When people plan to sock away money for education or retirement, financial advisers typically recommend developing a balanced portfolio of investments. It would be a mistake to have too many low-risk investments, because the portfolio would just trudge along with marginal growth and not meet its potential. Punters are also warned not to make too many high-risk investments so that they can be reasonably assured of moderate growth with lower-risk funds if their higher-risk investments end up tanking.
IT management experts offer similar advice for striking a balance with IT project investments. Yet few IT and corporate executives make a conscious effort to ensure that their organizations have an adequate balance of low-, medium- and high-risk IT projects in the pipeline at any given time.
"I think companies do a good job on an individual project level of evaluating execution risk. But I don't think they do a good job of evaluating project portfolio risk," says San Retna, A former chief portfolio officer.
Lack of experience
Part of the problem is that most IT and business staffs are inexperienced at reviewing risk, says Jack Duggal, a principal at Projectize Group, a project management consulting firm. Duggal points to an insurance client he helped a few years ago with a risk assessment on a troubled CRM implementation. "The irony is that an insurance company's job is to manage risk but their IT organization couldn't even spell risk," he says. So Duggal and other consultants from his company trained members of the IT organization to identify and analyze risk on both qualitative and quantitative levels.
Despite recent advances in IT governance at some companies, Retna says there's still a lot of confusion about whether project risk management should fall upon individual project managers, on a project management office (PMO) or some other independent entity.
A big problem for many executives is that they frequently confuse risk management with problem management, says Keith Walter, vice president and general manager of global program management at Keane, a business and IT services company. They don't understand the difference between identifying and mitigating risks in a project and resolving problems that pop up during a project, he says.
Despite the hype about the benefits of using IT portfolio management to evaluate and rank projects, few Fortune 1000 companies actually do this, Walter says. And for the handful that do it's typically a one-time project-prioritization exercise. "I don't know if anybody comes into this and says, 'Let's organize IT-business projects by low, medium and high risk'," says Dan Demeter, CIO at Korn/Ferry International, an executive placement company.
One at a time
Like most companies, Korn/Ferry assesses risk on a case-by-case basis as part of project planning.
The company has an IT steering committee for each of its three major business units, plus a corporate IT steering committee. These committees work together to define project requirements, assess risks and approve projects for funding. The groups don't rely as much on formal IT portfolio management techniques as they do on discussing a project's merit "to ensure that everybody has some input," Demeter says.
Barry Cohen, vice president of applications management at Wells Real Estate Funds, says his company's IT department has "a pretty primitive process" for looking at IT project risk. Cohen says risk is discussed as part of each project and is factored into the timeline and cost estimates. "Our ability to handle risk allows us to work on one or two high-risk projects at a time," he says.
Wells' IT department takes a more ad hoc approach to balancing risk in the company's IT project portfolio, Cohen says. But that doesn't mean it's disregarded. His group is typically working on two high-risk projects and five to 10 medium-risk projects at any given time, plus 100 low-risk projects during the course of the year. High-risk projects include those where failure could adversely affect business processes, end users, or the company's affiliates or investors, says Tammy White, director of IT governance.
Although Korn/Ferry and Wells seem satisfied with these less-formal approaches, Bob Charette, director of enterprise risk management services at Cutter Consortium, says companies that do an exceptional job of managing project risks are often also adept at using portfolio management techniques.