First, a quick description of Peloton. It is an approach to fitness that uses current technologies to bring the gym into your home. Its main product is a luxury stationary bicycle that allows users to stream spinning classes from the company's fitness studio through a monthly subscription service. Live trainers stream directly to your exercise equipment, allowing you to work out in the comfort of your own home.
The idea has taken off. According to a New York Times article, Peloton became a $4 billion company in just 6 years.
However, this story of success has become a cautionary tale. In March, nine music publishers — important, significant, deep-pocketed music publishers — sued Peloton for more than $150 million. (You can find more details here.) It seems that the music part of the heart-pumping, music-driven experience Peloton users so enjoyed was the result of the company using thousands of unlicensed songs in its workouts.
I became aware of the lawsuit last month listening to a presentation to a group of internal auditors on the impacts of technology. The speaker used the Peloton story as an example of the evolving risks that develop because of constantly changing technologies. His contention was that, in this situation, new technologies led to a new risk, as evidenced by the $150 million lawsuit.
I do not disagree with his statement that we have to keep up on technologies and the evolution of risk. But I do disagree with his contention that these new technologies lead to new risks. In fact, I have what might be considered a rather heretical belief in what new technologies mean about risks, our understanding of those risks, and the constant pursuit of new risks.
If you look closely at the Peloton case, you are not seeing a new risk. The lawsuit (and the underlying risk) is based on copyright infringement, a risk that can be traced back to early-eighteenth-century England as the printing press made it easier and easier to “steal” the works of others.
Yes, Peloton is a new wrinkle in this battle — just as was radio and television and the internet and social media and almost every technological change that has occurred in that time period. But a new risk? No.
There is nothing new under the sun. And I would argue that, in most situations (in fact, nigh on over 99% of situations), there are no new risks.
It is not a “cloud,” it is a database. And what’s the deal with cybersecurity? Other than a new way to access a whole lot more information, the basic necessities for risk mitigation are not different than those we used to make sure no one could get in the file cabinet. (This is that heretical part I warned you about.)
Assuredly, new technologies require new skills to properly combat and mitigate associated risks. But let’s not get ourselves too wrapped up in the idea that we have brand new risks. We have new applications of the old risks, we have greater risk velocity, and we have greater volumes at risk. But it is important to understand the risk — the old risk — that lies beneath these concepts. Because the approaches and controls used in responding to those risks, while they will need to be updated to incorporate new applications, velocity, and volume, are still a fundamental part of the discussion and the solutions.
Ultimately, I would argue that, while internal auditors need to understand the new things that are going on — understand the technologies — it is just as important (if not more important) that they apply the old risks and mitigation to the new technologies.
We can spend forever trying to figure out new risks. That is, until we realize that what we are really trying to do is figure out how new technologies will impact the risks we already know.