Jim Buckle is managing director of LoveFilm, the DVD-by-post and video streaming service owned by Amazon (he was previously its CFO and then COO). And you'd be hard pushed to find anyone more acutely aware of the risks of emerging technology.
"We know that our business, as it currently stands, won't exist in the future," he says. His vision is prescient. DVD is currently the dominant format for movies, but in 10 or even five years it's unlikely to be the case. Content will be delivered online. And who knows how subscription or payment methods will work then.
"So we need a framework for making key decisions about its evolution. How will we invest in digital services? How will we maintain our distinctiveness in the market?"
Buckle is lucky in that respect. His team knows for certain that emerging technologies are going to disrupt the business – they even know how it might happen. So managing the risk around those new approaches is seared into their thinking.
But for many chief financial officers, those same risks exist – but they aren't as visible. In Donald Rumsfeld's legendary quotation, they're "unknown unknowns". And that's just one reason why emerging technology is considered a top five risk in an Ernst & Young global survey of senior executives.
"This risk really falls into two categories – IT and non-IT," says Craig Glindemann, partner at EY. "The non-IT risks are around organisations failing to take advantage on innovation at the same rate as their competitors. IT, on the other hand, is about a host of issues within organisations – such as consumerisation or digital security."
But in both cases, it's those "unknown unknowns" that can really trip up any organisation. Take social media: even just the proliferation of new sites – like Yammer, a kind of Facebook for the enterprise which already has 100,000 organisations registered – means it's almost impossible to set appropriate controls and policies that will ensure you're not exposed.
Employees simply don't realise the risks they're creating when they use networks – sometimes to their own cost.
Take the case of John Flexman, a HR manager at BG Group. He was fired for ticking the "interested in career opportunities" box and uploading his CV to his LinkedIn profile. BG claimed this constituted a breach of a new company policy on conflict of interest. (Ironically, Flexman worked in graduate recruitment – and one of the chief risks in this area is adapting technology approaches to meet the demands of tech-native workers coming into the business, as we'll see.)
My data's bigger than yours
But the organisational risks from IT are many faceted. The trend for "big data" (massive amounts of semi-structured data a company creates, which until recently couldn't be analysed and used) creates a whole new set of risks around privacy, for example. Data protection laws – as Google found out when it changed its privacy rules – create regulatory risks as technology starts to take on its own momentum.
"You need to be able to allow flexibility in customer, supplier and employee interactions in a multi-channel environment while maintaining security and privacy – and protecting the integrity of the overall IT architecture," Glindemenn says. "But it's really a question of opening up the opportunities and targeting engagement and productivity – then working out how to manage the downside risks."
A great example of that need for balance is the consumerisation of IT. On one level, this means making corporate systems work more like the kinds of hardware and software people use in their personal life. But over the past five years, that personal technology has, in many cases, leapfrogged the technology with which businesses provide their staff. The result? Employees want to adopt a "bring your own device" (BYOD) to work policy.
The trend for BYOD can pose a huge upside risk for business if not well managed. "Many IT functions haven't kept up with the times," says Justin Pirie, cloud strategist at email specialist Mimecast. "The reality is that many people much prefer to use the devices they've chosen to buy, especially when they're better than company-bought ones. Employees are saying, I want to work more effectively – and using my own device helps me to do that."
Familiarity with technology boosts productivity – and it means employees are centred around a single device rather than (as was commonly the case a couple of years ago) juggling their iPhone and a work Blackberry, plus a laptop and perhaps a PDA. A clear win then?
No. Downside risks abound, from the cost of ensuring every different device can support corporate functions and applications, to the all-important security and privacy issues. Governance, risk and compliance (GRC) in emerging technology is a minefield, as corporates like Sony can attest after losing millions of Playstation Network accounts to hackers.
And if you try to manage it by refusing to sanction non-standard kit? "We're starting to see this become an HR risk," warns Pirie. "Even in companies where there's no formal BYOD policy, people will continue to use their own devices anyway. And if IT tries to come down hard on that, they're often ready to make it a reason for leaving the company." In other words, it's hard to find the delicate balance that will deliver flexibility, efficiency, productivity and control – all at the right price.
It's not just internal risks
If all that wasn't headache enough, many organisations – like Jim Buckle's – also face the threat of emerging technology disrupting their business model. "A good example is the way emissions regulation is affecting the oil, gas and utilities sectors," Glindemann says. "They have an urgent need to address these risks with new technology."
The problem is threefold. First, there's a major cultural hurdle to overcome. According to the EY survey, continuous innovation in both manufacturing (in its broadest sense), as well as products and services, are seen as two of the top three mitigating steps around these risks. But in many organisations, that culture of innovation is missing.
"So can you change your internal cultural barriers and become more innovative?" Glindemann asks. "It means developing cross-functional teams, innovation centres and other ways of creating a fertile environment for coming up with completely new ideas."
There's a strong role here for CFOs. "Just by the nature of the role, you get linkages into so many different parts of the business," says Siva Shankar, former corporate finance director at SEGRO plc. "The CFO has access to large volumes of data, to which they can apply their own analytics to generate insights. You've also broad commercial knowledge thrown into the mix. When you bring all of that together, you can come up with the kind of insights that really open up the minds of other people in the business."
Getting the mindset right is a huge issue. "CFOs familiar with strategies like continuous improvement can draw on those initiatives," Glindemann adds. "Often that means bringing in new people. Teams seldom destroy the things they have created – so new people or new teams might be needed to come up with disruptive approaches yielding innovative solutions."
Second, that cultural shift has to be matched by process change. "In many organisations, you don't have a dedicated function to look at competitor strategy, for example," Shankar says. "It tends to be an add-on for the strategy function or even the marketing department. But the CFO can bring to their work a whole new dimension. For example, how well do your systems allow for the sharing of third-party data and ideas?"
"That's one of the reasons global organisations are looking at data services," Glindemann says. "Data is the critical commodity for the future, and sharing it across the organisation is the key to arriving at genuinely innovative developments." And while knowledge management (KM) was written off as something of a fad in the late 1990s – when perhaps the technology wasn't able to live up to the hype – systems that allow for that softer, more creative analysis and sharing of data are back in vogue.
"That can be a hard sell for CFOs – the business case for KM technology is often unclear," Glindemann says. "But it's strategic, rather like email. You just have to do it. With the emergence of so much unstructured data [social media, email content and so on], it's doubly important."
So perhaps companies have to learn to take a punt occasionally. Which brings us to point three: managing emerging tech risks through smarter investment appraisal.
"CFOs need to think of investment appraisal as a continuous process, not just a one-off," Glindemann says. "It pays to stage-gate investments in innovative areas, not just set a budget at the outset and hope for the best. That means compartmentalising project appraisal and validation on a periodic basis – because, after all, with emerging technology, you can't wait for 80 percent confidence that there's going to be a return. In many cases, you need to get going with just a 40 per cent. Piloting and proof of concept investment is key."
New ways of working, potential radical changes to the operating environment, new competitors operating with innovative business models ... These emerging technology risks are among the hardest to pin down. But unless they're managed, for better or for worse, using these softer mitigation strategies, you can have major problems.
"I was talking to a head of risk who was wondering how they put processes in place to catch 'Black Swan' events before they floor the company," concludes Shankar. "And I asked: who's keeping their eye on the 'White Swans'? Who's monitoring the big opportunities that can enable the company to up its game? If you miss them, it won't floor the company – but over 10 or 15 years, it will make you second rate."
Only a culture of innovation internally and open-mindedness externally – directed with discipline and creativity by the CFO – can ensure both sides are managed.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.