Risk Management - It's role in strategic planning

Table of contents

Management Summary

List of abbreviations

Table of figures

1 The concept of risk management
1.1 Steps of application
1.2 Its role in strategic planning

2 Practical Situation
2.1 Phase 1 ± Risk Identification
2.2 Phase 2 - Risk Quantification
2.3 Phase 3 ± Risk Management/Government
2.4 Conclusion

List of literature

3 Addendum

Management Summary

In organizations are plenty of IS/IT investments to choose from. All of these opportunities compete for the limited resources of the organization. The process of risk management which can be divided into the four phases of Identification, Quantification, Management/Government and Containment helps to analyze possible risks. This is necessary because every forth IS/IT projects fails¹, because of non identified risks. The aim of Risk Management is to increase the probability of success of IS/IT investments², so that the investments drive to the desired outcome and benefits for the organization. In the following the four steps of risk management will be illustrated with an example of a logistic company which has to decide on two investments. Additionally the role of risk management in strategic planning will be examined.

List of abbreviations

illustration not visible in this excerpt

Table of figures

Figure 1 - Investments comparison

Figure 2 - Risk Identification of investments

Figure 3 ± Kind of change

Figure 4 - State of readiness

Figure 5 - Likely reaction

Figure 6 - Contextual change

Figure 7 - Quantification of example

1 The concept of risk management

When it comes to the decision of investing in new developments or significant enhancements in exist- ing IT/IS (Information Technology/ Information System) systems, the expected benefits of the invest- ments have to be established, the costs of the systems have to be justified, the involvement of technol- ogy and business changes and the priorities to individual developments across the portfolio have to be allocated.³ Apart from that one of the main issues of the investment decision in IT/IS systems, is the assessment of the risk. Risk, which is in the failure oriented definition the negative deviation from ex- pectancy⁴, has to be assessed in order to revise the viability of the investment to deliver all of the bene- fits which were expected⁵. The reasons for failure of an investment in IT/IS systems can be divided into five domains. Beside the technical, data and user failure there are organizational failures⁶ and fail- ure in the business environment which this paper focuses on⁷, because they are the factors with the highest risk⁸. Organizational failures occur if ISs satisfy the functional needs but do not satisfy the organizational or business needs⁹. For example, a storage-IS, which contains the amounts of goods in a storage, fails to meet the needs of accounting because it does not contain monetary values for the goods. Failures in the business environment result if systems do not assists internal and external busi- ness requirements. This lack of support could be ascribed to changing business practices or changes in the business strategy which cause a gap between target state and actual state of the IS/IT portfolio.¹⁰

These two facts comprise the most potential risk in IS/IT projects. But in most of the projects organizational failures and failures in the business environment are not considered as risky. This is due to the disability to address and identify risks in these categories which could threaten the achievement of the desired outcome. Especially in strategic investments of IS/IT the consequences of failure are significant and the assessment of risks is becoming more difficult.¹¹

1.1 Steps of application

The process of risk management, which is defined as the systematical handling of risk¹², can be di- vided into four phases: Identification, Quantification, Management/Government and Containment¹³.

During the phase of Risk Identification the risks are defined and categorized¹⁴. IS/IT investments have to be reviewed if they satisfy the organizational functions and are appropriate to the business environment and strategy of the organization. This step is the basis of the following steps and has a high importance. The risk quantification conduces to assess the extent of risk. This step can be executed with the help of a checklist which divides the investment into the four parts of

a. Which changes are involved?¹⁵
b. Is the organization ready for the change?¹⁶
c. How will the organization react for the change?¹⁷
d. How dynamic is the context of the change?¹⁸

Constitutive on the risk quantification, decisions have to be made how to deal with risk. Liermann mentions four possibilities, avoiding, decreasing, transferring and taking risk by oneself, to deal with risk.¹⁹ Avoiding risk denotes that the decision maker abdicates the IS/IT investment. This could be reasonable if the investment in an IS/IT project is rated with a high risk and the damage caused by a fail is huge. The second choice is to reduce risk with retaliatory action. This could be for example war- ranties, contracts or insurances for investments in IS/IT. Beyond that it is possible to transfer risk by outsourcing IS/IT systems to an external provider which is responsible for it. At least organizations can take the risk by themselves, if the costs for the other arrangements are too high, if arrangements do not exists or if the risk is acceptable.

