Weighting the Risks

Smart companies ensure that they have balanced portfolios of low-, medium- and high-risk projects.

When people plan to sock away money for college or retirement, financial advisers typically recommend developing a balanced portfolio of investments. It would be a mistake to have too many low-risk investments, because the portfolio would just trudge along with marginal growth and not meet its investment potential. Investors are also warned not to make too many high-risk investments so that they can be reasonably assured of moderate growth with lower-risk funds in case their higher-risk investments end up tanking.

IT management experts offer similar advice for striking a balance with IT project investments. Yet few IT and corporate executives make a conscious effort to ensure that their organizations have an adequate balance of low-, medium- and high-risk IT projects in the pipeline at any given time.

"I think companies do a good job on an individual project level of evaluating execution risk. But I don't think they do a good job of evaluating project portfolio risk," says San Retna, former chief portfolio officer at San Francisco-based AAA of Northern California, Nevada and Utah.

Lack of Experience

Part of the problem is that most IT and business staffs are inexperienced at reviewing risk, says Jack Duggal, a principal at Projectize Group, an Avon, Conn.-based project management consulting firm. Duggal points to an insurance client he helped a few years ago with a risk assessment on a troubled CRM implementation. "The irony is that an insurance company's job is to manage risk but their IT organization couldn't even spell risk," he says. So Duggal and other consultants from his company trained members of the IT organization to identify and analyze risk on both qualitative and quantitative levels.

Despite recent advances in IT governance at some companies, Retna says there's still a lot of confusion about whether project risk management should fall upon individual project managers or on a project management office (PMO) or some other independent entity.

A big problem for many executives is that they frequently confuse risk management with problem management, says Keith Walters, vice president and general manager of global program management at Keane Inc., a Boston-based business and IT services company. They don't understand the difference between identifying and mitigating risks in a project and resolving problems that pop up during a project, he says.

And despite the hype about the benefits of using IT portfolio management to evaluate and rank projects, few Fortune 1,000 companies actually do this, Walters says. And for the handful that do, it's typically a one-time project-prioritization exercise. "I don't know if anybody comes into this and says, 'Let's organize IT-business projects by low, medium and high risk,' " says Dan Demeter, CIO at Korn/Ferry International, a Los Angeles-based executive placement company.

One at a Time

Like most companies, Korn/Ferry assesses risk on a project-by-project basis as part of project planning.

The company has an IT steering committee for each of its three major business units, plus a corporate IT steering committee. These committees work together to define project requirements, assess risks and approve projects for funding. The groups don't rely so much on formal IT portfolio management techniques as they do on discussing a project's merit "to ensure that everybody has some input," says Demeter.

Barry Cohen, vice president of applications management at Wells Real Estate Funds Inc. in Norcross, Ga., says his company's IT department has "a pretty primitive process" of looking at IT project risk. Cohen says risk is discussed as part of each project and is factored into the timeline and cost estimates. "Our ability to handle risk allows us to work on one or two high-risk projects at a time," he says.

Wells' IT department takes a more ad hoc approach to balancing risk in the company's IT project portfolio, says Cohen. But that doesn't mean it's disregarded. His group is typically working on two high-risk projects and five to 10 medium-risk projects at any given time, plus 100 low-risk projects during the course of the year. High-risk projects include those where failure could adversely affect business processes, end users, or the company's affiliates or investors, says Tammy White, director of IT governance.

Although Korn/Ferry and Wells seem satisfied with these less-formal approaches, Bob Charette, director of enterprise risk management services at Cutter Consortium in Arlington, Mass., says that companies that do an exceptional job of managing project risks are often also adept at using portfolio management techniques.

The Portfolio View

Portfolio risk management is a high priority at Aflac Inc. Gerald Shields, senior vice president and CIO, works with members of the company's U.S. steering committee to ensure that the company has adequately balanced risk throughout its project portfolio. "I try to get the steering committee to approach it the way that you'd manage a financial portfolio. You don't want all of your investments in low-risk, low- return financial investments or in high-risk, high- return" vehicles," Shields says.

At any time, Columbus, Ga.-based Aflac tends to have a higher percentage of high-risk projects than lower-risk projects in the works. That's because IT is trying to meet key business requirements to improve service to policyholders and other customers it supports, says Shields, and Aflac assigns a higher degree of risk to a project when it touches policyholders or other customers.

Traditionally, insurance companies have been risk-averse, and that was also true at Aflac until several years ago, says Shields. That changed as his predecessor, Jim Lester, demonstrated to senior management the kinds of returns that technology projects could deliver. This fostered a "revelation" among senior executives that the only way to support consistent growth was to invest in advanced technologies, Shields says. And those come with inherent risk.

Once the overall risk portfolio has been agreed upon, Aflac has a couple of ways to monitor risk within its IT-business projects. Aflac's PMO assembles monthly reports on each project and assigns red, yellow and green markers to indicate whether a project is on schedule or at risk, says Shields.

The executive steering committee also receives monthly reports from Aflac's software quality assurance group about a project's status "as a sort of independent verification," he adds. So the PMO may report that a project is on schedule, but the software quality assurance group might disagree because of a set of conditions it has uncovered. "Then we sit down and determine the course of action we want to take," says Shields.

Lowe's Cos. is one of a few companies that do an exceptional job of tying strategic planning to balancing risk in project portfolios, according to Walters.

Lowe's enterprise risk management group uses a prioritization matrix for every new project it considers. The group, which comprises the company's top seven executives, examines four components of each project: business returns, strategic alignment, proc-ess impact and risk. Risk is a negative score, so the greater the technological or other risk, the lower the overall score will be, says Steve Stone, CIO at the Mooresville, N.C.-based home-improvement retailer. Therefore, a risky project needs to score high points in the other categories to get a green light.

For Lowe's, the riskiest projects are those whose failure could hurt market share and revenue. The flip side is that if those projects succeed, they will likely have a positive effect on those metrics. Some of the higher-risk projects that Lowe's has worked on over the past few years involved expanding support for products that aren't normally available in its stores. Lowe's has beefed up information about those products on its Web site to make it easier for building contractors to learn more about the costs, features and differences between those products, says Stone.

"From a technology standpoint, we try to focus on a blend [of risk-weighted projects] that focuses on the top line but also provides us balance" between driving revenues higher and lowering expenses, says Stone.

Managing risk effectively requires seasoned IT and business people who know how to balance risk throughout a project portfolio. Says Keane's Walters, "If you try to put risk management practices into place in low-maturity organizations, you're not likely to get much value out of it."

Copyright © 2006 IDG Communications, Inc.

Shop Tech Products at Amazon