With technology increasingly touching nearly every aspect of the business, more C-suite leaders now acknowledge the direct connection between IT risk and enterprise risk—and more broadly enterprise strategy. As such, many organizations are beginning to view technology risk as a value center that helps meet critical business objectives, and are investing accordingly.
Although technology risk teams clearly have a larger role to play, their ability to do so is hindered by the fact that an overwhelming majority (87%) of organizations do not currently view IT risk’s role as the proactive management of technology risk across the organization.
According to our survey data, organizations primarily view technology risk as an arm of compliance or cybersecurity, rather than an organization-wide function for proactive risk management. We also found that often, technology risk teams are only included in projects after the fact, once issues begin to arise. At this stage, the impact they are able to make is minimal.
Other KPMG research backs up the fact that technology risk has a larger role to play when it comes to protecting the organization from risk—especially with regard to cybersecurity.
According to KPMG’s 2017 U.S. CEO Outlook survey, only 40% of CEOs say their organizations are well prepared for a cyber event. In addition, KPMG found that a significant portion of technology incidents are preventable with the right precautions (see sidebar on technology risk’s role in preventing blockchain breaches).
In our recent report, Technology risk radar, we found that more than 30% of the 700+ technology incidents we examined over the past year across industries were caused by software glitches. By engaging technology risk from the get-go, exercising rigor when testing systems, and building the right level of resilience to enable failover, most of the incidents would have been avoidable.
How can technology risk gain its warranted seat at the table and increase its impact on the business?
For one, technology risk leaders should establish a plan of activity and menu of services that line up with the day-to-day and project-based activities of the IT group that directly support the overall business. For example, technology risk could align its activities with the priority projects in IT’s annual budget cycle, even becoming a direct work stream of those projects.
It is also important for technology risk to participate in committees and focus groups that are looking at new products or services, with a focus on providing clarity on the potential risks of innovation and strategies to remove obstacles associated with those risks.
In addition, top-level tech risk professionals should interact regularly with the CIO, CISO, CRO and COO. Annually, technology risk should also report to the board’s risk committee. In fact, in conversations with business leadership, technology risk leaders should take on the role of friendly “challenger”—using their risk perspective to help think through business issues and question decisions that might increase the organization’s risk profile, whether it’s the introduction of a new technology or entry into a new market. To be effective challengers, tech risk professionals need broad knowledge of business strategy and processes, as well as the experience and gravitas to speak up with confidence. That will require technology risk to close the skills gap and leverage data more effectively, both of which we discuss later in the report.
Finally, only establishing a clear tone at the top will make the business want to actively collaborate with technology risk. That requires a dual effort by both technology risk and business leadership. They must work together to show the entire organization that technology risk deserves to be a critical part of the strategic decision-making process, be it about M&A, embracing a new technology, or any business transformation initiative.
The article “Getting technology risk a seat at the table” by Phil Lageschulte, KPMG International, was taken from KPMG’s publication entitled Disruption is the new norm.