Information Systems
_____________
Quantitative risks can be measured in quantities. Time, money, and the number of resources lost due to risk can be measured. For example, a company may lose $25,000, 50-man hours, or 5 computer systems due to geological, physical, or cyber-risks and vulnerabilities.
Quantifying risks can be a very useful tool when a manager is trying to determine whether or not the cost of a control (a counter-measure to the risk) outways the cost of the potential risk itself.
Qualitative risks are more so generalized means of measure. “Qualitative risk assessments typically give risk results of 'High', 'Moderate' and 'Low' "[1]. Although qualitative measures may have a less consistent method of gauging risk than quantitative means, it can still be a useful way of communicating concerns to other company representatives.
One method risk managers use to visualize and analyze risk is by assigning values and weights of importance to each potential risk to calculate a reasonable probability that the risk will occur.
“The risk management process that is being advocated by major professional organizations is a rational, beneficial, and sensible approach that project managers actually should go through from the start to the end.”
“At the beginning of this process you identify risks, you assess risks. That includes the assessment of the probability of the impact of the risk, and then you attach a response to that specific risk.”
Introduction
Introduction
Risk assessment and management are nothing new to the business world, but accurately dealing with risks is not such an easy task. Resource limitations and a constantly changing arsenal of potential threats to an operation can make it difficult for a manager to come to a conclusive and confident decision.
Businesses rely on balancing the projected gains and costs of an operation to avoid possible catastrophes. This balancing act can sometimes feel more like juggling, especially when some risks are unquantifiable, relying only on qualitative means of assessing risk. An ideally balanced risk management solution needs to consistently perform, be cost-effective, and reduce the overall risk of an operation if otherwise left uncontrolled.
This page will explore the issue of risk management in its generality as well as with respect to information systems (IS). It will seek to answer the following questions by analyzing the benefits and drawbacks of managing high risk vs low-risk projects through research-based case studies:
- Identify the characteristics of a high-risk project and a low-risk project. What makes an IS project risky or how is risk defined in IS? How do you define a high-risk project versus a low-risk project?
- When is risk avoidance a disadvantage? When can risky management decisions benefit a company?
- What can real world case studies tell me about precautions to take as a future manager? What are some techniques or strategies that a manager in IS can use to deal with risk?
_______________________
Quantity Over Quality?
Quantitative risks can be measured in quantities. Time, money, and the number of resources lost due to risk can be measured. For example, a company may lose $25,000, 50-man hours, or 5 computer systems due to geological, physical, or cyber-risks and vulnerabilities.
Quantifying risks can be a very useful tool when a manager is trying to determine whether or not the cost of a control (a counter-measure to the risk) outways the cost of the potential risk itself.
Qualitative risks are more so generalized means of measure. “Qualitative risk assessments typically give risk results of 'High', 'Moderate' and 'Low' "[1]. Although qualitative measures may have a less consistent method of gauging risk than quantitative means, it can still be a useful way of communicating concerns to other company representatives.
One method risk managers use to visualize and analyze risk is by assigning values and weights of importance to each potential risk to calculate a reasonable probability that the risk will occur.
“Mathematically, quantitative risk can be expressed as Annualized Loss Expectancy (ALE). ALE is the expected monetary loss that can be expected for an asset due to a risk being realized over a one-year period.
ALE = SLE * ARO
Where:
• SLE (Single Loss Expectancy) is the value of a single loss of the asset. This may or may not be the entire asset. This is the impact of the loss.
• ARO (Annualized Rate of Occurrence) is how often the loss occurs. This is the likelihood.
Mathematically, this gets complicated very quickly, involving statistical techniques that are beyond the scope of this discussion [1].”
_____________________________________
Characteristics of a High-Risk Project
Characteristics of a High-Risk Project
Quantitatively, a threat may be labeled “high-risk” if its likelihood of occurring or ARO within the time-span of a year has a success rate of 76%-100% [1].
Qualitatively, negative political exposure, unwanted change to the core company, and threats to ability to deliver are three examples of characteristics that can be regarded as “high-risk” [2].
Political Exposure
Companies rely on the satisfaction of their customers. It is only reasonable for a company to desire to appear favorable in their eyes.
“Rebuilding the Space Shuttle program in the face of the Columbia disaster was a project with significant political exposure. Like the Space Shuttle program, high-risk projects face an entangled web of political stakeholders with individual agendas, challenging business cases, and, often, a hostile public perception [2].”
Company credibility is essential for consumer confidence, so careful attention must be paid to its political and media appearance.
Change to the Core Company
Companies have to take cautionary action when a decision can alter the core values and qualities of a company to make sure that it stays on its intended path of development.
