Governance Key to Taming Evolving Risk Landscape

Author: Megan Hall, Chief Information and Infrastructure Officer, CPA, CISA, CIA
Date Published: 18 June 2024
Read Time: 4 minutes

It is rare to scan through today’s headlines and not find mention of artificial intelligence or an array of other cybersecurity threats affecting organizations of all types and sizes. With all this buzz and an ever-evolving landscape of risks, you might be wondering how you can add value and insight to your organization or audit client. The “Navigating the Evolving Risk Landscape” workshop at the 2024 GRC Conference in Austin, Texas, is going to arm attendees with knowledge and tools needed to address these complex risks. But I thought I’d give you a sneak peek here to get you started.

With rapidly changing risks, it can be challenging to stay educated, to effectively identify exposures and to design new or modified controls. However, while the technologies are new and evolving, the fundamental approach toward governance, risk management and controls is the same. Whether you are an IT, information security or audit professional, you’ve already got a solid baseline skillset that can serve as a starting point. Skills in critical thinking, problem-solving, process mapping and research are invaluable and should be used as you explore these technologies and how they impact your organizations.

When it comes to evolving technologies and their associated risks, governance is key. I see a lot of parallels between today’s landscape of artificial intelligence and complex multicloud environments, and the rapid adoption of cloud computing in the decade after the launch of Amazon Web Services’ first mass-market cloud product in 2006. It is critical for organizations to evaluate the potential current and future use of these technologies, even if they are not yet fully understood. This includes building strategies, defining risk tolerances and developing acceptable use policies.

It should continue with education and awareness initiatives throughout all levels of an organization. Starting with a governance framework for oversight allows for a more proactive approach to evaluating new technologies, accepting appropriate risks and adopting suitable controls. We should be advocates for this approach, as it can add a lot of value to our organizations and minimize the likelihood of significant missteps along the way. It also means we as IT, information security and audit professionals can have a seat at the table as these considerations are made.

Complex technologies such as artificial intelligence and multicloud environments remind us of the need to fully leverage the three lines in our organizations. By taking a collaborative approach that builds on the defined roles and responsibilities of each line and the unique skillsets of frontline risk owners and risk management specialists, it is more likely that we can provide a robust framework of assurance. This assurance can cover a variety of risks including data privacy and information security while being efficient with resources. Collaboration is key – we all have limited resources to operate with and working together promotes maximum efficiency and effectiveness, and minimizes unnecessary duplication of effort.

Evolving technologies also highlight the need for strong third-party risk management processes. Most organizations are faced with a substantial amount of risk exposure through third-party relationships. In addition to the fundamentals of effective third-party risk management, promoting strong governance and the use of the three lines specific to new and evolving technologies such as artificial intelligence and multicloud environments can help to set a framework to more effectively identify, evaluate and monitor potential vendors to be used for these technologies. Absent an effective framework, there may be a disconnect between the organization’s strategies and objectives, and the capabilities or appropriateness of a third party.

A final thought is to encourage you to be aware of authoritative guidance that is being published around evolving technologies such as artificial intelligence. Resources such as the draft NIST AI Risk Management Framework, the European Union’s European AI Strategy and Japan’s AI Guidelines for Businesses are all examples of guidance that has been issued and will continue to be developed. Groups such as ISACA and the IIA have published toolkits and frameworks that build off this guidance and provide leading practices for individuals and organizations to consider. You do not have to be overwhelmed by the headlines – being equipped with foundational knowledge in governance, risk management and controls, and staying apprised of published guidance, will go a long way in helping you to build your knowledge and add value to your organization.

Editor’s note: Find out more about this workshop and other 2024 GRC conference programming here.