Safeguard against IT risks in digital transformation

How Genpact can help you comply with cyber regulations to keep your company safe

Digital transformation isn't a one-time job. The best organizations are constantly upgrading their technologies to keep pace with evolution and demand. But upping your digital game doesn't come without risk. For companies to get the most out of their digital transformation effort, and for them to remain onside with regulators, it's important that they have a sound approach to information technology (IT) risk management. But as they transform and develop, it's not unusual for many companies to fail to spot risks.

Challenge

IT risks that often go unnoticed

Digital transformation doesn't often happen across the whole company in one hit. It's usually undertaken project by project, and the result can be complex: multiple technologies operating in different ways, all interacting with one another. Companies may well have covered the first-order risks emerging from the application and operation of a single technology, but it's unlikely they've got it all covered when it comes to how all the technologies work together. This leads to many companies experiencing one or more of the five key IT risk management challenges:

  1. Lack of visibility: IT and business leaders don't have full insight into the breadth or the detail of their IT infrastructure and applications, meaning they struggle to identify where risks may be lurking within their systems
  2. Complexity: Organizations have evolved their digital and IT environments so rapidly that many struggle to stay abreast of ever-emerging threats and vulnerabilities. This can mean they're exposed to unseen risks and are unprepared for when they strike
  3. Compliance: As more technologies emerge, so do more regulations designed to control them. Plenty of risk and compliance workers struggle to keep up with the pace of change and to see where new rules, such as GDPR, HIPAA, and PCI DSS, might apply across their IT ecosystem
  4. Talent availability: Few companies have the luxury of having a large workforce with specialized IT risk management skills. Furthermore, it's rare for them to have employees who are cross-trained in all the technologies and systems they use
  5. High cost: An increasingly complex IT architecture at companies, along with a relatively low degree of automation in the controls functions, results in a high cost of compliance – not to mention the cost of hiring in-house talent

Solution

An IT risk management suite of services for five critical areas

Companies experiencing the challenges we've outlined need a solution that covers their IT risks and controls in five critical areas.

Genpact's IT risk management solutions do just that, so companies can select what they need to get the job done quickly, accurately, and efficiently.

Our solutions include:

  1. IT Sarbanes–Oxley (SOX) controls: The solution includes general controls (on access management, change management, and operations), automated business process controls (on systems configuration supporting manual business processes), and interface controls (on data transfer completeness and accuracy). We also undertake key business report testing, shoulder System and Organization Controls (SOC) report reviews for SOC 1 and 2, and automate control performance and testing
  2. Enterprise Resource Planning (ERP) and digital transformation controls: Our solution includes identifying risks at the process level throughout the implementation of an ERP system and then recommending controls. Our team can work with any existing client ERP system and other microplatforms, such as BlackLine, HighRadius, and Tradeshift, to help you streamline control design and transformation for your digital assets
  3. Segregation of duties (SOD): For this solution option, we perform SOD reviews across all your applications to reduce the risk of fraud and error. We also improve your internal access controls in line with SOX and other regulatory mandates as well as undertake ongoing SOD monitoring and access management for all employees per the company's SOD policy
  4. Data privacy: Our solution uses leading compliance platforms to help our clients build a robust data privacy framework. We map data throughout its entire life cycle so that clients can be certain they are adopting the right technical, functional, and behavioral data privacy measures to keep them compliant and their customers safe. Our solution includes consent compliance for personal information, cookie compliance management using tools like OneTrust, and data loss prevention through a record of processing activities (RoPA)
  5. Cyber and information security: Our solution includes a cyber maturity assessment based on the COBIT framework, NIST CSF, and ISO 27001 standard to guide companies in understanding what policies they need to formulate, using best-in-class benchmarks as reference points for comparison. We use the latest technology to ensure the company is cybersecure across its own technology and the third-party platforms it may use

Impact

A secure and compliant IT environment

Our solutions deliver notable value for customers by maturing and optimizing their controls environment, helping them become fully compliant. Five leading impacts for our customers include:

  1. Reducing controls environment complexity: Reduced the total controls count by up to 67% and harmonized existing controls
  2. Improving audit: Increased auditor reliance by up to 82% and cut audit costs by up to 57%
  3. Reducing error: Increased the overall controls automation to up to 25%
  4. Enhancing controls: Delivered immediate or zero-day control readiness during large-scale system upgrades or migrations, including ERP implementation
  5. Boosting efficiency: Standardized and rationalized controls to provide a year-on-year efficiency increase of 11% for the first three years

Case study

Redesigning IT risk management controls for a financial services firm

For one large US-based financial services company, we embedded new best practices for cyber and information security. Our IT risk and controls experts helped establish fresh competencies for policy governance and control design and review, then conducted operation and risk assessments.

This included reviewing systems for identity and access management, patching, vulnerability management, secure software development life cycle, asset management, data loss prevention, and incident management. Additionally, we reviewed these controls in projects that were still in the development phase and had not yet been launched.

In the end, the company built its capacity to address risk and improved the maturity of several key processes, all at a significantly lower cost of compliance. The result? Greater visibility, less complexity, and lower risk.

Explore our enterprise risk and regulatory compliance management services
