by Paul Proctor | April 26, 2013 | Comments Off
On 25 April 2013 the Chicago Board Options Exchange was down for half a day, preventing trading on two very important stock indexes. IT risk is not just a technical problem, handled by technical people, buried in IT. Many executives still have not gotten the message.
On 1 August 2012, test application code was run in a live production environment at the trading firm Knight Capital in New York. In 45 minutes, $440 million was lost and the firm almost had to close its doors. These incidents demonstrate that IT risk has business consequences.
As we note in our report "IT Risk Has Real Business Consequences; Lessons From Knight Capital":
· Non-IT executives do not generally understand the impact of IT risk on business outcomes.
· IT organizations do not always apply appropriate controls to address reasonably anticipated IT risks.
· Good risk management practices are not sufficiently formalized in many organizations, reducing their effectiveness.
· Develop a business case and appropriate communications plan to help non-IT executives understand the business impact of IT risk.
· Develop appropriate controls to address reasonably anticipated IT risks.
· Integrate risk management and corporate performance in a formal IT risk program to appropriately manage IT risks.
Using the incidents at Knight Capital and the CBOE as examples, there are several lessons to be learned that apply universally to all organizations, especially those with heavy technology dependence.
· Do not run test code on production systems.
· When IT and business process failures occur, you have an opportunity to strengthen controls and institutionalize good practices.
· Preventative controls can limit damage.
· Compensating controls can be powerful protection if applied jointly and severally.
· Process controls must work in concert with technical controls.
· Application development should embed controls to protect against reasonably anticipated risk.
· In highly complicated and complex environments, risk management should be appropriately aggressive, comprehensive and applicable.
Good risk management should influence better business decision making. Organizations must separate IT operational risks that should be kept within IT from IT risks that have genuine business impact. This can be done by identifying business outcomes, related business processes and IT dependencies.
Creating risk-adjusted value chains will embed risk thinking in management decisions, and surface IT risks like those suffered by Knight Capital (see "Improve Business Decision Making With Risk-Adjusted Value Management: Creating Risk-Adjusted Key Performance Indicators").
Formalizing a risk program with a charter, a process catalog, a risk assessment methodology and a risk register, and linking these aspects to the performance potential of the firm, will provide a foundation to promote the benefit of risk management to the non-IT parts of the business (see "Six Required Elements of Effective Risk Management").
You need to be a Gartner client to read the Gartner reports.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.