Technology Risk Programs

Technology risk includes cybersecurity risk, but its scope is much wider. Cybersecurity is about protecting oneself from attack: essentially, making sure no one steals your data and no one gets into your network without authorization.

Technology risk, however, extends beyond cybersecurity. It includes the controls that need to be in place to protect against the entire range of technology failures, from ensuring adequate capacity, to managing against outages, to making sure planned changes go in smoothly.

Generally, Technology Risk includes the following programs:

  1. Managing policies

    • Technology risk management framework

  2. Managing the control framework

    • Building and maintaining the control framework

    • Control self-assessment/testing

    • Technology risk appetite

    • Measuring policy compliance

    • Building a control framework

  3. IT governance

    • Managing risk committees

    • Managing to and reporting on risk appetite

  4. Risk assessments:

    • Application risk assessments

    • Infrastructure risk assessments

    • Process risk assessments

  5. Issue Management - including managing policy & control exceptions

  6. Disaster recovery and business resilience

  7. Identity and access management

  8. Third party risk

  9. Change management

  10. Production control and security incident management

  11. Project management risk

  12. Legacy hardware and software (EOL)

  13. Privacy and compliance program support

  14. Emerging risk reviews

  15. Employee training and awareness

  16. Shadow IT/End user computing

  17. Audit management

  18. Others:

    • Hardware and software inventory maintenance

    • Software license compliance

    • Emerging risk reviews

    • Remote workplace infrastructure

    • IT Inventory maintenance (h/w and s/w)
