Strategy Execution for Risk Management

No investment can be effective in the long term without consideration of risk. The consequences of inadequate business continuity planning can be disastrous.

The outcomes of inadequate risk management run the gamut from financial losses to a loss of customer goodwill that may well threaten the long-term viability and survival of a firm. Today, with an increasingly unforgiving regulatory environment and legislation such as Sarbanes-Oxley that requires business technology systems to function without error, executives need to be concerned about risk management more than ever before.

Business risks can be both internal to the firm, such as rolling out an inadequately tested system, and environmental, in the form of an unanticipated natural disaster. This two-sided model creates a challenge for business and technology executives. The former type of risk is somewhat more recurring, predictable and perhaps controllable, and, therefore, the business case for investment in risk management is often easier to justify. Meanwhile, the latter type of risk is unanticipated and episodic, and the typical firm questions the outlay of resources to protect against such rare occurrences.

At its essence, risk management involves three steps:
(1) Identifying the nature of risks inherent in the situation
(2) Assessing the likelihood of the risks manifesting themselves
(3) Taking preventive and corrective action to reduce the firm’s level of exposure to the risk

The past three decades of business computing have contributed much to our understanding of risk in the technology context. Unfortunately, a dominant focus in this prior work has been narrow – on controlling and managing projects, rather than on the broader risks that executives face in firms where technology is deeply and fundamentally embedded within the business. Indeed, the turn of the century has heralded significant changes in the business technology milieu that have created a compelling need to expand the focus of risk management from the micro project view to a broader enterprise perspective.

These changes include an increasing emphasis on:
(1) “Buying” and customizing packaged solutions rather than building systems in-house, i.e., on solutions integration rather than software development
(2) Partnering with a wide array of providers to acquire needed technical competencies and skills, including taking advantage of off-shore resources
(3) Using business technology for systems that span organizational boundaries and help link together customers (through electronic commerce and CRM systems), suppliers (through fully integrated electronic supply chains), and other business partners
(4) Deploying business technology as the platform upon which the entire business is run