
Page 1: Enabling trust in the technology revolution · 2020. 9. 1. · 02 Technology risk management defined p.6 01 The technology risk management imperative p.4 03 p.8 Relevancy presents

Enabling trust in the technology revolution

Technology risk management drives business value in the new reality

KPMG Technology Risk Management Services

We build trust.

kpmg.com


Contents

01 The technology risk management imperative (p.4)

02 Technology risk management defined (p.6)

03 Relevancy presents a big opportunity for technology risk management (p.8)

04 How KPMG helps transform technology risk management (p.12)

05 Why KPMG? (p.15)

06 TRM services at a glance (p.16)

07 Client success stories (p.18)


© 2020 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


The technology risk management imperative

In today’s business environment, technology is continuing to move at a rapid pace. Automation drives efficiencies at a massive scale. Cloud computing creates new ways of working and provides increased agility, scalability, and flexibility to collaborate and serve customers. Data insights—unleashed by the growing adoption of artificial intelligence and connected devices—enable organizations to see around corners and develop products and services fit for a future that hasn’t even arrived yet. As a result, not innovating presents a strategic risk across all industries.

The exponentially increasing rate of technology change over the last several years is not a one-time phenomenon or trend; rather, it represents a paradigm shift in how businesses must adapt, evolve, and remain relevant. We have also learned that unprecedented global events, such as the COVID-19 pandemic, continue to influence corporate decisions, drive all industries to reimagine business models, and elevate the importance of a sustainable, scalable, and future-ready technology environment.

As with any transformation, the rapid deployment of new processes and technologies without appropriate risk perspective and standards raises important questions that organizations need to consider.

— What if the technology we rely on becomes obsolete?

— What if our technology service providers can’t keep up?

— What if an entirely new platform replaces large swaths of our current estate?

— What if our customers, or worse, competitors move faster with digital than us?

— What if we don’t have the skills or knowledge to effectively deploy technology?

— What if our technology investments don’t align to core business objectives?

— What if we add technology so fast we fail to keep up with evolving laws and regulations or update our security posture?

In this new reality, dynamic and well-managed technology deployment is a clear competitive advantage, enabling businesses to control key technology risks without stifling innovation. Without a doubt, technology risk management (TRM) is now an organizational imperative.

A comprehensive integrated TRM program addresses the risks driven by enterprise technology solutions, sourcing, and services. Organizations that deploy TRM more as a component of their decision-support system than just for the sake of regulatory compliance mandates are positioned to achieve better operational results, empowered by prudent use of technology.

Strategic, effective, and flexible TRM programs help organizations:

— Use technology to achieve business objectives

— Build stakeholder confidence in technology spend

— Earn customer trust in data protection

— Capitalize on new solutions and emerging technology

— Allocate capital to ensure resources are spent on those areas of highest value

— Enhance the risk, control, and compliance equation.

Trends increasing the importance of TRM

— Explosion of data

— Growing digital complexity

— New regulations and standards

— Emphasis on data protection

— Reliance on connected devices

— Accelerated cloud adoption

— Shift to remote work environments

— Increasing use of collaboration tools

— Evolving cyber threats

According to the 2020 KPMG Global Emerging Technology Survey Report, 59% of technology and business executives say that the pandemic has created an impetus to accelerate their digital transformation initiatives.

According to the KPMG 2018 Tech Risk Management Survey, 50% of technology risk executives say emerging technologies within their industry will spur an explosion of technology risk efforts.

The simple technology risk equation

— Scenario: What could happen?

— Triggers: How could it happen?

— Consequence: Why you don’t want it to happen

— Likelihood: How often?

— Impact: How bad? How fast?


Technology risk management defined

TRM is a risk management discipline focused on identifying, assessing, managing, monitoring, and reporting on operational, financial, and regulatory risks related to the ownership, deployment, and use of technology.

Next-generation TRM programs are emerging. While most organizations already possess the talent and tools to manage technology risk, and are even actively doing so, what’s missing is the strategic organization of key skills and capabilities into a well-managed program.

The TRM program considers the top technology-related risks in an organization, and the various triggers and consequences of those risks, to help organizations understand:

— Risks, vulnerabilities, and threats to the organization

— Data and technology asset value

— Fact basis and actionable insights

— Cost versus benefit of technology and controls

— Control alternatives (technical and manual)

— Priorities for technology-related funding.

The TRM program is enabled by technology, data, and people and serves as a component of larger enterprise risk management (ERM) and operational risk management (ORM) programs. A robust TRM program also provides a comprehensive strategy and roadmap for implementing, operating, and evolving the organization’s TRM capabilities over time.

