Balancing the benefits with the risks of emerging technology
Emerging technologies enable companies to maintain a competitive edge through their various benefits but can come with high risks. A balancing act is required.
The business environment is rapidly changing and presenting new challenges for organizations to overcome. Companies face evolving stakeholder needs, uncertain economic conditions, increased regulations and many other unforeseen circumstances, such as a global pandemic.
To stay competitive, many companies are turning to emerging technologies. According to ISACA's "The Pulse: Emerging Technology 2021" survey, emerging technologies can disrupt established markets by solving a current problem or issue. However, the benefits of emerging technologies must be carefully weighed against their challenges.
Benefits of emerging technologies
A well-known example of an emerging technology is AI. This technology has many facets, including machine learning, natural language processing and speech recognition. Nearly 50% of the more than 4,500 global respondents to the ISACA survey indicated they are already using AI technologies (22%) or are in the planning and pilot stages of adopting them (27%).
Companies that have adopted emerging technologies, such as AI, hope to benefit from the competitive advantages that these technologies are able to provide. For example, cost savings and heightened revenues are made possible through increased efficiency and enhanced customer products and experiences.
Companies can accelerate the adoption of emerging technologies by investing broadly across the company and using technologies in a way where the responsibility resides with the process owner. This approach generates better cost savings as process owners can solve a business problem specific to them, resulting in operational efficiencies and an increase in quality analysis.
Internal audit can also embrace AI technologies to enhance risk monitoring and control effectiveness. In a use case-specific example, machine learning can be used to analyze general ledger data and pinpoint incorrect or fraudulent journal entries among thousands of other transactions. Note that larger and more complex business problems -- which may have a broader impact across multiple areas of the business or have aspects that present greater risk to the company -- would require collaboration and consultation with data scientists, who could be internal personnel or consultants.
Risks of emerging technologies
Companies adopting emerging technologies must not only consider the benefits, but also the risks associated with these technologies. To develop an understanding of individuals' perceptions, the ISACA survey asked respondents to indicate their views on the risks of adopting AI technologies. Most respondents rated the risks associated with AI to be low (30%) or medium (33%), whereas only 9% determined AI to be high risk. In practice, companies must consider the maturity and complexity of the business processes using AI to determine true risk to the company.
One risk is that these emerging technologies will not achieve companies' expectations. To combat this risk, a clear vision needs to be established and supported by defined objectives with realistic targets. Due diligence involves thorough research to identify requirements for new projects that have a significant impact on the company. IT governance should play a substantial role as emerging technologies are being integrated into the business, including representation across different IT groups -- such as application development, security and infrastructure -- within the IT governance process. This will enable communication across various parts of the business and help identify additional needs, while streamlining project implementation. Monitoring and regular status updates should be communicated to senior leadership throughout the project, as well as post-launch to help determine if ROI was achieved or miscalculated.
Risks can also emerge from changing regulations that may limit the success of an emerging technology. For example, privacy laws related to the collection of consumer data could impede a company's ability to successfully use certain emerging technologies by disrupting current products and services in production. New regulations are imminent, especially surrounding algorithmic bias for technologies that affect customers. Continuous monitoring of new regulations and nimble development processes are necessary to ensure models comply with changing and new regulations.
Finally, there is a risk that a misconfiguration of the technology could cause an algorithm error issue, which would affect data quality and create threats to data security. These risks can be mitigated by putting strong change management processes in place. These processes ensure that test cases are effectively designed and performed, that version controls appropriately log changes to models and source code repositories, and that peer reviews are conducted for coding and model changes. Additionally, during the planning and building phase, it is critical to be mindful of the data set in order to identify potential biases and ethical dilemmas.
Adopting emerging technologies can create competitive advantages, but these benefits are naturally accompanied with risk. Process owners can take a proactive approach to identify risks by engaging with internal audit or enterprise risk management. Initiating discussions about risks and controls early in the technology's implementation will help identify any unaddressed issues and process improvements and ensure emerging technologies are successfully integrated into the business.
About the author
Jacob Young, CISA, is a senior IT auditor at Protective Life Insurance Company, specializing in IT audits of application development, infrastructure, operations and cybersecurity. He also assists financial and operational audit teams with data analytics initiatives. He currently serves as the webmaster on the ISACA Birmingham Chapter's board of directors and is a contributor to the ISACA Now Blog. His past experience includes external auditing of clients in various industries, including financial services, manufacturing and nonprofit organizations.