By Tad Leahy
Every day, IT departments at Fortune 1000 companies can find themselves overwhelmed by new initiatives requested by business units in their organizations. Without a formal discipline for evaluating IT projects, CIOs may see their departmental resources stretched to the breaking point. Understanding the level of risk attached to each project will give CIOs a way of prioritizing the ever-growing list of new initiatives.
To begin, CIOs should develop a checklist designed to rate a new project's degree of risk within key areas, recommends Bill Rosser, vice president and Gartner Fellow at Gartner Inc. Items on the list may include:
- Clarity of functional requirements
- Availability of IT staff
- Level of adherence to enterprise standards
- Level of adherence to business processes
- Degree of change in procedural requirements
- Size of user population
- Required maintenance procedures
- Number and type of departments involved in providing resources
- Number of tasks outside IT's control
- Duration of project
With this list in place, the next step is to set benchmark levels for low, average, and high risk. For example, if the CIO determines it has taken an average of six months to complete all previous projects, and the new project will take at least one year, then the new project would receive a higher than average risk rating within the "duration of project" category.
Naturally, some risks impact the business more seriously than others. Rosser believes CIOs should identify which of a new project's risks are the most potentially harmful, as well as the likelihood of different risks occurring.
"If the probability of a risk actually happening is only about 5%, but its impact would have dire consequences if it did occur, the CIO needs to decide if that's a risk worth taking," says Rosser. Other risks may have little adverse impact, but may be much more likely to occur. "Manage those risks by taking steps to reduce or eliminate them," says Rosser.
Sometimes a project must be completed despite its risk level. Mark Lutchen, senior partner in the IT Effectiveness Group at PricewaterhouseCoopers, suggests creating a risk mitigation framework to manage this situation. The framework would address quality, speed, and change management requirements in an organization. This framework allows CIOs to take a more nuanced approach to meeting goals by understanding the degree of importance for each category. For instance, in a new health care system where lives are at stake, quality is important. However, notes Lutchen, if a new project is a faster, more streamlined marketing data system, perhaps costs could be reduced because it does not impact patients' lives. In this case, the CIO could look for areas to slightly lower quality if it also lowers costs.
In another case, a risk may lie in meeting completion deadlines. The CIO might campaign to allow for more time, suggests Lutchen. Or, if the new project has high risk associated with end users' acceptance, the CIO might focus on change management initiatives to help those end users understand how they'll benefit from the new project.
A new project's overall risk can also be weighed against its anticipated value within the organization. The following questions may help determine the value versus the risk:
- Will the new project lead to greater market share?
- Faster speed to market?
- Improved business performance?
- Fewer product returns?
- Lower inventory?
- Improved infrastructure?
- Better decision-making?
- Faster, more reliable information?
- How well will the new project support strategies?
Rating the new project against past projects enables the CIO to envision the new project's relative potential value to the business.
Of course, CIOs will also have to maintain constant vigilance on the project's impact on enterprise-wide availability and security of information. But with a clear strategy for evaluating risks, CIOs can better manage the never-ending list of new projects and keep the IT team ready and responsive to all requests.
Tad Leahy is a freelance business writer based in Tampa, Fla.