Though
we've been trying to perfect it for hundreds of years, it appears
that the 1983 Tom Cruise film hit the nail on the head: Business is
risky. And with the increasing dependency of businesses on
technology to maintain and advance their organizations, the risks -
and the stakes - are greater than ever.
This raises the question: How should organizations manage their
risks?
Many Steps
According to analysts, effective risk management is a multistep
process.
"Having a really thorough understanding of what you have is the
most important step [in good risk management]," says Dennis Gaughan,
an analyst at AMR Research Inc. in Boston. "In a lot of cases, the
exposures that come up and bite you are because of things you
weren't aware of. So really just understanding what all the
different pieces are and how they all fit together is an important
component of mitigating risk."
For instance, a company plans to build a data center, but there's
a 90% chance that the project won't be completed on time.
The company then needs to look at the various costs associated
with mitigating that risk. It may choose to spend more money to pay
contractors who can get the job done faster. Or, if the risk of
completing the project late is deemed too great, the company may
decide to push back the deadline. That decision would force the
business to estimate potential lost revenue or productivity losses,
as well as calculate the costs associated with extending the
deadline for the project.
George Vrabel, senior vice president and senior director of
technology audits at Charlotte, N.C.-based Bank of America Corp.,
agrees that self-awareness is key. "You have to recognize what the
business is trying to do," he says. "I need to be able to look at
that broad picture. I like to think I need to look at the trees and
the forest at the same time."
But being self-aware is only the first step in effective risk
management for companies. Another crucial component is planning for
possible failures. It may sound simple, but analysts say that in the
course of operating and maintaining a business, it's an often
overlooked task.
"What a lot of people don't do is really plan for the inevitable
failure and really take steps in understanding what it's going to
take to recover from failure," says Gaughan.
Minimizing Downtime
From an information technology perspective, he says, risk
management includes minimizing an organization's exposure to
downtime or loss of service from its IT systems or processes.
From a business process standpoint, risk management is more about
managing a "portfolio of systems and projects" in order to maximize
financial returns on those investments and minimize the potential
for conflicts and delays, Gaughan says.
Once a business has recognized what its potential risks are, it's
equally important to evaluate how costly those risks can be - and,
therefore, how much time and money should be invested in mitigating
those risks. That process - known as business impact analysis - is
another crucial component of effective risk management for
companies.
"A business impact analysis really helps define what a company's
losses would be," says Chuck Wachter, manager of disaster recovery
at Carlson Cos., a Minneapolis-based company focused on travel,
hospitality and marketing. "If you were to have a power outage, even
as short as 15 minutes, what are your financial impacts, what are
your nonfinancial impacts, how are your customers affected, how is
your industry image affected?"
Cost Considerations
Once companies have determined what their risks are and what
their losses might be, they must then decide whether or not to
address each risk. To do so, companies consider the size of the risk
and its consequences to the organization.
"You might choose to accept greater risk of failure because
there's greater reward," says Frank Prince, an analyst at Forrester
Research Inc. in Cambridge, Mass.
For example, a mail-order gift business evaluates the risks of
launching a Web site in time for the holidays. Though there are many
risks involved with the project - including the possibility that the
Web site might not generate adequate sales volume and may result in
a loss on the project investment - the potential rewards of
operating an online business during the busy holiday shopping season
might be great enough for the company to decide to go forward.
If, on the other hand, a particular risk is relatively unlikely
but the potential cost to the company is great, then the
organization might choose to address the issue in advance. For
example, an Arizona-based IT service provider is unlikely to suffer
power outages due to hurricanes or earthquakes. But since the
company's financial losses or liability resulting from a power
outage could be significant, it might decide to install a backup
power system to protect itself.
In the end, many analysts and specialists agree that failing to
address risk management is perhaps the greatest risk of all for a
company.
"What you wind up doing is fighting a lot of fires," says Leonore
Abordo, a product process manager at Redmond, Wash.-based AT&T
Wireless Group. "With businesses, time is always of the essence, and
it is not uncommon, in my observation, to see the time consciousness
shortchange a lot of the planning.
"[People say,] 'Oh, we'll just figure it out as we go. We'll
cross that bridge when we come to it' - not recognizing that there
are multiple bridges, and some of them are already falling down,"
Abordo says.
Wieder is a freelance writer in Boston. Contact her at twieder@bigfoot.com.