This is the first in a series of posts on IT resilience. In this post, we introduce the seven-point manifesto that can help organizations build resiliency. We will explore several points in depth in subsequent posts.

In late January 2021, investors across the United States logged on to brokerage platforms as shares of GameStop skyrocketed. Amid the frenzy, however, millions of customers were unable to access their account information and make trades, as many of the brokerage platforms suddenly failed. Outages and unstable IT are not just a concern in the financial sector. In September 2019, Slack’s stock fell 14 percent after the quarterly earnings report revealed that the company took an $8.2 million revenue hit after giving credits (money previously allocated to cover future bills) to customers following service-level disruptions.¹

These situations underscore the need for organizations to address IT resilience—a company’s ability to handle a technical disruption. To be sure, poor IT resilience is not an outcome of the COVID-19 pandemic, though the crisis certainly exacerbated it. The influx of online traffic as a result of the pandemic, however, strains already rigid legacy on-premises IT systems, resulting in outages and service delays.

So why aren’t companies strengthening their IT resilience? In short, because their CEOs and boards often don’t view IT resilience as a business problem until it has a financial impact through customer attrition or they are called out by regulators. Consider the former CEO of the Tokyo Stock Exchange who stepped down amid regulator pressure following a daylong outage of the trading platform.² To increase IT resilience, therefore, we recommend companies take a comprehensive approach grounded in seven core beliefs that address both IT and business outcomes (exhibit).

The case for resilience

In the past, companies could mitigate outages in physical channels through manual business-continuity processes, such as a customer-care agent using administrative access to enter an order. But as more customers increasingly migrate to digital channels, the traditional ways of addressing stability issues no longer apply. In addition, the underlying dependencies of IT systems also complicate the quest for resiliency. As an example, some businesses are integrating with application-programming-interface (API) ecosystems, an approach that can create value by allowing them to build new applications through an API portal or gain access to rich customer data, but one that can also introduce a new failure point.

Add the continued complexity of IT to outdated processes and operations, and it’s no wonder that the frequency of severe outages is increasing. A 2020 survey of infrastructure and operations leaders revealed that 76 percent experienced an incident during the past two years that required an IT disaster-recovery plan, and 50 percent experienced two such incidents. In another survey, 88 percent of respondents reported that an hour of critical server downtime costs them more than $300,000, and 40 percent reported such costs at more than $1 million. These incidents with high costs of downtime have motivated more organizations to boost investments in disaster recovery. These investments are critical, as many IT projects have minimal controls designed into new processes, underdeveloped change plans (or none at all), and scant design input from security, privacy, risk, and legal teams. As a result, companies are creating hidden nonfinancial risks in cybersecurity, technical debt, advanced analytics, and operational resilience, among other areas.