Beating IT Risks


About the authors

Ernie Jordan is Professor of Management in IT management at Macquarie Graduate School of Management in Sydney, Australia – currently ranked top in Asia and Australia, and number 50 in the world, by The Economist Intelligence Unit’s global survey of MBA programs, Which MBA? 2004.

Starting from a degree in industrial mathematics in the UK, the path led quickly to COBOL on IBM mainframes in Canada and a period as a lecturer in statistics. Dr Jordan accumulated some ten years’ experience in the development of information systems in commerce and industry before re-entering the academic world in Newcastle, NSW and then moving to Hong Kong.

During his eight years in Hong Kong, he made the transition from teaching systems analysis and design to IT strategy, while researching the strategy of a global bank for his PhD at the University of Hong Kong.

Over the last six years, he has carried out research that examines the reluctance of organizations in Australia to develop formal IT disaster recovery plans and his reports have been enthusiastically received by industry and practitioners.

His current research program includes IT governance, IT strategy, operational risk and business continuity. He is a sought-after speaker in the Asia–Pacific region, and can be contacted at Ernie.Jordan@mq.edu.au.

Luke Silcock consults extensively on all aspects of IT management for PA Consulting Group and its numerous major international clients. His twelve years’ management consulting experience in Australia, the UK and Asia have focused on:

Reviewing and assessing IT capability and maturity.

Designing and leading IT performance improvement initiatives.

Assuring delivery, reducing risks and avoiding over-spend on IT-enabled business projects.

His assignments for PA Consulting Group – an independent global management, systems and technology consulting firm (www.paconsulting.com) – have assisted dozens of client organizations in different industries including banking, energy and telecommunications.

He has also worked for KPMG Management Consulting in Sydney and London, specializing in IT. Prior to his consulting career he studied Business Information Technology at the University of New South Wales and undertook industrial training with three leading companies.

Foreword

In the old days, most of the risks with which each person had to contend were generally local and personal. As technologies pervasively continue to enter our lives, the risks are becoming universal and very far-reaching in terms of those who are affected. Computer-communication systems reach into almost every aspect of our existence, relating to the health and well-being of not only people, organizations and governments, but also of the global environment.

Our increased dependence on computers and networking is unfortunately rapidly tending to increase rather than decrease the associated risks. New applications are being created that are heavily dependent on automated systems whose trustworthiness is wholly inadequate for the given enterprise needs. Systems are becoming ever more complex without constructively being able to cope with the complexity. New vulnerabilities continue to appear faster than old vulnerabilities are being fixed. Threats from evil-doers are increasing. Furthermore, all of our critical national infrastructures are in various ways dependent on information technology – and on each other.

Risks are usually in the eye of the beholder, but are often seriously discounted or even completely ignored. Thus, much greater understanding is needed among everyone who must manage, prevent or remediate risks. Fortunately, Beating IT Risks is an extraordinary book that brings many diverse issues clearly before its readers, irrespective of their backgrounds. It is one of the most important, realistic and practical books on this subject ever written – particularly for IT managers.

Some people may tend to consider the wisdom of this book as ‘merely common sense’. But common sense is in actuality not very common. In retrospect, considering the historical evidence of flawed systems, wilful misuse, human errors, operational accidents, environmental hazards, many cases of mismanagement and many other causes (e.g. see Neumann 1995), common sense turns out to be extremely rare. Much too often, short-sighted management and system development decisions have ignored the risk implications, with some stupendously bad results – including deaths, injuries, huge financial losses, irreparable personal damages and losses of privacy.

One person’s risks are another person’s challenges. Indeed, this book presents us all with the opportunity to avoid or enormously reduce many of the

characteristic risks that have continued to plague us throughout the computer revolution. I hope you will read it carefully and pay careful heed to its recommendations – which if diligently pursued can save us all a lot of grief. Beware of overly simple solutions, because the problems are complex and the solutions require considerable thought, understanding, foresight and in some cases altruism. Please remember that there are no easy answers to risk avoidance. Risks abound and must be confronted.

