The risk to an organization of technology debt or deficit

October 26, 2023

I was talking to an old[1] friend yesterday and he mentioned his concern, shared by board members (he talks to many), about the level of technical/technology debt or deficit owned by many organizations, large and small.

There are many different definitions of the term, but he was referring to the fact that the technology deployed by many organizations is lacking in agility, responsiveness, and downright functionality.

In these times of dynamic volatility, organizations need the right information at their fingertips to make informed and intelligent decisions.

They need systems that can adapt at speed to changes in business and customer needs.

Yet many of these systems remain legacy systems that are hard to maintain. Changes to the more modern replacements take time, a limited resource and one that may be insufficient to deliver the needed changed or new functionality.

The CIOs of these organizations usually know about this, but they are constrained by budget limitations.

They may also be challenged by the demand to allocate much of that budget to cyber and information security.

While the demands for cyber budget may be justified, they are not usually supported by risk analyses that indicate the level of risk in business terms. So we can’t be sure. The justification for investments in cyber cannot readily be compared to the risk posed by inadequate or outdated technologies.

Studies show that many CIOs are reluctant to commit funds to cyber because of their need to upgrade the technology and systems used by the business. They see cyber as a lower priority – perhaps because of the way it is assessed in a silo: risk to information assets instead of risk to the achievement of enterprise objectives.

This brings me to several points:

  1. Risk and audit practitioners need to recognize the risk posed by the organization’s technology debt/deficit. They should ensure it is reported to top management and the board.
  2. They also need to understand the limitations posed by the current technology change management systems. They are often slow when business is changing fast. If management doesn’t know about DevOps, they should investigate it immediately.
  3. They should help leaders of the organization allocate both capital and expense budgets in line with the returns on those investments – and that means that all sources of risk and opportunity need to be assessed in comparable ways.
  4. Deficiencies in the ability to understand and assess the risk posed by technology debt/deficit should be highlighted to top management and the board.
  5. Deficiencies in the assessment of any and all sources of risk in business terms, such that they can be compared and aggregated to see the big picture, should be reported to top management and the board.
  6. Boards should ensure this issue is discussed as often as needed (at least annually) and appropriate actions taken.

Does your organization handle the issue well? Is each of my points addressed?

I welcome your thoughts and experience.

[1] Maybe not so old, but we have been friends a long time.

  1. Anonymous
    October 26, 2023 at 9:31 AM

    Norman,
    This has been one of the most eye-opening posts in a long while. Thank you. After reading, I did some research via a reliable site – Statista.com (https://www.statista.com/statistics/486586/it-infrastructure-spending-forecast-by-type/)

    My observations of the comments made by your friend led me to recall a number of experiences I’ve had with tech challenges/deficits/debt with a number of clients. Here is a small selection that applies to your comments:

    1. Most risk analyses done in a tech environment are very single-focused – cyber, data, malware . . . tech folk are generally not trained to do a ‘business value’ impact and risk analysis – so they go with what they know. This is a very significant disconnect between business and tech.

    2. The ‘justification for investment’ must be made in business terms, not in tech terms. The people who approve the budget for upgrades, upskilling or upping any part of the tech capabilities are usually not from the tech world. It must be translated into business value for them (the ‘WHY’), not insurance or regulatory terms.

    3. The ‘legacy system’ is an old story and it has long passed its expiry date. If someone is still operating with a system from the ’70s, ’80s or even mid-’90s, then what on earth are they doing with the tech spend? . . . that is a lot of band-aids!!

    The conclusion I have come to, if cyber is a low priority, is that the business has little of value to be taken.

    To your bulleted points, I offer the following thoughts on select points:

    #1 – Strategy is the weak link – why is risk to tech not being tied to the overall strategy?
    #3 – Spend is not aligned with stated outcomes. Tech is not trained to manage the outcomes or to design an effective tech strategy, and they should be. When aligned with strategy and capabilities, ROI is built in. This would give them greater access to funding.
    #4 – Inability to make a good business case for investing in what should be creating value (tech). Being able to communicate in clear and persuasive terms is essential. This has been a major weakness in tech before.
    #6 – This discussion needs to be happening on a monthly basis. We are very long past annual cycles for reviews, assessments, reporting and discussions about risk in general, not just tech.

  2. GSosbee
    November 3, 2023 at 9:04 AM

    Norman, very timely post. From my experience/observations, you covered most areas. The issues seem to be: 1) Technology is changing by the day (if not the hour). This makes for challenges in staying on top of the organization’s technology risk profile and matrix. One hates to elevate anything to weekly review status, but this is one. 2) The Big One – money. Keeping up means constant investment in tech people and technology.
