Assessing the Risk of Emerging Technology

Author: Michael Kelly, Ph.D., CRISC, CISM
Date Published: 26 January 2023

Anyone who has tried to introduce new technology into an existing organization knows that anticipated risk may look nothing like what is encountered in actual operations. The more complex the technology and its interplay with operations and other organizations, the harder it is to match predicted risk with reality. This seems even more true for what is labeled as emerging technology. If the purpose of risk assessment is to address ambiguity, then how might we get closer to having predictions match reality, especially as we move into scaling the implementation?

New Technology Challenges

Organizations seeking to use new technologies face multiple challenges, including:

  • Implementing and supporting the new technology while still operating the old technology and the old processes and business model
  • Defining and implementing process changes required in technical teams and user functions
  • Defining new business capabilities that can be enabled and the business goals associated with these
  • Defining and assessing the risk the organization faces that differs from the risk of existing technology, whether because of the technology itself, the way it is used or the processes involved with it
  • Considering the roles and interplays with third parties

The newer the technology and the more it supports radical changes in operations, the greater the impacts and the harder they are to determine. Generally, emerging technologies have complex interactions. Typically, upgrading servers to the latest models or even adopting the latest operating systems poses little risk compared to adopting an all-encompassing enterprise resource planning (ERP) application from a new vendor. But even that is less complex than determining how to effectively incorporate artificial intelligence, cloud computing or blockchain into an existing, operating organization.

Assess the Risk: What Methodology Should We Use?

Every well-run organization assesses the risk of introducing any new technology. The first reaction is often to use the organization’s existing risk approach and shoehorn the new technology into the approach. For emerging technology especially, this can be daunting given the ambiguity across the technology itself, the business model associated with it and the processes and third parties that may be involved for the adoption to be successful. The more data-driven the risk framework used by an organization is, the more difficult it can be to use that framework for the assessment.

We ran into this problem in our bank when we decided to use the cloud more widely. We were using a risk model similar to the Risk and Control Self-Assessment (RCSA) framework. In particular, we lacked the data to determine the impact and likelihood to the level normally desired for risk assessments, so we decided to use a more general approach and refine it as we progressed. We looked at various models and chose a modified version of the European Union Agency for Cybersecurity’s (ENISA’s) Cloud Computing Risk Assessment, which concentrates on information security and gives a broader view. This gave us an initial view to inform decision makers and identify the areas needing attention.

As we progressed, we defined a governance model for the cloud that included the technical, security, legal, compliance, risk and business teams. This augmented our normal risk approach. As we combined former operations and newer cloud teams and understood the issues, we moved the cloud risk assessment into our existing risk approach.

The Next Challenge: Digital Assets and Blockchain

Many players in the marketplace are determining how to be involved with digital assets and with blockchain. This introduces not only new technologies but also significantly more reliance on partners, and this combination makes the move to digital services and their ecosystems fraught with uncertainties. The toe-in-the-water approach is to first build on existing products that service digital asset organizations and see where the risk lies. At some point, though, most organizations will want to be actively involved.

Headlines screaming about breaches in digital asset–focused organizations stress the importance of assessing the risk. It is helpful to examine each digital asset and determine how to build services around different digital assets. But deploying capability in the organization means assessing the risk based on the interrelated nature of these technology platforms and the networked parties along with the business and asset risk. For example, implementing a blockchain use case that does not use digital assets does not make the issue much simpler because most blockchain use cases also involve smart contract capabilities, which have their own inherent risk.

Rethinking Emerging Tech Risk Assessment

Our organization is taking a measured approach to adopting digital assets and a more holistic approach to risk assessments while trying to include the results using our existing framework. We will see whether it works or we reach a tipping point where the networked interactions overcome our predictions and models.

Both existing organizations and start-ups must begin to think about what approaches they may be considering for assessing the risk of emerging technology in general, in addition to digital assets and blockchain specifically.

Editor’s note: For further insights on this topic, read Michael Kelly and Adeline Chan’s recent Journal article, “Performing Risk Assessments of Emerging Technologies,” ISACA Journal, volume 6 2022. For more ISACA resources on emerging technologies, learn about the Certified in Emerging Technology (CET) credential.