The Agile Manager
Sunday, June 24, 2007
  Strategic IT Does More than Assume Technology Risk, it Mitigates Business Risk

Risk management, particularly in IT, is still a nascent discipline. Perhaps this is because there are an overwhelming number of cultural norms that equate “risk management” to “defeatism.” To wit: “Damn the torpedoes, full speed ahead!” is intuitively appealing, offering a forward-looking focus without the encumbrance of consideration for that which might go wrong. This notion of charging ahead without regard to possible (and indeed likely) outcomes all too often passes for a leadership model. And poor leadership it is: sustainable business success is achieved when we weigh the odds, not ignore them entirely. Thus leadership and its derivative characteristics - notably innovation and responsiveness - are the result of calculated, not wanton, risk taking.

How risk is managed offers a compelling way to frame the competitiveness of different business models. A recent report by the IBM Institute for Business Value1 forecasts that Capital Markets firms engaged in risk mitigation have better growth and profit potential than firms engaged in risk assumption. According to this report, risk assumers (such as principle traders or alternative asset managers) may do a greater volume of business, but it is the risk mitigators (notably structured product providers and passive asset managers) who will have greater margins. Since Capital Markets firms are leading consumers of IT, and as IT tends to reflect its business environment, this has clear implications for IT.

Traditionally, IT has been a risk assumer. It provides guarantees for availability, performance and completeness for delivery of identified, regimented services or functionality. This might be a data centre where hardware uptime is guaranteed to process transactions, a timesheeting capability that is available on-demand, or development of a custom application to analyse asset backed securities. Being asked to do nothing more than assume risk for something such as availability or performance of technology is appealing from an IT perspective because it’s a space we know, or at least we think we know. It plays directly to that which IT professionals want to do (e.g., play with shiny new toys) without taking us out of our comfort zone (the technology space versus the business space). Worrying with the technology is familiar territory; worrying about the underlying business need driving the technology is not.

IT can only provide business risk mitigation if it is partnering with the business for the delivery of an end-to-end business solution. If it is not – if IT maintains the arms-length “you do the business, we do the technology” relationship - IT assumes and underwrites technology risk, nothing more. The trouble is, this doesn’t provide that much business value. Technology itself doesn’t solve business problems, so the notion of managing technology – be it to optimise cost, availability, performance or completeness – is no different from optimising, say, the company's power consumption.

This defines IT's business relevance. Being a provider of utilities is not a strategic role. Energy offers a compelling parallel: while it is important for a business to have electricity, most businesses don’t think of the power company as a strategic partner, they think of the power company as just “being there.” The concern is far more utilitarian (e.g., are we turning off the lights at night) than it is strategic (e.g., nobody measures whether we're maxmising equity trades per kilowatt hour.) Worse still, businesses don’t think of their utilities whatsoever. They're aware of them only when they're not there. Awareness is negative, at best escalation, at worst a disruption to the utility’s cash flow.

In any industry, risk assumption is the purview of utility providers. Software development capacity, IT infrastructure, and software as a service are all examples of risk assumption. They are useful services to be sure, but of low business value. They compete on cost (through, for example, labour arbitrage or volume discounts) as opposed to differentiation on value (that is, as drivers of innovation or invention.) For IT as a whole to have business value it must not be viewed as a technology risk assumer but a mitigator of business risk.

The latter role has been historically de facto granted because business systems are substantially technology systems, hence IT has had a direct (if unforseen and unofficial) hand in business process re-engineering, partner management, and compliance certification. In the future, defaulting into this role is not a given: while business solutions have a significant technology component they are not solved entirely by technology. The actual business solution is likely to involve increased regulatory compliance, complex process changes, constant training, ongoing supplier and customer management and integration, and so forth, all of which are increasingly complex due to multiplicity of parties, tighter value chain coupling, and geographic distribution, amongst other factors. Clearly, the technology component is but one piece part of an overall business solution.

Here lies the point-of-pivot that defines IT as strategic or tactical. If IT subserviates itself to a role of technology sourcer abdicating responsibility for success of the end-to-end business solution, so shall the business cast IT as nothing more than an interchangable component to the solution to the business problem. Conversely, when the business and IT both recognise that the technology piece is the make-or-break component of the overall business solution (that is, the technology bit is recognised as the greatest single controllable factor in determining success), IT has strategic footing. It achieves this footing because it mitigates risk of the business solution in business terms, not because it assumes risk for services that the business can competitively source from any number of providers.

