The future of risk is shifting away from a regulatory-driven “protect agenda” to one where organisations leverage risk to enable firmwide growth and optimization. That means becoming closer to the business and driving towards an environment with more proactive monitoring and automated controls to address risk events as close to real-time as possible.
Boards and shareholders want the technology risk teams to be a strong partner to the business and want to leverage regulatory-focused investments to further business results.
Six steps toward technology risk transformation
Due to emerging technology risk and regulatory and governmental compliance mandates, large organizations require a holistic risk approach that accelerates strategic value realization and competitive advantage. The goal is an operational risk model built for the accelerated rate of technology change that addresses an organization’s appetite for risk while offering increased opportunities for value creation.
72 percent of respondents in the 2022 KPMG CEO Outlook Survey agreed that they have an aggressive digital investment strategy, intended to secure first-mover or fast-follower status.
Successful technology risk transformation can enable organisations to increase trust by enhancing risk management—simultaneously reducing the likelihood and severity of adverse outcomes more commercially and transparently.
By gaining these capabilities, the role of the risk function will move beyond a defense-only, reporting-centric activity to a trusted partner that delivers proper safeguards and improves the likelihood of successful implementation and execution of a strategy in line with investor risk appetite.
Digital applications are now providing businesses with a tremendous amount of data, which is used as an asset to create business value and differentiate product offerings.
The benefit of having structured data is that you can pivot from monitoring controls once or twice a year to monitoring them continuously, uncovering the anomalies and events that need attention much faster. On the more technical side, there are advanced monitoring solutions around firewall rules and network access controls that can alert the risk function when there is a policy violation and risk professionals need to act.
Leaders should determine what skills reside on their teams, build a plan to fill in the gaps, and provide training to encourage professional growth and advancement that can include rotations in and out of the risk department.
Equally important is making sure employees are cared for so they don’t burn out. Technology risk can look to a trusted co-source provider that can supply the right subject matter expert with the right skill set when the organisation needs it.
Finally, intelligent automation is an option that is gaining traction in risk functions. The technology has advanced tremendously, and digital or virtual agents can carry out increasingly sophisticated tasks.
When asked how they envision their service delivery model keeping pace with change, 33 percent of respondents said upskilling existing talent, while 25 percent indicated that they are targeting specific skillsets.
Adoption of new technologies can be an opportunity for the risk function to take a step back and reassess controls and environments to ensure their knowledge of emerging technology is keeping up. Do you have the right controls to mitigate these new risks, and are you taking advantage of pervasive controls across these new technologies?
According to the 2022 KPMG global tech report, 61 percent of tech leader respondents said that they expect to have embraced most key new tech platforms within two years, including Web3 and the metaverse.
Technology risk must adapt quickly and effectively to keep up with the organization’s evolving strategy, business, and operating models. Recommended ways to help modernize the risk function may include:
- Start small: Launch a pilot with limited scope to get a quick win and gain internal support.
- Leverage agile approaches: Complete work in sprints to provide flexibility in scope coverage and allow for more real-time reporting and response.
- Clearly understand the business strategy, purpose, and values and how a change would address those issues: Try not to force the technology requirements before understanding the business requirements. Understand your vision and business objectives before designing new operating models and adopting new risk technologies.
- Engage with key stakeholders up front and throughout the rollout of your program: Do some campaigning at the start. Make sure people are on the same page with you and get their feedback and recommendations. Then, when you get the entire stakeholder group together, have the benefit of the insights from that whole team.
How KPMG can help
Our Technology Risk services team has deep experience supporting organizations in managing technology risk in the most complex, fast-changing, and global business environments.
With more than 6,000 global practitioners, we deliver technology risk services to hundreds of client organisations with our network of member firms worldwide.
We also help organizations build compliant, effective, efficient, and scalable technology risk services with technology and automation to enable the technology risk program.