A big portion of a CIO's time is spent on risk mitigation. Common risks are security breaches, disaster scenarios and the financial risks of implementing or not implementing certain technologies. However, there are also risks that stay under the radar (or are considered low-importance) but have the potential to turn into major headaches, or sometimes disasters.
Let me start with the no-brainer of all risks: communication. All of us have very busy schedules, and our calendars are full of appointments, meetings and deadlines. Under such pressure we neglect communication. Over time, communication becomes unclear, fragmented, misunderstood, garbled or incomplete, resulting in lower morale, disastrous projects or lost personnel. If you do not have the time to communicate effectively now, schedule it for later. If the communication is urgent, put your work aside and concentrate on it. You may lose 1 hour of work but save weeks of it.
One of the worst things is the loss of a key staff member who is a champion figure among the end users. There is always someone on the IT staff who has strong bonds with the end users, be it through a specific application or a specific implementation. When this person leaves, things may get a little rough (every one of us has heard “there were no problems with this when X was there”). It is not always the mail admins or storage admins who need to be watched. Don’t forget the end-user champion.
Putting an unbearable burden on an employee is another risk. Overloading a staff member by engaging him in every project until he fails with a “not enough memory to accomplish this operation” blue screen is an invitation to missed deadlines. Every project meeting will be waiting for him, every mail will be waiting for his reply and everything will be waiting for his input. When the others do not receive these, the projects will slow down and sometimes halt completely. It is not this employee’s fault for being a skilled staff member. It is his manager’s fault for trying to overutilize him and putting him in such a situation. Be careful.
One of the biggest problems in corporate IT is its exclusion from long-term decision making. Many boards still see IT departments as a collection of tech guys who are there to play with computers all day (I was asked why this DBA over there could not set up the e-mail account of this executive on his iDevice; at least, wasn’t he a computer guy?). IT is essential in every part of the business, from online transactions to supply chain management; therefore IT should be part of every decision-making process.
On the other hand, the board should not be overly engaged with IT. Knowing how to install apps on her iDevice does not mean a board member can decide which vendor should be chosen for the new storage system. Nor should IT have to accept and sign an agreement with an inadequate consultant. Accepting interns who are the children of board members and “known people” is generally harmless, but should be monitored briefly.
Not paying enough attention to vendor agreements is an invitation to a contract-long disaster. I agree that no company can have a deep understanding of the vendors out in the market. Suppose that you have chosen vendor B because vendor A did not meet your expectations, or simply did not honor the agreement. What happens when vendor B is acquired by vendor A ten months later? Of course you are not clairvoyant, but putting in a clause that gives your company the right to terminate the contract if the vendor’s management or ownership changes will save you from big headaches.
From a data center perspective, one of the risks is servers in remote locations. These servers may not be kept in good condition: I saw remote data centers that were the branch manager’s personal depot (his personal belongings were kept there after the divorce), and ones where the office people thought the air conditioner did nothing for the servers and changed the blowing direction toward the office because they thought they needed cooler air. These conditions bring additional spending, both on the data center and on maintenance. Rather than keeping servers there, think about virtualizing them and moving them to the cloud. Simply fewer headaches.
Having no documentation, or improper documentation, is one of the most common problems in IT projects. The focus is always on the deadline, and documentation is just an item on the deliverables list, there only because it should be. Whenever you go back to the project or the system to work on it, you see that it is an unholy chest: someone wrote the code or made the implementation some time ago and no soul knows how it works. Imagine this scenario in mission-critical systems. An open door to failure.
Disaster recovery is a subject that is on every IT executive’s, manager’s and staff member’s list, yet nobody takes any steps to deal with it. Even if something was done some time ago, nobody can say that it is reasonably up to date or that the recovery plan can actually work. One or more people should be assigned a yearly task to review the documentation and the plans and ensure that things will reasonably work out if a disaster strikes.
What are the risks that you see in your environment? Hit the comments below!