While most organizations already have the ability to manage technology risk, and are even actively doing so, what’s missing is the strategic organization of key skills, capabilities, and tools into a well-managed program that effectively leverages and extends existing talents.

The view of KPMG is that leading TRM programs expand on legacy compliance-oriented activities to also support businesses in adopting technology in an accelerated yet meaningful manner. Further, leading TRM programs recognize that technology in itself doesn’t introduce new risks, and in fact, technology can be exploited to aid in mitigating information protection, business continuity, and other traditional technology risks.

Top technology risks to manage

— Software development

— Obsolete technology

— Security of systems and data

— Data quality and management

— Regulations and compliance

— People and skills

— Third-party technology and services

— Failed technology strategy

— Emerging technology

— Services and availability

COVID-19 put technology risk management on the front lines

COVID-19 impacts are fundamentally changing countless aspects of business, and technology risk management is no exception. As social distancing forces more people than ever to work remotely, the technology capabilities of businesses are being stretched to the limit, and businesses are increasingly exposed to a variety of existing and emerging technology risks.

During the initial COVID-19 response phase, businesses rapidly accelerated the deployment of remote working and collaboration tools but often without adequate governance and controls. This swift action—and the very nature of remote work, too—is creating additional technology risk for businesses to manage. Risks include:

— Inadequate technology systems and support to enable employees to do their jobs virtually, such as video conferencing, internet connectivity, and bandwidth issues

— Security control deficiencies due to access permission changes and employee noncompliance

— Compromised security monitoring due to unprecedented VPN usage.

As businesses move forward with our new reality, technology risk teams are leveraging initial learnings to optimize and secure technology. They are rolling out new policies, activities, and controls to ensure our way of working is safe, secure, and effective. This includes:

— Developing a centralized process for the deployment of remote working tools

— Enhancing security operations, especially de-risking remote access to sensitive data or environments

— Developing remote working protocols and threat identification and escalation processes for employees

— Applying controls in response to how employees now want to use technology

— Accelerating cloud migration strategies to manage current and future spikes rapidly and cost effectively

— Digitizing technology risk and controls activities

— Implementing new operating models for technology risk.

What’s on the mind of technology and business risk professionals?

According to the 2020 KPMG Global Emerging Technology Survey Report, 57% of technology and business executives say COVID-19 has significantly changed their organization’s strategic priorities for emerging technologies.

Also, more than 80% of the companies are investing or planning to invest in emerging technologies.

KPMG surveyed a group of over 150 risk professionals,* all of whom hold various risk roles at their organizations, and discovered that 74% of technology risk teams are evolving with the COVID-19 situation in at least one way to deliver new impact and value, including:

— Advising the business on the risks of response efforts

— Co-solutioning with the business

— Providing assurance for implementations

— Redeploying resources.

*Source: KPMG Survey of Technology Risk Professionals on COVID-19 (May, 2020)


Relevancy presents a big opportunity for technology risk management

Current technology risk management must evolve.

As industry trends increase the importance of technology risk management to the business, today’s TRM programs must evolve. Similar to the rest of the organization, TRM must keep pace with the business to provide insights and influence the strategic, operational, and administrative nature of technology adoption.

For one, many TRM programs were established and developed to solve a specific regulatory, compliance, or audit challenge. The programs are narrowly focused on compliance and do not consider what the business truly values. People and processes are fragmented into separate compliance initiatives operating independently.

Often the goal is to allocate resources to routine and repetitive tasks, leaving little appetite for investment to improve or be strategic or proactive.

Skills gaps also prevent TRM programs from expanding their scope beyond compliance. Teams are often composed of generalist IT professionals brought on to meet a compliance mandate. Although risk analytics are seen as a key component of effective TRM, many teams lack specialists with the advanced data mining and analytics skills needed to take a data-driven approach to effectively manage risks. Also missing are people with deep knowledge in emerging technologies that will be increasingly relevant to the business, as well as strategic thinkers with the experience, confidence, and relationships to drive a partnership with the business.

Finally, current TRM programs are challenged by outdated processes, technology, and data. Per the 2018 KPMG Technology Risk Management Survey,[1] 50 percent of organizations are using stale IT risk data collected through ad hoc means rather than real-time data from systems of record. Many activities that could be automated are still performed manually. Data sources are unreliable, untapped, or both. Such issues limit the depth, breadth, and relevance of the insights teams deliver to the business.

