Identifying and Preparing for Interruptions, Disruptions and Emergence

A beacon from a lighthouse or a buoy in the sea alerts passing ships of the presence of rocks or other dangers and guides the ships to safe harbor. Acts of guiding and alerting are embedded in the philosophy of information systems (IS) auditors. Dangers can be hidden, and guidance is required to reach destinations and achieve goals.

Just as ships face dangers, organizations may face different hardships that hinder their progress toward achievement of organizational goals. These hardships can broadly be categorized as interruptions, disruptions and emergence events. It is important for IS auditors to understand the nature of these interruptions, disruptions and emergence events to help their organizations mitigate their adverse impacts.

Figure 1 shows how interruptions, disruptions and emergence differ from each other with respect to various dimensions. Understanding these differences is crucial to being prepared.

Interruptions

An organization’s information systems are expected to be available and functioning optimally to enable all users, internal and external, to perform their necessary actions at all times. However, systems can become unavailable or can malfunction, causing inconvenience or damage depending on the nature of the interruption and the length of the outage.

Interruptions can be classified into six major categories:

1. Software malfunctions
2. Hardware failures
3. Network outages, congestion
4. Malware, cyberattacks
5. Natural disasters (e.g., floods, fires, earthquakes)
6. Infrastructure events (e.g., power supply or air conditioning issues, civil disturbances)

The potential for each of these types of interruptions is known and examples have already occurred; therefore, strategies, methods, processes and tools exist for mitigating or recovering from each of them.

A proactive, well-managed organization should be prepared for all categories of interruptions. Although interruptions can occur suddenly and without notice, a prepared organization is ready to quickly swing into action, mobilize its workforce and find a solution. Security and audit functions have built sound processes, technologies and methodologies to prepare for these interruptions and either to prevent them or recover from them swiftly.

The IS auditor’s role in dealing with interruptions is significant. The IS auditor should participate in the risk assessment to identify all possible interruptions and their impact on specific systems. The auditor should also review all the mitigating control measures put in place and verify that they all have been tested and will be operational at the time of need. In addition, the IS auditor should evaluate all recovery and business continuity plans to ensure that they will succeed in restoring systems when interruptions happen. This should be an ongoing process since systems and environments constantly change and plans must be updated accordingly. It is also necessary for the IS auditor to examine the preparedness of people—including staffing adequacy, staff training and staff ability to respond with agility during crises.

Disruptions

A disruption is not merely an interruption that temporarily halts operations. A disruption could potentially strike at the root of the very existence of something. It often goes beyond the technology and information systems and impacts the organization itself. Disruptions do not happen suddenly, such as with a cyberattack. Rather, they develop over a period of time and eventually cause change.

Emerging Technology Disruptions
Disruptions are often caused by the advent of new technologies. For example, banking in the 1990s required a customer to physically visit a bank branch to perform any kind of transaction. However, with advancements in network technology, the increasing reach and reliability of the Internet, and the creation of mobile applications (apps), banking account has changed dramatically. With the advent of online banking, customers can log in to their bank account and complete any transaction digitally. Banks that kept pace with technology and enabled their systems for online banking were successful, while those that did not had to play catch-up to survive.

The digital revolution has made mobile phones and their applications the mainstay of most business interactions and transactions. The Internet of Things (IoT) enabled products other than computing devices to connect to networks. Cars, household appliances, machinery and lights can now be fitted with the appropriate sensors to interact with networks. Manufacturers that failed to see this development and did not ready their products with these features were left behind by organizations that adapted quickly.

By preparing and training in the use of disruptive technologies using resources from industry leaders and educators, the IS auditor can effectively participate in designing appropriate controls to be built into these new solutions.

Technology developments in the fields of artificial intelligence (AI), machine learning (ML), automation, blockchain and the metaverse have led many organizations to implement these emerging technologies into their solutions and products to stay competitive. But emerging technologies can also become disruptors. While AI is already emerging as a disruptor in many fields, it remains to be seen whether the metaverse will converge the digital world with the physical in new ways. Will cryptocurrencies rule the world economy? Will blockchain become a more pervasive platform for transactions? As the world becomes largely digital, and interactions and monetary assets are predominantly digital, how is digital trust established? The risk associated with these emerging technologies needs to be understood and evaluated by IS auditors proactively so that they are not taken by surprise when large-scale deployments happen.

