Skip to content

Technology: the good, the bad and the 3 lines of defense

Ellen Davis
Ellen Davis
Ex-Director of workflow proposition marketing, Thomson Reuters Financial & Risk
A technician is silhouetted as he works on power lines supplying electricity in Karachi July 30, 2011. REUTERS/Athar Hussain (PAKISTAN - Tags: SOCIETY EMPLOYMENT BUSINESS ENERGY IMAGES OF THE DAY) - RTR2PGSP
REUTERS/Athar Hussain

Nothing polarizes opinion in organizations quite like technology. You may view technology as a risk or an opportunity, but should it depend on which line of defense you sit in?

Our survey on FinTech and RegTech for financial services organizations highlights something already suspected — that technology has a way of bringing out dualistic thinking.

The problem of technology being perceived either as “good” or “bad” is not limited to any one type of organization.

All industries today are caught between the promise of technological advance and the sheer terror that these evolutionary steps can evoke.

Lines of defense

As a case study, the financial services industry is particularly interesting.

The survey shows globally that these organizations are beginning to fall into two camps — those who are embracing FinTech, and those who are ignoring it.

At one end of the spectrum are the 21% of organizations whose risk and compliance functions have fully engaged with FinTech.

At the other end are the 16% of compliance and risk practitioners who reported that they did not need to be involved with assessing the implications of FinTech to their business.

It’s common for things like FinTech — and the equivalent in other industries — to be the provenance of the first line of defense alone.

After all, it’s the business that is at the coal face every day that can “justify” technology spend to drive profits — on “good” technology.

Data breaches

It’s easy for the second line of defense — risk and compliance executives — to bury their collective heads in the sand when technology can seem so very “bad”.

Many of the negative headlines that we read about focus on how technology has damaged an organization, its customers, employees, and shareholders.

And it is often risk and compliance people who have to sweep up the mess afterwards.

Data breaches are a case in point.


Our infographic shows that while 42% of data breaches are due to a malicious or criminal attack, an additional 30% are the result of human error.

Often this human error is entirely preventable with the right education and training in place. Suddenly ignoring technology seems like a less viable strategy for the second line of defense.

IT understanding

If ignoring technology is not a good idea for compliance and risk executives, it’s even less of a good idea for the third line of defense — internal auditors.

Another survey by Thomson Reuters shows that 39% of internal auditors — across industries and around the globe — feel that their departments only have a basic understanding of their organization’s IT environment.

A further 15% reported insufficient or limited knowledge of that environment.

The second and third line of defenses are just as bad at considering technology that could help them do their jobs better.

Some 62% of internal auditors considered their own use of technology to be basic, limited, or insufficient. Nearly one-quarter of compliance executives said their firms lacked the budget for RegTech solutions.

Technology solutions

Applying a governance framework to technology — the Future Challenges for Compliance report on RegTech offers one best practice example — is one step the lines of defense can take to improve their approach to technology.

Such a framework, with its multiple perspectives and touch points for evaluation, moves technology away from being either “good” or “bad”.

Instead, it helps organizations explore how FinTech and RegTech, and other technology solutions, can be a part of their own, ongoing evolutionary story.