Is it Worth the Risk?

Stephen Gold discusses IT’s approach to “risk management” at CVS Health

steve gold CVS Health

In my last blog with Stephen Gold, EVP of Business and Technology Operations and CIO of CVS Health, we discussed Gold’s approach to continuity of value, a process that Gold uses to make sure he and his business partners make the right IT investments. 

No doubt, you have a process that you use to tie investments to value.  Once you’ve spent all of that time making sure you are investing wisely, wouldn’t it be great if your projects were successful? That’s where “risk management” comes in.

Problem Seeking, Not Problem Solving

“CIOs and IT leaders often don’t pay as much attention to risk as they should because it goes against human nature,” says Gold. “By nature, people are optimistic; we tend to assume the positive, even when we develop software.  We test to make sure our functional designs work. But are we planning, building, and testing for the ‘negative’ use cases? Generally not as often, and it’s not because we are technically deficient.  It’s because that kind of thinking puts us out of our comfort zone. Most people think about problem solving; ‘risk management’ is about problem seeking – anticipating problems and searching for them proactively – it’s a different mindset.”

According to Gold, most project management literature addresses several critical aspects of managing a project: charters, project membership, status reports, cadence and metrics. “These topics are all important and necessary, but they are not sufficient,” says Gold. “I have noticed throughout my career that the skills and tools we are missing the most are those which deal with managing risk.”

If risk management is not already a part of your organization, then CIOs would be wise to adopt a formal risk management program to embed a more complete perspective into the IT team’s every day thought.

Risk Management: a Five Step Process

At CVS Health, risk management is a five-step process that includes planning, identification, quantification, response, monitoring and control.

“Our formal risk management practice starts in the earliest stages of portfolio planning and continues through to project execution and post-project review,” says Gold.

“If you look at a work breakdown structure, there is a whole laundry list of risks that should be a part of every project,” says Gold. That laundry list might include:

  • Availability of resources
  • Newness of technology
  • Lack of familiarity with technology or processes
  • Lack of training
  • Critical path tasks
  • Tasks with several predecessors
  • Optimistically-estimated tasks
  • Tasks reliant on external resources
  • Tasks in parallel
  • Tasks with many people assigned
  • Qualifications and skills
  • Holidays, vacations, illness and turnover

Key to risk management is the formula that states “risk equals the function of probability x impact”. “If a risk has a low probability and low impact, you might be able to accept the risk,” says Gold. “But if a risk has a high probability and a high impact, you have to pay attention.” Depending on the probability/impact equation, you can accept, avoid, transfer, share, reduce or ignore the risk.

Post Go-Live Review

To Gold, one of the most critical components in a risk management process is immediately following the launch of a project. “We look back at what went well and what didn’t go well,” says Gold. “Where did we miss the risk?”  It’s the continuous improvement aspect of the program.

Throughout the year, Gold and his team turn a lessons learned inventory from project post mortems into a checklist for every single project. “If issues show up often enough, they should become part of our risk management process,” he says.

One lesson learned that Gold and his team rely on is looking at the percentage of time that someone is assigned to a project along with what else they are working on. “If I am assigned to four projects with 25 percent of my time allotted to each, the probability that I can do all of those on time, on budget, and high quality is very low,” says Gold. “What are the odds that every project will demand my time without a collision? It’s zero.”

This means that whenever people are assigned to projects less than full time, Gold and his team include a proactive conflict analysis to understand what else that person is working on and the probability that there will be a collision.

To Gold, “The key point is that risk management is less about process and communication, and more about the depth and rigor of risk identification and remediation strategy at the outset of a project. Some people will just check the risk management box and then wonder what went wrong. After projects fail, you will then get a thesis on what went wrong, but that’s after the event. How do we anticipate and plan for this before we start?”

It is more fun to go full-steam ahead with a project than stop to think about potential pitfalls, but when your business is more dependent than ever on good technology, a culture of risk management is your next horizon.

About Stephen Gold

Stephen Gold joined CVS Health in July 2012, and is the company’s Executive Vice President of Business and Technology Operations and Chief Information Officer. In this role, Stephen is the company’s senior technology executive and has responsibility for all information systems and technology operations, including information technology strategy, application development, technology infrastructure, and business and technology operations. Before coming to CVS Health, he was Senior Vice President and CIO for Avaya. Prior to that, Stephen was EVP, CIO and Global CTO with GSI Commerce, and VP and CIO with Merck. He has an undergraduate degree in computer science from Saint John’s University, and currently serves as a member of their advisory board.

About CVS Health

CVS Health (NYSE: CVS) is a pharmacy innovation company helping people on their path to better health. Through its 7,800 retail drugstores, nearly 1,000 walk-in medical clinics, a leading pharmacy benefits manager with more than 70 million plan members, and expanding specialty pharmacy services, the company enables people, businesses and communities to manage health in more affordable, effective ways. This unique integrated model increases access to quality care, delivers better health outcomes and lowers overall health care costs. Find more information about how CVS Health is shaping the future of health at

Copyright © 2015 IDG Communications, Inc.

Download CIO's Winter 2021 digital issue: Supercharging IT innovation