Tuesday, 21 November 2023

Technology’s dual role as both source and mitigator of risk

Cyber risk has risen up the agenda in recent years. New and emerging technologies of AI & LLMs offer – or threaten – even greater risk and reward.

Innovation is often a double-edged sword. Technology is no exception, offering both risk and reward. It’s a complex picture which requires engagement at the highest level of an organisation, both in terms of continuity planning and in terms of the technology itself.


Cyber risk has risen up the agenda in recent years, especially because of the focus on digitalisation during the pandemic. The new and emerging technologies of Artificial Intelligence (AI) and Large Language Models (LLMs) offer – or threaten – even greater risk and reward.


Making sense of the current risk environment

McKinsey lays out the dangers of the current risk environment, saying that, “On top of public health and environmental pressures, organisations are subject to many business challenges, social uncertainties and geopolitical tensions. The disruptive currents include accelerating digitalisation, cyberthreats, inflation and price volatility. The dynamic pace of change makes disruption hard to predict, even as they grow in severity and frequency.”

While it cites digitalisation and cyberthreats as potential risks, it must be acknowledged that technology also has a dual role to play as potential risk mitigator. Modern intelligent predictive software, machine learning models and digital twins can help organisations to build foresight and risk modelling capabilities. 

Furthermore, technology can also be applied to address specific risks. McKinsey cites the example of one global company that applied next-generation AI technology during the pandemic to monitor and identify unusual ordering patterns and respond accordingly. In this way, advanced technology mitigated the uncertainties, enabled the fulfilment of customer orders and protected the organisation’s reputation.


Ensuring technological resilience

McKinsey identifies six types of business risk: business model, reputational, organisational, operational, financial and technological. To counter the threat of technological risk, firms must build technological resilience, it argues. 

It defines technological resilience thus: “Resilient firms invest in strong, secure and flexible infrastructure to manage cyber threats and avoid technology breakdowns. They maintain and make use of high-quality data in ways that respect privacy and avoid biases, compliant with all regulatory requirements. At the same time, they implement IT projects both large and small – at high quality, on time, in budget and without breakdowns – to keep pace with customer needs, competitive demands and regulatory requirements. If something does go wrong, they maintain robust business continuity and disaster recovery capability, avoiding service disruptions for customers and internal operations.”

However, there are challenges to developing this resilience. 

According to McKinsey, they are concentrated in four main areas:

  • Geopolitical tensions and the “splinternet”. Tensions – especially between the US and China – are resulting in the Internet splintering into regional variants and technology stacks. There are economic and reputational angles to dealing with this risk.
  • Complying with data localisation requirements is another risk factor for firms operating internationally. 
  • Data governance is a huge risk for firms. McKinsey stresses the importance of managing data access and ensuring the appropriate compartmentalisation of data as well as the need to protect it from cyber intrusions. 
  • Ensuring resiliency against diverse crises is another complication. This includes the traditional requirements of protecting against and responding to cyber attacks and recovering data, but it also incorporates deploying new technologies and equipment across markets with the necessary speed.


Responding to cyber risk

The UK’s National Cyber Security Centre (NCSC) has published an eight-step cyber security risk management framework to help organisations identify cyber risk and build technological resilience. The framework is aligned with the international standard ISO/IEC 27005. It is designed to help you understand what a good approach to risk management looks like for your organisation.

The eight steps are:

  • Step 1 – Establish organisational context
  • Step 2 – Identify decision makers, governance processes and constraints
  • Step 3 – Define your cyber security risk challenge
  • Step 4 – Select your approach
  • Step 5 – Understand risks and how to manage them
  • Step 6 – Communicate and consult
  • Step 7 – Implement and assure
  • Step 8 – Monitor and review

For smaller businesses or organisations which are new to risk management, the NCSC directs you to its basic risk assessment and management method. It is designed for organisations with very simple requirements.

If you need help working through these risk management frameworks or using any of the cyber risk toolkits provided by the NCSC, we recommend that you work with your IT partner. Ideally, you should schedule regular board-level meetings with your IT and cyber security partner to develop and maintain an action plan for managing cyber risk and for continually improving your cyber security posture as the risk environment evolves.


Technology’s dual role as both source and mitigator of risk

It’s clear that, in today’s digital world, cyber security must be a board-level consideration. Working with a strategic partner with deep expertise in cyber security is a good starting point. 

If your IT company isn’t working with you strategically and proactively to identify and address cyber risk, it might be time to look for a new IT partner.


What next?

If you’d like advice or support on any of the topics discussed in this blog, please reach out to our team.

Call us: 0808 164 4142

Message us: https://www.grantmcgregor.co.uk/contact-us 

Further reading

You can find more information and insights about cyber risk and cyber security elsewhere on the Grant McGregor blog:

•    New changes to Cyber Essentials for 2023

•    Is your business data at risk? Don’t take chances with old tech!

•    What is a watering hole attack? And how can you protect against it?

•    AI’s new role in cyber security

•    Is your organisation doing enough on supply chain security?

•    What can we learn from the Capita data breaches?

•    Do your backups include this important information?

•    Tips for successfully implementing a zero-trust approach to cyber security