7 Types of Enterprise Risk from a Poorly Managed Application Portfolio

The risk from inadequate application portfolio management is significant and too often overlooked or ignored. In this post we present seven types of enterprise risk from a poorly managed application portfolio.

Unused and outdated applications carry risk.

Organizations may have between 1.5 and 7 (or more) applications per employee. It’s hard enough keeping core applications functional, but what about the thousands of peripheral ones?

When you leave unused and outdated applications in a portfolio, you carry significant risk. But what are the areas of risk? And how can you understand that risk in order to retire outdated and unused applications?

The seven types of enterprise risk from a poorly managed application portfolio are:

  1. Legal
  2. Privacy
  3. Regulatory
  4. Security
  5. Operational
  6. Cost
  7. Business

1. Legal risk is always top of mind.

Lawsuits are top of mind because of legal expenses and the reputational risk involved. Companies of all sizes tend to spend significant dollars on litigation and associated e-discovery costs. Yet despite this awareness, most organizations are unaware of the legal risk posed by unused or outdated applications, including over-retained sensitive customer data.

2. Privacy risk has entered the mainstream consciousness.

The recent uptick in data breaches from the likes of Target, Anthem, Experian, and Marriott is now top of mind for most large organizations. Add to that the plethora of privacy regulations—from GDPR in Europe to the California Consumer Privacy Act. The cost of a breach can be enormous—up to nearly $8 million in the United States.

3. Regulatory risk is about reasonableness and responsiveness.

When it comes to managing regulatory risk, the two markers are reasonableness and responsiveness. Reasonableness means that corporate policies, procedures, and guidelines are “good enough.” Responsiveness means that a company can provide the relevant, up-to-date, and accurate information that regulators request in a timely fashion.

4. Security risk takes into account both external and internal actors.

The name of the game for Information Security (InfoSec) is keeping external and internal bad actors from causing breaches by maintaining the latest security patches and upgrades on every corporate system. That’s not easy if you have thousands of outdated or unused applications.

5. Operations risk prevents a company from reallocating resources.

The burden of basic IT operations prevents organizations from shifting resources to strategic projects that deliver business value. If you have unused or outdated applications, you have more systems to maintain.

6. Cost risk of unused or outdated applications

The sheer number of unused and outdated applications drives the annual cost of maintenance into seven or eight figures for most large organizations.

Costs of maintaining applications include:

  • Annual software maintenance
  • FTEs to maintain the software
  • Hardware to run them
  • Resources to back them up

7. Business risk of delivering the wrong information

When business-critical information is maintained in outdated or unused applications, getting the right information to the right person at the right time is somewhere between difficult and impossible.

Want to learn more? Download our comprehensive guide to application portfolio management for information governance.

To see precisely why it’s important to reduce the risk that outdated or unused applications create in these seven key areas, download our white paper, Using Application Portfolio Management for Information Governance.


Rich Medina
Doculabs
Doculabs consultants offer in-depth expertise in information management and information security across a number of industries, including financial services, insurance, energy, manufacturing, and life sciences. Our recommendations are based on our experience and empirical data from hundreds of consulting engagements over more than 25 years. As trusted advisors, we provide our clients recommendations that are completely objective.