
Continuing the journey of technology risk improvement

This viewpoint will explore:

  • The current state of technology risk management 
  • Why improving an organisation’s technology risk posture remains a challenge
  • Why it is important to continue to build tech risk resilience
  • How to make meaningful investments in tech risk management
  • Steps organisations can take to improve their tech risk posture

The current state of technology risk management


Technologies of many different types and complexities continue to dominate our world, in line with an ongoing 50-year plus trend. They have permeated widely throughout societies globally, and are used extensively in support of our professional, personal, and social lives. The opportunity to harness technology for efficiency, improved outcomes, building communities, improving health and driving innovation and progress continues to be a driving force for human development and a cornerstone of our civilisation.

Yet with these opportunities come inevitable challenges, unintended consequences, and the subversion of technology by bad actors or through simple mistakes. This happened as recently as July 2024, when an erroneous update by a global cloud security firm resulted in a significant technology failure leading to global disruption. As this recent event clearly illustrates, business risk grows as immersion in, and systemic reliance on, technology grows.

A prime example of the fast-paced technology changes which enterprises need to respond to is artificial intelligence (AI). The Deloitte Centre for Financial Services estimates that generative AI (GenAI) email fraud losses alone could approximate to $11.5 billion in just four years, through the ‘aggressive’ adoption of email and phone “phishing” scams, which use AI deepfake audios and videos to impersonate both clients and banks [1]. A U.S. Treasury report also highlighted the concern that risk management frameworks in place across certain banks may not be adequate to deal with emerging AI technologies [2].

In addition to the opportunities and risks presented by technology to corporations, there have been broader sweeping societal impacts. For example, it is now widely accepted that cyber warfare is the fifth dimension of conflict between nation states. Therefore, nations that wish to remain globally relevant must develop and retain home-grown technology and cyber security skills for their public sector, which have historically been in short supply. Investment in cyber security skills and capabilities for public servants and the broader population cannot be ignored by governments in the future.

Further, the potential for increasingly accessible technology platforms such as social media to influence election results in superpower nations, and thereby destabilise some of the most established and globally influential democracies, has been hotly debated in recent years. The spread of disinformation disseminated via these platforms is set only to increase with the widespread use of GenAI tools.

Meanwhile, public services across the globe are increasingly expected to drive efficiencies through new technology to improve value for taxpayer money, whilst simultaneously leveraging the potential of newly implemented technologies to drastically improve service performance. Governments have often sought the help of the private sector in bridging their technology skills gap. Recent failures of third-party technology providers acting on behalf of major government departments in the UK to deliver critical technology services demonstrate a dire need for robust management of the risks arising from procurement, and for intelligent ongoing management and oversight of such technology service providers and third parties.

The business world continues to grapple with both the opportunities and risks technology presents, particularly in the context of the capital and investment required, not just to deliver, but also to manage the risks effectively. Technology remains one of the most significant contributors to operating costs, and these are usually exacerbated through years of underinvestment, significant capital projects at any given point in time, and the highly skilled technical personnel required to manage the estate effectively (whether onsite or in the cloud).

Whilst there has been significant investment in some cases across the corporate world to respond to and to better manage technology risk, for many, no material improvement to their technology risk profile and risk exposure has been achieved. The same issues are highlighted repeatedly, with seeming paralysis in the ability to make meaningful improvements. Surprisingly, these failures still impact sectors where there has historically been significant investment in technology risk optimisation, such as Financial Services and Defence.

Why improving an organisation’s technology risk posture remains a challenge


Whilst each organisation’s situation is unique, there are common factors and themes that we believe prevent organisations from realising improved outcomes in relation to technology risk management:

