Technology – everybody wants it; it gets more valuable by the hour. As businesses move forward, it becomes a necessity, no more a luxury. But different parts of the world have different rules and regulations, and these need to be recognised – which means managing technology risks better in order to make it work more effectively for us. In today’s disrupted, irrational world, technology comes with even more risk than it already inherently contains, so how do we manage? “Manage IT risks by starting at the core,” stated Lee Chin Hon, Head of AmGeneral Insurance’s Data Governance & Cybersecurity, speaking on risk management strategy for business sustainability in a disruptive environment, at the recent IERP International Conference 2020.
Those who are at the forefront of managing technology risk will have to consider managing incidents and tech projects, he said, as well as data centres and networks. Other areas of concern include third party providers and cloud facilities. They will have to maintain these facilities and provide constant feedback on performance. This continuous feedback will be used to build assurance of the viability and reliability of the systems in place. Organisations will have to look at their technology risk management as a continuous learning process, perhaps relying initially on outside expertise, but building their own capacity as they progress.
As with most risk management endeavours, it is the tone from the top that sets the pace and attitude that the rest of the firm should follow. At management level, there should be a constant stream of information about what, where, why and how risks may be originating and flowing to the Board.
“The Board needs this kind of information to consider and approve matters,” Lee said, stressing that with a dynamic landscape, it was important that changes were understood. “Even without the pandemic, tech has become a new ball game,” he remarked. “We need to approach it differently, with a new mindset. Tech is abstract. You need to understand it before it can be discussed.”
This represents another challenge for Boards as not all members may be on the same page when it comes to IT. He suggested establishing committees with a diverse representation, not just from IT, for maximum effectiveness. “Committees should be cross-domain or cross-functional,” he explained. “You need the right people. The wrong combination of resources will be costly in the long run.” Sometimes, the realisation comes very late that something is wrong, hence the need for appropriately-competent people, and leaders who can give the required guidance and support. This is particularly important where legacy systems are in place but cannot function at the levels needed.
“Organisations may have different systems in different parts of the business that are not aligned,” Lee said. “You will need to understand the kind of tech you intend to apply. Different kinds of tech carry different risks. Sometimes businesses may also have to rely on group systems but accountability or risk remains with the subsidiary even if its operations are tied to group policy.” Security is paramount; all units or departments should have their own security in place even if security is centralised for the whole organisation. You can manage what you can identify, and individual units will know best their own areas of risk.
Another area which tends to be forgotten is testing. “Senior management needs to be aware of the need for sufficient time for testing and validation,” Lee said. “This is a key security risk. When testing is reduced due to time constraints, there may be increased risk.”
Organisations should also apply testing to a wide range of technical equipment that is used across the firm including PCs, phones and laptops. However, Lee cautioned that different environments require different kinds of testing. He noted that at the development stage, controls were often lax but these needed to be tightened significantly at the testing stage.
IT systems do not come cheap; different parts, perhaps in different subsidiaries or regions, may have been changed in the course of operations. Many organisations may opt to upgrade rather than change completely because of cost constraints. When this happens, testing should also include determining if any parts of the new system could affect any parts of the existing system. While systems are being tested for robustness and effectiveness, due attention should also be given to physical infrastructure such as data centres and operation sites. Where these are sited is critical; data recovery or back-up centres, for instance, should not be sited in a disaster-prone area.
With back-up or recovery sites especially, restoration testing must be done to ensure that recovery is possible. Organisations must also take into consideration the time required to get systems up and running again, in the wake of an incident. Recovery needs to be in the shortest time possible, so firms should determine what their disruption tolerance levels are. All procedures must be thoroughly documented. This will help when there is a need to upgrade, and for trouble-shooting in the future. Comprehensive documentation becomes a necessity in the light of staff turnover. Employees may come and go but proper documentation adds what they learn to the organisation’s knowledge.
If organisations choose to use service providers or cloud services, they need to understand in-depth the extent of what is available to them. Lee explained that cloud services are basically data centres that are managed by another party. Organisations access their storage and applications through controls which involve identification, authentication and authorisation but there are limitations and risks associated with these as well. Cyberattacks happen constantly; organisations need software to track this and should not be complacent – there are a myriad of ways that their systems may be hacked without them even realising it.
In this age of constant disruption, one of the best methods of mitigation is vigilance. Firms need to be always alert and watchful, and develop skills in applying the principles of IPDRR – identify, protect, detect, respond and recover – to their operations and strategies for sustainability and competitiveness.