You Aren’t In a Digital & IT Lake Wobegon

You Aren’t In a Digital & IT Lake Wobegon

Big Miss 2: Failure to Manage Risk

A Tale of Caution for Boards and Senior Executives
or Do the Board & Senior Executives Have the Wisdom To Demand Risk Assessment

Remember how NPR’s Garrison Keillor described living in mythical Lake Wobegon where:

  • All the women are strong
  • All the men are good-looking
  • And all the children are above average

Our Prometheus Endeavor Digital and IT (D&IT) Management Team continually encounters enterprises imagining they are in a D&IT Lake Wobegon where:

  • All Leaders are all above average at Managing D&IT Endeavors
  • All Vendors, Consultants are fully knowledgeable about enterprise context, transparent about concerns, truthful about implementation ease
  • All Stakeholders completely support the Endeavor, know exactly what they want, don’t change requirements
  • All Technologies are robust, stable, mature

In reality, no such place exists. The D&IT Endeavor landscape is littered with countless failures caused by BIG Miss # 2: Failure to Identify, Understand, Mitigate and Manage Risk.

Beginning any D&IT Endeavor with a Robust Risk & Readiness Management Assessment (RR&RA) significantly increases the likelihood of success. It is an inexpensive way to identify and mitigate potential problems. A RR&R Assessment is not designed to derail the effort. Rather the objective is to improve the likelihood of success by forcing the team to create a mitigation approach for each major risk identified during the RR&RA. 

When asked why a D&IT Endeavor was delayed, over budget, failed, or produced no benefit, we found the enterprise had no robust risk management process. Such a process entails an initial risk assessment, mitigation of those risks and adaptation for inevitable changes over time.

After one fiasco, the CEO lamented “I should have seen we were being misled. The consultant presented a ten point “Risk Assessment” designed to minimize their risk, not ours. They actually had the audacity to declare the biggest risk was not to engage them.”

Most organizations attempting significant D&IT efforts view them as Projects. Our last Blog, Big Miss # 1 Digital Endeavors are Not More of the Same Old IT Projects, asserted that such efforts are likely undefined sets of Programs or even very broad, aspirations or Endeavors. However, without a formal, robust, and disciplined Risk and Readiness exercise, the plan becomes a trap and your organization is flying blind in the face of risks.

Want to Test If You Have a Robust Risk & Readiness Assessment (RR&RA) Process?

Any proposed RR&RA frameworks should be examined for both Process and Content.

Use this checklist to score the degree to which your organization deploys a proper Robust Risk Readiness Assessment Exercise for significant D&IT efforts.

  1. Have the RR&RA administered by a neutral, objective, friendly but probing third party?
  2. Have typically around a half dozen engaged provisioners and stakeholders participated in the RR&RA Workshop?
  3. Timebox workshops to ensure all considerations are covered and interest maintained?
  4. Have the RR&RA look for quick, top of mind responses rather than slowing for deep dives?
  5. Document  unanswerable, complex or controversial considerations for analysis and agreement after the workshop?
  6. Pause, ask…. “To what degree were we confident of our responses?” at the end of each section of the R&R Assessment Workshop.
  7. Have the risk considerations been judged individually and weighted for impact, likelihood and/or severity?
  8. Have consensus or range of responses been achieved for each consideration?
  9. Develop mitigation strategies, plans, actions for lowering overall risk and mitigating the highest and most likely severe considerations?
  10. Have periodic reviews of mitigation actions assessing their impact on lessening risk or increases Readiness?
  11. Have periodic or ad hoc, as needed, updates of the RR&RA landscape?

  12. Content: To what degree does or did the RR&RA examine a thorough set of at least a hundred broad potential risk considerations drawn from actual failed or problematic efforts such as:

    1. Fully understanding the Context of the Enterprise and Endeavor?
    2. Fully defining all aspects of the overall Endeavor?
    3. Identifying the needed skills, resources and how they will be engaged?
    4. Identifying Management, Governance, inspection plans, structures, practices, disciplines, organization?
    5. Identifying  Stakeholders’ role, involvement, and nuances?
    6. Analyzing financial foundations, funding, cash flow, ROI, expectations? Is there a plan to achieve the benefits?
    7. Identifying  how  the effort will be “Chunked” into phases, pilots and projects as the enterprise develops the experiential learning required?

    8. Your score as to how well you did a proper RR&R Assessment won’t predict exact success. But our experience looking at the degree to which an RR&R Assessment foretells likely success:

      Fascinating reasons often given why enterprises didn’t do a robust RR&R Assessment include:

      • Our people are so busy they didn’t have the time for this foolishness
      • We have the best people who certainly know the risks and what to do
      • We had to start quickly and are now busy fighting fires
      • We aren’t capable of answering those questions, but are fully behind this effort
      • Our vendor says they have this effort under control
      • We can’t get the right people in one room or virtually and they’d never agree on the considerations

      Most RR&R Assessment Workshops take LESS THAN A Day!!! There is no excuse for not doing them. Boards of Directors and/or senior management must demand this essential practice. And the analysis must be kept current else evolving exposures will be missed and resources poorly allocated.

      You Mean We Need To Do This Again?

      Healthy, wise enterprises refresh the RR&R Assessment with a Mitigation Update every three to six to nine months throughout  the Endeavor based on situation. RR&RA structured reviews of less than a day’s effort are often more powerful than just reviewing milestones and progress.

      What’s the Positive Message?

      Increasingly, we encounter sponsoring executives who warn us to “not be so negative. We’re an optimistic enterprise looking to the bright side.” When undertaking large, complex D&IT Endeavors “the bright side” includes preparing for and thwarting dangers.. Anticipating what can go wrong and having a ready approach is a management imperative and is creating success.  You will be happier knowing you have caught the problems in advance and taken steps to prevent or mitigate their impacts than being caught on the blind side.

      It is up to the Boards of Directors and senior leadership to recognize their D&IT Effort is not being done in Lake Wobegon. You must demand a formal, structured, robust RR&R Assessment and Mitigation or else you will have another Big Miss. Big Misses typically lead to Big Messes.


      [i]  “Manage Risk” sounds deceptively simple.  It is NOT! In this article Manage Risk means a formal process that defines, captures, identifies, understands, mitigates, and resolves root causes of any risks of success for your Digital and IT Endeavor.

      Author

      1 Comment

      1. Gonzalo G Verdugo

        Practical, well-written and concise enough. Congratulations!
        Gonzalo

      Leave a Reply

      Your email address will not be published. Required fields are marked *