Understanding IT Risks

Most IT risk comes from the enterprise's failure to properly oversee or govern its projects, not from technical or low-level people issues. Hani Elbeyali of Dell writes on how to further your understanding of IT risks, leading to better management of potential issues.

Hani Elbeyali is a technology strategist for Dell. He has 19 years of IT experience and is the author of the Business Demand Design methodology, which details how to align your business strategy with your IT strategy. His previous post was Demonstrating IT Value, Illustrated.


Businesses are always trying to minimize risk to the enterprise, but smart leaders realize that profits are sometimes the reward earned for taking educated risks. Once a manager understands that risks and rewards (or benefits) are positively correlated, the next step may be to expect that the higher the well-calculated risk, the higher the expected return is going to be. This concept applies to the IT organization because it is part of the overall process of any enterprise's need to "get things done."

What is IT Risk?

Risk, according to financial theory, refers to the unpredictability of outcome. "While financial measures of risk, such as volatility and standard deviation, measure the upside and downside of deviations from the expectations, only downside variability is the true measure of risk," states Mukul Pareek in his article in the "Information System Control Journal." What we infer from this statement is that risk is represented only by the downside of the expected return, not the upside. IT risk, or the downside, is likewise represented by the measurement of the potential for an unplanned event, internal or external, resulting in a failure or misuse of IT that threatens an enterprise objective; and it is no longer confined to a company's IT department.

What are Risk Types?

Planning for risks can be a huge undertaking. Because the number of risk permutations is beyond the scope of one article, I wanted to give an illustration of an Enterprise Resource Planning (ERP) risk failure, and the volatility of enterprise risk from taking on such a project. ERP potential risks can be measured in two stages: during implementation and post deployment.

During Implementation: Internal factors

Risks:

  • Delay due to the rise of an internal event, which could be beyond the control of IT; examples: business priorities change, dependencies out of line, budget constraints, and unexpected cost overrun
  • Siloed IT focus due to aligning IT to serve a specific line of business
  • Lack of alignment between business strategy and IT strategy
  • Not enough time, money, and effort spent on assessment, planning, and design
  • No executive sponsorship
  • Lack of a process to implement enterprise governance

Results:

  • Significant harm to the organization's stakeholders and stockholders. This could result in financial loss from which the organization may be able to recover.

Example:

  • In December 2003, the United Kingdom’s Inland Revenue put a new system for managing tax credits into production. Pre-production testing had been limited to four weeks rather than the planned 20 weeks because the project was behind schedule. It is estimated that over £2 billion in erroneous tax credits were paid out by the system before errors were recognized and corrective measures taken.

Post Deployment: Internal and External factors

Risks:

  • Ineffective implementation of enterprise governance; this is especially important in today's times of rapid strategic business change
  • Loss of service due to broken process flow or vendor service failure
  • Data leakage, theft, or misuse of information
  • Complex and uncontrolled IT environment; this manifests as complex asset inventories, many overlapping IT management tools, poor documentation, and lack of a unified change management procedure

Results:

  • The risk exposes bad enterprise management to customers, and ineffective implementation of compliance and governance, not only in IT but throughout the entire organization
  • Significant harm to the organization's stakeholders and stockholders. This could result in financial loss from which the organization may be able to recover, but with negative Net Present Value (NPV) and Return on Investment (RoI)
  • Damage to the reputation of the organization, from which, over time, the organization may never be able to recover

Example:

  • In 1996, a failed implementation of SAP's enterprise resource planning software at FoxMeyer, a $4 billion pharmaceutical distributor, allegedly led to the company's bankruptcy. The company's trustees filed suit against SAP (the software vendor) and Accenture (the systems integrator for the project), asking for $500 million in damages from each. The case was settled out of court in 2005.[1]

What are the Sources of Risks?

According to a Harvard and Gartner "IT risk" research report, "Most IT risks arise not from technical or low-level people issues but from the failure of the enterprise's oversight and governance processes for IT. Such failures produce a series of poor decisions and badly structured IT assets that are manifested as ineffective IT governance, uncontrolled complexity, and inattention to risk. Many of the risk factors are symptoms of a common condition, ineffective implementation of IT governance."

Risk and Return Relationship

Figure 1. Risk and return curves.

Everyday decisions that managers make commit their organizations to different levels of risk, for which they must seek appropriate rewards. Figure 1 (above) reflects the positive correlation between risk and return in four stages:

  • The (X) axis represents value over time, and the (Y) axis represents the investment size.
  • When the risk curve is low and the return curve is at safe investment, this frame is called "low return and low risk," and the expectation from the IT project is "low value."
  • As the risk curve starts to rise to the mid-point, the return curve rises proportionally to reach the point of optimum investment; this frame is called "med return and med risk," and the expectation from the IT project is "med value."
  • When the risk reaches the high point, the return curve rises proportionally to reach risky investment; this frame is called "high risk and high reward," and the expectation from the project is "high value."
  • Finally, the two curves converge; at this point the risk factors are too great in some or all parts and will destroy the value of the project.

Each accepted project increases or decreases the overall risk of the organization by a quantity that may appear insignificant in the larger context, but these quantities aggregate to determine the organization's overall risk. Holistically, this drives the entire organization up or down the risk and reward curves.

IT needs to Align with the Organization’s Risk Portfolio

Effective implementation of enterprise IT projects requires alignment of IT management decisions with the organization's business strategy and risk governance. Overall, governance achieves three goals: effective use of IT by people, IT decisions properly processed among the various IT departments, and structured tracking and reporting of projects. IT governance determines what decisions must be made based on the organization's appetite for risk, who should make those decisions (which provides checks and balances), and finally how the decisions are structured.

Turn Risk into Competitive Advantage

An IT risk incident has the potential to produce substantial business consequences that touch a wide range of stakeholders. Once an organization starts to invest wisely in IT, it will turn IT into a competitive-advantage weapon, but equally, it will grow its dependency on IT. As a result, IT becomes part of the organization's fabric of business risk; therefore, when IT executives make decisions, they need to understand the organization's risk portfolio and the organization's appetite for risk. In short, IT risk matters, now more than ever.

Please note the opinions expressed here are those of the author and do not reflect those of his employer.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.

[1] Harvard Business School, Turning Business Threat Into Competitive Advantage, 2007.
