Technology Risk Management 1.0: The Need for Change
Across nearly all industries, organizations are becoming more and more dependent on technology, so much so that it is easy to argue that many are actually becoming technology companies. Consequently, how organizations embrace technology can have a significant impact on how they are perceived by their customers or business partners.
In some instances, technology is enabling wholesale shifts in business models, as evidenced by the impact of Uber on the taxi industry, Apple and Netflix on the media industry and Airbnb in the hospitality sector, while fintech is disrupting the financial services sector.
Here, technology is redefining how consumers engage with firms and buy products. To compete, traditional companies need to become more agile and adapt rapidly to the changing business environment. The pace of change is a constant and growing challenge, accelerating in line with digital engagement and enabled by emerging and evolving technologies. While some companies have embraced new capabilities and continuous change, innovation has been limited at more traditional institutions. These companies continue to offer products that have not changed fundamentally for several decades and are often underpinned by creaking legacy systems and processes. In response to the changing market dynamic, some of these firms are beginning to recognize the need to adopt newer technologies and operating models, such as cloud computing, and are placing greater reliance on third parties to manage their IT environments.
New technology brings both opportunities and risks. However, the predominant risk facing traditional firms today is failing to innovate. Organizations need to embrace innovation, foster cultural change and embark on digital transformation programs designed to become ever more nimble and keep pace with the rapidly changing business environment. Risk management and IT departments need to be responsive to this change, ensure they are not unintentionally blocking innovation, and provide the organization with the knowledge and the tools to conduct “good” risk taking within a defined risk appetite.
Against this backdrop, Protiviti conducted a technology risk study to explore whether technology risk functions have the right strategy, skills and operating models to enable the organization to understand, assess and manage existing and emerging risks. The findings enhance Protiviti’s benchmarking data and measure how businesses are responding to their increased dependence on technology. The study also sought to better understand how risk management disciplines are evolving to reflect the increased importance of technology and changing operating models.
The findings from the study, set out in this paper, have reinforced Protiviti’s long-held view that technology risk is failing to keep up with the rapid pace of technological change. This is particularly prevalent in organizations that are struggling with the notion that they are becoming a technology company, for example, within industries such as financial services, where firms are just starting to recognize that technology companies and fintech start-ups pose a greater threat to their business than their more traditional competitors.
This paper details the current state of technology risk, based on our survey findings, while the accompanying document, Technology Risk: A New Approach, introduces the Protiviti Technology Risk 2.0 Model, a proven framework and methodology firms can use to create a more integrated technology risk function.1
OUR KEY FINDINGS
- There is a lack of coordination between different groups performing technology risk management activities.
- Technology risk reporting tends to be technology-centric without providing real business insight.
- Business risk appetite is not driving technology risk practices.
- Many organizations’ technology risk activities are not ready to embrace a cloud-enabled world.
- Vendor risk management needs to be strengthened and integrated into core technology risk activities and reporting.
- Technology risk awareness is not effectively embedded in the culture of most organizations.
- Ironically, there is ineffective utilization of technology by technology risk teams.
- Technology risk functions are not providing adequate or effective information for executives and board members.
- The criticality of technology risk disciplines is elevated by cybersecurity issues (but cybersecurity should not be viewed as synonymous with technology risk).
- There is excessive focus on downside risk, causing organizations to miss key strategic risks and opportunities.