Nontechnology Disruptions
There are also nontechnological disruptions. The most recent example is the global COVID-19 pandemic. The virus confined people from all walks of life inside their homes and prevented social contact amid an atmosphere of fear, stress, sickness and loss of lives.

It was digital technologies that enabled work from home (WFH), but not all organizations had the necessary technology infrastructure and processes in place to enable it. However, over time, remote work has become an accepted reality and hybrid models have been developed. Enabling security in the new work environment created challenges and resulted in losses for many organizations. A disruption of this nature and at this scale is severe. Although it had not been encountered previously, it led to lessons learned and the world is more prepared for the future because of it.¹

Natural Disaster Disruptions
Disruptions also happen due to large-scale natural calamities such as earthquakes, fires and floods. These are often localized to a geographic area and a limited period of time, and recovery is often possible for organizations that have business continuity plans in place.

Man-Made Disruptions
Man-made events, such as wars, also cause disruptions and are more difficult to handle. The war in Ukraine is one such example that has had an impact far beyond its geography, impacting the energy sources and supply chains of many countries and enterprises.

Disruptions do cause distress, but organizations that have a forward-looking vision, organizational strengths and operational agility to innovate and respond to change have overcome disruptions and emerged stronger.

The Role of the IS Auditor
The IS auditor’s work with respect to disruptions can be contributory and advisory. When the disruption that is happening in the industry is visible but the organization is not putting in effort to prepare for the disruption, the IS auditor can leverage relationships with senior management and the board of directors (BoD) to bring the issue to their attention and request guidance in terms of recommended action. By preparing and training in the use of disruptive technologies using resources from industry leaders and educators, the IS auditor can effectively participate in designing appropriate controls to be built into these new solutions. Hence, learning, training and keeping pace with technology are key requirements for IS auditors to make effective contributions toward dealing with disruptions.

Emergence and Global Trends

Technologies and the business scenarios in which they are applied have evolved in a mostly gradual manner, albeit with periodic abrupt changes. Certain trends can be seen in their nascent form but take some time to mature, become powerful forces and make an impact. Often these forces become pervasive and make their impact across geographies, industry sectors and technologies.

Such trends can be termed as emergence, for when they are first noticed, they are considered emerging. At any point in time there may be many trends that are somewhat visible, but not all of them will mature to make a significant impact. Identifying which of these will grow and mature is not easy and may sometimes differ by sector or geography—or some may have a global impact. It is the difficulty with identification that makes preparing for these trends challenging.

Given that they take a long time to play out, preparation for these trends requires a long-term vision and strategic planning.

Many consultants and research bodies publish global trend reports aimed at trying to make predictions in different areas as to what the world will look like a decade or two into the future.² However, this is not an easy task, and the conclusions of different studies vary depending on the focus and vision of the authors and their organizations. As the famous Danish physicist Niels Bohr said, "Prediction is very difficult, especially if it’s about the future."³

By identifying emergence and preparing for it, organizations can minimize surprises.

But notwithstanding this, it is necessary and prudent to attempt to study, evaluate, imagine and prepare. As famous science fiction author and futurist Karl Schroeder said, "Foresight is not about predicting the future; it’s about minimizing surprise."⁴

By identifying emergence and preparing for it, organizations can minimize surprises.

Many trend reports identify several major areas of change and impact, including climate change; urbanization, inequality and inclusion; and demographic change. These examples give indications about the nature of emergence and how to prepare for it, but they are not exhaustive. Organizations need to watch trends and global reports and start preparing early to address these issues.