Beating IT Risks is quite different in perspective from beating a drum – which tends to be monotonal. The book is more like an entire symphony in which all of the voices are in intricate interrelationships. Enabling the reader to learn to understand the big picture as well as the details is perhaps its most significant contribution.

Peter G. Neumann, Palo Alto, California, USA, 21 September 2004

Principal Scientist, SRI International’s Computer Science Laboratory, Moderator of the ACM Risks Forum, Associate Editor of the Communications of the ACM (for the Inside Risks column) and regular contributor to the ACM Software Engineering Notes. http://www.csl.sri.com/neumann

Acknowledgements

The authors would like to offer great thanks and appreciation to the PA Consulting Group for taking on our proposal with such enthusiasm and commitment. In particular, we’d like to thank the PA Consulting Group team members who helped by contributing case study material, encouragement and insights. A special note of thanks is in order for Clare Argent, John Burn, Jonathan Cooper-Bagnall, Karen Crothers, Frank Decker, Neil Douglas, Dean Evans, Polly Ferguson, Ian Foster, Guy Gybels, Kerry Harris, Greg Jones, Fons Kuijpers, Geoff Larbalestier, John Lunn, Nuala MacDermott, Rob McMillan, Christian Nelissen, Bernie Robertson, Jason Robson, Dawn Whitmore and Nick Woodward.

We would also like to thank Macquarie Graduate School of Management’s Bob Hunt and Dave Musson who reviewed the early drafts and gave us valuable feedback.

We have been delighted by the skill and professionalism of the staff at Wiley, with special mentions to Sarah Booth, Lorna Skinner, Rachel Goodyear, Amelia Thompson and Trisha Dale.

Luke would like to give special thanks to his wife Louise and his sons Sam and Rowan for their support and understanding while this book was written.

Ernie would like to thank Amy and Alex whose love and encouragement made all this possible.


1 Thriving on risk

Every time we take a plane we are riding on a pinnacle of risk. The 400 tons of ‘impossibility’ takes off, gets to our destination and lands – almost always! We take the risk for business opportunities, recreation or just the fun of it. The world is one where we take risks, all the time. It is part of the human condition. It is also part of the business condition. Some of the risks come to the front of our radar; others fade into the background, of others we remain unaware. Logically, we would expect the higher risks to be up on the radar, and the lower risks to be in the background, but that is often not the case.

We need to take risks in every business venture. There is always a possibility that things won’t work out as expected. But it is essential that we do take risks. Any active strategy involves clear risks – that may make it unattractive – but a passive, do-nothing strategy also has risks. Typically these are not as clear and so are not as daunting. The important thing is to know what the risks are, to be aware of them and to have options available when the unfortunate eventuates.

This chapter is an executive summary of the book that gives the reader in a hurry access to the ideas, challenges and solutions that we offer. It also serves as a guide to the structure of the book, allowing you to identify your areas of most urgent need and proceed directly there. Of necessity detailed arguments and references are deferred to the later chapters. Chapters 2 and 3 present the IT governance framework and the IT risk portfolio – our two key tools. The subsequent chapters need not be taken sequentially but can be addressed on an as-needed basis. Bon voyage!

One of the challenges of dealing with risk is that there are inconsistent interpretations of the word. We will be using ‘risk’ to represent both an unwelcome outcome and the possibility of such outcomes occurring.

Risks aren’t weighed up and dealt with rationally. The squeaky door gets the oil – and the risk that pesters gets the attention. So we end up with disproportionate responses to different classes of risk and often completely ineffectual responses to some of the most severe.

The legal, social and financial penalties for driving while uninsured are sufficient to ensure that most people carry car insurance. But our driving behaviour may

be the higher risk and this is addressed only indirectly. We can imagine that only a very low percentage of risky or dangerous driving manoeuvres are detected.

