Strategy Execution for Risk Management

Các kết quả của quản lý rủi ro không đủ khoảng gam từ thiệt hại tài chính cho một mất mát của khách hàngthiện chí tốt có thể đe doạ khả năng tồn tại lâu dài và sự sống còn của công ty. Ngày nay, với ngày càngmôi trường pháp lý không hề khoan nhượng
Nội dung trích xuất từ tài liệu:
Strategy Execution for Risk Management Baselinemag - IT Management – Strategy ExecutionStrategy Execution for Risk ManagementBy Faisal HoqueRisk management and IT continuity are complex and critical disciplines.No investments can be effective in the long term without consideration of risk. The consequences of notdoing adequate business continuity planning can be potentially disastrous.The outcomes of inadequate risk management span the gamut from financial losses to a loss of customergoodwill that may well threaten the long-term viability and survival of a firm. Today, with an increasinglyunforgiving regulatory environment and legislation such as Sarbanes-Oxley that requires businesstechnology systems to function without error, executives need to be concerned about risk managementmore than ever before.Business risks can be both internal to the firm, such as rolling out an inadequately tested system, as well asenvironmental, in the form of an unanticipated natural disaster. This two-sided model creates a challengefor business and technology executives. The former type of risk is somewhat more recurring, predictableand perhaps controllable, and, therefore, the business case for investment in risk management is ofteneasier to justify. Meanwhile, the latter type of risk is unanticipated and episodic, and the typical firmquestions the outlay of resources to protect against such rare occurrences.At its essence, risk management involves three steps:(1) Identifying the nature of risks inherent in the situation(2) Assessing the likelihood of the risks manifesting themselves(3) Taking preventive and corrective action to reduce the firm’s level of exposure to the risk.The past three decades of business computing have contributed much to our understanding of risk in thetechnology context. Unfortunately, a dominant focus in this prior work has been narrow – on controllingand managing projects, rather than on the broader risks that executives face in firms where technology isdeeply and fundamentally embedded within the business. Indeed, the turn of the century has heraldedsignificant changes in the business technology milieu that have created a compelling need to expand thefocus of risk management from the micro project view to a broader enterprise perspective.These changes include an increasing emphasis on:(1) “Buying” and customizing packaged solutions rather than building systems in-house, i.e., onsolutions integration rather than software development(2) Partnering with a wide array of providers to acquire needed technical competencies and skills,including taking advantage of off-shore resources(3) Using business technology for systems that span organizational boundaries and help link customers,through electronic commerce and CRM systems, suppliers, through fully integrated electronic supplychains, and other business partners together(4) Deploying business technology as the platform upon which the entire business is run.The Faces of RiskIn this environment where business technology is pervasive, what is the nature of risk? Risks areclassified into three broad categories: systems, sourcing and strategy, based on where they originate. Somerisks are predominantly intra-enterprise in nature, such as systems and strategy, while others, notablysourcing, reflect the challenges that arise in inter-organizational settings. Note that although thesecategories are somewhat overlapping and not mutually exclusive, they nonetheless provide a conceptuallysimple framework that can be populated through conversations and interactions among executives fromboth technology and business.Effectively managing project risk requires that a structured process and organizational responsibilities beimplemented at both the project and program levels. A formal risk management plan should be developedto clarify risk management roles and responsibilities; risk management processes, procedures, standards,training and tools; the method and frequency of risk progress reporting; and what should be monitored todetermine if risks are occurring. A project should attempt to manage only the risks it can handle. Otherrisks should be elevated to the program level. Determination of whether to elevate should be made basedon examination of whether the mitigation action steps are within the control of the project team.Managing risk at a program level involves a review of project risks and program risks by an EnterpriseProgram Management Office (EPMO). The EPMO should analyze project risk across the entire programto see if the same risk occurs in different projects and requires concerted action. 1 Baselinemag - IT Management – Strategy ExecutionThe EPMO should document the inventory of risks, their assessment and mitigation plans in a database. Ifafter analyzing program risk the overall program risk level is deemed to be higher than originallydocumented in the cost/benefit plan (i.e., the business case), then the business case should be updated--reflecting the adjustment in the range of costs and/or benefits or a lower confidence measure. It isimportant that the EPMO collaborate with an Enterprise Risk Management (ERM) Group to ensure thatthe business impacts of project-related risks are well understood, and that a periodic evaluation can bemade concerning the impact of other enterprise risks on the project.Risks in ContextIn an Interview with the BTM Institute, Toby Redshaw, the CIO of insurance giant, Aviva Group, explainedthat he reduces risk by seeing to it that activity at the project level is guided by the strategic needs of theenterprise:“Before we go to the next program or the next phase, we take a very seri ...