Risk management

People have a strange relationship with risk. Most of us prefer to avoid it – consistently choosing a sure outcome over a gamble with equal or higher expected value. Yet success in nearly everything involves taking risk.

“Most people would rather not lose a little than win a lot,” says Marsha Reppy, Global and Americas’ Governance Risk Compliance Technology Leader at Ernst & Young LLP (EY). For a business that hopes to grow and thrive, taking calculated risks is essential, as is defining the risk appetite befitting its internal culture.

The topic of risk is especially delicate for CIOs. Historically, their role with respect to risk has been to avoid it by protecting the business. The mandate for digital transformation and innovation now pressures CIOs to think more boldly.

However, protecting the business and pursuing innovation are not mutually exclusive. “Risk management is not the same as risk aversion,” Reppy says. Managing technology risk is about aligning investments and initiatives in ways that keep risks proportionate to rewards.

Common language

Understanding and evaluating risk starts with using a standard framework and a common set of definitions. This allows an “apples to apples” comparison, establishing a consistent approach across risks that differ widely in kind and scale. “Have a clear framework and standard definitions of what risks are, how to rank them, what’s important to the business, and how to manage and mitigate those risk factors,” Reppy recommends.

She also suggests asking questions that balance value against risk, rather than questions focused solely on risk aversion. For example:

  • What’s the risk of our using waterfall vs. agile methodology on a project?
  • What’s the risk of pumping the brakes on an implementation to address controls and security?
  • What’s the risk to my revenue of a 24-hour outage of my e-commerce platform versus my human resources application?

It’s also important to understand that risk management is a probability equation. Heading into 2020, many businesses had contingency plans for short-term supply chain disruptions, but few considered the consequences of a global pandemic that would close borders for months. Some were able to tolerate the impact for longer than others.

Risk evaluation, therefore, should consider the likelihood of an event and its impact on the business from a timeline perspective – both the short and long term, as well as the overall risk tolerance specific to your business.

“Define the broader risk appetite and tolerance for the organization and for IT, and then use that to right-size your actions,” Reppy says.

The risk of doing nothing

Keep in mind that risk can encompass inaction as well as action. Organizations with obsolete technologies can fall victim to nimble upstarts before they realize how much their legacy technologies are holding them back. In the same vein, failure to act on a promising new technology such as blockchain or machine learning can cause a company to fall far behind its competitors.

Risk can also lurk in seemingly safe events. For example, underestimating the complexity of merging systems following an acquisition, or decoupling them after a divestiture, can set the IT organization’s schedule back for months, causing more strategic projects to fall behind.

The risk of failing to manage talent proactively can also kill innovation in its tracks, Reppy says. “Look at the new technologies being introduced and think about whether you can grow talent with the appropriate skills or repurpose the talent you have.”

One way to mitigate risk at a structural level is to invest in technology solutions that help you manage it. Organizations that had moved operational systems to the cloud, automated manual workflows, introduced continuous monitoring, and invested in technology to virtualize physical processes fared much better during COVID-19 than those that had put such projects on the back burner. Machines are usually less vulnerable and more efficient than people.

Finally, be realistic about risk avoidance. Stretching for zero compliance errors or manufacturing defects may not be worth the cost. “It may not always be a good KPI because it could drive wrong behaviors,” Reppy says. “It’s not always about eliminating mistakes; often, it’s about identifying them and fixing them quickly. Taking a realistic and pragmatic approach enables people to do the right things.”

And isn’t that what the final goal is?

For more information about how Ernst & Young LLP can help you unlock long-term value for your stakeholders, and for thought-provoking content for technology professionals, visit ey.com/CIO.

Disclaimer: The views expressed by the authors are not necessarily those of Ernst & Young LLP or other members of the global EY organization.