Maintaining the status quo isn’t an option. Given the rapid acceleration of digital innovation across functions and industries, organizations that don’t change how they approach technology risk management risk falling behind. In the new reality, TRM transformation is required to remain relevant and accelerate technology adoption, gain confidence in critical business decisions, and earn stakeholder, customer, and partner trust.

A new vision for technology risk management

With technology advancing at an accelerated pace and increasingly touching nearly every aspect of the business, TRM programs have a significant opportunity and need to evolve. Change and modernization are required for TRM programs to provide comprehensive technology solutions, address a broader set of strategic and operational risks, add greater business value, and meet stakeholders’ demands for TRM transformation.

So what will the future look like?

Next-generation TRM programs will continue to address compliance but will be more proactive, business relevant, and flexible. We recognize resources are limited in every environment, and an efficient TRM program must identify, contemplate, and action those risks of highest importance and pervasive impact.

This means identifying and deploying the right resources across the right risks by leveraging dynamic risk assessments, data insights, and knowledge sharing across the organization’s lines of responsibility.

TRM professionals will collaborate on important business initiatives from the beginning, sharing critical insights and perspectives on potential risks based on meaningful metrics that are aligned to business objectives. By investing in new skills and tools and reorienting programs to focus beyond compliance, TRM teams earn a seat at the leadership table, where they can support and even drive the organizational strategy forward. And as-a-service delivery models, supported by investments in automation and analytics, will enable programs to work more efficiently, effectively, and strategically.

[1] https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2018/disruption-is-the-new-norm-emerging-teck-risk.pdf


Common TRM challenges (narrowly focused, limited insights, skills gaps)

— Reactive to issues or mandates: Absorbed with responding to a regulatory or audit directive

— Business misalignment: Programs are narrowly focused on compliance

— Generalist IT skills: Lack subject matter knowledge in emerging tech risk

— Caught in the tactical: Budgets exhausted with routine, repetitive tasks

— Risk measurement black hole: Criteria for risk measurement not defined or understood

— Lack of business acumen: Little experience linking TRM to strategic business objectives

— Fragmented or siloed: Multiple initiatives not operating under a common strategy

— Unreliable data sources: Data for risk analysis and correlation not available

— Ineffective use of technology: Activities performed manually or using spreadsheets

— Data analytics novices: Inability to use data to quantify risk and model threat scenarios

The future of TRM (proactive, flexible, business relevant)

— Real-time engagement: TRM teams collaborate on transformation projects and new initiatives

— As-a-service: Operates efficiently using sourcing, offshoring, automation, and analytics

— Strong business case: Business risk assessments drive investments in TRM capabilities

— Cross-organizational alignment: TRM is integrated with other business risk programs

— Agile risk assessment: Balances risk appetite of the business with adoption of new technologies

— Emerging tech skills: Technical proficiency in emerging technologies

— Meaningful metrics: Effective KRIs, not one-off issues, serve as a measure of risk

— Risk intelligence: Leverages data and technology to make risk-informed decisions

— Seat at the table: Leaders seek TRM perspective for knowledge of both technology risk and organizational strategy

Case study: Smarter technology risk decision making

Large foreign bank optimizes its risk reduction

Challenge

For a large foreign banking organization that deals with large, complex transactions, protecting sensitive data and other enterprise and customer assets is paramount to serving its markets and competing in international finance. However, the processes the organization used to gather and aggregate data and calculate enterprise-wide technology risks were disparate and difficult to industrialize.

The organization wanted to reduce the most risk for the least dollars. But technology risk is an uncertain world. Without strong data-driven insights, the organization had only a general understanding of its technology risk exposure and could not determine which risk mitigation investments would deliver the greatest returns.

Action

Leveraging KPMG Technology Risk Intelligence, a robust risk quantification solution, KPMG technology risk professionals helped the organization leverage deeper risk analysis, improve risk decision-making, and optimize risk reduction activities.

One component of the tool ingested historical financial data, publicly reported financial information, and relevant risk and control metrics to quantify the organization’s technology risk exposure. The results were fed into dashboards, helping the organization assess which technology risks posed the greatest financial threats.

Another component simulated the impact of investments in risk and control activities, helping the client address risks more strategically based on expected funding and returns.

Results

Working with the client, the KPMG team piloted the tool on a specific business unit. By aggregating the relevant data, the KPMG team saw that the business unit was already mitigating 55.3% of its technology risk by simply executing its control portfolio and processes for risk reduction. However, that left an additional 44.7% in residual technology risk exposure.

