We have recently seen some very high-profile failures of IT systems – whether by cyber attack (WannaCry and variants [LINK]) or by poor operational risk control [LINK]. Something is wrong in the way things are managed.
Insurance companies are starting to wake up to their potentially unexpected liabilities around this risk [LINK]. They will certainly start to price this risk; this will mean that risk-reduction investment will have an immediate, identifiable financial benefit. Perhaps it’s time to take a different approach.
For years, I have railed against the distinction between “IT and the Business” [LINK]. I think the time has come for this gap to be finally put to rest. They are now truly inseparable.
Statoil has recently announced its response to the 4th Industrial Revolution (or Digitalisation). [LINK]. The most significant part of this is that the initiative is led by the COO. Of course it is!
If we were to take any other industrial process technology in Oil and Gas (say compressors), the management line looking after it runs up through the COO. There is no Chief Compressor Officer who reports through the CFO and imposes compressor decisions (or delays) onto operations.
In that case, why would computerised operations technology report through the CFO via the CIO, as is the case in many organisations? This should be part of the COO role. That recognises that IT is now central to operations, and this is how it should be, because IT is now at the heart of the current automation of operations [LINK].
In line with this, I propose that the COO needs to own a new risk – Automation Risk. One of the advisors to the COO would be an Automation function, responsible for assessing and managing benefits and risks as well as defining policy across the organisation. Operational assets should comply with policy and work with the Automation function on standards, risks and controls. Assurance functions can then audit compliance via the Chief Risk Officer – the right checks and balances would have saved a few hundred million dollars across the airlines in the last 12 months, and perhaps a billion dollars across the industries hit by the WannaCry virus.
Automation risk planning means that the COO knows what risk sources there are that cause automation systems to fail and what the consequences of that failure would be. Importantly, he also knows what actions could be taken to reduce the likelihood and impact of a failure.
Then he can approve a business decision on which reduction measures are implemented. The COO must then know the real-time status of the mitigation measures: are they ready to work in case they are called upon, what is the current risk status of the organisation, is it acceptable and, if not, what is being done about it?
Contact me if you want to know about planning using Bow-Tie models and how you might be able to monitor current compliance in real time, set up alerts and manage your automation risk.
[Image credit: https://smlrgroup.com/universal-cyber-risk-model-part-1/ ]