How to decide when a risk is worth taking
Risk management requires an understanding of where projects fit in the investment portfolio
Whole libraries have been written about managing risk on IT projects. Unfortunately, these tend to focus too much on the technology aspects of risk management and miss most of the big issues. We need to recognise that the benefits of risk management do not come from the technology itself; they come from how the technology enables people to do things differently. The focus of risk management must be benefits realised, not technology delivered.
Let me give you some examples from our recent research on business transformation projects.
The first involves an IT director who started at the organisation in question when it was due to sign a major contract. He had seen similar deals before and knew the quote was too high, so he called a halt to the deal. Despite being threatened with legal action by the supplier he stood firm and succeeded in renegotiating the contract. Result? A saving of £250,000 on software and £250,000 on consulting, out of an original tender of £2m.
In this case, a risk management approach focused solely on timetables and budgets would have resulted in the company wasting £500,000 and still declaring the project a success.
A second example involves another £500,000 saving, this time thanks to the initiative shown by a project manager. She spotted an overlap between two projects being initiated in different parts of the organisation. It was fortunate that she was able to follow this through and get one of them stopped.
Elsewhere, a director of IT strategy at a financial services firm told us that he had seen a number of great opportunities for innovative projects aimed at creating value for customers go begging because they didn’t get approval. He said the investment appraisal process was focused mainly on cost benefits, and as such it was easy to get projects approved if they had the potential to save money, but much harder to get approval for innovative, higher risk projects aligned to strategic objectives.
Any discussion of IT-related risk management needs to address these sorts of issues. Therefore, when we approach managing risk, we focus on the IT investment portfolio and not just individual projects.
The IT investment portfolio aligns projects with the strategy of the organisation. Each project should be scoped to fit in one of the following categories:
Strategic: investments in IT applications that are critical to sustaining future business strategy. Strategic investments are often confused with large and expensive projects; in fact, it should be about projects that contribute to strategy.
Key operational: investments in applications on which the organisation currently depends for success, such as supply chain or warehousing.
Support: investments in IT that is valuable but not critical to success. There may be dozens or hundreds of these systems and they often soak up far too much time and money.
High potential: investments in IT projects that may be important in achieving future success.
Once a portfolio view is established, with all projects allocated to one of the quadrants and a core set of information available on each project, it provides the basis for a much more strategic approach to risk management.
For example, key operational projects affect the core of the organisation; it is like changing the engine without stopping the car. So with these projects there has to be a strong focus on mitigating risks.
High-potential projects are very different. This is the place for innovation and taking risks, while limiting the potential damage by keeping the budgets and resources small. It also means recognising, and accepting, that some of these projects will fail.
The portfolio is an incredibly powerful and fairly straightforward element of the IT management toolkit. It is also an area where many organisations can quickly make improvements.
Colin Ashurst is a senior teaching fellow in MIS at Durham Business School