3 minute read 25 Jul 2019
Female security guard watching monitors control room

How to turn uncertainty into confidence in technology risk

By

EY Global

Multidisciplinary professional services organization

3 minute read 25 Jul 2019
Related topics Trust Risk

Show resources

Technology risk should never stop an institution from embracing digital, but it should add a critical design element to new projects.

The Asia-Pacific region is an exciting hotbed of innovation, with both incumbents and new start-ups harnessing digital technology to leapfrog ahead. But many executives are rightly concerned that, while emerging technologies hold the key to competitive advantage, they also introduce new levels of complexity to operating models, creating risks that traditional frameworks aren’t equipped to deal with. Layered upon this is the ever present and growing issue of trust – both customer and employee – in ensuring the right technology has been carefully considered so that an organization can protect their data and privacy, manage supply chains and operate ethically.

But many executives are rightly concerned that, while emerging technologies hold the key to competitive advantage, they create risks that traditional frameworks aren’t equipped to deal with.
Vincent Chan
EY Asia-Pacific Advisory Technology Risk Leader

Understand what causes technology risk

One of the reasons technology risk is so hard to grasp is that it’s being created by three converging trends:

  1. Technological advances. Every year, the typical business process has more tools, applications, interfaces, supporting technologies and service providers than ever before. This complexity, together with the surging volumes and sources of data pumping through each process, means ownership is often fragmented. It’s increasingly rare that one person at an institution can describe any given process from beginning to end. Generally, it takes several people from the business and IT to fully understand a business process. Also, if your processes are sitting in the cloud, someone else is operating them. Are their technology risk controls effective? Do they store your data in another jurisdiction?
  2. Cross-border expansion. When organizations enter new markets, they either need to develop new products and services, or modify existing ones. This frequently requires new processes and related supporting technology and service providers, especially in Asia, where diverse country requirements often necessitate separate business processes and supporting technologies. Each new market adds more vendors and data centers – and new connection points and multi-party handoffs where risk issues can arise.
  3. Evolving laws, regulations and professional standards. The ever-increasing layers of global and local compliance requirements often mean institutions need to modify their business processes or implement new applications to capture, transfer, modify, report and analyze data. Many regulatory agencies are operating with broader mandates and enforcing stricter penalties. The paradigm-shifting Cybersecurity Law requires organizations to radically change the way they collect, store, transmit and use any data that is generated in China. GDPR infringements may carry fines up to EUR20 million, or – if it’s higher – 4% of the worldwide annual revenue of the prior financial year.

Identify and control new risk areas from Day 1

Technology risk should never stop an institution from embracing digital, but it should add a critical design element as each new project is added. And digital projects always merit C-suite and board consideration of how they change the risk universe. With the right approach and a risk mindset that centers on trust, they can help secure long-term growth in uncertain times. Executives and directors should be asking IT and the business to:

  • Map the data flow – It’s important to deconstruct the flow of transactions and data in new or changed processes from input to reporting. Before approving the budget for a new digital initiative, senior executives need to understand: Where are we storing data? Who owns the data? How many other processes does it flow through? Who is supporting it?
  • Critically analyze business processes to identify where risks could occur – Has a new or automated process created new risks, loopholes or compliance requirements? If RPA is being used to mimic keystrokes and mouse clicks in online banking or medical appointments for example, where are the passwords, sensitive information and identities stored – and how are they being protected?
  • Look for unforeseen risks arising from new products – As institutions wrap emerging technologies and IoT (Internet of Things) devices into their products and services, their technology risk ‘surface’ expands exponentially. When considering risk, we need to think about the unexpected. When a municipality used facial recognition to catch jay walkers, the cameras also captured the face of a person in a billboard on a passing bus, resulting in the system issuing a ticket to the model in the advert!
  • Build in controls to address those risks before the project rolls out – Technology risk controls should be automatically embedded in a project’s design just like any other essential protocol. Retrofitting controls is inherently risky and always more expensive.

Technology risk should never stop an institution from embracing digital, but it should add a critical design element as each new project is added. And digital projects always merit C-suite and board consideration of how they change the risk universe.

How can we become confident and trusted entities that are increasingly global while still complying with diverse data privacy and security laws and regulations?

One good news is that the Institute of Big Data Governance (IBDG) in Hong Kong is on track to create a Greater Bay Area cross-border scheme that will give institutions a single certification standard for enabling cross-border data transfers, leveraging Hong Kong as the international big data hub. IBDG is working with EY, governments and regulators, researchers and technology, and business sector leaders including, the major technology giants from US and China, and also the key representatives from the financial services industry. The aim is to allow businesses to have free – yet still approved and controlled – cross-border data flows as cost effectively as possible.

This and other cross-industry data governance developments will eventually simplify at least one aspect of technology risk controls. Institutions can expect to see progress from this initiative in the coming months. At the same time, as leading companies get controls right, the learnings will cascade throughout their respective industries.

Summary

Technology risk will become embedded in the risk universe, with robust controls executives and boards can rely on to make sense of the risks and opportunities they face today and ensure their company’s trust tomorrow and beyond. Until then, technology risk must be at the top of the governance agenda for every digital implementation.

About this article

By

EY Global

Multidisciplinary professional services organization

Related topics Trust Risk