I was the one who recommended that CIPS (www.cips.ca) accept risk management as a basic IT professional responsibility. I chaired the Task Force that developed the CIPS Risk Management Practice Guideline. This is my explanation for why risk management is important for all professionals, and especially for IT professionals. It’s also an explanation of why this is the right time to add an explicit concern for risk management to the IT professional’s agenda.
The logical starting point is to begin with a definition of risk. A risk is triggered by an event that might happen in the future, leading to an outcome other than what was planned. Associated with a risk is a probability of the trigger event occurring, and a likely impact should that event occur. In the absence of a planned outcome, it’s not reasonable to talk about risks – there are no unplanned outcomes.
Risk management is important on a number of different levels. There is growing consensus that risk management is a central senior management responsibility. The Committee of Sponsoring Organizations, or COSO, views senior management as having a fundamental responsibility to determine how much uncertainty or risk the organization should accept in the pursuit of greater shareholder value. Risk management has been centrally important to financial institutions for some time; it’s becoming centrally important for all other major organizations in our society.
This concern for risk management at the top of our organizations is forcing risk management considerations to be taken seriously throughout organizations. It’s a responsibility that is expected of every manager and every professional within the organization. Everyone who has a scope of independent action is being required to practice risk management. When the Board and the CEO say that risk management is important, it’s important; end of discussion.
Risk management also makes a great deal of personal business sense. One of the most serious mistakes I made as a manager was a failure to look closely at the risks associated with the project plan one of my people proposed. Had I examined the risks there would have been a few simple steps we could have taken. But the risks went unexamined – we focused on doing it right, not on what might go wrong. And some of the things that might go wrong, did. We had no plan for how to respond, and we were out of time. The project limped to conclusion, delivering much less than planned. It’s one of those moments I really wish I could relive – this time I would pay attention to risk management.
There is a clear personal need to achieve a happy balance. Under most circumstances, you should spend the majority of your time, and the time of your people, working to achieve planned outcomes. But you should also reserve some time to work on reducing the likelihood or likely impact of unplanned events. Ignoring possible risks isn’t “focusing on success”; it’s being unrealistic about how the world really works. Any action worth taking will be accompanied by some risk. Modest risk management efforts can have a very big payoff, especially when the potential risks become immediate problems that must be solved.
The professional isn’t there to give me the “facts” – those I can often acquire for myself on the Internet. The professional is important because he can help me interpret the facts and understand what would be involved in following a possible course of action. I trust a professional not because of the facts at his command, but because he has a much better understanding of the context and the likely consequences of possible actions. The professional is trustworthy because he can help me realistically assess risk as well as planned or desired outcomes.
There are two important aspects of the professional’s risk management responsibilities. First, providing clients, customers, or patients with effective risk management advice is one of the necessary ingredients in winning the trust of those people. Being seen as trustworthy is key to winning new or repeat business. Trustworthy professionals are far more likely than their peers to have a healthy professional practice. Second, failure to advise clients, customers, or patients of possible risks exposes the individual to the possibility of a professional misconduct charge. Serious liabilities can result from a judgment that supports such a charge.
It’s not that long in the past when IT professionals were primarily rewarded for creativity and dedication to the job. Those characteristics are still important, but now managing and mitigating risk has become at least as important. The successful IT professional in the 21st century will need to be trustworthy, applying dependable best practices and managing any residual risks. Risk management has moved to the forefront. It’s something that will be increasingly expected, and demanded, of IT professionals. The CIPS Risk Management Practice Guideline is a place to start.