IT’s latest survival skill: Embracing risk

If you’ve spent your career in IT, you’ve probably gotten really good at making sure nothing goes wrong. Outages are unacceptable, even if they’re only a few seconds long. Cybersecurity is a constant worry. Success is measured in reliability and availability. Your most important skill is anticipating issues and fixing them before they occur.

There’s just one problem. In this time of rapidly changing technology and upstart industry disruptors, making risk avoidance your top priority will only help you get left behind. You can’t play it safe, because there’s no such thing as safe. In today’s digital business world, IT leaders must accept and even embrace a certain amount of uncertainty and risk. Even more challenging, they must help the people who work for them embrace it as well.

“Risk is always relative,” says Scott Buchholz, CTO of Deloitte Consulting’s government practice. “Getting out of bed in the morning and taking a shower is taking a risk. But when we talk about risk in IT, what we sometimes mean is doing things that have a higher than normal chance of failure. And the reason that’s important is that technology is changing very quickly and there are fewer and fewer people who understand all the implications. Being able to handle risk becomes increasingly important.”

Taking risks and sometimes accepting failure is also a necessary aspect of innovation and digital transformation. C-suite executives know this, and they also know that risk-taking may not be in IT’s DNA. This is why many organizations separate innovative and riskier initiatives from traditional IT, handing them off to a chief innovation officer or chief digital officer instead.

But that’s the wrong approach, says Bob Worrall, CIO of Juniper Networks. “It’s a cop-out from two different perspectives,” he says. “First, I would venture to say that if you asked our C-level staff who our chief innovation officer is, they would answer that every top executive is a chief innovation officer; identifying a single person who can lead innovation across the whole company is a crazy notion.”

The second reason is that IT will necessarily be deeply involved in any new technology that gets deployed. “I’ve seen this: You come up with a chief innovation officer and that person creates a byzantine application that requires a lot of work from IT,” he says. “Pretty soon, you’ve created a gap between IT people who have to support the function and the people living in this glass palace. If you’re looking to the CIO to be chief innovation officer and he or she isn’t accomplishing that task, replace the CIO. Don’t create an organizational mess because you have the wrong person in that chair.”

The message is clear: IT has to get out of the risk-avoidance business and into the risk-taking-and-innovation business, at least some of the time. How do you make that transition, especially when accepting risk may not come naturally to long-time IT employees? Experts who’ve been there have some advice:

Be honest about the need for change

When Worrall joined Juniper Networks as CIO in 2015, the company was in the middle of a seven-year transition from on-premises IT to the cloud. Juniper completed the transition and closed its last data center in December 2018. It was a bold move and not everyone in IT was comfortable with the changes or risks. “IT people are pretty risk-averse,” he says. “There were definitely people who were concerned about moving critical applications to the cloud, and generally speaking IT people like repetitive, predictable, comfortable and secure environments.”

So Juniper’s IT employees were offered a choice, Worrall says. “Either choice is fine, but the choices were: ‘I like the predictable nature of the IT work I’ve historically done; I’m uncomfortable with this newfangled technology.’ But if that’s the case, Juniper probably isn’t the right place for you, long term. The other choice is that you might not be comfortable with the idea of changing technology and a little bit more risk, but think of it from a career development viewpoint. Think of the added credentials. We tried to sell it to people that way.” He estimates that about 75 percent of Juniper’s IT employees stayed in IT after the transition to cloud, and 25 percent left, in some cases for other parts of the company.

Learn to celebrate failure

There’s no getting around it: If you adopt a risk-taking mindset and a less risk-averse approach to technology, more will go wrong. But experts say that’s a feature, not a bug. “Failure sounds like the F word,” Buchholz says. The problem with this is that if you treat failure as a disappointment or as something that shouldn’t have happened, you may not want to dwell on it or examine it. And then you miss the benefit of having failed.

“Let’s say we have a hypothesis that if we apply machine learning to a customer retention problem, we will be able to improve customer retention,” Buchholz says. “You try it out and you don’t get the result you expected. It doesn’t necessarily mean the whole idea was a failure. It could be that the technology wasn’t ready, or that the data wasn’t good enough, or not in the right state. Unless you figure out why you didn’t get the result you were expecting it’s really hard to learn from that experience. We have a tendency to run away from things that didn’t go our way a lot faster than is good for us. That’s why celebrating failure is important. We should celebrate that someone tried their hardest and didn’t succeed.”

