Positive risk can occur in IT. For example, projects can be ahead of schedule, or greater than expected e-business activity can occur. Both of these positive risks can result in negative risks downstream. If there are dependencies in project resources or if operational bottlenecks in supporting operational systems develop as a result of increased e-business activity, many negative risks such as resource contentions and customer dissatisfaction can occur.
182 CHAPTER 5 BUILDING THE IT PORTFOLIO
Risk must be evaluated for individual investments and assessed across the entire portfolio. In IT, operational risk is usually managed via a business continuity plan or disaster recovery plan. For IT projects, however, only half of global 2000 organizations do a risk assessment prior to starting the project; of those, only 50% ever look at the risk assessment again throughout the life of the project. Thus, only 25% of IT projects proactively do risk assessment. An example of risk categories and risk factors is shown in Appendix 5B.
Business and IT management must reach consensus as to the allowable boundaries and risk thresholds. Companies evaluate risk based on a range of scenarios (high/medium/low, short term/long term, etc.), or for financial measures they adjust hurdle rates (the higher the hurdle rate, the less attractive the net present value) based on a multitude of parameters such as geography, business unit, or type of investment.
Exhibit 5.3 shows the steps for identifying risks, risk tolerance levels, and risk types; gathering and evaluating alternative risk mitigation/elimination strategies; and determining residual risks. Risk assessment and management processes within IT and the business must be standardized and instituted. Information stemming from the risk assessment and management processes must roll up into the IT portfolio and must be further consolidated into the enterprise risk management program. Leading organizations factor project risk into their budgets and plans as processes for risk assessment and risk management become more quantitative, incorporating historical metrics, much the way actuarial information is used in the insurance industry. Failure to incorporate adequate risk assessment and management into the enterprise solution portfolio will likely lead to undesirable outcomes as companies take on overlapping initiatives.
Financial constraints (i.e., IT budgets) are a major limiting resource facing companies when evaluating IT investments. Miscalculating the procurement, development, integration, and execution costs for a potential IT investment, as well as incorrectly estimating the total cost of ownership (e.g., upgrades, maintenance and support, management, enhancements, increase in rates) for new and existing IT investments, could have devastating consequences. Redundant investments, poor prioritization of investments, and unwillingness to retire existing investments or kill IT projects create a tremendous drain on IT costs, essentially suffocating IT investments that could add significant value and competitive advantage to a company.
As previously mentioned, costs are correlated with the value delivered by an investment. Business and IT must carefully monitor the cost aspects of the IT portfolio, assuring that cost savings (e.g., as a result of retiring existing assets or canceling IT projects) are accounted for and reinvested back into areas such as grow the business and transform the business. Employees must be held accountable to assure this reinvestment cycle is efficient and effective.
EXHIBIT 5.3 RISK AND IT PORTFOLIO MANAGEMENT
1. Determine the company's position on risk.
a. Rate the organization's relative tolerance for risk in a way that is consistent with the company's culture.
2. Identify risk categories. For example:
a. Conditions—internal or external changes (e.g., geopolitical, legislative, economic) will occur in a manner that negatively impacts the portfolio.
b. Culture—the culture of the company will not embrace change imparted through the portfolio.
c. Complexity—complexity of the portfolio or its components will lead to a higher probability of rejection or failure.
d. Cooperation—questionable cooperation of key stakeholders, internal or external, leading to change in expected results.
3. Inventory IT risks, IT risk mitigation strategies, and impact of the IT risk.
a. CobiT, described in Chapter 3, is a process used to audit risks.
4. Assess risks and validate alignment with company risk threshold levels (individual investments as well as entire portfolio).
a. Risks are assessed based on evaluating the threat (deliberate or accidental), the vulnerabilities, and the business impact to the company.
b. Identify all statutory and contractual requirements.
c. Determine unique set of risks (security, other requirements) to the company's assets.
d. Identify the nature, business purpose, and environment of business information and systems.