In Part 1 of our two-part blog series on today’s technology risk landscape, we discussed the results of KPMG’s 2017 inaugural tech risk survey — which found that despite the rising profile of the technology risk function across the 1st and 2nd lines of defense, most organizations still do not actively manage technology risk or demonstrate its value to the larger business. Instead, many remain stuck in traditional, compliance-focused approaches to technology risk.
The study found that technology risk is seen as reactive and siloed: Although technology risk teams clearly have a larger role to play in the business, their ability to do so is hindered by the fact that an overwhelming majority (87%) of organizations do not currently view IT risk’s role as the proactive management of technology risk across the organization. And 72% said tech risk teams were brought into projects after the fact, only after problems began to arise — exposing the business to even greater risk. Tech risk is also seen by two-thirds of respondents as an arm of compliance, while a third see it as an arm of cybersecurity — rather than an organization-wide function for proactive risk management.
In today’s fast-paced, ever-evolving digital age, technology risk is no longer an isolated, compliance-driven arm of the organization. Traditional technology risk methods have evaporated and enterprises need to create an agile and dynamic technology risk organization to keep up with the pace of change. Organizations are implementing technology at a blinding pace to respond to market disruption — as a result, dynamic technology risk functions that demonstrate risk impact against broader organizational goals must be implemented to gain a seat at the executive table. The tech risk function can maximize impact only when included at the outset of project initiatives.
A move towards proactive, agile technology risk
Vivek Mehta, partner, emerging technology risk at KPMG and co-author of the study, says that organizations have realized that simply managing technology risk without having a direct implication to the bottom line is not enough. Instead, there needs to be a move toward proactive, agile technology risk with enough flexibility to respond to new emerging risks.
To make the process more proactive, “the technology risk group in the first line of defense really needs to add value to the business,” he says. The way they do so can be described as embedded risk teams, he explains: “They are embedded in a process where the business is looking at and asking risk’s point of view while they’re implementing a process or a system, not coming in later where they are auditing after the fact.”
In addition, clients are leveraging data analytics and other tools to change the way they manage technology risk, he adds. “This offers more real-time value,” he says. “While the board still continues to receive risk reports related to compliance, this is more meaningful, timely and directly related to business goals and objectives.”
Seeing success in embedding IT risk as a front-end strategy
The most important way to see success in making IT risk more proactive is to make sure the technology risk organization really understands its role and does not look at technology in a silo. It should not hinder the innovation process through resistance and negativity, but rather help enable and support business growth. It should also collaborate closely with strategic planning teams, including business planning, innovation and technology enablement teams.
“It’s about saying, how we can help the business with a risk-based mindset, rather than it being just an audit and regulatory check,” says Mehta. The consequences of not including technology risk in early, high-level strategic conversations can be dire, according to the study. For example, KPMG studied two recent cyber incidents related to blockchain technology. They discovered that vulnerabilities and design flaws could have been identified and fixed prior to the breaches, if the impacted companies had engaged tech risk professionals to conduct thorough, formal, end-to-end security reviews. “It’s about not looking at technology in a silo, but making sure you are in sync with ops risk and market risk and credit risk teams,” he says.
Rethinking risk data and reporting is also essential to move to a more agile, proactive approach to technology risk. For example, although more than 80% of tech risk executives surveyed reported that their organization’s key stakeholders have confidence in their data, other KPMG research and discussions have found otherwise: According to KPMG’s recent CEO Outlook Survey, 49% were concerned with the integrity of the data they base decision-making upon.
“It’s about using analytics to see your risks and look at them through a new lens — a forward-looking view that predicts and mitigates some of those risks,” says Mehta.
Next-generation risk functions
According to the KPMG study, next-generation technology risk functions will understand the business better, predict risks associated with new technologies or legacy systems, manage risks proactively, and improve the organization’s resiliency should an incident happen.
Next-generation risk functions will have:
- Contributions to strategy discussions: Leading-edge organizations will integrate risk management from the get-go, preparing and managing risks in line with the business strategy.
- Strong business acumen: Technology risk professionals will have both the understanding and the visibility to find the ideal middle ground, where risk is mitigated up front, but business growth is still enabled.
- A seat at the table: Leading-edge organizations will include more collaboration with business stakeholders.
- An increase in brand recognition: Technology risk will be seen within the organization as more than just about compliance.
- Budget and headcount: Organizations will invest at a level commensurate with the business, technology budget and headcount.
- Nimble data models: Leading-edge organizations will emphasize trust and agility, perfecting data controls that can absorb new risks and define new controls.
- Outcome-focused reporting: Business leaders need meaningful information to make the right decisions — data will be tied directly into business impact.
- A key role at all stages of technology adoption, implementation and change: During and after adoption of a new technology risk framework, the team will continuously stress test processes, monitor performance, track metrics and report to management.
The bottom line is that as technology becomes increasingly complex, open and ubiquitous, both business and IT executives are becoming more sensitive to technology risk, as well as more cautious and risk-savvy — in this environment, technology risk has a lot to contribute.