Magazine article Risk Management

Technorisk: Who's Responsible?

Article excerpt

The day started uneventfully enough until worried employees started reporting difficulty getting into the company's computer network. A short time later, usually productive staff members were standing around in groups wondering when the system might return. Unfortunately, the problem wasn't confined to just one office; similar reports were pouring in from facilities along the entire East Coast.

By noon, the problem was attributed to a computer virus that had been distributed across the network during system maintenance the previous evening. While the employees tried to find the few tasks that could still be carried out, the information systems (IS) manager convened a teleconference to discuss the options and decide on a recovery plan. By the end of the day, most of the offices were able to restore their files from backups, losing only the previous day's entries. Other offices were less fortunate and had to restore from the previous week because the daily backups had not included all of their critical files.

This scenario is an example of a technology-related loss that could happen to almost any organization (if it hasn't already happened to yours). Like other exposures, technology risk must be managed effectively to protect a company from potentially dire consequences. Despite its importance, it may not be part of your company's overall risk management program. This is not surprising since the importance of technology is relatively new to corporate organizations--a growing number of functions once completed manually are now handled by sophisticated systems that permeate an organization's entire operations.

In many companies, responsibility for managing technology risk has fallen between the purview of two functions: The IS unit, although well-versed in technology, is not trained to assess organizational risk. Similarly, the risk management department, while experienced in exposure identification and mitigation, may lack the technical expertise to address technology issues. Given this potential gap, whose problem is it to worry about the potential effects of technology-related exposures?

Managing Information Risk

The potential effects of a technology-related business interruption can be catastrophic. A study by the University of Minnesota at Rochester found that although 20 percent of the Fortune 500 companies could be put out of business by a 48-hour system or network outage, the average time it takes to recover from such a disaster is three days to five days. Because virtually every business relies on technology, this is an area that would clearly benefit from the same rigorous risk assessment, control and management efforts applied to other exposures.

Technology risk goes beyond bits, bytes and hardware to include operational and personnel issues. Overall, a wide array of organization risks are related to the use of technology:

Business risk--A systems-related loss can affect an organization's ability to achieve its financial and operational objectives. Tremendous financial consequences may result from the loss of operational data, client account records, contractor or employee information, or other proprietary information (see Figure 1). Consider, for instance, a mail order company that can't process orders because of a computer malfunction. The loss of sales for that day will be compounded by the number of potential customers who can't get through, the failure of an automatic inventory system that communicates with suppliers and an inability to send out catalogs.

Figure 1 Financial Implications

The costs associated with a technology-related loss may include:

* Repairing or replacing equipment

* Recovering, replacing or recreating the operating system, application and network software

* Recovering and recreating lost data

* Business interruption costs

* Long-term damage from lost customer goodwill

* Damage to supplier relationships

* Lost business opportunities

* Liability awards from damaging electronic evidence or injury caused by a computer-related malfunction

Infrastructure risk--A range of property/casualty- or equipment-related exposures can affect the availability of systems (including computers, electronic equipment, software and data) that are vital to an organization's ability to continue operations. …
