How well are you doing on pinning down the Yellow risks? CIOs appreciation of and mastery of risk management has evolved considerably over many years, but Robert N. Charette, Director, Risk Management Intelligence Network, Cutter Consortium and president of ITABHI Corporation, says it's the CIOs who know how to handle the Yellow Risks - those that offer no certain course of action - that are going to do best in the race for further advancement.

In a recent e-mail exchange, Charette told me CIOs need to understand that in the push for further promotion, it is how well they make decisions that matters most.

"I have interviewed many CEOs and Board Members on what they use as criteria for hiring/promoting folks to the very highest levels of the company," Charette says. "Since almost everyone has a resume a mile long and most are similar, the question they end up using is, 'How well will this person make difficult decisions - i.e., how will they make the ones filled with risk and uncertainty?' in other words, the Yellow Risks".

It's what senior executives get paid for - the "Yellow Risks", Charette says. Red and green risks are easy; it is the Yellow Risks that are toughest to handle, but which offer CIOs a real chance to excel. The senior executive management's job is risk management, he says. Even if you are hired to pursue new opportunities, it is the downside of the opportunities that need to be managed most.

In his view - and a pretty well nuanced and researched view it is - many CIOs lack good risk management skills. They don't know how to manage resource allocations - which is as much about what you don't do as what you do - at all well. They don't know how to calculate opportunity costs, especially in framing the decisions they need to make.

He believes most CIOs could benefit from a really good course in decision making, which would improve their chances more than anything else if they aspire to occupy the "big chair" in the future.

Charette believes every CIO must be extremely involved in the aggressive management of IT risks. The IT organisation can't afford to view risk management as some pro forma process that CIOs only give lip service to. CIOs need to continuously ask themselves and their project managers for the risks that the IT organization and its systems create for the corporation, and how they can best be managed.

One way to further your credentials as a true business executive able to confront and master such Yellow Risks may be to accept the need to go beyond compliance and risk management as it is traditionally practised in the project governance space.

Raymond Young, lecturer at Macquarie University's Department of Accounting and Finance, points out that a business is not nearly as interested in projects coming in on-time and on-budget as it is in actually delivering the expected business benefits. Since an IT project seldom just delivers business benefits, but is rather an enabler of change, the sponsor, and by implication the CIO, must go well beyond the project as it is traditionally defined and embrace all the organisational issues that need to be dealt with to bring in change. Since said changes tend to take far longer than the implementation date of a typical IT project, it's no use the executive concerned putting up artificial boundaries and claiming their responsibility stops at the point of handover.

"My research suggests that a capacity for real project governance (by focusing on the delivery of business benefits) can improve project ROIs from around 30 per cent to between 135 and 240 per cent," Young says. "In dollar terms an organisation that spends $160M pa on IT and 15 per cent of this on projects can realise an additional $20m pa of business benefits."

But Young says in the course of his research he's found the IT person who is comfortable with this kind of discussion is a rare beast indeed because it takes them outside their area of expertise. He suspects there is a need for a good MBA or equivalent to help them cross this boundary.

"Once a technology executive can engage fully in the business issues of how to improve competitiveness they are the equal of anyone around the top management table, but there is still an inferiority complex that has to be dealt with (which tends to cause them to fall back onto 'unimportant' and alienating technological reasons whenever they are challenged to justify their opinions)," he says.

Its a hard thing, overcoming an inferiority complex without help, but fortune favours the bold (and probably loves yellow, too.)