Leveraging the KPMG Tech Risk Intelligence solution, the team identified additional risk and control activities which, if undertaken by the business unit, would reduce the most risk for the least investment. The activities were prioritized through the solution’s optimization engine by simulating over 100,000 risk reduction scenarios and their financially backed risk decisions. The activities would require the business unit to spend approximately $3.98 million in future investment, but would reduce technology risk by approximately $13.62 million, a return on investment of 242%.

Based on these initial results, the organization was able to further develop its risk quantification capability, which will enable it to consistently prioritize and optimize its risk reduction investments and improve future enterprise-wide risk decision making.

A technology risk intelligence pilot for one business unit demonstrated a risk reduction return of 242%.

— Technology risk mitigated by existing controls and processes: 55.3%

— Residual technology risk: 44.7%

— Investment in existing processes and controls: ~$3.98 million

— Technology risk mitigated by investment: ~$13.62 million

— Risk reduction return: 242%

“Engaging the KPMG Technology Risk Intelligence platform and team allowed us to prioritize our investment decisions based on the best risk/return.”

U.S. technology risk leader for a large foreign banking organization

KPMG Tech Risk Intelligence is a risk quantification tool that gives organizations operating in any industry the precise information they need to make informed, defensible technology risk decisions.

Learn more at https://advisory.kpmg.us/articles/2020/tech-risk-intelligence.html


How KPMG helps transform technology risk management

How do you make this future vision a reality in your own organization? Transforming your TRM program is a multistep process that involves building the business case, driving timely capability improvements, and continuing to invest in higher levels of impact and value over time.

KPMG Technology Risk Management professionals help guide successful TRM program transformations. We work shoulder to shoulder with organizations through the entire transformation journey to build, evolve, and operate TRM capabilities to deliver key business objectives.

Making a compelling case for change

Many TRM leaders are stuck between a rock and a hard place. Stakeholders are demanding they evolve to drive greater value and meet expanded mandates. But the budgets to make required changes are mostly fixed, if not reducing year on year. And even where an organization may hold the view that TRM adds value, existing programs are often underfunded to support a remit beyond compliance.

We help TRM leaders build the business case for change by understanding, articulating, and helping deliver four key outcomes that are mission critical for TRM functions. Further, we establish the foundation for timely, effective challenge to promote dynamic and well-managed solutions.

— Validation and credible challenge: The ongoing critical evaluation and assessment of technology risk methodologies, execution components, and outcomes

— Execution components: The collective activities to mobilize TRM methodology to achieve desired risk outcomes

— Risk culture: Collective values, attitude, and understanding and commitment to TRM

— Monitoring and analysis: Activities related to the analysis of technology risk and control information against risk appetite, forecasting, and quality assurance/quality control

— Risk response: Activities related to the organization’s response to the nature, scope, and scale of technology risks (e.g., terminate, treat/remediate, transfer, or tolerate/accept)

— Reporting and insights: Activities related to the production of accurate and insightful technology risk information, including ongoing data quality management

— Strategy and advisory: Activities related to the setting and execution of strategic decisions related to the organization’s primary business objectives and risk and compliance consultation

— Risk appetite: Activities related to establishing an organization’s risk-taking posture, translated into limits and tolerances, and breach protocols specific to technology risk

— Identification and classification: Activities related to the articulation of technology risks and controls and their organization around a common schema to ensure they are incorporated into the entity’s risk framework

— Assessment and measurement: Activities related to point-in-time and continuous assessments of technology risks and controls identified by the organization, including financial buffers for adverse outcomes

— Methodology: Principles, standards, and approaches used in the TRM framework execution components

— Enablers: Elements used to operationalize the execution components. These include data and taxonomies, tools and technology (GRC, automation, modeling, and data repositories), organizational/operational model (governance and organizational design), and people (communication and change).

Finding opportunities for capability enhancement and continuous improvement

Along with helping deliver TRM transformation, we help organizations evolve technology risk services by identifying the most important capability enhancements across all areas of the TRM program.

Our detailed framework for assessing technology risk capabilities is both deep and broad, covering the key drivers of an organization’s program, how services are executed, how credibility is maintained, and the internal enablers used or needed to operate.