And so it is with information technology (IT). IT has brought enormous benefits to business over the last 40 years: directly, through electronic products and IT-based services, and indirectly, through efficient inventories, supply chains, labour productivity and customer awareness. But against the successes of on-line stockbroking, retail distribution centres, flight reservation systems and the like, there is a pantheon of failures ranging from the London Stock Exchange Taurus project cancellation in 1993 to the strategic flop of the UK’s eUniversity in 2004.

These ill-starred initiatives can be ranked alongside some classic infrastructure failures: Auckland’s six-week electricity outage, massive when set alongside the short-lived but extremely serious disruptions in New York and Italy (Hinde, 2003). Information assets also represent a risk – ask CD Universe, whose 300 000 customer credit card details were stolen and used in an extortion attempt. Some of these risks we guard against, but others are disregarded, knowingly or otherwise.

Responses to IT risk are patchy. Organizations are far more likely to carry out standard back-up procedures to save data than to have IT projects that succeed. Yet the project may cost many millions – and the data that is safeguarded may not be the most valuable or critical. The risk in the selection of projects is also high – boards and senior management are seldom well equipped to make these decisions. IT has become an essential part of doing business, but organizations are seldom fully prepared for disruptions.

We aim to give you, in this book, ways of weighing up the risks and opportunities in IT and techniques to enable you to find the risks you want to take, and thrive on them.

The challenge

Businesses have reached a situation where IT is significant both to enterprises themselves and to individual business managers. What’s more, there are many risks. IT spans a spectrum from strategic decisions to operational continuity, with projects bringing organizational change in between.

The importance of IT to the modern enterprise screams out through high investment, the pervasiveness of the technology, our reliance on its continuing operation and the pain we suffer when it doesn’t work. But above all we see the strategic importance of IT through its critical role in building efficiencies and the ways in which IT enables business to make its strategic moves.

But you can’t survive simply by fighting yesterday’s battles. IT continues to develop rapidly and to provide opportunities to improve every facet of business. Innovations are not just in terms of computing, but increasingly in dramatic changes to communication and collaboration technology, linking directly and instantaneously to customers and suppliers.

The shine has been removed from the apple many times before, however. A high rate of failure has been experienced in the development, deployment and operation of IT – IT has proven to be high risk:

Development: Statistics, such as the long-running Standish Group CHAOS reports,1 show that IT projects generally do not deliver the benefits that were expected of them. It is commonplace that projects come in late and over budget – and many are not even completed. The impacts of IT failures have been significant for the costs of failed development, the loss of anticipated business advantages and for the organizational cost of failure.

Deployment: Increasingly IT is not ‘developed’ in-house but ‘deployed’. Packaged, off-the-shelf applications are implemented with great challenges in modification, integration and testing. Costs can vary from the trivial to many millions, yet management here can be patchy. Only the larger tasks are formally project-managed, and rarely do organizations keep track of the complex configurations of application, middleware and infrastructure.

Operation: The branch operation of a global corporation may have no direct responsibility for development or deployment of IT – this may all be handled by outsource partners, global fly-in teams or even remotely. Yet local management must ensure that the business keeps running and for this IT may be critical. Your managers need to know the risks that they are facing in trying to manage the service levels being provided to customers.

Strategic failure is often harder to detect – when the wrong initiative is promoted or the wrong vendor selected. In some cases a strategic decision involving IT can be a feint or market-quieting movement, and failure to deliver the IT may well be a strategic success. Loudly trumpeted ‘strategic-IT’ partnerships during the dot-com boom were often successful in keeping the share price of the ‘old-economy’ blue chips off the floor. They were quietly folded or downsized after the crash.

To cap it all, business managers should be answerable when IT fails – they’ll expect the kudos from success, after all. Their managerial decisions proposed using IT in business operations. The systems, procedures and processes that enable the business to function are their responsibility. Unfortunately, for many the thinking does not extend beyond return on investment or cost-benefit analysis.

Complications and deficiencies

Enterprises and managers don’t seem to have a decent way of dealing with IT risks. Firstly, the risks are not openly considered; secondly, there are few tools to keep the risks in view; and thirdly, there are inadequate organizational processes to respond to risk.

1 Accessible from www.standishgroup.com