Following on from our report on IDG Connect research into resilience in our Spring issue, we explore the subject more deeply with a newly published book and video examining the differences of opinion between the IT department and C-suite.
The survey of 100 IT decision makers working for large UK organisations conducted by IDG Connect concludes that to achieve operational resilience, companies must also develop risk management strategies which accommodate the human factors that affect the decision-making of individual employees.
Psychological research suggests that we humans are bad at estimating risk. We pay most attention to current dangers right in front of us rather than those that may or may not surface at a later date, irrespective of the magnitude of the disruption these could cause. Furthermore, it suggests that attitudes and approaches to risk management vary according to specific job roles.
The contrast is particularly acute when we compare the attitudes of those working in the IT department with those of C-Level executives. This is despite the obvious need for close co-operation between the two groups to develop resilience frameworks that span the whole organisation rather than fragmented measures for individual business departments.
The study provides a good illustration of this divide at the most basic level: employees' awareness of the risk management policies that have actually been implemented by their employers.
Looking at the IT department in particular, just 30% of staff reported their organisation had appointed a board level champion for resilience, compared to 53% of Chief Information Officers (CIOs), Chief Technology Officers (CTOs) and Chief Security Officers (CSOs) and 50% of vice presidents, executive vice presidents and senior vice presidents (the VP group).
This disconnect suggests that broader organisational resilience frameworks that extend beyond technology may either be hidden from the IT department, or isolated into separate management frameworks with little or no integration across departmental silos.
Expecting the Unexpected
Boardroom executives cannot fail to be aware of IT related risks that can result in customer losses, reputational damage and falling stock prices. The hacking attack suffered by TalkTalk in late 2015 is a case in point, with the UK broadband provider reputedly facing a £60m bill for cleaning up after the cyberattack, comprising £15m lost revenue and £45m in exceptional costs (including a £3m fine from the regulator). Then there is the VW emissions test scandal, which will cost the vehicle manufacturer an estimated $20 to $30bn and, of course, the running sore that is the Deepwater Horizon oil spill, which has already cost BP $60bn in fines and pay-outs.
Failure to adequately prepare for the unexpected means these three businesses have seen around one-third wiped off their capital value – and that's in addition to the eye-watering cost of putting the situation right.
Often, how an organisation handles a disaster can be more important than the incident itself. Resilience policies based predominantly on prevention and reaction are unlikely to either guard against unanticipated challenges or enable a company to quickly bounce back from any crisis or period of adversity.
The survey shows that C-Level executives (35%) and Vice Presidents (25%) are far more likely than IT managers and IT directors (10%) to judge their organisation's approach to anticipated challenges as reactive. Conversely, those in the IT department are more likely to consider their organisation's approach proactive (75%) than executives are (42%).
This again points to a mutual lack of visibility into data security-based risk management practices implemented by IT departments and their operational equivalents, with little or no communication or integration between them.
And while the number of defeatists amongst IT managers and IT directors who judge there is little or nothing they can do to meet unexpected challenges is small (5%), that figure jumps to 16% for C-level execs and 25% for VPs. This indicates senior management may be less willing to spend time and resources preparing for unknown and unexpected outcomes that they do not believe they can properly prepare to meet in the first place.
These differences of opinion may be rooted in the IT department's involvement in supporting company-wide resilience initiatives. There are tinges of underlying resentment here, with those in senior management feeling that IT is not doing as much as it could to evaluate and implement technology platforms and policies that may help improve levels of resilience.
Silos Obstruct Companywide Resilience
In many cases, different business units will be assigned one particular aspect of risk management, which undermines the design and implementation of a single, company-wide resilience framework.
For instance, we often see Chief Risk or Compliance Management Officers in charge of operational risk management focused on enterprise, third party, policy and business continuity risk management. Yet security risk management comes under the remit of the Chief Information Officer (CIO) who will focus on threat and vulnerability management, continuous monitoring, data protection compliance and incident management, reporting upwards to the board.
Consequently, business operations and IT departments often work in separate silos with each relying on their own data and software. But there are often multiple areas of overlap and duplicate processes which could be effectively streamlined if brought together under a single, companywide risk management framework.
IT departments are less likely than their colleagues to think their employers attach any great importance to breaking down these silos. Around a quarter of the IT managers and IT directors polled (23%) said their employers viewed this as the least important approach to establishing effective resilience, and only 40% felt it was given the highest priority. In contrast, the vast majority of C-Level executives (88%) felt this issue was important to their organisations.
A similar pattern was seen with stress testing plans, which were perceived to be far less of a priority for effective resilience by IT managers and directors compared to boardroom executives and vice presidents.
Board executives were more likely to consider effective leadership on risk management strategies something that needs to be addressed, possibly because they attach more importance to that leadership or are better placed to see where improvements could be made.