Baselinemag - IT Management – Strategy Execution

Strategy Execution for Risk Management
By Faisal Hoque

Risk management and IT continuity are complex and critical disciplines.
No investments can be effective in the long term without consideration of risk. The consequences of not
doing adequate business continuity planning can be potentially disastrous.
The outcomes of inadequate risk management span the gamut from financial losses to a loss of customer
goodwill that may well threaten the long-term viability and survival of a firm. Today, with an increasingly
unforgiving regulatory environment and legislation such as Sarbanes-Oxley that requires business
technology systems to function without error, executives need to be concerned about risk management
more than ever before.
Business risks can be internal to the firm, such as rolling out an inadequately tested system, or
environmental, in the form of an unanticipated natural disaster. This two-sided model creates a challenge
for business and technology executives. The former type of risk is somewhat more recurring, predictable
and perhaps controllable, and, therefore, the business case for investment in risk management is often
easier to justify. Meanwhile, the latter type of risk is unanticipated and episodic, and the typical firm
questions the outlay of resources to protect against such rare occurrences.
At its essence, risk management involves three steps:
(1) Identifying the nature of risks inherent in the situation
(2) Assessing the likelihood of the risks manifesting themselves
(3) Taking preventive and corrective action to reduce the firm’s level of exposure to the risk.
The past three decades of business computing have contributed much to our understanding of risk in the
technology context. Unfortunately, a dominant focus in this prior work has been narrow – on controlling
and managing projects, rather than on the broader risks that executives face in firms where technology is
deeply and fundamentally embedded within the business. Indeed, the turn of the century has heralded
significant changes in the business technology milieu that have created a compelling need to expand the
focus of risk management from the micro project view to a broader enterprise perspective.


The EPMO should document the inventory of risks, their assessment and mitigation plans in a database. If,
after analyzing program risk, the overall program risk level is deemed to be higher than originally
documented in the cost/benefit plan (i.e., the business case), then the business case should be updated to
reflect the adjustment in the range of costs and/or benefits or a lower confidence measure. It is
important that the EPMO collaborate with an Enterprise Risk Management (ERM) Group to ensure that
the business impacts of project-related risks are well understood, and that a periodic evaluation can be
made concerning the impact of other enterprise risks on the project.

Risks in Context

In an interview with the BTM Institute, Toby Redshaw, the CIO of insurance giant Aviva Group, explained
that he reduces risk by seeing to it that activity at the project level is guided by the strategic needs of the
enterprise:
“Before we go to the next program or the next phase, we take a very serious look at the business. Did this
deliver the benefits we said it would? What is the benefit realization picture of this? We have to get better
at that here. I've seen many IT shops where this is non-existent, but that's the game. We're here to do things
for the business and to deliver certain business.
That sort of dialog and that sort of hard stare at ourselves will help us to become better and better at that.
If technology’s real job is to have an impact on the profit and loss statement, then we need to have good
discipline around portfolio demand management. Benefits realization is very important to us.
From a technology perspective, we look at both internal customer satisfaction and external customer
satisfaction. One of the biggest gaps that technology has is the connection back to the profit and loss
statement. We often ask our front-line IT leaders who work on key projects to tell me or the other divisional
CIOs how that project relates back to the profit and loss statement. How does that project affect earnings
per share? What is the linkage in what they're doing to the overall business value?”
Risks and threats emanating from strategy represent the dangers a firm faces when its management of
business technology

