This viewpoint will explore:
- The current state of technology risk management
- Why enhancing an organization’s technology risk posture remains challenging
- The importance of building ongoing technology risk resilience
- How to make meaningful investments in technology risk management
- Practical steps organizations can take to strengthen their tech risk posture
The current state of technology risk management
For more than 50 years, technologies of varying types and complexities have increasingly shaped our world. They have become deeply embedded in societies globally, supporting professional, personal, and social activities. The potential to leverage technology for efficiency, better outcomes, community building, health improvements, innovation, and progress remains a key driver of human development and a cornerstone of modern civilization.
Yet with these opportunities come inevitable challenges, unintended consequences, and the risk of misuse—whether by bad actors or simple human error. As recently as July 2024, an erroneous update by a global cloud security firm triggered a significant technology failure that caused worldwide disruption. As this event illustrates, business risks grow alongside our systemic reliance on technology.
A prime example of the rapid technological changes that enterprises must respond to is artificial intelligence (AI). The Deloitte Centre for Financial Services estimates that generative AI (GenAI) email fraud alone could result in losses of approximately $11.5 billion over the next four years, driven by aggressive adoption of AI-powered phishing scams using deepfake audio and video to impersonate clients and banks. A U.S. Treasury report has also raised concerns that existing risk management frameworks in some banks may be inadequate to address emerging AI technologies.
Beyond corporate risks and opportunities, technology is reshaping society at large. Cyber warfare is now widely recognized as the fifth dimension of conflict between nation-states. Countries seeking to remain globally competitive must develop and retain homegrown technology and cybersecurity expertise in the public sector—skills that have historically been scarce. Investment in cybersecurity capabilities for public servants and the wider population will be essential for governments moving forward.
The potential for widely accessible technology platforms, such as social media, to influence election outcomes in major nations—and potentially destabilize some of the most established democracies—has been hotly debated in recent years. The spread of disinformation via these platforms is only expected to accelerate with the widespread adoption of generative AI tools.
At the same time, public services worldwide face increasing pressure to leverage technology to drive efficiency, improve value for taxpayers, and enhance service performance. Governments often rely on the private sector to bridge technology skill gaps, but recent failures of third-party providers supporting major UK government departments highlight the urgent need for robust risk management in procurement, as well as intelligent, ongoing oversight of technology vendors and other third parties.
The business world continues to navigate both the opportunities and risks that technology presents, particularly given the capital and investment required—not only to deliver solutions but also to manage associated risks effectively. Technology remains one of the largest contributors to operating costs, often compounded by years of underinvestment, major capital projects, and the need for highly skilled personnel to manage complex estates, whether on-premises or in the cloud.
Although some organizations have made significant investments to address technology risk, many have seen little improvement in their risk profiles or exposure. The same challenges recur, with a noticeable paralysis in making meaningful progress. Surprisingly, these persistent issues affect even sectors historically known for substantial investment in technology risk management, including Financial Services and Defence.
Why improving an organization’s technology risk posture remains a challenge
While each organization’s situation is unique, there are common factors that often prevent meaningful improvement in technology risk management:
1. Limited visibility and understanding at senior leadership levels
Technology is complex, constantly evolving, and often shrouded in technical terminology. When Boards or senior leadership lack sufficient understanding, effective decision-making around technology risk is compromised, reducing the organization’s ability to respond proactively.
2. Failure to link risk appetite to strategic decisions
An organization’s technology risk profile and risk appetite must be continually integrated into strategic decision-making. Risk and control functions should be actively involved to ensure that investment decisions—and their execution—do not inadvertently increase exposure.
3. Cultural challenges around technology risk management
Many organizations struggle with ingrained cultural barriers. Technology teams often devote limited time to risk management, focusing primarily on cyber and information security, viewing broader risk management as a blocker or “nice-to-have.” This can prevent transparent reporting of risk issues to leadership, limiting opportunities for necessary investment.
4. Overemphasis on cybersecurity at the expense of other areas
While cybersecurity is a critical risk, overconcentration here can leave gaps elsewhere. As organizations increasingly rely on SaaS solutions and third-party service providers, new risks emerge that require robust third-party risk management. Other areas, such as change delivery, technology governance, and operations management, also demand focus and investment to maintain a balanced risk posture.
5. Lack of a long-term investment strategy
Effective technology risk management requires sustained, long-term investment. Personnel changes, economic cycles, and shifting organizational priorities often lead to short-term fixes rather than addressing systemic issues. This results in many organizations “investing to stand still,” rather than making meaningful progress in mitigating technology risks.
Why it is important to continue building technology risk resilience
1. The evolving regulatory environment
Technology risk and operational resilience are increasingly under scrutiny by governments and regulators worldwide. In the Financial Services sector and among key cloud technology providers, regulations such as the EU’s Digital Operational Resilience Act (DORA) aim to ensure the robustness and reliability of digital operations. In the UK, the Operational Resilience regulations require FCA- and PRA-regulated firms to define impact tolerances for each important business service.
