Understanding the business risks of Shadow IT and Spreadsheet errors

When internationally renowned and respected US economists Ken Rogoff and Carmen Reinhart (R&R) made a simple spreadsheet error in modelling debt, GDP and unemployment, their key findings that high ratios of debt to GDP lead to long periods of slow growth were thrown into doubt. These findings were not only influential in shaping US policy, but were also used in the publication of several papers derived from this research.

How does this relate to technology in business and, in particular, the phenomenon of Shadow IT? Is the humble spreadsheet another form of emerging technology that democratised technology for anyone needing to work with numbers?

Under cover of darkness, and most likely already thriving in your organisation, are Shadow IT departments. These arise when users and department heads go it alone, provisioning and deploying IT systems (most often cloud services) that are sourced externally and funded from local discretionary budgets without the involvement of the IT department or even the knowledge of the CFO or CIO. New and emerging technology that is appealing and compelling plays into the hands of those trying to solve a problem. Just like the spreadsheet: still viral and not necessarily subject to checking, validation and rigour, yet still supporting critical enterprise decision making.

A key risk associated with Shadow IT, as was the case in the R&R example cited above, is the short-circuiting of effective validation and governance. If your organisation places importance on managing and mitigating future risk and costs, and on ensuring no governance or legislative breaches occur, then bringing Shadow IT to the surface for scrutiny should be core to your enterprise governance. Once surfaced, and if Shadow IT is shown to produce net realisable value to the organisation and passes muster, then keep it out of the shadows. Moreover, the involvement of IT consulting firms in relation to Shadow IT needs to be identified and managed.

It doesn’t take much for Shadow IT departments to sprout up in the typical commercial organisation. The pressure to do things faster, cheaper, and more easily makes it almost inevitable in the current climate of austerity. Conditions are ripe for the growth of Shadow IT when a combination of factors exists. The most obvious is a poorly managed IT function in an organisation with ineffective or inconsistent enterprise governance. Other factors include:

  • Broken IT-business communication
  • User frustration with being stuck waiting in the queue for corporate IT services, and
  • Vendor predation (including by IT consulting firms), which circumvents IT to pitch directly to line-of-business leaders and should not be understated. Vendor offers can be very compelling to someone with a short-term sales or cost target to meet and an IT department that’s not helping him or her to meet it. The IT consulting game is highly competitive, and filling pipelines and meeting billable hours targets is a constant challenge for IT consulting firms.

So what’s so bad about Shadow IT? If it can help the business get its work done, what’s the harm?

Well, in its 2012 CIO New Year’s Resolutions, Gartner states: “Shadow IT can create risks of data loss, corruption or misuse, and risks of inefficient and disconnected processes and information”: a warning that should set off alarm bells in the boardroom. What Gartner is talking about is not just a business technology problem but an organisation-wide, systemic problem that requires an organisational response.

Typically, the CIO and CFO are both accountable for enterprise risk, but from different perspectives. CIOs are acutely aware of Shadow IT. Are CFOs?

If your organisation’s brand is important to you, if the reliability of your business processes matters, the Shadow IT phenomenon needs active exposure and management.

Not blocking (that’s futile), but active management.