Latest Products

Governance and Technology

Friday 13 April 2018


The responsibility of technology and strategic technology risk rests in the domain of governance. Yet less than 10% of board members in Australia and Canada have technology experience.

“That means 90% of the people who are making decisions about future strategies have no real background in technology,” said Patrick McConnell, in a recent conversation with the GRC Professional

McConnell is a visiting fellow at Macquarie University Applied Finance Centre and the author the recent publication, Strategic Technology Risk.

A cursory glance at McConnell’s LinkedIn profile reveals his experience in the information technology and financial services’ space—particularly pertinent, as a sound understanding of both IT and finance is becoming increasingly relevant.

“One of the reasons I keep going on about blockchain is that I think it’s a diversion, a digression, from some of the major technological changes coming down the road,” McConnell said.

For him, understanding the relationship between technology and risk means not lobbing technology issues over the fence to the IT department, but removing the fence all together. And, if we look beyond blockchain, says McConnell, innovation and technology is nothing new, nor does the innovation ever truly stop.

Why is technology important?
“Technology, in particular, affects financial institutions because, fundamentally, financial institutions are all about moving information,” McConnell explained. “They don’t deal in money anymore, and very few of them deal in hard cash.”

Indeed, one of the major driving trends is having smaller and more powerful computers with the ability to communicate with just about anywhere, and that has changed communication between businesses.

“In particular, it has affected banks and their customers. It used to be the customers with whom banks decided to do business, including when they did it, and where they did it. They did it at a branch from 9-to-5 or they did it at an ATM. The financial institutions were determining the rules of the game. But all that has been turned around. Now, the customer determines when they interact with the bank, where they interact with the bank, and how they interact with the bank.”

According to McConnell, the whole value proposition has undergone a major shift. In other words, firms have to react to changes in technology and, ultimately, the change in the power dynamic, which has switched from the firm to the customer.

McConnell’s observations reflect some of the regulatory consultations happening at the moment. Nor, does he believe, are such consultations just an attempt to make the banking sector more competitive by lowering the barriers of entry; it is also about the role the Australian Competition and Consumer Commission (ACCC) has when it comes to ensuring consumers’ rights regarding their own data.


Has there been a regulatory impact?
“Despite the regulatory shifts, I don’t see the regulators playing a big role in the power shift between consumers and banks,” said McConnell.

Regulators did not ‘make’ the royal commission happen. Similarly, when it comes to the frameworks being set up around fintechs, the regulators are just trying to keep a hold of it.
“There are cycles of regulation—from re-regulation, to de-regulation, to re-regulation, and back again. After the GFC, for example, we were in a period of regulation, and after Donald Trump and few other things, we are in a period of deregulation again. And there will be another regulatory wave some point in the future.”

Despite the efforts of ASIC and the work of the Australian Transaction Reports and Analysis Centre (AUSTRAC), however, regulators are not ‘technology people’.

Thus, regulation is more of a secondary factor than a primary one. Like the boards, regulators are also hoping for a magic wand to fix it all.


What will technology look like in the future?
McConnell believes this is not an answer one can really know. “You can’t pick a particular piece of technology and know it’s going to be a winner,” he said.

“Immediately, that means if we are doing anything strategic, we are in world of really high risk.”
At some point, the core systems will need to be changed. And, at that stage, organisations will have to make an enormous investment in technology.

“There used to be a model of technology that said the board develops the strategy and then technologists try to build the systems into that strategy, but of course that is too late now. What has to happen is that the technology has to be embedded into the strategic decisions, which of course begs the question: are boards capable of doing that?”

Thus, we come full circle, since according to the current ‘bottom up’ scenario, it really needs to start with the board.

The reason why strategy and technology need to be considered together, and are integral to the financial system, is because if the technology that a bank is using starts to fail, it has implications for the entire financial system.

“When regulators are looking at firms, one of the first questions they should ask is: how good is your governance?” said McConnell.

What they are not doing, therefore, and what they should be doing, is asking themselves whether they understand the technology and whether they understand cyber risk. 

Boards in Europe, for example, are beginning to understand that this is important, if they want to be compliant with the General Dara Protection Regulation.

“So, it’s not just the banking regulators, it’s the corporate regulators as well,” said McConnell. “They are saying that privacy is no longer an option. Privacy has to be built into everything you do. At some stage, however, we need to turn that around so it comes down to ‘people implications’, organisational implications, technology implications and compliance implications, and so on.”