I have been giving quite a bit of thought lately to the topic of enterprise risk management. In large part, this stems from the fact that I have worked on more than a few projects in which my client’s risk tolerance was off the charts. I mean cray cray. In this post, I discuss three types of organizations with respect to risk tolerance:
- The Oblivious Enterprise
- The Zero-Risk Enterprise
- The Acceptable Risk Enterprise
The Oblivious Enterprise
This type of organization is perhaps best epitomized by a client of mine (call it ABC here). The company’s mind-set could be epitomized as follows: There was no such thing as risk. Period.
Here’s the crazy thing, though. ABC routinely addressed IT projects in this manner. According to lifers, every piece of software and hardware that ABC deployed in the last ten years was managed the same way. Proceed as if nothing is wrong. Ever.
This was a shock to just about every external consultant who showed up to work at ABC. You see, good consultants have been trained to identify and minimize risks throughout projects, at least as much as they can, anyway. Sadly, ABC’s CIO did not want us “editorializing.” Translation: keep your mouths shut. We don’t like naysayers.
From the consultant’s perspective, you can’t win on projects like these. If you broach a legitimate issue, you’ll be silenced and possibly removed from the project. If you don’t, then you’ll invariably be asked, “Why didn’t you tell us about this?” Organizations like these have high employee rejection rates; it takes a certain personality type to accept the risk of lawsuits, audits, and generally appearing foolish as you expose yourself and others to excessive levels of risk.
The Zero-Risk Enterprise
Now, let’s turn to the other end of the spectrum. Several years ago, I worked on a project for an organization that would not do anything when faced with even the smallest risk. To that end, it employed a full-time internal auditor to carefully monitor all IT projects. He would report his findings to the CIO.
So, you may ask, what’s wrong with this?
In the abstract, nothing. But IT projects are never abstract. Actions have consequences. The project consistently suffered as the implementation team attempted to address his concerns, and he had a bunch. Sure, many of them were well-founded, but how do you concurrently assuage an auditor’s concerns and make up time on a delayed project?
If your organization is not ready to take on some level of risk, then don’t start a major systems or IT initiative. Ever. All projects come with some degree of risk. It’s that simple.
The Acceptable Risk Enterprise
Ah, I can’t tell you how much I enjoy working with companies and people who understand risk. They possess a modicum of perspective. Serious risks are actually taken, well, seriously. Further, key people understand the time-sensitive nature of many problems. They understand that, as prolific author Bob Charette has said, risk is always a function of information, time, and money.
Of course, no organization has unlimited information, time, and money. Trade-offs need to be made, as I point out in what I call the Enterprise Risk Pendulum:
Executives at acceptable risk organizations understand the relationship between risk and cost. As such, I’d argue that they are likely to make the right calls most of the time. Things won’t always go perfectly, but these realists create contingency plans in the event that things go awry.
I have a few questions for you:
- What’s your organization’s risk tolerance?
- What causes some organizations to accept so much risk?
- Can people with one risk tolerance be successful at organizations with vastly different risk tolerances?
I wrote this post as part of the IBM for Midsize Business program.