For IT Assurance, Get Some Insurance

by Paul A. Strassmann

Computerworld

November 2, 1998

The time has come for computer risk insurance. It will be one of the most important innovations in information management, exceeding most recent technological advances.

Insurance premiums may soon become a large component of every organization's information technology budget.

Insurance is critically important for our civilization to function. Without insurance, airplanes may not fly, automobiles must stay in the garage, X-ray machines may shut down, chemical factories may close and buildings may not get construction permits. Complex machinery and facilities are insured because their risk of failure is widely recognized and requires the protection insurance offers.

Insurance delivers social and economic value by asking the insured parties to weigh the costs of potentially excessive premiums against the exposure to losses. In this way, insurance puts in place a market mechanism for judging a technology's reliability. In the absence of insurance, government regulators and inspectors step in, often with solutions that are worse than the situations they try to remedy.

Insurance is already available for business interruption risks from year 2000 failures. If computers fail despite your best practices and efforts, the insurance policy would cover damages in excess of a deductible. There's no reason similar coverage can't apply to other computing situations.

I believe business executives will be buying insurance for computer-caused interruptions not only to minimize the losses, but also for the added assurance it will give them about the trustworthiness of their IT staffs. Operators of computer networks, particularly those serving electronic commerce, will be required by customers and their legal counsel to maintain third-party liability and business interruption insurance coverage.

The simple fact is that risks from IT malfunctions now rank with earthquakes (a mere $30 billion to $60 billion exposure) and hurricanes (only $5 billion to $15 billion per incident) in potential economic losses. If you also believe the various surveys that suggest that more than 50% of all major computer projects experience material cost and schedule overruns or get canceled, that chalks up untold billions of dollars in losses suffered by organizations every year.

And if one contemplates various failure scenarios, such as a global Internet-borne software plague or deliberate acts of information terrorism, the financial damage estimates approach those from an accident at a nuclear power plant.

The Principle of Fortuity

Those who doubt whether it's possible to insure against computer risks would be well served if they became better acquainted with the underlying theory of insurability.

All insurability is based on the principle of "fortuity," which states that a risk can't be insured when a loss is certain. Moreover, a risk can't be insured if it could have been avoided by taking generally known and easily available preventive measures. The principle of fortuity shows that computer risks are insurable -- if practitioners pursue their craft in a more prudent manner. How, then, would fortuity apply to the management of computers?

Companies pursuing overambitious and reckless projects, such as massive, rapid, enterprise re-engineering projects, would find that they aren't insurable. Firms that can demonstrate consistent delivery of high-quality software and secure and reliable services will enjoy lower insurance premiums -- and management will get an independent confirmation that the IT staff isn't doing something foolish.

Projects with documentation of the precautions taken to protect everyone affected by an information system would be insurable. That would encourage IT managers to get their houses in order and accumulate records of on-time, on-budget, secure and quality results.

Management Implications

The advent of computer risk insurance is likely to have an enormous effect on the IT world -- both on corporate consumers and vendors of information products. Software without warranties (whether in shrink-wrapped packages or as part of a consulting product) will cease to be viable. IT executives will have to comply with public standards for systems development rather than improvise.

Information managers will have to think about the long-term impact of their systems. Otherwise, they will fall prey to the long memories of litigation lawyers who will do their best to demonstrate negligence -- not fortuity.


Strassmann (ceo@stacorp.com) is betting on insurance as the lever for making the value of software quality a measurable benefit.


Copyright 1998 by IDG Communications, Inc., 500 Old Connecticut Path, Framingham, MA 01701.
Reprinted by permission of Computerworld.
