IT risk is the ability of a failure to impact the business: a downed server, a lost Internet connection, application bugs, and so on. I just started reading this book to brush up on my ability to convey the risks involved in a business decision. The book opens with the story of when Comair couldn’t fly over the Christmas holiday in 2004. I remember that very well, because it was a nightmare to get into or out of Cincinnati. My Comair flight to visit family was canceled due to a lack of deicing fluid, so they put a bunch of us on a 757 and flew us to Atlanta, where I caught another plane to the final destination. But my return flight back was canceled because Comair couldn’t get the scheduling computer to work, and I was lucky to catch an ASA flight back to Cincinnati.

“Our research shows that most IT risks arise not from technical or low-level people issues but from the failure of the enterprise’s oversight and governance processes for IT” (p. 7). I’ve seen this happen more than I care to admit…and sometimes through my own fault. We get into the mindset of supplying the solution to a problem quickly because business managers are breathing down our necks, and we don’t think about how one change or piece of software will impact the rest of the company’s systems. When I worked at a .com company, I felt this firsthand. “Internet time,” we used to call it. Changes that would normally have taken a month to spec out, develop, test, and implement got done in less than a week. But we were fighting the wave of new entrants into the market and had to be the first to market with the new features. Luckily, a person was hired as CIO who understood the risks involved and began to mitigate those risks. I learned a lot from her over those two years. Now I insist on adequate design and testing prior to implementation of a new feature to the software, and in the process I have kept downtime in the past few years to less than 15 minutes per year (sometimes no downtime).

It’s a lesson I try to teach those who work for me: always think the situation through before acting. I’ll never “talk to” someone for insisting on a thorough needs assessment. Assumptions are too often overlooked during the “this is what I want” stage, and development is headed down the wrong path before anyone discovers it.

What is the key to mitigating most IT risk? Put the consequences in terms the business managers can understand. “The business perspective is essential when it comes to understanding the consequences of IT risk. To make effective trade-offs about IT risk, a business executive needs to know what happens to the business when technology fails or underperforms” (p. 19). We as IT leaders need to be adept at putting the risk in terms business executives can understand. It might be that the risk is justified because they are weighing other risks more highly, which is where assumptions can bite us again.

Reference: Westerman, G. & Hunter, R. (2007). IT Risk. Boston, MA: Harvard Business School Press.