  1. Visibility and understanding of the true scale of the problem by senior leadership – Technology is complex, often surrounded by inaccessible terminology and concepts, whilst also constantly evolving. This makes it difficult to maintain a high level of knowledge of a technical area, especially when you are not a dedicated technology subject matter expert. When the Board or senior leadership lack sufficient knowledge of technology, effective decision-making capability in response to technology risk is reduced.
  2. Failure to link risk appetite to strategic decisions – It is important for the organisation’s technology risk profile and risk appetite to be continually linked and considered in strategic decisions. Also, the firm’s risk and control functions should be suitably involved, to ensure that investment decisions (or their associated implementation and execution) do not adversely impact the organisation’s risk profile.
  3. Ingrained cultural challenges around technology risk management – There are still sizeable cultural challenges that many organisations face when managing technology risk effectively. Many technology functions struggle to devote sufficient time and resource to technology risk management, and often limit their efforts to cyber and information security risk (see next point). This is because risk management can be seen as a blocker, slowing down delivery, or is seen as a ‘nice to have’. Many technology leaders struggle to transparently highlight risk matters to senior leadership as a tool for securing necessary investment.
  4. Insufficient focus on areas other than cyber security – Whilst cyber security remains one of the biggest technology risks to organisations, there can be unbalanced time, focus and investment in this area, which leaves gaps and vulnerabilities elsewhere. We now live in a world where organisations are continually looking to cut costs whilst broadening risk management skillsets and flexibility. This is increasingly being achieved through procuring vendor products and utilising technology service providers, such as SaaS solutions and third-party tools. However, with outsourcing come new risks, and organisations must do more to assure the activities of third-party service providers. As well as effective third-party risk management, other areas such as change delivery, technology governance and operations management require additional focus and investment.
  5. A long-term investment strategy and approach – In most organisations, a long-term investment strategy and approach is needed to effectively tackle technology risks. With changes in personnel, and organisational responses to the external economic cycle, most organisations find it difficult to maintain the levels of investment required over the long term in order to achieve optimal outcomes. The easier route, as is often the case, is to continue to invest smaller amounts in short-term fixes and avoid tackling the major issues head on, resulting in many organisations ‘investing to stand still’.

Why it is important to continue to build tech risk resilience

  1. The evolving regulatory environment – Technology risk and operational resilience are hot topics for governments and various regulators globally. For Financial Services and key cloud technology providers, there is the introduction of DORA, which aims to ensure the robustness and reliability of digital operations within the EU financial sector. The UK Operational Resilience regulation requires FCA- and PRA-regulated Financial Services firms in the UK to set an impact tolerance for each of their important business services. Across all sectors there are the amendments to the UK Corporate Governance Code, which have strengthened the basis for reporting and evidencing the effectiveness of internal controls, as well as requirements for a new annual resilience statement. For public sector organisations there is the Cyber Assurance Framework, which, whilst not mandatory, is largely expected to be used to guide cyber activity and controls. In the UK, the Senior Managers and Certification Regime (SM&CR) aims to encourage a culture of responsibility and accountability within firms, with ‘senior managers’, or individuals performing key roles, having clear responsibilities, making it easier to hold them accountable for failings in their areas. All of this puts a higher burden on firms to keep on top of their technology risk management.
  2. Wide variety of technology risk issues and setbacks afflicting companies – We continue to see companies experience major issues across the whole technology risk spectrum. It is clear that the typical level of corporate maturity in response to technology risk is not sufficient, and enhancements need to be made. Whilst the associated costs can be significant, enhanced resiliency in the face of significant global technology events can provide ‘value for money’. In an increasingly connected world, the scale of potential incidents is significant, and being robust to these events is important for customer goodwill and the organisation’s reputation.
  3. Enhancing the ability to meet strategic goals – One of the biggest barriers to efficiency and productivity is long-term underinvestment in technology, and a failure to appreciate the potential technology risks the organisation is exposed to. Redefining the approach to technology governance and risk management will, in the medium to long term, deliver significant benefits to business performance and stability.

