Technology risk radar

Recommendations

Info

21 Healthcare and pharmaceuticals (cont’d) What should pharmaceutical companies be doing to keep this data private and secure? The starting point is to understand what personal data is being collected. Then they have to understand data flows in transmission, such as from devices to databases. Next is how the data is being protected. This includes looking at regulations, such as the new EU rules on the protection and use of data from medical and monitoring devices. Meanwhile the health sector faces a legacy system problem. Most trusts have aging infrastructure, are using systems which are no longer supported, or have had consultants develop their own systems to work around the lack of appropriate systems in place. The health service is trying to replace its clunky old systems and remove stand-alone systems which have been added on by frustrated clinicians, moving towards more agile comprehensive digital systems which can better fit the needs of patients and staff. Such a major transformation must be business-led to succeed. It has to be more than replacing a part-manual, partcomputerised series of processes with a digital one – it needs to focus on how to make all processes better. New systems must keep the cultural impact and cultural change at the forefront. Only this way, once the system is fully implemented and people are comfortable and happy using it, can the health organisation reap the full benefits of the transformation. Another big issue within health is information sharing. The sector is looking at ways of joining organisations to come up with new care pathways, offering a holistic view of healthcare rather than a solid approach. This means sharing more information. Organisations need to understand how to do this while meeting legislation and regulations. Questions to ask include: “are we clear to patients about what information they are sharing, giving fair notice, disclosing what the information will be used for and getting the appropriate consents?” Robust risk management practices are vital. Boards need to make sure that there are processes in place to identify risks, to prioritise them, and to set their organisation’s risk appetite. Some mature organisations recognise the lasting damage done by IT failures and have strong governance in place over new programmes and projects. But we believe this approach needs to be more wide-spread than it currently is. The health sector only has so much money to invest. It rightly prioritises patient care. But organisations must consider the dangers of not investing in new technology or in appropriate risk management. Technology teams working in the sector might be unused to making a business case for changes. But only by having a robust case to justify new investment can they show boards why investment is needed – and what the real cost of not investing could be. “Questions to ask include: ‘are we clear to patients about what information they are sharing, giving fair notice, disclosing what the information will be used for and getting the appropriate consents?” © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.
22 Energy and natural resources Nathan Cain Joshua Galvan 1 2 3 4 Poor risk management alignment across organisation and process Dependence on inflexible and under supported legacy systems Poor cyber security, cyber-crime and unauthorised access Non-compliance with regulation and legislation, e.g. privacy 7 4 1 2 5 6 However distinct the components of the energy and natural resources sector, with their very different processes and customers, we see them sharing various prevailing technology risks today. Consider first the risk of data loss and theft, particularly with respect to a company’s most valuable assets. For oil and gas companies, this translates to engineering specifications, reserves and reservoir data, and technical solutions and processes for extraction, manufacturing and distribution. For utilities this includes customer data, with all the privacy and reputational implications this brings. 5 6 7 8 9 Lack of IT strategy and lack of board representation Inadequate data quality and lack of capability to leverage data to manage risk Inability to deploy and exploit emerging technology Failure to deliver programmes and to build in control, resilience and security Reliance on, and poor security and control in, vendors/third parties HIGHEST RISK 11 3 9 10 9 8 7 6 5 4 3 2 1 8 10 12 LOWEST RISK ENR businesses can be incredibly complex and so another risk is that of shadow IT – solutions implemented, configured and managed by a non-IT competency in a business unit. Shadow IT introduces various risks such as security, integrity, software licensing obligations and unnecessary IT systems landscape and operations complexity. The aging computer platforms so common in the industry introduce risk in the platforms themselves and more often in their replacement. Too often the associated large projects aren’t well managed and the full remit of business and technology requirements are not properly understood. We have seen many problems with related system implementations causing significant operational and customer-facing issues. 10 11 12 Ineffective service management and delivery Ineffective IT asset management Inadequate resilience and disaster recovery capability The root causes are several and interlinked. To start, many companies in the sector have an increasingly complex footprint. International oil and gas companies, for example, can have more than 10,000 applications in production. Companies find it increasingly difficult to manage this footprint with sufficiently high standards that provide the needed continuity of performance, security and availability. © 2016 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.
Page 1 and 2: Technology risk radar Third edition
Page 3 and 4: 2 Introduction What are the current
Page 5 and 6: 4 What happened? IT infrastructure
Page 7 and 8: 6 What were the causes? We found th
Page 9 and 10: 8 Sectors at a glance TOP 10 RISKS
Page 11 and 12: 10 Banking Michael Elysee David DiC
Page 13 and 14: 12 Insurance Jill Farrington Jon Do
Page 15 and 16: 14 Investment management and funds
Page 17 and 18: 16 Consumer markets and retail Andr
Page 19 and 20: 18 Technology, media & telecoms Ann
Page 21: 20 Healthcare and pharmaceuticals J
Page 25 and 26: 24 Industrial manufacturing Marceli
Page 27 and 28: 26 Central government Andy North Ge
Page 29 and 30: 28 Education Richard Archer Hannah
Page 31 and 32: 30 Our Data Analytics Methodology
Page 33 and 34: 32 Contact us © 2016 KPMG LLP, a U
Page 35: 34 kpmg.com/uk The information cont

Technology risk radar

Create successful ePaper yourself

Delete template?

Save as template?