
Forget about IT as an enabler.

Forget about IT as a constraint.

Let’s talk about IT as a risk.

Technology as a risk blind spot

As a company director, you are made aware of the main risks in the organisation and how these risks are being monitored and managed. “Risk Management” is likely to be a standing item on the Board agenda.

But technology risk is a common blind spot in these Board-level discussions.

There are two potential reasons:

  1. The organisation has a very effective IT function, with a well-resourced IT Risk team. Because risks are being identified and managed, there are no significant technology risks that need to be presented to the Board.
  2. The Board does not have the full picture. The organisation is not thinking about technology as a risk. It’s just not on the risk radar.

When I start to work with Boards, I usually see evidence of the latter.

Why does this happen?

Risk ≠ Likelihood. The Past ≠ The Future.

When most people think about “risk”, they focus on the likelihood of something happening.

And when assessing the likelihood, they use past experience to decide the likelihood of the event occurring in the future.

Everything has worked fine up to now, so it will be fine into the future.

If technology has provided 100 days (or 10 years) of flawless service, many assume the technology will continue to provide flawless service.

And if they believe likelihood is low, they believe the risk is low.

Just like a turkey that assesses the ‘risk’ of Christmas as low because its past 300 days of a good life suggest the ‘likelihood’ of such an event in the future is low.

The likelihood of a technology failure may be low.

But it is probably not as low as they think.

And the likelihood is seldom zero.

Risk = Likelihood x Impact

As a director, you know risk is more than just likelihood. It’s also about impact.

And it’s when we think about the ‘impact’ of a technology failure that we start to pay attention.

What’s the impact if the organisation has no email system for 3 days?

What’s the impact if the organisation loses all historical emails forever?

When an organisation sees that the impact of an event could be catastrophic (even if the likelihood of its occurrence is low), it will work hard to reduce both the likelihood and the impact of the event.

Only then can it say it is truly managing its risks.

Two simple questions to ask about your organisation’s IT and risk management:

  1. What are we doing to minimise the likelihood of a failure in our key technology (e.g. email / file shares / CRM / ERP / Accounting)?

    [Red flag: An answer that assumes Microsoft or another cloud provider won’t have a failure]
  2. What are we doing to minimise the impact of such a failure?

    [Red flag: An answer that mentions backups but doesn’t mention a recent successful test of those backups]