The technology risk landscape for mobile, IoT and cloud is changing — fast. Companies are adjusting to keep up with the velocity of change, including the adoption of emerging technologies such as Robotic Process Automation (RPA) and blockchain. As a result, there is an increasingly direct connection between IT risk and enterprise risk — and, more broadly, enterprise strategy.
But according to KPMG’s recently released inaugural technology risk management survey (2017), technology risk management needs to evolve to be prepared for this new, fast-paced and disruptive world. Many organizations operating in the digital age do not treat technology risk as a value center and remain stuck in traditional, compliance-focused approaches to technology risk that don’t offer the best control of technology assets, processes and people — including static qualitative measurement, reactive risk decisioning and a lack of innovation.
The survey found, for example, that 72% of organizations bring tech risk teams into projects after the fact, once issues have already arisen. In addition, 50% of organizations are using stale IT risk data collected through ad hoc means, rather than real-time data from systems of record. And 47% of respondents said they have adopted technology such as mobile apps and devices, but not included them in risk assessments.
“We have seen a big digital transition in the marketplace, but the current state of risk management shows a traditional focus on compliance and accumulating and measuring Key Risk Indicators (KRIs), which we feel is not forward-looking and future-ready,” says Phil Lageschulte, a partner at KPMG.
Many companies have moved down the path of putting some form of IT risk management in place, and certain highly-regulated industries such as financial services are more forward-looking in their establishment of technology risk management, he adds. “But even with concerns over cyber threats, breaches and reputational challenges, processes continue to be informal and ad hoc, while data aggregation, accuracy of that data and measurement is still a struggle,” he says.
The need for speed vs. the need for control
Within the IT departments of many organizations, there has been a strong focus on quickly enabling disruptive technologies so the business can seize the promised benefits — from improved customer experience and increased operational efficiency to boosted profits. However, when it comes to technology innovation, many companies struggle to balance the need for speed and agility with the need for control. For enterprises, speed of technology deployment is critical to success and survival, but it can’t come at the expense of the health of the organization or its stakeholders and customers, Lageschulte says. Instead, technology innovation and control should go hand in hand so that new technologies can be released at scale, with confidence.
“Unfortunately, we’re not really seeing IT risk as predictive and nimble — it remains more responsive and reactive,” he says. “Right now technology remains viewed as a cost-center rather than a business enabler.”
Increasing the value of managing technology risk
Nevertheless, the journey toward increasing the value of managing technology risk is under way. After all, says Lageschulte, the need for the business to be nimble requires risk management to be nimble too — otherwise risk management becomes irrelevant. “The risk of not adopting new technologies is clear — you’ll quickly find yourself disrupted or a laggard in your industry, or worse yet, bankrupt,” he says. “Our advocacy and promotion has always been to responsibly manage the risk and reward of disruptive technologies — we would never say no to a technology. But it’s about how to do it responsibly and having that business acumen to manage and measure those risks.”
However, one surprising survey result was the persistent disconnect between the perceived value of managing technology risk and actual investment. The vast majority — 88% — of tech risk leaders believe technology risk is driving value for the organization.
Only 49% of respondents, however, say they will increase their technology risk spend over the next three years. “That seems like a direct disconnect to business rationale — we would have expected a corresponding increase in spending,” says Lageschulte.
In the end, organizations may simply learn from mistakes and incidents, he adds: “That will drive us to see more investment in that area — it is what has happened in the financial services space.”
A forward-looking view of technology risk: How to add value
The next generation of technology risk management (which will be discussed in depth in part 2 of this series) will need to be agile and dynamic enough to keep up with the pace of change. According to Lageschulte, these are some important ways to add value to the technology risk function:
1. By improving core blocking and tackling of technology risk management.
Technology risk organizations need to expand their value proposition by being more effective at using data and information to deliver results. They need to make sure they are tracking the right KRIs; that they are presenting the right metrics to the board; that they have good-quality data to work from; and that they use automation, RPA or even AI to make their analysis more effective and efficient.
2. By being a more proactive enabler of the business.
The technology risk function needs to be closer and more responsive to the business, says Lageschulte. “They need to have a seat at the table in the strategy of business, as opposed to hearing about it after the fact,” he explains. That requires a business-acumen view rather than a purely technologist view — that is, a balance between a technologist leading as the technology risk leader and someone from the business leading the technology risk function.
3. By finding the right talent.
Finding the right talent for a dynamic, agile technology risk function is certainly a challenge when the function has traditionally grown out of the technology side rather than the business side, Lageschulte explains. “There has been an increase in the demand for individuals with the skill set and capability that the marketplace hasn’t followed,” he says. The future technology risk professional will need to demystify the risks of new, emerging technology and develop an agile tech risk framework with enough flexibility to respond to new risks.
The bottom line? Technology risk management needs to evolve to be prepared for the new world in which disruption is normal, Lageschulte says. “That means IT risk leaders must stop staring down at the steering wheel and look up at where the organization is driving.”