In fact, according to Forrester Research VP and principal analyst Chip Gliedman, "of all investments within an organization, investment in IT is generally assumed to have the most risk associated with it. Yet, it is surprising that IT investment has traditionally received the least amount of attention when it comes to risk management," Gliedman writes in a new report "Quantifying Technology Investment Risk."

The process of risk measurement has been "confounding decision-makers within IT for some time," Gliedman asserts. As a result, companies rely on weak qualitative analysis that only loosely ties to enterprise-application project outcomes, he says.

Gliedman breaks down IT risk factors into two categories: implementation and impact risks. Implementation-based risks relate to areas such as project size ("the larger the project, the higher the level of uncertainty about the outcome") and the technology and vendor (will they both deliver on the intended benefits?). Impact-based risks include cultural, training and managerial factors that all can significantly affect any project's outcome and benefits.

Most IT departments today could use help in the ongoing struggle to align IT with the business and vice versa: business execs are frustrated by application uptime challenges and their significant costs to the company's bottom line, though IT isn't fully aware of that; the business side is also not at all excited about long-term enterprise projects; and as a consequence of both, they're feeling animosity toward IT.

Providing more risk transparency to the Mahogany Row on all IT projects could be a huge win for IT departments right now.

Gliedman offers what he terms a "simple but powerful" method to determine the value of any IT investment's costs and benefits. It's called "triangular distribution," and he does a good job explaining how to do it (subscription required).

Gliedman provides an interesting example, using a classic buy-versus-build scenario on an enterprise application that all IT departments face today. Using the triangular distribution methodology, Gliedman shows that adjusting for risk on the buy-versus-build example (whether its for ERP, CRM, supply chain or BI application) reveals that initial ROI estimates were too high, and the "more expensive" alternative may actually not be more expensive in the long run.

"While the risk analysis cannot on its own point to the best course of action, it can provide the additional shading to management so that the eventual decision is an informed one," Gliedman concludes. "Likewise, expectations can be set properly, avoiding overly rosy ROI projections that will lead to inevitable disappointment."

Do you Tweet? Follow me on Twitter @twailgum. Follow everything from CIO.com on Twitter @CIOonline.