Understanding IT Risks

Hani Elbeyali is a technology strategist for Dell. He has 19 years of IT experience and is the author of Business Demand Design methodology, which details how to align your business strategy with your IT strategy. His previous post was Demonstrating IT Value, Illustrated.


Businesses are always trying to minimize risk to the enterprise, but smart leaders realize that profits are sometimes the rewards earned for taking educated risks. Once a manager understands that risks and rewards (or benefits) are positively correlated, the next step may be to expect that the higher the well-calculated risk, the higher the expected return is going to be. This concept applies to the IT organization because it is part of the overall process by which any enterprise “gets things done.”

What is IT Risk?

Risk, according to financial theory, refers to the unpredictability of outcome. “While financial measures of risk, such as volatility and standard deviation, measure the upside and downside of deviations from the expectations, only downside variability is considered to be the true measure of risk,” states Mukul Pareek in his article “Information System Control Journal.” What we infer from this statement is that risk is represented only by the downside of the expected return, not the upside. Correspondingly, IT risk, or downside, is represented by the measurement of the potential for an unplanned event, internal or external, resulting in a failure or misuse of IT that threatens an enterprise objective; and it is no longer confined to a company’s IT department.

What are Risk Types?

Planning for risks can be a huge undertaking. Because the number of risk permutations is beyond the scope of one article, I want to give an illustration of an Enterprise Resource Planning (ERP) risk failure, and of the volatility of the enterprise risk taken on with such a project. ERP potential risks can be measured in two stages: during implementation and post deployment.

During Implementation: Internal factors


  • Delay due to the rise of an internal event, which could be beyond the control of IT, examples: business priorities change, dependencies out of line, budget constraints, and unexpected cost overrun
  • Siloed IT focus due to aligning IT to serve specific line of business
  • Lack of alignment between business strategy and IT strategy
  • Not enough time, money, and effort spent on assessment, plan and design
  • No executive sponsorship
  • Lack of process to implement an enterprise governance


  • Significant harm to the organization’s stakeholders and stockholders. This could result in financial loss, from which the organization may be able to recover.


  • In December 2003, the United Kingdom’s Inland Revenue put a new system for managing tax credits into production. Pre-production testing had been limited to four weeks rather than the planned 20 weeks because the project was behind schedule. It is estimated that over £2 billion in erroneous tax credits were paid out by the system before errors were recognized and corrective measures taken.

Post Deployment: Internal and External factors


  • Ineffective implementation of enterprise governance; this is especially damaging in today’s times of rapid strategic business change
  • Loss of service due to broken process flow or vendor services failure
  • Data leakage, theft, or misuse of information
  • Complex and uncontrolled IT environment; this manifests as a complex asset inventory, many overlapping IT management tools, poor documentation, and a lack of unified change management procedures


  • The risk exposes poor enterprise management to customers, along with ineffective implementation of compliance and governance, not only in IT but throughout the entire organization
  • Significant harm to the organization’s stakeholders and stockholders. This could result in financial loss from which the organization may be able to recover, but with negative Net Present Value (NPV) and Return on Investment (RoI)
  • Damage to the reputation of the organization, from which, over time, the organization may never be able to recover


  • In 1996, a failed implementation of SAP’s enterprise resource planning software at FoxMeyer, a $4 billion pharmaceutical distributor, allegedly led to the company’s bankruptcy. The company’s trustees filed suit against SAP (the software vendor) and Accenture (the systems integrator for the project), asking for $500 million in damages from each. The case was settled out of court in 2005.1
