SIDEBAR: Riding Herd on Risk
When Nicholas Carr said "IT doesn't matter", his remarks may have been somewhat inflammatory, but his underlying message was not, says Robert Charette, director, Risk Management Intelligence Network, Cutter Consortium, and president of Itabhi Corporation. One of those underlying messages concerned the importance of ensuring the organization's operations are correct, which means managing your risks as well as managing your problems.
"If IT is so central to your business, then how can you not have risk management?" Charette says. "How can you not manage the operations? And so I think what's been missing from a lot of that debate is some of the things that he [Carr] is pointing out, such as that if IT is really important, then anything that goes wrong with that IT is going to affect the business.
"Furthermore, we have seen the increasing complexity of IT programs - IT shops are not being asked to do less complex things. If the applications you're building to get any type of strategic advantage are getting more and more complicated - and that's as an adjunct to normal IT operations - then you'd better be able to manage those risks extremely well."
Go to the leaders of many ERP projects and ask to see their risk assessments, and chances are that it will be - if they have done one at all - highly financially oriented, and will ignore issues of cultural change, business change and what the organization wants to get out of the project, he says. "So you have to take a look at finance. You have to take a look at strategy. You have to take a look at technology. You have to take a look at politics. You have to take a look at the competitive environment that you're in.
"All of these things, all these different factors, are things that are going to affect the success of what it is that you are undertaking. The larger the project, the more strategic it becomes, the more important that all these risks need to be identified and managed. There are lots of organizations who identify risks, but there are very few who actually manage them."
Many project leaders claim such issues are out of their control. Rubbish, Charette says. There are some things that are outside your control, but even the impact of those things can be managed, and there are other things that are much more open to your control than you think. The danger is that if you believe issues are beyond your control, you are less likely to ask yourself if they really are beyond control, or if you just do not really understand what is going on.
"There are certain constraints that are self-imposed," he says. "How many people have you interviewed, especially in IT failures, when you're sitting there listening, and you're saying: 'Well they're making excuses for what an organization could actually have changed'? You know, one of the biggest complaints of CEOs and CIOs is that people give them problems rather than risks."
If you do not seize control, the chances are the competition will "do you in", Charette says.
SIDEBAR: The Onus of Uncertainty
By Tom DeMarco and Timothy Lister
Corporate culture - whatever that means - poses serious challenges to the would-be risk manager. The most important of these is an attitude toward uncertainty, summed up as follows: It's OK to be wrong, but not OK to be uncertain. If that rule describes your company, you're sunk.
The rule says you may miss your promised delivery date, but in the months and days leading up to that date, you're not allowed to express any doubt that you will indeed deliver on time. Failure is tolerated as long as you don't commit the capital crime of admitting beforehand that you might fail.
This constraint may leave you prone to an infectious disorder called selective myopia. Projects that are stricken with this condition can see only small problems. Large problems may loom directly ahead - problems that would be in the centre of any healthy project's field of vision - but they go completely unseen.
People take elaborate care not to trip over the railroad ties, but nobody can see the oncoming train. Risks are identified, a risk list is published, risks are reported on status reports, and mitigation strategies are approved. Risks are monitored and tracked. If one only reviews the risk lists and records, it appears that the project is low-risk. All the risks enumerated are at the inconvenience or nuisance level. The risk-tracking proceeds without variance until the project is suddenly cancelled, often followed by a furious bone-picking of the corpse by litigation.
Fortunately, there's a vaccine. At the first go-round of risk identification, vaccinate everyone by naming all the catastrophic outcomes you can imagine. Ask for more catastrophes from the group. Speak the words failure, rejection and cancellation. See whether you can get others to speak them publicly as well. Now, work backward from your catastrophe list, asking for scenarios that could lead to each of the catastrophes. Take each scenario and try to describe the risk(s) that could bring it about. Now you have the beginnings of a risk list that might reflect future reality.
The essence of the technique is this: Attack your nightmares, not your petty worries; to discover the risks that really matter to your project, trace backward from effect to cause. Watch for oncoming trains.
Adapted from Waltzing With Bears, pp. 42-45, by permission of Dorset House Publishing Company. Copyright 2003 by Tom DeMarco and Timothy Lister.