How to make meaningful improvements in tech risk management
  1. Drive effective technology risk reporting – Ensure the Board and those charged with governance are provided with the right risk data, as well as a rich and sufficiently granular analysis, to enable them to make the right decisions. This is key, particularly given the pivotal role technology plays in the cost and investment agenda. This data should be regarded as being as important as financial and regulatory reporting, but in our experience this is not always the case.
  2. Bring clarity and transparency in linking investment decisions to risk outcomes – Ensure that the organisation has a clear and honest view of its risk appetite over time and how this may change depending on the investments it makes. It is important to have the ability to define when and where interventions may be required to reach the organisation’s desired risk appetite, and to link the enterprise’s programme of change to corresponding reductions in risk profile over time.
  3. Strengthen board training and awareness – Organisations should consider holding regular sessions and workshops, as well as open conversations between the Board and senior management within technology, cyber and risk management functions. This will help provide visibility to the Board and senior leadership of key technology risks, and enable them to manage risk more effectively. As an alternative or supplementary approach, Boards and executives could pursue the engagement of more technology-aware members, including non-executives, to provide more robust check and challenge on technology matters.
  4. Review and rebalance the Target Operating Model (TOM) and Service Model (SM) for technology risk management functions – Ensure a balanced focus is given to all relevant risks, in line with ongoing risk and threat assessments. Also, optimise the operating and service model with the right breadth and depth of technical skillsets and understanding of service model processes to deliver an effective technology risk capability.
  5. Agile over waterfall approach – As technology can change rapidly, an agile approach to improvements provides a more flexible path. It is an ideal approach when there are unknowns or changing requirements which must be reacted to. A waterfall approach has its benefits, but if an organisation is struggling to define its requirements, then it may not be the optimal model. In our experience, many organisations adopt a waterfall approach to technology risk enhancement and, as a result, run out of budget and senior leadership goodwill before making significant enhancements. Agile improvement that leans into one or two of the most significant risk exposures first, and focuses on the fastest path to risk reduction, can make a significant improvement to the overall technology risk posture of the organisation.
  6. Focus on cultural improvement – A big culture shift needs to happen with regard to how organisations view technology risk management and technology risk functions. For too long, risk management has been deemed the sole responsibility of risk functions themselves, but it is important for the business and those outside of risk management functions to apply a risk mindset to their everyday activities, taking ownership of the ongoing management of risk. It is important that organisations embed a culture of effective risk management, and that individuals within organisations are encouraged to be honest and transparent in raising concerns, issues and risks, rather than feeling that they will be penalised. Careful consideration of the performance management incentives used to guide behaviour around technology risk management needs to happen.
  7. Focus on quality and sustainability of foundational data – This refers to data held in the Configuration Management Database (CMDB), incident data, change ticket data and risk data. Ensuring quality data in these areas can be low-hanging fruit for most organisations, and we know too well that poor data governance and quality can result in fines and reputational damage. This data is the foundation for making informed business decisions, achieving an effective and efficient control environment, and ensuring compliance with regulations.
  8. Policies, standards, controls – Getting the basic documentation right ensures that risk management procedures are clearly documented, bringing risk discipline and uniformity to an organisation’s operations, which in turn can help shape a better risk culture. If controls are in place and documented, this also gives organisations a clear way of demonstrating what measures they have in place to help alleviate risks, and allows controls to be tested sufficiently, leaving room for continual improvement.
  9. Automation of controls – Most organisations would benefit substantially from automation of controls across key technology and security processes (adopted in an agile way, as mentioned previously). Areas such as user access management and privileged user management are examples where such controls can provide significant improvements to the overall effectiveness of the control environment.

Overall conclusions


Successfully managing technology risk is one of the biggest challenges most corporates face. Underinvestment in the capabilities in this area has come at a time when technology and cyber risk is evolving alongside emerging technologies, such as AI, and the technology landscape is dominated by hugely powerful global technology service providers. 

Whilst the challenges are significant, we remain hopeful that senior leaders can benefit from our recommendations. The top three points to consider are summarised below:

  • Acknowledge the cultural challenges most enterprises are facing and take steps to embed a strong technology risk culture across the organisation.
  • Make a positive step change in the quality of technology risk information that is produced, and ingrain technology risk management information more effectively in the strategic decision-making of the company.
  • Focus on agile improvements across the biggest risk areas first and have a vision for meaningful enhancement in technology risk management in the long term.

_________________________________________________________________________

References

1. Deepfake banking and AI fraud risk, Deloitte Insights, Deloitte Center for Financial Services, 29 May 2024.

2. Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector, U.S. Department of the Treasury, March 2024 (treasury.gov).