This creates a challenge for business and technology executives in that while the former type of risk is somewhat more recurring, predictable and perhaps controllable and, therefore, the business case for investment in risk management is often easier to justify, the latter type of risk is unanticipated and episodic, and the typical firm questions the outlay of resources to protect against such rare occurrences. Yet, the consequences of not doing adequate business continuity planning can be potentially disastrous.
The outcomes of inadequate risk management span the gamut from financial losses, which can potentially be overcome, to a loss of customer goodwill that may well threaten the long-term viability and survival of a firm. Today, with an increasingly unforgiving regulatory environment and legislation such as the Sarbanes-Oxley Act that requires business technology systems to function without error, executives need to be concerned about risk management more than ever before.
The past three decades of business computing have contributed much to our understanding of risk in the technology context. Unfortunately, a dominant focus of this work has been on controlling and managing projects, rather than on the broader risks that executives face in firms where technology is deeply and fundamentally embedded within the business. Indeed, the turn of the century ushered in significant changes in the business-technology milieu that creates a compelling need to expand the focus of risk management from the micro project view to a broader enterprise perspective.
These changes include an increasing emphasis on:
In this environment where business technology is pervasive, what is the nature of risk? Based on where they originate, risks are classified into three broad categories: systems, sourcing and strategy. Some risks are predominantly intra-enterprise in nature, such as systems and strategy, while others, notably sourcing, reflect the challenges that arise in inter-organizational settings. Note that although these categories are somewhat overlapping and not mutually exclusive, they nonetheless provide a conceptually simple framework that can be populated through conversations and interactions among executives from both technology and business.
Risks originating from systems are typically intra-organizational, although in some instances when external partners are used for system development and integration, they may be inter-organizational in nature. The risks emanate from all aspects of systems deployment, including project planning and control; human capital and staffing; inadequate user requirements; changes in technology; the complexity, scope, and structure of systems; and inadequate support from senior management.
When these risks are not managed, the firm leaves itself open to dissatisfied users and failed implementations, cost and budget overruns, and the inability to achieve the strategic objectives. In addition to these immediate negative consequences, a longer-term undesirable outcome of inadequate attention to systems risks is an increasing lack of credibility for the IT function and growing distrust between IT staff and users.
Sourcing risks, which are inter-organizational in nature, are inherent in the partnerships and relationships that firms develop with outsourcers and span the gamut from deciding what to outsource, to selecting the right partner, to crafting and negotiating the right contract. Further, as the vendor marketplace matures in offshore locations that offer relative cost advantages, senior executives have the additional option of using partners that are not located within the same country. Although the value proposition of offshoring can be quite compelling, managing offshore relationships escalates the level of sourcing risk.
Finally, risks and threats emanating from strategy represent the dangers a firm faces when its management of business technology is poorly executed. Such systemic risks are manifest, for example, when business technology strategy is developed without the involvement of key business stakeholders; when project portfolios are constructed with a short-term orientation with little or no consideration of strategic goals and priorities; and when sourcing decisions are made in a vacuum without sufficient understanding of the hazards of a lean in-house capability.
The net negative result of not managing strategy risks is twofold. One, the firm is unable to extract the maximum value from its IT assets and business technology capabilities, and over time the ability of the firm to deploy business technology effectively declines. Two, there is a potential for business sub-optimization due to either insufficient or inappropriate investment in business technology management.
Although technology investments can be strategic and rational, very often they succumb to normal human tendencies. Many companies go from one extreme to the other. When things are good, the CIO promotes the idea of technology being a strategic enabler. When the business is in a downturn, the CIO is back to running technology as a cost center and trying to outsource as much as possible. Two years down the road, these organizations realize they've lost many capabilities and need to regroup.
In todays economy, the days of reward outweighing risk are a thing of the past.
Faisal Hoque is an internationally known entrepreneur and author, and the founder and CEO of BTM Corporation. His previous books include Sustained Innovation and Winning The 3-Legged Race. BTM innovates business models and enhances financial performance by converging business and technology with its products and intellectual property.