Technologies once referred to as “emerging,” including cloud computing, connected devices, mobile, robotics and blockchain, have been available for some time now. Adopting them is necessary for an organization’s success and survival. Within the IT departments of many companies, there has been a focus on quickly adopting disruptive technologies to improve the customer experience and increase efficiency. However, many of them struggle to balance the need to deploy new technology with speed and agility against risk management.
While companies are increasing their focus on these technologies to help transform their businesses, many are not assessing the risks that come with adoption. KPMG surveyed 200 senior U.S. IT risk management professionals and found that nearly half of those surveyed whose companies have adopted mobile applications and devices have not included them in recent IT risk assessments. The findings for other emerging technologies are similar: 46 percent of those that adopted the Internet of Things, 44 percent that adopted cloud computing, 34 percent that adopted artificial intelligence (AI) and 32 percent that adopted robotic process automation (RPA) are not assessing their risks.
This shortfall in the assessment of emerging technology risks isn’t due to a lack of awareness. Many business leaders worry about the risks associated with their companies’ technology investments, especially when their IT group is implementing new technologies at a feverish pace. Our survey showed that dealing with the effects of industry-wide technological disruption is on the minds of most IT executives, with mobile being the biggest area of concern, likely because devices are often brought in from the outside, beyond the IT group’s purview and oversight.
When managing technology risk, your company should anticipate changes before or as they happen and determine the associated risks. Accordingly, technology risk management should be involved in strategic business planning, embedding risks and adding value upfront, rather than being treated as a cost.
Companies that are transforming themselves and enabling emerging and disruptive technologies can take these initial steps to strike the right balance between innovation and risk management:
1. Leadership culture should be at the top of the technology organization
It’s important to determine how technology leaders within the company embrace, support and drive a culture of risk management. And, it’s critical to understand where the technology risk group is positioned within the organization’s structure – who it reports to, how credible it is and how well it is funded.
2. Determine how the technology risk function interacts with other parts of the company
Technology risk should collaborate closely with strategic planning teams, including business planning, innovation and technology enablement teams. However, according to our survey, the business and IT risk management still do not engage actively enough to manage risks proactively. We found that almost three-quarters of IT risk management teams are only included in technology projects after issues begin to arise. This is likely because many organizations primarily view technology risk as an offshoot of compliance or cybersecurity rather than an organization-wide function for the proactive management of risks. These silos need to be broken to allow for a stronger connection between technology risk management and other parts of the company.
3. Technology risk leaders should be willing to change their view from “it shouldn’t be done” to “how can it be done with less risk?”
Some technology risk teams are rigid about the risks associated with emerging technology, and therefore distanced from the strategic planning process. They often hinder innovation through resistance and negativity. Instead, they should help enable and support the growth of the business through innovation.
4. Find the right talent
While there is a skills shortage in the technology risk area, the talent issue is more due to a lack of awareness than an absence of capabilities. IT risk management leaders should educate themselves and those on their teams about macro business issues, so that they have the understanding needed to incorporate risk management insights into strategic discussions and decisions.
With technology increasingly touching nearly every aspect of the business, more business leaders are beginning to recognize and acknowledge the direct link between IT risk and broader enterprise risk. As such, many are beginning to view IT risk management as a function that can add value to the business, rather than just being a cost. The C-suite should increasingly understand that managing technology risk helps their companies meet critical business objectives, and it appears to be investing accordingly, as our survey found that spending on technology risk is set to accelerate over the next three years.
It is important that companies recognize and responsibly manage the risks associated with the new technologies that they have implemented so that they can realize the benefits and value of IT risk management. Thus, the management of tech risk should be viewed as having an impact on business revenue rather than simply being treated as a cost center.