Climate Change
The tremendous developments made by humankind in areas such as infrastructure, industrialization, energy, transportation and farming over the last 300 years have dramatically improved quality of life. However, it has come at a high cost for the environment in terms of the effects of climate change, including rising temperatures, rising sea levels, the depletion of the ozone layer, and the pollution of air and water.⁵

This crisis affects the entire world, and it is imperative for everyone to do their best to act responsibly to minimize the effects of climate change. The United Nations Sustainable Development Goals Report 2022 notes that:

As the world faces cascading and interlinked global crises and conflicts, the aspirations set out in the 2030 Agenda for Sustainable Development are in jeopardy. With the COVID-19 pandemic in its third year, the war in Ukraine is exacerbating food, energy, humanitarian, and refugee crises—all against the background of a full-fledged climate emergency.⁶

Therefore, it is necessary for all organizations to address these issues no matter their business sector. Are they ready with a plan to become carbon neutral? What are they doing to consume energy more efficiently? Are they taking measures to stop pollution caused by their activities? Are they manufacturing products that support these causes? Are they publishing a verified environmental, social and governance (ESG) report that demonstrates their commitment to protecting the environment?⁷

The answers to these questions are important because customers use these considerations when choosing the types of organizations with which they wish to interact. Although these considerations may seem like a means to enhance an organization’s image, in the future, such factors may determine their very existence.

Addressing this shift requires vision, strategy and commitment from the very top, including setting goals, declaring them, and making investments and efforts to achieve them. This is long-term work, but it should begin now.

The IS auditor needs to evolve from being an examiner, reviewer and verifier to becoming one who advises and guides as an expert.

Urbanization, Inequality and Inclusion
Populations are rapidly moving from rural to urban areas. This introduces both problems and opportunities for enterprises. More than half the world’s population now lives in cities and towns, and by 2030, this number will reach 5 billion.⁸ The increasing population density in urban areas strains the available infrastructure, but it also creates business opportunities for serving the burgeoning populations of cities with various goods and services.

However, the rapid pace of development has not showered benefits on everyone around the globe equally and uniformly. Disparities in standards of living vary grossly across populations. Including every person around the globe in development and its benefits regardless of race, color, caste, gender, nationality or any other criteria is an imperative for the world today. Society can sustain progress only together, not in pockets.

These issues have many social implications, and they will also impact organizations and their employees.

Demographic Changes
The global population is aging in most countries, and it is estimated that 22 percent of the global population will be older than 60 years of age by 2050—up from the current 12.3 percent.⁹ Life expectancy is increasing due to better living conditions and healthcare services. The aging population decreases the share of people working and can lead to a shortage of resources in addition to the responsibility of caring for the aged.

Areas of Development
Some areas of development that could make an impact on enterprises and their use of technology include:

• Quantum computing—An emerging area of significant interest where much research effort is being expended is quantum computing. When quantum computing becomes technically viable and economically feasible, it will have the potential to completely revolutionize the world of computing. This new approach to computing will not only significantly increase the speed and capacity for problem solving, but also transform how computers work. However, it will pose new risk areas and dangers as well. Will all existing encryption and cryptography become powerless at the hands of this brute compute power?¹⁰ How will this change the technology that is currently used? It is important to stay aware of these new advancements.
• Genetic and life sciences research—Research in the areas of genetics and other life sciences aided by AI are heralding new advancements in healthcare. The benefits of this are better health and longer life expectancy. As mankind delves deeper into this domain, the risk of irresponsible use of some of the discoveries remains, which may impact many sectors and countries.

Role of the IS Auditor

Emergence should be addressed by senior leadership and the BoD. The role of the IS auditor in this area can be limited. The IS auditor needs to evolve from being an examiner, reviewer and verifier to becoming one who advises and guides as an expert. An IS auditor who evolves to this level is then given a seat at the table. An auditor has become a confidante of senior management and a valued adviser can participate in conversations or help develop processes regarding emergence issues for the organization.

Conclusion

The work and life of an IS auditor is exciting because the environment of business and technology in which auditors perform their work is changing dynamically—sometimes gradually but also sometime dramatically.

Recognizing this change is fundamental to the IS auditor’s attitude, and preparing for this change is imperative for survival and success.

Interruptions, disruptions and emergence will continue to pose challenges to organizations, and IS auditors need to do their best to overcome these challenges. The weapon to fight interruptions is knowledge of existing technology, systems, processes and current methods and tools for prevention and mitigation. Disruption can be countered by learning about emerging technology and new innovations and tools. Continuous learning is an IS auditor’s companion in the journey to keep pace with business and technology advances. An IS auditor who combines knowledge and their planning to keep pace with current events and trends with an attitude of being a partner in the organization, will get a seat at the leadership table to guide the organization on emergence issues as well.

