Our world is increasingly dependent upon technology. With this dependence, comes enormous risk. The risk of failure. The risk that technology will fail in some way, and not do the job we depend upon it to do. In this collection, we will consider information technology risk and how we can reduce and manage this risk for our organization.

Information technology risk is now everywhere, because computers and code are everywhere. Your television has a computer in it, as does your washing machine, your car as well as your microwave oven. Many traditional businesses are now largely electronic, run mostly by software. This includes much of the financial industry and retail banking, where most products, except the most exclusive ones for the richest customers, are indeed just manifestations of software at play. Think about the last time you applied for a credit card. In all likelihood, everything went through your bank’s website without needed a human.

When we speak of technology risk, cyber-attacks, data breaches and hacking come to mind. These are a very important category of technology risk. So much so that information security and cybersecurity budgets can be the largest component of the technology risk spending in an organization. However cyber-attacks are not the only type of technology risks. There are various ways technology risks can let us down, and it is important to think about those for a bit.

In the last twenty years, we have seen large portions of our economy, work, and personal lives get digitized. Social interactions are electronic, invoices are exchanged electronically, our kids study electronically and entertainment is mostly delivered through electronic means. Most white collar work is now done in front of a computer and the output produced is nearly all digital. Our money, retirement savings, all are often just pixels on a computer screen. In the coming years, this move to digitization, and having a computer in everything we touch in our daily lives, will continue. Even traditional blue collar jobs depend heavily on the ability of operators and craftsmen to use and leverage computers and digital tools.

Most of these computers are connected, and rely upon the network for providing us the services we demand of them. This connectivity gives them their power and utility, and as it turns out, is also a key weakness.

Risks and Controls

Enterprises exist to achieve certain objectives. For example, making profits, or serving customers, or staying compliant with the law, or protecting the nation if you are the armed forces, are all examples of organizational goals. Technology risks need to be thought of and understood in terms of these goals. The question to ask is – what kind of technology failures can get in the way of the enterprise achieving its goals? And asking and answering this question honestly and effectively holds the key to effectively managing technology risks.

Following the above line of thinking, the first question to answer is how dependent the enterprise on technology, and in what forms? Often, the answer is ‘extremely dependent’. But before we go there, let us think for a moment about the impact of technology risk on our personal lives. Technology risk affects our personal lives and livelihoods just as it is something for companies and businesses to think about. Let us consider a hypothetical work-from-home worker. Her internet connection is absolutely necessary for her to be able to do her job, and by implication, earn a living. She is also incredibly dependent on her laptop to connect to her work. What happens if someday her ISP, which to her is a third-party, fails her and the internet goes down? Can she switch to the hotspot on her cell phone? Or what happens if her power goes out? Does she have access to a backup power source to get her back online? If her hard drive crashes, does she have a spare laptop to use while the primary one is repaired? How about recovering her spreadsheets and slides if the hard drive has to be replaced? Could she accidentally pilfer data through her file sharing app making her company look bad in the newspapers, potentially leading to her losing her job? How about her accidentally clicking a malicious link and having her laptop become victim to ransomware? The list of these dependencies, and the risks that arise from them may not be very long, but these are analogous to the risks any enterprise faces.

Companies normally plan and very systematically prepare for such scenarios. They also put in place extra processes, additional hardware, checks and other capabilities to avoid the harm if any of the harmful scenarios were to become real. These extra efforts – called “controls” – do not come free. They cost money, because someone has to think about them, then implement them and keep them running. Controls offer protection against risks, and in the rest of this collection of articles we will consider the controls and the mechanisms enterprises have to put in place to take care of technology risks.

Controls do not offer a guarantee that bad things will not occur. In spite of an enterprise’s best efforts, harm can still occur. It is important to realize that implementing controls to manage risks helps one alter the odds of things going wrong. By the way, ‘risk’ can be understood as things going wrong in a way that adversely affects the enterprise’s ability to realize its goals. Managing risk reduces the odds of the risk being realized, but often does not completely eliminate the risk (though sometimes it can). As was noted earlier, risk management, primarily implemented through controls in the form of processes, oversight, technical tools, code etc, costs money. Generally, if done right, the more money a business spends on risk management, the less is the probability of bad things happening.

So risk management is really about playing with odds. Spend more on risk management, and the odds improve in your favor. Beyond a point, even large amounts of effort (of which money is a proxy) may only bring about very slight improvements in odds and it may not be worth it to expend that level of effort. The question then becomes as to where is the point, the sweet spot, where we can draw a line to say that this is the extent to which we would like to reduce our risk, and no more, because beyond that point it is too much work for too little reward.

Unfortunately, the sweet spot that tells us the precise location of the trade-off between the expense of risk management and benefit from reduced risk has to be determined separately for each enterprise (and person). Every enterprise, indeed every person, has a different capacity to stomach risk. Quite appropriately, this ability to live with a certain level of risk is called ‘risk appetite’. Risk appetite doesn’t stay constant, it can, and should, vary with time and be responsive to the external environment.

For our hypothetical work-from-home worker, she might assess the risk of her internet going down to be very low, because it has never happened in the past many years. She may choose to not pay another ISP for a different ‘just-in-case’ internet connection. But her assessment of the power situation, which she has lost several times after storms in the past few years may be different. She may choose to buy a UPS system that could see her through several hours of an outage, or even a portable generator that could keep her on for days.

To reduce her risk further, she may choose to remove the peer-to-peer file sharing application from the computer she uses for work. She may also just decide to be a little extra careful when clicking links that arrive in unknown emails.

All of these decisions are risk decisions. These reflect how she assesses risk, and how she chooses to manage it. All of these cost money, time, or convenience. None of these offer a complete guarantee against failures, but help her be better prepared should something bad happen.

Enterprises make risk decisions relating to technology applying a similar way of thinking – consider what can go wrong, would it be okay if it did, what can be done to mitigate impact, and what investments do need to be made to be better prepared. But enterprises are far more complex creatures than our hypothetical work-from-home worker because they are a collection of dozens, and sometimes hundreds of thousands of people spread across locations that need to march in the same direction to meet their goals. Risk decisions need to then make sense for not just the individual, or the team, but for the entire enterprise. Therefore risk management and risk decisions for these are complex and require extensive thought and effort that may take months of upfront work just to assess the situation and identify the risk management options. Quite unlike our simple work-from-home worker’s situation where she only had to consult herself for her decisions.

In the remainder of this eBook, we will look at the main functions of a technology risk function, the key programs and projects that most organizations need to have in place, and how to represent to management the benefits from the money spent on technology risk.