Carraghyn - Chartered Directors

Is IT Too Risky?

It seems like a daft question: we all use and depend upon IT in business, and to be deprived of it would be like going back to the Stone Age. But recent incidents have highlighted that IT risks must be understood and considered in the boardroom.

There is an old adage in IT: "To err is human, but to really screw up you need a computer". Given the increasing dependence of businesses on IT this is probably more true today than ever before.


The RBS IT failure in June this year is likely to have cost RBS in excess of £100 Million in rectification and compensation, without accounting for customer defection and reputational damage that will hinder new customer acquisition for many months.

Also in June, a few days earlier, BT denied broadband access to millions of homes and businesses across the UK due to "equipment failure" which took customers offline from Scotland down to Southern England.

Amazon, one of the world leaders in cloud computing, also had a bad June, taking out global web businesses such as Netflix, Pinterest and Instagram with the failure of two major data centres on the East coast of the USA.

In May the UK Border Agency introduced a postal visa system for foreign nationals wanting to enter or remain in the UK due to IT failures which prevented their applications from being processed and created a major backlog and extensive delays.

The previous December, in the run up to Christmas on one of their busiest trading days of the year, the UK Post Office suffered a computer crash affecting thousands of branches and causing a major backlog in the Christmas mail.

And in August 2011 Lloyds Bank traders were forced to resort to telephone, pen and paper because their trading system failed on one of the busiest trading days in the year, in a week which saw 8% wiped off the FTSE as the global economy crashed.

I could give many, many more examples, but this diverse selection shows that IT failures can and do happen to all types of business operations - even to very large organisations which spend tens or hundreds of millions of pounds on IT each year. Each time they happen they cause significant commercial embarrassment, customer dissatisfaction, and result in significant recovery / cleaning-up and potentially compensation costs.

Risk is a consideration that should be on the table in every boardroom. Determining the organisation's balancing of risk vs. reward is one of the primary responsibilities of a board of directors. Managing risk is another, clearly laid out in corporate governance codes.  Boards of larger organisations will have an audit committee, and the scope of their audit activities will generally be to ensure accuracy of financial reporting, detection of waste / fraud, and identification of financial risk. Financial risks figure high on the boardroom agenda. 

Most boards also address resource risk, particularly HR risk. In most organisations resource risks are less dynamic than financial risks, but they are there and are routinely dealt with as a matter for boardroom consideration. Employee relations are a very important matter.

So what of IT risks? They are demonstrably the most volatile of all, able to materialise out of the blue and have massive impact within hours, seconds even. Some IT risks are susceptible to long-term management, but others happen so quickly that managing the risk once it has emerged is not an option; the only valid strategy is pre-emptive risk mitigation. How does the board address IT risks? Does the board address IT risks? How can it be as sure as reasonably possible that the organisation's unexpected IT failure will not be the lead headline in the next issue of Computer Weekly? More relevant, perhaps: how can it be sure that it will be serving customers next week instead of having a majority of employees sitting idle whilst the IT department struggles to repair whatever has broken?

It is easy to spend lots of money on IT, but expenditure is no guarantee of either IT resilience or swift recovery. It is easy to apply financial pressure to the IT department, budget constraints and cost reduction targets, but in most cases the application of crude financial performance metrics to IT functions serves to reduce IT resilience and increase disaster recovery times - when cuts are applied the "optional" service factors such as resilience and disaster recovery are usually amongst the first to be degraded.

In summary: IT risks are amongst the most serious an organisation can face; they can disable the organisation in seconds. Many IT risks are highly predictable and can be significantly mitigated by prior planning. Some IT risks are genuinely unpredictable and cannot be foreseen or prevented.

In considering risk in the boardroom it is therefore necessary to:

  • Explicitly consider IT risk
  • Determine which IT services would represent a significant problem for the organisation if lost for a period
  • Decide which potential IT service failures can be affordably mitigated to reduce risk
  • Develop action plans for coping with the loss of key IT services, including how employees will engage with and serve customers during the non-availability of those services
  • Ensure that mitigations and action plans are implemented, communicated to staff and tested.
  • Consider ring-fencing those parts of the IT budget necessary to maintain service continuity, and understand that however desirable it may be to change and enhance IT to support new or improved business processes, continuity of service to customers is a higher priority.