This is also why you should have a frank discussion about risks and the possibility of failure at the outset of every project, says Sandeep Londhe, chief competency officer and former CIO at IT managed services and consulting firm ITPeopleNetwork, LLC. “Obviously, we will have issues up front,” he says. “The technology won’t work, or the right people won’t be in place, the talent pipeline might not be there, or the partnerships that are needed may not be working in the right manner. If people are told everything should work right from the get-go, and everything should be clean all the time, no one will bring up that question about risk. People won’t have the incentive or the fortitude to bring those issues forward because they believe the issues won’t be solved, and they’ll be seen in a bad light.”

When something fails, it’s especially important to recognize that fact and deal with it as early in the process as possible — in other words, to follow the adage first attributed to Thomas Edison, “Fail fast.” Unfortunately, the culture of most organizations makes fast failure very difficult, says Irving Tyler, vice president on the CIO Research Team at Gartner.

“The real difference between an innovation portfolio and a traditional asset portfolio is uncertainty,” he says. “You have to be willing to kill things, to constantly take things out of the portfolio. But in a traditional business approach, once things are approved and associated with someone’s name, they never die. That person will do everything possible to make sure that initiative lives on forever.”

Instead, he says, CIOs and C-suite executives should be more like venture capitalists. “If you look at the hit rate of a VC, their hit rate is bad. But they’re good at getting rid of things before they get too expensive.”

Make sure your management practices encourage risk-taking

In IT, as everywhere else, actions speak louder than words. So there’s no point asking employees to be open to innovation and failing fast if they know they’ll have a career setback if things go wrong.

“Most leaders aren’t necessarily aware of the incentives and counter-incentives affecting employees,” Buchholz says. “I work with a number of large bureaucracies, and in bureaucracies the punishment for failure is always disproportionate to the reward for things going right.” If this is true in your organization, you’ll have a tough time getting anyone to try anything new.

At the same time, make sure to reward employees who are more open to innovation and risk-taking. “For the part of the population who want things to always stay the same, no amount of persuasion is going to change their minds,” Buchholz says. “On the other end of the spectrum are people who like trying new things and making changes and the easiest place to start is with them.” Encourage these employees to take the lead on new projects, and then make sure to highlight their efforts to the rest of the team, he says.

“As you create an environment where you encourage teams to take risks, give visibility to those success stories where someone might have taken a risk,” says Vijay Sankaran, CIO at TD Ameritrade. “When that’s the culture, people become less and less afraid, and they gain the capacity to take on risks as well.”

Start with pain points

Where’s the best place to start creating innovation and encourage risk-taking? Look for systems that aren’t working as needed, where frustration levels are high, and there seems to be little to lose.

That’s the approach Sankaran took when he became TD Ameritrade CIO in 2016. At the time, he says, IT was struggling with uptime and with completing projects on deadline. He knew that a move from waterfall to agile would make a big difference, but it meant taking many IT employees out of their comfort zone. “There definitely was a fair amount of change management that had to happen,” he says.

To make the transition easier, he started with what wasn’t working. “We really tried to focus on pain points, places where people were dissatisfied with the status quo,” he says. “For example, we had no ROBO [remote office/branch office] solution. If we wanted to get into that, it would have taken two years the waterfall way, and the market was moving much too fast. So it became a good example of a risk worth taking.”

Buchholz recalls a recent conversation with a healthcare CIO who said he was having trouble getting employees to explore new ideas. “Basically, he was saying, ‘How do I get people to take more risks?’ In his case, it was tone at the top. The interesting thing is his customers, the physicians who run this healthcare provider, all wanted more innovation.”

Healthcare, of course, is an example of a highly regulated industry where many executives routinely reject new technologies for fear of violating HIPAA (Health Insurance Portability and Accountability Act). But it’s also an area where innovative technology could potentially do a great deal of good. “Can you use AI and voice recognition and computer vision to figure out if people are following proper handwashing procedure?” Buchholz asks.

“Or you might have some sort of virtual assistant in the operating room so you could say, ‘Please page doctor so-and-so,’ and it knows how to do that so you don’t have someone running to the pushbutton phone in the corner in the middle of surgery,” he adds. “Even in the best hospitals today, operating rooms make mistakes, so anything you can do to reduce the number of mistakes made is helpful and useful. Is that a risk? Yes, in that you’re spending money on something that might not work. But if you’re trying to improve patient outcomes, maybe it’s riskier not to do it.”