Compliance

— Detailed inventory and coverage for technology-related regulatory obligations across regions and regulators

— Sustainable approach for identifying and responding to regulatory changes

— Alignment with regulators and regulatory priorities

— Ability to enable business functions in their compliance initiatives through enhanced TRM capabilities

Effectiveness

— Accurate, timely, and actionable management reporting

— Defined and documented roles, responsibilities, and processes

— Timely closure of identified issues and risk events/breaches (inclusive of regulatory and audit findings)

— Continuous improvement initiatives related to the quality of technology risk management

— Inclusion and consideration of TRM in the development of business strategy

Cost and efficiency

— TRM time and knowledge focused on high-value/high-complexity items

— Automation leveraged for repetitive or manual tasks

— Contain costs through optimal use of technology, shoring, and outsourcing

— Streamlined taxonomies, processes, and standards that detect and reduce duplicative risk management activities

Adaptability and resilience

— Data-driven and proactive technology risk management reporting that aggregates risk events, near misses, and anticipated risks thematically to identify and respond to emerging technology risks

— Clear technology risk appetite and thresholds

— Defined, yet flexible, roles and responsibilities

— Technology risk management embedded across business functions


Why KPMG?

Technology adoption is critical to any organization’s current and future competitiveness, but it also exposes the organization to risk. KPMG can help turn that risk into opportunity and help build stakeholder trust.

Our TRM services team has deep experience supporting organizations in managing technology risk in the most complex, fast-changing, and global business environments.

With 1,500 U.S. and more than 6,000 global practitioners, we deliver TRM services to more than 500 U.S. organizations and to hundreds more with our network of member firms worldwide.

We also help organizations build compliant, effective, efficient, and scalable technology risk services with technology and automation to enable the TRM program.

— More than 500 U.S. and global clients served

— 1,500 U.S. technology risk practitioners

— All major U.S. markets covered

— Deep risk management and technology knowledge

— Specialization in key industry and functional areas

— Advanced technology and automation capabilities

In addition to our technology risk management services, we offer holistic integration with other risk professionals across the KPMG Risk Advisory Solutions network, as well as collaboration with our Consulting and Strategy Advisory professionals, to provide extensive support beyond technology risk management.

Our knowledge and experience set us apart

Our multidisciplinary teams have deep risk management and technology skills, with specialization in key industry and functional areas, including:

— Risk management

— Information technology (IT) and operational technology integration

— IT compliance

— IT audit

— Emerging technologies

— IT management

— Transformation management

— IT program management

— Third-party risk

— Information security

— Business continuity

— Technology resilience.

Maturing and optimizing capabilities

Transforming a TRM capability is a journey that starts with quick wins and matures over time. We advise clients at every stage, providing knowledge, insights, perspectives, and tools to support the continuous improvement and evolution of their TRM program.

Integrate these five stages below and achieve:

— Funding and continuous improvement

— Integration and automation

— Value impact and partnership techniques.

1. Elementary

2. Developing

3. Mature

4. Elevated

5. Connected, Powered, and Trusted

Stage capabilities include:

— Identify a suitable framework to adopt

— Identify and execute quick wins to demonstrate value

— Established governance framework

— Established risk and control taxonomy

— Perform risk and control self-assessments

— Conduct periodic testing of controls

— Management of risks and issues

— Established vision and purpose for the TRM program

— Established risk measurement techniques using metrics and KRIs

— Established threshold triggers

— Perform trend analysis

— Integration of TRM with operational and enterprise risk frameworks

— Automated controls and monitoring

— Leverage data for analytics

— Utilizing risk intelligence solutions to quantify technology risk for management decision-making

— TRM closely integrated with strategic decision-making

— Accelerated and risk-based adoption of emerging technology trends to enable business


TRM services at a glance

Technology risk strategy and governance

Aligning TRM to business goals

— TRM capability assessment

— Target operating model and roadmap for transformation

— IT policy, standards, and framework adoption

— IT risk training and awareness

Risk-based IT audit

Flexibly staffing and scaling leading IT audit plans

— IT internal audit plan development

— IT internal audit outsourcing and cosourcing

— IT process, program, and technology audits

— Real-time technology transformation assurance

Technology risk assessment

Bringing a proactive view of risk and solutions that fit

— IT project or program risk management

— New or emerging technology platform assessment

— Compliance risk assessments

— Data or asset criticality assessment

— IT risk and control assessments and due diligence in M&A and pre-IPO

Technology risk intelligence and automation

Perspectives on technology risk exposure and measurement and reporting capabilities

— KRI design, build, and analytics

— Technology risk reporting and dashboards

— Technology risk quantification

— Control automation

— Continuous monitoring and risk assessment

IT risk and controls

Reducing transaction risk

— IT control program implementations

— IT controls optimization

— Self-assessment and controls testing

— SOX IT management services

— Audit response, issue management, and remediation


Client success stories

Energizing risk management for a digital transformation program

Beneficiaries:

— Chief Audit Executive

— Chief Financial Officer

— Chief Transformation Officer

Client challenge: A Fortune 500 food & energy organization invested $250 million in an enterprise digital transformation program. They wanted to manage the program risk proactively throughout the lifecycle of the program to ensure that the transformation would deliver promised business value and was within the organization’s risk appetite.

