There is a paradox within large organisations - high value, complex processes are often managed with inappropriate and inadequate information and technology support mechanisms. It is not unusual for the only version of the software that can restore and recover process control equipment and information, to be lost or damaged. In fact, until a process fails and the daily downtime costs accrue, few if any beyond the process department are aware of the risk they are taking. There are a number of reasons why process critical software continues to be ineffectively managed:
- The risk of process downtime from ineffective IT-related procedures is not fully understood in terms of its impact on the wider-business, the risk is relatively unknown and as a result the measures employed are seldom commensurate.
- Specialist processes are not managed by staff with IT skills, knowledge or perspectives on IT-related risk.
- There is often a cultural and communication gap between process-related staff and IT-related staff.
- Processes are often managed by sophisticated Control and information technology systems. It is often (wrongly) assumed that all known risks are being managed.
- Processes are managed by automation and control equipment that is not easily managed by existing IT systems. File types are often incompatible.
- Processes often grow in a decentralised, non-planned basis as organisations enter new markets, regions or countries and acquire new businesses. New or disparate processes can take time to integrate with enterprise systems and procedures.
- IT departments and IT consultants review enterprise implementations in terms of time to implement, complexity and risk/reward. Extending enterprise implementations to manage process critical software may appear a lesser priority. The risk remains constant.
Elite Control help organisations to identify, quantify and manage the risks associated with process-critical software. This includes identifying risks and gaps across the following areas: software storage, application retrieval and disaster recovery policies and processes, management of process and asset-related communications, management of updates and work-arounds that impact software recency, relevancy, quality, versioning and control.
This also includes threat and non-compliance analysis (on an ongoing or one-off basis) and root cause analysis to ensure that the management of process critical software is part of a continuous improvement process. Recommendations may include training for process individuals, actions at an organisation-wide and department-wide level and the identification and if necessary implementation of leading management applications and tools such as Asset Guardian.