framework for managing it risk


  • Headquarters Forrester Research, Inc., 400 Technology Square, Cambridge, MA 02139 USA

    www.forrester.com

    For CIOs

    EXECUTIVE SUMMARY

    There is no shortage of articles, reports, and blogs on the topic of IT risk; however, they almost always focus on security-related risks, including computer viruses and worms, denial of service attacks, and theft of data, or infrastructure-related risks, including network or server outages. Little attention has been paid to IT investment risk, yet given the importance that IT plays today and is expected to play in the future, it is arguably at least as important. IT investment risk managed correctly is an enabler facilitating the use of technology to help the business exploit new opportunities to create value for the enterprise. Managed incorrectly, it's an inhibitor leading to value destruction. Organizations must incorporate IT investment risk within their overall business risk framework.

    IT INVESTMENT RISK IS UNDERESTIMATED OR IGNORED BY MANY

    Ask someone about IT risk and more often than not you will hear something related to computer security like viruses or theft of customer data. Rarely will you hear anyone talk about risk as it relates to IT investments. This is evident in current definitions of IT risk by the ISO and NIST respectively:

    IT risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence.1

    IT-related risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to: unauthorized (malicious or accidental) disclosure, modification, or destruction of information; unintentional errors and omissions; IT disruptions due to natural or man-made disasters; failure to exercise due care and diligence in the implementation and operation of the IT system.2

    With the average IT organization spending 30% of its total budget on new initiatives and many of these focusing on new, strategically aligned projects, the impact of ignoring or inadequately accounting for IT investment risk can have as much or more of a negative impact on the organization. Therefore, a workable definition of IT risk requires a broader focus that includes not only security-related risks but IT investment risks as well. The IT Governance Institute is currently developing an overall IT risk framework to complement its existing COBIT and Val IT frameworks. It has proposed the following definition of IT risk:

    A Framework For Managing IT Investment Risk, by Craig Symons with Sharyn Leaver and Tim DeGennaro

  • 2009, Forrester Research, Inc. Reproduction Prohibited

    A Framework For Managing IT Investment Risk For CIOs

    IT risk: the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. It includes both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives as well as uncertainty in the pursuit of opportunities. IT risk can be categorized in different ways including: IT service delivery risk; IT solution delivery/benefits realization risk; and IT benefits realization risk.3

    It is important to note that IT risk is defined within the context of business risk and that it includes not only risks to existing IT assets and services but also the risk of IT not being able to satisfy the business needs in the future: the realm of IT investment risk. Incorporating IT investment risk into an IT risk framework and a broader IT governance framework is essential to adequately protect the business from adverse outcomes now and in the future.

    MANAGING IT INVESTMENT RISK REQUIRES A FRAMEWORK

    While most of the current efforts aimed at IT risk are focused on threats or other adverse events related to existing services and infrastructure, IT investment risk focuses on the future and includes both failures of omission (recognizing and exploiting opportunities) and failures of commission (execution). Managing IT investment risk requires a framework that identifies and catalogs risks, assesses their impact and likelihood of occurring, and prescribes a response when an IT risk event occurs (see Figure 1).

    Figure 1 An IT Investment Risk Framework

    Source: Forrester Research, Inc. 48041

    [Figure 1 shows the framework as three steps. Step 1, Identify and catalog risk: delivery risk; benefits realization risk. Step 2, Assess risk: risk impact; risk probabilities. Step 3, Respond to risk: avoid; mitigate; share/transfer; accept.]


    Step 1: Identify And Catalog Delivery And Benefits Realization Risks

    Investments are made in IT-enabled business-change programs to benefit the business by positively influencing business outcomes like revenue growth, cost structures, asset efficiency, and customer relationships. IT investment risk can be characterized by two types: delivery risk and benefits realization risk. Delivery risk is primarily concerned with IT's ability to execute projects and deliver the information technology component required by the business, including any necessary infrastructure as well as applications software. Delivery risk has multiple dimensions, which include:

    Delivered functionality will be less than required. The business (or other IT customer) requires a certain set of capabilities in order to use the new system to positively influence business outcomes. A risk exists that IT will not be able to deliver the full scope of functionality required due to any number of reasons. If IT fails to deliver all of the required functionality, the end users may not be able to attain the expected or required benefits.

    The project or program will be late. IT may not be able to deliver the new capability in the time frame agreed to. Often, there is a direct correlation between time-to-market and the size of the benefit. By delivering late, the overall expected benefits may be diminished, or in the worst case, the window of opportunity may close, forfeiting any potential benefits and rendering the investment worthless.

    The project or program will cost more than expected. IT organizations incur costs in providing new capabilities to its customers. These costs include infrastructure costs, software procurement costs, labor costs, etc., and are reflected in a project budget. A risk exists that the actual costs may exceed the budgeted costs due to a variety of reasons. In the worst case, the costs will exceed the expected benefit leaving the organization with a negative ROI. In any case, exceeding the budget will reduce the overall expected benefit by at least a like amount.

    The project or program will have flaws. Implementing IT products or services requires some degree of human involvement to provision infrastructure, write programs, configure software, and so on. At any point in time, this human intervention can introduce errors that manifest themselves in defects. A risk exists that these defects will remain undetected until they surface at a later time, at which point they may create disruptions or downstream errors that could have far-ranging consequences, from mere inconvenience to financial impact and even damage to an organization's reputation or brand.

    Benefits risk is the other side of IT investment risk. Even if IT executes flawlessly and delivers on time and on budget a new capability with full functionality and zero defects, it doesn't guarantee that the organization will realize any benefit from the investment. Benefits don't just happen; they must be proactively managed. Risks to realizing benefits can come as a result of internal or external events. Benefits realization risk can be characterized as follows:


    Internal risks. IT investments can fail to realize their benefits as a result of the organization not taking the necessary steps to leverage the investment. These steps include making required changes to business processes to adapt to the new capability, training users how to effectively use the new capability, or making organizational changes to accommodate the new capability or incent people to use it. All of these steps have an impact on the rate of adoption, which directly affects the benefits stream.4

    An additional source of benefits realization risk is an overoptimistic forecast of expected benefits. Oftentimes, in order to get an investment approved, business cases are tweaked either by lowering the estimated costs or by increasing the expected benefit in order to exceed the hurdle rate.

    External risks. Even when everything goes right internally, benefits may not be realized due to external events beyond the control of the organization. These events can include changes in the economic environment (e.g., recession), actions by competitors that reduce or eliminate the opportunity (e.g., new product launch or price reductions), or some other event (e.g., acquisition, supplier failure, labor strike, etc.).

    Fully understanding all of the risks that IT investments are susceptible to is the first step in managing these risks.

    Step 2: Assess Risk Impact And Probability

    Once potential risks have been identified and catalogued, the next step is to assess them. IT investment risk is neither inherently bad nor good. Risk is merely uncertainty about an event that could have an adverse impact on an expected outcome. Risk assessment is done in two dimensions: the probability that the risk event will occur, and the impact that the risk event will have on the expected outcome.

    Assess risk probabilities. Since risk is essentially uncertainty about an event that could have an adverse impact, we don't know if it will occur or not. Some risk events may be more likely to occur than others. To manage risk, it is important to try to understand the probability that a risk event may occur. There are a number of qualitative and quantitative methods, including real options theory and Monte Carlo simulation, to assess risk.5

    For example, if an IT organization has a history of delivering 30% of its projects late, then it should assume that for a new IT investment program that there is a 30% probability that it will be delivered late. This assessment could be further developed to provide probabilities around the degree of lateness (e.g., 20% probability of being one month late, 50% probability of being three months late, etc.).


    Assess risk impact. The other dimension of risk assessment concerns the potential impact to the organization if the risk event occurs. For each potential risk, the impact needs to be quantified to provide perspective on the level of risk.

    For example, if the project is delivered late, the benefits stream will be pushed out by the length of the delay; depending on the type of project and the benefit expected, this may have a minor impact or it could have a major impact. In some cases, the window of opportunity may close, leaving the investment worthless.

    The combination of risk probabilities and risk impact enables the organization to classify the risk level. Since risk has a tightly coupled relationship with return (the higher the risk, the higher the return), some level of risk is tolerable or even desired. The benefit of portfolio management is that it enables an organization to take on a range of IT investments with differing risk/return relationships as long as the overall portfolio risk is within the firm's threshold of acceptable risk (see Figure 2).

    Figure 2 IT Portfolio Risk Profile

    Source: Forrester Research, Inc. 48041

    [Figure 2 plots the investments in a portfolio by net present value (vertical axis, from - through 0 to +) against risk exposure (horizontal axis, risk ratings 1 to 4). Each investment is labelled with a percentage (2%, 10%, 3%, 15%, 30%, 26%, 2%, 12%) and a bond-style rating. Rating legend: AAA Prime, best quality; BBB Higher risk, good quality; CCC Speculative; DDD High risk, poor quality. Risk rating: 1 Low risk; 2 Fair risk; 3 Material risk; 4 High risk. Ratings based on bond market classifications. Source: Forrester Research, SeaQuation, and IT Governance Institute.]


    Step 3: Respond To Risk Events

    A risk management approach requires a plan to respond to any risks that may arise during the life cycle of the investment program. Responding to risk must be influenced by the importance of the risk (impact) and the cost of the response. For example, it doesn't make a lot of sense to spend $1,000 responding to a specific risk that only has an impact of hundreds of dollars or only has a 1% chance of actually occurring. In the event that an identified risk does occur, it triggers a response based on the risk management plan that is in operation. Responding to risk can take one of four approaches:

    Risk avoidance. When a risk assessment discovers that the probability of the risk occurring is high, organizations can avoid the risk by simply not making the investment. This is why it is important to factor risk into a business case to produce a risk-adjusted rate of return. When risk is taken into consideration and its impact quantified, it will lower the expected return. At some level the return does not meet the hurdle rate and the investment would not be made.

    Risk mitigation/reduction. Another approach is to take steps to reduce the probability of an adverse event occurring or reduce its impact or both. This can be accomplished by establishing proactive measures for early detection. For example, increasing the frequency of project reviews or stage gates would provide for earlier detection of problems enabling corrective action to be taken.

    Risk sharing/transfer. Another method for reducing or eliminating risk altogether is to share the risk with another party or transfer the risk completely. The most popular method for transferring risk is through insurance. For example, an IT organization could purchase insurance in the event it fails to deliver a project. Outsourcing is another way to transfer risk.

    Risk sharing can be accomplished through contractual arrangements with contractors and vendors. For example, a fixed-price contract puts some of the risk on the vendor by making them responsible for project budget overruns. Another approach would incorporate penalty payments for late delivery.

    Risk acceptance. Some risk events lead organizations to accept the risk impact. This is still a response in that a conscious decision was made to accept risk impact rather than an act of ignoring it. This happens frequently with respect to IT projects that are behind schedule or over budget. Organizations decide to keep the project going in anticipation that the benefits will still be realized.

    Another example of risk acceptance occurs when a project that requires a specific skill or resource is started even though that resource or skill isn't available, anticipating that by the time it is actually needed, it will be available.
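    As an added illustration of Step 2 and Step 3 (this is example code, not part of the Forrester report), the following Python turns the report's lateness example into a risk-adjusted expected benefit, confirms the figure by Monte Carlo simulation, classifies the exposure on the report's 1-to-4 scale, and then applies the Step 3 cost-versus-impact test to choose between avoiding, mitigating and accepting the risk. The 30% late-delivery rate and the 20% one-month / 50% three-month conditional probabilities come from the report; the six-month scenario, the benefit amounts, the discount rate, the rating cut-offs, the zero hurdle and the response costs are constructed assumptions.

```python
import random

MONTHLY_RATE = 0.10 / 12  # assumed 10% annual discount rate (constructed)

# Delay scenarios for Step 2.  P(late) = 0.30 and the conditional 20% one-month
# and 50% three-month figures follow the report's example; the remaining 30%
# of late cases is assumed here to be a six-month slip.
DELAY_DISTRIBUTION = {0: 0.70, 1: 0.30 * 0.20, 3: 0.30 * 0.50, 6: 0.30 * 0.30}


def npv_of_benefits(monthly_benefit, months, start_month, rate=MONTHLY_RATE):
    """Present value of a level monthly benefit stream beginning at
    start_month (0 = planned go-live) and running for `months` months."""
    return sum(monthly_benefit / (1.0 + rate) ** (start_month + m)
               for m in range(months))


def scenario_npv(monthly_benefit, months, delay, window_months=None,
                 rate=MONTHLY_RATE):
    """NPV under one delay scenario.  A slip past the opportunity window
    forfeits the whole benefit, the report's worst case."""
    if window_months is not None and delay > window_months:
        return 0.0
    return npv_of_benefits(monthly_benefit, months, delay, rate)


def expected_npv(monthly_benefit, months, delay_dist, window_months=None,
                 rate=MONTHLY_RATE):
    """Step 2 analytically: probability-weighted NPV over the scenarios."""
    return sum(p * scenario_npv(monthly_benefit, months, d, window_months, rate)
               for d, p in delay_dist.items())


def monte_carlo_npv(monthly_benefit, months, delay_dist, window_months=None,
                    rate=MONTHLY_RATE, trials=20000, seed=1):
    """Step 2 by simulation: sample a delay per trial and average the NPVs."""
    rng = random.Random(seed)
    delays, weights = list(delay_dist), list(delay_dist.values())
    total = 0.0
    for _ in range(trials):
        d = rng.choices(delays, weights=weights, k=1)[0]
        total += scenario_npv(monthly_benefit, months, d, window_months, rate)
    return total / trials


def risk_exposure(monthly_benefit, months, delay_dist, window_months=None,
                  rate=MONTHLY_RATE):
    """Expected benefit lost to the delay risk (on-time NPV minus expected
    NPV): probability times impact, summed over the scenarios."""
    on_time = scenario_npv(monthly_benefit, months, 0, window_months, rate)
    return on_time - expected_npv(monthly_benefit, months, delay_dist,
                                  window_months, rate)


def risk_rating(exposure, on_time_npv):
    """Exposure as a share of the on-time benefit mapped onto the report's
    1 (low) to 4 (high) scale; the cut-offs are assumptions."""
    share = exposure / on_time_npv if on_time_npv > 0 else 1.0
    for rating, limit in ((1, 0.05), (2, 0.15), (3, 0.30)):
        if share < limit:
            return rating
    return 4


def choose_response(investment_cost, expected_benefit_npv, exposure,
                    response_cost, exposure_after_response):
    """Step 3 on economic grounds: avoid when the risk-adjusted NPV misses the
    hurdle (assumed to be zero); otherwise pay for mitigation, sharing or
    transfer only if it removes more exposure than it costs; else accept."""
    if expected_benefit_npv - investment_cost < 0:
        return "avoid"
    if exposure - exposure_after_response > response_cost:
        return "mitigate"
    return "accept"


if __name__ == "__main__":
    benefit, months, window = 100.0, 12, 3          # constructed inputs
    on_time = scenario_npv(benefit, months, 0, window)
    expected = expected_npv(benefit, months, DELAY_DISTRIBUTION, window)
    exposure = on_time - expected
    print(f"on-time {on_time:.1f}  expected {expected:.1f}  exposure "
          f"{exposure:.1f}  rating {risk_rating(exposure, on_time)}")
    print(f"Monte Carlo {monte_carlo_npv(benefit, months, DELAY_DISTRIBUTION, window):.1f}")
    halved = {0: 0.85, 1: 0.03, 3: 0.075, 6: 0.045}  # stage gates halve P(late)
    after = on_time - expected_npv(benefit, months, halved, window)
    print(choose_response(500.0, expected, exposure, 10.0, after))
```

    The analytic and simulated figures agree for a discrete delay distribution; the simulation earns its keep once delay, benefit size and discount rate are themselves uncertain and would have to be drawn jointly. Sharing and transfer (a fixed-price contract or insurance) are scored with the same test as mitigation: the premium is worth paying only when it removes more expected loss than it costs, which is exactly the report's objection to spending $1,000 on a risk worth hundreds.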


    Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 20 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 26 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com. 2009, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com. 48041

    RECOMMENDATIONS

    IT INVESTMENT RISK MUST BE MANAGED

    IT investments remain one of the riskiest investments that organizations can make. While they may have medium to high returns, they are high-risk, have no liquidity, no residual value, and can result in writing off the entire investment. By using an IT investment risk management framework organizations can improve their odds by eliminating the riskiest of projects while reducing or mitigating other risks. For best results, the three-step approach outlined above should be couched in broader risk management efforts:

    Determine the organization's risk tolerance. Any approach to managing risk starts with an understanding of how much risk the organization is willing to endure. This is a business

    Incorporate IT investment risk with enterprise risk. Don't ignore or underestimate the

    joint process for identifying, assessing, and responding to risk.

    Integrate IT investment risk management with business case development. Most organizations are using some form of business case as part of their investment proposal

    business case, and the financial analysis should include a risk-adjusted rate of return.

    ENDNOTES

    1 Source: International Standards Organization, ISO/IEC 13335-1, 2004.

    2 Source: Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for Information Technology Systems, NIST, July 2002.

    3 Source: From the exposure draft of Enterprise Risk: Identify, Govern and Manage IT Risk, IT Governance Institute.

    4 The first step in improving IT business value is to stop thinking in terms of IT projects and begin thinking in broader terms about IT-enabled business change programs. See the April 30, 2009, "Programs, Not Projects, Deliver Business Value" report.

    5 For additional information on quantitative methods for assessing risk, see Douglas W. Hubbard, How to Measure Anything, John Wiley & Sons, 2007, specifically chapter 6, "Measuring Risk: Introduction to the Monte Carlo Simulation." See also Michel Benaroch, "Managing Information Technology Investment Risk: A Real Options Perspective," Journal of Management Information Systems, Volume 19, Issue 2, May 28, 2002.