Although it is crucial to seize control of the technology environment, that goal remains elusive in almost every industry. Technology is embedded in most critical operating processes, so the consequences of mistakes, failures or breaches can be severe from an operational, financial and reputational standpoint, and exposure to cyber attack is correspondingly high.
And we live in a disruptive world. The rapid pace of technological change represents one of the biggest threats to today’s businesses. In light of this challenging landscape, Forbes Insights teamed up with KPMG to explore the current state of technology risk across industries, surveying more than 200 executives about key issues in the field.
The resulting report, “Disruption Is the New Norm,” distills key findings from the survey in order to unveil insights into next-generation approaches to technology risk—best practices that enable organizations operating in the digital age to regain control over their technology assets, processes and people.
Within the IT departments of many organizations, there has been a strong focus on quickly enabling disruptive technologies so the business can seize its promised benefits—from improved customer experience and increased operational efficiency to boosted profits. However, when it comes to technology innovation, many companies struggle to balance the need for speed and agility with the need for control.
The future tech risk professional will need to demystify the risks of emerging technology and develop an agile tech risk framework with enough flexibility to respond to new risks as they appear. This framework will include a dynamic risk assessment that weighs the organization's risk appetite against its adoption of new technologies.
Some companies are taking steps to leverage data analytics and continuous monitoring to change the way they manage technology risk. But a startling number of organizations are failing to follow through on this.
Some key statistics:
- 72% of companies bring tech risk into projects only after the fact, once issues arise.
- 50% are using stale IT risk data collected ad hoc, through conversation, anecdotes, etc., rather than real-time, normalized data from systems of record.
- 47% have adopted mobile apps and devices without including them in risk assessments.
- 87% do not consistently use data analytics to develop Key Risk Indicators (KRIs).
- 49% of CEOs question the integrity of the data they base decisions on (according to KPMG’s recent CEO Outlook survey).
In contrast, a forward-looking tech risk function would:
- integrate risk management from the beginning of a project rather than after the fact;
- streamline controls through automation;
- use predictive KRIs to manage tech risk before an event occurs;
- use current data to mitigate future risk;
- incorporate nimble data models that can absorb new risks and define new controls;
- produce outcome-focused reporting that synthesizes risk data at the executive level.
Part of the problem: technology risk teams clearly have a larger role to play, but an overwhelming majority (87%) of organizations do not currently see IT risk's role as the proactive management of technology risk across the organization.
According to the survey data, organizations primarily view technology risk as an arm of compliance or cybersecurity, rather than an organization-wide function for proactive risk management.
Another hurdle: although organizations are increasingly aware of the concept and value of KRIs, and KRI adoption is widespread in some sectors, KRIs don't always match the actual technology risks the organization faces. There are several reasons a business may lack full visibility into the technology risks that could affect it: a KRI might be viewed in isolation rather than as part of a collective array, it might emerge from an unfamiliar source of risk, or it might be based on poor data. Some companies also overwhelm themselves with a vast number of KRIs.
Effective KRIs share certain characteristics:
- They form a small set; fewer metrics are easier to maintain, monitor and manage.
- They serve as a measure of risk, rather than sounding an alert about a one-off issue, bug or event.
- They have underlying supporting data, allowing tech risk to map and track risks from business unit to enterprise level.
- They are measurable and actionable, tying directly to business impact, such as lost dollars or customers.
- They are regularly maintained, monitored and refreshed.