
Technology and risk functions play a critical role in ensuring technological and operational resilience while enabling business continuity. 

In addressing Covid 19 responses and beyond, many companies can follow a model that resembles "resilience, recovery and a new reality". Currently, many companies are moving forward in the resilience phase and taking immediate action to address employee safety and business operations concerns. Soon, businesses will recover and stabilise operations for the coming weeks (if not months). Based on reliable signals, businesses will eventually develop plans and enter a new reality where business operations play a role in economic recovery. 

Technological risk management helps meet the challenges of the new modes of work and cooperation

Technology risk functions, including all technology roles in the organisation (CIO, CTO, CISO, IT risk, IT audit, etc.), need to be focused and engaged to manage this dynamic situation and bring critical value to the business through an effective and risk-aware response. Government action to enforce 'social distancing' has forced more people than ever before to use remote access to corporate networks, creating immediate challenges and risks for organisations.

Responsibly helping technology teams with resilience, recovery and a new reality

In our virtual peer exchange on technology risk management, held on 31 March 2020, global industry leaders came together to share their current experiences and suggestions for managing through the Covid 19 response. We learned about corporate practices that enable an effective approach: 

  • Respond in a timely manner to ensure stability and business continuity, while monitoring government requirements; 
  • stabilise around temporary measures and new ways of working; 
  • and emerge with key experiences, skills and capabilities that build resilience through growth and transformation on the road ahead. 

The following sections provide an overview of the issues and challenges that technology risk teams face as they move through the three phases of resilience, recovery and new reality, and recommendations on how to successfully manage these issues. 

Phase 1 - Resilience

Forces impacting the business and technology risk teams.

With response efforts in full swing around the world and a host of public health interventions, business continuity and employee safety plans have been escalated. Working remotely is now the default mode, but this has complicated video conferencing capabilities and internet connectivity. Technology control teams are under pressure balancing almost fully integrated life and work tasks, which impacts on associated control performance (quality, accuracy and timeliness).

Current and evolving technology risk practices.

  • As technology investments are re-evaluated, organisations may re-evaluate information technology (IT) risk tolerance (with some risk levels increasing significantly, such as access control) and throttle up or down requirements in the most critical IT control areas.
  • Technology risk teams are improving business alignment and collaboration with partners to provide real-time information that can be considered in rapid frontline decision-making, and to use quantifiable business key risk indicators (KRIs) (where possible) to measure control performance and support 'risk appetite' reviews if the pandemic is prolonged.
  • Technology risk teams continue to conduct granular scenario evaluations to identify potentially high-risk outcomes (resource capacity shortages, fraud risk, employee morale, workplace communication and collaboration technology controls, etc.).

KPMG Perspectives

  • Governance of collaboration tools - Technology risk leaders should ensure risk governance when deploying collaboration tools (e.g. WebEx, Slack, Microsoft Teams) and test performance, productivity and high-risk work environments at scale.
  • Risk reduction - Work with CISOs to de-risk remote access, sensitive data access and software development access as a result of an increase in remote working.
  • Internal controls - assess control frequencies, reliability, documentation methods; prepare for alternative approaches for external auditors (virtual audit execution and data-driven methods).
  • Monitoring of key risks - analysis of KRIs in relation to specific technological risks, including enforcement of thresholds and communication/escalation of cases where tolerance is not met, especially for KRIs in leadership positions or appetite statements at board level.

Phase 2 - Recovery

Forces Impacting the Company and Technology Risk Teams

As the current health situation creates economic uncertainty about the size, duration and shape of the ongoing decline in gross domestic product, organisations continue to face liquidity and solvency issues that are critical to central banks' and governments' efforts to keep the financial system functioning. As companies continue to operate, risk and control monitoring is in high demand to provide key insights and decision support to senior management and boards.

Current and evolving technology risk practices.

  • Companies will continue to optimise technology risk and control resource models and activities required to meet regulatory requirements, including preparation for alternative regulatory and external audit models. Heavily regulated businesses (e.g. financial services) work with local regulators to obtain relief on compliance-related activities. 
  • Internal IT audit teams reduce their remaining annual plans and focus only on mission-critical areas to reduce business impact and demonstrate capacity to other areas of the business.
  • Some companies are implementing continuous controls monitoring programmes to gain early insight into emerging issues to improve their ability to manage risks and opportunities.

 

KPMG Perspectives

  • Quantify technology risks - Enable technology risk quantification capabilities (if available) to gain more relevant insights into risks to the business while making key stabilisation decisions. 
  • Begin control automation - use IT-based monitoring (if available), especially if a trusted source system is used. Consider small investments in an initial set of key controls for automation that will pay off in the longer term if there are persistent resource constraints and additional automation plans are to be initiated. 
  • Recalibrating risk thresholds - Recalibrate (as much as possible) specific risk thresholds for technology depending on the situation (e.g. consider relaxing certain access controls and strengthening controls around supplier and fraud risks).
  • Critical skills/personnel management - Identify and, where possible, add critical skills to mitigate key personnel risks, particularly in the area of key technology controls (whether internal employee or supplier). Consider cross-skilling and job shadowing to ensure coverage and knowledge on an ongoing basis. 

Phase 3 - A new reality

Forces acting on the company and technology risk teams.

Companies are now asking, "What will normal look like?" They face the challenge of looking into the crystal ball and predicting the need for business resumptions and scale-ups and the associated technology risks. As a company's responses come into focus, even after what may be an extended period of time, we can expect that tomorrow will not look like yesterday or today. Day-to-day technology operations, as well as investment programmes, will be closely scrutinised to adopt and adapt leading practices and lessons from the Covid 19 era, and to support risk-aware implementation.

Current and evolving technology risk practices.

  • Some companies are considering reverse engineering their business continuity plans to incorporate Covid 19 information to refine business impact analysis measures for more accurate scenario definition, likelihood and business impact of the same or similar events.
  • Technology risk and control activities leverage data and technology capabilities for more timely performance and accurate insights.
  • The associated technology risk and control processes are increasingly digital and flexible, so they can be changed or improved as organisations refine their operating model. 
  • Improved relationships between business and technology risks enable accelerated investment opportunities based on Covid-19 insights into what is required to align and drive productivity.

KPMG Perspectives

  • Budget and new investments - Review access management policies to improve controls around multi-factor authentication, personal device access, etc.
  • Apply lessons learned today to build resilience - Capture experience and lessons learned to inform not only updates to business continuity plans, but also technology risk and control activities overall.
  • Control monitoring - Consider building capabilities that enable continuous monitoring of controls.