KPMG says businesses do not take IT risks seriously enough

UK businesses are paying out £410,000 per year for unplanned IT problems, a study from KPMG has warned

An average of 776,000 individuals were affected and around four million bank and credit card accounts were compromised by each IT failure.

Over 50% of IT problems were caused by coding errors or failed IT changes, according to a study from KPMG.

KPMG’s Tech Risk Radar highlighted the case of a utility company facing a £10m fine when technical glitches occurred during the transfer to a new billing system. Customers did not receive bills for months, were then sent inaccurate payment demands, and were refused prompt refunds when the company eventually acknowledged the errors.

In November 2014, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) jointly fined the Royal Bank of Scotland (RBS) £56m for an IT outage that left customers unable to access their bank accounts, but said underinvestment was not the cause.

IT at the heart of business

Commenting on the challenges facing the banking sector, KPMG partner David DiCristofaro said: “Banks are under pressure. Rationalising relationships by cutting numbers and consolidating external suppliers can help. Banks should also focus on the underlying contracts related to supplier relationships.”

Jon Dowie, partner in KPMG’s Technology Risk practice, said: "Technology is no longer a function in a business which operates largely in isolation. It is at the heart of everything a company does and, when it goes wrong, it affects an organisation’s bottom line, its relationship with customers and its wider reputation."

The study found 7.3% of reported events resulted from human error. KPMG said this shows that basic investments in training are being ignored – at the employers’ expense.

Dowie said: "With ever greater complexity in IT systems – not to mention the challenge of implementing IT transformational change – companies are running to stand still in managing their IT risks.

"The cost of failure is all too clear. It is crucial for both public and private sector organisations to understand the risks associated with IT, and how they can be managed, mitigated and avoided."

Matching risk assessment with investment

Data-loss related incidents continued to be a major problem for all industries. KPMG found a significant number of those (16%) were unintentional.

As Computer Weekly previously reported, the Information Commissioner’s Office (ICO) served a £180,000 penalty on the Ministry of Justice for “serious failings” in personal data protection at prisons in England and Wales.

"Investment in technology will continue to rise as businesses embrace digital and other opportunities, but this needs to be matched by investments in assessing, managing and monitoring the associated risks. At a time when even our regulators have shown themselves to be vulnerable to technology risk, no-one can afford to be complacent," Dowie said.

In a warning to the insurance sector, Dowie said: “I believe there is a real threat that resources and management will once again be distracted and diverted by the final stages of the implementation of Solvency II in time for January 2016.