In 1995, FoxMeyer Drugs, the $4 billion pharmaceuticals distributor, embarked on an ambitious $100 million SAP implementation. Less than a year later, the company had crashed into bankruptcy, and was subsequently sold off to a rival for an anaemic $80 million. The SAP project, Delta III, was widely identified as the smoking gun.

With such hair-raising opening examples, the authors of IT Risk remind the reader that the risk associated with IT projects – opaque as it can be – needs to be taken very seriously. Much of that risk, say MIT research fellow George Westerman and Gartner analyst Richard Hunter, is rooted in the complex entanglement of legacy applications and infrastructure; the problem is that traditional risk analysis frameworks are incapable of gauging the levels of business risk associated with such infrastructure and, as a consequence, provide little guidance on how to mitigate against it. This being the case, few organisations have any hope of inverting the equation, the authors propose, and transforming the threat into competitive business advantage.

IT Risk presents a model specifically tuned for assessing and dealing with technology risk. Under the authors’ ‘4 As’ framework, project stakeholders can put IT risk in a clear business context. In the model, IT risk is defined as the potential for an unplanned event involving IT to threaten any of four key enterprise objectives: availability, access, accuracy and agility. To this extent, the authors provide a sensible and instructive environment in which both IT and business executives can discuss, understand and plan for potential IT risks, without conceptual conflict.

With the 4As deployed, managers are offered pointers on how to remove key elements of risk by what is essentially a legacy clean-up. The book’s impressive research base, drawing on more than 50 case studies, a survey of 130 firms and over 2,000 presentations with IT and business executives, grounds the book firmly in the empirical. Consequently, the authors provide often-unique insights, not only into how particular organisations have tackled the fiendish problem of rationalising legacy application infrastructures, but also into the surprising sticking points that can arise during this process.

But often such case studies stop frustratingly short of the detail necessary to serve as a genuinely compelling blueprint for IT and business executives hoping to transform their aged IT estates. Furthermore, the authors rarely, if ever, deliver on their promise to inform readers on how such risks can not only be mitigated, but transformed into competitive advantage. Even leading-edge technologies struggle to prove their worth beyond creating greater efficiency, making the argument for ‘legacy rationalisation as competitive advantage’ fairly flimsy. Nonetheless, for many organisations that find themselves in a state of near legacy paralysis, this book will provide plenty of useful pointers.

Further reading

Ernst & Young survey: Security divorced from strategy

Find more stories in the Security & Continuity Briefing Room