Across sectors, amendments to the UK Corporate Governance Code have strengthened reporting requirements and the evidence of internal control effectiveness, including the introduction of a new annual resilience statement. For public sector organizations, frameworks such as the Cyber Assurance Framework—though not mandatory—are widely expected to guide cyber controls and activity. The Senior Managers and Certification Regime (SM&CR) in the UK reinforces a culture of accountability, with senior managers clearly responsible for specific areas, making them answerable for any failings. Collectively, these frameworks increase the burden on organizations to actively manage technology risk.
2. Wide variety of technology risk issues and setbacks
Companies continue to experience major challenges across the entire spectrum of technology risk. Current corporate maturity levels are often insufficient, highlighting the need for enhancements. While the associated costs of resilience can be significant, investing in robust technology risk management provides value for money, safeguarding customer trust and organizational reputation in an increasingly connected and high-stakes environment.
3. Enhancing the ability to meet strategic goals
Long-term underinvestment in technology and insufficient appreciation of associated risks remain major barriers to efficiency and productivity. By redefining approaches to technology governance and risk management, organizations can achieve medium- to long-term benefits, including improved business performance, operational stability, and strategic goal attainment.
How to make meaningful improvements in technology risk management
1. Drive effective technology risk reporting
Ensure the Board and those charged with governance receive the right risk data, accompanied by detailed and sufficiently granular analysis to support informed decision-making. Given the central role technology plays in cost and investment agendas, this data should be treated with the same importance as financial and regulatory reporting—though in many organizations, it often is not.
2. Bring clarity and transparency in linking investment decisions to risk outcomes
Organizations should maintain a clear and honest view of their risk appetite over time, understanding how it may shift based on investment decisions. It is essential to define when and where interventions are needed to achieve the desired risk posture, and to link enterprise-wide change programs to measurable reductions in the technology risk profile over time.
3. Strengthen board training and awareness
Regular sessions, workshops, and open dialogues between the Board and senior management in technology, cyber, and risk functions help increase visibility of key technology risks and improve governance. Boards may also consider engaging technology-savvy members, including non-executives, to provide robust challenge and oversight on complex technology matters.
4. Review and rebalance the Target Operating Model (TOM) and Service Model (SM)
Ensure a balanced focus across all relevant risks in line with ongoing risk and threat assessments. Optimize the operating and service models with the right breadth and depth of technical skillsets and a strong understanding of service processes to deliver an effective technology risk capability.
5. Adopt an agile rather than a waterfall approach
Given the rapid pace of technological change, an agile approach allows for flexibility, particularly when requirements are uncertain or evolving. While a waterfall model has its merits, organizations that adopt it often run out of budget and leadership support before achieving meaningful improvements. Focusing agile efforts on the most significant risk exposures first, and prioritizing the fastest path to risk reduction, can materially improve overall technology risk posture.
6. Focus on cultural improvement
Technology risk management should not be seen as the sole responsibility of risk functions. Embedding a culture of risk awareness across the organization is critical, encouraging employees to take ownership of risk in their daily activities and to raise concerns transparently without fear of penalty. Performance management incentives should also reinforce desired behaviors around risk management.
7. Prioritize quality and sustainability of foundational data
High-quality data—such as that in Configuration Management Databases (CMDBs), incident records, change tickets, and risk repositories—is foundational for informed decision-making, effective controls, and regulatory compliance. Improving data governance in these areas is often a “low-hanging fruit” that mitigates risk, reduces the likelihood of fines, and protects organizational reputation.
8. Policies, standards, and controls
Getting the basics right ensures risk management procedures are clearly documented, promoting discipline and consistency across the organization. Well-documented controls provide a transparent way to demonstrate risk mitigation, enable effective testing, and create opportunities for continuous improvement.
9. Automation of controls
Organizations can achieve significant benefits by automating key technology and security controls, ideally using an agile approach. Processes such as user access management and privileged account management are prime examples where automation can strengthen the effectiveness and efficiency of the control environment.
Overall conclusions
Successfully managing technology risk remains one of the most significant challenges for corporations. Underinvestment in this area coincides with the rapid evolution of technology and cyber risks, driven by emerging innovations such as AI and the growing influence of powerful global technology service providers.
While the challenges are significant, we remain optimistic that senior leaders can benefit from our recommendations. The top three points to consider are:
- Embed a strong technology risk culture – Recognize the cultural challenges many organizations face and take deliberate steps to integrate risk awareness and accountability across the enterprise.
- Enhance the quality of technology risk information – Improve the accuracy, granularity, and relevance of risk reporting, ensuring it informs strategic decision-making effectively.
- Prioritize agile, targeted improvements – Focus on the most critical risk areas first while maintaining a long-term vision for meaningful, sustained enhancements in technology risk management.