“The consequences of not managing risk have hit Americans square in the jaw.”--
Government Executive magazine, March 2009 Too often CIOs see themselves very literally as managing IT. What they need to do is manage risk along with all of the other key leadership issues such as innovation, information-sharing, collaboration, and so on.
Context
The IT environment today is part of a larger social, political, and economic context that is more fraught with risk than ever. The mortgage meltdown, the financial crisis, job losses, volatility in commodity prices (e.g. oil), and so much more—it seems like it will never end. I would add that recently we had birds collide with an airline in NY, satellites that collided in space, and submarines that collided from France and the U.K. Oh, let’s not forget Russia’s invasion of Georgia and the terrorist attacks in India in November that killed at least 173 and wounded 308 and the Asian Tsunami in 2004 that killed over 225,000 people from 11 countries.
This is scary beyond belief!
Is G-d punishing us, teaching us, ignoring us?
Expectations
Whatever is going on, people are crying out for help--they are praying, and they are also turning to their government for “recovery” (as in the Recovery Act), “bailout” (as in taxpayer bailout), “relief” (as in the Troubled Asset Relief Program). The CIO is operating in an environment in which risk management is increasingly something that the average citizen expects from their leaders (and IT is not immune):
--“Citizens are increasingly calling on government to prevent bad things from happening and to ride in to help when they do.” (Donald Kettl).
--“American want life to be less risky…[and so] without realizing it, federal officials are risk managers at their core.”
--“The public, not only demands that the government manage the consequences of risk, but that it deals with problems before they turn into catastrophes. Merely reacting to risk is eroding the people’s trust in government.”
Challenges
While risk management is clearly a critical need, it is also more difficult than ever, for the following reasons:
--Pace and impact—“the problem now is the rapid pace of the challenges—that whatever it is that happens punishes and punishes instantly.”
--Scope—“’we obviously don’t want to get to a state where the government is running everything.’ But with no clear definition of the limit, the number of public risks the government should manage appears endless.”
In my opinion, cost is a huge factor as well. Just the financial crisis so far has cost us trillions of dollars and added to our debt probably for generations to come, and at a time when we are already on the brink with unfunded social security and Medicare liabilities for the baby boomers that are quickly nearing retirement and is feared will overwhelm the system. How much more financial burden can the system take before there are dire consequences?
Framework
There are no easy answers to these trying times or to how we manage the incredible risk that we seem to face virtually every day. However, there are three common approaches to risk management set forth by Moss:
--Reduce it (or eliminate it, if possible)
--Spread it
--Shift it
We often reduce risk, by having a backup plan (such as in IT having backup and recovery), and we mitigate risk by spreading or shifting it (such as through insurance policies or government social programs, and so forth).
6 Tools for CIOs
These lessons in risk management are critical to professionals in information technology, a field that is always in rapid transition with changing products, skill sets, and practices and where the scope of IT impacts almost everything we do (from online finance, health IT, e-commerce, robotics, and more). And where the price of keeping up with Jones in technology is does not come cheap to any organization these days.
In IT, where more than half of projects are over budget or behind schedule and many end up cancelled all together, we need to manage project risk. Here is a suggested toolkit for CIOs to do so:
--First, we need an architecture plan to ensure that we are aligning to business requirements and complying with technical requirements. This helps reduce the risk that we are doing IT the “wrong” way.
--Second we need to have sound IT governance to manage the selection of our investments, the control of cost, schedule, and performance, and the evaluation for lessons for the future. This helps reduce and spread the risk that we are doing the “wrong” IT investments.
--Third, we need solid project management to guide projects from initiation through close out in a defined, repeatable, and measureable way. This helps reduce the risk that we doing projects the “wrong” way.
--Fourth, we need robust IT security that protects our data from manipulation, interception, interjection, or other malice. This helps reduce and spread the risk of our IT working “wrong”.
--Fifth, we need adept customer relationship management so that we are fully engaged with our customers in building solutions that meet their needs and solves their business problems. This helps spread and shift the risk that we are managing our IT customers the “wrong” way.
--And sixth, and not least, we need to focus on our human capital to ensure they have the leadership, motivation, tools, and training to perform at their peak. This helps reduce and spread the risk of human error.
Together, these six CIO tools are the keys to the kingdom when it comes to managing IT risk and we can never take risk management for granted.
6 CIO Tools for Managing IT Risk
