Risky Business

The Millennium Bug, aka the Year 2000 problem, will carry implications forward well into the new century. In fact it will probably initiate a number of important changes to how we approach IT-based business systems development.

The biggest impact of this issue is that it has focused the full glare of mass publicity on corporate computer systems. For the first time, a systems problem has made the six o'clock news. It has highlighted the possible legal perils facing companies with faulty systems. But also, it has hopefully brought the whole subject of risk management to the forefront of the minds of both CIOs and their senior management colleagues.

The Millennium Bug is nothing remarkable in itself. There have been numerous glitches before caused by faulty date-time arithmetic in programs, or by software that mishandled daylight saving change-overs or leap years. What is new is that this latest potential problem is so widely publicised. No systems manager or corporate management will be able to plead ignorance come January 1, 2000. Quite a few companies whose systems fall over and inconvenience trading partners or customers will be successfully sued.

But the more systems exposures, from whatever causes, that come to light, and the more court cases that ensue, the more pressure there will be on the IT function to guarantee "safety". Once a few heads start to roll, minds will be concentrated wonderfully. This will without a doubt lead to risk audits being conducted at various stages of the system building process. It may also produce confrontations in which you'll have to stand up and assert the need for this extra cost and delay.

At present there is lamentably little awareness or interest in potential IT risk issues. From time to time, of course, one reads about the odd computer-related disaster. But too easily our awareness of these recedes with the flow of succeeding events. That's why it helps to brief oneself with a kind of history of this sort of event. Peter Neumann, who started the Internet newsgroup The Risks Forum, wrote a fascinating book called Computer-Related Risks (Addison-Wesley, 1995) which does just this.

Many of the hundreds and hundreds of computer-related snafus and glitches recorded by Neumann are problems that affected space or defence systems, ships and planes, or power stations. But there are also many more prosaic ones that have hit typical commercial businesses. The overwhelming majority are not criminal attacks but rather accidents or human actions that a system hasn't catered for.

For instance, the Australian man who received a $335,000 windfall when a bank displayed the wrong exchange rate for Sri Lankan rupees (he ended up keeping the money). Or the $US32 billion overdraft that the Bank of New York suffered when a 16-bit counter overflowed. That cost BoNY $US5 million in interest, since to cover itself the bank had to borrow billions for a day.

An expensive type of risk is exemplified by failed systems development efforts.

We're all aware of examples of large, complex projects that have cost tens or hundreds of millions, but never achieved their goals. If these projects had been properly audited the disasters would likely not have occurred.

What we really need is a new attitude to risk. It is after all very much a business issue. Business executives need the ability to take a global view of a system to identify areas of potential failure. They need an understanding of the most common types of system risk and of ideas like "defensive design". They need to be able to spot tactical threats to systems as well as the more strategic threats.

Left to themselves, few executives would devote much time or even money to this. But they won't be able to ignore it in future. The bottom line is that the notoriety of the Millennium Bug is giving increased prominence to the business implications of computer systems errors. There will be less tolerance of failure in future, more lawsuits, and a far greater need to audit your systems for potential risks.

Steve Ireland is publisher of ComputerWorld newspaper
