Gartner Blog Network

Blunderfunding: How Organizations Use Failure as a Basis for Budgeting

by Doug Laney  |  January 17, 2012  |  3 Comments

A major Wall Street securities ratings firm ignores the recommendations of a consultant report it paid for on rating collateralized debt obligations (CDOs), contributing to the collapse of the mortgage industry, the near-collapse of the banking industry and a multi-year global recession requiring trillions of government (taxpayer) dollars to avoid a full-blown Depression.

A major video game maker has millions of user IDs and credit card numbers pilfered, and spends many times more than was actually lost in revenue on bolstering its online security.

Thousands of credit cards belonging to Israeli citizens are exposed, resulting in an actual military build-up in response.

A major retailer gets slammed by a Twitter and Facebook barrage, then decides to implement a social media program.

A shipping line suffers numerous attacks by pirates off the Somali coast. They spend millions paying ransom, beefing up security and reconfiguring routes.

The US Post Office continues to borrow from government coffers to run at a financial loss without making changes to its business model. Raising postage rates only exacerbates the problem.

And an online shoe retailer announced yesterday the potential exposure of account information for as many as 24 million customers. What level of investment will they have to make to prevent this kind of event, let alone to identify and tie up other loose ends?

True, major snafus are a part of business life, but knee-jerk budgeting in their immediate aftermath to prevent similar future incidents shouldn’t be.  In a recent online discussion of the topic I referred to this kind of behavior as “blunderfunding.” So let’s make it official:

blunderfunding [BLUHND-er-FUHND-ing]

1. basing the level of investment in a business initiative upon the amount of loss incurred from a recent mistake or mishap
2. making a hasty outlay for a project to deflect or cover up for those responsible for a mistake
3. allocating monies or budget to fix a problem symptom rather than its actual cause

Tweet by Gartner analyst Doug Laney on 13 Jan 2012

“blunder”: n. a mistake, v. to make a mistake
“funding”: [fund] n. a collection of money for a specific purpose, v. to allocate money for a specific purpose

While examples of enterprise-scale blunderfunding make regular headlines, it is also pervasive throughout lower levels of most organizations. Examples include buying “caution cones” to place where recently washed floors may be slippery only after a hurried person or two did a back-side plant, or overhauling server farm air conditioning after overheating resulted in degraded online customer response times.

Some of these blunderfunded investments may be perfectly justified. That is, the outlay is less than the risk-adjusted cost of their recurrence, and addresses the actual cause. In other cases the risk-adjusted loss (financial loss × the probability of recurrence) is much lower than the budget allocated to prevent any such problems in the future. Worse, and perhaps more frequently, money is allocated to fix, repair or even hide the symptom rather than resolve the root cause of the problem.

Organizations tend to compound the damage by neglecting to:

  • calculate the actual economic loss
  • estimate the likelihood of re-occurrence
  • identify similar possible incidents
  • compute the risk-based loss potential of future incidents
  • discover the factors that led to this incident
  • deal directly with the root cause(s), and avoid funding their resolution

What we’ve got here is also a recipe to avoid blunderfunding.

So why is it that most of the blunderfunding we see is related to information mishandling, misappropriation and misuse? I believe this is because information assets are more easily accessed, more often in movement, and more easily transported. In addition, since information “theft” or “usage” almost never actually involves its depletion in any way (i.e., it’s merely copied, not deleted), instances of information breach are that much harder to recognize. Finally, because information assets are not regularly covered by property rights laws, perpetrators, if caught, can get off easier than if they’d stolen actual “balance sheet” assets.

Just imagine, if you’re a criminal, what kind of loot would be better to heist than one in which:

  • You steal it by sitting at your desk rather than scaling walls, dealing with armed guards or blowing up safes
  • After you steal it, it still remains in place (as if nothing happened)
  • You don’t need a fast truck to carry it off
  • It is the kind of asset that increasingly makes up a large part of a company’s overall valuation
  • Companies don’t measure its economic value, so they typically fail to manage or secure it with the same discipline as their traditional assets
  • You can sell it multiple times to multiple black-market buyers (even on Amazon-like marketplaces)
  • The courts only sometimes consider it to be covered under property laws

I’m not advocating cyber crime, merely stating why organizations need to be proactive rather than reactive in securing their information assets, and to do so based on these assets’ actual computed value. The alternative is blunderfunding…and potentially more unwelcome headlines.

You can follow Doug on Twitter @doug_laney


Doug Laney
VP and Distinguished Analyst, Data & Analytics Strategy
12 years at Gartner
30 years in IT industry

Doug Laney is a research vice president and distinguished analyst with Gartner. He advises clients on data and analytics strategy, information innovation, and infonomics (measuring, managing and monetizing information as an actual corporate asset). Follow Doug on Twitter @Doug_Laney.

Thoughts on Blunderfunding: How Organizations Use Failure as a Basis for Budgeting

  1. The phenomenon of “blunderfunding” is due to the industry’s inability to predict blunders. Since we don’t know how to predict when a “blunder” (such as a security breach) will occur, our only alternative is to react after the blunder has occurred.

    There are two problems with blunderfunding. First, it is much more expensive to fix a blunder than to prevent a blunder. Second, there is often considerable collateral damage due to the blunder event that is not fixable, such as loss of customer good will.

    The alternative to blunderfunding is blunder prevention. Blunder prevention focuses not on the blunders themselves, but on the underlying cause of those blunders. Blunder prevention is an intentional IT strategy to identify and eliminate the cause of blunders.

    There is overwhelming evidence that the direct cause of most categories of IT blunders is IT complexity. If this is true, then we can institute a blunder prevention strategy by instituting a complexity management strategy. But such a strategy needs to be more than a platitude. It needs to be a realistic approach to treating simplicity as a key IT deliverable, one that deserves planning and resources.

    Blunders are not the disease. They are merely symptoms of the disease. The disease is complexity. Preventing the disease is not easy or cheap. But it is much easier and cheaper than rehabilitating the patient after the disease has run its course.

    – Roger (Twitter: @RSessions)

  2. Doug Laney says:

    Thanks for the read and the great comment, Roger. Yes, “blunders” are often less costly to fix before they happen, that is, if you don’t need to spend a lot of time and money discovering the root cause. Sometimes, an error is actually easier & cheaper to repair (e.g. software) after it’s been discovered, rather than over-engineering for error prevention…especially if you’ve indemnified yourself.

    The point of this post though is that orgs shouldn’t base their prevention budget upon the cost of an actualized blunder, but rather on a risk-adjusted cost of its recurrence (especially after they’ve fixed it!). This is usually overkill and shows a lack of rationale.

  3. The problem is that blunders are like roaches. Where there is one, there are a bunch more behind the wall. Best to get rid of the garbage that feeds them.

    Dealing with complexity is easiest early on in the project. The longer you wait, the more it costs and the more you will spend fixing preventable blunders. We can’t predict how complexity will cost us money. But we can predict with certainty that it will cost us money.

    So my main point is, don’t worry about the cost of cleaning up the symptoms. Take preventive medicine before the symptoms appear.
