CIOs who had responsibility for managing year 2000 remediation activity found themselves experiencing the reversal of Executive Attention Deprivation Syndrome. Instead of struggling to get the attention of the executive, they found their executives and boards hungry for knowledge of how the remediation activity was proceeding. Year 2000 risk management became part of the lexicon of executives and directors and provided a great springboard for executive engagement through ongoing risk-management processes.
It might be argued that risk management is not a new topic for the executive. It has, after all, been part of executive and board responsibilities in some form for many years via presentations by auditors, corporate treasurers and credit managers. The executive has learned how important it is to prepare for risks early in the investment cycle and to be able to extricate funds quickly if the probability of failure looms.
Coincidentally, as the time to market for new technology has shortened and the option of using easily available software from the Internet accelerated, CIOs and executives have had to reassess their risk-management policies and options more frequently. They have also learned the importance of assessing risks early in the system life cycle.
This article examines the need for sound collaborative risk-management practices and why the focus must be on the impact the risk events could have on expected final outcomes. In particular, the article highlights why risk assessment must be done early and often in the systems life cycle — from opportunity management through to system replacement activity. A seven-step risk assessment process is outlined that executives can use to review their processes.
COLLABORATIVE RISK MANAGEMENT
Because IT-related investment assists business managers in securing the benefits expected from their initiatives, it is critical that executives, including the CIO, collaborate to ensure that the benefits are realized and risks associated with non-achievement are minimized. For the collaboration to work effectively there must be a risk-assessment process in place and clear governance roles.
The governance roles and activities need to be formalized, and cover both demand and supply functions as described and depicted in the diagram ( Figure 1).
The governance roles envisaged are:
• Demand management, involving pursuit of a business opportunity from concept to the realization of expected net benefits, i.e., gross benefits minus costs. This is typically the overall responsibility of the business sponsor and is often delegated to line managers.
• Supply management, as it relates to the acquisition of resources to construct and process the application systems solution on a continuous basis — typically the responsibility of the CIO.
IT infrastructure investment is typically the responsibility of the CIO, from investment proposal to harvesting of expected benefits. In other words, the CIO is involved in both supply and demand management activities.
RISK ASSESSMENT PROCESSES
A summary of the processes of a risk-assessment life cycle for collaborative risk management is shown in the next diagram ( Figure 2). Successful implementation of risk-management processes in the enterprise will be predicated on: early identification of risks; continuous and objective assessment of the risks; the executive accepting ultimate ownership of the impact of the risk aand activities associated with its minimization; and line management sharing responsibility for implementing risk minimization strategies.
The governance function, which might be carried out by the IT Council or board sub-committee or equivalent, must be linked to both demand and supply management activities. It must focus on risk situations that might compromise the realization of expected benefits, and it must develop risk minimization strategies — activities that will negate the risk or reduce its potential impact.
This focus will include existing business systems, business systems under development, and business systems being considered for approval.
The Council should report frequently to the executive or board of the organization and alert them to the major risk events, their consequences, and efforts to eliminate or minimize them. The Council will be initially responsible for approving processes for risk categorization, business impact assessment weightings, risk probability determination guidelines, and finally, the probability/impact index threshold, i.e., when the probability is high and potential impact is so serious that it must be reported to the executive.
Risk governance practices have to include guidelines for the following:
• Discontinuing the funding for the program/project if the likelihood of realizing expected benefits is low (e.g., the differentiated services being developed are no longer in demand by the market);
• Postponing the program/project until the risks are lower (e.g., legislation is clarified or industrial activity has abated);
• Postponing the program/project (e.g., until dependent software has been proven by the vendor or other clients, or critical technical resources have been secured);
• Reducing the scope and funding of the program/project because the expected market or opportunity has shrunk slightly; and,
• Continuing development as per schedule while regularly monitoring risks in the knowledge that the cost of doing nothing is itself too high to contemplate.
Members of the Council will need to have considerable grasp of the impact of implementing aspects of the guidelines above when, for example, discontinuing a program/project and having to determine the breakage costs. The Council needs to be asking questions such as: Have the risks been objectively assessed? Are the risks overstated? Has management tried to implement all risk minimization options? Who will be adversely impacted if the program/project has to be cancelled or postponed?
It is typically in the audit process — not necessarily the function — that the above questions are considered, and that escalates the matter to the Council for deliberation and action. Membership on the Council should include those who have a broad understanding of the ramifications of the risk event being considered and can make an informed contribution to the assessment of the options. This means that it should be restricted to senior managers, including the business sponsor, CIO, program/project manager and other stakeholders. We have observed that much organizational learning takes place at Council meetings when all aspects of the risk event are canvassed, business impact assessed, scenarios presented and a course of action determined.