“Like the break-up of AT&T in the 1970s, high-risk projects contain direct and indirect effects that transcend the organization and sometimes shake up an industry’s ecosystem. The AT&T break-up not only fractured the organization but spawned an entire new ecosystem of companies, technologies, and strategies [2].”
Change can sometimes be for the better, but the fact that changes could go against foundational intentions of the company makes it a significant risk consideration.
“Like the break-up of AT&T in the 1970s, high-risk projects contain direct and indirect effects that transcend the organization and sometimes shake up an industry’s ecosystem. The AT&T break-up not only fractured the organization but spawned an entire new ecosystem of companies, technologies, and strategies [2].”
Change can sometimes be for the better, but the fact that changes could go against foundational intentions of the company makes it a significant risk consideration.
Ability to Deliver
Arguably the most important risk to consider is whether or not the project is even feasible. If the resources are not available to deliver a final project, the risk of the project is already bound to fail.
“For example, the 2002 Olympic Winter Games posed significant threats to Salt Lake City’s ability to deliver. Infrastructure capacity, increased security requirements, funding availability and a time-boxed schedule posed seemingly insurmountable challenges that Salt Lake City overcame [2].”
Evaluation of the company’s current resources and what is needed to deliver a project is critical to its success.
[6] |
___________________________________
Characteristics of a Low-Risk Project:
Characteristics of a Low-Risk Project:
Quantitatively, a threat may be labeled “low-risk” if its likelihood of occurring or ARO within the time-span of a year has a success rate of 76%-100%.
Qualitatively, projects may be labeled as “low-risk” if its characteristics are well-defined, organized, systematic, and lead to happy employees and customers.
[6] |
_____________________________________
Risks Can Be Healthy
It is a common cliche that, “You will always miss 100% of the shots you don’t take”. This perspective can also definitely be held by a risk manager. Indeed it is very true that in some cases not taking a risk at all can be damaging to a business. In other words, if the projected cost of taking risk is less than the projected cost of not taking the risk, it would be ill-advised to just sit back and not make a move.
_____________________________________
General Risk Management Strategies
The following strategies are drawn from the Youtube Video “Does risk matter?” (Cranfield University School of Management) featuring Dr. Elmar Kutsch as the interviewee.
Dr. Kutsch opens by describing what an ideal risk management process should be like:
“The risk management process that is being advocated by major professional organizations is a rational, beneficial, and sensible approach that project managers actually should go through from the start to the end.”
Dr. Kutsch then goes on to describe this sensible process:
“At the beginning of this process you identify risks, you assess risks. That includes the assessment of the probability of the impact of the risk, and then you attach a response to that specific risk.”
As sensible as the process may seem, people still turn away from it. In the video, Dr. Kutsch offers us one of his five beliefs as to why people turn away from following a routine risk assessment/management process. He explained how often managers view risk as a fictional entity because it has not manifested itself as a reality--yet.
So one wise management strategy would be to simply treat potential risks as realities, because it very well may become one if not appropriately responded to. A second strategy would be to consistently follow a routine process when dealing with risks to avoid overlooking threats that may potentially lead to a disaster within the business.
__________________________________________________
Risk Management Strategies in IS: Looking Back
What are some examples of businesses that have successfully implemented risk managements strategies in the field of information systems, specifically?
As mentioned previously, a risk management plan should be a part of your overall project plan and followed methodically. Once you have your risk management plan outlined, you can begin by adding tasks to your project plan for helping mitigate or eliminate risk. In the instance of Lockheed Martin, a large-scale information technology company and “the largest provider of IT services, systems integration and training to the US Government” [4], it was clear that some risk management system and strategy would be essential to making successful administrative decisions during the defense contracting of the F-35 Lightning II, a fighter jet used primarily for, “intelligence, surveillance, reconnaissance, and electronic attack missions” [5]. During this time the F-35 was “the largest defense contract in history” [4].
[An F-35 courtesy of Lockheed Martin's Website] |
To deal with the surefire intricacies and complexities associated with overseeing an extensive project such as the production, organization, and distribution of the F-35, Lockheed Martin used an integrated of all risk-related data into a common system called the Active Risk Manager (ARM).
The ARM handled a greater number of risks efficiently for less expense by allowing business partners and suppliers to input their concerns regarding potential risks in the project, limiting the time and manpower required to sort through the threats in all areas of the project by hand. This communication between associates gave Lockheed Martin a more complete and realistic picture of the project. Security concerns were also taken into account when integrating the ARM into the project process by only allowing data relevant to each worker to be available to them through the use of code-based locks.
The ARM handled a greater number of risks efficiently for less expense by allowing business partners and suppliers to input their concerns regarding potential risks in the project, limiting the time and manpower required to sort through the threats in all areas of the project by hand. This communication between associates gave Lockheed Martin a more complete and realistic picture of the project. Security concerns were also taken into account when integrating the ARM into the project process by only allowing data relevant to each worker to be available to them through the use of code-based locks.
