Advanced Software

Risk versus reason

12/06/2018, Marc Beder

A concept is gaining momentum: that every organisation could, or should, be seen as a technology company, simply one with the appropriate licence, where necessary, to operate in a particular sector such as banking or retail. The fourth industrial revolution is driving this change and requires businesses to be bold, brave and act with pace by rebooting, recharging and reshaping how they work to unlock their potential.

But with this comes a ripple effect. If technology is essentially at the heart of a company’s operations, it’s reasonable to assume it then becomes a fundamental element – more than a business enabler, it becomes business critical. So critical in fact that, if the technology failed, it could in theory (and increasingly in reality) bring the organisation to its proverbial knees – financially and/or from a brand reputation perspective.

The immediate reaction to that quite stark proposition is often a bit of scepticism but also usually a reality check – how likely is that to happen? Could it happen to my organisation?

In the very first instance, there are a couple of key questions that can be asked to provide an indication of a business’ vulnerabilities. It starts fairly simply by looking at one individual technology-based system failing:

  • What would the full impact of this be on the operations of your business?
  • What would be the risks associated with this?

Multiple considerations quickly fall out of these top line questions. For example, when looking at the areas of impact on operations:

  • Would there be an impact on revenue?
  • Is the system external facing? In other words, could it affect customers, or is it internal and therefore there’d be no effect on customers or partners?

Clearly, if it turns out that technology system failure is massively business impacting and carries significant financial risk, it must be treated differently. So we begin the debate around risk and reason. As more and more businesses operate as technology-centric organisations, selling services and products delivered online, the questions of risk and impact become greater as does the rationale for increasing the considerations.

This applies more to established companies facing the danger of industry disruption – often from shiny new competitors that have started their operations with a digital-first, Cloud-first ethos. These often high-profile, long-standing traditional businesses face the danger of technical debt. The concept of ‘debt’ comes from choosing an easy, often lower-cost solution now rather than using a better approach or technology solution that might take longer or cost more, but which in the longer run would be more effective and flexible.

So in the rush to transform, upgrade existing infrastructure and/or carry out major Application Modernisation projects from legacy systems to more modern infrastructure, it can be easy to ‘cut corners’ by not fully appreciating the impact or risks associated with that decision.

And this has never been more evident than in the area of Application Modernisation projects. Principally, any change to major infrastructure carries potential risk and associated impact. And if these haven’t been fully considered, there’s a real danger of going in blind in the way such projects are handled. Pressures on the IT function are often not fully understood by the people driving the changes. It’s important to recognise that there is always a choice when you apply risk versus reason. You can either think more cautiously, make sure you’re more considered, and hence take fewer risks – or you can consider it low risk and take the easy option.

We call this ‘understanding your risk profile’ – which is typically less about the technology and more about the business – coming back to the first top line questions that should be asked to ensure you understand the consequences of ‘acceptable risk’.

Here are a few obvious ways to mitigate risk:

  • Gain a thorough understanding of your technology stack. Often legacy systems are interlinked with other business systems and a simple tweak in one area could have a greater impact somewhere else.
  • Carry out full assessments of the impact and the risks
  • Carry out a schedule of trials
  • Validate any changes and have parallel runs
  • Gain lessons learnt from the process and re-assess
  • Have different testing phases that happen in sequential steps
  • Involve more people

There are various frameworks that can be considered, which have typically been enforced in more industrial and manufacturing projects, primarily where there are potential safety issues. For example, RAMS: reliability, availability, maintainability and safety. Are we now at a state where technology failure should be treated with the same degree of caution as safety concerns?

When we consider the consequences of consumers not being able to access online services – from money held in personal bank accounts through to critical health and care provision – the risks associated suddenly seem very high.

The reality is that a more cautious, considered approach always impacts timescales, usually increases costs and can’t provide absolute guarantees of success, but it undoubtedly reduces the potential negative impact and goes a long way to eradicating the risks. And when you consider the risks from brand reputation damage, the tally of compensation claims and the loss of loyal customers when it goes wrong, we’d argue that giving due diligence to that process of reason versus risk is worth it – every single time.