Business technology management is about constantly balancing the opportunities brought by technological innovations and dealing with the possible risks when deploying them. When selecting new technology to be deployed, the choice can prove to be either successful or unsuccessful. Building organisation-specific solutions can equally turn out to be a bad investment instead of bringing further business benefits. In the run phase, the risks can concern solutions that are heavily used by the business but have severe security and maintenance issues. The level and amount of risks the company is willing to accept is ultimately a decision that needs to be made by the business management.
Organisations have many alternatives to deal with risks. They can mitigate the risk by taking actions that make risk probability and impact smaller, therefore lowering the overall residual risk to an acceptable level. They can also decide not to take the risk, accept to live with the risk or even transfer the risk somewhere else. Another good practice is to calculate the costs of a risk and use the calculation as basis to either reduce an investment’s priority or boost the implementation of an enhancement.
Business technology risks can be divided into three categories: quality, business continuity and compliance risks.
Figure 3.4.1 Business technology risks
Business continuity risks
Risk management is a wide-spread responsibility, and the Business Technology Governance Officer (BTGO) should have an overarching accountability to organise adequate risk management control points.
Quality can be considered as an attempt to minimise waste. Anything exceeding the minimum amount of time, required material and effort or certain level of costs is basically waste that could be eliminated. Using key suppliers, empowering staff, having extra capacity and being patient, flexible and comprehensive is a good start for eliminating the waste.
Quality problems usually stem from systemic faults, not from people or tools. Quality management implies good communication between the stakeholder and the provider, resulting in delivering the solution that meets the stakeholder’s expectation. A common way to ensure that the provided services are meeting the quality standard is to use sanctions in case of deviation. However, positive reinforcement, such as rewarding positive accomplishments have been proven to work even better.
For information systems and data processing, it is advisable to state and control the principles of business practices, systems and data processing integrity and protection. Business practice principles describe how products and services are delivered, and how to respond to claims and complaints. System and data processing integrity principles describe the controls guaranteeing the correct completion and invoicing of orders. Information and data protection principles describe controls to ensure that the information and data is available for the intended users and use only and disposed securely when no longer relevant.
Products and services consist of supplier chains that require recurring reviews as agreements, processes and systems. Formal change control is necessary to understand the impact and avoid waste in the implementation. It tells who makes the changes, what changes, when, why, and how and where the changes effect and in that way, guides the design and implementation of resources in the most optimal way.
As quality is about waste minimisation, it is about assessing effectiveness. In systems engineering, effectiveness is assessed at each phase, from discovering the needs to implementing the system. It should not be a gate at the end of the line but present at each phase and on everyone’s job description.
Compliance refers not only to conformity in fulfilling official requirements, such as being compliant with laws and regulations, but also to operations and processes to comply with policies, agreements and licence terms.
Regulatory compliance refers to the act of being compliant with a binding ruleset issued by a public or private authority which also supervises the set rules and can apply sanctions in response to rule violations.
The rules and sanctions can vary a lot by country, location and industry. For example, there are different regulations for financial, healthcare and manufacturing industry sectors and regulatory structures in one country may be similar but with different nuances in another country.
As the guidelines can change from year to year, the compliance governance should be an ongoing process. Larger enterprises usually have their own compliance structures built in their company structure. Small and mid-size organisations should also establish corporate compliance programmes to help to govern policies and compliance and to make sure that the company and its employees follow the laws, regulations, standards, and ethical practices that apply to the organisation.
Commercial compliance is mainly related to licences and is typically carried out by:
Ethics in business has become a popular discussion topic lately, especially because artificial intelligence (AI) and machine learning are quickly becoming an integral part of many innovative solutions. The debate concerns transparency, accountability and fairness, and how they are calculated and coded in the software and who eventually makes decisions on how the algorithms operate, considering basic human values.
Responsible development of technology solutions and services requires clear processes and a formal code of ethics from design to operating the services. In practice, the required transparency and better accountability of automated tools can be addressed considering at least the following:
Products, solutions and services contain countless lines of code which make algorithm-based decisions difficult to trace back. Clear and transparent processes with shared ethical stands promote responsible development of services and help to reduce the risk of violating human rights or legislation.