Despite numerous high profile IT glitches and failures within organisations, IT risk is still not considered high enough priority, according to a UNSW academic.
IT systems have been giving organisations headaches across a wide range of verticals, with recent high-profile cases including the security breach at retailer, Lush Cosmetics - granting hackers a significant number of customer credit card details, Vodafone's privacy breach, and Virgin Blue's system failures.
Overseas, the Wikileaks fallout showed that even the likes of MasterCard and Visa are not impenetrable, and yet, despite IT being a clear operational risk, the concern just isn't there as yet at a board level, according to Australian School of Business (part of UNSW) associate professor and head of school, Actuarial Studies, John Evans.
"I think what's becoming quite clear is that IT in terms of risk management is a fairly serious area that needs to be cleaned up," he said.
The costs involved in something going wrong with IT systems are significant. Regulatory bodies can impose fines, but of greater concern is the damage a system meltdown can do to the company brand.
"I find that a lot of organisations regard the cost of a backup system and testing it as an unnecessary cost. They don't quite see it as risk management," Evans said. "With other kinds of financial risk management, they're fine."
Part of the problem remains a lack of proper communication between the IT departments of organisations, and the senior management or board members. The latter may well not understand IT, and so project management is often poorly executed as a result.
Evans cited a simple example of this lack of communication: "There was a case where a relatively small financial institution shut everything down on the Saturday to test the systems, and the plan was to restart it on the same day, but someone forgot to decide who would ring who. So for two hours everyone sat there waiting for their phone call to go and do things."
However, IT risk management should improve into the future. The weight and cost of IT failures within organisations is quickly becoming too significant to ignore.
"A board's responsibility is to decide how much risk to take on," Evans said. "And businesses do take on risks, but you should only take on calculated risks, and I would have thought damage done in some of these cases would have been huge.
"It is a risk that management should understand. It's not some weird thing like dealing with an alien landing. These risks are the kinds of things that we know exist, and what exactly they are."