Interview with a Chief Risk Officer
Welcome to The Tech Show. My name is Aziza and I’m here today with Focus GTS.
Focus GTS, a niche IT staffing and recruiting firm focusing on four areas of technology, being; Business Intelligence & Analytics, Data Science & Artificial Intelligence, Digital Marketing Technology, and Cloud Technology.
We provide you with sought out in-demand talent and we help you fill those hard to fill roles in IT.
We’re here today with Carlos Urrutia, a Chief Risk Officer previously at Swiss Re and we’re going to be talking all about project risk management, and how to minimize project failure and increase ROI.
Hi, Carlos, and welcome to The Tech Show. We’re so happy to have you today.
First of all, thank you very much for inviting me.
For every guest that comes on our show. We’d have to have to absolutely know. Are you team Nike or team Adidas?
That’s an interesting question, actually. I am a team Asics.
Oh, that’s interesting. I don’t think I’ve ever heard of that before.
Well, is my preferred brand for running shoes actually.
Project Risk Management Is A Marathon
Since you’re into running, would you say that IT Project Risk Management a sprint or a marathon?
Risk Management is certainly a marathon, not a sprint. Is something that you have to do consistently from beginning to end. During the entire career and during the entire project or whatever you are doing.
Managing IT Project Risk Can Help You Maximize ROI
So let’s start off by talking about why it is important to do project risk management?
A few years ago, The Project Management Institute, identified what a successful project is…
And they said a successful project has to meet 3 functionalities that it was designed for.
It has to be on a budget, and it has to be on time. It has to meet the business goals, and it has to be used by the users.
That’s how they define a successful project.
Then, they did a survey of hundreds of projects in IT.
And they found out that 14% of the projects were what they call a “total failure”, meaning they did not use them at all – 14%. So you can say, well, that’s only 14% – it is not that bad, because that means 86% were successful.
Not necessarily. Of those 86% were not a total failure, 49% were late from the original timeline. 42% were over-budget and about 30 to 32% did not meet the business goals. So when you see those types of numbers, you can see that WOW companies are investing a lot of money in IT and in projects. They have to be very careful about how they spend their money.
So you have to try to maximize the return of investment as much as you can.
And managing a project’s risk will help you tremendously in minimizing those negative effects of any of those potential risks, materializing, and affecting the outcome of your project. And that’s why it is extremely important.
So what you’re saying is most of the projects that get started in IT actually don’t make it through the threshold of, actually doing what they had planned originally for it to be.
Most projects are not a hundred percent successful. And that would represent a waste of resources for the company. From personnel to money, and investment.
So that’s why it’s critical.
Manage Risk From The Very Beginning
I remember a few years ago I was called to be on the board for the project. This was a large integration project. It was a multi-year multi-million dollar project. And the first thing I did was I said – “Well, can I see the latest status report?”. And when they showed me this big report
It had a timeline, it had the original budget, actuals, and how they were consuming that budget. They had diagrams of the team, all the issues – It had everything.
As I went through the project’s status report, I said – “I can’t find a section on risks, not even one page. So I called the project manager and I said, where are your project risks in your report?
I was really surprised by the answer – “we don’t have risks in this project”. And I said, “multi-year multi-million dollar project, and we don’t have risks?”. What about your schedule? Your scope of the functionality in your project? You’re managing vendors? What about them failing, potentially? What about your development team?
I mean, there are so many things that can go wrong in a project that is imperative that you manage risk from the very beginning.
Identify Project Risks That Are Critical
So, as you come in as a Chief Risk Officer into an organization, what are the most important things would you look at? What are the first steps would you take with project risk management?
Of course, the Chief Risk Officer has very, very wide responsibilities. I mean, you look at all sorts of risks. But see, we’re talking about project risks specifically, and more specific IT project risks. What I would say is, you need to have a meeting with all your stakeholders. And not only the development team, but involve your project sponsor, involve people from the organization that might be impacted by this project, and the project manager. And you can just start with a brainstorming session. Start thinking about all the potential risks that could affect the project.
And remember, risks are things that have not happened, but that could impact your project.
Some people confuse risks with issues or already existing problems.
So identify those potential risks. And then what I would say, do something very simple. Assign the probability of each of those risks. Define what will materialize or will happen, and then assign the scale of what will be the impact if that happens.
And it could be as simple as a low, medium, and high for impact. And low, medium, or high for probability. Or you can go a little bit more sophisticated. But by doing that, at least you will be able to identify those risks that are more critical. Or if they happen, they will have a bigger impact on your project.
So let’s review your brainstorming session. You might identify 30 risks in your project, but maybe only 5 are in the category of high probability – high impact. So for those 5, design specific mitigation actions. Write them down and agree with the team, what is what we would do to try to minimize the impact of those risks?
It’s not a difficult exercise, it’s very simple. But then every, let’s say every two weeks, or when you have your meetings with your project sponsor and your team, you review that list. Review the probability and impact. Analyze if there are any projects that are no longer relevant. Maybe they materialized already, or they’re just not relevant – take them off the list. Or ask yourself, do we have any new projects that we need to add? And that’s a very simple way to manage your project risk. Document those things in your project status report, and it will make a big difference in the success of your projects.
