Report: risk management disciplines not keeping up with tech

New research shows that while technology is business critical to most companies, technology risk disciplines aren't moving quick enough to keep up with the rate of change in technology itself.

Companies must learn to live with risk turned up to high
Companies must learn to live with risk turned up to high

New research from Protiviti, a risk and business consultancy, has shown that while technology is business critical to most companies, technology risk disciplines aren't moving quick enough to keep up with the rate of change in technology itself.

Despite this, Jonathan Wyatt, managing director of information technology at Protiviti, opened a press briefing this morning by saying, “A large multi-national financial services firm has told us that within five years we see ourselves running no onsite services – we'll be entirely cloud managed."

He went on to explain that while there is a sense of ambition to improve and become better at managing technology risks that are associated with things like cloud technologies, translating those technology risks into business risk can often be challenging as senior management can't see how one affects the other. “You're not driving change, you're reporting risk”.

In a sample base comprised of 70 percent financial services companies, Protiviti devised a scale of one to four (with four being strongest) and found most companies scored a one or two. Fewer than ten percent were counted as a level four.

As a result of the difficulties of managing technology risk, most large companies would be happy to hand over the risk of processing and storing data to external suppliers. Wyatt says this is particularly true in SMEs which are probably too busy to think about technology risk management.

Risk and opportunity

Ryan Rubin, managing director of information security and data privacy at Protiviti, said that it is all about learning to take the right risks that will encourage business growth.  

Rubin stated that cyber-risk is often put into a different silo than traditional business risks. To explain, he gave the example of a company engaging with a new supplier of a cloud-based HR system.

“Often a business would make such a purchase based on the benefits of the system for HR staff, and this is normally where information security professionals might advise against it because of the risks associated with losing HR data to cloud providers with [poor] security,” he said. 

He advises looking broadly at all your people, processes and tech risks, but to focusing on a 'crown jewels' approach: “Consider what you really care about and make sure you protect it, rather than try and protect everything”. And he added that companies should “focus on particular areas which control key business aspects” to avoid stifling the business due to the lack of risk taking.

“Ride the wave of change – respond and engage to get the reward from tech changes”, Rubin said. “If you aren't agile, you can't embrace opportunity if you're always looking for risks."

It's not all doom and gloom

Although these preliminary survey results have shown that technology risk management at many companies is not currently fit for purpose, many companies surveyed have plans in place for rapid progress over the next 12-24 months. 

Budgets allocated to technology risk activities are increasing to support these investment activities as senior management are becoming increasingly aware of the inadequacies of existing processes. This is in part a response to technology risk functions finding themselves subject to scrutiny from regulators – the upcoming General Data Protection Regulation being one of the biggies.

And finally, many business are taking steps to enhance technology risks. More and more businesses are looking to align technology risk assessments more closely with business risk, improving integration and increasing their understanding of risk appetite. 

Leaders are also investing in governance, risk management, and compliance tools to drive efficiencies and improve reporting capabilities, with some also looking into automated tools to provide even higher levels of compliance with policies.