Actu
Brian Barnier, ISACA: 440 million reasons to learn three IT risk lessons
August 2012 by Brian Barnier, risk advisor with ISACA, principal analyst of ValueBridge Advisors and author of The Operational Risk Handbook
You might wonder when lightning will strike your IT shop, but it’s easier to prevent than you might think. When lightning struck Knight Capital, it hopefully was a one-time event. Yet, why has this bolt struck so many times elsewhere? To prevent, leaders need to take three key lessons to heart.
On 1 August 2012, an installation problem in Knight’s software blasted out a gusher of erroneous stock trade orders. After trading out of all those errors, Knight suffered a pre-tax loss of about US $440 million. That’s an Olympic-sized loss that happened almost as fast as a star athlete’s stumble in London.
US Securities Exchange Commission Chairman Mary Shapiro remarked, “Reliance on computers is a fact of life not only in markets everywhere, but in virtually every facet of business. That doesn’t mean we should not endeavor to reduce the likelihood of technology errors and limit their impact when they occur.”
Endeavor how? Should we do more of the same? Recall high-profile software release errors – stock exchanges in Germany and Japan (twice), bank in Canada (twice) and a leading wireless network. These headline-grabbing failures are just a fraction of broader IT-related business risks that include: investment/portfolio, program/project and operational (operationally stable, available, protected and recoverable). What must change?
Olympic athletes change when a technique isn’t working, and so must we. Companies can change their game to better:
• Prevent incidents
• Enable faster business value creation
• Avoid the wasted time and money that too often accompany risk management
Three Lessons:
First, focus on the objective. Manage IT-related risk to business performance objectives. In team sports, it’s not just about defense; it’s about more safely moving on offense. This scores in sports and creates growth in the economy. Further, with focus on performance, risk management can more deeply engage the organization, embedding in every decision and process needed to reach the objectives.
Second, learn from history. Companies caught in the frenzy of “now” ignore the methods and painful lessons of the past. For example, nearly 100 years of refined method in reducing both process and hazard risk is largely unknown in most risk management organizations. Instead, the wheel is reinvented, often drawing on post-Sarbanes-Oxley financial reporting and compliance-based approaches that structurally don’t fit in changing and complex environments such as IT. That’s like each year’s Olympic swimmers starting with the dog-paddle stroke.
Third, properly frame the problem. IT is a complex and changing system. Dependencies must be understood. Typical collections of controls and compliance bandages leave companies forever shocked and rocked by the latest incident. The expectation should be that problems (malicious, natural, accidental and volume-related) will arise and plan B must be ready (if only London Mayor Boris Johnson had one of those for his zip wire act). In short, a systematic fix for a system is needed to avoid painful surprises.
In summary, leaders must act to shift from:
• Compliance/control-driven to performance/systems-driven risk mgmt
• Reinventing the wheel to learning from history (situations and methods)
• Conducting tick-box exercises to rigorously asking "what if?"
• Compliance overlay activities to embedding risk-awareness in daily decision-making and processes
To speed this shift, ISACA’s COBIT 5 and Risk IT guidance can provide a more systematic roadmap to avoiding gaps and focusing on risk to business objectives.
http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=226