_________________
Looking Forward
Tesla, an American automaker, and energy storage company, has begun to draw in increasingly more skepticism surrounding its seemingly ever-increasing number of ambitious projects. “Tesla Motors Inc.'s chief executive officer, Elon Musk, is known for making the future come early. Yet somehow he's always running behind schedule. Some would call this a failure of management, but it might just be a business strategy.”[7]
Some examples of open projects currently being worked on at Tesla include, the Gigafactory (a supersized battery factory in Nevada where Musk intends to cut the price of batteries by 30% once it is fully operational in 2020), creating 500,000 electric cars per year by 2020, increasing the range of its automobiles to 1,000 kilometers per charge in three years, and having the cars be fully autonomous (self-driving) by 2018. All of the project goals are undoubtedly interdependent, making it essential to weigh the precedences of each task and their potential risks to make informed decisions on what actions need to be taken first.
For instance, to produce 500,000 cars per year by 2020, the Gigafactory needs to be well-established to mass produce the lithium ion batteries required to power these cars. There are undoubtedly risks involved when determining the order in which tasks are completed, so it is in a risk managers best interest to carefully assess priority (potentially through the use of automated systems that can assign quantitative weights of importance to each task). Otherwise, both the company, its customers, and shareholders could all take a turn for the worst. "Any setback to the production date could hit shares, as it will affect unit sales in 2017. Tesla and Musk have had a notorious history of promising one thing, only to then fail to deliver it in the timeframe laid out."[8]
However, despite its skeptics, Tesla still manages to attract the attention and support of many. Aaron E. Lebel, a current Machine Learning and Statistics major at Carnegie Mellon University discusses a more positive prospect on the company on his blog, mentioning two possibly overlooked projects (Tesla's solar roofs and Semi-Trucks) that could have a critical impact on the future of Tesla, as well as the global transportation and energy industries.
Link: http://www.alebml.com/blog/teslas-secret-revenue-weapon
Tesla takes innovative risks rather than playing it safe with a product that will eventually become obsolete. “I would say the most important driver behind Tesla’s disruption is its fundamental commitment to rapid iteration—thinking like software developers instead of commodity manufacturers,” says Brook Porter, a partner at the venture capital firm Kleiner Perkins Caufield & Byers who specializes in transportation [9]. For a company to survive long-term, it needs to be in-demand and available. Autonomous and electric cars are slowly integrating themselves into society and becoming more and more desired. With this growing desire to advance to new, technologically current, energy-sound modes of transport, companies like Tesla either have to jump into the future and hope their customers willingly follow, run the risk of being beaten out by competitors with newer and more desirable products.
Hopefully, enough consideration and attention are given to the many potential risks to the company. We will just have to wait and see whether or not Tesla's risky behavior and grandiose promises will successfully pay off.
Tesla's Model 3 |
However, despite its skeptics, Tesla still manages to attract the attention and support of many. Aaron E. Lebel, a current Machine Learning and Statistics major at Carnegie Mellon University discusses a more positive prospect on the company on his blog, mentioning two possibly overlooked projects (Tesla's solar roofs and Semi-Trucks) that could have a critical impact on the future of Tesla, as well as the global transportation and energy industries.
Link: http://www.alebml.com/blog/teslas-secret-revenue-weapon
Tesla takes innovative risks rather than playing it safe with a product that will eventually become obsolete. “I would say the most important driver behind Tesla’s disruption is its fundamental commitment to rapid iteration—thinking like software developers instead of commodity manufacturers,” says Brook Porter, a partner at the venture capital firm Kleiner Perkins Caufield & Byers who specializes in transportation [9]. For a company to survive long-term, it needs to be in-demand and available. Autonomous and electric cars are slowly integrating themselves into society and becoming more and more desired. With this growing desire to advance to new, technologically current, energy-sound modes of transport, companies like Tesla either have to jump into the future and hope their customers willingly follow, run the risk of being beaten out by competitors with newer and more desirable products.
Hopefully, enough consideration and attention are given to the many potential risks to the company. We will just have to wait and see whether or not Tesla's risky behavior and grandiose promises will successfully pay off.
__________
Summary
Risk Management is an integral part of a project and should continue to be an ongoing process throughout the project’s lifetime. Good managers anticipate crisis and manage risk by responding to risks they recognize using a regulated step-by-step process that can quantify threats in such a way that can be communicated to other project workers in the most time and cost efficient manner. By examining and following the actions taken by companies such as Lockheed Martin and Tesla, we can come to a better understanding of the types of steps that can lead to the success of a project. By using a systematic method of collecting and categorizing threats (e.g. automated system similar to Lockheed Martin's Active Risk Manager), listening to the concerns of associates and business partners, maintaining an understanding of project priorities (possibly through the use of automated systems that weight each task), and maintaining the mindset that risks really can become realities, risk managers can better ensure that their responses to these threats are accurate and truly beneficial to the business.
