The risks embedded in your IT landscape
By Annarien Adams, Nolands Advisory Services
Many organisations have chosen to embrace the technology era and have in some form adopted IT within their businesses. Large corporates have embarked on extensive technology journeys, spending millions on transforming the way they work. Although organisations have made significant investments in IT, some have overlooked the detailed risks that IT may pose to their business.
Current governance frameworks incorporate IT from an operational perspective but do not reflect the embedded risks that remain concealed. Disruption dominates the executive agenda, and with the constant threat of disruption from emerging technologies and strategic business model transformations, there are many reasons for IT risk exposure. The three key reasons are:
- The board and executive management are under extreme pressure, as the shortage of risk management skills is considered a major constraint.
- Due to highly sophisticated environments and many operational silos, executive management very rarely has an end-to-end overview in which IT has been incorporated into the risk profile of day-to-day operations. Succinctly, siloed risk functions reduce value and increase cost.
- Risk governance frameworks are detective rather than preventative due to the lightning speed of the ongoing technology revolution. Many risk functions are not IT resilient and can best be described as ‘sluggish’ to adapt and transform.
Although organisations go to great lengths to identify risks, build risk models and implement multiple layers of defense, many still feel despondent with the overwhelming amount of risk management activities, leaving them with more risks than ever before. Functions are connected via informal channels and work with different risk categorisations, terminologies, approaches, rating scales and technologies. Consequently, limited resources may end up focused on the wrong areas.
Contrary to popular belief, risk management should be the responsibility of employees across the whole organisation, including the board, business, IT, risk, compliance, operations and audit. It has to be a collaborative approach in which the probability and severity of IT risks and incidents are considered and incorporated into the overall risk framework.
In essence, IT governance is metrics driven, which, in the data age we live in, provides the executive with a magnitude of information, performance results and trends that becomes a complete information overload. Without underlying knowledge of what is measured, an understanding of the ultimate drivers of those results and their impact on business operations, the question arises whether the executive is being lured into a false sense of security.
Many metrics can be produced daily, weekly and even monthly, but producing metrics for the sake of it may not be a cost-effective or efficient way to deploy resources. The board and executive management often receive multiple unaligned reports containing redundant and often conflicting information.
Although organisations are heavily invested in cybersecurity, cyber criminals (aka hackers) are constantly trying to gain access to information databases to obtain personal data, which will result in fraud. Organisations may not lose money through the loss of data itself, but these incidents may result in reputational damage, exploitation of company data and trends, as well as fines under the applicable personal data protection laws.
With cyberattacks becoming the norm, personnel should attend regular cybersecurity updates and training sessions, with key personnel taking additional steps to stay abreast of changing cybersecurity threats and countermeasures. Focus should be placed on stress testing the environment, and staff should document lessons learned to increase their ability to identify potential threats.
Due to the complex nature of IT environments, only a few key stakeholders will have the knowledge and oversight to identify risks across the IT infrastructure. More often than not, these key stakeholders do not have process documentation and end-to-end system notes that depict the landscape. This results in a key man dependency.
Many organisations with complex environments have business resilience plans that will equal any disaster; however, these plans have never been put to the test. The fear of actually switching IT off is real, which is a risk in itself. Simulation tests have become crucial to an organisation’s survival.
Mobile and robotics present their own unique sets of challenges.
With mobile, the risks that need to be considered include the fragmented approach of deploying applications, random outsourcing and the resulting lack of focused management and accountability.
Robotics has become more prevalent in recent years, eliminating remedial tasks once performed by humans. Although it arrives at the correct results, there is a contradiction to the original objective: we are teaching machines to think. Humans will still have to monitor the thinking patterns, configurations and exceptions derived from these robots.
In the end, risk-focused employees need to understand the macro and micro factors contributing to the risk exposure within the business environment, the business and operational processes and the regulatory compliance landscape, whilst recognising that technology is front and centre when identifying and prioritising risk.
The proficiency of risk management is firstly dependent on the ability to leverage the knowledge of all employees and secondly on the ability to assess existing and future risks. Successful risk management can only be achieved when applied in conjunction with the implementation of effective, efficient and sustainable solutions. The aim is to coordinate risk activities and align skills to better leverage existing infrastructure and resources.
Annarien Adams, Nolands Advisory Services, Cape Town, South Africa
T: +27 21 658 6600
Published: November 2018 | Photo: ©denisismagilov - stock.adobe.com