Technology Risk Quantification Will Play a Critical Role in Effectively Managing the Risk that Comes Along with Transformation Initiatives – KPMG LLP

As organizations across geographies and industries accelerate the deployment of business transformation initiatives, a growing number of executives are exploring how risk quantification can be harnessed to optimize new investments in systems, applications and infrastructures to achieve mission-critical objectives in a safe and secure manner. So says Luke Nelson, Managing Director of Technology Risk Management at KPMG LLP in a thought leadership interview with BizTechReports.

“For most organizations, the introduction of new systems and platforms will not completely replace legacy technologies and infrastructures. As a result, executives will be left to manage an increasingly complex environment that is constantly evolving,” says Nelson.

This growing complexity will trigger a rise in the threat, risk and vulnerability landscape. That is why understanding key dependencies, single points of failure and other factors is so important. It is an issue that will not only require executive attention from the most senior ranks of organizations, but also a much more comprehensive approach to assessing the variables that can potentially harm organizations as they aggressively modernize their enterprise technology estates.

“There are two main questions on which executives need insight: How much potential loss do I have with my current risk profile? And how can I reduce future risk to decrease potential loss most efficiently while increasing the potential for greater returns on investment? ” explains Nelson.

Incorporating a New Level of Discipline to Technology Risk

“Technology risk mitigation has often been more of an art than a science. Historically, risk managers and security professionals have identified threats and vulnerabilities and then applied their own experience and expertise to determine what, when and how to take the steps to mitigate them,” explains Nelson.

Until now, this approach has really been their only option. This is because there has been no systematic way of fully understanding the consequence of an exploitation unless it has occurred before and relationships, dependencies and mitigation importance are known. Few resources have been available to help decision makers understand the full implications of a vulnerability before it plays out.

Moreover, it has been difficult to engage in an apples-to-apples comparison when analyzing risk. Much of the conversation, to date, has focused on the odds of an event occurring and assessing the disruptions that it would cause from an operational standpoint.

“For example, when assessing technology risks in systems that support an HR operation, analysts have focused on determining how disruption might derail day-to-day workflows -- and then assessing the amount of personal information that could be compromised,” says Nelson. “A separate analysis of technology risks to a manufacturing process might explore how exploited vulnerabilities can interrupt an assembly process. The list of technology risks goes on and on, and with it grows the complexity associated with trying to accurately compare the impact of disruptive events on the organization.”

Since risk assessments have tended to take place at departmental levels, they have applied different metrics and values to determine the impact that an adverse development can have on an organization. This creates a fragmented picture of the threat, risk and vulnerability landscape that is difficult to correlate and rationalize for the organization as a whole.

Establishing Common Metrics and Models Across the Enterprise

“A better way to assess the impact of risks, threats and vulnerabilities on the enterprise is to standardize all risk analytics metrics on the one attribute that they share in common: money,” Nelson suggests.

By creating an accurate model -- based on financial impact -- of assets, threats, risks and vulnerabilities, organizations can develop a specific understanding on how to determine the best return on investment from risk mitigation activities.

This universal approach to technology risk management will be increasingly important as enterprises integrate the resources offered by shared services providers to build ever more complex digital capabilities. It also changes who needs to be involved in the process.

“In the past, technology risk may have been an issue that was addressed by leaders and departments responsible for enterprise technology procurement and implementation. However, as enterprises adopt new capabilities and innovations to drive organizations towards desired business outcomes, line of business executives and strategic planning teams need to be brought into the equation,” says Nelson.

The Benefits of Enterprise-wide Technology Risk Quantification

Two key value propositions are introduced when enterprise-wide technology risk intelligence capabilities are deployed across large organizations.

  • It provides organizations with more confidence in mitigation activities, ensuring that the right efforts are being brought to bear in supporting the appropriate services to ensure resilience by determining where -- and how much -- risk currently exists.

    It offers context for how decision-makers decide to shore up business continuity strategies. When there are major shifts in technology infrastructure -- such as moving workloads from legacy on-premises data centers to cloud environments -- changes also have to be made to the strategies that are designed to keep the business running. This provides the basis for making sound decisions about how resources should be invested in specific segments of the enterprise technology environment to effectively reduce risk.

“At KPMG, we have developed the Tech Risk Intelligence platform to enable leadership to have a full understanding of how these types of changes will alter the risk profile for the business. Executives will have better sense of the potential steps to take to reduce risk exposure once new technologies have been implemented,” Nelson says.

Keys to Effective Technology Risk Quantification Deployment

There are a few foundational aspects that organizations should develop and enhance to deploy effective technology risk quantification programs.

  • It is important to take careful inventory of the current technology systems to establish a clear and robust risk taxonomy. This serves as the bedrock for building the enterprise technology infrastructure going forward. It allows organizations to establish asset inventory and control frameworks, which are also important to standing up or supporting a technology risk quantification program.

  • Based on this inventory, organizations can thoroughly understand the incident management process across the enterprise to ascertain potential data loss concerns so that new -- and better -- business models and financial impact analysis frameworks can be developed.

  • From this position, executives can carefully think through their needs and requirements for capturing, analyzing and reporting currently manifested and potential risks. Effective communication of technology risk assessments must reach all the relevant layers of leadership in order to have a meaningful impact. All too often, risk reporting tools are used only by security or risk managers. This deprives senior leaders of insights that can improve the decisions that they make.

“KPMG has developed a set of offerings and services -- enabled by the KPMG Tech Risk Intelligence platform -- that provide organizations with a clear and in-depth picture of how technology risks can adversely affect an organization by leveraging emerging technologies -- like artificial intelligence, intelligent automation, advanced modeling capabilities, and natural language processing. This is critical to getting the best return on investments from risk-mitigation efforts,” concludes Nelson.

For more information, please visit: read.kpmg.us/TechRiskIntelligence

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

© 2020 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.