Editor’s Note

The concept of emergence can have more than one definition. ISACA^® defines emergence within its Digital Trust Ecosystem Framework (DTEF) as the arising of new business opportunities, new behaviors, new processes and other relevant items as the subsystems between people and processes evolve. As spontaneous new ways of doing things emerge within an organization, they may be regarded as positive or negative. In some cases, emergence creates order out of chaos in unpredictable ways. For more information on emergence and the DTEF, go to www.isaca.org/digital-trust.

Endnotes

¹ World Health Organization (WHO), "Weekly Epidemiological Update on COVID-19," Edition 114, 19 October 2022, https://www.who.int/publications/m/item/weekly-epidemiological-update-on-covid-19---19-october-2022
² Koulopoulos, T.; "Four Megatrends Expected to Change Everything by 2050," Inc., 11 March 2020, https://www.inc.com/thomas-koulopoulos/4-megatrends-from-healthcare-to-changing-demographics-that-are-expected-to-change-everything-by-2050.html
³ Anker, D.; "Forecasting—Prediction Is Very Difficult, Especially If It’s About the Future," 7 October 2017, Crainfield University, https://blogs.cranfield.ac.uk/cbp/forecasting-prediction-is-very-difficult-especially-if-its-about-the-future/#:~:text=Niels%20Bohr%2C%20the%20Nobel%20laureate,model%20out%2Dof%2Dsample
⁴ Schroeder, K.; "After Prediction," https://www.kschroeder.com/weblog/after-prediction#:~:text=Foresight%20is%20not%20about%20predicting,not%20about%20predicting%20the%20future
⁵ United Nations, "What Is Climate Change?" https://www.un.org/en/climatechange/what-is-climate-change
⁶ United Nations, The Sustainable Development Goals Report 2022, USA, 2022, https://unstats.un.org/sdgs/report/2022/The-Sustainable-Development-Goals-Report-2022.pdf
⁷ Tocchini, F.; G. Cafagna; "The ABCs of ESG Reporting: What Are ESG and Sustainability Reports, Why Are They Important, and What do CFOs Need to Know," Wolters Kluwer, 9 March 2022, https://www.wolterskluwer.com/en/expert-insights/the-abcs-of-esg-reporting#:~:text=What%20is%20ESG%20reporting%3F,organizations%20to%20do%20the%20same
⁸ United Nations Population Fund, "Urbanization," https://www.unfpa.org/urbanization
⁹ United Nations Population Fund, "Ageing," https://www.unfpa.org/ageing
¹⁰ Khader, D.; H. Siddiqui; "Making and Breaking Data Security With Quantum Machines," ISACA^® Journal, vol. 4, 2022, www.isaca.org/archives

ANANTHA SAYANA | CISA, CISM, CIA

Has experienced the evolution of IT since its early days in the 1980s. After conducting information systems audits for more than a decade across systems in banking, finance, manufacturing, supply chain and project management in a variety of IT infrastructure landscapes, Sayana moved to a leadership role in core IT. He managed the implementation and maintenance of many solutions, including enterprise resource planning (ERP), web portals and the related IT setups used to build and manage information security in different software and domain environments. He has led digital transformation, including the implementation of new digital technologies such as the Internet of Things, augmented reality, virtual reality, mobile applications, big data analytics, machine learning and artificial intelligence for various solutions in engineering, manufacturing and project management. Four decades of experience have given him tremendous insight into managing, securing and auditing IT systems. Sayana is now retired and is currently involved in mentoring and teaching activities. He has volunteered with ISACA^® for many years, including as a founding coauthor of the IS Audit Basics column in the ISACA^® Journal and as a past Journal article peer reviewer. He was one of the founders of the ISACA Mumbai (India) Chapter and served as its president. He has also been a member of the CISA Test Enhancement Committee. He has spoken at numerous conferences and written many articles. He can be reached at asayana@gmail.com.