IT risk can have serious consequences for an organisation, even an entire industry, therefore IT risk management should not be delegated solely to the IT department. This was the message given to delegates at last month’s Gartner IT Security Summit.
Richard Hunter, a Gartner analyst who was presenting his new book IT Risk at the event, defined IT risk as anything that poses a threat to any of four interrelated business objectives: availability, access, accuracy and agility.
Agility risk sits at the top of the “IT risk pyramid”, the concept Hunter uses in his book to demonstrate the hierarchies of the risk factors. “The importance of the pyramid is that each factor in a tier influences not only the risks in that tier but also risks in tiers above it,” he explains in his book.
Business agility can be affected by accuracy risks, which are linked to how reliant an IT system is in providing correct and timely information. Access risk relates to the accessibility of data and can lead to accuracy risk, Hunter said. Availability risk, which sits at the bottom of the pyramid, occurs if IT systems are interrupted.
Agility risk is the most serious of all the IT risks because it can constrain a company’s ability to compete, Hunter explained. It is also the most difficult risk to quantify, creates the most organisational difficulties and requires the largest cross-section of the business to help manage it, he said.
Hunter gave two examples of agility risk: the customer data loss incident at CardSystems Solutions, which caused the firm’s two largest customers, Visa and MasterCard, to defect; and the problems with the tax-credit management system at the Inland Revenue, which meant the organisation paid out over £2bn in mistaken tax credits.
When threatened by a risk of this type, a company might not be able to continue competing in the market, Hunter explained. Besides the serious consequences this holds for the individual business, the perceived threat could also mean regulations are introduced for the entire industry, he argued.
Hunter also cited an incident involving a failure with Comair’s crew scheduling system. Although the problem began in IT, it ended up grounding planes for five days and caused serious consequences for senior management, including the resignation of Comair’s president. The system had been scheduled for replacement five times and if this had been efficiently communicated and acted on, the incident would not have happened.
To avoid incidents like this, IT managers need to exchange information on risk with executives across the business so that they know the consequences technology failures can bring. If business managers do not take an interest, they could be punished by the market and fall further and further behind, Hunter said.
“To make effective decisions about IT risk, business executives need to know what happens when technology fails or underperforms. Any IT risk must be understood in terms of its potential to affect all of the company objectives that are enabled by IT,” Hunter added.