Are you ready for the new technology that will change our world, again?

It’s not that long since we were dismissing the Internet of Things as something very much ‘next generation’. But, as you will see from Deloitte’s collection of articles (Deloitte Review Issue 17), many organizations are already starting to deploy related technologies. I also like Wired magazine’s older piece.

Have a look at this article in the New York Times that provided some consumer-related examples. Texas Instruments has a web page with a broader view, mentioning building and home automation; smart cities; smart manufacturing; wearables; healthcare; and automotive. Talking of the latter, AT&T is connecting a host of new cars to the Internet through in-auto WiFi.

At the same time, technology referred to as Machine Learning (see this from the founder of Sun Microsystems) will be putting many jobs at risk, including analysis and decision-making (also see this article in The Atlantic). If that is not enough, the IMF has weighed in on the topic with a piece called Toil and Technology.

Is your organization open to the possibilities – the new universe of potential products and services, efficiencies in operations, and insights into the market? Or do you wait and follow the market leader, running the risk of being left in their dust?

Do you have the capabilities to understand and assess the risks as well as the opportunities?

Do your strategic planning and risk management processes allow you to identify, assess and evaluate all the effects of what might be around the corner? Or do you have one group of people assessing potential opportunity and another, totally separate, assessing downside risk?

How can isolated opportunity and downside risk processes get you where you need to go, making intelligent decisions and optimizing outcomes?

When you are looking forward, whether at the horizon or just a few feet in front of you, several situations and events are possible and each has a combination of positive and negative effects.

Intelligent decision-making means understanding all these possibilities and considering them together before making an informed decision. It is not sufficient to simply net off the positive and negative, as (a) they may occur at different times, and (b) their effects may be felt in different ways, such as a potentially positive effect on profits, but a negative potential effect on cash flow and liquidity; the negative effect may be outside acceptable ranges.

With these new technologies disrupting our world, every organization needs to question whether it has the capability to evaluate them and determine how and when to start deploying them.

COSO ERM and ISO 31000 are under review and updates are expected in the next year or so. I hope that they both move towards providing guidance on risk-intelligent and informed decision-making where all the potential effects of uncertainty are considered, rather than guiding us on the silo of risk management.

Are you ready?

I welcome your comments.


For more on this and related topics, please consider World-Class Risk Management.

  1. August 8, 2015 at 1:12 PM

    I believe that the recent wave of major system hacks answers your reasonable question emphatically. And the related link at the bottom of your post: “Protiviti study on IT auditing raises more questions than it answers” adds the exclamation point.

    If we cannot effectively secure centralized environments, how can we presume to effectively extend control in distributed environments with the added risk of cross fertilization of risk from interfacing technologies and services of widely varying design and control integrity?

    I believe we saw a precursor of this show in the run-up to Y2K when two big risks evolved to prominence toward the end, once players had ‘buttoned down’ their mainframe and desk-top environments:

    The first was the risk of ‘embedded chips’, little computing devices of unknown and often undocumented sensitivity to date functions, produced by a multitude of vendors, many of whom were out of business by the eve of Y2K. In many cases, users would not know their vulnerability until the calendar flipped. Fortunately, the problems were nowhere near as great as feared. But the point is… WE DID NOT KNOW the potential consequences of technologies we created in a scenario that was known as early as 1975. And we created a whole new platform of technologies (the Wintel desktop environment) with the benefit of that knowledge, but not addressing the risk until the 11th hour.

    The second risk was the recognition that in a highly and increasingly distributed supply chain, organizations that became comfortable with their own level of risk mitigation suddenly realized their potential exposure to, and ignorance of, the state of mitigation (control) by their supply chain partners. That concern grew in the last months leading up to The Date as they sensed that litigation attorneys were hovering overhead in search of fresh kill.

    Of course none of this will deter corporations from collectively racing headlong into calamity, as they have so often in pursuit of profit, irrespective of cost or risk, and in absence of effective regulation.

    “Those who do not heed the lessons of history….”

  2. August 9, 2015 at 8:44 AM

    Norman, most of us are still grappling with good old fashioned cyber risk! But of course, you are right to follow the advances in technology with consideration of the resulting risk impact.

    Sidney, it’s interesting to see you cite Y2K. Back then I was up to my eyes in managing Y2K conversions for insurance companies and never really had a chance to look at it from a risk management standpoint until now. Nice observation!

    • August 9, 2015 at 2:29 PM


      A follow-on to your response. When I first heard of Y2K in 1975, I was an internal auditor at a major multi-line insurer. I was the financial auditor on a team that was looking at a major new database system that took five years and ten million dollars to develop. State of the art technology, but denuded of the most basic external accounting controls over what was happening inside the black box. Because it was so technologically excellent, running on the newest, fastest mainframes, everybody in management assumed everything had to be o.k. on the inside.

      As we were reminiscing on the aftershocks from the boardroom of a highly negative report, my IT audit colleague was talking about all the new challenges on the horizon. He mentioned Y2K. And here comes the payoff: “But that’s 25 years away, and technology will change so fast that it will be solved by then.”

      Yes, it was twenty-five years away. And technology did change rapidly during that time. But I didn’t hear anything about Y2K again until 1995 when I read my first article on the subject, and it noted how ill-prepared the IT community and businesses were. From that point, I followed the subject closely to the end. I saw that many of the legacy systems that were in place in 1975 were still the core engines behind gussied up web faces and ‘front-end’ interfaces. New was built on top of old, but the heart and guts and nervous system was very old.

      Society began to get serious in 1997 or thereabouts. It helped when Alan Greenspan stepped up and threatened to have the Fed take over, close or transfer any bank that wasn’t Y2K ready by a specified date. Then the brokerage industry and the insurance industry began to fall in line, and institutions got serious.

      In the matter of Climate Change, it is for all practical purposes 1995. We will soon reach panic point, perhaps in another five years.

      The same will come to pass with The Internet of Things, cyber security, AI. We will remain complacent to what we know until an incident injects abject fear to make us face what we know. It’s what we do.

      The only positive in this: It makes risk assessment and management a secure business.

  3. August 10, 2015 at 8:33 AM

    Great points here. I think what this all really means is that risk management will be something more people will be needing in the future! Thanks for sharing your insight here.

  4. August 16, 2015 at 11:06 PM

    Reblogged this on Information Security Blog.
