According to all the surveys, CEOs place technology as the number one driver of change in their business. New technologies like predictive analytics and the Internet of Things, or significant advances on existing technologies, like robotics and artificial intelligence, provide opportunities to not only enhance existing process but deliver new products and services.
When an organization's management is considering whether a new technology would be of value, risk and audit practitioners should be involved to help them understand and assess the effect on enterprise risks.
What I have typically seen is that the audit or risk practitioner will identify new "risks" that might be created, such as security vulnerabilities or privacy concerns.
I don't think that is the best way to do this.
First, let's recognize that risk is the effect on objectives, so security vulnerabilities are not the risk; how they might affect the achievement of organizational objectives is the risk. Risk thought leaders will tell you that security vulnerabilities are a "risk source."
The technical language matters less than recognizing that any assessment has to be within the context of how the implementation of the new technology might affect enterprise objectives.
So this is what I would suggest:
- Understand and assess the benefit that is likely to be obtained. What enterprise objectives will be positively affected and by how much, and what is the likelihood of that degree of value creation? Consider the reduction of an existing risk as a source of value.
- What might happen if the initiative fails? What "risk sources" are created or increased with the adoption? Which enterprise objectives might be adversely affected and by how much? What is the likelihood of such an adverse effect?
Operating management may estimate value creation and even identify potential "risks." But risk and audit professionals can help them by ensuring that they follow a systematic process for assessing both the positive and negative potential effects on objectives, including the likelihood of such effects and the actions that can and should be taken to increase the likelihood of favorable outcomes.
Often, management will only consider the objectives directly related to adoption of the new technology. Risk and audit professionals can ensure a more holistic view is taken, considering all the enterprise objectives that may be affected.
I welcome your comments.