The challenge of managing risk when IT budgets tighten - CIO Symmetry
Oct 9 2009   2:10PM GMT

Posted by: Linda Tucci
Midmarket CIO, Strategy for CIOs, Risk management

I see an interesting sea change when it comes to risk: thanks to the recession, IT risk management is constrained by tightening IT budgets, and the risk of doing business goes up as a result.

As part of my security, compliance and disaster recovery coverage this year, I’ve listened to a lot of experts talk about the how-tos of risk management: how CIOs need to stop taking a checklist approach to regulatory mandates and forge a risk-based strategy for compliance, or how security officers still taking a buy-another-gadget approach to security will lose their jobs if they don’t focus on risk management. All this sounds good, as it implies that a rational scrutiny of risk can save companies money by focusing the available dollars on the most likely scenarios. But the reality is much worse.

A CIO I talked to this week has seen his IT budget cut by more than 50% over the past few years. He’s in the newspaper business, an industry whose business model has been beaten up worse than most in this recession, so the necessity to cut costs is not unexpected. To help keep the company afloat, he’s dropped maintenance contracts, including on some mission-critical systems. He’s walked away from a premier — albeit difficult-to-work-with — longtime database vendor to save more than $100,000 for his company.

“Sometimes the gamble has paid off, and other times we have paid for it,” he said.

A few months ago, he had some equipment fail. Under his previous, higher service level agreement, the components that failed would have been replaced almost immediately, in two hours at most. In the new reality, the provider had to fly the parts in from a neighboring state. “We were down for about 12 hours, and it was mission critical,” he said. These were the internal networks for about 40% of the company. The people affected couldn’t use email or store files.

Risk management makes these decisions all sound so, well, manageable. As the recession shows, however, CIOs can research the IT-related risks to their enterprise, plotting out every what-if scenario in the IT playbook, and still be surprised or, worse, undone by elements unimagined and unimaginable based on past experience. That’s when the person in charge has no choice but to be a risk taker, and to be brave.


BPetrovic  |   Oct 9 2009   4:03PM GMT

Risk management does not imply taking every risk possible. CIOs are highly compensated for their judgment capabilities, which include making the right decision about what to pay for and what not to. Anyone can make the decision to pay for every safeguard available in the market.

KevinBeaver  |   Oct 20 2009   11:38AM GMT

Good blog, Linda. CIOs with a clear focus on what’s best for the business were managing IT (especially compliance) this way well before the recession. CIOs, and especially their CxO counterparts, who reactively cut critical budget items often find out the hard way that it didn’t really pay off. It’s about seeing the big picture, having a long-term perspective and being prepared for these cycles that come and go.