Risk Denial from the Top?

Senior finance executives affirm that information technology — computer hardware, software, systems, applications, networks, and other related services — plays a central role in executing business strategy. But it is as much the implementation of technology — the delivery of the right solution tailored to a business problem and aligned with business strategy — as the core technology itself that delivers real value to companies.

That is one major finding of a study, conducted by CFO Research Services in the summer of 2005, to explore executives' views on the business risk posed by complex IT systems and services delivery. Through an email survey, we gathered more than 200 respondents, 52 percent of which were from $1 billion+ companies. The respondents cover a broad cross-section of the U.S. economy, with strong representation from the manufacturing, financial services, energy, and business/professional services industries.

Other findings:

IT is vital, but poor implementation kills value. More than 40 percent of respondents say that their IT systems are "fundamental strategic assets that enable our company to compete," while another 32 percent describe IT's role as the "operational backbone" of their companies. While this role for technology comes as little surprise, 65 percent of survey respondents say that their companies adopt technology only at about the same rate as their peers, and another 14 percent say they lag behind their peers in adopting new technology. So while IT has a central role, few companies — only one in five — lead the way and adopt new, leading-edge technology ahead of others.

We infer from this that the well-established, strategic role of IT grows as much from how companies adopt, implement, and retire technology as from a commitment to adopting leading-edge systems. The logical question is: if successful implementation of technology — on time, on budget, to specification — is the key to deriving value from IT investments, when do companies succeed and when do they fail in delivering IT projects?

To explore this question, we queried senior finance executives on their perceptions of the performance and business risk of their companies' IT project and service delivery. We defined business risk broadly to include risk to operating performance, financial performance, regulatory compliance, and competitive strategy, as well as customary IT risk categories such as system security, privacy, technical failure, and cost overruns.

Risk and performance vary though the IT delivery process. Respondents report their best performance in the early stages of IT project delivery, when they articulate business problems, specify solutions, and build business cases for investment. Their performance drops, they report, when selecting implementation partners, installing technology, managing process change, and measuring the results of their investments. On the risk side, respondents see greatest risk to business performance in articulating the business problem, selecting implementation partners, delivering the project, and managing the organizational and process changes required to get sustained value out of new systems.

After comparing high-risk elements of IT project and service delivery with performance in these same categories, it is clear that companies do not perform especially well in the following high-risk categories:

• Selecting implementation partners

• Delivering the project (implementing hardware, software, and process redesign)

• Change management and training staff

From these results, we infer that, in many cases, companies' ability to deliver IT projects effectively — while minimizing the risk to business performance — is in jeopardy.

Delegating work while retaining risk. These high-risk, low-performance elements of project and service delivery have something in common: they usually involve third-party service providers such as consultants, systems integrators, and outsourcing vendors. By engaging these service providers for reasons of cost, expertise, or timing, companies delegate tasks to third parties — but they still retain the business risk of their work. And although nearly 80 percent of executives say their companies conduct business risk analyses for both IT-related capital investments and ongoing maintenance, fewer than 30 percent of respondents evaluate the risk of IT investments made by third parties at their request. Such investments include those made by consultants, partners, and outsourcing vendors. Companies would be well advised to close this risk-performance gap through broader, more rigorous scrutiny of risk.

IT Needs Help with Business-risk Analysis and Governance
How should companies bridge the gap between business risk and their performance on IT projects and service delivery? By focusing more rigorously on analysis of all business risk from IT — both within the company and among partners and strategic vendors. In many cases, the ideal candidate to lead this effort is the finance team, in partnership with the IT team.

• 1
• 2
• next »