U.S. Federal Agencies Suffer 1,300 percent Rise in Cyber Incidents
CrowdStrike’s Shawn Henry on Cyberterrorists, Ransomware and Hacked Elections
Taking Charge of Disruptive Technology RisksManaging Director and U.S. Client Executive Practice Leader at Marsh
There’s a lot of talk these days about disruptive technology—3-D printing, autonomous vehicles, blockchain and more. It’s easy to find breathless descriptions of a world gone digital, be it the promise of connecting all the world’s people to all the world’s knowledge or the perils of poorly governed artificial intelligence running amok.
Despite the abundance of information on disruptive innovation, our research raises questions about the level of discussion companies are having about managing the risks of disruptive technology. The 2017 Excellence in Risk Management project from Marsh and RIMS, the Risk Management Society, looks at an array of issues around disruptive technology risks. For this survey, disruptive technology was defined as “one that purposefully displaces an established technology and alters an industry or way of doing business—including jobs—or a ground-breaking product that creates a completely new industry.”
For some companies, a lack of focus on such risks will bring financial difficulty; for those with foresight, a focus on the risks will enhance the opportunities.
A surprising number of respondents (24 percent) acknowledged that they do not use or plan to use any of 13 common disruptive technologies; the numbers were even higher around individual items.
For example, 48 percent of risk executives told us their organization doesn’t use or plan to use the Internet of Things (IoT); yet, according to many estimates, 90 percent of companies will be using IoT technologies within two or more years. Similarly, only 25 percent of our respondents said their organization uses or plans to use wearable technologies, while studies show 93 percent of companies across a range of industries are already evaluating or using them.
Such disconnects show a gap in understanding: Too many risk executives don’t seem to realize the pervasiveness of these technologies. Perhaps they are simply mesmerized by the “gradual evolution rather than radical change” with which technology now disrupts the business world. But companies cannot afford to be surprised when technology fails or goes awry.
Risk executives need to fortify their strategic role by understanding how technologies impact not just their own operations and business models but also the direction of entire industries—both theirs and related ones.
Align and Assess
A primary responsibility for any risk executive is to ensure that new and emerging risks are being identified and assessed. Yet we found a significant number (60 percent) of respondents saying no risk assessment is being done for disruptive technologies. That should make people nervous given the impact that disruptive technology can have on an organization’s strategy. In fact, such lack of attention to the risks should be viewed as unacceptable.
From a liability standpoint alone these innovations may upend the status quo. Look at a driverless car or truck or train. When the vehicle of the not-so-distant future is involved in an accident and injures a pedestrian or damages property, will that be the fault of the owner, who is not actually driving the vehicle? Will liability fall to the vehicle manufacturer? What about the software designer who built the algorithm to “tell the car” what to do leading up to the accident?
By definition, disruptive technologies can make or break a business. Assessment and analysis of the risks need to be integrated into existing business strategy decisions. Why, then, this lack of focus on assessing disruptive risks? “Other areas have greater priority,” was the top answer when respondents were asked about the biggest impediment to understanding disruptive technology risks.
But today’s risk executives need to develop insights that will help leadership prepare for the unexpected. Disruption from technology is an area that unexpected events will no doubt emanate from and should be treated as a priority.
Take Charge of Disruptive Risk
The transformational changes that come with managing disruptive technology risks can be difficult. So what can be done now to help organizations map out the way forward?
First, understand. You need to know what disruptive or innovative technology is. What is your organization already using? What is coming? If our Excellence survey is any indication, this is a dangerous gap that needs to be bridged by risk executives.
The pace of innovation is truly fascinating. As our colleagues at Lippincott put it: “There is no more important question to answer than ‘What is the big, unstated need of tomorrow?’ The answer is deep, constant, and insatiable inquiry.” Educate yourself on terminology, on leading-edge innovations, about hits and misses, emerging risks, and other disruptive technology topics, especially for those your organization or industry is using or planning to use.
In doing so, expand your network, the people and places you turn to for answers and ideas. There may be other industry sectors with experts you don’t typically tap into that can help you to better understand how disruptive technology may shift your risks—or how it is already changing them.
“You can’t stick your head in the sand with what’s happening with disruptive technology,” the director of risk management for a major freight company told us. “At some point, you have to adapt.”
Second, invest. The inability to model the magnitude of disruptive technology risks was cited as a strong impediment to managing them and undoubtedly contributes to the lack of focus. Models, data, analytics—such tools can help prioritize, but they require investment from leadership.
Risk professionals have told us for many years that their organizations intend to invest in data and analytics, yet usage remains elusive: Analytics ranked near the bottom of techniques our survey respondents said they use to assess and model disruptive risks.
And it’s more than just money that needs to be invested. A commitment of time and collaboration to discuss disruptive risk issues across the organization will help set priorities, lay out the implications for decision-makers, and develop mitigation strategies. One way to do that is through the effective use of cross-functional risk committees. And yet, we continue to see a decrease in the number of organizations reporting they have such committees. This year, only 48 percent of respondents said they have a cross-functional risk committee, a drop from 52 percent last year and 62 percent five years ago. Interestingly, 41 percent of respondents without a committee said their company should have one.
Finally, engage. Organizations generally, and risk management professionals in particular, need to adopt a more proactive approach about disruptive technologies—what is already in use, what is on the horizon, and what are the risks and rewards.
Forward-thinking executives will look for alternative means to generate the necessary discussions to raise the risk profile of disruptive technologies. For example, in most organizations today, the term “cyber” is likely to attract attention. In our survey, “establishing effective cybersecurity” was the top concern related to disruptive technology among respondents across various industries. While data breach and privacy issues are real and should not be downplayed, the focus on cyber risk may at times obscure other concerns organizations should consider regarding disruptive technologies.
Several risk professionals we spoke with suggested using the current allure around cyber risk to pivot to broader discussions: “‘Cyber’ is a good catch-all word,” a risk executive at an industrial contracting firm told us. “It provides a level of comfort that people can understand. If you get too detailed or technical during conversations about disruptive technologies, people may be less willing to engage. But if you keep it general, keep it high level, and talk about potential cyber threats and managing them—that’s an easy way to start the conversation.”
Companies should also make use of an executive-level risk committee to discuss broader disruptive technology risks. Risk professionals can help lead the way as companies adapt to technology innovation, but they will be relegated to support roles if they fail to understand and address the unique issues the fourth industrial revolution brings. The good news is that the desire and ability to play a leading role are there.