Saturday, March 16, 2013

Managing the Cost of IT Risk in the Enterprise

Spending for IT inevitably includes the cost of risk. A common problem for enterprise IT management is how to estimate and budget for the cost of risk, how to avoid or mitigate these costs when possible, and how to provide guidance to the people who plan, budget, and manage IT investments.

Financial horror stories are widely publicized, particularly in the public sector where IT budgets and spending are more accessible to the media. Most of us have read about major systems that overrun estimates by millions of dollars, fail to meet business requirements, or become very expensive to operate and maintain.

However, estimates are just that, and actual costs, schedules, and outcomes may vary. The cost of risk may encompass cost overruns, the financial impact of schedule delays, diminished performance of the delivered system, unexpected training or support costs, or failure to achieve financial benefits—to name a few.

The Problem

The cost of risk is poorly understood at the enterprise level in many organizations, and underlying reasons for this vulnerability often encompass the following:

  1. Cost estimates and risk assessments are often performed on a piecemeal basis at the individual project level, rather than the overall investment level
  2. Most major IT investments actually involve multiple projects throughout the system lifecycle, and inadequate attention is given to a holistic review of costs and risks at the planning, development, deployment, and maintenance steps
  3. The corporate Knowledge Base is fragmented, meaning that investment managers may not have access to past experience with the cost of risk within the enterprise
  4. Inadequate attention to establishing, validating, and managing the Performance Measurement Baseline at the beginning of projects greatly increases the risk of unexpected costs
  5. The enterprise has insufficient standards, guidance, and governance for estimating, tracking, and controlling the cost of risk.

Another problem is that the cost of risk is an unpopular item in budget reviews. If an investment estimates an overall cost of risk of 14 percent, for example, there could be push back from budget reviewers. “Can’t you manage better so there is less risk to the budget?” they may say. In such an environment, investment planners will be tempted to cover up the cost of risk by using various fudge factors and reducing the publicized risk to more palatable levels.

However, the problem with covering up some of the risks is that the enterprise never really knows the true cost of risk. Failure to identify and acknowledge risks is actually an unacceptably expensive game:

  • If you don’t identify and acknowledge all risk costs, you can’t develop enterprise policies and processes that might avoid or mitigate them
  • Understated risk costs are misleading for planning and budgeting future investments—so that the enterprise remains locked into a continuing cycle of unexpected overruns.

Published Earned Value Management (EVM) data, such as the data appearing in the OMB IT Dashboard, are reported at a high level. While these data provide useful overall performance indicators, they seldom pinpoint the detailed risk issues. If the EVM data are truly maintained according to the 32 criteria of the 748-B standard, a much better understanding can be obtained by drilling down into the details, reviewing the Corrective Action Plans, and analyzing the changes to the Performance Measurement Baseline (and/or re-baseline requests).

There may also be situations where reliable corporate experience isn’t available to a new investment (such as a huge system or new areas of cloud or mobile computing). In these cases, it may be necessary to have a policy of developing external case studies to document the experience of outside organizations that have implemented investments of similar scope and functionality. As we have stated in our newsletter articles, it is best to get the data from a host organization rather than a vendor. Even highly-respected vendors are trying to make a sale, offer optimistic estimates, minimize risk, and may not be aware of all costs or risks which are experienced by a host organization.

In addition to specific investment risks, the enterprise should also consider the impact of risks on the organization as a whole, its mission, and its strategic plan. Failure to support the core mission or accomplish strategic objectives can be a disaster.

The Solution

The Quick Task solution seeks to achieve the following:

  • Increase consistency in estimating, budgeting, and reporting the cost of risk throughout the enterprise
  • Strengthen the focus on risk assessment and management at the IT investment level (program or multi-project system level) in addition to project-level risk
  • Improve the corporate Knowledge Base about the cost of risk
  • Identify risk patterns in the enterprise that may be avoided or mitigated—to reduce the cost of risk
  • Strengthen enterprise-wide policies and processes for estimating, reporting, and overseeing IT investment risks.

The task will require involvement of IT leadership, key personnel responsible for risk and performance metrics, and representatives of program and project management. Information will be needed about policies, practices, performance data, and supporting documents. The task will include detailed analysis and discussions. The output will be a Plan of Action for Enterprise-Wide IT Investment Risk Management.

What’s New

For Federal agencies, there is sharply increased scrutiny of IT budgets. Strengthened enterprise-wide oversight of investment risks is essential for maintaining credibility with OMB, GAO, and Congress.

QT Plan

This task will require 3 – 4 months, depending on the availability of information and the schedule of the Leadership Team. Milestones are as follows:

  1. Entry meeting to discuss task and scope, and to collect background documents
  2. Draft the Quick Task management plan
  3. Form the Leadership Team for the task and review the draft Quick Task plan
  4. Finalize the Quick Task plan
  5. Review the current enterprise-level policies, processes, and knowledge bases for overseeing and documenting the cost of risk
  6. Identify a representative cross-section of major investments to review in detail, and:
     6.1. Review current risk assessment and cost estimating practices at the project and investment levels
     6.2. Drill down into risks encountered by representative investments
     6.3. Conduct group interviews with selected investment managers and PMs
  7. Analyze and categorize investment risks, seeking opportunities to avoid or mitigate risks
  8. Present findings to the task Leadership Team
  9. Conduct additional fact-finding
  10. Develop a draft Plan of Action for Enterprise-Wide IT Investment Risk Management, covering:
     10.1. Enterprise policies, processes, and governance
     10.2. Guidance for documenting and reporting cost estimates, cost of risk, Performance Measurement Baseline, Earned Value Management, risk management, and re-baselining
     10.3. Enterprise Knowledge Base for project, program, and investment risks and cost of risks
     10.4. Opportunities for cost cutting through avoidance or mitigation of investment risks
     10.5. Other actions
  11. Conduct a workshop for the task Leadership Team to refine the Plan of Action
  12. Finalize the Plan of Action for Enterprise-Wide IT Investment Risk Management
  13. Conduct a Closeout Briefing for all participants and outline follow-up steps (including assignment of roles and responsibilities).

Reference

GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs. See especially Chapter 13, Sensitivity Analysis, and Chapter 14, Risk Cost and Uncertainty. Government Accountability Office, GAO-09-3SP, March 2009.

2008 NASA Cost Estimating Handbook; see especially Volume 2 Cost Risk.

See PMBOK Guide (© 2013 Project Management Institute), Fifth Edition: 11. Project Risk Management.

See The Standard for Program Management (© 2013 Project Management Institute), Third Edition: 8.7 Program Risk Management.

See The Standard for Portfolio Management (© 2013 Project Management Institute), Third Edition: 8. Portfolio Management.

Using Risk-Adjusted Costs for Projects, P2C2 Group, Inc.

Smarter Enterprise Management with Earned Value Management, P2C2 Group, Inc.

Managing the Project Risks of Federal Initiatives, P2C2 Group, Inc.

Financial Models for IT Investments, White Paper, P2C2 Group, Inc.

Make Better Decisions Using Case Studies, P2C2 Group, Inc.

Seven Steps to Smarter CPIC, P2C2 Group, Inc.

Enterprise-Wide Corporate Knowledge Base for IT, QT Blog, Jim Kendrick.

More Help

Jim Kendrick and the P2C2 Group, Inc. provide management consulting and Subject Matter Expert services in this Quick Task area: kendrick@p2c2group.com.

Last Word

The objective of portfolio risk management is to accept the right amount of risk commensurate with the anticipated reward to deliver the optimum outcomes for the organization in the short, medium, and longer term.
–PMI, The Standard for Portfolio Management.