT), blockchain and other 4IR technologies also bring infinite entry points for risk.
Imagine, for instance, how many companies are using AI for analytics that improve with use. But data errors, or bias in software or models, can misinform decisions and bring unforeseen accidents. AI-related risks have ranged from public pushback on the use of AI-based surveillance cameras, to software glitches that led to self-driving car crashes. Add to this list evolving regulations in areas like data privacy, and missed risks can be costly. A 2018 report by the Ponemon Institute estimates noncompliance costs to be 2.7 times the cost of maintaining or meeting compliance requirements — up 45 percent since 2011.
While companies race to digitally transform themselves and realize the full potential of 4IR technologies, we should pause to consider how companies can best navigate the immense risk that these blended technologies bring.
Making Better Decisions and Taking Smarter Risks with 4IR Overhauls
This is where the risk function comes in. Contrary to myth, functions such as internal audit and compliance can clear the way for warp-speed digital growth. They have long helped companies undertake major digital initiatives by monitoring controls for cybersecurity and regulatory risks through their proven frameworks and perspective on the cost of noncompliance.
But as companies race to digitally transform themselves, our internal audit and compliance functions must also evolve, shifting to work alongside the business to identify new types of risk and determine the right controls and mitigation strategies to manage them. Digitally fit risk functions can flag and address vulnerabilities in 4IR initiatives early and continuously after launch. That sort of vigilance is critical; missed risks can course rapidly through networks, wreaking havoc on our blended technological and physical worlds.
What Does “Digitally Fit” Mean?
Digitally fit risk functions are a data-driven group that blends their functions’ proven strengths with powerful digital capabilities that include new service models and digitized operations. For instance, a digitally fit compliance and ethics program may use analytics against a global regulations database to identify and prioritize potential regulatory changes based on the organization’s geographic footprint, business model and customer. An early-warning system like this gives compliance valuable insights to be proactive in helping the organization manage regulatory compliance risks.
In our 2019 PwC Risk in Review Study, we categorized these digitally fit risk functions as “Dynamics”and identified six behaviors or habits that are fueling safe, prosperous and sustainable digital transformations for their organizations. The following habits come to mind as we contemplate how organizations are increasingly leaning on their internal audit and compliance functions to navigate ambitious 4IR overhauls.
- Dynamics find the right fit for emerging technologies. Robotic process automation (RPA) or intelligent automation is anticipated to be the most used emerging technology by 2021 by internal audit and compliance functions for tasks like monitoring, data retrieval or audit testing. Additionally, IoT sensors are already being deployed to assess and respond to risk in critical processes, particularly in the manufacturing industry. By automating these activities, Dynamics are freeing up time and resources for more value-added analyses and insights.
- Dynamics enable the organization to act on risks in real time by using digital technologies to rapidly gather, analyze and route critical information to decision-makers. They prioritize risks through AI, and they mine structured and unstructured data for real-time identification of risks like fraud. This helps boost the odds of safe and sustainable digital overhauls because risks can be addressed if flagged early.
- Dynamics are meeting the need for on-demand expertise by both upskilling and injecting new talent to handle 4IR technologies and manage the risks associated with them. Organizations that are filling the demand for technical skills like analytical model development and RPA programming recognize that the profile of today’s risk professional has greatly evolved in the context of 4IR.
Learning from Dynamics to Reap the Most Value from 4IR
Dynamics provide valuable lessons on how digitally fit internal audit and compliance functions can speed progress on digital journeys, enable better decision-making and ultimately help companies fully embrace 4IR. These lessons include:
- Changing the mindset and narrative to a strategic one. Internal audit and compliance teams should be seen as strategic, trusted advisors over digital transformations — not obstacles. Their identification of risks and monitoring and testing of the controls designed to manage those risks for safe rollouts of novel technologies will enable companies to take smarter, calculated risks as they embrace the 4IR.
- Filling skill gaps for a 4IR world. Digital knowledge and capabilities help internal audit and compliance professionals retrieve data, monitor controls and relay the repercussions of missed technology risks through technology and policy lenses.
- Creating new operating and service models for faster analyses and insights. Dynamics are moving from fixed time, limited sample audits toward continuous audits of full populations. Meanwhile, new integrated products, like shared data lakes, with unstructured data are dynamically scanning foreign press reports or social media feeds to allow us to monitor third-party risks or public sentiment shifts.
- Leaning in often at meetings with leaders like Chief Data Officers to show how internal audit and compliance can anticipate and plan for 4IR risk. Make the importance of keeping and protecting data — and the true cost of noncompliance — part of the conversation.
Internal audit and compliance functions with digitized risk monitoring, analytics and alert capabilities are valuable guides on the 4IR journey. Channeling their vision and voice will help companies reap the full value of a connected society.
Mike Maali is Internal Audit, Compliance & Risk Management Solutions Leader at PwC US. In this role, he leads nearly 800 PwC professionals who advise clients on their risk and compliance programs and also conduct audits, deliver monitoring, surveillance and testing solutions and develop internal controls for business performance issues and IT systems, all through the use of technology and data.
For nearly 30 years, Mike has delivered a range of risk management, external audit and internal audit services to leading global and national organizations. His expertise includes implementing and optimizing enterprise-wide risk management programs and systems and performing risk assessments for organizations across industries and translating the results into efficient, risk-based plans for internal audit, risk and compliance functions. He has advised clients on how to stand up their internal audit, risk management and compliance functions and has counseled companies on how to transform their existing functions to be strategically aligned with the business and other risk prevention lines of defense. He also offers best practices to embed data analytics and advanced technology into all components of risk management and control and leverages PwC’s deep industry and technical capabilities for enhanced insights in the planning, execution and reporting of internal audit projects, risk management programs and compliance testing solutions.
