ERM Managing Risks in New Technologies

Shared Assessments' new “Role of Enterprise Risk Management (ERM) in Managing Risks Related to New Technologies” briefing paper examines an under-investigated issue: most ERM programs have not developed a systematic approach to understanding the risks associated with emerging technologies, or to how those risks may have cumulative impacts when taken together rather than considered in isolation.


The paper focuses on four technologies: the Internet of Things (IoT), 5G, Artificial Intelligence (AI), and quantum computing. It explains the importance of educating boards about emerging technology risks, having an appropriate governance structure (ideally including a Chief Risk Officer and a Board Risk Committee) to consistently evaluate and mitigate technology risks, and having the right resources on hand to monitor and analyze both technology-related opportunities and risks.

The interaction between new technologies is explored, especially how the introduction of 5G communications systems may magnify existing vulnerabilities in other areas, such as IoT. There is potential for a lag in security technology as the 5G rollout occurs and, at the same time, wider use of IoT devices will enable a new range of services. However, these services will also bring increased risks, given the often incomplete security processes currently associated with many IoT devices and applications. Taken together, 5G rollouts and IoT vulnerabilities elevate the risks associated with each technology.


Organizations must learn how to anticipate the combined impact of new technologies, rather than assessing the consequences of each technology on a stand-alone basis, both in-house and with third-party providers. Outsourcers will expect their third-party providers to adapt quickly and respond to new technology challenges, and will hold third parties accountable for sub-par use of new technologies.


Another of the paper’s highlights is a discussion of the sometimes headline-grabbing risks stemming from quantum computing, specifically the fear that today’s standard encryption techniques could be defeated, leading to increased vulnerability of confidential information. Indeed, NIST says that “the successful development of quantum computing could also have a considerable negative impact on cybersecurity. It risks rendering useless most of our existing data security and critical infrastructure systems, including military networks, email and power grids.” Yet most experts agree that quantum computing is a decade or two away, and as a result few organizations are paying attention to the important activity underway to protect assets in the quantum era.


One of the most important efforts is at NIST, which in 2016 launched a program that seeks to identify algorithms resistant to quantum computing attacks. The goal of NIST’s Post-Quantum Cryptography (PQC) work is “to develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks.” This work is expected to be completed by 2024, after which there will be a roadmap for organizations to begin planning their approach to next-generation cryptography. In the meantime, boards should be educated about the risks associated with quantum computing, and organizations should stay close to the NIST PQC standardization effort.


You can find this important new paper on ERM Managing Risks in New Technology here.