KPMG response: KPMG designed a transformation assurance plan, which included independent measurements of program health and regular updates on potential risks.

Impact: The transformation assurance plan enabled the client to take action to remediate issues that were preventing the program from achieving desired outcomes.

Beyond compliance: Driving TRM value through automation

Beneficiaries:

— Chief Information Officer

— Director, IT Compliance

Client challenge: The IT compliance team of a Fortune 100 power & utilities company wanted to expand its TRM program beyond SOX compliance, but its budget was constrained.

KPMG response: KPMG helped build and implement automation programs to replace manual TRM activities.

Impact: Automating certain TRM processes resulted in $1.5 million in savings over a 3-year period, enabling the IT compliance team to reallocate budget to expand its advisory coverage to emerging technology and digital transformation projects.

Real-time control governance program to remediate SOX material weakness

Beneficiaries:

— Chief Information Officer

— Head of IT Governance

Client challenge: A government-sponsored financial institution wanted to strengthen the IT control environment in order to remediate a SOX material weakness and build a sustainable IT SOX control environment founded on financial reporting risks.

KPMG response: KPMG redesigned the IT SOX controls, socialized the controls with various stakeholders (external auditors, regulators, internal audit, SOX committee, operational risk), and provided guidance and oversight during implementation. Further, KPMG designed an ongoing and real-time control governance and monitoring program to provide insights into control effectiveness and helped address any deficiencies or inconsistencies.

Impact: The modified control catalogue enabled the client to effectively articulate the impact of deficiencies on financial reporting. Further, the ongoing oversight and governance program provided real-time data on control health and enabled the client to implement corrective actions in a timely manner.

Transforming technology risk management with quantification

Beneficiaries:

— Head of Technology Risk Management

Client challenge: A global financial services organization wanted to enhance and integrate risk quantification in its existing risk management processes.

KPMG response: KPMG created the methodology to allow the FAIR methodology to scale across the enterprise and integrate into first line of defense risk operations. This included integration of the methodology with second line of defense requirements; identification of risk and security systems to integrate into the risk quantification platform; and the development of an approach to consolidate assessments in order to calculate design and operating effectiveness. Furthermore, we helped formulate a method to align individual technology policy exceptions with overall risk posture; design dashboard and reporting visualizations; and create a roadmap and project plans for risk quantification enhancements.

Impact: The client benefited from the following outcomes: a proactive approach to risk management with regulators; revised risk management policies and standards to enable quantification; and business and technology buy-in based on the benefits of quantification.

Designing the engine of a modernized risk and compliance program

Beneficiaries:

— Chief Information Officer

— Chief Information Security Officer

— Chief Technology Officer

— Director, IT Risk Management

Client challenge: An automotive manufacturer was seeking an uplift of its information technology risk and compliance program.

KPMG response: KPMG facilitated stakeholder risk alignment workshops and process review sessions to provide several risk and compliance improvements. This included the development of a future state roadmap for governance, domain, and process structure; a champions network and a risk committee formation; framework components and enablers; a maturity assessment; a common control set for applications and infrastructure; and a risk prioritization rating system.

Impact: The workshops helped kick-start a modern risk and compliance program by providing the initial building blocks and a three-year roadmap. Overall, the risk and compliance function improved its basic understanding of risk, alignment with the enterprise risk function, and communication and reporting of technology risk throughout the organization.


Cynthia Izzo
Service Line Leader, Technology Risk Management, KPMG LLP
T: 617-988-5613
E: [email protected]

Nicole Lauer
Principal, Advisory, Technology Risk Management, KPMG LLP
T: 410-949-8949
E: [email protected]

Joshua Galvan
Principal, Advisory, Technology Risk Management, KPMG LLP
T: 713-319-2082
E: [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.


The KPMG name and logo are registered trademarks or trademarks of KPMG International

Designed by CREATE | CRT128850 | August 2020

Connect with us

Learn more about how KPMG can help you transform your organization’s technology risk management program.

read.kpmg.us/TRM

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.