With more people working remotely than ever before as a result of the pandemic, tech capabilities are being stretched to the limit, exposing existing unknown vulnerabilities and creating new tech risks. From network bandwidth issues to governing new collaboration tools to opportunistic cyber threats, companies must move quickly to manage new risks while still supporting business continuity and performance.
And we don’t anticipate the demand on tech risk teams to slow down anytime soon, given that companies across many industries are finding that a modified model mixing remote and on-premises employees not only works, but in some instances is preferable.
Today, many companies are focusing on addressing employee safety and business operational concerns. In the coming weeks or months, companies will begin to stabilize operations around potential ongoing conditions -- which could include moving more workloads to the cloud and extending work-from-home support for employees by deploying video conferencing and remote collaboration capabilities, buying additional licenses and upgrading network access.
During this recovery phase, management and boards will need greater support from tech risk managers to help them make decisions that are both risk-informed and timely. The following initial considerations can serve as a helpful guide for tech risk managers as they help lead their companies into a post-COVID-19 era.
Recalibrating risk thresholds
Over the past few weeks we have already seen an increase in cyberattacks such as email phishing campaigns, mobile malware, and cyber espionage, along with an increased dependency on a few critical vendors. These trends, seen in many companies across industries, are raising the overall threat profile.
In responding to COVID-19, companies may consider adjusting their risk appetite on certain technology risk domains, such as identity and access management, vendor risk, change management, vulnerability management, as well as the continued “virtualization” of company assets. An intelligent and balanced approach in the short term will bolster productivity, and it will also result in the reduction of risky workarounds.
As the economic impacts evolve and the general market becomes more focused, companies should reassess how much risk is acceptable relative to return on investment and brand value (e.g., productivity impact, regulatory exposure, or revenue loss), and which areas of the company warrant various levels of investment to mitigate risk for the greatest return. Returns may not only result in tech risk mitigation at levels aligned to risk appetite, but may also provide value beyond that as it relates to innovative techniques and better practices applicable to the wider enterprise.
In particular, CIOs and CISOs should convene a daily stand-up of technology function leaders to discuss critical business continuity planning and resiliency matters, actively listening to key participants and stakeholders in the environment and making timely risk-based decisions.
This view is particularly important in this current time of uncertainty, as organizations may need to recalibrate their risk appetite, or acceptable level of risk exposure, while constructing or enhancing their technology and operational risk framework. This revised risk appetite should allow the business to better understand risk exposures involving technology, especially as they may link to company “crown jewels” (that is, the core assets that make their business special and unique, both now and in an economic rebound/recovery).
Quantifying tech risk
Business leadership continues to rely heavily on IT departments to support the alternate working environment and to help make informed decisions to continue operations and regain any lost momentum. Where possible, companies should activate tech risk quantification capabilities so they can provide more relevant risk insights to the business while it makes important stabilization decisions.
Just as the current outlook for COVID-19 remains uncertain, the final chapter in the book may be far from written. Companies can expect threats to continue to materialize in unforeseen ways, sometimes dramatically and dynamically impacting their risk profiles. By quantifying the impact of technology and business stabilization efforts through risk exposure measurement techniques, companies can plan future investment spend to align with the highest risks and make up for lost business cycles.
Additionally, organizations should be actively reviewing investment programs and projects (planned and underway) and estimating how different technology investments may address or reduce their risk exposure, support their COVID-19 recovery, and establish foundations for or enable future capabilities. This approach will provide fresh insights for company leadership to make financially driven, forward-looking and risk-informed decisions.
Manage critical skills/personnel
Tech risk skills are often in short supply in companies across industries, and with the many competing priorities that COVID-19 is creating for company roles where these skills are available, capacity may be in shorter supply than ever. Companies should identify and, if possible, supplement critical skills to mitigate key-person challenges, especially around key tech risks and controls (whether that is an internal employee or vendor), including techniques like cross-skilling or job shadowing for coverage and knowledge on an ongoing basis.
For the foreseeable future, tech risk managers will have increased accountability and responsibility in supporting organizations through their response to COVID-19 and beyond -- and in many ways, tech risk managers can be more impactful than ever before.
While the full extent of the impact, and the resulting changes, are not yet known, the above guidelines can help tech risk managers in successfully addressing the many challenges companies are facing now -- and on the road ahead.
Nicole Lauer is a principal in KPMG’s Advisory Services practice. She has 19 years of experience in delivering tech risk, IT audit, controls and compliance, and remediation services to commercial clients who produce consumer goods, chemicals, and energy. Lauer is KPMG’s solution leader for Technology Risk Management in the US and IT Internal Audit in the Americas region.
Vivek Mehta is a partner in KPMG’s Risk Consulting Advisory Services practice. He has over 15 years of experience serving F100 clients in the Financial Services industry, including global diversified-financial institutions, broker-dealers, prime brokers, retail banking, private-equity and investment management companies. Mehta’s primary area of expertise is IT Risk Management, specifically IT Regulatory management, IT Governance & Strategy and IT controls implementation.
Joshua Galvan is an advisory professional with over 22 years of experience helping clients assess and enhance technology, business operations, and risk management capabilities to assist and improve global ventures. Galvan leads client service projects for achieving company goals through better IT governance, performance, and integration. His teams help clients transform and derive more value from process frameworks, IT systems, emerging technologies, organizational models, and sourcing relationships.
This article represents the views of the author(s) only and does not necessarily represent the views or professional advice of KPMG LLP. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.