Risk Management: From Adversity to Advantage
Many enterprises, and IT teams specifically, are implementing sophisticated risk-mitigation strategies that let them better understand and more effectively manage the risks they face.
- By Bill Curtis
- August 31, 2005
Risk is a powerful motivator for all of us. Failure to manage risk properly can result in unprecedented professional and personal lossfrom increased customer turnover and lost business partners, to heavy legal penalties, missed market or revenue opportunities, and in the worst cases, a complete loss of business operations.
With that in mind, many enterprises, and IT teams specifically, are looking to implement sophisticated risk-mitigation strategies that will allow them to better understand and more effectively manage the risks they facewhether the risks arise out of technology decisions, compliance mandates, or changes in business strategy. According to recent survey data from Forrester Research, 62 percent of chief information officers (CIOs) already have company-wide initiatives focused on enterprise risk and compliance management.
While the role of risk management is becoming more and more critical in an accelerated and geographically dispersed business environment, risk management itself is not a new discipline. The traditional risk-management strategies that many CIOs are implementing today have been around for decades and typically focus on controlling risks to minimize loss or failure.
Going forward, enterprises need to expand their view of risk management to encompass the concept of risk as a business enabler. This new perspective defines risk not only as a threat, but as an opportunity that can be leveraged to create new products, new services, new business models, and new ways to compete in the marketplace. Today, successful enterprises are building strategies that balance risk management with risk taking to increase innovation, advance operational excellence, and achieve market advantage.
Engage IT for Successful Risk Management
In most successful enterprises, IT plays a strategic role in competitive differentiationfrom revenue generation, to customer service, to business efficiency, to financial reporting and compliance. For this reason, IT management is in a prime position to drive and automate risk management across the enterprise.
With a seat at the executive table and a more direct role in broader strategic discussions, IT can not only help mitigate the risk of operational failure, but can also maximize the business value of technology investments by balancing the risks and rewards of those investments. By advocating a proactive view of risk management that balances both risk taking and risk mitigation, IT organizations can also protect the innovation needed to capitalize on emerging opportunities.
So, as an IT professional, where do you begin? The answer is by laying a solid foundation. You must walk before you can run.
Establish the Right Foundation
Risk management in ITthe combination of risk mitigation and risk takingcan happen only if IT teams have the right data, culture, and infrastructure in place. Successful risk management is the result of managing risks at the project level (where risks to an application's success are managed), at the broader IT level (where risk is managed across the entire application portfolio), and at the business level (where executive-level expectations impact opportunities, cost, schedules, and quality).
To capitalize on the opportunities presented by a balanced risk-management strategy, businesses must be ready to make three fundamental shifts:
- Risk management must be considered from an organizational and business perspective. Decisions occurring in the IT organization now ripple across finance, sales, marketing, and individual business units. Risk planning that balances the level of risk undertaken across the organization allows executives to forecast how minimizing risk in one area can enable the pursuit of a risky innovation in another. This organizational view balances the total risk exposure for the company and enables enterprises to better balance trade-offs between harming the business and creating new opportunities.
- Enterprises must look to risk management not only as a way to control threats, but also as a way to open new opportunities. Risk must be managed without unnecessarily restricting the productivity and creativity that fuel advancement and growth. Many organizations only manage risk to eliminate negative outcomes. This approach often leads to highly restrictive strategies and bureaucratic processes that unnecessarily restrict an enterprise's ability to compete. Organizations must identify risk mitigation and avoidance strategies that encourage positive risk-taking for competitive gains.
- Enterprises must establish a foundation that will allow them to execute successfully on risk strategies. Executive management must determine the level of risk to which the organization can be exposed based on its current business strategy and objectives. They must then make decisions about how risk will be spread across the components of the business, resulting in an organizational risk profile. Then they can create a risk-management strategy by examining how the skills of the project teams, the processes leveraged by the teams, and the products and infrastructure utilized by the IT organization all contribute to effective risk management. It is this intersection of people, process, and technology that creates the foundation for proactive risk management that advances the goals of the entire enterprise.
Transition From Reactive to Proactive Risk Management
The benefits of elevating risk to a senior management issue and establishing risk management as a discipline are clearbetter decision making, more complete opportunity assessment, and more realistic executive expectations. Executives armed with a risk analysis of the trade-offs between schedule, cost, and system scope are better able to adjust project objectives to control the level of risk involved. Project managers can move forward knowing they have met their obligation to provide executive management with accurate information regarding the challenges facing the project.
Proactive risk management gets the issues on the table up front, increasing communication across management levels and ensuring a shared understanding of the rationale behind decisions and the level of risk undertaken. Executives can help by determining the level of acceptable risk based on the organization's business strategy and objectives. They can then allocate levels of acceptable risk across the projects and operations and manage the organization's exposure to risk by adjusting trade-offs between project objectives and commitments across their entire application portfolio.
As the organization's application development capabilities mature, trade-offs between project objectives and commitments become less risky, which allows the organization to undertake greater challenges with greater upside, without being exposed to greater risk.
