Adapting Risk Management to Evolving Technologies


1 Adapting Risk Management to Evolving Technologies
May 9, 2017
Ray Cheung
2017 Crowe Horwath International; 2017 Crowe Horwath LLP

2 Agenda
- Digital Disruption and Shifting IT Spend
- High Tech Risk Environment
- IT's New Look within Technology Companies
- The Driving Force & Risks for Advancing IT Departments
- Adapting the 2 Speed Risk Approach

3 Digital Disruption
- The largest taxi company in the world owns no taxis (Uber)
- Largest accommodation provider owns no real estate (Airbnb)
- Largest phone company owns no telecom infrastructure (Skype)
- Most popular media owner creates no content (Facebook)
- World's largest movie house owns no cinemas (Netflix)
- Largest music providers own no music (Spotify)
- 60% of mobile devices use processors from a company that doesn't manufacture computer chips (ARM)

4 Digital Disruption by Industry
#1 Technology
#2 Media & Entertainment
#3 Retail
#4 Financial Services
#5 Telecommunications
#6 Education
#7 Hospitality & Travel
#8 CPG/Manufacturing
#9 Healthcare
#10 Utilities
#11 Oil & Gas
#12 Pharmaceuticals

5 How Disruption is Impacting High Tech
1. Accelerating Value Creation/Destruction
2. Encroaching on HardTech/SoftTech Space
3. Shifting a Paradigm from Selling Technology Stack to Selling Total Solution
4. Disruptions are always Risks
[Figure labels: Hard Tech, Soft Tech]

6 Discussion
- Do technology companies operate in a unique risk environment?
- What are the most prevalent risks for technology companies?

7 High-Tech Risk Environment
- Appetite for risk
- High-velocity workflows
- Commitment to research
- Demand for talent
- Creative destruction
- Cybersecurity is a question of when, not if
- Digital disruption

8 Shift From Traditional IT Spending to Cloud
Source: Gartner (July 2016)

9 IT's New Look within Technology Companies
At today's technology companies in Silicon Valley, IT departments have had to make significant changes to stay current with emerging technologies and remain ahead of their competitors:
- Faster and more rapid development
- Increased deployment speeds
- Heavier reliance on third party vendors
More advanced IT departments help improve business efficiency, allow products to be improved and pushed out faster, and help companies support more users.

10 The Driving Force for Advancing IT Departments
- Time to market and availability matter
- E-Commerce continues to arrive
- Advanced analytics give the upper hand

11 The New IT - Old vs New
Dimensions compared: Technology, People, Process, Perspective
Traditional IT:
- Stable universe of IT platforms and tools
- Heavy reliance on internal IT teams
- Mostly IT-driven changes
- Separate development and operations teams
- Step-by-step systems and development life cycle process with easily auditable artifacts and checkpoints
- Deemed a cost center, as it only focuses on procuring, operating and depreciating assets
Current IT:
- Continuous new solutions and tools
- More reliance on third party IT professionals
- Stakeholder-driven changes
- Collaboration among teams
- Agile development life cycle with less structure and fewer documentation requirements
- Seen as a profit center, as it focuses on providing services that are most impactful to the goals of the business

12 The New IT - 2 Speed

13 The New IT - DevOps Approach
To support the new model of IT, more and more businesses are shifting from traditional means of organization to more fluid DevOps models.

14 The New IT - The New Speed
Because of these changes, IT is getting undeniably faster:
- 200x more frequent deployments
- 24x faster recovery from failures
- 3x lower change failure rate
- 2,555x shorter lead times
Source: Puppet + DORA

15 The New IT - The New Risks
Having an IT team that is cross-functional introduces new risks to the business.
- Developer Security
- Continuous Monitoring
- Privileged Identities
- Access and Activity Logging
- Cross-Team Interfaces
- Cloud Access
- Deployment Failures
- Separation of Duties

16 Changing the Risk Approach
For increasingly complex IT environments that have adopted DevOps models and other technologies, it is important to focus on these 10 control categories:
1. Automated Software Scanning
2. Automated Vulnerability Scanning
3. Web Application Firewall
4. Developer Application Security Training
5. Software Dependency Management
6. Access and Activity Logging
7. Documented Policies and Procedures
8. Application Performance Management
9. Asset Management
10. Continuous Auditing and Monitoring

17 Changing the Risk Approach
To address the new risks associated with evolving technologies, a change in mindset is in order.
Traditional IT Risk Management solutions:
ITGC
- Purpose: Assesses internal controls for IT systems used for financial reporting as support for an integrated audit
- Limitations: Focused on financial reporting systems only; manual intensive; sample basis (not full assurance)
SOC
- Purpose: Reports on controls for financial statement audits or controls related to compliance or operations
- Limitations: Focused on limited set of systems (financial reporting or other); manual intensive; sample basis (not full assurance)

18 Changing the Risk Approach
Risk Assessment Methodology
- Innovate. Stakeholders: R&D, Chief Digital Officer, Chief Marketing Officer and CEO
- Differentiate. Stakeholders: Business Units, Supply Chain and Process Owners
- Run. Stakeholders: CIO or Shared Service COO

19 Changing the Risk Approach
Integrated IT Risk Management Sample Framework
- Enterprises' speed of change outpaces most traditional IT service capabilities.
- Providers that fail to co-innovate with their customers will not realize the full potential of the two-speed IT strategy.
- Providers that demonstrate the understanding, alignment and prioritization of the two-speed IT will accelerate their relevance and exploit large opportunities.
[Figure labels: IT Governance; Policies and Procedures; Roles and Responsibilities; People; IT Compliance; Process; Technology]

20 Key Takeaways:
- IT is now expected to understand business needs and help the company achieve its goals: attracting new customers, creating new markets, and outperforming competitors.
- IT departments are starting to recognize the need to adopt advanced technologies and are placing greater reliance on third-party vendors to manage their IT environment.
- Managing the risks that are relevant to today's complex environment requires a change in mindset.
- Companies need to strike a balance between protecting the organization and running the business by building sustainable solutions that transform the risk management structure and stay ahead of potential threats.

21 Thank you
Ray Cheung Phone
In accordance with applicable professional standards, some firm services may not be available to attest clients. Crowe Horwath International is a leading international network of separate and independent accounting and consulting firms that may be licensed to use "Crowe," "Crowe Horwath" or "Horwath" in connection with the provision of accounting, auditing, tax, consulting or other professional services to their clients. Crowe Horwath International itself is a nonpracticing entity and does not provide professional services in its own right. Neither Crowe Horwath International nor any member is liable or responsible for the professional services performed by any other member.
This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.
Crowe Horwath LLP, an independent member of Crowe Horwath International. crowehorwath.com/disclosure
2017 Crowe Horwath International