Former US President John F. Kennedy once said, “There are risks and costs to action, but they are far less than the long-range risks and costs of comfortable inaction.” He was speaking about ways to decrease antagonism among nuclear powers, but I think there’s a lesson in what he said for those of us in the business world as well. Specifically, sometimes things arise that seem risky in the short term; we’re nervous about doing them because of potential short-term risks or disruption to the organization. But when these potential downsides are weighed against the status quo (i.e., the “comfortable inaction” Kennedy was talking about), taking the short-term risk might very well be the more optimal path when viewed over a longer horizon.
This can be seen very acutely when it comes to adoption of new technologies. New technologies have the potential to be transformative to the organization—in both positive and negative ways. Positive benefits vary depending on the technology, but possible negative impacts could be disruption to business operations, potential erosion of the value of existing technology investments (for example, adopting a new technology would decrease the value of what we have in place now), and potential new technical risks as “kinks” are ironed out of the technology and organizations figure out how to safeguard usage of it.
Despite all this, pulling the trigger and adopting a new technology is often still the optimal path. Consider two hypothetical organizations competing in the same niche market. One organization implements a change that enables it to produce goods faster at lower cost; the other decides that it cannot or will not implement that same change because the short-term risks are too high. What are the logical consequences should the first organization adopt successfully?
Clearly, the organization that realized potential benefits becomes more competitive: it can satisfy more of the market, has the option to reduce price given the lower overhead, and can potentially focus attention and resources on other areas. In short, it has an edge. Even if the change carries with it some degree of potential risk initially, the potential upside trivializes the short-term downside risks by comparison.
The point I’m making here is that looking solely at the technical risks associated with a particular change misses a huge part of the equation. In evaluating the holistic risk to our organizations and making recommendations, we absolutely need to consider risks that may be introduced through adoption of new technologies, but we need to consider the risks of inaction as well. Nowhere is this more true than when it comes to Big Data analytics.
Big Data analytics is the use of advanced analytics techniques to operate on large sets of business data. This could be data derived from existing business processes and tools, data that exist independently of the organization such as social media, or new sources of data entirely. For many in the ISACA community, we know this can present risks. We know, for example, that there are privacy and security risks that can occur as a result of the adoption of big data analytics; in fact, ISACA has published quite a bit of guidance on exactly these issues. However, to evaluate risk holistically, we need to weigh these risks against the risks to the business should we choose not to adopt and adapt. Do the business gains outweigh the technical and other risks? Do the risks to competitiveness eclipse in the long term the short-term additional risk we take on? Good questions.
To help organizations answer them, ISACA evaluated Big Data Analytics—along with a number of other business trends—using anew methodology that attempts to objectively score risk and value impacts of business trends. The goal: find a reproducible and systematic way to find out what “megatrends” have the highest value potential in light of possible technical and other risks. Much like measurements such as “signal-to-noise ratio” or “earnings-per-share” provide an objective unit of measurement that organizations can use to inform data-driven decision-making, the goal here was to find a way that organizations can systematically assess and analyze these tough questions.
Of all the trends we investigated, Big Data analytics scored the highest in terms of business value created relative to potential negative risk impact.
Now, obviously every organization is different, so your particular organization may have unique factors that impact either the risk or the value side of that equation. You’ll certainly want to examine that data point through the lens of your particular organization’s needs, circumstances and business context. That said, given that it could be so impactful, it’s almost certainly a good idea to—at a minimum—ensure that strategic discussions are taking place about the role that Big Data analytics has in your organization.
There are some key questions you should be asking about how you might use this to forward your business goals and how your competitors might be using it to gain a competitive edge. We’ve tried to distill down the most critical questions that you might want to ask in our report covering the findings from our analysis, with the hope being to provide one potential framework around which those conversations can be built and those questions can be asked.
Director, Emerging Business and Technology, ISACA
[ISACA Now Blog]