The Faces of Risk
By Faisal Hoque | Posted 2009-05-05
Risk management and IT continuity are complex and critical disciplines.
In an environment where business technology is pervasive, what is the nature of risk? Risks are classified into three broad categories based on where they originate: systems, sourcing and strategy. Some risks are predominantly intra-enterprise in nature, such as systems and strategy, while others, notably sourcing, reflect the challenges that arise in inter-organizational settings. Although these categories overlap and are not mutually exclusive, they provide a conceptually simple framework that can be populated through conversations and interactions among executives from both technology and business.
Effectively managing project risk requires that a structured process and organizational responsibilities be implemented at both the project and program levels. A formal risk management plan should be developed to clarify risk management roles and responsibilities; risk management processes, procedures, standards, training and tools; the method and frequency of risk progress reporting; and what should be monitored to determine whether risks are occurring. A project should attempt to manage only the risks it can handle. Other risks should be elevated to the program level. Whether to elevate a risk should be decided by examining whether the mitigation action steps are within the control of the project team.
Managing risk at a program level involves a review of project risks and program risks by an Enterprise Program Management Office (EPMO). The EPMO should analyze project risk across the entire program to see if the same risk occurs in different projects and requires concerted action.
The EPMO should document the inventory of risks, their assessment and mitigation plans in a database. If, after analyzing program risk, the overall program risk level is deemed to be higher than originally documented in the cost/benefit plan (i.e., the business case), then the business case should be updated to reflect the adjustment in the range of costs and/or benefits or a lower confidence measure. It is important that the EPMO collaborate with an Enterprise Risk Management (ERM) Group to ensure that the business impacts of project-related risks are well understood, and that a periodic evaluation can be made concerning the impact of other enterprise risks on the project.