My colleagues at Gartner and I have recently been discussing the importance of IT risk, often in the context of Cloud adoption, where the discussion is usually about the extent to which risks in the Cloud will slow adoption. (Our basic take on that question is some,but not enough to significantly impede the march to Cloud.) Some of my colleagues are skeptics about the potential impact of cloud failures; being a risk maven, I’m pretty bearish on the topic. The question my more bullish colleagues often ask is: how bad could it get, anyway? Has any company ever failed because of an IT risk come to fruition?
The answer is yes, of course. Cardsystems Inc. lost 95% of its revenues within 3 weeks of the breach it announced in 2005, and was sold shortly thereafter for a fraction of its pre-incident worth. ComAir didn’t fail as a result of the December 2004 incident in which their crew scheduling system went down on Christmas Eve, stranding an estimated 30,000 passengers during the Christmas holidays; however, the company lost 7% of its revenue for the year, a pretty big deal for an airline, and was the subject of an FTA investigation, which no one much enjoys. And the president of the company lost his job; not the CIO, the president. Most businesses would consider that to be a pretty steep price for IT failure.
The interesting thing isn’t that some companies have failed when their IT failed; the interesting thing is that the risks are almost certainly increasing. Plenty of executives don’t yet understand that while IT spend only represents 5% or less (on average) of enterprise revenues, the impact of IT on revenues is far higher than that. To put it another way, many executives don’t yet realize that their businesses don’t run much, if at all, without IT, and when IT is misused or fails, the impacts can be very large indeed. The recent events involving the Knight Capital Group make it clear how far we’ve come in terms of the importance of IT risks.
According to this NY Times article, Knight Capital Group lost $440 million on Wednesday in a matter of a few minutes when a “computer glitch” resulted in the purchase of a very large pile of stocks on behalf of the company. (The losses were incurred when the stocks were sold.) I quote the Times:
“In its statement, Knight Capital said its capital base, the money it uses to conduct its business, had been ‘severely impacted’ by the event and that it was ‘actively pursuing its strategic and financing alternatives.'”
The Times added: “The losses are greater than the company’s revenue in the second quarter of this year, when it brought in $289 million.” The article goes on to quote Christopher Nagy of KOR trading as saying that this might be “the beginning of the end for Knight.”
So the basic story is that Knight put in a new trading system; the system went haywire; the malfunction produced $440 million in losses in less than 5 minutes; and the company may fail as a result. Let there be no doubt: in the modern era companies fail because of IT misuse or failure. Period. This is not the same as civilization failing, of course. But it’s pretty serious for the owners and employees (and maybe customers) of Knight Capital Group.
What this means is that it’s more important than ever for IT professionals to make the connection for the rest of the executive team between what IT does and what everybody in the enterprise does with IT–to identify clearly what business outcomes might result from an IT failure. It’s possible that doing so would not have prevented this incident; I have no idea how many tests would have been necessary to discover and eliminate the “glitch” that cost Knight Capital Group $440 million. But I wonder whether the executive team at Knight was fully aware of just how bad a “computer glitch” could be–and I know that executives at many other companies are not.