3 minute read 17 Sep 2021

Effective risk management is not risk avoidance

By Marsha Reppy

EY Global and EY Americas Governance Risk Compliance Technology Leader

Harnessing the power of technology to gain business insights and simplify governance, risk and compliance. Mom to Ella. Outdoor and golden retriever enthusiast.

Related topics Risk Consulting Technology

Managing technology risk is about aligning investments and initiatives in ways that make risks proportionate to rewards.

In brief

  • For a business that hopes to grow and thrive, taking calculated risks is essential, as is defining the risk appetite befitting its internal culture.
  • A realistic risk management approach doesn’t avoid risk, but instead invests in governance and technology solutions that make risks more transparent.

Most people would rather not lose a little than win a lot. The topic of risk is especially delicate for CIOs. Historically, their role has focused on avoiding risk by protecting the business, while the digital transformation and innovation mandate now pressures them to think more boldly.

Protecting the business and thinking boldly are not mutually exclusive, however. Risk management is not the same as risk aversion.

Common language

Understanding and evaluating risk starts with a standard framework and a common set of definitions. This allows an "apples to apples" comparison: risks of very different kinds (a project delay, an outage, a control gap) are rated on the same scale and ranked against each other consistently. Have a clear framework and standard definitions of what risks are, how to rank them, what matters most to the business, and how to manage and mitigate those risk factors.

Ask questions that weigh value against risk rather than ones focused solely on avoiding risk. For example:

  • What’s the risk of our using waterfall vs. agile methodology on a project?
  • What’s the risk of pumping the brakes on an implementation to address controls and security?
  • What’s the risk to my revenue of a 24-hour outage of my e-commerce platform versus my human resources application?

It’s also important to understand that risk management is an exercise in probability: the likelihood of an event weighed against its impact. Heading into 2020, many businesses had contingency plans for short-term supply chain disruptions, but few considered the consequences of a global pandemic that would close borders for months. Some were able to tolerate the impact for longer than others.

Risk evaluation, therefore, should consider the likelihood of an event and its impact on the business from a timeline perspective – both the short and long term, as well as the overall risk tolerance specific to your business.

Define the broader risk appetite and tolerance for the organization and for IT, and then use that to right-size your actions.
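The likelihood-times-impact evaluation described above, carried over short and long time horizons and checked against an explicit tolerance, as an added example that is not part of the original article. The scenario names, probabilities, daily impact figures and the tolerance value are constructed for illustration and are not EY figures; the e-commerce and HR outage scenarios echo the question posed earlier in the article.

```python
"""Quantitative risk register: expected loss per scenario over a short- and a
long-term disruption horizon, ranked and compared with a stated risk tolerance.
All scenario figures below are constructed sample data, not real estimates."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance the event occurs at least once in a year
    impact_per_day: float      # business loss per day of disruption, currency units
    short_term_days: int       # disruption length the contingency plan covers
    long_term_days: int        # disruption length if the event outlasts that plan


# Constructed sample scenarios (assumed values, for illustration only).
SCENARIOS = [
    Scenario("E-commerce platform outage", 0.5, 200_000, 1, 3),
    Scenario("HR application outage", 0.5, 5_000, 1, 5),
    Scenario("Supply chain border closure", 0.05, 50_000, 14, 180),
]

# Assumed annual expected-loss tolerance set by the business (constructed value).
TOLERANCE = 250_000


def expected_loss(probability, impact_per_day, days):
    """Expected annual loss: likelihood x daily impact x duration."""
    return probability * impact_per_day * days


def tolerable_days(scenario, tolerance):
    """How many days of disruption the business can absorb before the expected
    loss for this scenario exceeds the tolerance. Answers the question of how
    long an organisation can 'tolerate the impact'."""
    return tolerance / (scenario.annual_probability * scenario.impact_per_day)


def evaluate(scenarios, tolerance):
    """Score every scenario on both horizons and rank by long-term exposure.

    A scenario that looks cheap under its short-term plan can still breach
    tolerance once the long-term horizon is considered, which is the point
    the pandemic example in the text makes."""
    rows = []
    for s in scenarios:
        short = expected_loss(s.annual_probability, s.impact_per_day, s.short_term_days)
        long = expected_loss(s.annual_probability, s.impact_per_day, s.long_term_days)
        rows.append({
            "name": s.name,
            "short_term": short,
            "long_term": long,
            "within_tolerance": long <= tolerance,
            "tolerable_days": tolerable_days(s, tolerance),
        })
    # Rank by the long-term figure so the worst realistic exposure comes first.
    rows.sort(key=lambda r: r["long_term"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in evaluate(SCENARIOS, TOLERANCE):
        flag = "ok" if r["within_tolerance"] else "EXCEEDS TOLERANCE"
        print(f"{r['name']:30} short={r['short_term']:>10,.0f} "
              f"long={r['long_term']:>10,.0f} "
              f"tolerable_days={r['tolerable_days']:>6.1f} {flag}")
```

With these constructed inputs the border-closure scenario is the cheapest of the three on its short-term plan yet the largest long-term exposure, and the e-commerce outage breaches tolerance in well under a week while the HR application does not. Ranking on the long-term column is what makes that visible; ranking on the short-term column alone would bury it.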

The risk of doing nothing

Keep in mind that risk can encompass inaction as well as action. Organizations with obsolete technologies can fall victim to nimble upstarts before they realize how much their legacy technologies are holding them back. In the same vein, failure to act on a promising new technology such as blockchain or machine learning can cause a company to fall far behind its competitors.

Risk can also lurk in seemingly safe events. For example, underestimating the complexity of merging systems following an acquisition, or decoupling them after a divestiture, can set the IT organization’s schedule back for months, causing more strategic projects to fall behind.

The risk of failing to manage talent proactively can also kill innovation in its tracks. Look at the new technologies being introduced and think about whether you can grow talent with the appropriate skills or repurpose the talent you have.

One way to mitigate risk at a structural level is to invest in technology solutions that help you manage it. Organizations that had moved operational systems to the cloud, automated manual workflows, introduced continuous monitoring, and invested in technology to virtualize physical processes fared much better during COVID-19 than those that had put such projects on the back burner. Automated processes are usually more consistent than manual ones and far less exposed to disruptions that keep people away from their desks.

Finally, be realistic about risk avoidance. Stretching for zero compliance errors or manufacturing defects may not be worth the cost. “It may not always be a good KPI because it could drive wrong behaviors,” says Marsha Reppy, EY Global and Americas Governance Risk Compliance Technology Leader. “It’s not always about eliminating mistakes; often, it’s about identifying them and fixing them quickly. Taking a realistic and pragmatic approach enables people to do the right things.”


Summary

People have a strange relationship with risk. Most of us prefer to avoid it – consistently choosing a sure outcome over a gamble with equal or higher expected value. Yet success in nearly everything involves taking risk.
