3 minute read 25 Jul 2019

How to turn uncertainty into confidence in technology risk


Technology risk should never stop an institution from embracing digital, but it should add a critical design element to new projects.

The Asia-Pacific region is an exciting hotbed of innovation, with both incumbents and new start-ups harnessing digital technology to leapfrog ahead. But many executives are rightly concerned that, while emerging technologies hold the key to competitive advantage, they also introduce new levels of complexity to operating models, creating risks that traditional frameworks aren’t equipped to deal with. Layered upon this is the ever-present and growing issue of trust – both customer and employee – in ensuring the right technology has been carefully considered so that an organization can protect its data and privacy, manage supply chains and operate ethically.

But many executives are rightly concerned that, while emerging technologies hold the key to competitive advantage, they create risks that traditional frameworks aren’t equipped to deal with.
Vincent Chan
EY Asia-Pacific Consulting Technology Risk Leader

Understand what causes technology risk

One of the reasons technology risk is so hard to grasp is that it’s being created by three converging trends:

  1. Technological advances. Every year, the typical business process has more tools, applications, interfaces, supporting technologies and service providers than ever before. This complexity, together with the surging volumes and sources of data pumping through each process, means ownership is often fragmented. It’s increasingly rare that one person at an institution can describe any given process from beginning to end. Generally, it takes several people from the business and IT to fully understand a business process. Also, if your processes are sitting in the cloud, someone else is operating them. Are their technology risk controls effective? Do they store your data in another jurisdiction?
  2. Cross-border expansion. When organizations enter new markets, they either need to develop new products and services, or modify existing ones. This frequently requires new processes and related supporting technology and service providers, especially in Asia, where diverse country requirements often necessitate separate business processes and supporting technologies. Each new market adds more vendors and data centers – and new connection points and multi-party handoffs where risk issues can arise.
  3. Evolving laws, regulations and professional standards. The ever-increasing layers of global and local compliance requirements often mean institutions need to modify their business processes or implement new applications to capture, transfer, modify, report and analyze data. Many regulatory agencies are operating with broader mandates and enforcing stricter penalties. The paradigm-shifting Cybersecurity Law requires organizations to radically change the way they collect, store, transmit and use any data that is generated in China. GDPR infringements may carry fines up to EUR20 million, or – if it’s higher – 4% of the worldwide annual revenue of the prior financial year.

Identify and control new risk areas from Day 1

Technology risk should never stop an institution from embracing digital, but it should add a critical design element as each new project is added. And digital projects always merit C-suite and board consideration of how they change the risk universe. With the right approach and a risk mindset that centers on trust, they can help secure long-term growth in uncertain times. Executives and directors should be asking IT and the business to:

  • Map the data flow – It’s important to deconstruct the flow of transactions and data in new or changed processes from input to reporting. Before approving the budget for a new digital initiative, senior executives need to understand: Where are we storing data? Who owns the data? How many other processes does it flow through? Who is supporting it?
  • Critically analyze business processes to identify where risks could occur – Has a new or automated process created new risks, loopholes or compliance requirements? If RPA is being used to mimic keystrokes and mouse clicks in online banking or medical appointments, for example, where are the passwords, sensitive information and identities stored – and how are they being protected?
  • Look for unforeseen risks arising from new products – As institutions wrap emerging technologies and IoT (Internet of Things) devices into their products and services, their technology risk ‘surface’ expands exponentially. When considering risk, we need to think about the unexpected. When a municipality used facial recognition to catch jaywalkers, the cameras also captured the face of a person in a billboard on a passing bus, resulting in the system issuing a ticket to the model in the advert!
  • Build in controls to address those risks before the project rolls out – Technology risk controls should be automatically embedded in a project’s design just like any other essential protocol. Retrofitting controls is inherently risky and always more expensive.


How can we become confident and trusted entities that are increasingly global while still complying with diverse data privacy and security laws and regulations?

One piece of good news is that the Institute of Big Data Governance (IBDG) in Hong Kong is on track to create a Greater Bay Area cross-border scheme that will give institutions a single certification standard for enabling cross-border data transfers, leveraging Hong Kong as the international big data hub. IBDG is working with EY, governments and regulators, researchers, and technology and business sector leaders, including the major technology giants from the US and China and key representatives from the financial services industry. The aim is to allow businesses to have free – yet still approved and controlled – cross-border data flows as cost-effectively as possible.

This and other cross-industry data governance developments will eventually simplify at least one aspect of technology risk controls. Institutions can expect to see progress from this initiative in the coming months. At the same time, as leading companies get controls right, the learnings will cascade throughout their respective industries.

Summary

Technology risk will become embedded in the risk universe, with robust controls executives and boards can rely on to make sense of the risks and opportunities they face today and ensure their company’s trust tomorrow and beyond. Until then, technology risk must be at the top of the governance agenda for every digital implementation.