Being a mitigator of business risk does in fact require that IT has robust risk management of its own capabilities. That is, internally, IT effectively and competently insures delivery. Here, we run directly into the fact that risk management is not a particularly strong suit of IT, and for the most part is primitively practiced in the IT space. Certainly, it is not simple: executive IT management must be able to analyse risk factors of individuals and teams (e.g., staff turnover, knowledge continuity, individual skill, interpersonal factors.) It must do so across a broad spectrum of roles (quality engineer, developer, DBA, network engineer) with regard to a wide variety of factors (e.g., are we a destination employer / destination account for our suppliers, are we giving people stretch roles with proper mentoring or simply tossing them in the deep end filling out an org chart?) These people factors are critical, but are but one source of risk: IT must be able to manage service availability, requirements accuracy, security and performance across software and infrastructure. Furthermore, this risk spectrum must be presented in a portfolio mannner that assesses risk factors on in-flight and potential fulfillment alternatives, both at this moment and forecast over time. A trivial task it is not.

Regardless of the complexity, technology risk assumption does not provide business value. In Hertzberg’s terms, keeping one’s house in order does not provide satisfaction to one’s partners, even if the absence of order creates genuine dissatisfaction with one’s partners. Successful assumption of risk – maintaining uptime within tolerance, or being “on time and on budget” - are nothing more than basic hygiene. We have allowed these to masquerade as providing “business value.” They don’t. The absence of hygiene – reliability, performance, continuity, completeness – relegates IT to a tactical role because it gives the appearance that IT is incapable of keeping its house in order. At the same time, the presence of hygiene – making deliveries on schedule, or meeting conditions of SLAs – does not entitle IT to a strategic role, it merely contains dissatisfaction.

To become a strategic capability, IT must offer motivators to the busisiness. To accomplish this, IT must focus specifically on activities that mitigate business risk. The core opportunity lies with people. IT is still very much a people-based business; that is, code doesn’t write itself, projects don’t manage themselves, network topographies don’t materialise, solution fitness dosesn't just happen, etc. A key differentiator in what makes IT strategic versus tactical is the extent to which people are leveraged to create business impact: the developer who creates a clever solution, the analyst who connects a complex series of support issues and expressed business requirements, the project manager who brings business solutions to fruition. This requires an outward view that includes domain knowledge and business intimacy on the part of IT professionals. A greater, outward looking context core to each person’s day-to-day is how IT is provides satisfaction to the business. The absence of this - reverting to the “you do the business we’ll do the technology” approach - relegates IT to a utility service, at best a department that doesn't let the business down, at worst something that does. Conversely, an outward-looking, business-engaged capability that is focused on the business problems at hand is what distinguishes a strategic as opposed to a tactical IT.

An efficient, risk-assuming IT capability is a superb utility that contains cost. It is well regarded by the business until a less expensive alternative presents itself, at which time that same IT capability becomes an under-achiever, even a nuisance.2 By comparison, an effective, expansive and business-risk-mitigating IT is a superb driver of business value, in touch with the environment such that it anticipates change and adjusts accordingly. In so doing, IT is not in the minimising business – minimising downtime, minimising cost, minimising catastrophic failures – but in the maximisation business – specifically, maximising business returns. A risk-assuming IT defines tactical IT; a risk-mitigating IT defines strategic IT.



1IBM's Institute for Business Value offers a number of interesting research papers. On the whole they have much more of a consumer-oriented view of IT and offer different market perspectives on the role of IT. Look for another Capital Markets paper in July 2007.
2Michael Porter made the case in Competitive Strategy that competition on price isn't sustainable; we should expect nothing different for an IT utility.

Labels: ,

  1:39 AM
Comments: Post a Comment



<< Home
Agile approaches to IT leadership, governance and management

About Me
    Name:
      Ross Pettit
    Location:
      Worldwide
 
Recent Work
  • alphaITjournal, 13 May 2009: Governing IT Restructure
  • Baltic Dry Posse, 11 May 2009: Stress Test Grade Inflation
  • Webinar, April 2009: Restructuring IT
  • alphaITjournal, 24 February 2009: Restructuring IT: Changing Fundamentals In-Flight
  • alphaITjournal, 21 January 2009: Come the Hour, Come the Leaders
  • The Cerebral Dad, April 2009: Extraordinary Accomplishments

    • Previous Posts
  • Just as Capital Has a Static Cost of Change, So Mu...
  • Patterns and Anti-Patterns in Project Portfolio Ma...
  • Agile under Sarbanes-Oxley
  • Corporate Mental Health
  • An "Innovation Maturity Model?"
  • Aligning for Innovation
  • The Aptitude to Innovate
  • It might make the car go faster, but does it make ...
  • The Leading Indicator of IT Relevance
  • The Governance Gap

