In these fast-paced times, risk is a constant factor in business technology. Computing and software systems have become so complex and interconnected that errors are more likely to occur and harder to solve. This can cause downtime to the business, resulting in heavy financial losses, not only from lost business but also from loss of reputation.
And the source of IT risk is not necessarily what you’d assume. According to a 2016 Ponemon study on data centre outages, failing IT equipment accounted for only 4 per cent of outages. The biggest outage sources were power related, with 25% of unplanned outages stemming from a dodgy power supply, followed closely by denial-of-service attacks (22%) and accidental or human error (22%).
So what can we do to protect ourselves from these risks? First you need to identify and quantify them. How likely is that particular risk? What would the damage be to the company if it happened? Can we make the risk less likely to occur? Are there actions we can take now to reduce the impact of the risk if it does occur?
Time and money spent on a quantitative, analytical approach to risk can help us to absorb risk and carry on.
The Register is a British online tech publication with more than nine million monthly unique browsers worldwide. Read their full article on Risk and IT here: Risky business: You’d better have a plan for tech to go wrong
Based on experience, it seems that the majority of companies in developing countries who are implementing risk management do not get the added value that they expect. This is often because they are attempting to import risk management from a different cultural setting, from developed to developing parts of the world.
In many cases, it makes sense to begin by bringing in a system from a developed country, rather than starting from the beginning to build something new. But how can organisations in developing countries avoid the threats that come with importing a risk management approach from elsewhere? These steps will help:
Projects hit the same risks over and over again:
- The requirements may not be adequately defined, causing re-work;
- The team members may not collaborate adequately, causing delays and cost overruns; and/or
- The client may prove mercurial, causing delays, cost overruns and re-work.
As you look at those three risks, you probably have a reasonably high confidence level that they’ve happened on your own projects. They’re common. They’re pedestrian. They happen on virtually every project. People are human and change their minds. Requirements are generally difficult to define. And yet, we still act surprised when these three things arise on our own projects.
Assuming you are immune to common risks is like assuming you are immune to the common cold. It’s a lovely thought, but…
It is clearly important for us to understand the nature of a risk properly if we are to manage it effectively. Many people only consider a limited number of risk characteristics, leading to a limited ability to manage risk. Effective risk management requires a deeper understanding.
One way to improve understanding is to explore the “anatomy of risk”. Anatomy can be defined as “separating or dividing into parts for detailed examination.” If we separate and divide risk into its constituent parts, we find seven elements. Four of these relate to the nature of the risk itself, and three are connected to people.
Have you ever been asked “How risky is your project?” Most project managers find it hard to answer this question. Your Risk Register lists all the risks you’ve identified, and these are prioritised for attention and action, with responses and owners allocated to each risk. But how can a list of risks answer the “How risky” question? We need a different concept to describe the overall risk exposure of a project, which is different from the individual risks that need to be managed.
The Project Management Institute (PMI®) has addressed this in the Practice Standard for Project Risk Management, which has two distinct definitions of risk. The first is individual risk which is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” It also defines overall project risk as “the effect of uncertainty on the project as a whole.” The UK Association for Project Management (APM) also has two similar definitions of risk in its Body of Knowledge.
The term Enterprise Risk Management (ERM) describes a comprehensive and integrated framework for managing risk at all levels within an organisation. Four organisational characteristics are required if ERM is to work properly:
Defined objectives at all levels. Risk is defined in terms of objectives and without clearly defined objectives it is not possible to identify or manage risk. Objectives exist at various levels in an organisation, forming a hierarchical structure. ERM requires these objectives to be clear (everyone knows and agrees what they are), aligned (all objectives contribute to the overall goal) and coherent (fitting together as a set, both top-down and bottom-up).
There is currently a hot debate about what the term “risk” really means, and whether it is always and only about negative things. The traditional position is to define risk as “an uncertainty that could have an adverse effect leading to loss, harm or damage”. This has influenced the scope of the risk management process, which aims to avoid or minimise potential problems by acting proactively. Indeed traditional risk management has been very successful in this aim, and it is now seen as a major contributor towards achieving project and business objectives.
However, using the risk process to deal only with the downside of uncertainty is an inevitable one-way street. If the process identifies only threats that could have an adverse effect, then responses designed to address these threats can only at best bring the project or business back on target. It is much more likely that recovery of any deviation will be partial at best, leaving a shortfall in performance.
Where is the physical universe heading? While there is no doubt that the universe is currently expanding, scientists disagree about what might happen next. Will our universe continue to expand indefinitely, or will it reach a maximum and then collapse, or will it cycle between expansion and collapse?
The universe of risk management has the same three possibilities:
Sustainability has become increasingly important to organisations across the world in recent years, as both a business objective and a necessary constraint. But what does it mean? And how should it be included in the risk process?
The word sustainability has changed its meaning significantly over time in the business world. At first it only referred to impact on the environment. Then in 1995 John Elkington from British consultancy SustainAbility introduced the idea of the “triple bottom line” of “Profit/People/Planet”, suggesting that an organisation needs to be sustainable financially, socially and environmentally. More recently, work on sustainability in 2007 by the Forum for the Future expanded this further, identifying five areas that contribute to the production of value by an organisation, and which need to be managed sustainably. They call these The Five Capitals of Sustainability.* They are:
Edward de Bono is famous for promoting creative thinking, and he has written many books to explain his radical ideas. Perhaps his best-known technique is the Six Thinking Hats®, encouraging people to adopt a range of different perspectives when thinking about an issue. Indeed the Six Thinking Hats can be very helpful in risk identification.
One of de Bono’s other thinking tools is the Six Value Medals™. These describe different types of value which are important to people and organisations, and against which we can perform a “value scan” when making decisions or determining courses of action. The Six Value Medals have many potential uses, as we seek to create and protect value. But they may also help us to think about risk in a new way.