Risk management is a lot like gambling. It essentially comes down to knowing when to hold 'em and when to fold 'em.
Business seems to instinctively "get" this; IT not so much. That's what Michael Harris, owner and president of David Consulting Group and one of three authors of "The Business Value of IT: Managing Risks, Optimizing Performance and Measuring Results," told me when I interviewed him earlier this year. (Read an excerpt of "The Business Value of IT" in IT Business Edge's Knowledge Network.) As Harris described it:
Management comes into the engineering office and says, "I need X by Y date." And the first reaction is, "We can't possibly do that." It's like when you take your car into the garage. You get the same kind of a reaction. Yet at the same time, software is always 90 percent complete. I think at the core of it, IT hasn't been trained to do risk management. To some extent, the risks with software development in particular but with IT in general are extremely complex.
IT and business must come to terms on what constitutes an acceptable risk, Harris added:
You can pay $15 million to totally secure a piece of hardware from potential security threats, or you can accept the fact that some (threats) are so unlikely we don't need to worry about them. I think the key thing is to have a risk management strategy in IT, not necessarily a complex one, and to have it informed by techniques like risk mitigation, probability against impact, those sorts of things.
Most important, risk management needs to become a standard part of IT governance, with IT and the business discussing it on a regular basis, not just when the business pushes it, Harris advised.
I looked up Harris' remarks after reading a blog post titled "The Betting CIO" by Linda Cureton, CIO of NASA/Goddard Space Flight Center. Like Harris, Cureton contends risk taking is a key part of IT leadership. Her key takeaways:
And my personal favorite: Learn from babies, who mostly strike the right risk-taking balance. As Cureton notes, they observe an object, put it in their mouths and taste it, then finally try to see what they can do with it. She advises CIOs to use a similar approach:
The Betting CIO should be observant, try some things and set up safe sandboxes; but should not be reckless, scared or paralyzed.