You can't blame board members or senior executives for focusing whatever "technology attention" they might have on cybersecurity. We hear all too often about the everyday threats, risks, losses, and lawsuits resulting from security hacking attempts and breaches. Media reports and even television shows glamorize the lives of those who perpetrate these computer crimes and those who attempt to stop them. Yet, today's organizations face and must manage technology risks that go beyond cybersecurity and fraud. Below are some of the more critical "silent killers" of technology risk that organizations must master not only to protect their computing assets, but to remain in business.
Use web or mobile applications as relationship managers
In the 20th century, relationship managers would meet individually with prospects and even entertain them to explain products or services and generate business. Maybe that still occurs for significant dollar contracts, but not for other types of sales. Disintermediation removes the "middleman" from the sales and service process forcing customers to deal with the company through electronic means—typically a website. That means that customers are developing and maintaining their relationship with your company through your website. If that website is not complete, accurate, relevant or working properly, your organization stands to lose significant sales. And if you are in a regulated consumer-focused industry, you better be sure that your web presence or mobile applications contain the appropriate regulatory-mandated consumer disclosures.
Implement automated enforcement of business policies and practices
Gone are the days when managers and in some cases, owners would review all business transactions. In the digital economy, customers will not wait for time-consuming delays. Rather, consumers expect that the "seller's" ecommerce platform will include the applicable business policies, rules for conducting business, and controls for ensuring the transaction is completed to the customer's satisfaction. Realistically, businesses are often confronted with the need to be early providers of a service before the necessary service-delivery protocols can defined, tested, and implemented. Obviously this can cause challenges in ensuring that transactions and their supporting data are valid, complete, and accurate. Ideally, customer-facing applications should incorporate risk mitigation strategies, such as policy enforcement and credit checks that are preventive and cost-effective. But when that's not possible, sellers should use automated routines to simulate the "owner's" review of customer activity and detect problems as early as possible, minimizing the cost to remedy any problems the automated system identifies.
Rely on social media, not golf buddies, as sales referral sources
Whether networking at the local country club, attending "martini" lunches or conducting other forms of business entertainment, the nature of generating sales leads and referrals has significantly changed. While personal referrals and in-person introductions will always be critical to lead generation and sales success, the fast and demanding pace of today's business environment mandates more efficient channels of new business development. And to satisfy that need, more businesses than ever are leveraging social media and other web-based publicity tools to generate business. How the organization is perceived in the electronic world, including ensuring that business's brand is consistently maintained, is critical in helping to develop and obtain the necessary business leads to remain viable and profitable.
Understand that commoditization of technology makes differentiation more difficult
We've all heard how technology can facilitate business efforts to differentiate their companies from competitors. But with the increasing use and availability of cloud solutions and the consolidation of technology service providers, many industries have few true choices when they outsource their core processing or niche applications. Nicholas G. Carr's classic Harvard Business Review article, "IT Doesn't Matter" (May 2003), explored how the role of technology in many businesses was a commodity—similar to utilities like gas and electricity—and did not provide competitive differentiation among different companies. Technology risk considerations will need to focus on expertly implementing and using these common technologies while executing a service delivery strategy that reflects prices charged (e.g., higher prices will require superior customer service while more competitive pricing will deliver mediocrity).
Hire and train employees who can leverage the data and technology being made available
The possibilities of how one can use Big Data and data analytics to achieve business objectives continue to grow. Yet as quickly as these resources become available, so does the need to have an educated workforce that can leverage the opportunities provided. For example, computer-assisted audit techniques and the concepts of continuous monitoring have been available to the profession since the early 1970s—and, for some applications, even earlier. Relational database technology and query languages that facilitate analysis have been available for a comparable time as well. It does not make business sense to provide funding for the software used to take advantage of these promising opportunities without providing adequate training.
Make sure you have backup plans
The availability of computing records and resources is one of the most underrated and underappreciated technology risks facing most businesses. You can't transact business without systems being available, and the inability to restore business records can directly cause the business to fail. Unfortunately, planning for contingencies and periodically testing the effectiveness of plans and restorations carries little corporate political benefits—unless some type of disaster occurs and the company is then able to recover. Executive management and the board need to make the development and testing of these plans a business priority and appropriately compensate and reward those who manage this risk with the attention it deserves.
Cybersecurity has driven the discussion of technology risks to the board and executive levels, but business leaders must not ignore other factors that significantly impact business success. As with all risk, it is important to understand the risk, identify gaps in managing the risk, and develop prioritized strategies to reduce risks to acceptable levels that enable the organization to achieve its business objectives.
Joel Lanz, CPA/CITP/CFF, CGMA is the founder and principal of Joel Lanz, CPA PC, a niche CPA practice focusing on information assurance, technology risk management, and security. He also chairs the AICPA Information Management and Technology Assurance Executive Committee and is an adjunct professor in the business school at The State University of New York at Old Westbury in Old Westbury, N.Y.
