Who Owns the Risk?

Some time ago, my colleague Joseph Reele wrote of the risk implications of various data centre choices that might be made.

In that article Reele identified a (possibly simplistic) trade-off between features and cost, observing that the cheaper option carried significant risks which may or may not be apparent to someone trying to reduce implementation costs.

But the key question here is “who owns that risk?”

In any large organisation there are a significant number of “coal face” IT workers who work to minimise harm to corporate infrastructure.  They might be working in hardware service, in software assurance/testing or perhaps in Internet threat mitigation.  Or somewhere else entirely.  No matter what, from an IT perspective, these people are the first line of defence against any and all risks to the business.

Their work will serve to identify and reduce risk.  But they don’t own that risk.

Middle management will recruit suitable “coal face” staff, and will enter into support and maintenance contracts to protect their facilities and to have alternates available in the event of outages.  They will also adopt a variety of insurance-based risk-minimisation strategies.

Their work will serve to identify and reduce risk.  But they don’t own that risk.

Senior management and CxOs will oversee all this activity and ensure that the work to ameliorate risk does not cost more than the risks being defended against.  Frequently, however, they don’t fully understand the risks they are managing.

Their work will serve to identify and reduce risk.  But they don’t own that risk.

The risk is owned by the Board of Directors.

Of course, the board delegates the management of that risk back down through the layers described above, but it is only the management of the risk that is delegated, not the ownership.

The problem is that there is very limited understanding of IT-based risks at such a senior level.  In many cases, those people making significant decisions have no comprehension of the more subtle implications of their decisions.

In the past, a large mine might spend a few million dollars on some 200-tonne dump trucks.  The risks were easy to understand and to manage.

But spend the same money on a new web-based server application (software, servers, connectivity etc.) and the risks are much harder to understand.  They are well outside the expertise of the average company director.

Principally, this is an education problem, and one that is only going to grow.
