Peter Smith, senior risk manager at Turner & Townsend in the Middle East and 2016 StrategicRISK MEA Award winner, examines the digital world’s risk challenges
Technology makes the world go round, or so it would seem, as we become ever more reliant on the digital world around us. Email, the internet, servers, the Cloud: as we progress into the Fourth Industrial Revolution and place our trust in computer power to keep our businesses and personal lives moving, we face an ever-present “technology risk”.
Innovative technologies, systems and processes, together with our vital data, control share prices and drive profit, so it is crucial that we build resilience to the risk. On top of this, compliance and regulation govern data protection to ensure privacy and protection of personal information from the increasing risk of loss and theft. In late 2016 Yahoo announced it had suffered another massive data breach, affecting the data of an estimated one billion customers. This may not only carry a regulatory investigation and potential fines for failing to secure data, but has also resulted in almost a 5% drop in share price and significant reputational damage.
Technology risk is multifaceted and covers more than data loss. There is a risk to the systems and technology we rely on to conduct business on a day-to-day basis, and this “category” of risk is increasingly taking precedence on corporate-level risk registers in organisations across all sectors. It is and will remain part of a risk manager’s identification, analysis and control of risk. The resilience of an organisation to such risk lies in the strength of its business continuity management. As the focus of risk registers shifts increasingly towards technology risk, the focus for mitigating the impacts must be on business continuity management.
Is your organisation building plans to ensure you can quickly recover from a system loss? Can your organisation continue to operate if your wifi goes down? It seems so simple at that level, and perhaps not catastrophic, but the impact can ripple well beyond a few emails not getting sent. Profit and opportunity, reputation and market share are all at stake on something as simple as the loss of an internet connection.
So it is not just air traffic control towers and nuclear reactors that need business continuity plans to ensure the effect of business interruption from technology risk is minimised. At Turner & Townsend I have seen a sizable increase in the interest in our business continuity expertise. Yet it amazes me that it is 12 years since I wrote my university dissertation on “the drivers of business continuity management”, convinced it was going to become not just a public/government sector requirement but be driven by private sector resilience and innovation. However, I regularly see international organisations in this technology-dependent age still not prioritising the process and still not fully understanding the impact of technology risk at board and decision-making level.
This, however, is only one side of “technology risk”. The loss of data, the failure of a system and building resilience to ensure continuity of business should the risk occur are, or should be, part of the established systematic risk management process of identification, analysis and control. The other side of the risk, created by our insatiable thirst for being first and pushing technology forward at lightning speed, is where the risk management profession has less of a formal foothold.
An understanding of “risk-based decision making” is fundamental to managing the risk presented by ever-evolving technology. “Judgement under uncertainty: bias and heuristics” by Tversky and Kahneman (1982*) explores the psychology of decision making, both in business and everyday life, and forms the basis on which “risk-based decision making” was founded.
It is not until an organisation fully understands this aspect of decision making, and the inherent flaws in human decision making, that it can build a more formal and structured approach to combating those flaws, biases and heuristics to improve the process and protect itself from risk. This formal process is found in investment decision panels, project stage gates and change control processes in the more mature risk-based decision-making companies.
As organisations pursue new technologies in R&D projects, risk management is formalised in the process of stage gates for decision making at key stages. These decisions shape whether we proceed or cut our losses. When there are multiple options, they shape whether we, for example, choose to slim our tapes and keep picture quality, and thus limit recording time to one hour (Betamax), or compromise quality and size to ensure a full movie can be recorded on a single tape (VHS). In that decision-making process, our technology lives or dies.
Exactly how formal and controlled these decisions and stage gates are may hold the key to just how successful a technology company is. This is rooted in Tversky and Kahneman’s (1979*) “prospect theory”, which relates to decisions being made on the basis of potential future gains or losses, while bound by heuristics, instead of being based on actual outcomes and data. The simplest example of this is the lottery: the basis of playing the lottery is not the millions upon millions to 1 odds, it is the potential gain of millions upon millions of euros.
Equate this to technology and business: investment decisions are often made on the prospect that a technology has the potential to be the next big thing and make millions, while ignoring the actual outcomes, stats and information relevant to the decision.
This is where risk, value and change management again become vital tools in decision making. Ensuring they are embedded in any organisation’s decision-making process makes it more resilient to technology risks through risk-based decision making. Of course there is always an inherent risk in all decisions, and other factors can still have us make the “wrong” decision in hindsight. But techniques ranging from the simple, such as facilitated group decisions in which a trained facilitator combats the weighting given to opinions through technical expertise or seniority, to the more complex, such as statistical modelling of likely outcomes, are part of the process to ensure more informed decisions based on actual outcomes and not prospect theory.
So to go into the Fourth Industrial Revolution without this formalised risk-based decision-making process in place, top down in your organisation, is well and truly at your own risk.