How To Manage Digital Business Risks

As shown in the previous blog about risk, risk identification, assessment, and management are different for services owned and managed by IT (TCS risks) compared to assets owned by IT (TCO risks). The Total Cost of Service – Risk Management (TCS-R) is the identification, assessment, and visualization of an organization’s service-based systems and project portfolio.

The goal of this blog is to tell you the top TCS-R approaches that can be used to quantify digital business services risk. I will focus on how to measure risks, and not list common digital business project risks, of which there are many sources (pick your number of risks, such as 5 here, 6 here, 7 here).

A representative high-level risk assessment process is:

[Figure: Typical Risk Assessment Process (Peter Brooks / IIIE)]

But how do you assess and measure risk? We will look at the top techniques, using a sample digital business project – create an online product catalog – for example risks.

Top Techniques To Identify and Manage Digital Business Risks

Risk Map

A risk map is a heat map visualization of risk, typically using axes of “impact” and “probability of occurrence”. The axes are generally delineated into high (red), medium (yellow), and low (green) regions.

[Figure: Risk Map (Peter Brooks / IIIE)]

Risk Register

Risks are recorded in a list and assessed quantitatively as high, medium, or low, along with other pertinent information.

[Figure: Risk Register (Peter Brooks / IIIE)]

ROI, TCO, NPV, Payback Period

Though most organizations use one or more of these metrics to measure the viability of an IT investment, few use a systemic process to understand the involved risk. A positive ROI (or TCO, etc.) does not mean the investment will be successful.

These metrics are financial, not risk measurement, metrics. The investment risk in achieving (or not) your organization’s favorite metric can be estimated by performing a sensitivity analysis of the major investment cost and benefit drivers. If there is a sufficient ROI for the baseline case and for all potential major changes in the cost and benefit drivers, the project is low risk.

Following is a chart showing two investment options and the breakeven point. For each investment, calculations are:

Return On Investment: (net profit)/investment cost

Total Cost of Ownership: sum of all direct and indirect costs, e.g. purchase costs, operating expenses, indirect (support) costs

Net Present Value: each cash inflow and outflow discounted back to its present value based on an opportunity cost of capital. $\mathrm{NPV} = \sum_{t} \frac{R_t}{(1+i)^t}$, summed over time, where $t$ is the time of the cash flow, $R_t$ is the cash flow at time $t$, and $i$ is the discount rate.

Payback Period: The period of time at which the benefits of an investment match the funds expended. Below, we can see two alternative investments available to an organization. Building an online catalog using vendor tools will yield lower income but a faster payback period (lower risk), while building a catalog by creating custom catalog management tools will produce higher income but have a longer payback period (higher risk).

[Figure: Breakeven Analysis (Peter Brooks / IIIE)]
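The sensitivity analysis described above, applied to the two catalog options, as an added example that is not part of the original article. All dollar figures, the ±20% swings on cost and benefit, the 10% minimum ROI and the 8% discount rate are constructed assumptions.

```python
from itertools import product

def npv(rate, flows):
    """NPV = sum of R_t / (1 + i)^t, with flows[t] the net cash flow at year t."""
    return sum(r / (1 + rate) ** t for t, r in enumerate(flows))

def roi(cost, benefits):
    """Return on investment: net profit / investment cost."""
    return (sum(benefits) - cost) / cost

def payback_period(cost, benefits):
    """First year in which cumulative benefits match the funds expended."""
    total = 0.0
    for year, benefit in enumerate(benefits, start=1):
        total += benefit
        if total >= cost:
            return year
    return None  # never pays back inside the planning horizon

def sensitivity(cost, benefits, swings=(0.8, 1.0, 1.2), min_roi=0.10):
    """ROI for every combination of cost swing and benefit swing.
    Low risk only if the worst combination still clears min_roi (assumed threshold)."""
    grid = {(c, b): roi(cost * c, [x * b for x in benefits])
            for c, b in product(swings, swings)}
    worst = min(grid.values())
    return grid, worst, worst >= min_roi

# Constructed figures ($): up-front investment cost, then net benefit per year.
OPTIONS = {
    "vendor tools": (100_000, [60_000] * 4),
    "custom tools": (400_000, [50_000, 100_000, 200_000, 250_000]),
}

if __name__ == "__main__":
    for name, (cost, benefits) in OPTIONS.items():
        _, worst, low_risk = sensitivity(cost, benefits)
        print(f"{name}: ROI {roi(cost, benefits):.2f}, "
              f"NPV@8% {npv(0.08, [-cost] + benefits):,.0f}, "
              f"payback year {payback_period(cost, benefits)}, "
              f"worst-case ROI {worst:.2f}, low risk: {low_risk}")
```

With these constructed numbers both options show a positive baseline ROI, but only the vendor-tools option keeps a sufficient ROI when costs run 20% over and benefits come in 20% under.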

Real Options Analysis (ROA)

Applying real option analysis to IT capital budgeting can result in what most people would consider a better decision than simply using NPV or ROI. Real options analysis can support decisions relating to topics such as the order of investments, timing, scale-up, IT development flexibility, benefits / revenue expectations, and continuation / termination opportunities. ROA assumptions regarding outcome probabilities, value of the various alternatives, and discount rate make it difficult to understand. Black-Scholes is one mathematical technique to calculate ROA value.

The following graphic is a representation of a real options analysis showing the NPV of various alternatives. We can see in this example that there are several potential alternatives – Build Catalog V1 and stop, or continue to Build Catalog V2 with 2 different options – each with varying NPVs. This provides more information than one simple NPV calculation per alternative, but is more complex to create and understand.

[Figure: Real Options Analysis (Peter Brooks / IIIE)]

Simulation (Monte Carlo)

By assigning probabilities to decision events, a probability distribution can be created by randomly modeling event occurrences. For example, each NPV value in the above options analysis could be given three values – average expected, high, and low – with a probability associated with each value. The simulation probability distribution can be summarized to show the expected value and probability risk. While mathematically based, results can be very sensitive to the assigned values and probabilities, which are often a SWAG.

[Figure: Monte Carlo Simulation (Peter Brooks / IIIE)]

Expected Value Analysis (EVA)

The expected value – probability of occurrence times the value of the alternative – of each alternative is evaluated, with the highest expected value being the recommended choice.


[Figure: Economic Value Add (Peter Brooks / IIIE)]
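The Monte Carlo simulation and the expected value analysis described above, run side by side over the catalog alternatives, as an added example that is not part of the original article. Every NPV value and probability is a constructed three-point estimate, and each stage is assumed to be independent of the others.

```python
import random

# Constructed three-point estimates per stage: (NPV in $K, probability).
V1 = [(-200, 0.2), (100, 0.6), (200, 0.2)]
V2_VENDOR = [(-50, 0.2), (100, 0.6), (250, 0.2)]
V2_CUSTOM = [(-300, 0.3), (150, 0.5), (600, 0.2)]
ALTERNATIVES = {
    "V1 and stop": [V1],
    "V1 then V2 (vendor tools)": [V1, V2_VENDOR],
    "V1 then V2 (custom tools)": [V1, V2_CUSTOM],
}

def expected_value(stages):
    """EVA: probability times value, summed over every stage on the path."""
    return sum(p * v for stage in stages for v, p in stage)

def recommend(alternatives):
    """EVA rule: the alternative with the highest expected value."""
    return max(alternatives, key=lambda name: expected_value(alternatives[name]))

def simulate(stages, trials=100_000, seed=2016):
    """Monte Carlo: draw one outcome per stage, add them, summarize the spread."""
    rng = random.Random(seed)  # fixed seed so a run can be reproduced
    totals = [0.0] * trials
    for stage in stages:
        values, weights = zip(*stage)
        for i, v in enumerate(rng.choices(values, weights=weights, k=trials)):
            totals[i] += v
    totals.sort()
    return {
        "mean": sum(totals) / trials,                     # converges on the EVA figure
        "p_loss": sum(t < 0 for t in totals) / trials,    # chance the path loses money
        "p05": totals[int(0.05 * trials)],                # 5th-percentile outcome
    }

if __name__ == "__main__":
    for name, stages in ALTERNATIVES.items():
        print(f"{name}: EV {expected_value(stages):.0f}", simulate(stages))
    print("EVA recommends:", recommend(ALTERNATIVES))
    # Move 10 points of probability from the high to the low custom-tools outcome.
    shifted = [V1, [(-300, 0.4), (150, 0.5), (600, 0.1)]]
    print(f"shifted custom: EV {expected_value(shifted):.0f}", simulate(shifted))
```

With these constructed inputs EVA picks the custom-tools path by a small margin (165 against 160), while the simulation shows it loses money in about 40% of trials against about 16% for the vendor-tools path; the shifted run shows how far the result moves when one assigned probability changes.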


With all these techniques, what to do?

For portfolio analysis, risk maps, risk registers, and expected value analysis are all good. A combination is best:

  • Risk maps for visualization
  • EVA for value quantification. Create several EVA scenarios to create a range of expected values.
  • Risk register to capture the details.

Except for specialized situations, real option analysis and simulation are too complex for typical project risk analysis. Use an NPV map – not just the NPV number itself – to measure expected return and to quantify project risk. The risk probabilities and financial impact of the risks associated with each probability need to be highly visible.

This article is published as part of the IDG Contributor Network.