IT Assets are Just Assets — Treat Them That Way

Larry Hau
5 min read · Apr 2, 2020

What if I told you an F100 airline had planes that were five years past recommended life and that they had failed to perform maintenance on these planes regularly (or to include all recommended changes) for years at a time? Would you fly with that airline? Would you invest in it? Do you think the shareholders and public have a right to know about that? That’s basically what’s brewing beneath the surface of so much IT today and yet, because it’s lost in the noise, we’re content to pretend it’s not a risk.

I propose that we treat these scenarios the same way.

Many leaders today realize their dependence on tech. But you know who doesn’t know? Their balance sheets. Their investors. Their boards. If you peruse the balance sheet of an F100 company today, you’ll see lines for assets, depreciation and maintenance, and yet most of their software and systems remain off the books, in the shadows. Companies consume massive amounts of home-grown and 3rd party software that is simply ignored by the accounting department and buried in various servers and (frighteningly) even desktops of employees. I knew a guy whose script was critical for running a job to transfer billing information into the billing system, and it ran locally on his machine. He left one day, years after creating the script, which he’d forgotten, and someone unknowingly turned his desktop in to IT. While they did catch it before it was wiped, they didn’t catch it before a week’s worth of billing information was lost.

These risks exist everywhere in companies today as strapped IT departments do their best to keep the lights on while buying and building components to bridge legacy systems, new mergers, and rapid product launches. Even more risky, IT leaders and individual contributors regularly rotate through layoffs and promotions, and no one is left with knowledge of how the systems were created in the first place. Even beyond the most risky but rarer “forgotten system” exists a larger threat: IT systems maintenance. Today, much IT is well beyond its maintained version or, often, its end-of-life date entirely. A cursory search on Shodan.io shows over 32,000 servers still running Windows 2008, a server OS that went EOL in January 2020 after multiple attempts by Microsoft. These systems (homegrown, 3rd party and out of maintenance) present huge stability, security and data integrity concerns in the same way that faulty brakes on delivery trucks or poor building maintenance practices might.

Today, an airline must account for its fleet age in public financials because of the risk old planes present. It must estimate and record maintenance expenses and the usable life of the asset. If it continues to use a known dangerous asset, it is often held culpable for accidents from such use. Most IT assets simply get installed and forgotten, barring the occasional patch cycle. The economic and business risks of IT software “fly under the radar” because it’s often so prolific and so complex that accounting simply can’t keep up. This presents a risk to investors and to business leaders in the long term for their companies.

Here I must momentarily diverge for my fellow nerds into a cursory review of Financial vs Managerial accounting. Financial accounting exists for formal regulatory and banking concerns. It’s usually highly opinionated and very technical. Getting it wrong often has huge consequences through depressed stock prices from restating earnings or from SEC investigations, fines and jail time depending on how wrong. Managerial accounting is usually internal and designed to help leaders manage the business. It tracks cost to serve, product line profitability, etc. Both are important in any business.

My proposal is this:

  • IT assets should be treated as crucial physical assets in financial accounting, applying the principle of “materiality” or “is it a big enough concern to record on the books?”

If a company depends on a fleet of delivery trucks for operations, those trucks are recorded with estimated maintenance and life. However, no one records the manila folders used by the HR department for personnel files. Both are costs, but only one is material enough to warrant disclosure.

This could easily be accomplished by including steps during audit which map key software/hardware pieces, their age, useful life and a plan to either maintain or refresh the system. Some companies even do this today though I propose at least high level notes be disclosed in the statements as well.

  • IT risks should be categorized and disclosed, applying the principle of “materiality”

So often we’ve seen the impact of poorly secured or old infrastructure. Often, these are due to failures by internal IT to maintain or upgrade old systems. Whatever the reason for those failures, they should be disclosed to the investing public. Sometimes these failures are simply missed but often companies have systemic failed processes that put them at risk. Auditing and notating those risks simultaneously better informs investors AND puts the focus on fixing those things internal to companies. If you own it publicly, you care about how it looks.

  • Managers should track an overall estimate of their software and hardware ecosystem and specifically book the costs of maintaining (or risks from not maintaining) to internal ledgers.

Too often today IT leaders are unsure how to convince senior leadership of the business risk presented by aged or unsecured IT assets. Inevitably they then fail to get funding to fix or replace them, and eventually one of the holes in the dam explodes, washing away revenue and time from the IT department picking up the pieces after. Tracking the estimated costs of these systems presents a like-for-like decision to senior managers who usually WANT to make the right decision but simply can’t put a dollar figure to potential risks. IT leaders can partner with internal accounting teams and bridge that gap. Everyone makes better decisions and IT leaders have less risk to manage.

Finally, the best thing about all of these moves is that they force companies to think strategically about investing in IT. So often managers simply make a decision without considering the long-term costs of that decision. Would we make such rash decisions in purchasing a new building or investing in a new manufacturing line? No. We’d consider the ROI, investment cost, maintenance cost, cash flow, etc. Why shouldn’t we do the same with technology?

--

Larry Hau

Cloud technologist with experience across four continents and three clouds. Interested in all new age tech from quantum to robotics to CI/CD to k8s.