Friday, August 1, 2008

IT? Who needs it?

I bet you have asked yourself, “Why do I need that IT guy?”

I know at first glance they seem to just sit around, order parts and pull shredded paper out of your jammed printer, but they are actually one of the most important people in your office. Why? Two dirty words: Risk Management.

In all my years sorting out the problems of multinational companies I have heard every excuse imaginable for skimping on the IT department. What they don’t seem to understand is that a vital aspect of risk management is ensuring the continuing functionality of their supporting IT systems. Often the worst offenders are technically-oriented workplaces who engage in software development themselves and should, more than anyone else, understand the value of having an IT specialist to take care of their computers, servers, and data security. But management didn’t want to spend the extra money. Why? Because they figured that among their 50 employees, there would be enough aggregate knowledge to serve as a kind of ad-hoc IT guy. What you end up with is an IT Frankenstein. Every problem was solved by a different person, using a different approach, often using shortcuts and workarounds that don’t actually solve the issue (which one would expect, since these guys were not hired to manage their office computer assets). So over time, the stitched-together network, the obsolete and malfunctioning components, and the willful negligence of management came together to create a monster that was a threat to the whole company. Luckily I showed up in time and set them straight. Creating effective processes to solve the problems that cropped up around the office allowed for proper solutions to be implemented, resulting in greater stability and much less frustration when that blue screen pops up.

Now I’m going to get controversial: DON’T RELY ON TECHNOLOGY.

That may seem a bit ironic, since we are talking about Information Technology – but the key thing that I want to drive home is that it is not the hardware you have in place that will ensure the stability of your IT, it’s the people (specialized people, please) and more importantly – the processes that guide them. A computer will not maintain itself - quite the opposite; over time it will just become more and more chaotic if left uncontrolled. You need effective controls ensuring that the computer doesn’t end up erasing its own hard drive.

I was engaged as a process consultant at a company that made this mistake. They actually had an IT guy, but he was more interested in purchasing gadgets than setting up controls to mitigate the potential risk of relying on these gadgets in the first place. I remember when I first met him, he was one of those guys who never take off their Bluetooth headset and end up looking like a wannabe Star Trek regular. I could tell this guy loved Technology, and like any good circuit worshiper, he loved to spend money. And he spent big. He purchased a hyper-expensive fileserver to maintain all the data within his office, and when I asked him what his plan was for data loss – he acted as if the idea were preposterous. I pressed him harder and he came up with a strategy: Upgrade the brand-new server to something more expensive.

I could tell he didn’t take me seriously with my talk about Risk Management and Process Controls, but in the end I can never really force people to follow my advice… advice that they pay for. Months later, there was an electrical storm and a power surge killed his fancy server. His company ended up losing 2 weeks of software development because his backup processes were not properly managed. As a result the company had to delay its product release by 3 months, lost its market advantage to inferior products and set in motion some destructive ripples that the company will feel for years. In the end they recovered, but at the expense of growth, profit, and customer satisfaction.

But you know what – I can’t find myself blaming this IT guy. Sure, he displayed a tragic hubris that would make the gods weep, but the real problem was not that he messed up – it was management that neglected to enforce effective risk management via business processes.

In the end, a computer is a dumb box, and lots of computers linked together in a network is just a disaster waiting to happen. Unless, of course, you understand the risks by documenting your processes, and eliminate those risks by implementing effective controls. They say that a computer is only as smart as the person using it – the same thing goes for your IT systems: they are only as smart as the people managing them. And the best way to manage them is via processes with a good understanding of the risks that can be encountered.