Risk Management is an integral part of a project and should continue to be an ongoing process throughout the project’s lifetime. Good managers anticipate crisis and manage risk by responding to risks they recognize using a regulated step-by-step process that can quantify threats in such a way that can be communicated to other project workers in the most time and cost efficient manner. By examining and following the actions taken by companies such as Lockheed Martin and Tesla, we can come to a better understanding of the types of steps that can lead to the success of a project. By using a systematic method of collecting and categorizing threats (e.g. automated system similar to Lockheed Martin's Active Risk Manager), listening to the concerns of associates and business partners, maintaining an understanding of project priorities (possibly through the use of automated systems that weight each task), and maintaining the mindset that risks really can become realities, risk managers can better ensure that their responses to these threats are accurate and truly beneficial to the business.
__________
References
[1] www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204.
[2] “Strategies for Tackling the High Risk/High Profile Project.” Strategies for Tackling the High Risk Projects, www.pmi.org/learning/library/strategies-tackling-high-risk-projects-7253. Accessed 16 June 2017.
[3] “Website Project Plan Checklist.”Capitalizing on Knowledge, 2001,pp. 284–286., doi:10.1016/b978-0-7506-5011-3.50018-4.
[4] ActiveRisk. “Lockheed Martin - Active Risk.” Active Risk, www.sword-activerisk.com/lockheed-martin-jsf-case-study/. Accessed 16 June 2017.
[5] “F-35 Lighting II.” F-35 Lightning II, www.f35.com/about. Accessed 16 June 2017.
[6] “Risk Chart Graphics.” Https://Www.google.com/Url?Sa=t&Rct=j&q=&Esrc=s&Source=Web&Cd=1&Cad=Rja&Uact=8&Ved=0ahUKEwj5kOD14bbUAhVM12MKHXaFBmEQFggrMAA&Url=Http%3A%2F%2Fextras.Springer.com%2F2003%2F978-1-59059-127-7%2F7.0InherentRiskFactorsChecklist.Pdf&Usg=AFQjCNEtHgYmSzKzwXXr6AQL-m54p3LSWQ&sig2=IfSkqvvljNDR5TWlzHUgWg.
[7] www.bloomberg.com/news/articles/2016-05-09/elon-musk-s-tesla-strategy-win-big-by-falling-short.
[8] “Tesla's Model 3 Launch Is The Most Important Event In Company's History.” NASDAQ.com, 15 June 2017, www.nasdaq.com/g00/article/teslas-model-3-launch-is-the-most-important-event-in-companys-history-cm803684?i10c.referrer=https%3A%2F%2Fwww.google.com%2F. Accessed 16 June 2017.
[9] Knight, Will. “Tesla Has Built Its Success on Moving Faster than the Industry's Incumbents, and Taking More Risks.” MIT Technology Review, MIT Technology Review, 12 July 2016, www.technologyreview.com/s/601876/teslas-strategy-is-risky-and-aggressive-but-it-has-worked/. Accessed 16 June 2017.
[6] “Risk Chart Graphics.” Https://Www.google.com/Url?Sa=t&Rct=j&q=&Esrc=s&Source=Web&Cd=1&Cad=Rja&Uact=8&Ved=0ahUKEwj5kOD14bbUAhVM12MKHXaFBmEQFggrMAA&Url=Http%3A%2F%2Fextras.Springer.com%2F2003%2F978-1-59059-127-7%2F7.0InherentRiskFactorsChecklist.Pdf&Usg=AFQjCNEtHgYmSzKzwXXr6AQL-m54p3LSWQ&sig2=IfSkqvvljNDR5TWlzHUgWg.
[7] www.bloomberg.com/news/articles/2016-05-09/elon-musk-s-tesla-strategy-win-big-by-falling-short.
[8] “Tesla's Model 3 Launch Is The Most Important Event In Company's History.” NASDAQ.com, 15 June 2017, www.nasdaq.com/g00/article/teslas-model-3-launch-is-the-most-important-event-in-companys-history-cm803684?i10c.referrer=https%3A%2F%2Fwww.google.com%2F. Accessed 16 June 2017.
[9] Knight, Will. “Tesla Has Built Its Success on Moving Faster than the Industry's Incumbents, and Taking More Risks.” MIT Technology Review, MIT Technology Review, 12 July 2016, www.technologyreview.com/s/601876/teslas-strategy-is-risky-and-aggressive-but-it-has-worked/. Accessed 16 June 2017.
Comments
Post a Comment