As shown in the previous blog about risk, risk identification, assessment, and management are different for services owned and managed by IT (TCS risks) compared to assets owned by IT (TCO risks). The Total Cost of Service– Risk Management (TCS-R) is the identification, assessment, and visualization of an organization’s service-based systems and project portfolio.
This goal of this blog is tell you the top TCS-R approaches that can be used to quantify digital business services risk. I will focus on how to measure risks – and not list common digital business project risks of which there are many sources (pick your # of risks such as 5 here, 6 here, 7 here,).
A representative high-level risk assessment process is:
But how do you assess and measure risk? We will look at the top techniques, using a sample digital business project – create an online product catalog – for example risks.
Top Techniques To Identify and Manage Digital Business Risks
A risk map is a heat map visualization of risk, typically using axes of “impact” and “probability of occurrence”. The axes are generally delineated into high (red), medium (yellow), and low (green) regions.
Risks are listed in a list and assessed quantitatively as high, medium, or low along with other pertinent information.
ROI, TCO, NPV, Payback Period
Though most organizations use one or more of these metrics to measure the viability of an IT investment, few use a systemic process to understand the involved risk. A positive ROI (or TCO, etc.) does not mean the investment will be successful.
These metrics are financial not risk measurement metrics. The investment risk in achieving (or not) your organization’s favorite metric can be estimated by performing a sensitivity analysis of the major investment cost and benefit drivers. If there is a sufficient ROI for the baseline case and for all potential major changes in the cost and benefit drivers, the project is low risk.
Following is a chart showing two investment options and the breakeven point. For each investment, calculations are:
Return On Investment: (net profit)/investment cost
Total Cost of Ownership: sum of all direct and indirect costs, e.g. purchase costs, operating expenses, indirect (support) costs
Net Present Value: each cash inflow and outflow discounted back to its present value based on an opportunity cost of capital. NPV = sum of (Rt/(1+i)t ) over time, where t is the time of the cash flow, Rt is a cash flow at time t, and I is the discount rate.
Payback Period: The period of time at which the benefits of an investment match the funds expended. Below, we can see two alternative investments available to an organization– Building an online catalog using vendor tools will yield lower income but faster payback period (lower risk) while building a catalog by creating custom catalog management tools will produce higher income but have a longer payback period (higher risk).
Real Options Analysis (ROA)
Applying real option analysis to IT capital budgeting can result in what most people would consider a better decision than simply using NPV or ROI. Real options analysis can support decisions relating to topics such as the order of investments, timing, scale-up, IT development flexibility, benefits / revenue expectations, and continuation / termination opportunities. ROA assumptions regarding outcome probabilities, value of the various alternatives, and discount rate makes it is difficult to understand. Black-Scholes is one mathematical technique to calculate ROA value.
The following graphic is a representation of a real options analysis show the NPV of various alternatives. We can see in this example that there are several potential alternatives – Build Catalog V1 and stop, or continue Build Catalog V2 with 2 different options – each with varying NPVs. This provides more information than a one simple NPV calculation per alternative, but is more complex to create and understand.
Simulation (Monte Carlo)
By assigning probabilities to decision events, a probability distribution can be created by randomly modeling event occurrences. For example, each NPV value in the above options analysis could be given three values – average expected, high, and low – with a probability associated with each value. The simulation probability distribution can be summarized to show the expected value and probability risk. While mathematically based, results can be very sensitive to the assigned values and probabilities, which are often a SWAG.
Expected Value Analysis (EVA)
The expected value – probability of occurrence times the value of the alternative – of each alternative is evaluated, with the highest expected value being the recommended choice.
With all these techniques, what to do?
For portfolio analysis, risk maps, risk registers, and expected value analysis are all good. A combination is best:
Risk maps for visualization
EVA for value quantification. Create several EVA scenarios to create a range of expected values.
Risk register to capture the details.
Except for specialized situations, real option analysis and simulation are too complex for typical project risk analysis. Use an NPV map – not just the NPV number itself – to measure expected return and to quantify project risk. The risk probabilities and financial impact of the risks associated with each probability need to be highly visible.
Peter Brooks has over 20 years of successfully providing business and IT solutions to clients, quantifying the business value of technology products and solutions, identifying competitive advantage, and developing product strategies. Peter has worked as a consultant in large companies such as IBM, PWC and Wipro, in startups and at his own consultancy.
Peter provides industry thought leadership. He is a co-author of several Harvard Business School Working Papers, co-author of Data Warehousing: Practical Advice From the Experts, and is a certified project manager (PMP). He was a Contributing Editor to DBMS / Intelligent Enterprise magazine, has authored numerous articles, and has been quoted in industry publications.
The opinions expressed in this blog are those of Peter Brooks and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.