However, gaining executive support for IT risk-management goals and initiatives is a continuous process. Depending on the organization, several steps can be taken to help gain the support and visibility required to be successful, including:
- Considering company culture when building a risk-management program.
- Articulating IT risk scenarios in business terms.
- Demonstrating how risk information enables better management of the application portfolio.
- Understanding the competitive landscape and the risk factors impacting your most significant competitors.
- Tracking the historical data regarding the benefits achieved through risk management.
Conduct a Project Risk Assessment
Once you're comfortable that you have gained the executive support and visibility that you need, conduct a project risk assessment as a starting point to understand critical information needs and sources of input. A good place to start is to assess which insights are lacking for the decisions that need to be made.
Once you have identified a target project that would benefit from a proactive risk-management plan, follow these six project risk assessment steps, which have been proven effective with other organizations:
- Identify risks. Before developing a plan, first uncover the root causes of project risk and establish risk factors within high-level categories to assist with identification. Use this data to begin to establish a knowledge base; capturing results from past projects and identifying and recording risks at the start of project planning on new projects. To ensure meaningful decision making, it is important to ascertain appropriate levels of granularity underneath the main risk categories to the root cause. For instance, under the high-level risk category of "effort shortfalls" could be subcategories for "hiring shortfalls," "delayed availability from other assignments," and "holiday and vacation schedules."
- Develop a risk knowledge base. Effective risk management requires the establishment of a dynamic repository of project learning around risks and the results of different mitigation strategies. This is an area where an integrated software delivery platform can be a strategic advantage. The ability to track and manage software development activities, data, and assets by role, across phases, and in a centralized database provides a quick means to identify risks that might be relevant to specific projects. It eliminates the need to reinvent risk factors when ramping up new projects. Properly developed and maintained, this repository becomes a valuable corporate asset to project managers.
- Conduct risk analysis. Not all risks apply to all projects. Risk metrics can be used to determine which risks apply to a specific project. For example, the probability that a risk will occur might be expressed on a scale of 0 to 1.0, while the impact (loss suffered if the event described by the risk actually occurs) might be expressed using monetary units. Multiplying these two values indicates the potential impact of this candidate risk, and thus the risk to which it exposes the project. Only risks presenting significant exposures need to be managed, and the sum of these exposures provides an indicator of the project's total risk exposure. This analysis might result in a table that lists the top 10 risks, where the level of exposure presented by each risk determines its priority for risk mitigation and management.
- Develop the mitigation plan. Once each risk is identified, analyzed, and prioritized, develop a plan to mitigate their occurrence and impact on the project. This plan should include contingency actions in case the primary approach to mitigation is ineffective, as well as stipulate an owner and timeline for each risk mitigation activity. Metrics may be assigned to each risk to track its evolution throughout the development process (i.e., time elapsed, budget spent, and number of defects). For example, in the case of "risk associated with new technology adoption," the metrics could be defined as the number of defects discovered in design or code reviews related to the new technology. A threshold value can then be assigned to these metrics to trigger the execution of a contingency plan. For example, if the number of high-severity defects related to new technology discovered in a design review exceeds 7, provide additional training.
- Monitor risk. By tracking these risk metrics, the project manager can reprioritize risks periodically and determine when to activate mitigation and contingency plans. The project risk list should be a standard component of project status reviews with higher management. Team members should be encouraged to look for new risks that might arise as a project progresses. When new risks are detected, they should be immediately analyzed, planned for, and monitored using the risk-management plan. During both the planning and monitoring phases, integrated application lifecycle platforms, such as Borland's Core SDP, can simplify the risk-management process by providing capabilities for capturing, analyzing, and communicating risk information.
- Learn from risk. Throughout the process, management and the entire organization can benefit from continuous learning as new risks encountered during project execution are added to the knowledge base. In addition, the organization learns from tracking the results of different risk-mitigation actions to learn which are the most effective under different circumstances. Patterns and trends can be observed in recurring project risks that can be used to improve risk management on future projects, thus propagating learning across the IT organization.
Creating Competitive Advantage
The next step beyond conducting project risk analyses is to aggregate this information at the organizational level to manage risk across the IT portfolio. The CIO in conjunction with rest of the executive management team must determine the level of risk to which the organization can be exposed and the priorities for allocating this risk across the application portfolio. These priorities constitute a risk profile that justifies risk taking on applications where the organization has accepted high exposure in exchange for the potential high rewards of an innovative solution or an early position in an emerging market. However, this is balanced with low-risk projects that sustain the business.
Managing this kind of balanced risk profile helps improve the integration of IT with the company's business strategy, and can offer real competitive advantage. Any organization seeking to improve success ratios and decision making can get started with the customizable, standard risk-management process I outlined aboveeven on a project-to-project basis. This is clearly a first, pragmatic step to a more comprehensive risk-management strategy that should ultimately encompass both risk mitigation and risk taking.