Risk culture is no longer a confidential subject within companies. Every day, the news reveals its share of threats, which can have serious consequences for the operation and survival of organizations.
Logically enough, as digitalization increases, CIOs are well placed to play a key role in managing these risks, especially since purely IT risks (cybercrime, datacenter failure, contractor default, and so on) are credible and pose tangible threats.
But behind the general concepts, it’s the operational reality of all IT projects that needs to be analyzed and managed. Of course, not all IT projects are created equal.
So how do you effectively steer risk management in an IT department? From identification to analysis, from assessment to treatment of risk, how can we arm ourselves with pragmatism and discernment? Here are some answers.
What is a risk?
A risk is a potential problem in the execution of a project or activity, identified in advance. Put another way, a risk is a point of weakness whose occurrence could have a negative impact on the smooth running of a project, by taking it away from the initial scenario imagined when it was launched.
What are the possible risks involved in an IT project?
Risks can be grouped into 3 main categories:
- Product risks: the deliverables may inherently contain technical or functional difficulties, or security gaps, so we need to assess what these complexities are.
- Risks relating to the resources allocated to the projects: these can be both human and material resources. Classic examples: budgets that get out of hand or are insufficient, skills shortages, lack of availability of teams.
- Organizational change management (OCM) risks: implementation, availability, user management.
If, in these 3 categories, a point stands out during the analysis phase, it constitutes a potential risk. The challenge is then to assess its severity and the likelihood of its occurrence.
How do you assess risk?
There are numerous risk mapping and assessment methodologies, with the aim of ensuring that nothing is overlooked, and developing a scoring system for prioritizing risks. For a non-expert, project risk management can be a frightening prospect, as you quickly get the impression that it requires advanced skills that are difficult to master without dedicated training.
But should we bury our heads in the sand? Certainly not. Rather, we should bear in mind that there is no ready-made recipe for identifying the risks associated with an IT project, and no magic training program. By its very nature, a risk will depend on many factors, both internal and external to the company. It is above all a good knowledge of this context that will enable you to detect them with discernment, taking care not to miss anything.
So, short of perfect mastery of “certified” methodologies for mapping and assessing risks, let’s start by considering that, within an IT department, managing risks is first and foremost a matter of sound, concrete project management, open to the hazards that could have an impact on the course of things.
CIOs are ideally placed to carry out these tasks: “culturally”, a CIO naturally cultivates analysis and evaluation skills that are perfectly in tune with the project risk management approach. Thus, once a risk has been identified, it is essential to evaluate it on the basis of a scoring system, typically combining the likelihood of its occurrence with the severity of its impact. A risk with a high score should be tracked. A minor risk can be set aside. Knowing how to score a risk in order to prioritize it is not so different from knowing how to score a project in order to arbitrate it. Both situations call on the objectivity and pragmatism of mathematical models.
Example of a risk criticality matrix (image not reproduced here).
How to implement pragmatic project risk management?
Depending on its size, an IT department may manage a large number of projects, but not all projects are created equal: they are not all of the same sensitivity, criticality or scale (in terms of resources mobilized, duration, etc.). Project risk management must therefore be pragmatic.
All the more so as many IT departments, and more generally small and mid-sized companies, don’t have as well-developed a risk management culture as can be found in larger companies with dedicated departments, or in regulated business sectors. It would therefore be pointless, not to say counter-productive, to try to track every identified risk over time. Only major risks should be tracked.
In concrete terms, it’s important to bear in mind that even a simple project is never free of risks, but that doesn’t mean you have to try to track them all. Identifying the 3-4 really salient risks is generally sufficient.
How do you steer risks?
The most critical risks must obviously be the subject of a dedicated action plan designed to deal with them and prevent them from occurring or worsening. These actions may well have an impact on the course initially envisaged for the project, and modify the initial scenario. The objective is to defuse these risks.
But above all, it’s important to bear in mind that the risk scoring established at the start of the project is not fixed: at every project review, at every new report, the entire initial list of risks has to be reviewed and re-scored to reassess the likelihood and potential impact of each “danger” that could affect the smooth running of the project. Is risk A, B or C still just as critical? How likely is it to occur?
It is also in the interest of this dynamic management to keep a record of past scores, so as to be able to carry out a retrospective analysis if necessary. In this context, it makes sense to use project portfolio tracking tools that provide a common framework for all the IT department’s projects. During project reviews, for example, this will enable you to identify drifts, risks and difficulties, thanks to common tracking KPIs and alert points explicitly raised by flash reports. Similarly, the more finely integrated project management is with the other components of IT management (budgets, teams, suppliers, for example), the better the ability to identify and track risks: budget slippage, over-staffing or a warning about a contractor can be reported and shared in real time, so that decisions can be adapted immediately if necessary.
Towards macro risk management
Managing the risks inherent in each project is often the responsibility of the project manager. For the CIO, it is useful to have a more macro view of all the risks identified and incurred, at the level of a project portfolio for example. This consolidated, cumulative view can reveal themes that emerge frequently or almost systematically. They then reveal an underlying trend that is no longer cyclical, but structural, and which can be the subject of a dedicated action plan to bring about more in-depth changes to a system.
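As an added illustration that is not part of the original article, here is a small Python risk register that implements the practice described in the scoring, steering and portfolio sections above: each risk is scored as likelihood × impact on a criticality matrix, only the 3-4 most salient risks are tracked, every project review re-scores a risk while keeping its previous score for retrospective analysis, and the portfolio is consolidated to surface the themes that recur across projects. The 1-5 scales, the criticality bands, the `Risk` class and the sample projects are assumptions of this example; the article’s own matrix image is not reproduced.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed 1-5 scales for likelihood and impact; the article's matrix image is not
# reproduced here, so these labels and the bands below are this example's own choice.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
CATEGORIES = {"product", "resources", "ocm"}  # the three categories from the article


@dataclass
class Risk:
    name: str
    category: str
    likelihood: str
    impact: str
    history: list = field(default_factory=list)  # (review label, score before re-scoring)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")

    @property
    def score(self) -> int:
        """Criticality score = likelihood x impact, on a 1..25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def criticality(score: int) -> str:
    """Assumed bands of the matrix: 'critical' and 'high' are tracked, lower ones set aside."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def top_risks(risks, n=4):
    """Keep only the n most salient risks (the article suggests 3-4). Ties break on name."""
    return sorted(risks, key=lambda r: (-r.score, r.name))[:n]


def rescore(risk, review_label, likelihood=None, impact=None):
    """Re-assess a risk at a project review; the previous score is kept for retrospectives."""
    risk.history.append((review_label, risk.score))
    if likelihood is not None:
        risk.likelihood = likelihood
    if impact is not None:
        risk.impact = impact
    return risk.score


def structural_themes(portfolio, min_projects=2):
    """Consolidated portfolio view: risk names that recur in at least min_projects projects."""
    counts = Counter()
    for risks in portfolio.values():
        counts.update({r.name for r in risks})  # count each name once per project
    return {name: n for name, n in sorted(counts.items()) if n >= min_projects}


def build_sample_portfolio():
    """Constructed sample data: hypothetical projects, not taken from the article."""
    return {
        "ERP migration": [
            Risk("contractor default", "resources", "likely", "major"),
            Risk("budget overrun", "resources", "likely", "moderate"),
            Risk("skills shortage", "resources", "possible", "moderate"),
            Risk("user adoption", "ocm", "possible", "major"),
            Risk("datacenter failure", "product", "rare", "critical"),
        ],
        "CRM rollout": [
            Risk("budget overrun", "resources", "possible", "moderate"),
            Risk("skills shortage", "resources", "likely", "minor"),
        ],
        "Intranet redesign": [
            Risk("budget overrun", "resources", "likely", "minor"),
            Risk("user adoption", "ocm", "unlikely", "moderate"),
        ],
    }


if __name__ == "__main__":
    portfolio = build_sample_portfolio()
    erp = portfolio["ERP migration"]
    print("Tracked risks for ERP migration:")
    for r in top_risks(erp):
        print(f"  {r.name:20} score={r.score:2} {criticality(r.score)}")
    skills = next(r for r in erp if r.name == "skills shortage")
    rescore(skills, "review 2", likelihood="unlikely")
    print(f"skills shortage after review 2: {skills.score}, history {skills.history}")
    print("Structural themes across the portfolio:", structural_themes(portfolio))
```

With the sample data, the 1-in-5-chance datacenter failure scores 5 and drops out of the tracked list even though its impact is rated critical, which is exactly the trade-off a likelihood × impact matrix makes; budget overrun recurs in all three projects and shows up as a structural theme rather than a one-off.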
The challenge of instilling a culture of risk awareness and empowering all stakeholders
Last but not least: a classic pitfall of risk management is to assume that because a risk has been identified, recorded and tracked, and because the right tools have been put in place to deal with it, the subject of project risk management has been properly and sufficiently addressed and mastered.
This is not enough. On the contrary, in the face of all the potential vulnerabilities and threats, vigilance must be the watchword for everyone in the IT department, and even beyond.
Every employee needs to be made aware of, and acculturated to, project risk management, which should not remain the prerogative of the Information Systems Department and absolve the company’s other departments from increased vigilance in this area.
So, while it’s normal for one person, often the project manager, to be responsible for risk mapping, there can be no good risk management unless it’s fully integrated into the operational reality of the project and shared by the whole team. In concrete terms, this means that everyone involved in a project must be aware of the stakes involved in these risks, and capable of modifying their actions or behavior accordingly. This awareness of risks must be sufficiently shared, and form part of an overall system of collaboration and communication, so that the project leader, the team manager and the CIO himself are able to pick up on the weak signals that may inflate, deflate or generate new risks. This ability to listen will play a key role in the CIO’s ability to manage risk effectively, both within the organization and beyond.