In my interviews for last week’s piece on the new ISO 31000 risk-management standard, risk expert Brian Barnier pointed out that one of the standard’s salient features is its concept of risk. ISO 31000 defines risk as the “effect of uncertainty on objectives,” acknowledging both the positive opportunities and negative consequences associated with risk.
I asked Brian if he could expound on this idea. I reached him at his home in Connecticut where a morning snowstorm was proving more ferocious than forecast. Schools that had opened were sending out word they were closing early. There were the sudden, predictable runs on milk and staples at local convenience stores. A good scenario, in other words, for our discussion.
One way to think about risk, Barnier said, is as variance from what is expected. Having too much milk is bad for a convenience store; too little milk is also bad, especially on a snowy day. Dealing successfully with risk depends on how prepared you are for the change.
“That word is very important in risk discussions,” Barnier said. “Some people think of preparedness as locking everything down. If you are coming out of the SOX [Sarbanes-Oxley] environment, you want to lock everything down, so your numbers are correct.” A big pharma company will want to lock everything down so it’s not slapped with a major recall of, say, its most popular painkiller.
“But for everybody else, risk is a lot more about being prepared for that snowy day — having the right tires on your car, driving defensively, having an emergency kit if your car goes off the road,” Barnier said. The convenience store with plenty of milk on hand is able to make hay on a snowy day.
Companies must be agile to take advantage of risk. Management guru Tom Peters, Barnier pointed out, was talking about opportunity risk 20 years ago in “Thriving on Chaos.”
For IT departments, being prepared for risk opportunities calls for risk management at three levels, Barnier said:
- The investment portfolio: Are you investing in capabilities that will help you cope better with business change, whether that’s an acquisition or a move into a new geography?
- The program and project-management layer: In addition to controlling budgets and meeting deadlines, are you prepared to take advantage of an upside opportunity — a pricing change or being able to step in when a competitor falters?
- Operations and service delivery: How can you more efficiently take advantage of opportunities that come your way?
How does your IT organization prepare for risk? Does preparing for the upside factor into your risk management? Or is it all about the lockdown?