Blog

IT risk can strike like a nuclear explosion

You might be surprised at some of the responses I’m getting in my current research. In the examples I use in this blog,  I can pinpoint the participants almost exclusively to older, more traditional board members. But not always.

 There’s a small but vocal slice of the population convinced that technology governance isn’t any different from other technical domains such as ‘talent management or marketing’. I suggest, having have worked in HR and in close association with marketing, that these domains differ markedly from technology, especially in the area of risk.

Granted, different forms of technology and some of these other technical areas of managing the business have been around for hundreds, if not thousands of years. It’s the explosion of computer-based technology over the last 40 years, its pervasiveness and game-changing impact on society and how businesses operate, that makes technology different.

So let’s follow an example through, using ‘there’s really no difference’ logic, and compare an HR risk issue and a technology risk issue in an airline.

Yes there are risks associated with the failure of either to perform. However, from an HR standpoint, there’s not much impact if a flight attendant slops the coffee or a pilot is unable to fly because he’s ill, or even if one of the pilots falls ill while flying a passenger aircraft.  But if any aspect of the computing systems go wrong, pretty much anywhere in the aviation value chain, there can be serious, even deadly consequences.

Drop the freight, reservation or passenger check-in system for a few hours and the impact ripples into millions of dollars in a very short time. It’s felt within the airline and out into multiple areas of the community such as the tourism, business, fast-moving-consumables or export sectors.

The reality is that a technology foul-up in any high tech industry such as aviation, hospitals, or in areas of manufacturing and primary industries can take out a business, kill someone or cause a disasterous ripple effect. And potentially all in milliseconds.

As Steve Kaye commented on one of my blog postings, ‘traditional approaches to risk start to fall apart [where] a risk which may emerge and be fully instantiated / materialised within the time it takes to draw a single breath. Risk mitigation and avoidance is probably more critical in the ICT domain than in any other aspect of business. And if an incident occurs, the solution is unlikely to be further risk management...the immediacy means that the incident response needed [instantly] bypasses the risk management phase and moves into full-blown disaster recovery.’

So I get pretty worried when, in my research, I’m told by experienced directors that their board is now much more tech-savvy ‘because they all get their board papers via their ‘tablet thingies’. And when you ponder Steve’s comments and realise that in 2012 most boards were still managing technology risk by exception, if at all.

It’s the sometimes instantaneous nature of the consequences including the social media impact (right or wrong) which differentiates IT/ICT risks. Steve Kaye again: ‘take your ICT governance seriously because if it really goes wrong it can be the equivalent of a nuke; no warning, total disaster and no second chances’.