Very few companies have a fully integrated approach to managing their information technology and business risks together. The companies that do tend to manage and monitor their IT risks with a fragmented approach. A survey conducted by Arthur Andersen & Co. and The Economist Intelligence Unit found that more than two-thirds of the 150 chief executive officers, chief financial officers, and chief information officers admit that IT risks are not well understood in their companies. In fact, only one-third of the companies have methods to determine risk. A common problem cited was that few companies try to anticipate problems once systems are implemented. For example, security is a common threat to many electronic business systems; however, few companies can actually say what impact security problems and threats would have on their customers. As it turns out, crisis management is much more expensive and embarrassing than risk management.
SOURCE: Adapted from Thomas Hoffman, Risk Management Still a Wild Frontier, Computerworld, February 16, 1998. http://www.computerworld.com/news/1998/story/0,11280,29808,00.html

only the nature of project risks but also how those risks interact and impact other aspects of the project throughout the life of a project. The PMBOK defines project risk management as:
The systematic process of identifying, analyzing, and responding to project risk. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events. (127)
This PMBOK definition of risk management suggests that a systematic process is needed to effectively manage the risk of a project. In this section, an approach for risk management planning is introduced. It is illustrated in Figure 8.1.
The framework presented in Figure 8.1 outlines seven steps for managing IT project risk. Each of these steps will be discussed in more detail throughout the chapter.
Risk planning is the first step and begins with having a firm commitment to the entire risk management approach from all project stakeholders. This commitment ensures that adequate resources will be in place to properly plan for and manage the various risks of the IT project. These resources may include time, people, and technology. Stakeholders also must be committed to the process of identifying, analyzing, and responding to threats and opportunities. Too often plans are disregarded at the first sign of trouble, and instinctive reactions to situations can lead to perpetual crisis management. In addition to commitment, risk planning also focuses on preparation. It is important that resources, processes, and tools be in place to adequately plan the activities for project risk management. Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opportunities as they arise.
Once commitment has been obtained and preparations have been made, the next step entails identifying the various risks to the project. Both threats and opportunities must be identified. When identifying threats to a project, they must be identified clearly so that the true problem, not just a symptom, is addressed. Moreover, the causes and effects of each risk must be understood so that effective strategies and responses can be made. A framework for understanding the sources and nature of IT project risks will be introduced in the next section; however, it is important to keep in mind that project risks are rarely isolated. Risks tend to be interrelated and affect the project and its stakeholders differently.
Once the project risks have been identified and their causes and effects understood, the next step requires that we analyze these risks. Answers to two basic questions are required: What is the likelihood of a particular risk occurring? And, what is the impact on the project if it does occur? Risk assessment provides a basis for understanding how to deal with project risks. To answer the two questions, qualitative and quantitative approaches can be used. Several tools and techniques for each approach will be introduced later. Assessing these risks helps the project manager and other stakeholders prioritize and formulate responses to those risks that provide the greatest threat or opportunity to the project. Because there is a cost associated with responding to a particular risk, risk management must function within the constraints of the project's available resources.
The next step of the risk planning process is to determine how to deal with the various project risks. In addition to resource constraints, an appropriate strategy will be determined by the project stakeholders' perceptions of risk and their willingness to take on a particular risk. Essentially, a project risk strategy will focus on one of the following approaches:
• Accept or ignore the risk.
• Avoid the risk completely.
• Reduce the likelihood or impact of the risk (or both) if the risk occurs.
• Transfer the risk to someone else (e.g., insurance).
In addition, triggers or flags in the form of metrics should be identified to draw attention to a particular risk when it occurs. This system requires that each risk have an owner to monitor the risk and to ensure that resources are made available in order to respond to the risk appropriately. Once the risks, the risk triggers, and strategies or responses are documented, this document then becomes the risk response plan.
Once the salient project risks have been identified and appropriate responses formulated, the next step entails scanning the project environment so that both identified and unidentified threats and opportunities can be followed, much like a radar screen follows ships. Risk owners should monitor the various risk triggers so that well-informed decisions and appropriate actions can take place.
Risk monitoring and control provide a mechanism for scanning the project environment for risks, but the risk owner must commit resources and take action once a risk threat or opportunity is made known. This action normally follows the planned risk strategy.
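The analysis, response-planning, and monitoring steps above can be made concrete as a small risk register. The following is an added example, not part of the chapter or the PMBOK: it scores each risk by likelihood times impact (a qualitative 1 to 5 scale is assumed), ranks the risks so the greatest threats are handled first, records the chosen strategy, owner, and trigger metric for each, and then scans a set of reported metrics to find which triggers have fired and which risks currently have no metric being reported at all. The risks, owners, thresholds, and metric values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Strategy(Enum):
    """The four response approaches named in the chapter."""
    ACCEPT = "accept"
    AVOID = "avoid"
    REDUCE = "reduce"
    TRANSFER = "transfer"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int          # assumed qualitative scale: 1 (rare) .. 5 (almost certain)
    impact: int              # assumed qualitative scale: 1 (negligible) .. 5 (severe)
    owner: str               # the person who monitors the trigger and commits resources
    strategy: Strategy
    trigger_metric: str      # name of the metric that flags this risk
    trigger_threshold: float # trigger fires when metric >= threshold
    response: str            # the planned action once the trigger fires

    def __post_init__(self) -> None:
        # Reject scores outside the assumed 1..5 scale so a bad entry is caught at build time.
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: likelihood/impact must be 1..5, got {value}")

    @property
    def score(self) -> int:
        """Exposure score used to prioritize: likelihood x impact (max 25)."""
        return self.likelihood * self.impact


def build_register() -> list[Risk]:
    """Constructed sample risk response plan for an IT project (illustrative values only)."""
    return [
        Risk("Unpatched customer-facing web tier", 4, 5, "security lead", Strategy.REDUCE,
             "days_since_last_patch", 30, "open an emergency patch window and retest"),
        Risk("Key developer leaves mid-project", 2, 4, "project manager", Strategy.REDUCE,
             "open_critical_tasks_per_dev", 12, "cross-train a second developer on the module"),
        Risk("Hosting vendor outage", 3, 3, "infrastructure lead", Strategy.TRANSFER,
             "vendor_sla_breaches_this_quarter", 2, "invoke SLA credits and review failover contract"),
        Risk("Cosmetic UI defects at launch", 4, 1, "QA lead", Strategy.ACCEPT,
             "open_ui_defects", 50, "log for the next release; no schedule change"),
    ]


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest exposure first, so limited response resources go to the greatest threats."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def scan(register: list[Risk], metrics: dict[str, float]) -> tuple[list[tuple[str, str, str]], list[str]]:
    """Risk monitoring: compare reported metrics against each risk's trigger.

    Returns (fired, unmonitored): fired lists (risk name, owner, planned response) for
    every trigger at or above its threshold; unmonitored lists risks whose metric has
    not been reported, which is itself a gap the owner needs to know about.
    """
    fired: list[tuple[str, str, str]] = []
    unmonitored: list[str] = []
    for risk in register:
        if risk.trigger_metric not in metrics:
            unmonitored.append(risk.name)
            continue
        if metrics[risk.trigger_metric] >= risk.trigger_threshold:
            fired.append((risk.name, risk.owner, risk.response))
    return fired, unmonitored


# Constructed metric snapshot, as a monitoring tool might report it for one status cycle.
SAMPLE_METRICS = {
    "days_since_last_patch": 45,
    "open_critical_tasks_per_dev": 6,
    "vendor_sla_breaches_this_quarter": 2,
    "open_ui_defects": 12,
}


if __name__ == "__main__":
    register = build_register()
    for r in prioritize(register):
        print(f"{r.score:>2}  {r.strategy.value:<8} {r.owner:<20} {r.name}")
    fired, unmonitored = scan(register, SAMPLE_METRICS)
    for name, owner, response in fired:
        print(f"TRIGGERED: {name} -> notify {owner}: {response}")
    for name in unmonitored:
        print(f"NO METRIC REPORTED: {name}")
```

The scan deliberately separates a fired trigger from a missing metric: a risk whose owner is no longer receiving data is not the same as a risk that is quiet, and treating the two alike is how a trigger silently stops working.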
Responses to risks and the experience gained provide keys to learning. A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices. This evaluation should consider the entire risk management process from planning through evaluation. It should focus on the following questions:
• What lessons did we learn?
• What best practices can be incorporated in the risk management process?
The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management.