Risk: Now You See It, Now You Don't

By Rob Austin

In business, you have to take on risk to obtain reward. Great managers don't flee from risk but seek opportunities to take it on and achieve more than commensurate benefits as a result. When Cisco undertook a big-bang ERP project in the early 1990s and aimed to complete it in nine months, management knew it was taking a big chance -- installing such systems is far from trivial even now. But execs also knew a success would position the company for explosive growth throughout the decade, and that's exactly what happened. Risk begets reward.
 
Or risk knocks a company to its knees or out. FoxMeyer Drug was a $5 billion company before its managers implemented an ERP system. When they switched to the new system, they could process only a small percentage of the firm's vital business transactions. Not enough of them, it seems, to survive. And so FoxMeyer went bankrupt.
 
How do we achieve Cisco-like outcomes and avoid the FoxMeyer one? The conventional answer focuses on one category of project risk: risks you can anticipate. Many risk management "systems" confront managers with lists of questions about factors associated with risk (e.g. "Does the project require technologies your team has never used?"). Such an approach aims to inform managers about the level of risk associated with the project they are about to undertake, and to jog managers' thoughts about specific risks they may have overlooked or underemphasized. If you help managers plan more thoroughly and identify potential risks, they can develop contingency plans. I heartily approve of such efforts.
 
But risks we can anticipate constitute only one category of risk -- the least troubling, in fact. More difficult are risks we have no chance of anticipating. Usually, numerous significant risks lurk within complex IT projects, risks that, no matter how thoroughly we plan, we won't see coming.
 
In some organizations, to suggest that something might happen that you can't anticipate is to risk being accused of incompetence. When companies encounter complications they won't admit were out there...well, that's where disasters come from.
 
Anticipate
So how do you manage what you can't see coming? You build the capability to make midcourse adjustments. Knowing they would not anticipate all problems, Cisco execs staffed their project with the best people from each of their business areas. They relied on "rapid iterative prototyping," to try things, flushing out unforeseen problems as early as possible. They employed rigorous change management to separate out and prioritize the really important unexpected problems from the ones that were not so critical. A lot of management activity focused on the second category of risk. As a result, although there were many serious problems, they were ready for the unanticipated.
 
You don't have to anticipate the specific nature of a problem to prepare to deal with it. But you do have to admit that unanticipated complications will arise. Contrary to a mistaken but oft-held belief, failure to anticipate a problem does not necessarily indicate that preparations were inadequate. Until managers abandon this belief, they'll never really be good at managing project risk.
 
Rob Austin is a professor at Harvard Business School and chair of "Delivering Information Services," the school's CIO Executive Education program.