article banner
Cyber risk

Renewing digital risk management

How can business leaders better manage threats and hasten digital transformation?

Businesses of all shapes and sizes are trying to carve out a competitive advantage by leveraging digital information. The most cutting-edge companies harness customer preference data to create personalised services and targeted marketing campaigns, scrutinise employee performance data to drive productivity, and analyse supply chain information to drive efficiencies. And that’s just the tip of the iceberg.

This offers huge potential, but also creates vulnerabilities and interdependencies between previously discrete threats. This is particularly the case for cyber security and data privacy risks, which are now linked due to the increased use of personal data. For example, data breaches can result from a cyber attack, but have data privacy implications.

But business leaders’ attempts to come to terms with the changing nature of these threats is hampered because they devote so much time to data privacy. Tellingly, two-thirds of businesses focus more effort on mitigating data privacy than on cyber security risks, according to Grant Thornton’s latest International Business Report (IBR) survey. And the majority (59%) are actively preparing for the next wave of privacy regulation.

That’s no surprise, given the proliferation of data privacy regulation. But cyber threats have also soared. The number of cyber attacks causing losses in excess of $1m have increased by 63% during the past three years.[i]

So to make sure nothing falls through the cracks, and to better deal with the complexity of interlinked threats, business leaders must review then renew the way they manage cyber security and data privacy risk. We call this digital risk.

But where should those leaders start? The IBR survey provides some answers by asking senior executives about their weak points in managing digital risk.


Top of the list is an overreliance on software. It’s great that business leaders acknowledge that they’re asking technology to do all the work, but now they must act.

Our ‘Digital risk: Technology is no silver bullet’ article makes the case for bolstering the cyber-awareness of the entire workforce and building specific capabilities around identifying cyber vulnerabilities.

That’s not all. With cyber-attacks now an inevitability, business leaders should look into specific cyber insurance. More than two-thirds of surveyed businesses say the insurance industry needs to improve its privacy risk offering. It’s therefore imperative to educate insurers about vulnerabilities so that the risk is priced effectively.

Integrated digital risk management avoids confusion...

According to the survey data, business leaders’ second greatest weak-point in managing digital risk is uncertainty among employees and teams about which risks they are responsible for.

Our ‘Strategically aligned, organisationally distinct’ article makes the case for merging cyber security and data privacy into one digital risk function.

A single digital function could conduct important processes such as third-party assurance and data classification, which have historically been conducted by separate teams.

This would clarify responsibility, remove duplication of effort and create efficiencies. More importantly, it will produce a more joined-up understanding of the interdependencies between cyber security and data privacy risk.

…And adds value

Risk teams must stop just focusing on mitigating digital threats. They must also integrate risk into strategy development in a way that adds value. We call this performance-driven risk management.

A single digital risk function, led by a Chief Digital Risk Officer, is much more capable of championing digital risk and ensuring it’s factored into strategic and operational decisions across the business.

A practical example of this is preapproving vendors, such as cloud providers, from a cyber security and data privacy perspective. By doing this, businesses can rapidly purchase and deploy their solutions, and digitally transform faster than the competition.

Better data breach identification and response

The IBR survey reveals that businesses are not at all satisfied with their ability to identify and respond to breaches. Only 28% are highly satisfied with their ability to protect against the risk of a serious data breach, and only 26% with their ability to even identify that a breach has occurred.

Integrated digital risk functions can respond more effectively because the breach may have resulted from a cyber incident, but it will have data privacy implications if personal data is compromised.


[i] Linklaters, Global cyber-incidents soar by 63% in the last three years - January 2019.