Businesses are quickly adopting transformative technologies such as cloud, AI (Artificial Intelligence) and other leading systems and applications for strategic advantage, risk reduction and cost savings. The new risks introduced by transformative technology create a challenge for organizations to manage. In this series, we discuss how the first, second and third lines of defense can proactively manage these risks.
Traditionally, risk is identified and evaluated during product and business development review and approval, through the project initiation and planning phases. However, it is more important than ever for businesses to identify and manage risk throughout the system's end-to-end lifecycle (from ideation through deployment and sustainment) in a more proactive, Agile way, because risks can arise during implementation and after deployment due to emerging threats and/or technologies. For example, the 2020 Cloud Misconfigurations Report studied all of the data breaches publicly reported between 2018 and 2019 across the globe and found that 196 separate data breaches were definitively caused primarily by cloud misconfigurations [1].
In terms of scope, traditional considerations of technology risk (e.g. Basel's category of Business Disruptions and System Failure [2]) do not account for the range of IT risks and the associated compliance, reputational, model and strategic risks that stem from emerging technologies, i.e., cloud-based services, machine learning/artificial intelligence and blockchain. Firms that still assess IT risk using the traditional Basel categories are failing to adequately control for new technology-based applications. Whereas technology risk traditionally includes risks such as asset management risk, IT operations risk, software and infrastructure development risk, operational risk and physical security, new transformative technologies introduce new security concerns, risk management resourcing challenges in both the first and second lines, and ethical and reputational concerns. Consistent with these risks, Gartner's MOST Framework for managing AI risk stresses the need for enterprise security measures, AI data and model integrity, and responsible AI [3].
Recent industry and regulatory publications highlight some of these risks. A recent BIS paper noted the increasing reliance on technology infrastructure for financial services and that during COVID-19 "cyber threats (ransomware attacks, phishing, etc.) have spiked" [4]. In the Fall 2020 Risk Perspective published by the OCC, cybersecurity was also highlighted as one of the risks banks face, specifically the difficulty of managing that risk in a virtual environment where many employees are working from home [5].
In our next blog, we will discuss how businesses and their control partners can holistically identify risks associated with new technologies as well as design and monitor effective controls throughout the technology lifecycle.
- [1] "Anatomy of data breach in cloud generation", Security Magazine, November 27, 2020. Available at: https://www.securitymagazine.com/articles/94036-anatomy-of-data-breach-in-cloud-generation
- [2] "International Convergence of Capital Measurement and Capital Standards", Basel Committee on Banking Supervision, June 2004. Available at: https://www.bis.org/publ/bcbs107.pdf
- [3] "Top 5 Priorities for Managing AI Risk Within Gartner's MOST Framework", Gartner, January 15, 2021. Available at: https://www.gartner.com/document/3995616?ref=solrAll&refval=280657318
- [4] "Principles for Operational Resilience", Basel Committee on Banking Supervision, March 2021. Available at: https://www.bis.org/bcbs/publ/d516.pdf
- [5] "2020 Semiannual Risk Perspective, Fall 2020", Office of the Comptroller of the Currency, November 9, 2020. Available at: https://www.occ.treas.gov/publications-and-resources/publications/semiannual-risk-perspective/files/semiannualrisk-perspective-fall-2020.html