Karl Wachs, CIO at global industrial chemical company Celanese Chemical, had a problem and it was making him very nervous. After an 11-month approval process, the board had given him just 21 months to roll 13 SAP systems scattered across five data centres into a single instance of the enterprise software.

In the interim the company had bought firms, sold firms, changed the scope and changed the number of business units that were set to continue. Now, a couple of months out from the deadline, it was pretty clear he wasn't going to make it. This was a new and uncomfortable thing, since under the previous corporate culture teams had routinely padded their budgets and schedules enough to ensure projects came in on time and on budget.

We spend a lot of time talking about how to make IT issues real to the business, because so much of IT risk management is about making business trade-offs

George Westerman — research scientist, MIT

His choices were stark. He could lay low and hope to somehow turn things around. Or — since his estimates had purposely eliminated the padding — he could risk telling the board something they had never heard before: the deadline was looking unobtainable if they wanted a quality implementation, and he needed more money and time to make things right.

"Luckily this project was part of a whole culture change in the organization and Wachs had said to the board when he started: 'You know, this is a realistic estimate and I don't know whether I am going to make it or not, but we are going to do our very best,'" says George Westerman, a research scientist at MIT's Center for Information Systems Research.

"Now he had to go back to the board and say: 'Listen, I need lots of money, I need extra time to do this, here are all the reasons why, but I wanted to tell you now rather than give you a surprise later.'"

Wachs's people were unsure what would happen. They didn't know if everyone would survive the conversation. But as it turned out the board gave him the money, they gave him the extra time, and they said: "Thanks for coming in. This is the way we want you to manage things: we want honest estimates and we want to know that you are managing risk, even if you sometimes fail." They said: "This is exactly how we want people to act", and then he and all of the other executives in the firm were able to use that as an example as they tried to change the risk mentality of the whole firm.

That new awareness, Westerman says, can be a powerful change agent. With a new culture in place, the concept of "bubbling up the risks from all over the organization, making decisions and bubbling them back down to be taken care of" is eminently feasible, because it has become acceptable to talk about risks. It's a good start on the path to turning business threats into a business edge. Westerman's new book, co-authored with Richard Hunter, and titled IT Risk: Turning Business Threats Into Competitive Advantage, is based on research conducted by MIT's Center for Information Systems Research and Gartner, (built on interviews with more than 50 companies and surveys of another 130) that helped the authors develop and test their frameworks for how to think about IT risk.

Designed to help organizations identify their most pressing IT-related risks and then leverage the advantages of vigilance, the book argues managing IT risk the traditional way can not only leave a business exposed but cause it to miss real opportunities for making a profit. A major focus of the book is how IT can raise awareness in the business about the business risks of IT. It is the CIO's job to make those risks real in business terms.

"That's kind of our sweet spot," Westerman says. "We spend a lot of time talking about how to make IT issues real to the business, because so much of IT risk management is about making business trade-offs. With the risk research we took exactly the same ideas: that we heard a lot about security issues, heard a lot about business continuity issues, but we didn't have a good overarching management framework of thinking about risk and talking to the business about risk. That's why we started this project.

"(CIOs) can scare people with security issues and get some funding, they can scare people with business continuity issues and get some funding, but how do they make IT risk management an ongoing program, and how do they get all the risks surfaced together as an important part of what they do in IT management? I don't see it there in many companies yet."

"If IT risk is framed as business risk, then it's something IT managers can discuss with business executives — in fact, something that has to be discussed," Hunter adds.

"Take legacy systems as an example. Lots of IT managers think of legacy systems in terms of the difficulties they create for the IT organization. But the real issues are the constraints those systems place on the business, and the potential for catastrophic failure of critical business processes. Those issues are far more important to the business than an IT system that's marginally more difficult and expensive to run. And CIOs can do a lot to move the discussion towards those issues."