Project Risk Management Helps You Make The “Conscious” Decision
And I see in the back you have that picture that says “take risks”.
So I absolutely, absolutely have to ask: since we are talking about risks. Obviously, a lot of companies bring in new projects and of course, everything has risks. But after analyzing and perhaps taking the strategy you have just talked about, it doesn’t mean that they don’t have to take the risk. Right?
So at what point do you decide whether you take that risk or completely eliminate the project or what not?
Exactly, and you said it right and correctly. You don’t have to, but when you are analyzing your top risks and you’ll define your mitigation actions.
You can agree with your team. Maybe you say – “you know what, we’re not going to do anything. We know that risks exist. We’re just going to monitor the project closely.” But you’d be missing the opportunity to decide where you’re willing to take the risk. At least then it’s a conscious decision, and you know what could happen, and you know what impacts it could carry.
So at that point, you can decide, ok – we’re not going to do anything, or we’re going to have this plan B in case something happens. Or we’re going to be doing these other controls or these other precautions to minimize the risk. That’s where you identify what you need to do.
Well, in the country that I’m from, they have this saying among the general population. They say that “people who don’t take risks, don’t drink the champagne”. Would you agree with that?
The Biggest Risk Is Not Taking A Risk At All
Well, you know, when I had this poster done, I also thought about getting a quote that says “the biggest risk in life is not taking any risks”.
So sometimes risk management is not just trying to avoid all risks. Sometimes from the risk management, you can say, you know what, you’re not taking enough risk. We might need to be a little bit more risk. Proactive risk, but you have to find the right balance.
Find A Balance In Your IT Project Risk Management Strategy
So what would your advice be regarding that balance? Where do you stop? Where do you go? What do you look and say, “okay, this needs to, this needs to have more risk – or this needs to have less”.
I would say, when you define where you go and where you stop, it certainly depends on every risk and every project. There are such a wide variety of projects, you know. In IT, I mean, you can have risks like for example, the risk from your vendors.
If you are doing a project where you have external vendors, they might go out of business. They might not have the right resources. The resources could go someplace else. There are so many risks from being late in your project, being over budget, and not meeting the right expectations.
There are some projects from the IT perspective – are done beautifully.
The architects and the software developers are great people and they do marvelous things. They can do almost anything in IT. But I have seen projects that got done and completed in IT – but they are not used by the users, or they’re used maybe 20% of the time.
And that is because we failed, and now we have to do what is called an “Adoption”.
I’m pretty much training the users and convincing them of the advantages of that new system, what it is going to carry for them. I mean it’s just the way they do their job.
But, going back to your question, I mean, it varies. And I would say when you analyze your top risks and you decide what actions you need to take, that’s the point where you’re saying, “okay, here, we’re going to do a little more or here we’re not going to do anything”.
Of course, you cannot just cover all the risks and put these big amounts of control, because that means your project cost is going to go up. Because then you will have too many resources working just on risks. So you have to find that balance, and it totally depends on your project and the team.
The Higher The Project Risk Management, The Higher The Contingency
So, we work with a lot of the vendors that get like a new CMS in, right? Like something like Adobe Experience Manager and they always say that their projects are almost a hundred percent of the time, take longer, and cost more. And what they had failed to kind of get into is that talent, when they initially purchased the initial CMS, the talent is hard to find. There are not many individuals that are specialized in that specific technology. And it takes them longer to actually find somebody until they do.
And from that perspective, what would your advice be for a company bringing on a new CMS and knowing that the talent is not out there, or maybe not knowing how to put yourself in a situation that you come out ahead instead of behind?
Set The Right Expectations
Well, I will say that you have to set the right expectations for your executives or for the board, whoever is your project sponsor, you have to set the right expectations. It is very common for developers, project managers, and people that are in the projects to over-promise and then under-deliver.
Analyze Your Risk
But what has happened, if you really analyze your risk, and you realize that maybe for this specific technology or for this specific system, that there are not too many qualified resources, there is already a risk. If that vendor loses some other developers or experts or subject matter experts, then he’s going to be in trouble.
Take Some Contingency
So if there is a risk, then in your estimations for the timeline of how long it’s going to take, you need to add some contingency. The higher the risk, the higher the contingency. I have guided projects where I have 40% additional more time because of the number of risks that we manage. It is different.
If you’re going to design a website – it needs a template. You have done it many times and it’s very simple. So your risk is small. But is it a new technology? There are not too many resources. You have several vendors. Your risk increases, and that’s why it’s very common that they’re usually late.
I would say if you have a lot more risks and you can prove it. Your contingency factor in your estimations is going to be higher. And that’s why I’m estimating that the timeline is going to take a year and a half instead of a year. And you provide the effect of more realistic expectations. So, executives can decide.
Do we want to do this project? Do we want to invest or not? That’s the value that you can bring.
That’s very good advice. Again, thank you for coming on to The Tech Show and we appreciate having you, Carlos. I think you brought a lot of value to our listeners.
I expect that they will take the recommendations and that they will improve the outcome of their projects.
So thank you very much for inviting me. It has been a pleasure.