Think outside the check box

Think outside the check box

Technology resilience is no longer just a compliance exercise.

Managing Director, CIO Advisory

KPMG in the U.S.


Related content

Checked marked rating

Thinking about your digital infrastructure? You should be asking yourself one question: can your resilience plan account for threats you haven’t seen before, or are you working under a false sense of security?

There was a time when a corporate website was just a communications tool, an online directory listing that would help bring customers to the door. Organizations developed websites to check a box on their list of marketing strategies. If the server went down, customers would simply try again later.

In two decades, corporate technology has become more complicated, more extensive and more integral to every single aspect of business. For many organizations, technology now underpins every transaction and every interaction. If the server goes down, even for minutes, customers will go elsewhere, workflows are interrupted and processes come to a stand-still.

But many businesses are still treating technology—and technology resilience—as a checkbox exercise, complying with changes they believe they need to make rather than thinking critically about why they need to make them.

Technology resilience

When I talk about technology resilience, I’m referring to the KPMG definition: “the ability of technology systems to withstand operational stresses, cyber-attacks and constant change.”

The definition is intentionally broad. In 2016 technological systems are encountering stresses that range from external events—like natural disasters, security breaches and even disease and political unrest—to a host of disruptions from inside organizations, from the failure of the systems themselves. In the future, these disruptions will only grow in number and in scope, and being prepared will mean literally preparing for the unknown.

Unlike those first corporate websites however, resilience against an unknown digital future can’t just involve a “bolt-on” solution that brings readiness easily and seamlessly. It requires a culture that enables resilience to be built into systems from the beginning.

The dangers of checking boxes

A list of “must-haves” can be useful for the end result of a resilience plan, used as an exercise to measure completeness and consistency. The problem arises when a plan is made to fit those lists, because that only helps in meeting issues that have been encountered in the past. Instead of a predictive system, KPMG professionals create a retroactive system that’s always catching up to the next vulnerability.

Instead, resilience methodologies should not be rigid. In my experience, rigidity can lull people into a false sense of security, and compliance becomes about meeting minimums rather than thinking critically about those issues and their potential impacts.

Building a resilience plan has to start from the ground up, and that begins and ends with people. If you’re interested in learning more about some of the frameworks KPMG firms have developed to help businesses think outside the checkbox, contact me at

KPMG Anticipate

KPMG Anticipate is a new online space where we share insights on the subjects which we feel are at the heart of how the business world is changing.

Read more

Connect with us


Request for proposal



KPMG's new digital platform

KPMG's new digital platform