3.4 Risks, Quality, Compliance and Ethics


Business technology management is about constantly balancing the opportunities brought by technological innovations and dealing with the possible risks when deploying them. When selecting new technology to be deployed, the choice can prove to be either successful or unsuccessful. Building organisation-specific solutions can equally turn out to be a bad investment instead of bringing further business benefits. In the run phase, the risks can concern solutions that are heavily used by the business but have severe security and maintenance issues. The level and amount of risks the company is willing to accept is ultimately a decision that needs to be made by the business management.

Organisations have many alternatives for dealing with risks. They can mitigate a risk by taking actions that make its probability and impact smaller, therefore lowering the overall residual risk to an acceptable level. They can also decide not to take the risk, accept the risk and live with it, or even transfer the risk somewhere else. Another good practice is to calculate the cost of a risk and use the calculation as a basis either to reduce an investment’s priority or to boost the implementation of an enhancement.

Business technology risks can be divided into three categories: quality, business continuity and compliance risks.

Figure 3.4.1 Business technology risks


Quality risks

  • Non-vital technology usage: The organisation is dependent on technology that is no longer succeeding in the market and is in decline. The risk is that an organisation falls behind the competitors in development and functionality. The Business Technology Management Officer (BTMO) and Chief Enterprise Architect have the risk governance accountability.
  • Bad implementation: The organisation fails to implement the technology into the business efficiently; the implementation runs heavily over budget and leaves the business in a difficult situation, living between old and new. The Business Technology Portfolio Officer (BTPO) has the risk governance accountability.
  • Errors in technology: The technology, typically the software, has errors resulting in unwanted behaviour and/or incorrect data. Errors in technology are costly to detect and correct, but more importantly, they may risk the organisation’s reputation. Service owners have the risk governance accountability.


Business continuity risks

  • Security threat: The organisation’s personnel, network, data, systems and devices are vulnerable to security threats that may damage or even destroy some valuable assets. It should be noted that approximately 80% of all security threats can be avoided with employees’ correct actions and only 20% with technology. The Chief Information Security Officer (CISO) has the risk governance accountability.
  • Operational failure: Includes major issues in technology operations that may cause business downtime which in turn can cause a negative impact on costs, revenue and reputation. The Business Technology Operational Officer (BTOO) has the risk governance accountability.
  • Unsupported technology: Technology which is no longer supported and therefore more likely to have major issues. Usually the recovery of unsupported technology takes more time than with supported technology. The Business Technology Management Officer (BTMO) has the risk governance accountability.


Compliance risks

  • Legal non-compliance: If the organisation is not compliant with legal and regulatory rules, it takes a major risk of a legal case or costly sanctions. The Sourcing Lead has the risk governance accountability.
  • Commercial non-compliance: The organisation must have a licence to use third-party technology. If it does not, the organisation is in a commercial non-compliance situation, which might have costly effects. The Service Owners and Sourcing Lead have the risk governance accountability.

Risk management is a widespread responsibility, and the Business Technology Governance Officer (BTGO) should have an overarching accountability to organise adequate risk management control points.



Quality can be considered as an attempt to minimise waste. Anything exceeding the minimum required time, material, effort or a certain level of cost is basically waste that could be eliminated. Using key suppliers, empowering staff, having extra capacity and being patient, flexible and comprehensive are a good start for eliminating the waste.

Quality problems usually stem from systemic faults, not from people or tools. Quality management implies good communication between the stakeholder and the provider, resulting in the delivery of a solution that meets the stakeholder’s expectations. A common way to ensure that the provided services meet the quality standard is to use sanctions in case of deviation. However, positive reinforcement, such as rewarding positive accomplishments, has been proven to work even better.

For information systems and data processing, it is advisable to state and control the principles of business practices, systems and data processing integrity, and information protection. Business practice principles describe how products and services are delivered, and how to respond to claims and complaints. System and data processing integrity principles describe the controls guaranteeing the correct completion and invoicing of orders. Information and data protection principles describe controls to ensure that information and data are available only to the intended users and for the intended use, and are disposed of securely when no longer relevant.

Products and services rely on supplier chains whose agreements, processes and systems require recurring review. Formal change control is necessary to understand the impact of changes and avoid waste in the implementation. It records who makes the changes, what changes, when, why, and how and where the changes take effect, and in that way guides the design and implementation of resources in the most optimal way.

As quality is about waste minimisation, it is also about assessing effectiveness. In systems engineering, effectiveness is assessed at each phase, from discovering the needs to implementing the system. It should not be a gate at the end of the line but present at each phase and in everyone’s job description.



Compliance refers not only to conformity in fulfilling official requirements, such as being compliant with laws and regulations, but also to operations and processes to comply with policies, agreements and licence terms.

Regulatory compliance refers to the act of being compliant with a binding ruleset issued by a public or private authority which also supervises the set rules and can apply sanctions in response to rule violations.

The rules and sanctions can vary a lot by country, location and industry. For example, there are different regulations for the financial, healthcare and manufacturing industry sectors, and regulatory structures in one country may be similar to those in another country but with different nuances.

As the guidelines can change from year to year, compliance governance should be an ongoing process. Larger enterprises usually have their own compliance structures built into their company structure. Small and mid-size organisations should also establish corporate compliance programmes to help govern policies and compliance, and to make sure that the company and its employees follow the laws, regulations, standards and ethical practices that apply to the organisation.

Commercial compliance is mainly related to licences and is typically carried out by:

  • Licence compliance and management, which is an iterative process of maintaining processes and policies that make the assets controllable and manageable
  • Clearly defined roles and responsibilities that outline who can authorise the purchase, how the licensing arrangements are agreed, who carries out the implementation and how these processes are communicated to the employees or users. If procurement is not centralised and businesses acquire services or solutions independently, there is always a higher risk of being non-compliant
  • Well-maintained documentation in order to efficiently maintain and optimise licences and acquire information such as: business needs, purchased items, valid entitlements, solutions, services or software in use, lifecycle data, usage policies, etc.




Ethics in business has become a popular discussion topic lately, especially because artificial intelligence (AI) and machine learning are quickly becoming an integral part of many innovative solutions. The debate concerns transparency, accountability and fairness, and how they are calculated and coded in the software and who eventually makes decisions on how the algorithms operate, considering basic human values.

Responsible development of technology solutions and services requires clear processes and a formal code of ethics, from design to operation of the services. In practice, the required transparency and better accountability of automated tools can be addressed by considering at least the following:

  • Establishing ethical guidelines, including the principles and ways of handling ethical questions related to the development of services
  • Establishing a role that oversees that the ethical questions are raised and taken care of
  • Proactively raising awareness and concerns related to ethical questions, across all businesses and organisations
  • Training stakeholders such as software developers or managers to consider the ethical stance of their respective organisation
  • Identifying possible harm or damage that could be caused by technology innovation and how to remediate its consequences

Products, solutions, and services contain countless lines of code which make algorithm-based decisions difficult to trace back. Clear and transparent processes with shared ethical stances promote responsible development of services and help to reduce the risk of violating human rights or legislation.