- Where Insurance & Technology Meet

Should IT Risks Be Part of Corporate Governance?

According to a well-respected risk management and governance consultant, “IT risk” shouldn’t exist at the corporate governance level.  This seems to track with the philosophy that IT serves business needs.  However, prohibiting standalone IT elements from the board agenda entirely could be counter-productive in several critical scenarios.  I’d appreciate your thoughts here.

Is “IT Risk” a real risk?

Norman Marks, a recognized expert in internal audit, risk management and governance, recently blogged on the myth of IT risk. He posits that “there is no such thing as IT risk, only [IT-related] business risk.”

On the surface, this makes a lot of sense.  Marks makes two specific points that I believe are relevant:

  • “A technology-related risk may be only one of several that could affect the achievement of a corporate objective.  All risks related to an objective need to be considered as, when considered together, they may, in aggregate but not individually, indicate a need for action. …
  • “Some technology-related risks may seem significant to IT and other technical staff, but when considered within the context of business objectives pale in comparison to other risks.”

Generally, this aligns with both my philosophy and my experience.  Approaching senior executives and directors with anything that looks at all technology-driven will result in ridicule (at best) most of the time.

However, there are cases that will fall into the minority and need scrutiny at the highest level.  Let me suggest two categories.

Major Systems Implementation Failures

These don’t happen often.  However, they do happen and they do have to be part of a board agenda.

There are times when, in spite of all care and consideration, a major systems project gets so far off course that there is no alternative to pulling the plug.  This may occur with or without any functionality going live.

Sometimes the failure is due to purely external challenges (supplier going out of business or being incapable of delivering).  These cases are rare.  More often, the original functional and technical specifications were inadequate or wrong, or cannot be adjusted to accommodate new business realities (e.g., buying a company with radically different requirements).

The board needs to be aware of all of the consequences and be prepared to make decisions on pursuing compensation, re-staging projects, etc.

Innovation and Disruption

As much as we want to say that technology must support business strategy, there are times when technology will lead us into the next realm of the previously unthinkable.

This is not new.  The introduction of second-generation computers allowed real-time quotes.  Personal computers put those quotes into agents' and brokers' offices.  Usage-based insurance was a by-product of improvements in automotive technology.

In all of these cases, it was innovation in technology that allowed us to think about changes to insurance business practices.

And more is coming.  Last November, we blogged on a report from the analysts at SMA which reviewed 9 emerging technologies that would impact insurance.  Some are barely out of the labs.  Waiting for these to mature before making a decision would remove any first-mover advantage in areas such as insurance products, distribution channel strategy, and customer engagement.

That isn’t to say it is wrong to wait.  Just to say, it is a decision.

These are IT Risks

Like it or not, technology is driving decisions in many industries.  Insurance is not immune. Senior executives and directors need to be aware and prepared to evaluate these trends and how they impact current – and future – business plans.

Doing nothing is a high-risk alternative.

What do you think?

I’d appreciate your feedback on this.  Do you think that IT risks need to be part of corporate governance?  If so, what are the parameters?  If not, what are the alternatives?

We are hosting the 2015 Executive Forum tomorrow, which will focus on key trends.  We’ll be pushing out information on a number of topics, including governance, thereafter.  This is an important conversation.



One Comment

Norman Marks

Tom, first of all we have to take risk to survive, and situations and events may have potential negative effects in one area and positive in another. Only by looking at the bigger picture can we know whether we should accept a risk related to technology in order to take advantage of the business opportunity.
