In the Race to Transform, Is the C-Suite Doing Their Due Diligence?

Geopolitical tensions, rapid technological advancement, supply chain disruptions and climate change are challenging business leaders to transform their companies to secure their place in tomorrow’s world. The pressure is mounting to quickly employ new technologies to gain a competitive advantage, but hastening the pace without a strategic approach can introduce risks and delay change. 

Navigating digital transformation is far from straightforward. Poorly structured data and biased data can result in organizations reporting inaccurate results, which can shake investor and customer confidence. Moving data makes it more vulnerable to breaches, which cost US companies an average of $9.5 million per incident, according to IBM’s 2023 Cost of a Data Breach report. Meanwhile, the shifting regulatory landscape around data, privacy, internal controls and emerging technologies can delay the launch of technological advancements and impede regulatory compliance.

Logistical challenges can also complicate technology adoption. Business leaders vested in implementing advanced technologies such as artificial intelligence (AI) must think through burgeoning data center costs; safely moving data from one system to another; safeguards around access and privacy; and whether those intended to use the tools are sufficiently trained.

Many factors can contribute to tech integrations going wrong. The project team could underestimate data center costs, or not factor in essential hardware to make the technology work. Perhaps there isn’t any user testing to ensure that the new system is intuitive and easy to use, or maybe the benefits of the new technology aren’t realized because it’s been designed to mimic the old solution. 

Daryl Box, Americas Assurance Technology Risk Leader at Ernst & Young LLP (EY) says he’s heard his share of horror stories where the ultimate ROI of a technology program was half of the original projection, or the spend was double what was budgeted.

Due to the complexity of digital transformation, Box says it’s imperative for business leaders to be proactive when assessing the potential risks of any new technology they plan to implement.

He advises organizations to invest in both a pre-technology program assessment and, where applicable, a security/privacy risk assessment well before launching a new system or tool, so that teams can identify risk areas and compliance gaps in advance. 

“When you have to fix a problem on the back end, it’s much more challenging to change processes, embed internal controls or design controls surrounding the underlying data and infrastructure after you go live,” says Box. 

Business leaders need to think through all these potential issues, while also monitoring that the project team implements processes that will hold up to regulatory changes—a particularly daunting task, as few geographies have agreements on how to regulate AI and data privacy. 

“It’s not just the US vs. Europe; each US state has its own view on AI,” says Box. “Organizations, particularly those that operate on a global scale, need to create a framework that factors in this patchwork of regulations, and not risk putting themselves at risk for compliance.”

Getting digital transformation right can put a company miles ahead of the competition—but getting it wrong can result in fines, lawsuits, compliance challenges and reputational damage. This tension is playing out in the C-suite, where business leaders seek balance between rushing adoption to gain a competitive edge and embedding internal controls to mitigate the various potential risks of emerging technology. 

Boardrooms and audit committees are becoming more tech-savvy to understand how their organizations are staying digitally competitive. Jim Okas, Americas Assurance Deputy Technology Risk Leader at EY, says it’s increasingly common for boards and audit committees to have at least one member with a tech background, or to have their Chief Information Security Officer (CISO) and Chief Information Officer (CIO) attend meetings to weigh in on the status of new tech integrations.

“Boards and audit committees can’t afford to sit back and just watch technology unfold or be implemented,” says Okas. “They want the big-picture view, the roadmap, the related compliance program and the risk mitigation strategies. They’re asking management if they’ve partnered with the right people and functions, if they really understand what’s being deployed, which security and privacy controls and safeguards have been implemented and if effective internal controls are in place. And management needs to be able to readily answer those questions.” 

Conducting an independent pre-technology program assessment helps an organization gain confidence that what’s being designed matches its intended business case and complies with regulatory standards and requirements, which include strong internal controls and data security and privacy safeguards, as well as ease of use.

“If a program assessment becomes a reactive exercise vs. a proactive thought process, the cost effectiveness of delivering sound internal controls skyrockets, value plummets and ROI can be diminished because you’re doing it almost when it’s too late,” says Okas.

Ultimately, the key to thriving in the digital age lies in balancing the urgency to innovate and transform with the patience and diligence to protect. As organizations chart their digital course, the wisdom to anticipate risks and the agility to adapt to changing landscapes will distinguish the leaders from the pack.