    • Selected Articles and Publications
  • alphaITjournal, 19 November 2008: States of Governance
  • alphaITjournal, 22 October 2008: Volatility and Risk of IT Projects
  • Webinar, 19 September 2008: An Agile Readiness Assessment
  • alphaITjournal, 17 September 2008: Is Your Project Team "Investement Grade?"
  • alphaITjournal, 25 July 2008: Are You Marking IT Projects to Market, or Meltdown?
  • Press release announcing the launch of alphaITjournal.com, July 2008
  • ThoughtWorks CIO Update Video, June 2008: Taking Agile Maturity to the Next Step
  • Webinar, June 2008: Agile Made Us Better, but We Signed Up for Great
  • ThoughtWorks Studios Blog, June 2008: Metric-Driven Management versus Management-Driven Metrics
  • Webinar, June 2008: Agile Reporting and Metrics: Project Intelligence for Successful Software Delivery
  • Agile Journal, April 2008: Quality Assurance: Value Added Partner, not Blunt Instrument
  • The Wall Street Journal, Letter to the Editor, 25 March 2008: IT Leaders Must Change, Not the Business Side
  • Agile Journal, February 2008: Management Driven Metrics Versus Metrics Driven Management
  • Agile Journal, January 2008: The Dichotomy of Change
  • Agile Journal, December 2007: Building High Performance Capability
  • Agile Journal, November 2007: Mythical Agile Shortcuts
  • Agile Journal, June 2007: The Agile Organization
  • Agile Journal, January 2007: Business Value Applied: Aligning the Day to Day with Business Imperative
  • Agile Journal, December 2006: An Agile Approach to IT Governance
  • Agile Journal, October 2006: So You've Decided to 'Go Agile' - A Pragmatic Approach to Onboarding Agile Project Management
  • Agile Journal, June 2006: An 'Agile Maturity Model?'
  • Agile Journal, March 2006: Agile Processes: Making Metrics Simple
  • A complete listing of articles published on alphaITGovernance on alphaITjournal.com
  • A complete listing of articles published on The Agile Manager on Agile Journal
  • Translator (Spanish to English), 1999. Homestyle Recipes for Financial Management Candioti, Eduardo. 5th Edition (Bilingual). Universidad Adventista del Plata Press.

    • Presentations
  • Webinar, 5 November 2008: The Agile PMO - Real Time Metrics and Visibility
  • Webinar, June 2008: Agile Made Us Better, but We Signed Up for Great"
  • Webinar, June 2008: Metric-Driven Management versus Management-Driven Metrics
  • Zürich, March 2007: Swiss Testing Day 2007 - A Pattern for Continuous Testing in Dynamic Domains
  • Munich, January 2007: OOP 2007 - Forge behind the Firewall
  • San Francisco, December 2006: SDForum - The Future of Open Source Communities: The Impact of Exchanges, Forges and Marketplaces
  • Sydney, Melbourne, November 2006: ThoughtWorks Australia - Quarterly Technical Briefing
  • Toronto, October 2006: e-Financial World Expo - Trends in Financial Services Application Development
  • Webcast, July 2006: Agile Journal - Enabling Global Business Success

    • Blogroll and Links
  • Mike Ward's blog.invoke(m2ward);
  • Mike Ward's Waffle: A faster way to develop Java web apps
  • Paul Hammant's Inversionism
  • Paul Julius
  • Muness Alrubaie's Mundane Essays
  • Adrian's Tech Blog
  • Mike Roberts' Blogtastic
  • Miško Hevery's Testability Explorer
  • Brad Cross
  • Zoonabar
  • Joe Z's The Agile Project Manager
  • Sean Doran's IT is All About the Delivery
  • Shaun Jayaraj's What to do? We are like this only
  • Carl August Simon's Corporate Sex Therapy
  • Carl August Simon's Consulting Adventures
  • Tom Looy's Conversations with Andrew

    • Archives
    July 2006 / August 2006 / September 2006 / October 2006 / November 2006 / December 2006 / January 2007 / February 2007 / March 2007 / April 2007 / May 2007 / June 2007 / July 2007 / August 2007 / September 2007 / October 2007 / November 2007 / December 2007 / January 2008 / February 2008 / March 2008 / April 2008 / May 2008 / June 2008 / July 2008 / August 2008 / September 2008 / October 2008 / November 2008 / December 2008 / January 2009 / February 2009 / March 2009 / April 2009 / May 2009 / June 2009 /


    Content © Ross Pettit 2006-2008

    Powered by Blogger