The decision which of the arrangements to choose, depends upon the result of the quantification process. If 50% of the category factors are 4 or 5 or the average for any category is 4 or 5 the risk should not be taken by oneself²⁰. The decision maker should then pick one of the first three arrangements or he should change the development approach in order to reduce the risk.

Unlike the preceding phases before the risk containment is an ex-post analysis to evaluate the deci- sions and assumption in the former phases²¹. It has to be evaluated if all of the risks have been assessed correctly, if the chosen arrangements have been appropriate and if the investments have been success- ful. Beyond that stakeholders and the management have to be informed about the success of the in- vestment²².

1.2 Its role in strategic planning

As a part of the "mananaging investment systems and Technology process",the aim of risk management is to increase the probability of success of IS/IT investments.²³ Organizations dispose over a portfolio of different IS/IT investments which are considered as new and useful developments. Before money is invested into these opportunities the expected benefits of the investments have to be established, the costs have to be justified, the technology and business changes involved have to be defined and at last the risk of the investment has to be assessed.²⁴ The last step is necessary to identify the threats and implication which threaten the achievement of the desired benefits of the investment. This enables to initiate appropriate arrangements to reduce the risk to successfully implement the new IS/IT project into the application portfolio.

For most of the IS/IT investments exists opportunity costs. This implies that the money used for an investment could have been used for another and that different investments compete for funds and oth- er resources like time and labour.²⁵ Additionally the fact that every forth IS/IT project fails²⁶, increases the demand for an effective risk management to evaluate the critical risks ex-ante and to invest the resources of an organization in those projects which are most promising to deliver the desired outcome and whose risks are manageable. Considering this, risk management can be seen as a process which helps decision makers to pick those investments which will be successful and deliver the desired out- come.

2 Practical Situation

In this chapter a practical situation will be described in which risk management is useful: The CIO (chief information officer) of a half-inferior logistic organization has to decide which of the following two investments he wants to choose. Inside, the organization possesses the needed capabilities and experience to execute the projects. But the willingness of the stakeholders is lower for investment 1 then for investment 2, because the actual solution is still appropriate to fulfill the internal needs. At first the costs, benefits, business and technological changes have to be identified. After this step the risks can be identified, quantified and managed/governed (see chapter 1.2). The Risk Containment is excluded.

illustration not visible in this excerpt

Figure 1 - Investments comparison

2.1 Phase 1 ± Risk Identification

illustration not visible in this excerpt

Figure 2 - Risk Identification of investments

[...]

¹ C.f.: [Pütt2009].

² C.f.: [WaPe2002] p.462.

³ c.f.: [WaPe2002] p.420.

⁴ C.f.: [ScLi2002] p.183.

⁵ C.f.: [WaPe2002] p.455.

⁶ C.f.: [LyHi1987].

⁷ C.f.: [WaPe2002] p.455.

⁸ C.f.: [EwPr1994].

⁹ C.f.: [WaPe2002] p.456.

¹⁰ C.f.: [WaPe2002] p.456.

¹¹ C.f.: [WaPe2002] p.456f.

¹² C.f.: [AhMa2008] p.11.

¹³ C.f.: [Höls2002] p.13; [Schi2001] p.13; [Fais2009] p.4.

¹⁴ C.f.: [FaPW2007] p.514.

¹⁵ C.f.: Figure 3 in abbendum.

¹⁶ C.f.: Figure 4 in abbendum.

¹⁷ C.f.: Figure 5 in abbendum.

¹⁸ C.f.: Figure 6 in abbendum.

¹⁹ C.f.: [Lier2009].

²⁰ C.f.: [WaPe2002] p.461.

²¹ C.f.: [Höls2002] p.16.

²² C.f.: [ScLi2002] p.192.

²³ C.f.: [WaPe2002] p.462.

²⁴ C.f.: [WaPe2002] p.420.

²⁵ C.f.: [WaPe2002] p.462.

²⁶ C.f.: [Pütt2009].