I was talking to an old[1] friend yesterday and he mentioned his concern, shared by board members (he talks to many), about the level of technical/technology debt or deficit owned by many organizations, large and small.
There are many different definitions of the term, but he was referring to the fact that the technology deployed by many organizations is lacking in agility, responsiveness, and downright functionality.
In these times of dynamic volatility, organizations need the right information at their fingertips to make informed and intelligent decisions.
They need systems that can adapt at speed to changes in business and customer needs.
Yet many remain legacy systems that are hard to maintain. Changes to the more modern replacements take time, a limited resource and one that may be insufficient to deliver the changed or new functionality that is needed.
The CIOs of these organizations usually know about this, but they are constrained by budget limitations.
They may also be challenged by the demand to allocate much of that budget to cyber and information security.
While the demands for cyber budget may be justified, they are not usually supported by risk analyses that indicate the level of risk in business terms. So we can’t be sure. The justification for investments in cyber cannot readily be compared to the risk posed by inadequate or outdated technologies.
Studies show that many CIOs are reluctant to commit funds to cyber because of their need to upgrade the technology and systems used by the business. They see cyber as a lower priority – perhaps because of the way it is assessed in a silo: risk to information assets instead of risk to the achievement of enterprise objectives.
This brings me to several points:
- Risk and audit practitioners need to recognize the risk posed by the organization’s technology debt/deficit. They should ensure it is reported to top management and the board.
- They also need to understand the limitations posed by the current technology change management systems. They are often slow when business is changing fast. If management doesn’t know about DevOps, they should investigate it immediately.
- They should help leaders of the organization allocate both capital and expense budgets in line with the returns on those investments – and that means that all sources of risk and opportunity need to be assessed in comparable ways.
- Deficiencies in the ability to understand and assess the risk posed by technology debt/deficit should be highlighted to top management and the board.
- Deficiencies in the assessment of any and all sources of risk in business terms, such that they can be compared and aggregated to see the big picture, should be reported to top management and the board.
- Boards should ensure this issue is discussed as often as needed (at least annually) and appropriate actions taken.
Does your organization handle the issue well? Is each of my points addressed?
I welcome your thoughts and experience.
[1] Maybe not so old, but we have been friends a long time.