
Reflections on IT Risk, Technology, Risk Management, Internal Audit

All the studies show an increasing pace of change in and around technology. It’s not just that we run the back-office with enterprise software, it is also invading the front office and the products and services offered by organizations around the world.

The Pace of Change

Would you use a bank for your checking account that does not have online banking? I don’t think so. I wouldn't bank with one that doesn't have a mobile app either.

Would you prefer an airline that offers online booking, check-in, flight status and boarding passes, or do you still use a travel agent and get printed tickets?

Are you as amazed as I am by some of the things that Amazon is doing? Consider the fact that as they build replenishment centers across America, they are staffing them with robots! Robots in the warehouse are far cheaper than employees in China and enable Amazon to set targets of "click to ship" of no more than two and a half hours, with some items shipping 20 seconds after the customer clicks the purchase icon. They are also using dynamic pricing to balance inventory and demand.

CEOs are saying that technology is now the number one driver of change in their organization, and they use some of the latest tools to maintain contact with their customers. My bank is suggesting that I contact them on Twitter if I have a problem, and the best way to complain to United Airlines is on their Facebook page.

Add the fact that advances in analytics of all kinds (from mobile analytics to sentiment analysis to predictive and visual analytics) combine to provide the capability to make leap changes in the quality of decision-making. Now, instead of relying on their experience and intuition, executives can have timely, current, insightful and useful information on which to base their decisions. The insight can be on customer experiences and views of their current or future offerings, of the level of risk, or simply of their ability to fine-tune their manufacturing and other processes to drive revenue up and cost down.

But have the practitioners (and by extension those responsible for board oversight) kept pace?

The End of Isolated IT Risk

Protiviti has shared with us their 2013 IT Audit Benchmarking Survey. It contains some useful information, which I will comment on momentarily.

First, though, I want to address the use of the terms "IT risk" and "IT audit." Personally, I look to ISACA for insight on "IT risk" and they don’t disappoint. This is what they have to say:

“COBIT 5 for Risk defines IT risk as business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.”

In other words, we should stop talking and thinking about "IT risk" as something separate. Instead, we should be talking and thinking about technology-related business risk.

This is very important: It is much more than semantics!

For most of us, IT is a department. It has processes and addresses risks that may arise from failings in those processes through the operation of IT general controls (ITGC).

But we should be expanding our view to consider all the technology that is relied upon across the enterprise.

In my years as Chief Audit Executive (CAE), I ran into several situations where a focus on IT would have been too narrow:

  • At Tosco Corporation — at that time the largest oil refining company in the US — every refinery was run using sophisticated process control and other computer equipment. It was relied upon for the safe and reliable operation of the various units (catalytic cracker, hydrogen plant, etc.), blending of fuels, measurement of receipt and shipping of crude oil and finished products and much more. All of this equipment was acquired, maintained and operated by individuals in the Engineering and other refinery departments. IT had very little involvement, and arguably all the technology-related business risk was outside IT’s span of control — and awareness.
  • At Maxtor Corporation, a $4 billion manufacturer of hard drives (later acquired by Seagate), the Engineering department (responsible for product development) managed its own network and devices. The IT team only managed the wider network.
  • At Business Objects, a major software company (later acquired by SAP), the largest number on the balance sheet was the warranty reserve. This reserve is for potential repairs and replacement of units that had been sold and failed within their warranty period. The software used to calculate the potential cost of such repairs or replacement was maintained outside the IT department.

I think it is time to stop talking about IT risk and instead talk about technology-related business risk, which I would shorthand to technology risk. Similarly, it is time to stop talking about IT audit and instead talk about specialists with a deeper understanding of technology.

