How many mid-market and SME organisations are unknowingly risking the business because they have failed to actively consider the risks associated with IT? If you think the answer is ‘A few but definitely not you!’ you probably need to think again, explains Mitesh Patel, Managing Director of outsourced technology infrastructure provider Fifosys.

Many SMEs have not read or understood the service and support level that their IT contract provides. In many cases the IT department has not shared the risks or, even worse, is unknowingly jeopardising the business through a lack of understanding and insight. While most organisations now recognise that good technology is key to business success, from 24×7 access to e-mail, to robust storage of sensitive customer data, many have no idea that such core functions will not be immediately restored in the event of a disaster under their existing arrangements.

IT delusion

Most companies blithely assume that an IT support contract covers all the major issues, from e-mail failure to data loss. But that is simply not the case. Look more closely at the not so fine print and organisations will be stunned to discover just how vulnerable the business is to server failure, severed connections and software glitches.

How many organisations recognise that failure of an e-mail server could result in the business losing access to all e-mail for up to five days? Most assume that restoring the server within hours is part of the service contract, but is it? If the hardware fails, the onus is likely to be on the hardware provider, not the service company, to repair the fault or provide a replacement, a process that could take days.

Failure to read the contract means that when problems do occur, organisations put the blame firmly on the IT department or support organisation, while suffering significant business loss. But has anyone asked the right questions of the IT support team, whether internal or external? Getting the right IT support contract requires a real understanding of the risks associated with IT and demands that technology service delivery and remediation be prioritised to match needs.

Failure to do so adds risk. Take a busy city centre bar. A brief power outage at 9am will have limited business impact: there are no customers and the till is not in use. Should that same failure happen at 10pm on a Friday night, when the bar has perhaps as much as £10,000 in customer tabs, a loss of till functionality will result in massive financial cost as the organisation has no way of checking customers’ charges and payments.

Risk assessment

To mitigate the risk associated with technology delivery, organisations need to identify the single points of failure across the IT infrastructure. Yet while businesses routinely assess the single points of failure in core operations, from manufacturing to distribution, they are patently failing to apply the same robust operational practices to IT. Take as an example a manufacturing company with 12 machines on the production line and, as a result, two machines (at £100,000 each) on system stand-by at all times in case of failure: a massive £200,000 investment that is rarely used.

Meanwhile this same organisation, with 150 employees, has only one e-mail server. The company is sending 1000s of e-mails daily both internally and externally to customers and suppliers, yet there is absolutely no e-mail resilience. If the single e-mail server, or any one of its key components, goes down the business will stop until it is fixed. It is clear that no-one in the organisation has asked the right questions about IT risk.

So why are SMEs failing to take steps to understand IT risk? In part the problem is one of culture: individuals within the IT team are neither encouraged to map business needs to IT risks and availability nor, to be frank, do they have the skills to do so. But continuing to consider IT requirements in isolation from business need will compromise business stability and undermine the value of IT investment.

IT insight

Mid-market and SME businesses face a real challenge: for any organisation with less than 250 employees, it is simply not possible to justify one full-time IT Director role. Yet far too many organisations of this size not only have an IT Director but also a team of up to three staff. More often than not these IT Directors are long term employees who have progressed to senior status through longevity and loyalty. As a result they may not have the strategic skills required and it’s unlikely that an IT team of this size has the breadth of skills needed to manage complex network and application infrastructure.

This expense of full-time employed, in-house IT staff is really not the best approach. Organisations should be considering best practice above all other factors. That means accessing the best skills as and when required in the most cost effective and efficient manner, from strategic direction to network support.

Organisations of every size need a team with the ability to deliver real risk assessment and strategic IT decision making. By opting instead to promote long term IT staff to a manager/director role, organisations probably end up with an individual who is overpaid to undertake the mundane day to day tasks associated with a small IT team, from plugging in cables to manning the help desk. In addition, the organisation is highly unlikely to have given this individual the resources, time or expertise to assess business risk or undertake strategic planning and long term IT budgeting.

This is simply not a viable model and is adding untenable risk to SMEs. Furthermore, unless organisations continue to invest in new technology, in-house skills will rapidly become out of date. In this fast changing technology environment organisations cannot possibly attain the breadth of skills required to support today’s complex IT requirements (from online order taking, to 24×7 e-mail services, local and wide area networks, as well as business continuity) within a one or two person IT department.

So just what value are these individuals providing to the business? They are not generating revenue nor providing an essential administrative role. Indeed, combining a lack of skills with the organisation’s inability to accurately define ongoing requirements, internal IT departments are incapable of effectively managing third party service and support contracts, adding both further risk to the business and unnecessary cost.

Business focus

As the recession looks set to continue towards the end of 2010, SMEs need to maintain and win as much business as possible, and can therefore not afford to take any risk at all. Businesses cannot continue to waste money on unfocused technology investments that fail to support short or long term business needs or mitigate operational risk. Nor can they justify third party supplier service contracts that fail to reflect true operational requirements.

A simple but frank and honest IT infrastructure audit from a competent professional can provide immediate insight into the single points of failure. Now you need to translate that into simple statements, in business terms, that the board can comprehend. Put it plainly and clearly with real timelines, from the risk of how many hours or days of e-mail downtime to the implications of the loss of access to data and premises. This enables directors and management to determine and prioritise IT needs and investment based on real business requirements.

With this understanding, it is far simpler for an organisation to attain an IT service and support contract with a relevant and, critically, measurable Service Level Agreement. And, once in place, SMEs can look to build on this relationship to attain quantifiable technology value, including advice on strategic investment and long term budgeting.

It is this shift in emphasis away from a grudge purchase towards a demand for value that is essential for mid-market and SME businesses. All IT service and support contracts are not the same. Cost is obviously a key consideration but too many organisations are actually spending too much money on contracts that are failing to reduce operational risk. The objective must be an effective solution that reflects the organisation’s appetite for risk based on real, in depth understanding.

It is only by taking a step back, assessing and understanding the current levels of risk associated with existing IT deployments, that an organisation can truly determine its ongoing IT requirements and then put in place the technology, skills and resources to reduce operational risk and transform IT from a cost centre to business enabler.