Case Study: Technical Risk Management in the Airline Industry
Updated: May 30, 2019
Complex IT environments can pose significant technical risk that, if not managed adequately, has the potential to cause major disruption to customers and critical business functions.
The overall reliance on technology today makes technical risk management a number one priority in any organisation, but what is technical risk and how can it be mitigated? A very simple definition of risk is “The exposure to danger”. In other words, it is the likelihood of IT systems failing, putting the business into a position where it cannot provide services to customers for prolonged periods of time.
Risk is measured by the likelihood of the risk event occurring and the consequences that follow it. This measurement allows technical specialists to rank and prioritise risk across the organisation, and to direct mitigation efforts and funds to the applications or infrastructure with the highest exposure.
Types of Technical Risk
The risks with the highest visibility are security and failing systems due to technical obsolescence. Security risk measures the likelihood of data being exposed, or of functions critical to the running of the business being denied. Besides the obvious denial of service, the loss of data can have legal ramifications and can create major trust issues for the brand.
The most obvious risk of technical obsolescence is hardware or software that fails because systems are out of support and/or cannot be easily replaced. Often organisations “sweat the hardware” beyond reasonable measures. This is due to budget decisions over the years that result in postponing initiatives to replace aging IT components. Far too often organisations underestimate the effect system failure has on the continuation of business functions until it’s too late.
There are many other technical risks in the organisation that need addressing. In order to manage the risks, a well-defined risk management framework is required that allows identification, measurement and mitigation of all risks across the technical landscape.
Two approaches to managing technical risk are possible. In a more decentralised IT organisation, risk should be addressed by the BAU teams that support individual business domains. Here, risk mitigation is built into the KPIs of the domain owner. This works well for all decentralised functions and specific applications within a business domain. The drawback of this approach is that centralised functions and strategic technology initiatives are often underfunded, causing the organisation to fall behind state-of-the-art technology choices.
The second approach to dealing with risk is to establish a centralised risk function and/or risk management programme. This programme can address all technical risks based on priority. Depending on the size of the organisation and its exposure to security risks, it might be advisable to separate cyber security from the overall risk management programme. The reason for this is that security risks always take higher priority, with the consequence that other risks are not adequately addressed.
The programme in the airline industry used the second risk mitigation approach, with a central risk mitigation process for all risks other than Cyber Security, where a Group-wide risk programme was established. This programme ran on an annual budget that was estimated based on the expected effort for the technical components in the priority list.
Fusion Professionals provided architectural guidance and governance in the process. The primary outcome was a risk prioritisation framework that was modelled around the COBIT 5 (https://cobitonline.isaca.org/) Risk Management framework. This process assembled all available risk measures into a single review and weighting process.
The outcome was a process that allowed objective vetting and prioritising of applications and infrastructure components across multiple business domains.
The main challenge in developing this framework was to get the correct input data from the various stakeholders and systems. The next significant challenge was to develop correct weightings across the different technology components.
A second major deliverable was oversight of the delivery of the mitigation initiatives. Fusion Professionals provided leadership in the architecture space to guide the different delivery teams and vendors to a coordinated delivery of the different technologies.
The challenge in this space lies in the vast variety of different technologies and the disconnect in understanding between the business stakeholders and the technology specialists. The team had to work very closely together and utilise a number of different skills in order to develop the best technical solutions and risk visualisation models to rally the support of a diverse range of stakeholders.
Risk management is essential for the long-term successful delivery of IT services to enterprise businesses, and to the airline industry in particular. As a rule, the KPI of having functioning IT should be part of any business domain leadership role. This way the business is directly responsible for all functions within the business, including IT, which fosters a greater sense of ownership.
Strategic initiatives must be part of a centralised function that delivers the future framework and addresses the risk of using obsolete technical solutions. The aim is to improve the overall IT processes and frameworks and keep them current. This optimises IT delivery within the domains and ensures the technology stack is state of the art.