This insight is one of 15 risks in our 2024 Risk Trends Report.
Are you optimizing value from limited resources and budgets?
Organizations have limited budgets to invest in information (IT) and operational (OT) technology, physical infrastructure, and security. Executives may be tempted to answer this challenge by forgoing necessary upgrades and transformation initiatives. But just as there are costs to innovation, there are risks to allowing legacy systems to continue beyond their useful lifespan.
The question isn’t whether to resist or embrace digital transformation; rather, it’s deciding which initiatives to prioritize right now and how to get the best return on the technology investment. Inefficient systems and processes are a drain on morale and productivity. Restricting innovation and transformation will only lead to individual departments making unilateral technology decisions without considering the impact beyond their operational silos.
Arriving at the best answer as to which technology investments should be prioritized and drive the greatest value requires proper governance — with input across the organization, including IT, finance, operations, internal audit (or risk officer), and other relevant stakeholders. Conversations need to consider the current business challenges, the effectiveness of existing systems, and any threats (existing or emerging) to security and privacy. Leaders must also have a strong grasp of the innovation pipeline and the areas where disruption and business interruption are most likely.
All infrastructure will eventually come to the end of its useful life. Every replacement option will eventually include some cloud solution and, in time, AI-enabled upgrades. Recognizing this, leaders need to set a tone from the top that breeds confidence that the right updates will occur at the right time. They also need the appropriate processes in place to ensure that the chosen upgrades will be the best fit for the organization and that advisors give due regard to the opportunities and risks each option brings to the table.
Related risks
- Suboptimal IT/OT decisions reducing control effectiveness
- Lack of / insufficient supervision of third parties and related controls
- Insufficient policy, progress, contracts, and training on the proper/expected use of IT and OT
- Ineffective communication between leadership and the board
Key questions to ask
- Has your organization made sub-optimal investments in technology, and has a root cause analysis been completed to determine why?
- Does your organization rely on third parties to maintain effective control over IT and OT? What is the vetting process for third-party suppliers, and what risks need to be managed?
- Do you have sufficient training and tabletop exercises with leadership to discuss how to respond to and manage a ransomware attack?
- Is the IT/OT budget sufficient to cover the most critical needs of your organization?
- Do you foresee any significant changes to your data or system architecture that might disrupt controls, processes, or policy related to IT and OT?
- Has a strategy been established to guide technology investments to ensure technology is renewed on a timely basis and is optimizing the business?
Red Flags
- History of sub-optimal IT/OT decision making (i.e., excessive spending)
- IT/OT third parties seen as the root cause of issues
- Employees with no knowledge of acceptable and unacceptable technology practices
- Operational issues related to system failures