Chapter 3 – Managing technology risk

Businesses understand emerging risks, but the measures to manage and mitigate those risks may not be adequately developed

Across all sectors, organisations have experienced a variety of technology-related disputes (see Chapter 2) over the preceding three years. The process of identifying risks and executing plans to mitigate them, however, remains somewhat ad hoc. Responses indicate that policies for managing a range of highly consequential risks are often left in the planning rather than execution phase (see figure 4). 

Figure 4: Processes to manage technology risks 

Q: Which of the following plans/processes have you adopted or intend to adopt to manage current and future technology-related risks?

Confidence or overconfidence?

Nevertheless, respondents across all regions exhibit high confidence in senior executives’ understanding of technology-related risks (see figure 5), and a similar confidence in senior executives’ identification of risks related to new technology (see figure 6). No respondents stray into the ‘somewhat unconfident’ or ‘extremely unconfident’ categories.

Figure 5: Senior executives’ understanding of current technology-related risks

Q: To what extent do you consider that the senior executives in your business understand your company’s current areas of technology-related risk?

Figure 6: Senior executives’ identification of risks related to new technologies

Q: How confident are you that the senior executives in your business have identified the primary risks associated with adoption of new technologies?

At the same time, respondents (albeit comprising mostly in-house lawyers and risk managers) express high confidence (see figure 7) that in-house counsel have the necessary knowledge and expertise to manage current and future risks. And very few (7%) feel general counsel are insufficiently consulted regarding risks of new technologies. 

However, distinctions emerged between knowledge and expertise on the one hand and practical execution on the other. Respondents see their risk planning and mitigation challenged by a range of factors. Internal barriers (see figure 8) include perennial concerns over time and resources, including budget, and are strongly felt.

Cultural impediments like resistance to change were stronger, perhaps frustrating attempts to close the gap between strategies they plan to adopt and those fully adopted (figure 4).

Figure 7: Confidence in legal teams’ identification of risks related to current technologies 

Q: How confident are you that your legal team has the right level of expertise and knowledge to manage current technology-related risks?

No universal risk management approach

Each sector exhibits particular characteristics with regard to risk preparedness, of which outliers include the following:

  • The media industry exhibits multiple risk management omissions, including:
    • Almost two in five (37%) have no crisis management plans for technology failure
    • Three in five (59%) have no response plans to manage cyber breaches
    • More than half (56%) have no policies for mitigating infringement of third-party IP.
  • Life sciences and healthcare organisations are likewise troubled by omissions, including:
    • Over a third (37%) do not have a policy for assessing data security standards of suppliers
    • Nearly a half (47%) failed to implement policies to regulate IP licensing.
  • In financial services:
    • Two in five (41%) have yet to adopt a document management system for discovery/disclosure management
    • Over a quarter (28%) do not maintain a regulatory risk register.

Resistance to change is the leading internal barrier in the US and Canada, EMEA, and Latin America. 

Organisations show a sound understanding of the importance of technology risks at all levels, but responses suggest that many businesses have some incomplete measures in place. As the management of technology-related risks becomes more strategic, the gap between risk identification and execution of mitigation plans poses a growing threat.

Figure 8: Internal barriers to minimising technology-related risks

Q: What internal barriers does your business face in minimising technology-related risks?

Resistance to change is a fact of organisational life and a huge factor in the successful implementation of technology programmes. It is the leading internal barrier in the US and Canada (chosen by 55%), EMEA (56%) and Latin America (54%). 

In APAC the top barriers are lack of time or resources and lack of budget (50%), with resistance to change joint third with lack of skills (49%). 

Businesses must understand and prioritise technology risks and rank them by likelihood and by the gravity of consequence. It is then possible to develop plans to manage those risks and mitigate any possible impact. These plans should be periodically reviewed and updated to make sure they continue to meet the needs of the business.

Change can prompt conflicting emotions. On the one hand it’s exciting to move an organisation forward and open it up to new opportunities. On the other hand, it can be an anxious time because it opens up organisations to uncertainty and risk. But this is not an excuse for inaction. Organisations will need to be more agile in navigating the new risk landscape.
Chris Watson, Partner, Technology, Media and Communications, CMS