Effective risk management - are we there yet?

Effective management of risk is increasingly recognised as a major contributor to the successful delivery of IT programmes.

Testing is just one small part of risk management. James Alevizos of Vizuri suggests an approach to the initial identification of risk and briefly details high-level principles to ensure risk management activities are embedded within an organisation.

Earlier this year I found myself sitting down to watch the DVD Shrek 2. Those of you who have seen the film should remember Eddie Murphy's entertaining yet annoying character Donkey.

When Shrek and Princess Fiona are on their way to visit Fiona's parents, the King and Queen of Far Far Away Land, Donkey continually pokes his head from the back of their horse-drawn cart asking, pleadingly, 'Are we there yet? Are we there yet? Are we there yet?'

After 15 years in IT, I have come to the conclusion that Donkey from Shrek 2 is the manifestation of key stakeholders of major IT programmes. With little interest in the intricacies and lower-level challenges of their many and varied IT journeys, key stakeholders, from the outset, simply want to know, 'Are we there yet?'

Often perceived as being annoying (like Donkey), these stakeholders have a right to know. Not just when they have arrived in their particular Far Far Away Land but also at every step of the way to ensure their horse-drawn cart is always heading in the right direction and at the right speed.

I'm constantly amazed that the closer IT programmes get to their expected Far Far Away Land equivalent, the greater the doubt and concern there is of getting there, either on time, to budget or to the degree of quality required. Surely the closer you are the more confident you should be of getting where you are going?

The way to make sure you stay on the right road is to identify and manage risks in accordance with your organisation's risk appetite. Get them out in the open up front and pursue them aggressively, otherwise there'll be a Puss In Boots coughing up a fur ball at every turn.

Risk can be defined as the uncertainty of outcome (either positive opportunity or negative threat) of actions and events. Risk appetite is the amount of risk that is judged to be tolerable and justifiable.

The management of risk involves identifying and assessing risks and then responding accordingly based on an organisation's risk appetite. Risk appetites may be different for each type of risk an organisation faces (e.g. operational, financial, reputational).

Risk needs to be properly identified at the outset of an IT programme and then managed continuously throughout the programme in order to identify new risks, changes to existing risks or risks which have ceased to be relevant.

The aim of ongoing risk management activity is to monitor continually whether risk profiles are changing, both to gain a degree of confidence and to identify when further action must be taken.

Now we've all seen the standard risk registers that are passed on from one project to another.

Typical entries include 'Project may be late' and 'Not enough resources' or 'I might be on holiday then'. And we've all grappled with that old chestnut of 'Do I raise all my risks?' or 'Do I raise the ones I can't handle myself?' There is usually little value in the contents of such a register and often even less value in how it is used.

I think there are several reasons why early risk registers are sparse. Many people adopt a very positive view at the start of a major programme of work. Others are simply too busy focusing on the delivery of immediate tasks to deal with risk management properly.

Psychologically (and I'm no expert on this one) I think people fundamentally don't like being the bearer of (potential) bad news. The 'glass is half full' team should always be balanced by the 'glass is half empty' team.

An effective initial assessment of risk is a good way to avoid risk register 'hand me downs', sparse registers and the general 'ignorance is bliss' world most of us would prefer to live in.

After all, the King and Queen of Far Far Away Land never had an issue with Shrek until they realised he was an Ogre. An Ogre in the family was clearly outside their risk appetite, and so they acted accordingly.

A focused, objective health check at any stage of an IT programme - the IT equivalent of a check up at your local GP - will produce a rich and densely populated initial risk register. This initial health check can then be used as the catalyst for ongoing risk management activities.

Make such a health check broad in order to capture risks associated with every stage of a programme. Areas for consideration (in no particular order) should include, but not be limited to:

  • commercial arrangements with suppliers;
  • organisational issues (roles, responsibilities, skills, resources);
  • project planning;
  • change management;
  • requirements definition;
  • design;
  • build;
  • configuration management;
  • test and acceptance;
  • quality strategy;
  • risk management strategy;
  • go live and cutover plans;
  • licence agreements;
  • support contracts;
  • technical environments;
  • physical and electronic security;
  • business processes and continuity;
  • user training;
  • failover and redundancy.

Key (and often obvious) questions in each of these areas produce an immediate and accurate picture of a programme's health. Once this health status has been determined, the correct course of treatment can be prescribed.

Output from a health check activity should be a comprehensive risk register, with risks classified in terms of both the likelihood and impact of occurrence. The register can then be used to focus finite programme resources on those risks that fall outside an organisation's level of tolerability.
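The register described above, worked through in code as an added example (this is not code from the article or from Vizuri). It scores each risk by likelihood and impact on a constructed 1 to 5 scale, compares the score against a per-category appetite threshold as the earlier paragraph on differing appetites suggests, and compares two snapshots of the register to find risks that are new, re-scored or no longer relevant. The risks, scales and appetite figures are all constructed for illustration; a real programme would substitute its own scales and tolerances.

```python
"""Worked example of a likelihood-and-impact risk register.

Added illustration, not the article's or Vizuri's own method. The ordinal
scales, appetite thresholds and risk entries below are constructed for the
example only.
"""
from dataclasses import dataclass

# Constructed ordinal scale shared by likelihood and impact (1 = lowest, 5 = highest).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    rid: str          # identifier in the register
    area: str         # health-check area the risk was found in
    category: str     # type of risk the appetite is set for
    description: str
    likelihood: int   # 1..5
    impact: int       # 1..5

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        # Multiplicative exposure score; a 5x5 matrix lookup would slot in here equally well.
        return self.likelihood * self.impact


# Constructed appetite: the highest score tolerated for each type of risk.
# Reputational risk is tolerated least, so a lower score already triggers action.
APPETITE = {"operational": 12, "financial": 8, "reputational": 4}


def outside_appetite(register, appetite=APPETITE):
    """Risks whose score exceeds the tolerated level for their category, highest score first."""
    flagged = [r for r in register if r.score > appetite[r.category]]
    return sorted(flagged, key=lambda r: (-r.score, r.rid))


def register_changes(previous, current):
    """Compare two register snapshots: new risks, re-scored risks, and risks that have ceased to be relevant."""
    prev = {r.rid: r for r in previous}
    curr = {r.rid: r for r in current}
    new = sorted(set(curr) - set(prev))
    retired = sorted(set(prev) - set(curr))
    changed = sorted(
        rid for rid in set(prev) & set(curr)
        if (prev[rid].likelihood, prev[rid].impact) != (curr[rid].likelihood, curr[rid].impact)
    )
    return {"new": new, "changed": changed, "retired": retired}


# Constructed initial register as it might come out of a health check.
INITIAL = [
    Risk("R1", "commercial arrangements with suppliers", "financial",
         "Fixed-price contract has no change-control clause", 3, 4),
    Risk("R2", "test and acceptance", "operational",
         "No performance test environment available before cutover", 4, 4),
    Risk("R3", "physical and electronic security", "reputational",
         "Unmasked production data used in test", 2, 5),
    Risk("R4", "user training", "operational",
         "Training scheduled after go-live", 3, 2),
    Risk("R5", "failover and redundancy", "operational",
         "Single database server with no tested failover", 2, 5),
]

# Constructed later snapshot: R2 partly mitigated, R4 closed, new R6 identified.
LATER = [
    INITIAL[0],
    Risk("R2", "test and acceptance", "operational",
         "Performance test environment ordered, delivery not yet confirmed", 2, 4),
    INITIAL[2],
    INITIAL[4],
    Risk("R6", "go live and cutover plans", "operational",
         "Cutover weekend clashes with supplier change freeze", 3, 3),
]


if __name__ == "__main__":
    for label, register in (("initial", INITIAL), ("later", LATER)):
        print(f"{label}: outside appetite ->",
              [(r.rid, r.category, r.score) for r in outside_appetite(register)])
    print("changes:", register_changes(INITIAL, LATER))
```

Note that R5 (score 10) is not flagged while R3 (also score 10) is: the appetite for the risk type, not the raw score, decides where finite programme resources go. The snapshot comparison is what turns a one-off health check into the continuous activity the article asks for.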

That's your initial risk assessment done. That's the relatively easy bit. The challenge then is to ensure that once identified, these risks remain at the forefront of standard programme and project management activities. That's the harder bit. To do this you need to create and support a risk management culture within your organisation.

Like any cultural change this requires commitment from senior members within the organisation, an increased awareness of risk management amongst employees and then a concerted effort by all to change existing behaviours.

The latter can only happen when individual employees understand the benefit to themselves. It's the classic 'What's in it for me?' scenario.

To encourage changes to existing behaviours link the importance of risk management to review and appraisal activities. Try to create a positive attitude to well-managed risk-taking.

Leaders should be clear about what they have high and low risk appetites for. Ensure there is awareness that individual roles and psychologies will affect how different people perceive risk. Actively encourage risk-based decision-making.

The key is not just the production of the initial risk register but keeping it at the forefront of regular programme discussions, so that potential problems are removed with the appropriate amount of resource in the most cost-effective and timely manner.

Once existing behaviours change and risk management activities are embedded in core processes such as planning, performance management and project management, the likelihood of nasty surprises on the way is significantly reduced.

So don't be an Ogre. Help your Donkey get to their Far Far Away Land by ensuring risk is defined and managed properly - because every donkey deserves to be a stallion!

James Alevizos is a partner at Vizuri who specializes in risk management, risk-based testing strategies and test process improvement.

BCS Annual Review 2006
