Board Directors: The Growing Risk of IT Failures and How to Be Accountable
In today's fast-paced, tech-dependent world, IT failures are no longer a matter of if; they are a matter of when.
With high-profile cyberattacks and service outages making headlines, including the infamous CrowdStrike incident, the pressure on Board Directors to manage these risks has never been greater. Directors are now held accountable for more than just their organisation's bottom line: they are responsible for preventing and mitigating the fallout from catastrophic IT disruptions that can wreak havoc on reputation, finances, and service delivery. So, what are the hurdles to Board oversight, and how can Directors rise to the challenge?
IT failures are growing in both scope and duration, but remediation is hindered by the lack of the systematic data that is already collected for other utilities. Following a recent roundtable on the topic, the BCS has called on the UK government to take the lead in data sharing in the public sector. The ICO already uses a NIS framework for reporting on data breaches by Relevant Data Service Providers and on the fines that have been levied. Adopting this framework across other sectors would bring IT into line with other utilities: the rail industry, for instance, publishes the cost to users of service failures.
Traditional economic assessments of IT failures typically include internal costs of implementing changes. What’s often overlooked is the broader cost to users from the lack of services or the corruption of data.
The NIS framework provides four metrics for the impact of IT failure: lost user hours; loss of data integrity; damage to life or health; and financial repercussions on users. Now that IT is widely recognised as a utility, organisations will need to insure against claims relating to lack of availability. These metrics allow Boards to assess the extent of the risk and take out appropriate insurance.
A recent CEO survey found that 90% of top executives believe ‘it won’t happen on my watch’. This mindset is dangerously outdated. As businesses integrate more third-party software, the chance of failures stemming from external systems rises. The truth is that IT failures are inevitable, unpredictable, and can affect any organisation – no matter how well-prepared it thinks it is. Directors must let go of the ‘it won’t happen here’ myth and adopt a mindset of resilience and preparation.
Instead of simply focusing on preventing failure, organisations must now prioritise resilience – the ability to recover quickly and effectively when IT disruptions inevitably occur. In today’s world, uninterrupted service is an expectation, not a luxury. Building resilience isn’t about preventing every potential failure, but rather ensuring that when something does go wrong, the organisation can bounce back swiftly without causing irreparable damage. Directors must oversee the development of robust resilience plans, particularly those that address the impact on users who can be the most adversely affected by digital system failures.
To truly succeed in strengthening resilience, directors need to bring together teams from various departments – IT, business continuity, finance, and more – under a unified approach. One key to overcoming this challenge is developing a ‘common language’. By defining Important Business Services (IBS) and Impact Tolerances, organisations can ensure that resilience is aligned with strategic objectives and that the board fully understands the importance of IT infrastructure.
Risk management isn't just about having a plan in place; it's about fostering a culture where everyone feels safe to discuss service resilience. Creating 'safe spaces' for open dialogue on IT disruptions allows organisations to identify and address issues before they escalate into full-blown crises. In the same way that workplace health and safety practice urges individuals to flag potential hazards, organisations should encourage staff to raise concerns about IT risks before they lead to catastrophic consequences.
Directors should create a culture of preparation by encouraging teams to run ‘pre-mortem’ analyses – simulated exercises where they examine what could go wrong and develop strategies to prevent or mitigate those outcomes. By balancing thorough analysis with automated reporting, organisations can stay ahead of potential threats.
Directors must not only be empowered to anticipate and mitigate IT failure risks but also to lead their organisations toward a culture of resilience. By doing so, they’ll safeguard their businesses against the growing threat of IT disruptions, ensuring the continuity of services, protecting their reputation, and fortifying the bottom line. It’s time to get serious about IT resilience – and the time to be accountable is now.
This is a guest blog and the views expressed here are not those of the IoD.
About the authors
Gill Ringland
Gill is an Emeritus Fellow of SAMI Consulting. She is a Life Fellow of the BCS, an ICL Fellow Emeritus and a Fellow of the World Academy of Art & Science. She wrote the best seller Scenario Planning while responsible for strategy at ICL. She has over 150 publications. Resilience of Services is her 13th book, based on the work of the BCS IT Leaders Forum. She publishes thought pieces and blogs through the BCS, Long Finance, the apf and Radix, often with Ed Steinmueller. Contact: [email protected]
Ed Steinmueller
Ed is Professor Emeritus of Information and Communications Technology Policy, and of the Economics of Innovation, at SPRU (Science Policy Research Unit) in the University of Sussex Business School. He has published four books and more than eighty peer-reviewed journal articles and book chapters, mostly on the ICT industries as well as on science and technology policy and economic history. His books include most recently Resilience of Services: Reducing the Impact of IT Failures, (with Gill Ringland). He was co-chair (with Gill Ringland) of the BCS Service Resilience Working Group and is a Fellow of the BCS. Contact: [email protected]
Paul Reason
Paul is a Life Fellow of BCS with over 40 years' experience in the IT industry covering Management, IT Architecture, Project Management, Consultancy and System Implementation. He has helped organisations to exploit the business benefits of information technology through:
- An understanding of the underlying technologies,
- An ability to communicate this at all levels from director to junior staff,
- A commitment to drive and manage the implementation, and
- The understanding of how financial management works for IT.
Contact: [email protected]
