“The insurance industry has long refused to take on unlimited liability on a number of perils (nuclear power, nanotechnology, terrorism). This is not only because you can’t calculate exposure and thus risk-based capital, but also because the extent of the liability is fraught with political risk – and then there’s always moral hazard in the picture.”
“This is the nuclear option. They can only ever sue a contractor once, unless they’re shutting down. After that, no one sensible will work for them.”
Actually, Lloyd’s of London used to ask its “names” to accept unlimited personal risk exposure, but in the mid-1980s this almost destroyed Lloyd’s.
It has also been suggested that if one bank is doing this the others may follow soon. If this happens, then it will only take one bank to sue one contractor and everything will be exposed.
Of course, it’s entirely possible that this is all a storm in a teacup. The bank in question may have simply written the clause into the contract to give them a big stick with which to beat their contractors. So either the bank has an overly simplistic view of risk, or it has an overly simplistic view of IT. Neither option is particularly heart-warming.
There might be a silver lining here. If banks are really asking the IT suppliers to take full responsibility then it might alter the shape of the industry. In the short term the likes of Accenture, Logica, CSC, etc. will probably benefit as they are better able to take on these risks. It might also force IT suppliers to take on more responsibility and actually deliver systems which work, and which are usable. Unfortunately, I’m not sure many, or even any, of the big suppliers are able to do this.
I’ve also been sent some interesting links which, unfortunately, I’ve not had time to read in detail – nor am I likely to get the time in the near future. A quick scan did produce this interesting quote:
“The declining role of manufacturing makes physical activities and risks less critical to many firms, reducing their need for ‘bricks and mortar’ coverage. Meanwhile, new, harder-to-quantify risks have emerged for both service and manufacturing companies. Liability risk is one important example.” (Swiss Re Sigma publication 4/2005 – and in other languages)
Ever since I did my PRINCE2 certification earlier this year it has been clear to me that the IT industry does not have a good toolbox for coping with risk. Last week’s seminar added to that impression and gave me some ideas. However, what I perhaps didn’t appreciate is that even the present, limited, tools are wearing out too.