Seven aspects of inadequate IT risk management
1. Piecemeal approach
Organizations do not take a holistic approach to IT risk, where risks are determined throughout the organization and then assembled into a corporate score sheet. Most commonly, strategic risks will be assessed at the time that a project is initiated – and then forgotten. Project risks will be assessed only by those responsible for carrying out the project – a guaranteed conflict of interest. Partner risk will be assessed only at contract rollover, if at all. Degrading infrastructure assets are seldom formally valued. And so the story goes on. Each risk component has its own ad hoc treatment, if anything. [Beating IT Risks, Ernie Jordan and Luke Silcock]
2. Communication failure
Technical risks discovered by the network manager or a project manager may well be incomprehensible to the board, where decisions must be made and accountability ultimately resides. The challenge of communicating an issue from technologist to IT manager or business manager and then to a director will be similar to the challenge when the concern is travelling in the other direction. In addition, those responsible for finding risks may not be rewarded for communicating them, giving them a ‘whistle-blower’ pariah status.
3. Surprises and reactivity
We are continually surprised at how managers are continually surprised when things go wrong. Things do go wrong! Hardware breaks down, software bugs get discovered, staff and customers engage in fraud, telecommunications and electricity stop from time to time – and sometimes for very long times – projects get mired and then go backwards, critical staff leave, and then regulators and lawmakers tighten the screws. All predictable – admittedly very difficult to predict, but predictable nevertheless. So when something goes wrong, the standard approach is one of reacting to the event and finding someone to blame. A one-off – often ill-considered – response to the situation. Seldom are post-mortems held so that real learning can take place – so much for learning organizations.
4. Career damage
In the end, blame will be dealt out and an individual manager will be the recipient. At the minimum this is disappointing and embarrassing, but ultimately it is potentially career limiting for individuals who are in management and governance roles. Track records hang around for a long time, and anyone who has presided over a major project failure or corporate IT breakdown will have to carry the burden.
5. Evolving, moving subjects
The nature of IT risks continues to evolve and offer up new challenges. Every day new defects are found in Internet-facing technologies and, almost as often, toolset and middleware developers propose upgrades. Each change means that risks are changed, and until the potential consequences have been worked out, the level of uncertainty is heightened. The impact of a change in one innocuous component can be anywhere between nil and total catastrophe – and ignorance ain’t bliss.
6. Creeping goals
Corporate governance and risk management standards are being raised on a regular basis. The Bank of International Settlements’ Basel II framework is imposing new operational risk reporting and control requirements on participating banks, which is having serious implications worldwide for banks and some financial services providers. Stock markets are imposing tougher risk reporting requirements on listed organizations, including in some cases explicit requirements for business continuity management. Expectations of other stakeholders – such as supply chain partners, customers and stockholders – are also increasing. So not only does IT risk management need to be done, it needs to be continually improved upon.
7. Consistent competitive underperformance
IT failure saps the business’s potential to compete, undermining other endeavours; moreover, it can lead to reputation loss and detrimental effects on the organization’s brand. Outsiders will see any failure as indicative of an underperforming company, perhaps unfairly, but competitors can gain ground merely from the absence of any catastrophes on their part.