Person looking at laptop while holding their cellphone.

Risk Trends in 2024 and Beyond: IT/OT Governance

Risk Trends in 2024 and Beyond: IT/OT Governance

Synopsis
4 Minute Read

Limited resources and budgets make it challenging for organizations to invest in information and operational technology upgrades and transformation initiatives. However, continuing to use legacy systems beyond their useful lifespan can lead to risks and inefficiencies.

The challenge is how to prioritize technology investments and drive the greatest value — and how to reach those decisions before they start being made in an uncoordinated fashion within operational silos.

Leaders must set a tone from the top that breeds confidence that the right updates will occur at the right time and have the appropriate processes in place to ensure the chosen upgrades will be the best fit for the organization.

Read more
Drew Buhr, CISSP, CISA, ISO 27001 LA
Partner
Hash Qureshi
Partner
Insight
Confidence Whitepaper Manufacturing Energy Public Sector Real Estate and Construction Enterprise Risk Internal Audits and Controls Cyber Security Technology Risk Energy and Utilities Services

This insight is one of 15 risks in our 2024 Risk Trends Report. Navigate back to the main page for the full list of risk trends that you should be monitoring for in the year ahead.

Are you optimizing value from limited resources and budgets?

Organizations have limited budgets to invest in information (IT) and operational (OT) technology, physical infrastructure, and security. Executives may be tempted to answer this challenge by foregoing necessary upgrades and transformation initiatives. But just as there are costs to innovation, there are risks to allowing legacy systems to continue beyond their useful lifespan.

The question isn’t whether to resist or embrace digital transformation; rather, it’s deciding which initiatives to prioritize right now and how to get the best return on the technology investment. Inefficient systems and processes are a drain on morale and productivity. Restricting innovation and transformation will only lead to individual departments making unilateral technology decisions without considering the impact beyond their operational silos.

Arriving at the best answer as to which technology investments should be prioritized and drive the greatest value requires proper governance — with input across the organization, including IT, finance, operations, internal audit (or risk officer), and other relevant stakeholders. Conversations need to consider the current business challenges, the effectiveness of existing systems, and any threats (existing or emerging) to security and privacy. Leaders must also have a strong grasp of the innovation pipeline and the areas where disruption and business interruption are most likely.

All infrastructure will eventually come to the end of its useful life. Every replacement option will eventually include some cloud solution and, eventually, AI-enabled upgrades. Recognizing this, leaders need to set a tone from the top that breeds confidence that the right updates will occur at the right time. They also need the appropriate processes in place to ensure the chosen upgrades will be the best fit for the organization and advisors provide due regard to the opportunities and risks each option brings to the table.

Related risks

  • Suboptimal IT/OT decisions reducing control effectiveness
  • Lack of / insufficient supervision of third parties and related controls
  • Insufficient policy, progress, contracts, and training on the proper/expected use of IT and OT
  • Ineffective communication between leadership and the board

""Key questions to ask

  • Has your organization made sub-optimal investments in technology, and has a root cause analysis been completed to determine why?
  • Does your organization rely on third parties to maintain effective control over IT and OT? What is the vetting process for third-party suppliers, and what risks need to be managed?
  • Do you have sufficient training and tabletop exercises with leadership to discuss how to respond to and manage a ransomware attack?
  • Is the IT/OT budget sufficient to cover the most critical needs of your organization?
  • Do you foresee any significant changes to your data or system architecture that might disrupt controls, processes, or policy related to IT and OT?
  • Has a strategy been established to guide technology investments to ensure technology is renewed on a timely basis and is optimizing the business?

""Red Flags

  • History of sub-optimal IT/OT decision making (i.e., excessive spending)
  • IT/OT third parties seen as the root cause of issues
  • Employees with no knowledge of acceptable and unacceptable technology practices
  • Operational issues related to system failures

Internal Audit Project Opportunities

IT/OT Strategy and Alignment Audit
This audit assesses how well the IT and OT strategies align with the overall business objectives and goals of the organization.
IT/OT Asset Management Audit
This audit reviews the organization's processes for managing and maintaining IT and OT assets, including hardware, software, and industrial control systems.
IT/OT Change Management Audit
This audit evaluates how changes to IT and OT systems are managed, documented, and approved to minimize risks and disruptions.
IT/OT Security Audit
This audit assesses the security measures implemented for both IT and OT systems, ensuring protection against cyber threats and unauthorized access.
IT/OT Risk Management Audit
This audit examines the organization's risk management practices related to IT and OT, including risk identification, assessment, and mitigation strategies.
IT/OT Incident Response and Business Continuity Audit
This audit assesses the organization's preparedness to respond to IT and OT incidents, as well as its ability to maintain critical operations during disruptions.
IT/OT Compliance Audit
This audit reviews whether IT and OT practices comply with relevant laws, regulations, and industry standards.
IT/OT Vendor Management Audit
This audit evaluates the management of IT and OT vendors, including contracts, security assessments, and performance monitoring.
IT/OT Performance Measurement and Reporting Audit
This audit examines the organization's metrics and reporting mechanisms to measure the performance and effectiveness of IT and OT activities.
IT/OT Training and Awareness Audit
This audit assesses the training and awareness programs provided to employees regarding IT and OT governance, security, and best practices.
IT/OT Integration Audit
This audit evaluates the integration between IT and OT systems to ensure seamless communication and cooperation between the two domains.
IT/OT Budget and Resource Allocation Audit
This audit reviews the allocation of budget and resources to IT and OT initiatives to ensure alignment with business priorities.
IT/OT Documentation and Documentation Management Audit
This audit examines the documentation practices for IT and OT systems, including policies, procedures, and system documentation.
IT/OT Governance Committee Effectiveness Audit
This audit evaluates the effectiveness and efficiency of governance committees responsible for overseeing IT and OT activities.
IT/OT Cloud and Third-Party Services Audit
This audit assesses the use of cloud services and third-party providers for IT and OT functions, including security and compliance considerations.

Risk Trends in 2024 and Beyond

View all the risk areas featured in this year’s report. 
Read more

Insights

View all
  • Performance

    April 26, 2024

    How can small business owners navigate the people puzzle?

    How can you address people issues as a small business owner? These steps can help you overcome obstacles and give you more time to focus on your business. 

    Read more

  • Performance

    April 24, 2024

    How monitoring your results can help you make informed decisions for your manufacturing business

    How can you make informed decisions to support the future of your manufacturing business? These tools can help you achieve the right results.

    Read more

  • Confidence

    April 17, 2024

    Following these steps will protect your practice value if emergency strikes

    You can’t predict the future, but building a plan helps to keep your business protected.

    Read more