In large organizations the Council might delegate the role of administering risk management processes to a subcommittee comprised, for instance, of representatives from the IT function and business units. The subcommittee should ideally conduct workshops to air and assess the risks and present options to the Council.
THE PROBABILITY INDEX
The convenor or facilitator of the workshop must ensure that there is a shared understanding of the issues surrounding the risk event and get consensus on the probability of the event occurring. To simplify the assessment when several events are involved, participants should assign a score from 1 to 10, where 10 reflects certainty of occurrence. For the purposes of this article, this score is known as the probability index.
Ideally, opinions expressed on the nature of the risk and the probability of the event occurring should never be accepted at face value, but challenged openly before the assessment is made. It is axiomatic that participants contributing to the debate will need to be well informed on the probability of the event occurring.
In the accompanying table ( Table 1) are descriptions of possible risk (of failure) events that might occur during the systems life cycle and the circumstances in which failure might occur. Events are classified from low (might happen) to high probability of occurring. The list of events is indicative and not exhaustive. Editorial license has been used when assessing the probability of occurrence.
In addition to probability, the Council will also need to consider the likely business impact of the event — its potential to compromise final outcomes. Again, informed business judgement in assessing the impact will be required. Before making the assessment, the Council will need to endorse the criteria for weighting and scoring the impact. Ideally, weighting should be based on the degree to which the risk event will compromise achievement of one or more corporate goals ( see below). The score, expressed as the impact index, should be from 1 to 10, where 10 reflects a devastating and widespread impact.
Whether criteria should be based on the premise all corporate goals are of equal value or some are more critical to the viability of the organization than others is a judgement the Council must make.
Typical corporate goals might be:
• Achievement of planned profit or surplus in the public sector, or return on shareholders’ funds or equivalent in the private sector;
• Minimization of working capital required;
• Provision of services as required by statute and consistent with occupational health and safety parameters;
• Maintaining a safe workplace with no major accidents; and,
• Compliance with statutory reporting obligations and without audit qualification.
In order to give the executive an idea of the order of magnitude of the risks and their potential impact, a combined probability/impact index should be developed. A simplistic example of how the index might be determined is set out below ( Table 2). The threshold for reporting risk events with an abnormally high index will also need to be agreed to by the Council. The premise in the example shown on the right is the executive should be engaged when the aggregate index is greater than 10 out of a possible score of 20. Before engaging the executive, the Council should develop risk-minimization strategies and present them when providing details of the risk event and its impact.
When developing risk-minimization strategies, special emphasis needs to be given to matters outside the control of the organization, e.g., impact of pending legislation. It is often executives who first become aware of these matters and alert line management of their impact. Risk events must be continually monitored in case the probability of the event occurring increases suddenly and without warning.
PREDICTABILITY AND COMPLEXITY OF RISKS
It is self-evident the more predictable the business outcome, the lower its risk and degree of complexity. The expected result is clear and the process is easy to administer. Conversely, the more complex the process and the unpredictability of the outcome, the higher the risk and the need to identify it early in the system’s life cycle to forestall an increase in problems.
In practice CIOs tend to concentrate on activities or situations they understand and over which they have a high degree of control. These activities tend to be on the left-hand side in the accompanying diagram ( Figure 3) and are usually part of the supply management role.
The more abstract areas, such as benefits realization, on the right in the diagram, are typically less developed and not well understood. They are also usually an aspect of the demand management role and difficult to implement because they are not everyday activities and often lack empirical data to measure.
Benefits realization should be the responsibility of the business managers with input from the CIO. They will need to work collaboratively to minimize the risks while maximizing the benefits. The other stakeholders, who can make an informed contribution, are typically in staff roles such as IT architects, auditors and strategic planning staff.
CIOs and business managers now have a window of opportunity in which to get the attention of their executives and engage them in macro risk-management activities. Before doing so, CIOs and line management must implement comprehensive and collaborative risk-assessment processes accompanied by guidelines for developing risk minimization strategies. If the processes and guidelines are sound and put into practice, the output should get unqualified acceptance at the executive level.
Based in Australia, Alan Hansell is a Director in Gartner’s Executive Programs Worldwide. For further information about Gartner or this article, contact Albert “Ally” Motz, Country Manager-Canada, at [email protected]