You might wonder when lightning will strike your IT shop, but it’s easier to prevent than you might think. When lightning struck Knight Capital in the US, it hopefully was a one-time event. Yet, why has this bolt struck so many times elsewhere? To prevent a strike, leaders need to take three key lessons to heart.
On 1 August 2012, an installation problem in Knight Capital’s software blasted out a gusher of erroneous stock trade orders. After trading out of all those errors, Knight suffered a pre-tax loss of about US $440m. That’s an Olympic-sized loss that happened almost as fast as a star athlete’s stumble in London.
US Securities Exchange Commission chairman Mary Shapiro remarked: “Reliance on computers is a fact of life not only in markets everywhere, but in virtually every facet of business. That doesn’t mean we should not endeavour to reduce the likelihood of technology errors and limit their impact when they occur.”
Endeavour how? Should we do more of the same? Recall high-profile software release errors – stock exchanges in Germany and Japan (twice), bank in Canada (twice) and a leading wireless network. These headline-grabbing failures are just a fraction of broader IT-related business risks that include investment/portfolio, program/project and operational (operationally stable, available, protected and recoverable). What must change?
Olympic athletes change when a technique isn’t working, and so must we. Companies can change their game to better prevent incidents, enable faster business value creation, and avoid the wasted time and money that too often accompany risk management.
Three lessons in managing risk
First, focus on the objective. Manage IT-related risk to business performance objectives. In team sports, it’s not just about defence; it’s about more safely moving on offense. This scores in sport and creates growth in the economy. Further, with focus on performance, risk management can more deeply engage the organisation, embedding in every decision and process needed to reach the objectives.
Second, learn from history. Companies caught in the frenzy of “now” ignore the methods and painful lessons of the past. For example, nearly 100 years of refined method in reducing both process and hazard risk is largely unknown in most risk management organisations. Instead, the wheel is reinvented, often drawing on post-Sarbanes-Oxley financial reporting and compliance-based approaches that structurally don’t fit in changing and complex environments such as IT. That’s like each year’s Olympic swimmers starting with the doggy-paddle.
Third, properly frame the problem. IT is a complex and changing system. Dependencies must be understood. Typical collections of controls and compliance bandages leave companies forever shocked and rocked by the latest incident. The expectation should be that problems (malicious, natural, accidental and volume-related) will arise and plan B must be ready (if only London Mayor Boris Johnson had one of those for his zip wire act). In short, a systematic fix for a system is needed to avoid painful surprises.
In summary, leaders must act to shift from:
- Compliance/control-driven to performance/systems-driven risk management;
- Reinventing the wheel to learning from history (situations and methods);
- Conducting tick-box exercises to rigorously asking "what if?";
- Compliance overlay activities to embedding risk awareness in daily decision-making and processes;
To speed this shift, Isaca’s Cobit 5 and risk IT guidance can provide a more systematic roadmap to avoiding gaps and focusing on risk to business objectives.
Brian Barnier is risk advisor with Isaca and principal analyst at ValueBridge Advisors.