Baselinemag - IT Management – Strategy Execution
Strategy Execution for Risk Management
By Faisal Hoque
Risk management and IT continuity are complex and critical disciplines.
No investment can be effective in the long term without consideration of risk. The consequences of not
doing adequate business continuity planning can be disastrous.
The outcomes of inadequate risk management span the gamut from financial losses to a loss of customer
goodwill that may well threaten the long-term viability and survival of a firm. Today, with an increasingly
unforgiving regulatory environment and legislation such as Sarbanes-Oxley that requires business
technology systems to function without error, executives need to be concerned about risk management
more than ever before.
Business risks can be both internal to the firm, such as rolling out an inadequately tested system, as well as
environmental, in the form of an unanticipated natural disaster. This two-sided model creates a challenge
for business and technology executives. The former type of risk is somewhat more recurring, predictable
and perhaps controllable, and, therefore, the business case for investment in risk management is often
easier to justify. Meanwhile, the latter type of risk is unanticipated and episodic, and the typical firm
questions the outlay of resources to protect against such rare occurrences.
At its essence, risk management involves three steps:
(1) Identifying the nature of risks inherent in the situation
(2) Assessing the likelihood of the risks manifesting themselves
(3) Taking preventive and corrective action to reduce the firm’s level of exposure to the risk.
The past three decades of business computing have contributed much to our understanding of risk in the
technology context. Unfortunately, a dominant focus in this prior work has been narrow – on controlling
and managing projects, rather than on the broader risks that executives face in firms where technology is
deeply and fundamentally embedded within the business. Indeed, the turn of the century has heralded
significant changes in the business technology milieu that have created a compelling need to expand the
focus of risk management from the micro project view to a broader enterprise perspective.
These changes include an increasing emphasis on:
(1) “Buying” and customizing packaged solutions rather than building systems in-house, i.e., on
solutions integration rather than software development
(2) Partnering with a wide array of providers to acquire needed technical competencies and skills,
including taking advantage of off-shore resources
(3) Using business technology for systems that span organizational boundaries and help link together
customers (through electronic commerce and CRM systems), suppliers (through fully integrated
electronic supply chains), and other business partners
(4) Deploying business technology as the platform upon which the entire business is run.
The Faces of Risk
In this environment where business technology is pervasive, what is the nature of risk? Risks are
classified into three broad categories: systems, sourcing and strategy, based on where they originate. Some
risks are predominantly intra-enterprise in nature, such as systems and strategy, while others, notably
sourcing, reflect the challenges that arise in inter-organizational settings. Note that although these
categories are somewhat overlapping and not mutually exclusive, they nonetheless provide a conceptually
simple framework that can be populated through conversations and interactions among executives from
both technology and business.
Effectively managing project risk requires that a structured process and organizational responsibilities be
implemented at both the project and program levels. A formal risk management plan should be developed
to clarify risk management roles and responsibilities; risk management processes, procedures, standards,
training and tools; the method and frequency of risk progress reporting; and what should be monitored to
determine if risks are occurring. A project should attempt to manage only the risks it can handle. Other
risks should be elevated to the program level. Determination of whether to elevate should be made based
on examination of whether the mitigation action steps are within the control of the project team.
Managing risk at a program level involves a review of project risks and program risks by an Enterprise
Program Management Office (EPMO). The EPMO should analyze project risk across the entire program
to see if the same risk occurs in different projects and requires concerted action.
The EPMO should document the inventory of risks, their assessment and mitigation plans in a database. If,
after analyzing program risk, the overall program risk level is deemed to be higher than originally
documented in the cost/benefit plan (i.e., the business case), then the business case should be updated,
reflecting the adjustment in the range of costs and/or benefits or a lower confidence measure. It is
important that the EPMO collaborate with an Enterprise Risk Management (ERM) Group to ensure that
the business impacts of project-related risks are well understood, and that a periodic evaluation can be
made concerning the impact of other enterprise risks on the project.
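The three-step process (identify, assess, act) and the project/program split described above can be made concrete as a small risk register. The following is an added example, not code from the article or from any EPMO tooling it describes; the 5x5 likelihood/impact grid, the low/medium/high bands, the rule that a risk recurring across projects is raised one band because it needs concerted action, and the sample register entries are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ordered severity bands for an assumed 5x5 likelihood/impact grid.
BANDS = ("low", "medium", "high")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    project: str
    description: str
    likelihood: int                         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                             # 1 (negligible) .. 5 (severe), assumed scale
    mitigation_within_project_control: bool  # can the project team execute the mitigation itself?
    mitigation: str

    def score(self) -> int:
        """Exposure score: likelihood x impact on the assumed grid."""
        return self.likelihood * self.impact

    def band(self) -> str:
        """Map the score onto low/medium/high (assumed thresholds)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def should_elevate(risk: Risk) -> bool:
    """The article's rule: a project keeps a risk only if the mitigation steps are within its control."""
    return not risk.mitigation_within_project_control


def program_view(register):
    """Split the register into risks kept by projects and risks elevated to the EPMO."""
    kept = [r for r in register if not should_elevate(r)]
    elevated = [r for r in register if should_elevate(r)]
    return kept, elevated


def shared_risks(register):
    """Risk descriptions (normalised) that recur in more than one project."""
    projects_by_desc = defaultdict(set)
    for r in register:
        projects_by_desc[r.description.strip().lower()].add(r.project)
    return sorted(d for d, ps in projects_by_desc.items() if len(ps) > 1)


def effective_band(risk: Risk, shared) -> str:
    """A risk seen in several projects needs concerted action: raise it one band (assumption)."""
    b = risk.band()
    if risk.description.strip().lower() in shared:
        b = BANDS[min(BANDS.index(b) + 1, len(BANDS) - 1)]
    return b


def program_risk_level(register) -> str:
    """Overall program level: the highest effective band on the register."""
    shared = set(shared_risks(register))
    return max((effective_band(r, shared) for r in register), key=BANDS.index)


def business_case_needs_update(register, documented_level: str) -> bool:
    """True when the analysed program level exceeds what the business case recorded."""
    return BANDS.index(program_risk_level(register)) > BANDS.index(documented_level)


# Constructed sample register for two projects in one program.
REGISTER = [
    Risk("R1", "CRM rollout", "Insufficient UAT coverage before go-live", 3, 3, True,
         "Add a two-week UAT cycle to the project plan"),
    Risk("R2", "CRM rollout", "Key vendor delivery slips", 3, 4, False,
         "Renegotiate the vendor SLA (contract owned by procurement)"),
    Risk("R3", "Supply chain integration", "Key vendor delivery slips", 2, 4, False,
         "Renegotiate the vendor SLA (contract owned by procurement)"),
    Risk("R4", "Supply chain integration", "Data-centre outage during cutover", 1, 5, False,
         "Invoke the disaster recovery site (owned by infrastructure)"),
]

if __name__ == "__main__":
    kept, elevated = program_view(REGISTER)
    print("kept by projects:", [r.risk_id for r in kept])
    print("elevated to EPMO:", [r.risk_id for r in elevated])
    print("shared across projects:", shared_risks(REGISTER))
    print("program risk level:", program_risk_level(REGISTER))
    print("update business case (documented 'medium')?", business_case_needs_update(REGISTER, "medium"))
```

With this register the two vendor-delivery risks are individually only medium, but because the same risk recurs in both projects the program level comes out as high, so a business case that recorded a medium level would be flagged for revision. The split into kept and elevated risks is driven purely by whether the mitigation is in the project team's hands, which is the elevation criterion the text gives.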
Risks in Context
In an interview with the BTM Institute, Toby Redshaw, the CIO of insurance giant Aviva Group, explained
that he reduces risk by seeing to it that activity at the project level is guided by the strategic needs of the
enterprise:
“Before we go to the next program or the next phase, we take a very serious look at the business. Did this
deliver the benefits we said it would? What is the benefit realization picture of this? We have to get better
at that here. I've seen many IT shops where this is non-existent, but that's the game. We're here to do things
for the business and to deliver certain business.
That sort of dialog and that sort of hard stare at ourselves will help us to become better and better at that.
If technology’s real job is to have an impact on the profit and loss statement, then we need to have good
discipline around portfolio demand management. Benefits realization is very important to us.
From a technology perspective, we look at both internal customer satisfaction and external customer
satisfaction. One of the biggest gaps that technology has is the connection back to the profit and loss
statement. We often ask our front-line IT leaders who work on key projects to tell me or the other divisional
CIOs how that project relates back to the profit and loss statement. How does that project affect earnings
per share? What is the linkage in what they're doing to the overall business value?”
Risks and threats emanating from strategy represent the dangers a firm faces when its management of
business technology is poorly executed. Such systemic risks are manifest, for example, when business
technology strategy is developed without the involvement of key business stakeholders, when project
portfolios are constructed with a short-term orientation and with little or no consideration of strategic
goals and priorities, and when sourcing decisions are made in a vacuum without sufficient understanding
of the hazards of a lean in-house capability.
The net negative result of not managing strategy risks is twofold. One, the firm is unable to extract the
maximum value from its technology assets and business technology capabilities; over time the ability of the
firm to deploy business technology effectively declines. Two, there is a potential for business
sub-optimization due to either insufficient or inappropriate investment in business technology management.
Although technology investments can be strategic and rational, very often they succumb to normal human
tendencies. Many companies go from one extreme to the other. When things are good, the CIO promotes
the idea of technology being a strategic enabler. When the business is in a downturn, the CIO is back to
running technology as a cost center and trying to outsource as much as possible. Two years down the road,
these organizations realize they've lost many capabilities and need to regroup.
In today’s economy, the days of reward outweighing risk are a thing of the past.