Editor’s note: The following is a sponsored blog post from KPMG:
Most companies today are pursuing technology modernization projects—be it increased digitization, replacing outdated hardware and software, or moving operations to the cloud.
With new technology comes new risks. And technology risk and compliance programs need to adjust to that reality. That means moving closer to the point where the risk events occur and using preventative and automated controls as much as possible. In other words, the future of risk is shifting away from a regulatory-driven “protect agenda” to one where organizations leverage risk to enable firmwide growth, differentiation and optimization.
Here are some key areas where technology risk leaders can focus their efforts to shape their organizations for the business challenges of today—and tomorrow.
Transparency and digital trust
Customers and other stakeholders are increasing their expectations around transparency, information security and overall technology risk management. They expect companies to explain to them how they plan on managing and protecting their data and critical services and how they have implemented meaningful information security and controls. At the same time, regulators globally are looking at developing rules that will demand greater transparency around data protection and cybersecurity.
Successful technology risk functions can enable organizations to secure stakeholder trust by enhancing risk management to improve the likelihood of desired outcomes while simultaneously reducing the likelihood and severity of adverse outcomes in a more commercial and transparent way.
However, this will require technology risk programs to move beyond a defense-only, reporting-centric function into a role that delivers the proper safeguards related to business strategy and improves the likelihood of successful implementation and execution of a strategy in line with stakeholder risk appetite. The bar of transparency to customers and stakeholders has risen and building digital trust is now tablestakes.
Revamping the technology risk operating model
The speed of technology change can be overwhelming for the technology risk function of organizations. Many traditional operating models are now obsolete and understaffed, exposing companies to greater risks.
To keep up with the change, technology risk managers need to take a fresh look at their current operating model and determine how to manage these changes proactively while attending to the day-to-day running of the program. Focusing on skill needs, automation and data opportunities, reporting line structures, governance and accountability mechanisms, and managed services are just example areas to evaluate to adjust for the future.
Technology risk programs also need to have the ability to adapt quickly and effectively to be in line with the organization’s strategy, business, and enterprise operating model as it evolves in reaction to market, industry, and regulatory developments. That requires that the risk function maintains an open business and technical architecture that enables it to adapt to this changing business, regulatory and operating environment quickly, meaningfully and commercially.
Leverage data, analytics, automation, and insights
Digital applications are now providing businesses with a tremendous amount of data. However, technology risk organizations aren’t fully leveraging this data and automation opportunities. So, it makes sense to think about how data can be used as an asset – that is, to create different business value to differentiate technology risk programs.
Technology risk programs can advance the organization’s level of maturity related to data analytics by monitoring key data signals such as monitoring modern application development processes, service availability and incidents, network activity, potential data loss events, and user access activity as examples. Using dashboards and thresholds to identify activities more real time that may present risk will allow technology risk programs to prioritize focus and actions.
Accelerating technology risk transformation
Technology risk teams need to determine what’s preventing the function from reaching the higher maturity levels, and need to ask questions like the following to help prioritize efforts:
- Do we know what our critical services are?
- Do we know what are critical assets are? What are our risks related to these assets?
- Do we have a risk committee established to keep aware of the organization’s strategy and tactics?
- Do we know what new technologies are being deployed?
- Do we know what acquisitions are being planned?
- Do we have a technology control framework deployed that is monitored throughout the organization that goes beyond the traditional financial compliance scope?
When looking to embark on modernizing the technology risk function, here are some recommendations and suggestions:
- First, for new initiatives, launch a pilot with limited scope to get a quick win and gain internal support.
- Second, have a clear understanding of the business strategy purpose and values, and how change would address those issues. Try not to force the technology requirements before understanding the business requirements. Understand your vision and business objectives before designing new operating models and adopting new risk technologies.
- Third, leverage agile approaches. Learn how to fail quickly so you can adapt and learn from those experiences, and build the best solutions for your organization.
- Fourth, engage with key stakeholders up front and throughout the uplift of your program. For example, do you need the customer-facing organizations in your corner to ensure enhancements to transparency and stakeholder engagement are valuable from a commercial perspective? Make sure key stakeholders across the business are on the same page with you and get their feedback, support and recommendations real time.
Discover more about the KPMG Future of Technology Risk point-of-view.
About the author: Beth McKenney is a Principal in the KPMG Technology Risk service network. Located in Detroit, Beth is an effective leader with over 20 years of experience helping clients manage risk, deliver value through technology risk management, and strengthen their governance capabilities. Beth leads KPMG’s Technology Risk Modernization center of excellence which is focused on evolving solutions to respond to digital acceleration, cloud transformation, and emerging technologies.