Managing IT-Related Risk: A 6-step framework for preventing business disruption
By Gary Lynam, Head of ERM Advisory at Protecht
The phrase ‘cyber risk’ can mean many things to many people and there is much confusion about where cyber risk ends and IT risk starts or vice versa. Simply put, information technology is the ‘stuff’ that enables a business to store and transmit information; cyber relates to the information itself.
While many of today’s organisations will have justifiable concerns about cyber attackers accessing systems and causing data breaches, decision makers cannot afford to overlook the wider issue of IT risk, because the failure of IT platforms or resources puts the achievement of key strategic and operational business objectives at risk.
For this reason, understanding and assessing IT-related risk and its potential impact on organisational performance is a must have for any digitally enabled business. To identify, quantify and get to grips with these issues, business and IT teams will need to work in close collaboration so that appropriate management strategies can be articulated.
Step 1 – Visualising risk and causal components
To capture the key components of risk and its consequences, IT representatives will need to work with business leads to understand the relationship between business disruption and causal risks.
For example, the impact of a CRM or phone system failure in a contact centre will result in reputational damage and will have consequences for customers that will require a remediation strategy. Plus, the loss of the CRM system may have a business impact on other departments, such as sales and marketing. It could also result in the failure of other business services such as customer-facing apps, e-commerce websites and billing processes.
To effectively manage the risk of a CRM crash, IT teams will need to assess options for dealing with all potential technical root causes, for example a configuration error or a third-party provider failure. Next, IT teams need to understand how these risks could cascade to affect multiple other departments. A bow tie analysis captures this by linking the causes on one side to the main event (the CRM failure) in the centre and the consequences on the other side, so that an IT risk bow tie shows how one event in one department translates into an impact (a failed business objective) elsewhere.
To understand the relationship between IT related risks and their potential impact on broader business needs, IT representatives should engage in business unit risk workshops. Insights gained will help inform how IT plans to manage and respond to IT-related disruptive events.
Step 2 – Evaluating IT as a business enabler
As technology advances, what was once considered ground-breaking becomes the minimum standard expected from related services. For example, today’s employees now expect to be able to work securely from home, using a single log-in to all the resources they need.
To stay ahead of the game and retain a competitive edge, many organisations are now looking to leverage cutting-edge technologies like machine learning, AI generated content, virtual reality, 3D printing and more.
Deciding whether to get off the blocks and become an early adopter will require a careful evaluation of the potential risks versus potential opportunities any new tech innovations will offer the business, so that all identified risks can be managed appropriately at adoption.
Step 3 – IT as a driver of operational risk
While IT undeniably delivers numerous benefits, there can be significant consequences when systems go offline or are no longer fit for purpose, or the availability or integrity of data is compromised.
In today’s hyper-connected workplaces, a minor failure or oversight in one area can cascade across multiple interconnected services and require significant effort to resolve. In October 2021, a faulty configuration change at Meta meant that Facebook, Instagram, WhatsApp and Messenger went offline for six hours. Worse still, as these failed services also supported access to Facebook offices, staff were prevented from entering the premises to address the problem.
Right now, many organisations are assessing the optimisation opportunities made possible by algorithms, machine learning and AI. Alongside ensuring regulatory compliance, organisations will need to ensure the right monitoring and governance is put in place to avoid potential pitfalls like poor data leading to poor outcomes or discriminatory bias and more.
To this end they will need to assess a multitude of potential risks. These include: whether and how the data is sanitised; whether the data has been assessed for bias; how reliable any external data used is; whether there is an interpretable and auditable record of how the model turns its inputs into outputs; and what happens if unintended consequences are identified after the algorithm or model has been implemented.
Step 4 – IT as a strategic risk
Business growth or diversification objectives won’t be achieved if sufficient IT resources are not in place to support these evolving needs. Business initiatives on the horizon may need an upscaling of hardware or compute power or there may be a need for new integrations. But without an appropriate roadmap or planning cycle for how technology will support these changing needs, the result may be delays, disruption or service degradations that will impact service users and customers.
Involving the Chief Technology Officer and Chief Information Officer early in the corporate business planning process will ensure that timelines can be set appropriately and that senior and board level decision makers can be made aware of any emerging technologies or opportunities that might influence these plans.
For some initiatives and sectors there may also be regulatory oversight, approval or reporting requirements that will need to be considered before an organisation can progress its strategy. Similarly, questions need to be asked around whether IT budgets and skilled personnel will be adequate to meet the technology needed to support the new business initiative.
Step 5 – Digital transformation risk
As many organisations have found to their cost, the journey to transformation can be fraught with danger and delay and there are numerous examples of major investments in digital transformation that failed to achieve their objectives or were rolled back.
The longer the timeframe and the more complex the existing environment or business model, the more likely it is that a project will suffer from budget or schedule delays or fail to meet all the anticipated benefits. In November 2022 the Australian Stock Exchange had to pull the plug on a blockchain solution intended to replace its system for trades and settlements. The resulting $250 million write off attracted condemnation from the regulator.
Creating a high-level transformation blueprint to assess the potential risk causes and events that might influence a planned transformation project will help ensure that everything goes as planned. As part of this process, any legacy systems that operate in silos, and any challenges in aggregating or integrating business data, will need to be assessed and managed.
Step 6 – The people side of IT risk
Having the right people with the right skills in place to respond quickly to unplanned disruptions or system glitches is just the start. The outlook and the culture of the organisation will need to ensure that people are empowered and confident about speaking up about potential risks and issues. When incidents occur, the focus should be on capturing valuable learnings rather than looking for individuals to blame.
Similarly, organisations need to be on the lookout for Key Person risks – this could be a visionary leader, or someone with a particular technical skill or institutional knowledge – whose loss could stall a project or leave the organisation open to risk. Alongside evaluating internal people resources, including who owns individual systems and assets, key contacts that manage IT-related third parties should be documented. This will enable the production of a skills/knowledge matrix for the IT team so that people related risks can be mitigated either through cross-skilling programmes or engaging contractors or suppliers with specialist skills to supplement the existing workforce.
Finally, with 58% of IT staff suffering from burnout – which in itself is a potential contributing factor to errors and oversights – HR strategies should also be put in place to protect employees from burnout.
Taking a wider view
Understanding how internal and external customers rely on IT and how IT contributes to the overall achievement of organisational objectives is the critical first step to viewing IT risk within a wider enterprise risk management (ERM) framework.
To manage IT risk proactively, effective reporting and escalation plans will need to be in place to address issues together with mechanisms that enable staff to speak up. Similarly, implementing a controls testing and assurance programme to provide assurance to stakeholders that IT-related risks are being effectively managed will be critical for providing appropriate reporting to the Board and senior management. It will also support the development of a blueprint for improvement.
When everyone in the business understands the importance of managing IT-related risks and how future business aspirations depend on ensuring the right systems and processes are in place to achieve these goals, organisations will be better equipped to dynamically manage business transformation without compromising operational resilience.