Managing IT Risks in the Real World
Several times in previous articles on this blog, I have referred to the challenges that come with managing disasters or threats in the IT world. cibsys is part of a group training Non Exec Directors (NEDs) on how to handle the risks and opportunities that come with IT at the executive level. Our next course for NEDs (and executives who want to know more about IT risks) is on 20th January in London; please contact me directly here for detailed information.
In compiling the NED training programme, we have gathered over 50 real-world stories of the threats that have hit companies over the years into an IT Disaster Database of real-world scenarios. What is interesting when I look through the entire IT Disaster Database is how similar the issues are when seen from the executive level. What mattered most in a huge proportion of the cases was not the event itself but how it was handled once it occurred. Most of the organisations had processes in place to try to avoid issues, but that did not stop an issue or disaster occurring. What really mattered, once the issue occurred, was how it was escalated and how the decisions were handled. We observed that a majority of the cases were initially fairly small events that quickly escalated into major threats due to handling errors. These were sometimes due to management actions actually compounding the event and thereby making it worse.
With hindsight, looking at the lessons learnt from these 50 stories, I can summarise two critical points that occur often:
Firstly, organisations always have a total disaster / Business Continuity Plan (BCP) or recovery plan, but few (if any) plan for what occurs most widely, namely a stepwise escalation of a smaller event in stages into a larger disaster that rarely triggers the full and total business disaster processes. Planning for stepwise escalation and partial shutdowns is therefore critical, as well as the all-encompassing plan.
Secondly, the command and control structures around escalations often complicate the decision making rather than streamline it. The fine call between keeping customers happy and protecting the organisation is often not easy to make and rests with too many people.
Looking at these two points and critically assessing your own plans could bring a lot of efficiency in case of an emergency or attack.