Is it Worth the Risk?

15 Jun Is it Worth the Risk?

In my last blog with Stephen Gold, EVP of Business and Technology Operations and CIO of CVS Health, we discussed Gold’s approach to continuity of value, a process that Gold uses to make sure he and his business partners make the right IT investments.

No doubt, you have a process that you use to tie investments to value. Once you’ve spent all of that time making sure you are investing wisely, wouldn’t it be great if your projects were successful? That’s where “risk management” comes in.

Problem Seeking, Not Problem Solving

“CIOs and IT leaders often don’t pay as much attention to risk as they should because it goes against human nature,” says Gold. “By nature, people are optimistic; we tend to assume the positive, even when we develop software. We test to make sure our functional designs work. But are we planning, building, and testing for the ‘negative’ use cases? Generally not as often, and it’s not because we are technically deficient. It’s because that kind of thinking puts us out of our comfort zone. Most people think about problem solving; ‘risk management’ is about problem seeking – anticipating problems and searching for them proactively – it’s a different mindset.”

According to Gold, most project management literature addresses several critical aspects of managing a project: charters, project membership, status reports, cadence and metrics. “These topics are all important and necessary, but they are not sufficient,” says Gold. “I have noticed throughout my career that the skills and tools we are missing the most are those which deal with managing risk.”

If risk management is not already a part of your organization, then CIOs would be wise to adopt a formal risk management program to embed a more complete perspective into the IT team’s every day thought.

Risk Management: a Five Step Process

At CVS Health, risk management is a five-step process that includes planning, identification, quantification, response, monitoring and control.

“Our formal risk management practice starts in the earliest stages of portfolio planning and continues through to project execution and post-project review,” says Gold.

“If you look at a work breakdown structure, there is a whole laundry list of risks that should be a part of every project,” says Gold. That laundry list might include:

• Availability of resources
• Newness of technology
• Lack of familiarity with technology or processes
• Lack of training
• Critical path tasks
• Tasks with several predecessors
• Optimistically-estimated tasks
• Tasks reliant on external resources
• Tasks in parallel
• Tasks with many people assigned
• Qualifications and skills
• Holidays, vacations, illness and turnover

Key to risk management is the formula that states “risk equals the function of probability x impact”. “If a risk has a low probability and low impact, you might be able to accept the risk,” says Gold. “But if a risk has a high probability and a high impact, you have to pay attention.” Depending on the probability/impact equation, you can accept, avoid, transfer, share, reduce or ignore the risk.

Post Go-Live Review

To Gold, one of the most critical components in a risk management process is immediately following the launch of a project. “We look back at what went well and what didn’t go well,” says Gold. “Where did we miss the risk?” It’s the continuous improvement aspect of the program.

Throughout the year, Gold and his team turn a lessons learned inventory from project post mortems into a checklist for every single project. “If issues show up often enough, they should become part of our risk management process,” he says.

One lesson learned that Gold and his team rely on is looking at the percentage of time that someone is assigned to a project along with what else they are working on. “If I am assigned to four projects with 25 percent of my time allotted to each, the probability that I can do all of those on time, on budget, and high quality is very low,” says Gold. “What are the odds that every project will demand my time without a collision? It’s zero.”

This means that whenever people are assigned to projects less than full time, Gold and his team include a proactive conflict analysis to understand what else that person is working on and the probability that there will be a collision.

To Gold, “The key point is that risk management is less about process and communication, and more about the depth and rigor of risk identification and remediation strategy at the outset of a project. Some people will just check the risk management box and then wonder what went wrong. After projects fail, you will then get a thesis on what went wrong, but that’s after the event. How do we anticipate and plan for this before we start?”

It is more fun to go full-steam ahead with a project than stop to think about potential pitfalls, but when your business is more dependent than ever on good technology, a culture of risk management is your next horizon.