On 25 April 2013 the Chicago Board Options Exchange was down for half a trading day, halting trading in options on two very important indexes. IT risk is not just a technical problem, handled by technical people and buried in IT, yet many executives still have not gotten the message.
On 1 August 2012, test application code was run in a live production environment at the trading firm Knight Capital in New York. In 45 minutes, $440 million was lost and the firm almost had to close its doors. Both incidents demonstrate that IT risk has business consequences.
As we note in our report, IT Risk Has Real Business Consequences; Lessons From Knight Capital, the key findings are:
· Non-IT executives do not generally understand the impact of IT risk on business outcomes.
· IT organizations do not always apply appropriate controls to address reasonably anticipated IT risks.
· Good risk management practices are not sufficiently formalized in many organizations, reducing their effectiveness.
We recommend that organizations:
· Develop a business case and an appropriate communications plan to help non-IT executives understand the business impact of IT risk.
· Develop appropriate controls to address reasonably anticipated IT risks.
· Integrate risk management and corporate performance in a formal IT risk program to appropriately manage IT risks.
The Knight Capital and CBOE incidents offer several lessons that apply to every organization, especially those with a heavy dependence on technology.
· Do not run test code on production systems.
· When IT and business process failures occur, you have an opportunity to strengthen controls and institutionalize good practices.
· Preventive controls can limit the damage a failure does.
· Compensating controls give powerful protection when applied in layers, each effective on its own and stronger in combination.
· Process controls must work in concert with technical controls.
· Application development should embed controls to protect against reasonably anticipated risk.
· In highly complex environments, risk management must be correspondingly aggressive, comprehensive and tailored to the systems it covers.
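The lessons above about embedding and layering controls, as an added example in Python that is not code from Knight Capital, CBOE or Gartner: a hypothetical order router whose start-up refuses to run test code in production, and whose submit path stacks three compensating controls (a per-order sanity check, a per-second rate limit and a cumulative-notional kill switch). The router, the limits and the order values are constructed for the illustration; the runaway loop mimics a process that keeps resubmitting the same order, the kind of fast, repeating failure the post describes at Knight Capital.

```python
"""Layered (compensating) controls in a hypothetical order router.

Added illustration for this post; it is not Knight Capital's, CBOE's or
Gartner's software. Limits, prices and quantities are constructed sample values.
"""
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when a hard control stops the router; callers must not retry blindly."""


def can_start(environment: str, test_mode: bool) -> bool:
    """Preventive control: test code must never start in production."""
    return not (environment == "production" and test_mode)


@dataclass(frozen=True)
class Order:
    symbol: str
    qty: int
    price: float  # constructed per-share price used to compute notional


@dataclass
class RiskLimits:
    max_order_qty: int = 10_000            # layer 1: per-order sanity check
    max_orders_per_second: int = 50        # layer 2: message-rate limit
    max_gross_notional: float = 5_000_000  # layer 3: cumulative kill switch


@dataclass
class OrderRouter:
    environment: str
    test_mode: bool
    limits: RiskLimits = field(default_factory=RiskLimits)
    sent: list = field(default_factory=list)
    gross_notional: float = 0.0
    halted: bool = False
    _window: int = -1          # current one-second window
    _window_count: int = 0     # orders sent in that window

    def __post_init__(self) -> None:
        if not can_start(self.environment, self.test_mode):
            raise ControlViolation("test_mode is enabled in production; refusing to start")

    def submit(self, order: Order, ts_ms: int) -> bool:
        """Return True if the order was sent, False if a soft control rejected it.

        Raises ControlViolation once the kill switch has tripped.
        """
        if self.halted:
            raise ControlViolation("router halted by kill switch")

        # Layer 1 (soft): reject an individual order that is obviously wrong.
        if order.qty <= 0 or order.qty > self.limits.max_order_qty:
            return False

        # Layer 2 (soft): cap the number of orders sent per one-second window.
        window = ts_ms // 1000
        if window != self._window:
            self._window, self._window_count = window, 0
        if self._window_count >= self.limits.max_orders_per_second:
            return False

        # Layer 3 (hard): many individually acceptable orders can still add up to a
        # loss the firm cannot absorb, so halt everything at a cumulative cap.
        notional = order.qty * order.price
        if self.gross_notional + notional > self.limits.max_gross_notional:
            self.halted = True
            raise ControlViolation(
                f"gross notional would exceed {self.limits.max_gross_notional:,.0f}")

        self._window_count += 1
        self.gross_notional += notional
        self.sent.append(order)
        return True


def simulate_runaway(router: OrderRouter, order: Order, n: int, step_ms: int = 10) -> dict:
    """Feed the same order n times, step_ms apart, as a stuck loop would.

    Returns how many orders were sent, how many a soft control rejected, and the
    iteration at which the kill switch halted the loop (None if it never did).
    """
    stats = {"sent": 0, "rejected": 0, "halted_at": None}
    for i in range(n):
        try:
            if router.submit(order, i * step_ms):
                stats["sent"] += 1
            else:
                stats["rejected"] += 1
        except ControlViolation:
            stats["halted_at"] = i
            break
    return stats


if __name__ == "__main__":
    child = Order("XYZ", qty=1_000, price=50.0)  # constructed: 50,000 notional each
    unlimited = RiskLimits(max_order_qty=10**9, max_orders_per_second=10**9,
                           max_gross_notional=float("inf"))
    print("no controls:", simulate_runaway(OrderRouter("production", False, unlimited), child, 10_000))
    print("layered:    ", simulate_runaway(OrderRouter("production", False), child, 10_000))
```

Run as a script, the router with no limits sends all 10,000 orders (500 million in notional); with the default limits the rate limit rejects the excess in each second and the kill switch stops the loop at the 200th submission, after 100 orders and 5 million in notional. Each layer is useful on its own, but only the cumulative cap catches a stream of orders that are individually within limits, which is why the controls are applied together rather than relying on any single one.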
Good risk management should lead to better business decisions. Organizations must separate IT operational risks that can be managed within IT from IT risks with genuine business impact. This is done by identifying business outcomes, the business processes that produce them and the IT those processes depend on.
Creating risk-adjusted value chains will embed risk thinking in management decisions, and surface IT risks like those suffered by Knight Capital (see "Improve Business Decision Making With Risk-Adjusted Value Management: Creating Risk-Adjusted Key Performance Indicators").
Formalizing a risk program with a charter, a process catalog, a risk assessment methodology and a risk register, and linking these aspects to the performance potential of the firm, will provide a foundation to promote the benefit of risk management to the non-IT parts of the business (see "Six Required Elements of Effective Risk Management").
You need to be a Gartner client to read the Gartner reports.