Chief information officers (CIOs) face daunting challenges in establishing the technological direction of their organizations, managing the IT portfolio, and leading the efforts to transform the business. Increasingly, CIOs are responsible not only for operational success but also for financial accountability. Given the breadth and importance of their roles, CIOs can significantly benefit from increased visibility into enterprise risks and from new strategies to mitigate those risks.
The Project Management Body of Knowledge defines project risk as "an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective." Within the context of a project, personnel typically evaluate these risks on the severity of their impact to project objectives. However, CIOs require a broader view of project risks and their interdependencies since the cumulative impact of IT project risks can often equate to enterprise risk. Faced with this challenge, CIOs have an increased need for Enterprise Risk Management (ERM).
ERM is the systematic process of identifying, analyzing, and responding to risks to the IT portfolio. The process considers enterprise risk in six categories:
- Project—Factors that have an impact on project scope, schedule, cost, and quality
- Resource—Misalignment of staffing levels, competencies, and experience of human resources
- Organizational/change management—Organizational resistance to change or standardization; lack of user buy-in, acceptance to policies and procedures, or training
- Business—Conflicts in investment priorities or business functions; acquisition risks; lack of operational continuity
- Strategic—Misalignment of business strategy; unrealized planned business benefits
- External (e.g., technology, political, legal, market)—Technology immaturity or lack of interoperability; political barriers; legal constraints; or adverse market conditions
To effectively manage enterprise risks, CIOs typically establish organizational policies, define risk tolerance levels, and determine a baseline risk management plan. These activities define an organization's risk management program and provide a formal mechanism to communicate risk management practices across the organization. Depending on the financial size of an organization's IT portfolio and its project management maturity level, CIOs can implement a broad range of software solutions to manage enterprise risks.
Enterprise portfolio management (EPM) tools provide CIOs with real-time visibility of prioritized risks and enable them to view detailed information on any specific risk event. Additionally, EPM software establishes a collaborative environment in which project teams can identify, monitor, and respond to risks continually throughout the project lifecycle. With these tools, CIOs can focus on risks that have the potential for the most severe impact on the IT portfolio and resulting business benefits.
At Booz Allen Hamilton, our IT organization employs commercial off-the-shelf software to manage projects from business case development through service management. The enterprise-class EPM solution, driven by the firm's proprietary project management methods, minimizes enterprise risks through process compliance and project controls (such as stage gates and formal acceptance). Additionally, the EPM solution provides stakeholders with transparency to a project's health and executive leadership with IT portfolio performance based on predefined scorecard metrics.
Along with automating risk management, it is critical for CIOs to define and communicate a change management plan that addresses risks introduced by change—whether in project scope, resources, technologies, or business strategies—to the IT portfolio. An effective change management plan defines both the process to manage project change requests and the formal mechanism—such as a change control board—for reviewing and approving those changes. The CIO's role in this process is to monitor the effectiveness of the change controls—helping to ensure alignment with current risk tolerance levels.
In today's competitive and fluid business environment, CIOs can no longer rely solely on internal risk management processes, plans, and software solutions. The rate of change and the injection of disruptive business models require organizations to employ risk management strategies that actively manage external risks, especially since external risks have an increasingly greater probability of occurrence and impact on project objectives, and they are often more difficult to mitigate once realized.
For example, the patent litigation case between Research In Motion (RIM), maker of the BlackBerry, and NTP, a small patent holding company, created the potential for cessation of BlackBerry service in the United States in early 2006. This external risk event had an initial profile of low probability and high impact. But the profile changed dramatically when a U.S. district court judge ordered that service and sales of BlackBerry devices be halted within the U.S. In response, many organizations had to realign IT resources to develop mitigation strategies, resulting in increased costs and decreased value to the IT portfolio. While this risk had a negative effect on organizations that relied on the BlackBerry solution, it created opportunity for RIM's competitors. This patent litigation case highlights the importance of proactively managing external risks and demonstrates how risks can have both negative and positive outcomes.
Globalization is another significant driver of external risks. In 1995, the European Union adopted the binding Data Protection Directive (Directive 95/46/EC) on the protection of individuals with regard to the processing of personal data. The directive required that by 1998, all European Union member states transpose it into national law and provide individuals with privacy rights over their personal data. During the same period, many U.S.-based Web development companies rushed to market with e-commerce solutions that relied on cookies to track users and collect personal data. While these software applications complied with U.S. privacy laws, they failed to meet the EU's more stringent requirements. As a result, U.S. companies realized the negative effects, both political and legal, of external risks and were required to reengineer their solutions at additional cost.
Given the increasing frequency and severity of enterprise risks, the trend is for CIOs to draw upon multiple information channels when evaluating risks. Relevant new media sources include RSS news feeds, blogs, and structured queries against external data services. When these external sources are analyzed in conjunction with internal data sources, such as enterprise portfolio management software and scorecard reports, CIOs can achieve maximum value from the IT portfolio by proactively monitoring and managing risks.
Bio: Bryan Padgett, an associate with Booz Allen Hamilton, brings more than 13 years' experience in managing enterprise IT solutions from business case development through implementation. His primary focus at Booz Allen is helping clients implement enterprise wireless and mobility solutions that transform business operations. Padgett possesses functional expertise in the areas of IT project management, workforce automation, and collaborative technologies. He has led multiple engagements for commercial and government clients in the United States, Canada, Europe, and Latin America.