Starting Point

With 25 years experience in a wide variety of software, systems and management positions, Charette is an internationally acknowledged authority and pioneer in IT management and engineering, business and technical risk management, and the lean development and management of large-scale software-intensive systems. He serves as a senior adviser to a wide variety of Global 100 companies, high-tech consortiums and government departments. He is on the advisory board of the Project Management Institute's special interest group on risk management and is the author of more than 40 articles on software, systems and management. He also wrote The Foundations Series on Risk Management, a three-volume set of CD training tools.

Charette's company, Itabhi Corporation, provides information and telecommunications systems management consulting and conducts high-value risk management. Most recently he helped the UK government develop their risk management programs.

Companies such as Rockwell Collins have applied formal risk management on hundreds of their projects, yielding significant and measurable returns of investment for the effort. The US government has also mandated its use on most information technology projects. That said, recent surveys by the Project Management Institute also show that risk management continues to be the least used of all project management disciplines.

Charette says perhaps less than 3 percent of organizations worldwide are effectively applying aggressive enterprise risk management practices. Most of the enterprise risk management work and focus has revolved around the issue of governance or ways to make money from risk management practices, he says. Organizations have tended to take what he considers a "top down kind of governance [and] financially-oriented approach". Enterprise risk management, he believes, is that plus much more: taking in program and project management and their integration.

"There are very, very few companies where you can actually go and track risks from project and program level all the way up and then have those connected to the business strategy," he says.

3D Models

An effective three-dimensional risk management strategy starts with the understanding that risk management is designed to help you to make decisions, Charette says. But it also recognizes that risk is prevalent in everything you do. If you have a choice, then you have a risk. That is just a "fact of nature".

"I think from a three-dimensional standpoint, [aggressive risk management] is trying to integrate all the various views of risk that may affect your project. Now you want to be careful of not getting to the point where you get paralysis by analysis; but you have to be aware of what's going on," he says.

There are private methodologies that can help the organization achieve this awareness: Charette's own company has one, although he is not about selling that. He also recommends organizations pay heed to the COSO Treadway Model of Enterprise Risk Management (www.coso.org/publications.htm). Its limitations are that it fails to give any guidance of how it might be implemented in "real space", Charette says, and that, having come out of the governance area, it began as a top down, command and control type of approach.

"A lot of the enterprise risk management requires behavioural changes within the organization, so if you try to impose it from just the top down kind of command and control framework approach, which is driven by audit committees and "thou shalt do this", that's not likely to really change the behaviours that you need to get the working level people to buy into it," he says

The UK government began creating frameworks for risk management with Charette's help in 1993, and has some data available, but he says their comprehensive frameworks are fairly high level and theoretically based. If you really want to see an example of aggressive enterprise risk management in practice, he says, you should take a look at the work he has been doing with Iowa-based Rockwell Collins, recognized as a world-class provider of aviation and information technology for government, the world's aircraft manufacturers and more than 400 airline customers.

Named this past year as one of the Forbes best managed companies in the aerospace industry, Rockwell Collins is, Charette says, among the world's leading practitioners of enterprise risk management. "For instance, they brought in an ERP system - SAP - and probably have had amongst the fewest problems for an implementation that you would find," he says. "They don't go bragging about all this stuff, because for them it's just what they do, but if you talk to the CIO, he'll tell you that if it wasn't for risk management, they wouldn't have succeeded as well as they have."