Tech Risk is Everyone’s Business

Thursday 18 January 2018

Derek Payne is the Governance, Risk and Compliance Officer for the Independent Education Union and member of the GRCI IT Compliance Risks Networking and Discussion Group. Last week, he took time to answer a few questions on technology risks and opportunities.

Payne will be presenting at the 2nd Annual Emerging Professionals Event next month, and will elaborate further on some of the key elements of technology risks and opportunities and the best ways to handle them.


Tell me a little about your career path
I graduated in the 1990s with a degree in Accounting & Finance and in Information Systems & Management Control.

Working as an accountant in commerce was an opportunity to gain experience in a number of industry sectors—including performing arts, financial services, corrections and mining development. These industries helped expose me to company compliance, secretarial and entrepreneurial acquisitions and mergers.
I am now a specialist adviser to the audit committee of a superannuation fund, and a GRC Officer for a medium-sized member-based organisation. This organisation has never had a GRC role, and the position remains somewhat unusual for a business of this size.


Why is looking at technology risks and opportunities important?

Technology risks and opportunities were important before GRC was ever thought of. Imagine, for example, what it must have been like during the industrial revolution. Today, of course, technology is embedded in every business and expanding at a rate with which none of us can keep up. In addition to being a power for good, however, it also provides opportunities for the bad guys, many of whom spend all day, every day, trying to steal from anyone they can.
Yet this speed of change also provides businesses with opportunities, and risk managers need to keep up and help drive their company’s plans. This is not always easy and internal resistance is common.

Alongside the rest of the IT Compliance Risks Networking and Discussion Group, you worked to develop the Technology Risks whitepaper. While collating the paper, did any new risks or opportunities jump out that you had not considered previously?

Working with other GRCI professionals to compile the GRC Institute’s Technology Risks whitepaper has been a very valuable experience. It has been insightful to see on paper the sheer breadth of matters we need to consider and the difficulty in keeping up with new events. It has helped to validate some of my own thought processes, but also it has exposed me to other ways of considering a matter.
The most inspiring outcome for me was the challenge to my own thinking about cloud, or data centre storage, versus the ‘keep it in-house’ argument. This is a debate that will go on for some time I think, but there is no right or wrong answer. Organisations will need to evaluate their own circumstances and proceed from there.


Do you think technology risks and opportunities are generally understood or misunderstood?

Technology risks are not necessarily misunderstood, but the scope is so broad that some risks can easily be overlooked, inaccurately assessed or simply not recognised. There is a trap in accepting that one group, such as IT professionals, knows best. Technical expertise needs to be considered alongside business considerations, human resource risk, and customer or marketing imperatives. No one discipline has all the answers, and a broad view needs to be canvassed. This comes back to the notion that risk is everyone’s business.

Any advice for emerging GRC professionals tackling the technology space?

When I think about how I approached risk management for the first time, I was fortunate to be sponsored by the Board and CEO. This support enabled me to engage with staff directly and to work on developing that culture of “risk is the responsibility of us all”. The organisational culture was sympathetic to these ideas, so my job was so much easier.
The degree of difficulty will vary for everyone, but my advice for risk managers is to do two things: firstly, to consider carefully what you might say and do, and to think critically; then, to stick to your beliefs and ideas to push through your recommendations. You will find you are right much more often than you are wrong, and that gives support to risk managers everywhere.

Speaker Biography

Derek Payne, Governance, Risk and Compliance Officer, Independent Education Union