The conclusions of a technology risk study, which explored whether technology risk functions have the right strategy, skills and operating models in place to enable the organization to understand, assess and manage existing and emerging risk, have reinforced Protiviti’s long-held view that technology risk is failing to keep up with the rapid pace of technological change. This is particularly true for organizations that are struggling with the notion that they are becoming a “technology company.”
The companies assessed in Protiviti’s Technology Risk study all have ambitions to mature their technology risk activities, but it is uncertain whether they will be able to achieve their goals, given delivery and budget pressures. In many cases, the necessary changes require significant modifications, not only to risk management processes and tools, but also to the way in which governance, risk management and compliance teams are organized.
This process does not necessarily require additional people or cost. Firms can drive operational effectiveness and efficiencies through consolidation or better integration of technology governance, risk management and compliance activities, but this will only be achieved by using technology more effectively. The operating model needs to come first, however. Once the framework has been established, a creative risk function can bring it to life and increase levels of automation using technology.
Ultimately, technology risk activities need to undergo a digital transformation to be fit for purpose. It is time to reimagine the way firms manage technology risk and empower the risk function to become innovators and remain relevant to the business.
This paper introduces the Protiviti Technology Risk Model 2.0 — a proven framework and methodology firms can use to create a more integrated and more effective technology risk function. This approach goes much deeper than utilizing a common platform: it seeks to re-engineer and redesign the way technology risk and information security work is done by integrating methodologies to create a more holistic view of risks in the enterprise.