A project introducing a financial lending product to poor credit borrowers will increase the risk profile of the organization.
If you are opening up your systems to allow internet-based access to records, regardless of the security controls you are putting in place, you are increasing your organization's corporate risks.
The decision to increase the corporate risk profile is not yours as a project manager, but this increase needs to be identified and acknowledged.
Every organization has its own 'risk appetite' -- the level of risk they are happy or willing to tolerate.
Some organizations have undertaken a formal risk analysis to identify their overall risk exposure, generating a corporate risk profile and areas requiring attention. Find out who 'owns' this risk analysis within the organization (easy if you have a Chief Risk Officer) and go to see them with your project sponsor and identify if there are any areas where your project will or could potentially increase corporate risk.
You may find your project is reducing the organization's risks in some areas; this is then a risk-reduction benefit you can include in your value proposition.
If no such corporate risk analysis has been conducted, the potential risk does not go away; it is merely more difficult to quantify.
Ideally the Enterprise PMO will generate a list of pseudo Corporate Risks to be used. We show you how to generate such pseudo-corporate risks at www.beingaPMO.com (to be launched soon).
Otherwise you may have to identify whether your project will increase the ongoing corporate risk exposure of the corporation in conjunction with the PMO, business and governance team.
First discover any recent projects that intentionally or inadvertently increased the risk profile of the organization. Is your project likely to impact these or associated/similar areas?
Meet with key stakeholders and ask them if they can identify any outcomes from the project that could increase the organization's overall risk profile.
Think in terms of, for example:
- are you going to disadvantage any set of customers that may cause them to move their custom elsewhere? (Customer loss risk)
- are you replacing like with like functionality making you vulnerable to competitor action that improves their service, leaving you competitively disadvantaged? (Competitive position loss risk)
- are you implementing a product that makes your customers more self-sufficient and, therefore, reduces your services revenue stream? (Revenue loss risk)
- are you implementing a system that supports current, unchanged processes that may, therefore, not be capable of meeting future demands? (Operations flexibility loss risk).
Identifying potential corporate risks needs you to think big, in strategic impact terms.
For most projects the net result will be that no corporate risks are impacted or made worse. But you need to go through the exercise to ensure no surprises at the end of the project (for which, most likely, you'll be unfairly blamed!)
Jed Simms is CIO magazine's weekly project management columnist. Simms, founder of projects and benefits delivery research firm Capability Management, is also the developer of specialized project management and project governance Web site www.project-sponsor.com.