Why Comply? The Importance of Governance, Risk, & Compliance Policies in the Landscape of Digital Transformation
By SMU City Perspectives team
Published 11 December, 2025
“With the increasing emphasis on regulatory and compliance risk, GRC policies are important. Using digital tools without considering evolving data privacy, AI or industry regulation can lead to non-compliance, and can result in fines, audits and other consequences.”
Yuanto Kusnadi
Associate Professor of Accounting (Education); Academic Director (SMU-X), Singapore Management University
In brief
- As technology advances, more and more industries have begun adopting digital transformation processes.
- Because of the risks that digital transformation initiatives present, it is important to invest in Governance, Risk, and Compliance (GRC) policies.
- Investors are demanding transparency and accountability from organisations, so companies must clearly communicate their GRC policies.
As technology advances, automation and efficiency have become the driving forces for businesses. But this digital transformation introduces significant security and compliance challenges. For business leaders and investors, the key isn't just adopting new technology - it is managing the associated dangers.
This requires robust Governance, Risk, and Compliance (GRC) policies that are clearly communicated to build trust and ensure long-term value. Associate Professor of Accounting and Academic Director for SMU-X, Dr. Yuanto Kusnadi, explains why GRC is a critical component of any successful digital strategy and why investors need to understand the significance of these initiatives.
What is digital transformation?
For his research, Assoc Prof Kusnadi defines digital transformation as “a company-wide change that leads to the development of a new business model”. Essentially, it is about using technology to fundamentally change how a business operates. This trend has accelerated due to the rise of artificial intelligence (AI), intense competitive pressures, and new remote work models spurred by the COVID-19 pandemic. Digital transformation has pervasively transformed how organisations operate. This can be seen in the prevalence of video calls and remote working setups, and even in ordering food at hole-in-the-wall eateries.
Misconceptions of digital transformation
Prof. Kusnadi believes that business leaders often misunderstand the true scope of digital transformation, leading to costly errors. He highlights four common misconceptions:
1. “It’s Only About Technology”
A primary misconception is that digital transformation “is only about technology.” While tools are important, Assoc. Prof. Kusnadi clarifies that digitalisation is also “a business-wide initiative that involves not just digitising the process but also changing people's mindset and upskilling workers.”
2. “It’s a One-Time Project”
Many companies mistakenly approach digital transformation as a finite, one-time project. In fact, it should be something a company continuously invests in. As an example, Assoc Prof Kusnadi notes that some local SMEs in Singapore's logistics sector have been investing millions of dollars in their digital processes for the last two decades.
3. “It’s Just One Department's Job”
Another error, he observes, is limiting the initiative to a single department like IT. “HR will need to be involved, marketing will need to be involved, your finance people will need to be involved,” Kusnadi comments. “It changes the way everyone operates, so it should be a whole company initiative rather than just one department's.”
4. “It's Meant to Replace People”
Finally, there’s the fear that these projects will replace employees, when the focus should be on enhancement of their capabilities. “That's where reskilling and training come into play,” he says. “The goal is reskilling existing workers so that they can contribute towards more value-adding processes.”
Ignoring these realities can lead to high turnover and wasted resources. Digital transformation is a very costly project that requires a constant, open conversation between investors and top management.
Importance of GRCs: From High Stakes to Actionable Strategies
With the adoption of digital innovations, more risks arise, especially when an organisation handles sensitive or personal data. “This will contribute towards an increase in cybersecurity risks. We have seen these resulting in data breaches, viruses, ransomware attacks, and others. So cybersecurity risks will need to be something that companies have to think about,” says Assoc. Prof. Kusnadi.
Another prevalent risk is operational disruption. Once a business becomes overly reliant on an AI or digital platform, experiencing an outage could stall or stop business operations entirely. This can include system crashes or failed cloud migrations, so organisations must prepare contingencies for these disruptions.
Therefore, to ensure business resilience and continuity, risk mitigation should be embedded in GRC frameworks early. In many countries, a single compliance failure can cost millions or even billions of dollars, making it critical for organisations to invest in their GRC framework from the start. As Assoc Prof Kusnadi puts it, “There is an increasing emphasis towards regulatory and compliance risk. Using digital tools without considering evolving data privacy, AI or industry regulation can lead to non-compliance, and can result in fines, audits and other consequences.”
From Policy to Practice: GRCs in a Smart City
While GRC policies are essential, Assoc Prof. Kusnadi cautions that they cannot be treated as a simple ‘box-checking exercise.’ “It must be a whole company initiative that involves top management clearly and consistently communicating their strategy to investors,” he stresses.
From an urban perspective, let's consider a public utility company implementing a city-wide network of smart water meters. Or, picture a public transport operator rolling out a new AI-powered smart card system for fares and scheduling.
For massive urban projects like these, leadership must demonstrate a GRC framework that is deeply embedded in their operations. Here’s how they could actively bring their GRC strategy to life for stakeholders:
- Disseminate information in a transparent way
The company should create a public-facing GRC portal on its website to reflect a unified corporate strategy where HR, finance, and operations are aligned. This portal should transparently highlight its GRC policies, detailing how consumer data is protected and how it is used to improve services. This is critical because, as Assoc Prof Kusnadi notes, a clear framework helps to “support the ethical digital transformation practices which involve AI and data.”
- Use clear, tangible metrics
In its annual report, the company must use numbers and actual examples. Says Assoc Prof Kusnadi: “This demonstrates that GRC is not just about avoiding consequences like fines, audits and so on, but about creating value. It shows a commitment to embedding risk mitigation early in the digital transformation initiative.”
In the case of a subway system or a train operator, for example, this means reporting tangible results, such as “The new system has reduced fare card fraud by 70%.” or “We have maintained 99.8% operational uptime during peak hours, preventing service disruptions.” Presenting such metrics provides clear documentation and a transparent framework that helps build stakeholder confidence.
- Establish leadership KPIs
To demonstrate that commitment to digital transformation starts at the top, organisations can establish and publicly report on key performance indicators (KPIs) for their leadership. One compelling KPI is the Return on Innovation - which measures the tangible value generated by digital projects, either through cost savings or increased revenue. This signals to investors that leaders are not simply chasing digital trends, but are making deliberate, high-impact investments.
Tying leadership performance to outcomes like Return on Innovation reinforces the message that digital transformation is a continuous, strategic priority. It also builds what Assoc Prof Kusnadi describes as “investor trust.” This is because it shows that management can “have control over the risk factors,” which in turn will “increase their future valuation and further increase investor confidence.”
Ultimately, navigating the digital transformation journey requires more than just adopting new technology - it demands a commitment to managing its inherent risks. As Assoc Prof Kusnadi's insights reveal, a robust GRC framework is not a barrier to innovation but a catalyst for sustainable growth.
For leaders in our increasingly smart cities, from public transport operators to utility companies, the message is clear: transparent GRC is the bedrock of trust. By communicating a clear, metric-driven strategy for managing risk, companies show investors that they are not just building for the future, but are building a future that is secure, resilient, and valuable. In the digital age, this is not just good governance - it is the ultimate competitive advantage.

