In my Getting to Know You post, the category for next blog topic receiving the second highest vote total was “IT Project Failure.”
Ask and ye shall receive.
I have been giving quite a bit of thought lately to the topic of enterprise risk management. In large part, this stems from the fact that I recently completed a project in which my client’s risk tolerance was off the charts. I mean crazy. In this post, I discuss three types of organizations with respect to risk tolerance:
- The Zero Risk Organization
- The Oblivious Organization
- The Acceptable Risk Organization
The Zero Risk Organization
Several years ago, I worked on a project for an organization that would not do anything if there was even the smallest risk. To that end, it employed a full-time internal auditor to carefully monitor all IT projects. He would report his findings to the CIO.
So, you may ask, what’s wrong with this?
In the abstract, nothing. But IT projects are never abstract. Actions have consequences. The project consistently suffered as the implementation team attempted to address his concerns, and he had a bunch. Sure, many of them were well-founded, but how do you concurrently assuage an auditor’s concerns and make up time on a delayed project?
You don’t.
Simon Says
If your organization is not ready to take on some level of risk, then don’t start a major systems or IT initiative. Ever. All projects come with some degree of risk. It’s that simple.
The Oblivious Organization
Now, let’s turn to the other end of the spectrum. This type of organization is perhaps best epitomized by my most recent client. The mentality could be described as:
There was no such thing as risk. Period.
Here’s the crazy thing, though. The company routinely addressed IT projects in this manner. According to lifers, every system that the company implemented in the last ten years was managed the same way. Proceed as if nothing is wrong. Ever.
This was a shock to just about every consultant on the project. You see, good consultants have been trained to identify and attempt to minimize risks throughout projects. Sadly, the CIO did not want us “editorializing.” Translation: keep your mouths shut. We don’t like naysayers.
Simon Says
From a consultant’s perspective, you can’t win on projects like these. If you broach a legitimate issue, you’ll be silenced and possibly removed from the project. If you don’t, then you’ll invariably be asked, “Why didn’t you tell us about this?” Organizations like these have a high employee rejection rate; it takes a certain personality type to accept the risk of lawsuits, audits, and generally appearing foolish as you expose yourself and others to excessive levels of risk.
The Acceptable Risk Organization
Ah, I can’t tell you how much I enjoy working with companies and people who understand risk and possess a modicum of perspective. Serious risks are actually taken…seriously. Further, key people understand the time-sensitive nature of many problems. They understand that, as my friend Bob Charette has told me, risk is always a function of information, time, and money.
Simon Says
Of course, no organization has unlimited information, time, and money. Trade-offs need to be made. Fortunately, “acceptable risk organizations” understand this and are likely to make the right calls. Things won’t always go perfectly, but these realists create contingency plans in the event that things go awry.
Feedback
I have a few questions for you.
- What’s your organization’s risk tolerance?
- What causes some organizations to accept so much risk?
- Can people with one risk tolerance be successful at organizations with vastly different risk tolerances?