
In December 2013, Avon announced it was halting a multiyear project to revamp their order management system and provide access to the salesforce on iPads through a set of new apps. After the new system was rolled out in Canada, reps there found the technology so difficult to use that many of them voted with their feet. For Avon, the choice came down to either doing business without a salesforce or cutting their losses and getting rid of the new solution. Not surprisingly, Avon stopped further rollout and wrote down over $100 million.

How does one manage to overlook the user in such an expensive undertaking? Judging from how often this happens, it must be easy. When projects span years, technology changes so much that people lose sight of what the ultimate deliverable will look like when it finally gets put in the hands of the end user.

Part of the problem is that users are more demanding these days. Most use a smartphone or tablet every day for personal entertainment, and for social media. As a result, professionals have gone way beyond just expecting a decent interface to IT systems. Nowadays they want to be seduced.

Unfortunately, failure to delight end users, or to even gain user acceptance, is just one of dozens of risks CIOs need to identify, assess, and manage if they want to protect their companies from disaster. What's more, the list of risks continues to grow as the industry undergoes multiple shifts in form factor, and as the trend towards consumerisation continues to rattle IT departments around the world.

IT risks in 2014

It's worthwhile to sit down and identify the risks your organisation might be facing in the next year or two. Here is my short list of major risks I think CIOs are likely to confront in 2014 and 2015. Some are old and some are new, but all of them could spell trouble to those who fail to understand risk management:

  • Hidden costs. As IT directors roll out the latest and greatest technology in hopes of leaping out ahead of the competition, they are likely to run into a number of hidden costs. The first few versions of products in any new category of technology tend to be buggy, which makes estimating total cost of ownership (TCO) much more difficult.
  • Schedule overruns. All major projects - even those that don't involve new technology - are fraught with traps that could cause schedule overruns. IT directors need to apply standard rules of project management to minimise the chances of runaway delays.
  • Disinterested users. As Avon learned the hard way, users have become more demanding. When they go into work they expect user interfaces to mimic what they get as consumers. Try getting the average user to use an old 3270 (green screen) interface and you'll see what I mean.
  • Departure of your best people. Staff members want to stay up on the latest technology as much as possible. Aside from pure interest in learning, engineers like to stay up on things, because it increases their marketability. With all the new technologies coming out in 2014 the problem will be exacerbated.
  • Bankrupt vendors. Neither Apple nor Samsung is likely to go belly up in the next few years. However, many IT solutions depend on more than just the big-name vendors. Usually some of the key components are provided by small, relatively new companies, who may not be on solid financial ground. Those components could prove to be the Achilles' heel of your favourite new workforce productivity solution.
  • Faster competitors. These days many companies depend on technology for competitive advantage. If you let your competitors get ahead of you on IT, your company may lose market share.
  • Compromised security. Coca-Cola is just the latest of many organisations making headlines because company notebooks got lost or stolen with unprotected sensitive data on the devices for anybody to take. Financial services firms have run into the same problem, but the cost was even higher, since the data included financial information on clients.
  • Misalignment with business partners. Business leaders often don't know what's possible. Some see the fanciest new toys at a conference, or used by employees of another organisation, and then come in to ask IT directors why those toys aren't used in their company. On the flip side, sometimes IT directors have trouble getting business leaders interested in new gadgets that might improve their bottom line.
  • Non-compliance with regulation. Companies working in financial services have had to comply with Sarbanes-Oxley for some time now, but more recently data privacy legislation has made the CIO's job more difficult. Now companies have to make sure data is stored in the right country - a task that is not always easy when data is on the cloud. You have to specifically state in contracts with cloud providers that data is to be kept in certain geographical locations.

Fundamentals of enterprise risk management

IT directors who want to avoid problems like the ones recently experienced by Avon or Coca-Cola may want to bone up on risk management. Traditional approaches to risk management call for four major activities:

Risk identification. One way of spotting risks is to consider the categories of risks (for example, project management risks, technology risks, or weather-related risks). For each category think of all the things that might go wrong. Project management risks would include cost overruns, schedule overruns, and misunderstood requirements.

Risk assessment. For each risk you identify, think of the probability that the event will occur and the cost if it does occur. One way of doing this is to rank the probabilities on an ascending scale of 1 through 5. You can do the same with cost. Multiplying your ranking of probability by your ranking of expected cost is a simple way of spotting the risks you need to deal with first.

Risk response. Given a ranking of the risks taken from your assessment, you can now come up with a response. You might choose to ignore the lowest priority risks. You could decide to raise the highest priority risks to the CEO. You might find ways of spotting the occurrence of some of the feared events early. In some cases, you can head off the problem before it rears its ugly head. In other cases, the best solution is to plan to minimise the damage should the problem materialise.

Risk monitoring. You should look for ways of spotting feared events as early as possible. You should also revisit your list of risks, the assessment, and the response. One of the most common mistakes in risk management (or in project management) is to not hold regularly-scheduled reviews to make changes as appropriate.

As they work through these four activities, the proactive CIO is careful to do two other things: communicate with key stakeholders and build a culture of risk management.

It's not easy to communicate risk to the highest echelons of the organisation. As research firm Gartner points out, "IT executives can easily confuse and dismay the board of directors with IT risk information that's not relevant to their board's interests. Keeping it simple by focusing on outcomes makes it easier for everyone to see what matters most and why."

Beyond just performing steps to manage current risks, the most effective leaders work to push the message across the organisation that risk management is important. They make it part of their organisation's culture. Develop a vocabulary for talking about risk. Keep a list of risk categories to be considered during risk identification. Make sure all projects include documentation on risk assessment.

To communicate risk across the organisation, and to instill a culture of risk management, Steve Chambers, CIO of Visa Europe, has a few words of wisdom. The first thing Chambers says is: "Make sure all impacts are expressed in business terms."

Then to raise awareness of risk management, Chambers advises, "Always ensure that there is a risk register that anybody can access. Make sure all risk entries are owned by their originator, so you can go back and ask them what they meant. The people who are actually carrying out the risk impact should have rights to post updates so a risk can be accepted or raised as requiring mitigation."

The CIO of Visa Europe also emphasises the importance of accountability and enablement. "Make someone responsible for risk and make that person senior enough that they can't be ignored," he says. "They should have at least a dotted or matrix line to the CIO."
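The four activities above and the register practices Chambers describes (a register anybody can read, an owner per entry, updates from the people doing the work, entries accepted or raised for mitigation) are easy to put into a concrete form. The following is an added example, not code from the article or from Visa Europe: a minimal risk register that scores each entry as probability times impact on the 1-to-5 scales described earlier, maps the score to the responses the article lists, and flags entries nobody has touched recently. The thresholds, status names and the sample risks are assumptions chosen for illustration.

```python
# Added example (not code from the article or from Visa Europe): a small
# risk register following the identify / assess / respond / monitor
# activities. Thresholds, status names and sample entries are assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed response thresholds on the probability x impact score (1..25).
ESCALATE_AT = 16  # raise to the CEO
MITIGATE_AT = 6   # plan a mitigation; anything lower is accepted for now

STATUSES = ("open", "accepted", "mitigating", "escalated")


@dataclass
class Risk:
    title: str
    category: str        # the category used during identification
    owner: str           # the originator: the person to ask what was meant
    probability: int     # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    status: str = "open"
    updates: List[Tuple[date, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """The article's simple ranking: probability rank times cost rank."""
        return self.probability * self.impact


def suggested_response(risk: Risk) -> str:
    """Map the score onto the responses the article lists."""
    if risk.score >= ESCALATE_AT:
        return "escalate"
    if risk.score >= MITIGATE_AT:
        return "mitigate"
    return "accept"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so the costliest events surface."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def record_update(risk: Risk, who: str, note: str,
                  new_status: Optional[str] = None,
                  when: Optional[date] = None) -> None:
    """Anyone doing the work can post an update and, optionally, move the status."""
    if new_status is not None and new_status not in STATUSES:
        raise ValueError(f"unknown status {new_status!r}")
    risk.updates.append((when or date.today(), who, note))
    if new_status is not None:
        risk.status = new_status


def overdue_for_review(register: List[Risk], today: date,
                       max_age_days: int = 30) -> List[Risk]:
    """Monitoring: entries never updated, or not updated within max_age_days."""
    stale = []
    for risk in register:
        last = max((u[0] for u in risk.updates), default=None)
        if last is None or (today - last).days > max_age_days:
            stale.append(risk)
    return stale


def sample_register() -> List[Risk]:
    """Constructed entries mirroring the risk categories the article lists."""
    return [
        Risk("Field reps reject the new sales app", "user acceptance", "pm", 3, 5),
        Risk("Laptop with unencrypted client data lost", "security", "ciso", 4, 5),
        Risk("Key engineer leaves for a newer stack", "staffing", "eng-lead", 3, 3),
        Risk("Component vendor becomes insolvent", "vendor", "procurement", 2, 4),
        Risk("Conference demo hardware fails", "operations", "events", 2, 2),
    ]


if __name__ == "__main__":
    register = sample_register()
    record_update(register[1], "ciso", "full-disk encryption rollout started", "mitigating")
    for r in prioritise(register):
        print(f"{r.score:>2}  {suggested_response(r):<9} {r.status:<11} {r.owner:<12} {r.title}")
```

The `overdue_for_review` check is the monitoring step in miniature: an entry that has had no update for longer than the review interval is exactly the kind of item a regularly scheduled review should pick up, and because every entry carries its originator, the reviewer knows whom to ask.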

Key measures all IT departments should take

Setting aside some of the fancier risk management techniques, IT directors can do a number of things right now to head off some of the biggest problems. These are the fundamentals of the game. If you want to be a player, you have to at least do these things. (Strangely enough, most mid-sized companies haven't yet taken all of these basic steps.)

The first thing to do is make sure you have policy statements clearly written out and signed by the appropriate users. Security policies, device usage policies, and network usage policies are three of the documents just about any organisation needs. Those businesses or governmental entities that store customer or constituent information should also have a record retention policy that includes storage of unstructured data, such as videos or pictures.

Every organisation should put in place procedures for regular backup. In any case where the information is of reasonable value, backed up data should be stored in more than one location.

Finally, review the service level agreements in your contracts with service providers. Consider the case of Ochsner (pronounced awsh-ner) Health Systems, one of Louisiana's largest health care providers. During Hurricane Katrina - and when the flooding began just after the hurricane - the computers survived with no problem. However, what Ochsner hadn't adequately considered was the communication lines.

Chris Belmont, who was brought in as CIO just after Katrina, says AT&T had run cables underground - in New Orleans of all places. When the flooding began, circuits went dead. The computers were fine, but nobody could connect.

Ochsner assumed AT&T would have managed the risk by building redundant paths. They found out the hard way that good risk management means challenging your assumptions about your service providers.

This brings us to one final point about risk management. According to Chambers: "The underlying challenge is that you always know less than you don't know. One way of minimising this effect is to take empirical data from your organisation and start modeling the deviation between estimated and actual at various key stages of a programme."
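Chambers' closing suggestion, taking empirical data from past programmes and modelling the gap between estimated and actual at key stages, can be carried out with very little machinery. The following is an added example, not code from the article or from Visa Europe: it derives a per-stage overrun ratio from a few past programmes, lists the stages whose history says to watch, and applies the ratios to a new plan. The stage names, the figures in the history, the plan and the tolerance are all constructed for illustration.

```python
# Added example (not code from the article or from Visa Europe): modelling
# the deviation between estimated and actual durations at key stages of
# past programmes and applying it to a new plan. All figures are constructed.
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: programme -> stage -> (estimated_days, actual_days).
HISTORY: Dict[str, Dict[str, Tuple[int, int]]] = {
    "programme-A": {"design": (20, 24), "build": (60, 81), "test": (30, 45), "rollout": (10, 12)},
    "programme-B": {"design": (15, 15), "build": (40, 52), "test": (20, 34), "rollout": (8, 12)},
    "programme-C": {"design": (25, 30), "build": (70, 98), "test": (25, 40), "rollout": (12, 18)},
}


def deviation_by_stage(history: Dict[str, Dict[str, Tuple[int, int]]]
                       ) -> Dict[str, Tuple[float, float]]:
    """Per stage: (mean, population stdev) of actual/estimated across programmes."""
    ratios: Dict[str, List[float]] = {}
    for stages in history.values():
        for stage, (estimated, actual) in stages.items():
            if estimated <= 0:
                raise ValueError(f"estimate for {stage} must be positive")
            ratios.setdefault(stage, []).append(actual / estimated)
    return {stage: (mean(v), pstdev(v)) for stage, v in ratios.items()}


def calibrated_plan(plan: Dict[str, int], model: Dict[str, Tuple[float, float]],
                    pessimism: float = 0.0) -> Dict[str, float]:
    """Scale each stage's estimate by its historical mean overrun, plus
    `pessimism` standard deviations for a cautious figure. Stages with no
    history are left as estimated, since there is no data to correct them."""
    out: Dict[str, float] = {}
    for stage, days in plan.items():
        if stage in model:
            m, s = model[stage]
            out[stage] = days * (m + pessimism * s)
        else:
            out[stage] = float(days)
    return out


def stages_to_watch(model: Dict[str, Tuple[float, float]],
                    tolerance: float = 1.25) -> List[str]:
    """Stages whose mean overrun exceeds the tolerance, worst first."""
    return sorted((s for s, (m, _) in model.items() if m > tolerance),
                  key=lambda s: model[s][0], reverse=True)


if __name__ == "__main__":
    model = deviation_by_stage(HISTORY)
    for stage, (m, s) in model.items():
        print(f"{stage:<8} actual/estimate mean {m:.2f}  stdev {s:.2f}")
    print("watch:", stages_to_watch(model))
    new_plan = {"design": 10, "build": 50, "test": 20, "rollout": 5, "training": 3}
    calibrated = calibrated_plan(new_plan, model)
    print("calibrated total days:", round(sum(calibrated.values()), 1))
```

The point of keeping the standard deviation alongside the mean is that a stage with a consistent 35% overrun and a stage that swings between zero and 70% call for different responses: the first can simply be re-estimated, the second needs the early-warning checkpoints the monitoring step is about.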