Baselinemag - IT Management – Strategy Execution 1 Strategy Execution for Risk Management By Faisal Hoque Risk management and IT continuity are complex and critical disciplines. No investments can be effective in the long term without consideration of risk. The consequences of not doing adequate business continuity planning can be potentially disastrous. The outcomes of inadequate risk management span the gamut from financial losses to a loss of customer goodwill that may well threaten the long-term viability and survival of a firm. Today, with an increasingly unforgiving regulatory environment and legislation such as Sarbanes-Oxley that requires business technology systems to function without error, executives need to be concerned about risk management more than ever before. Business risks can be both internal to the firm, such as rolling out an inadequately tested system, as well as environmental, in the form of an unanticipated natural disaster. This two-sided model creates a challenge for business and technology executives. The former type of risk is somewhat more recurring, predictable and perhaps controllable, and, therefore, the business case for investment in risk management is often easier to justify. Meanwhile, the latter type of risk is unanticipated and episodic, and the typical firm questions the outlay of resources to protect against such rare occurrences. At its essence, risk management involves three steps: (1) Identifying the nature of risks inherent in the situation (2) Assessing the likelihood of the risks manifesting themselves (3) Taking preventive and corrective action to reduce the firm’s level of exposure to the risk. The past three decades of business computing have contributed much to our understanding of risk in the technology context. Unfortunately, a dominant focus in this prior work has been narrow – on controlling and managing projects, rather than on the broader risks that executives face in firms where technology is deeply and fundamentally embedded within the business. Indeed, the turn of the century has heralded significant changes in the business technology milieu that have created a compelling need to expand the focus of risk management from the micro project view to a broader enterprise perspective. These changes include an increasing emphasis on: (1) “Buying” and customizing packaged solutions rather than building systems in-house, i.e., on solutions integration rather than software development (2) Partnering with a wide array of providers to acquire needed technical competencies and skills, including taking advantage of off-shore resources (3) Using business technology for systems that span organizational boundaries and help link customers, through electronic commerce and CRM systems, suppliers, through fully integrated electronic supply chains, and other business partners together (4) Deploying business technology as the platform upon which the entire business is run. The Faces of Risk In this environment where business technology is pervasive, what is the nature of risk? Risks are classified into three broad categories: systems, sourcing and strategy, based on where they originate. Some risks are predominantly intra-enterprise in nature, such as systems and strategy, while others, notably sourcing, reflect the challenges that arise in inter-organizational settings. Note that although these categories are somewhat overlapping and not mutually exclusive, they nonetheless provide a conceptually simple framework that can be populated through conversations and interactions among executives from both technology and business. Effectively managing project risk requires that a structured process and organizational responsibilities be implemented at both the project and program levels. A formal risk management plan should be developed to clarify risk management roles and responsibilities; risk management processes, procedures, standards, training and tools; the method and frequency of risk progress reporting; and what should be monitored to determine if risks are occurring. A project should attempt to manage only the risks it can handle. Other risks should be elevated to the program level. Determination of whether to elevate should be made based on examination of whether the mitigation action steps are within the control of the project team. Managing risk at a program level involves a review of project risks and program risks by an Enterprise Program Management Office (EPMO). The EPMO should analyze project risk across the entire program to see if the same risk occurs in different projects and requires concerted action. Baselinemag - IT Management – Strategy Execution 2 The EPMO should document the inventory of risks, their assessment and mitigation plans in a database. If after analyzing program risk the overall program risk level is deemed to be higher than originally documented in the cost/benefit plan (i.e., the business case), then the business case should be updated-- reflecting the adjustment in the range of costs and/or benefits or a lower confidence measure. It is important that the EPMO collaborate with an Enterprise Risk Management (ERM) Group to ensure that the business impacts of project-related risks are well understood, and that a periodic evaluation can be made concerning the impact of other enterprise risks on the project. Risks in Context In an Interview with the BTM Institute, Toby Redshaw, the CIO of insurance giant, Aviva Group, explained that he reduces risk by seeing to it that activity at the project level is guided by the strategic needs of the enterprise: “Before we go to the next program or the next phase, we take a very serious look at the business. Did this deliver the benefits we said it would? What is the benefit realization picture of this? We have to get better at that here. I've seen many IT shops where this is non-existent, but that's the game. We've here to do things for the business and to deliver certain business. That sort of dialog and that sort of hard stare at ourselves will help us to become better and better at that. If technology’s real job is to have an impact on the profit and loss statement, then we need to have good discipline around portfolio demand management. Benefits realization is very important to us. From a technology perspective, we look at both internal customer satisfaction and external customer satisfaction. One of the biggest gaps that technology has is the connection back to the profit and loss statement. We often ask our front-line IT leaders who work on key projects to tell me or the other divisional CIOs how that project relates back to the profit and loss statement. How does that project affect earnings per share? What is the linkage in what they're doing to the overall business value?” Risks and threats emanating from strategy represent the dangers a firm faces when its management of business technology is poorly executed. Such systemic risks are manifest, for example, when business technology strategy is developed without the involvement of key business stakeholders, when project portfolios are constructed with a short-term orientation and with little or no consideration of strategic goals and priorities, and when sourcing decisions are made in a vacuum without sufficient understanding of the hazards of a lean in-house capability. The net negative result of not managing strategy risks is twofold. One, the firm is unable to extract the maximum value from its technology assets and business technology capabilities; over time the ability of the firm to deploy business technology effectively declines. Two, there is a potential for business sub- optimization due to either insufficient or inappropriate investment in business technology management. Although technology investments can be strategic and rational, very often they succumb to normal human tendencies. Many companies go from one extreme to the other. When things are good, the CIO promotes the idea of technology being a strategic enabler. When the business is in a downturn, the CIO is back to running technology as a cost center and trying to outsource as much as possible. Two years down the road, these organizations realize they've lost many capabilities and need to regroup. In today’s economy, the days of reward outweighing risk are a thing of the past. . Baselinemag - IT Management – Strategy Execution 1 Strategy Execution for Risk Management By Faisal Hoque Risk management and IT continuity. controllable, and, therefore, the business case for investment in risk management is often easier to justify. Meanwhile, the latter type of risk is unanticipated