The risk-taker CIO paradox

CIOs are driving organizational strategies now more than ever. The more a CIO’s success is tied to business outcomes, the more risk they assume. Traditionally, CIOs have been responsible for KPIs like uptime and system availability to support internal productivity and operational efficiency. But suddenly—now that all industries are becoming digital—there is much more at stake.

This shift from “playing for keeps” to “playing to win” means organizations are actively seeking out CIOs who are willing to take on more risk. Placing bets (taking risks) at the right tables (in certain functions) is the best way to maintain reliability while experimenting to win in the long run.

A “risk-taking CIO” is not an oxymoron, it is the new norm.

Where and how to take risks

There are different risk appetites commonly found within each area of IT responsibility:

• IT infrastructure is expected to be very reliable and secure; the appetite for risk is low.
• IT service functions carry moderate risk; some risks can be neutralized by objective measurements and others can be shared with the business.
• Strategic IT investments carry the most risk, often in the form of tactical execution blunders and change resistors.

Here’s how to manage risk within each domain:

Fundamental technology must work

Hardware, operating systems, back office applications, and other established technologies have an established expectation for reliability. Security is another area where performance expectations are high.

One way to mitigate risks related to these fundamental technologies, where reliability expectations are high, is to outsource with appropriate SLAs. But not all technologies can or should be outsourced. Plus, even if they are, IT is still seen as the guardian. So when the business identifies functionality or performance gaps, they will always blame IT.

The best method to address technology complaints is to establish a continuous improvement program for IT systems, and require that the business prioritize and sponsor all complaint resolutions.

Service risk is manageable if performance targets are objective and project ownership is shared with the business

If service quality is only defined by internal customer satisfaction, you’re aiming for a moving target.

One of our clients used to send out annual IT department satisfaction surveys to the entire business community. The results were a crapshoot because the measures were subjective and greatly affected by recent events. When the CIO came to an agreement with his business counterparts on a finite set of KPIs, such as employee productivity, response time, budgets, hourly costs, etc., suddenly the year-over-year changes were objectively measurable and visible.

Establish objective performance measures and consider implementing internal SLAs as another helpful risk-reduction strategy.

Some IT services naturally share risk with the business, but that can be a risk in itself. Say your finance department requests a new BI solution. They prepare a business case and choose an off-the-shelf product. On the surface, the finance team should assume the responsibility for the success of the implementation. In reality, if the project misses the mark, IT could easily become a scapegoat.

With shared risk, both parties are exposed to the full brunt of responsibility. The most constructive approach to risk sharing is through a partnership mindset: If we win, we win together. If we fail, let’s fail fast and both own up to it.

Strategic risk is not with the vision, but with the execution

Organizations are asking CIOs to drive strategy. After all, the bulk of strategic investments today is in technology. This implies risk. Assuming and mitigating risk is the only way to succeed here. All too often, a CIO with a great vision falls victim to poor execution.

Here are some approaches to consider:

Enlist a champion from the business. Working with an effective champion greatly increases the chances for success, plus shares any project risk with the business unit.

Fail fast. Create an environment where it’s ok to try and fail. For any innovation to occur, failing fast is the key ingredient. When individuals feel they can safely experiment on a small scale, the organization as a whole will be more successful at embracing change.

Establish an IT governance function. When IT is overcommitted, every activity is at risk. If everything is promised to everyone, and nothing is prioritized, you are set up to fall short of expectations. Governance is the mechanism for agreeing to what is (and what is not) on IT’s plate. The primary purpose of an IT governance team is to optimize IT’s workload. This team is responsible for establishing prioritization criteria, and for ensuring each project delivers the intended strategic benefits.

Optimize project resource allocation. Execution risk is lower with an Agile, heterogeneous resourcing model. This is where resources are cross-trained for maximum flexibility and dedicated to just one project at a time. This approach reduces switching costs and greatly increases individual productivity. 

Replace change-resistant employees. The biggest risk of all is keeping subordinates on your team who are uncomfortable taking on risk. Surround yourself with risk-taking managers, directors, and VPs. This may require a high-stakes move such as laying off a longtime team member. But if resistance to change is coming from within your team, you don’t have a chance. Build a team that wants to take on the risks necessary to succeed.

These are just a few techniques great IT leaders employ to mitigate strategy execution risks.

Raising the stakes is difficult—but necessary

It is not always easy for an old-school CIO to start taking on more risks. Expectations around risk aversion have been formed and reinforced over time. Staying relevant requires a shift in expectations by other top executives. Newly-hired CIOs have an advantage because they can build new expectations for a higher risk appetite. But even then, they still have to keep taking new risks as their role continues to evolve.

That’s what playing to win is all about. Not raising the stakes at the right time is a CIO’s real threat.