CIO Symmetry

Oct 9 2009   2:10PM GMT

The challenge of managing risk when IT budgets tighten

Linda Tucci Linda Tucci Profile: Linda Tucci


I see an interesting sea change when it comes to risk: Thanks to the recession, as IT risk management is constrained by tightening IT budgets, the risk of doing business goes up.

As part of my security, compliance and disaster recovery coverage this year, I’ve listened to a lot of experts talk about the how-tos of risk management, such as, how CIOs need to stop taking a checklist approach to regulatory mandates and forge a risk-based strategy for compliance. Or how security officers still taking a buy-another-gadget approach to security will lose their jobs if they don’t focus on risk management. All this sounds good, as it implies that a rational scrutiny of risk can save companies money by focusing the available dollars on the most likely scenarios. But the reality is much worse.

A CIO I talked to this week has seen his IT budget cut by more than 50% over the past few years. He’s in the newspaper business, an industry whose business model has been beat up worse than most in this recession, so the necessity to cut costs is not unexpected. To help keep the company afloat, he’s dropped maintenance contracts, including on some mission critical systems. He’s walked away from a premier — albeit difficult-to-work-with — longtime database vendor to save more than $100,000 for his company.

“Sometimes the gamble has paid off, and other times we have paid for it,” he said.

A few months ago, he had some equipment fail. Under his higher service level agreement, the components that failed would have been replaced almost immediately, in two hours at most. In the new reality, the provider had to fly the parts in from a neighboring state. “We were down for about 12 hours, and it was mission critical,” he said. These were the internal networks for about 40% of the company. People affected couldn’t use email or store files.

Risk management makes these decisions all sound so, well, manageable. As the recession shows, however, CIOs can research the IT-related risks to their enterprise, plotting out every what-if scenario in the IT playbook, and still be surprised or, worse, undone by elements unimagined and unimaginable based on past experience. That’s when the person in charge has no choice but to be a risk taker. And be brave.

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • BPetrovic
    Risk management does not imply taking every risk possible. CIO are highly compensated for the judgment capabilities, which includes right decision about what to pay for and what not.. Anyone can make decision to pay for every safeguard available in the market..
    20 pointsBadges:
  • Kevin Beaver
    Good blog Linda. CIOs with a clear focus on what's best for the business were managing IT (especially compliance) this way well before the recession. CIOs, and especially their CxO counterparts, who reactively cut critical budget items often find out the hard way that it didn't really pay off. It's about seeing the big picture having [A href=""]long time perspective[/A] and being prepared for these cycles that come and go.
    27,505 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: