Risk Evaluation and Management

Oct 02, 2020

An organisation's Board determines the strategic direction. To do this, one of the factors which need to be considered is risk evaluation and management. The majority of Boards are comfortable with their assessments of geopolitical, environmental, macro and microeconomic risks, which are leveraged for decision-making. However, many are relatively uncomfortable when assessing the risks associated with technology, including industry-specific, regional or international regulatory requirements and responsibilities. This relative unease with regard to risks posed by technology is understandable. Given the pace of change, unless an organisation’s business is technology, most companies focus on leveraging technology to support business and operational goals rather than on the technologies per se.

Nevertheless, most operations are dependent on technology. The effective use of it will deliver operational efficiencies, allow the organisation to respond to change, and take advantage of new opportunities. This has been clearly demonstrated by the COVID-19 pandemic. Organisations which were able to respond effectively to the changed operational conditions were those with visibility and understanding of their technical environment, even when it does not form the basis of their business. These organisations were able to assess risk and implement quickly, pivoting efficiently to new ways of working and eliciting confidence from customers, the market, and investors.

Indeed, it is customary to leverage specialist expertise, internally or externally, especially for rapidly changing specialisms. Even with external support, it would be advantageous for the Board to have a good base understanding of the technology and its associated risks. The reasons for this are as follows:

1. Whilst external support can advise on specialist knowledge and expertise, including observations and standards in the industry, the Board will have a better understanding of the organisation’s business and operations.

2. The Board’s understanding of the organisation will help to tailor the remit and focus when external expertise is sought.

3. Board-level technical understanding will allow organisations to seek clarifications on potential recommendations as well as assess their suitability for the organisation.

Given the importance of technology in business and operations, is it time to supplement the Board's understanding of technologies for comprehensive risk evaluation and management?

Dr. Wendy Ng is a DevSecOps Security Managing Advisor, who’s honed her technical consulting skills through a number of industries: aerospace, healthcare, fintech, telco, transport logistics, and critical national infrastructure. Wendy completed her doctoral studies at the University of Oxford and has contributed to the scientific community through peer-reviewed publications. She has been sharing her experience and expertise, addressing key challenges, in her blogs since 2016.