I’ve seen the ads — svelte, athletic, youngish people
working hard on exercise bikes as trainers urge them to do better and better — but
I never really knew what Peloton was. (Exercise and I have an agreement. I
don’t exercise; it doesn’t Mike.) But a recent development (and lawsuit) made
me sit up (from the couch) and take notice.
First, a quick description of Peloton. It is an approach to
fitness that uses current technologies to bring the gym into your home. Its
main product is a luxury stationary bicycle that allows users to stream
spinning classes from the company's fitness studio through a monthly
subscription service. Live trainers stream directly to your exercise
equipment, allowing you to work out in the comfort of your own home.
The idea has taken off. According to a New York Times article, Peloton became a $4 billion company in just 6 years.
However, this story of success has become a cautionary tale.
In March, nine music publishers — important, significant, deep-pocketed music
publishers — sued Peloton for more than $150 million. (You can find more
details here.) It seems that the music part of the heart-pumping, music-driven
experience Peloton users so enjoyed was the result of the company using
thousands of unlicensed songs in its workouts.
I became aware of the lawsuit last month listening to a presentation
to a group of internal auditors on the impacts of technology. The speaker used
the Peloton story as an example of the evolving risks that develop because of constantly
changing technologies. His contention was that, in this situation, new
technologies led to a new risk, as evidenced by the $150 million lawsuit.
I do not disagree with his statement that we have to keep up
on technologies and the evolution of risk. But I do disagree with his contention
that these new technologies lead to new risks. In fact, I have what might be
considered a rather heretical belief in what new technologies mean about risks,
our understanding of those risks, and the constant pursuit of new risks.
If you look closely at the Peloton case, you are not seeing
a new risk. The lawsuit (and the underlying risk) is based on copyright
infringement, a risk that can be traced back to early-eighteenth-century
England as the printing press made it easier and easier to “steal” the works of
Yes, Peloton is a new wrinkle in this battle — just as was
radio and television and the internet and social media and almost every
technological change that has occurred in that time period. But a new risk? No.
There is nothing new under the sun. And I would argue that,
in most situations (in fact, nigh on over 99% of situations), there
are no new risks.
It is not a “cloud,” it is a database. And what’s the deal
with cybersecurity? Other than a new way to access a whole lot more information, the basic necessities for risk mitigation are not different than those we used to
make sure no one could get in the file cabinet. (This is that heretical part I
warned you about.)
Assuredly, new technologies require new skills to properly
combat and mitigate associated risks. But let’s not get ourselves too wrapped
up in the idea that we have brand new risks. We have new applications of the
old risks, we have greater risk velocity, and we have greater volumes at risk. But
it is important to understand the risk — the old risk — that lies beneath these
concepts. Because the approaches and controls used in responding to those risks,
while they will need to be updated to incorporate new applications, velocity,
and volume, are still a fundamental part of the discussion and the solutions.
Ultimately, I would argue that, while internal auditors need
to understand the new things that are going on — understand the technologies —
it is just as important (if not more important) that they apply the old risks
and mitigation to the new technologies.
We can spend forever trying to figure out new risks. That is,
until we realize that what we are really trying to do is figure out how new technologies
will impact the risks we already know.