The challenge of managing risk when IT budgets tighten
I see an interesting sea change when it comes to risk: Thanks to the recession, as IT risk management is constrained by tightening IT budgets, the risk of doing business goes up.
As part of my security, compliance and disaster recovery coverage this year, I’ve listened to a lot of experts talk about the how-tos of risk management, such as how CIOs need to stop taking a checklist approach to regulatory mandates and forge a risk-based strategy for compliance. Or how security officers still taking a buy-another-gadget approach to security will lose their jobs if they don’t focus on risk management. All this sounds good, as it implies that a rational scrutiny of risk can save companies money by focusing the available dollars on the most likely scenarios. But the reality is much worse.
A CIO I talked to this week has seen his IT budget cut by more than 50% over the past few years. He’s in the newspaper business, an industry whose business model has been beaten up worse than most in this recession, so the necessity to cut costs is not unexpected. To help keep the company afloat, he’s dropped maintenance contracts, including on some mission-critical systems. He’s walked away from a premier — albeit difficult-to-work-with — longtime database vendor to save more than $100,000 for his company.
“Sometimes the gamble has paid off, and other times we have paid for it,” he said.
A few months ago, he had some equipment fail. Under his higher service level agreement, the components that failed would have been replaced almost immediately, in two hours at most. In the new reality, the provider had to fly the parts in from a neighboring state. “We were down for about 12 hours, and it was mission critical,” he said. These were the internal networks for about 40% of the company. People affected couldn’t use email or store files.
Risk management makes these decisions all sound so, well, manageable. As the recession shows, however, CIOs can research the IT-related risks to their enterprise, plotting out every what-if scenario in the IT playbook, and still be surprised or, worse, undone by elements unimagined and unimaginable based on past experience. That’s when the person in charge has no choice but to be a risk taker. And be brave.