The future of technology risk management: Agile and proactive


Managing enterprise technology always has been synonymous with managing change, which also is about managing risk. But never has change come as fast or as disruptively as over the past decade.

And there’s no letup in sight. In fact, the pace and scope of technology change will only intensify in the future, so much so that the “old” ways IT leaders used to cope with change — yelling at subordinates, for example — will be inadequate. What’s needed in their place, concludes a new report from Forbes Insights and KPMG, is a more focused approach.

“Traditional technology risk methods have evaporated and enterprises need to create an agile and dynamic technology risk organization to keep up with the pace of change,” write the authors of the report, titled “Disruption is the new norm.”

Among the factors driving this perpetual disruption are the proliferation of data, automation, artificial intelligence and machine learning, the Internet of Things, and increasingly complex technologies. But an alarming percentage of the 200 or so enterprise IT leaders surveyed for the report say they are adopting these technologies without assessing the associated risks:

  • 47% — Mobile applications and devices
  • 46% — Internet of Things
  • 44% — Cloud computing
  • 34% — Artificial intelligence
  • 32% — Robotic process automation
  • 25% — Cognitive computing

So what does “an agile and dynamic technology risk organization” look like? For starters, such an enterprise addresses technology risk proactively, rather than reactively.

Unfortunately, most enterprises fall into the latter group: 87% of survey respondents said their organizations “do not currently view IT risk’s role as the proactive management of technology risk.” And 72% said “technology risk teams are only included in projects after the fact, once issues begin to arise.”

Well, that hardly makes sense!

The report blames this sad state of affairs on several factors, including organizational mindsets that fail to treat technology risk concerns as strategic considerations, the misuse of key risk indicators (which too often are viewed individually rather than as a whole, or suffer from poor data), and the lack of in-house skills to manage the risks associated with integrating emerging technologies.

Overcoming these obstacles is critical if organizations want to keep up with the accelerating pace of technological change and its accompanying risks. Here are some key elements identified in the report:

  • Integration of technology risk management into early discussions about business strategy
  • The ability of IT leaders to translate risk for business leaders
  • Raising the profile (and budget) of technology risk operations within the enterprise
  • Creating nimble, predictive risk data metrics and models
  • Risk reporting that emphasizes business outcomes

Another report, this one by McKinsey & Company, focuses on technology risk management for banks, but the lessons apply across all industries and mirror the advice and conclusions of the Forbes Insights/KPMG report. McKinsey highlights several “principles” for technology risk management best practices, including:

  • Adopting a business-first approach
  • Coordinating across risk management subdisciplines such as compliance and cybersecurity
  • Integrating technology risk management with enterprise risk management
  • Investing in specialized talent

Bottom line: If your organization is among the 87% that don’t believe your IT risk team’s role should include proactive management of technology risk, you’re literally inviting risk through your digital doors.
