Managing risk in a risky business

Change – it’s hard to find a systems article nowadays that doesn’t refer to the pace of it, the inevitability of it, the need to embrace it if we are to survive.

Change implies risk and since few fields of endeavour are changing at the speed of information technology, ours is one of the riskiest. Further, since change is rarely linear (consider Moore’s law) quantifying our risk is a challenging task.

IT professionals must manage risk to ensure decision-makers understand the nature of exposures — whether for purchasing PCs, establishing an e-commerce site or implementing a multi-million dollar ERP system. In general most experienced IT professionals and project managers understand the need to anticipate problems and quantify costs of potential scenarios.

But what about the broader context – the attitudes to risk within the organization as a whole? Is the organization a risk-taker or is it risk-averse? Is the current situation in the company consistent with the culture (as perceived by the leadership) and if the answer is no, how are your projects influencing the environment – and vice versa?

The answers will enhance understanding of your organization.

In a recent Harvard Business Review article, Robert Simons poses the question “How Risky is Your Company?” and describes a tool called the Risk Exposure Calculator. Simons identifies three areas of internal pressure which affect the risk profile of an organization – Growth, Culture and Information Management. Based upon a scoring system one can assess whether the company is in the safety, caution or the danger zone.

Why is this important? Because you want to know what risk level the leadership is comfortable with, the actual risks the company is exposed to, and whether you are contributing to the gap.

Appreciating different tolerance levels for risk can pay big dividends. For instance:

Developing relationships. Successful project managers will always emphasize the importance of trusting, open relationships with the client. By understanding the willingness to take risks and acting accordingly, the likelihood of sustained relationships increases. A colleague of mine once said, “People don’t care what you know until they know that you care.” Few things say that you care as much as appreciating your partner’s appetite for risk.

At a large engineering consulting company there had been significant disagreement regarding the applicability of their project management methodology. This had affected the careers of several individuals. Once this was understood it was easier to appreciate their attitudes towards management of a major systems implementation and efforts could be made to modify the approach.

Maximizing the probability of success. If an organization is risk averse and a project is handled in a risk-taking manner, barriers are growing from the start.

Either projects will be terminated because they create unease, or uncomfortable news will be withheld. In a large public sector institution, an ERP system implementation had failed over a four-year period. The executive sponsor was under extreme pressure to deliver and an administrative renewal project had become a Y2K survival project. A proposal to change platforms for integration reasons was greeted frostily because there was a disconnect between the risk which the sponsors were prepared to tolerate and that which was necessary to achieve success. The loss of confidence between the sponsor and project manager cost the initiative several valuable months of progress.

Partnering with business units. Partnering means sharing risks. Risks are not presented in totality at the outset of a project but rather they emerge as initiatives progress. The way these risks are presented can vary greatly depending on the attitude of the client. By understanding the pressures which the organization is experiencing and the sensitivity of the client, the project manager can ensure that judgements are made based upon the whole picture and not a knee-jerk reaction.

In my current organization we have introduced a thorough project-chartering and risk-management process to manage the annual computer lab renewal/construction projects. Risks are identified and presented to faculty quickly and clearly, together with suggested actions. This gives a level of comfort and has resulted in significant increase in the trust level.

Recruiting the right people. At a time when staff are in short supply, proposing another constraint will not be popular. However, if IT staff are to act effectively and contribute, they must fit the organization. That means consistent values, and attitude to risk is a critical value.

In the end it’s all about values. Values are the “must” criteria of organizational decision-making. Shared values mean consistent decision-making, greater efficiency and increased trust. Understanding the risk culture and the current risk profile of your organization will allow you (and your profession) to become a stronger and more recognized contributor to its health.

As an IT professional, you should consider risk calculators and see if you can apply them to your company. If you can, it will provide useful insight. If you can’t, that highlights some important gaps in your knowledge base. And those gaps could spell risk to your career.

Byrne is the director of computing and network services at the University of Alberta. He is at