The press makes hay when technology products or services have problems… currently the big businesses smeared all over the headlines are Sony, with its PlayStation compromise and temporary closure, and Amazon, with its AWS services outage. All businesses, large and small, need to assess the “technology risk” of any application/service, whether they are developing, hosting and managing their own applications or procuring their applications by licensing software or renting services in a public cloud. There are five categories of IT risk that should be assessed in the decision about applications/services:
- Can our organization select application/service solutions that will meet our needs and fit into the enterprise plans both today and into the future?
- Can we implement that solution?
- Can we keep that solution running?
- Can we fix it when it breaks?
- What is the downside if the system is compromised?
I am surprised at how many organizations take this lightly. There are penalties and losses whenever your organization fails to prepare for any of the categories of IT risk. One of my favorite examples is the popular DVD service Netflix. All too frequently their servers go offline for days, during which time the company virtually stops. The IT risk of keeping it running (3) or fixing it when it breaks (4) has not been fully addressed. For smaller businesses, developing applications like Netflix's is not an option. They must select applications/services from among many alternatives, but they still must assess the IT risk like big companies.
Most smaller businesses do not have the luxury of big IT departments or IT experts on staff. Most smaller businesses have little idea what their demands are… and are quickly willing to select some unproven solution based solely on the least cost model. The chance of an effective solution with a low IT risk is just about 0%.
Every business should have both an IT plan and an IT risk assessment. These are not big documents. They are, in fact, just a roadmap and a feasibility assessment of the events that could possibly happen along the way. I work with lots of businesses on IT issues. I can tell within five minutes if they have a plan (and not having any IT plan strongly suggests that they have no clue about IT risk)…
So where do you start? Ask yourselves these questions:
- How can we work to fulfill our objectives by using information technology?
- What is the plan to make it work?
- What can possibly go wrong?
- What do we do then?