Companies across the globe are focused on cybersecurity threats, yet another major threat is looming in the shadows.
While companies and boards of directors focus on cybersecurity threats from hackers, breaches, ransomware and internal compromise, there is another significant risk that is not widely discussed. That risk is technology operational risk.
Looking at risk holistically
Before we talk about technology operational risk, let’s take a step back. Cybersecurity often gets the headlines based on a cloak-and-dagger scenario where there is the villain and the victim. Cybersecurity is also a regular boardroom discussion topic. But should it be the only one?
If you look at risk, it generally comes in three types: Legal, financial and reputational. Each of these encompasses different aspects, and a single threat could impact multiple forms of risk to the enterprise. There are also sub-components to each of these.
Cybersecurity, for example, often spans all three risk types. However, there are other risks that can be just as significant and span all three risk types. Those are technology operational risks.
Technology operational risk
The technology estate covers hardware, software, services, processes, architecture, expertise, culture, third parties and more. Over time, the technology estate has become incredibly complicated and intertwined, and it now extends beyond our own control to third-party organizations.
The degree of complication and interconnectedness of the technology estate has created a collective ball of yarn where the inherent nature of the complications creates risk unto itself. Beyond that, the complications create systemic risk to the overall company should a component fail, even a small one. These risks, in many ways, have the potential to outweigh cybersecurity risk.
When a server fails, a process goes haywire or a connection is down, the company and customers are directly impacted.
Having worked across many different organizations, I have found it common that most organizations do not fully understand or appreciate technology operational risk. Or if they do, the mitigation activities are often unevenly applied. Worse yet, as we go through time, new innovative technology is bringing greater complication to the equation, not less.
De-risking the problem
One way to combat the complication is to de-risk the environment. There are many ways the enterprise can work to de-risk its technology operations. Those efforts fit into one of two categories: Preventative and reactive.
Some of the common ways technology organizations de-risk their environment include business continuity (BC) planning, disaster recovery (DR), redundancy or failover processes.
BC/DR is the most common way for enterprises to create a backstop in case of failure. BC/DR is a reactive action that is put into play when a failure occurs. While most enterprises have BC/DR plans, they are often neither comprehensive nor actively tested. To be fair, exercising BC/DR is time-consuming, costly and can be incredibly disruptive. This often leads to an exercise of balance between intent, impact and actual action.
Historically, redundancy in infrastructure was one of the leading preventative ways to de-risk technology operations. The downside is that it can get costly and as the environment gets more complicated, the complexity from redundancy grows exponentially. Today, there are many questions on where redundancy is still feasible.
One of the other ways enterprises may have de-risked technology operations in the past was with manual processing. Unfortunately, we have long since passed the point where this is still possible. Think processing a credit card, making a phone call or getting in touch with a customer.
Where to go from here
Leadership teams need to take a systemic approach to considering risk. Technology operational risks need consideration right up there with cybersecurity risk. Using a technology risk rubric to map the risks across both cybersecurity and technology operations provides a more holistic view of technology risk for the board of directors.
Putting funding toward addressing cybersecurity risks while neglecting technology operational risk creates an imbalance in effectively stemming risk from a holistic perspective. It is like fortifying the back door while leaving the front door untouched.
Enterprises that use a rubric to measure, monitor and discuss overall technological risk provide a more comprehensive and transparent view for boards of directors to act on. In addition, doing so ensures a more stable and protected operation for the benefit of all stakeholders.