Risk Denial from the Top?

Companies overlook and undermanage the business risks of IT project and service delivery.
CFO Staff, November 30, 2005

Senior finance executives affirm that information technology — computer hardware, software, systems, applications, networks, and other related services — plays a central role in executing business strategy. But it is as much the implementation of technology — the delivery of the right solution tailored to a business problem and aligned with business strategy — as the core technology itself that delivers real value to companies.

That is one major finding of a study, conducted by CFO Research Services in the summer of 2005, to explore executives’ views on the business risk posed by complex IT systems and services delivery. Through an email survey, we gathered more than 200 respondents, 52 percent of which were from $1 billion+ companies. The respondents cover a broad cross-section of the U.S. economy, with strong representation from the manufacturing, financial services, energy, and business/professional services industries.

Other findings:

IT is vital, but poor implementation kills value. More than 40 percent of respondents say that their IT systems are “fundamental strategic assets that enable our company to compete,” while another 32 percent describe IT’s role as the “operational backbone” of their companies. While this role for technology comes as little surprise, 65 percent of survey respondents say that their companies adopt technology only at about the same rate as their peers, and another 14 percent say they lag behind their peers in adopting new technology. So while IT has a central role, few companies — only one in five — lead the way and adopt new, leading-edge technology ahead of others.

We infer from this that the well-established, strategic role of IT grows as much from how companies adopt, implement, and retire technology as from a commitment to adopting leading-edge systems. The logical question is: if successful implementation of technology — on time, on budget, to specification — is the key to deriving value from IT investments, when do companies succeed and when do they fail in delivering IT projects?

To explore this question, we queried senior finance executives on their perceptions of the performance and business risk of their companies’ IT project and service delivery. We defined business risk broadly to include risk to operating performance, financial performance, regulatory compliance, and competitive strategy, as well as customary IT risk categories such as system security, privacy, technical failure, and cost overruns.

Risk and performance vary through the IT delivery process. Respondents report their best performance in the early stages of IT project delivery, when they articulate business problems, specify solutions, and build business cases for investment. Their performance drops, they report, when selecting implementation partners, installing technology, managing process change, and measuring the results of their investments. On the risk side, respondents see the greatest risk to business performance in articulating the business problem, selecting implementation partners, delivering the project, and managing the organizational and process changes required to get sustained value out of new systems.

After comparing high-risk elements of IT project and service delivery with performance in these same categories, it is clear that companies do not perform especially well in the following high-risk categories:

• Selecting implementation partners

• Delivering the project (implementing hardware, software, and process redesign)

• Change management and training staff

From these results, we infer that, in many cases, companies’ ability to deliver IT projects effectively — while minimizing the risk to business performance — is in jeopardy.

Delegating work while retaining risk. These high-risk, low-performance elements of project and service delivery have something in common: they usually involve third-party service providers such as consultants, systems integrators, and outsourcing vendors. By engaging these service providers for reasons of cost, expertise, or timing, companies delegate tasks to third parties — but they still retain the business risk of their work. And although nearly 80 percent of executives say their companies conduct business risk analyses for both IT-related capital investments and ongoing maintenance, fewer than 30 percent of respondents evaluate the risk of IT investments made by third parties at their request. Such investments include those made by consultants, partners, and outsourcing vendors. Companies would be well advised to close this risk-performance gap through broader, more rigorous scrutiny of risk.

IT Needs Help with Business-risk Analysis and Governance

How should companies bridge the gap between business risk and their performance on IT projects and service delivery? By focusing more rigorously on analysis of all business risk from IT — both within the company and among partners and strategic vendors. In many cases, the ideal candidate to lead this effort is the finance team, in partnership with the IT team.

We queried companies on who analyzes the business risk of IT projects and services in their organizations, and how they do so. Nearly half of all respondents say their IT teams — not finance, not dedicated risk management teams — lead formal risk analyses for IT projects.

Risk analysis is too narrowly focused. What’s more, under the leadership of IT, most companies focus on the risks to operating performance, risk of technical failure, and risk to system security. Less scrutinized, say respondents, are the risks of misalignment with business needs, cost overruns, regulatory compliance, and HR/organizational risk. Charged with analyzing the risk of IT projects, information technology organizations focus on their own functional concerns and give less attention to the enterprise-wide impact of their decisions. Given the daily operational pressures faced by CIOs, this isn’t surprising.

Respondents say their companies usually give IT investments the same or less risk scrutiny as other major investments such as new product launches, non-IT plant and equipment, third-party partnerships, outsourcing, and M&A. At first glance, this level of scrutiny may make some sense. But since well-run IT plays a central role in strategy execution and contributes substantially to business results (and in fact enables companies to reap much of the value of partnerships, outsourcing arrangements, and M&A), companies should deepen their assessments of IT’s ability to deliver what it promises.

Who should be stepping up to closer review of the risk to business performance posed by IT investments? Given IT’s central role in modern enterprise and companies’ massive investments in technology, managing IT risk to the business is increasingly a general management responsibility, not a discrete corner of a support function.

Accordingly, such a role should be led by an objective, analytical function with broad organizational reach and experience in risk management: the finance function, under board supervision. But survey results suggest that many companies are a long way from fully managing the risk that IT poses to the business. We asked respondents how well their companies’ board of directors understands and monitors the business risk of IT. Only 26 percent of respondents say their board pays close attention — and a similar percentage say that their board pays little attention to these risks.

Information technology plays a central role in most businesses — often as a strategic asset that differentiates one company from another, and often as the operational backbone of the company. But a survey of finance executives shows that companies do not manage the business risk of IT investments with the rigor they devote to other major investments. Companies don’t manage the riskiest parts of their IT projects and services particularly well. The problem is particularly acute when companies call on third parties to perform IT-implementation tasks — especially because the company retains the business risk of failure.

One solid step toward better management of IT’s risk to the business may be to move accountability for business risk management of IT projects and services from the IT function to the finance function, and to engage the board of directors in a thoughtful and sustained review of IT’s risk to business performance. By doing so, companies will lessen variability in their operations, their performance, and, ultimately, their delivery of value.