In my last blog with Stephen Gold, EVP of Business and Technology Operations and CIO of CVS Health, we discussed Gold's approach to continuity of value, a process that Gold uses to make sure he and his business partners make the right IT investments.
No doubt, you have a process that you use to tie investments to value. Once you've spent all of that time making sure you are investing wisely, wouldn't it be great if your projects were successful? That's where "risk management" comes in.
Problem Seeking, Not Problem Solving
"CIOs and IT leaders often don't pay as much attention to risk as they should because it goes against human nature," says Gold. "By nature, people are optimistic; we tend to assume the positive, even when we develop software. We test to make sure our functional designs work. But are we planning, building, and testing for the 'negative' use cases? Generally not as often, and it's not because we are technically deficient. It's because that kind of thinking puts us out of our comfort zone. Most people think about problem solving; 'risk management' is about problem seeking: anticipating problems and searching for them proactively. It's a different mindset."
According to Gold, most project management literature addresses several critical aspects of managing a project: charters, project membership, status reports, cadence and metrics. "These topics are all important and necessary, but they are not sufficient," says Gold. "I have noticed throughout my career that the skills and tools we are missing the most are those which deal with managing risk."
If risk management is not already a part of your organization, you would be wise to adopt a formal risk management program to embed a more complete perspective into the IT team's everyday thinking.
Risk Management: a Five Step Process
At CVS Health, risk management is a five-step process: planning, identification, quantification, response, and monitoring and control.
"Our formal risk management practice starts in the earliest stages of portfolio planning and continues through to project execution and post-project review," says Gold.
"If you look at a work breakdown structure, there is a whole laundry list of risks that should be a part of every project," says Gold. That laundry list might include:
- Availability of resources
- Newness of technology
- Lack of familiarity with technology or processes
- Lack of training
- Critical path tasks
- Tasks with several predecessors
- Optimistically-estimated tasks
- Tasks reliant on external resources
- Tasks in parallel
- Tasks with many people assigned
- Qualifications and skills
- Holidays, vacations, illness and turnover
Key to risk management is the formula that states "risk equals the function of probability x impact". "If a risk has a low probability and low impact, you might be able to accept the risk," says Gold. "But if a risk has a high probability and a high impact, you have to pay attention." Depending on the probability/impact equation, you can accept, avoid, transfer, share, reduce or ignore the risk.