In the first in a three-part series, Nick Denning, CEO at Diegesis, looks at the risks faced by company boards, with a particular focus on those confronting CIOs and CTOs who are managing and operating complex enterprise IT systems.

Few organisations are exactly where they want to be in terms of enterprise IT solutions to support their business. Technologies evolve, new applications become available but existing systems may have proven their worth over many years and can be costly to replace. However, the reality of the situation is much clearer and immeasurably improved with a full understanding of the risks faced by either replacing tried and tested solutions and/or implementing new technology. Only with that knowledge can the relevant strategies, action plans and appropriate partnerships be developed to drive the right changes at the right time.

Risk and opportunity
Opportunity and risk are two sides of the same coin. An organisation that manages its risks effectively also creates opportunities. This might be to reduce the operational costs of IT systems with the results flowing straight to the bottom line, or to use IT more effectively by adopting new features early to drive competitive advantage.

So… what is risk? We can articulate risk simply by thinking in terms of: if event X occurs, then the impact might be Y. We then consider the probability of each event occurring and the size or significance of its impact. From those two quantities it is possible to project any likely losses.

Mitigation and contingency
Having determined the probability of an event occurring and the impact if it does, mitigation and contingency measures should be considered. Contingency measures are those taken to deal with an event if it does occur. However, a contingency plan has only limited value if it isn’t practised, proven to work and kept updated.

Some events are external and we may not be able to influence their probability of occurring, weather-related events for example; the probability of others can be influenced. Regular servicing of a vehicle to prevent breakdowns, or the installation of sensors to indicate that a part is wearing out and should be replaced before it fails, are examples of mitigation actions. In IT terms this means keeping enterprise systems up to date, with all patches and security updates applied.

Developing contingency plans makes it possible to assess the best balance between spending time and resources to:

  • minimise the probability of an event occurring;
  • minimise the impact if it does happen;
  • prepare and test plans to recover from the failure; and
  • review each of the events based on this probability.

Frequency and catastrophe risks
Some things happen regularly: we expect them, and we may even accept them and the associated losses as part of doing business, so they are dealt with as they occur. For example, there is a known probability of theft from retail outlets. Such risks are often referred to as frequency risks, and the losses are accepted as shrinkage costs.

Other risks happen very infrequently but can have a high impact. These are potentially the most dangerous because we may not properly understand them, and may not be training our staff to manage them or recover from them. If fire destroys a building and everything it contains, this is high impact and is called a catastrophe risk. An equivalent IT-related risk would be cyber criminals blocking access to vital systems and then demanding a sizeable ransom payment.

The role of insurance
Organisations may take out insurance to protect against losses. To calculate the insurance premium to quote, the underwriters will consider a combination of:

  • an organisation’s claims history;
  • expected losses across the market; and
  • the current financial return on investment and the extent to which they are seeking premium revenue or advisory fees.

Should a loss occur the insurance company will pay. Therefore, some organisations ask what is the point of employing people to manage the risk, reduce the frequency and the potential impact – if the insurance company will pay anyway?

An obvious answer is that if an organisation can reduce claims, it can reduce future premiums. However, it takes three years of claims history before underwriters will reduce premiums.

Another aspect is that if an organisation knows it is likely to have £1m losses next year it cannot accrue these losses in the accounts, but it can pay an insurance policy in this year’s accounts and reduce its corporation tax liability that way.

Taking a cynical view, an executive who has the responsibility to manage a risk may make little effort if they feel that they may not be in the same post in three years when the benefits can be seen.

Practising effective risk management
There is a series of good reasons to practise effective risk management. There are many things that an organisation cannot insure against. These include loss of reputation, loss of profits and the risk of going out of business. A catastrophic failure of enterprise IT systems could cause any or all of these three eventualities.

Just relying on insurance is simplistic. Claims for insured losses are generally only a fraction of the actual loss. For example, if a core system is out of action insurance might pay for the eventual replacement but not:

  • the cost of employees who are idle while a fix is sourced;
  • the uplift in overtime while people work extra hours to catch up with their work;
  • the cost of lost business, losing customers while orders cannot be taken, or the cost of acquiring replacement customers; and
  • most importantly, some risks are ‘black flag’ risks and if they occur there is a high probability that the company will go out of business.

Through effective risk management an organisation that reduces its level of potential losses can see the benefit flow straight to the bottom line, once the cost of risk management has been taken into account.

The obvious benefit is reduction in future premiums. Other benefits include recovery of losses from the insurances of others who caused the loss, but the biggest potential benefit is in reducing the uninsured losses. The challenge is that these are typically unknown and are not neatly annotated in the accounts and hence difficult to establish by simple inspection of records.
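As an added illustration (not from the article), the following Python puts the pieces above together: expected loss as probability × impact, the split between frequency and catastrophe risks, the fraction of a loss a claim would actually recover, and the bottom-line effect of a mitigation once its cost is taken into account. The thresholds, sample figures and the patching mitigation are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds for the two risk classes discussed above (not from the article).
CATASTROPHE_MAX_PROBABILITY = 0.1      # rare ...
CATASTROPHE_MIN_IMPACT = 1_000_000.0   # ... but very high impact
FREQUENCY_MIN_PROBABILITY = 0.5        # expected in most years


@dataclass
class Risk:
    name: str
    annual_probability: float  # chance the event occurs in a given year
    impact: float              # total loss if it occurs, in GBP
    insured_fraction: float    # share of that loss an insurer would actually pay

    def expected_loss(self) -> float:
        """Annualised expected loss: probability x impact."""
        return self.annual_probability * self.impact

    def uninsured_expected_loss(self) -> float:
        """The part of the expected loss that no claim would recover."""
        return self.expected_loss() * (1.0 - self.insured_fraction)

    def category(self) -> str:
        if (self.annual_probability <= CATASTROPHE_MAX_PROBABILITY
                and self.impact >= CATASTROPHE_MIN_IMPACT):
            return "catastrophe"
        if self.annual_probability >= FREQUENCY_MIN_PROBABILITY:
            return "frequency"
        return "other"


def mitigation_net_benefit(risk: Risk, mitigated_probability: float,
                           annual_cost: float) -> float:
    """Bottom-line effect of a mitigation: avoided expected loss minus its yearly cost."""
    after = Risk(risk.name, mitigated_probability, risk.impact, risk.insured_fraction)
    return risk.expected_loss() - after.expected_loss() - annual_cost


def rank_by_uninsured_loss(register: list) -> list:
    """Risk names ordered by the loss insurance would not cover, largest first."""
    return [r.name for r in sorted(register, key=Risk.uninsured_expected_loss, reverse=True)]


# Constructed sample register; the figures are illustrative, not from the article.
SHRINKAGE = Risk("retail theft (shrinkage)", 1.0, 20_000.0, 0.0)
OUTAGE = Risk("ransomware blocks core systems", 0.05, 2_000_000.0, 0.25)
REGISTER = [SHRINKAGE, OUTAGE]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: {r.category()}, expected loss {r.expected_loss():,.0f}, "
              f"of which uninsured {r.uninsured_expected_loss():,.0f}")
    # Assumed mitigation: patching and tested backups cost 30,000/yr and cut the outage probability to 2%.
    print("net benefit of mitigation:", mitigation_net_benefit(OUTAGE, 0.02, 30_000.0))
```

Ranking by uninsured expected loss rather than by total expected loss puts the rare, high-impact outage first, which matches the article's point that the biggest benefit lies in reducing losses no claim would recover.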

Project and operational risks
It is also worth reflecting on the difference between project and operational risk. Operational risk covers all the inherent risks that have the ability to impact the business when it is running in a steady state, carrying out its normal day to day business. Frequency risks typically fall into the category of operational risk, covering the things that go wrong on a day-to-day basis.

These risks are often the sort of risks that can be insured against, particularly where they are the risks that apply in common to most organisations.

However, if an organisation is trying to do something new, then it is considered to be running a project to make change. There may not be a great deal of expertise within an organisation in running projects, or in making the types of change necessary to deliver the project. Regardless of whether business leaders are managing operational risk or project risk, the principles of approach are very similar. The biggest challenge is often managing the people who are stakeholders in the related activities, and this requires strong leadership. Insuring against a project overrun is less common.

Risk categories
When analysing an organisation’s risk profile, we can make an assessment based on standard risk categories which have been developed over the years because they are faced, albeit in different ways, by many similar organisations. These provide checklists of what to consider and offer a starting place to highlight specific or unique risks to a business.

Here are some examples of the different categories of risks:

  • the threat of others seeking to harm an organisation;
  • site/environment integrity;
  • process and system integrity;
  • projects and change management;
  • security;
  • supplier risk;
  • capability and knowhow; and
  • business continuity/disaster recovery.

A range of organisations provide risk templates that can be used to support such risk analysis.

In conclusion
Managing risks and identifying opportunities is an integral part of doing business. Identifying and categorising the types of risk faced is an important component of senior management job roles. Luckily the risk management discipline provides common ways to categorise and mitigate risks that can also be applied to core enterprise IT systems.