The difficulty in assessing the cost to the institution of an IT outage was raised by a number of IT directors as a problem. UCISA responded to this issue by securing funds to commission a piece of work to establish formulae to estimate the costs of outages for certain scenarios. The problem was highlighted because the IT directors were concerned that institutions were spending money either on insuring against failure at critical times or building resilience into their systems without really knowing whether the spend was justified since the impact of the outage had not been assessed.
Today I met with the lead consultant on the project. The initial project definition included a number of sample scenarios; since then a number of IT Directors in the higher education sector have highlighted further scenarios that might merit further investigation. Naturally, given the diversity in the sector, the scenarios varied greatly between institutions. There was some commonality – failure during clearing was picked out as a particular risk by a number of institutions – but in many cases the scenarios reflected the institutional missions. Over the next few days I’ll be working with the consultant to refine the list. This will involve identifying the underlying causes of the failures outlined to determine what the root cause of the failure might be. For example, the reason for a loss of access to e-journals (which are largely held off-site) may be a failure of authentication services which will have far greater impact than e-journals alone. So loss of authentication services may be a more appropriate scenario to study. We also want to identify those scenarios that will impact institutions across the sector and those that will impact the whole institution and not an individual department.
The project is due to complete in March. Before then there will be a period of information gathering from the sector as a whole before a number of more detailed studies are carried out to define and test the defined formulae. This should hopefully result in a useful resource for the whole community that will allow IT directors to identify whether or not insurance against failure or investment in resilience is merited.