Many of my contacts in the industry indicate that there is an increased focus on operational risks now. The development is probably due to the scarcity of internal losses, not, as you might expect, an increased number of them. Many institutions lacked the statistical data on reported losses to determine whether they would benefit from adopting the Advanced Measurement Approach (AMA) on operational risks when they launched their Basel II program. The condition that you cannot revert to the basic Standardized Approach led institutions to focus on credit and market risks, where they had the statistical data at the time. Now, five years later, when they have the data on operational risks, they see the opportunity to drive down the capital requirements by adopting AMA and improving the management of operational risks. But there are limitations to a risk management approach that is restricted to historical data, especially in a rapidly changing IT environment. In many cases, it is hard for IT management to explain to top management their gut feeling about the magnitude and escalating nature of the inherent risks in the IT platform. In this blog post, I will present a sales tool that may help the IT department sell the need to mitigate platform risks to top management.
The business and IT intersection
One of my clients had a clear vision of how to explain to top management that they have to address the inherent risk in several mission-critical applications that are based on the unsupported Visual Basic 6 platform. It was evident to him that the risk in the platform increased every year as developers and third-party vendors left the platform. Though not as evident, he also saw that the clock was ticking on the outdated architecture, where the business logic cannot be reused and the run-time prohibits the client from upgrading to the latest software versions that promise performance improvements and support from Microsoft and other software vendors.
The intention was to challenge top management with this increased risk and ask them about their risk appetite, as presented in the graph below. Once the intersection has been identified, it would be easy to backtrack to the latest possible time at which they have to start the risk mitigation project.
The graph is probably one of the best illustrations of a burning platform that I have seen in my 20 years as an IT consultant. But how do you support the graph with indisputable facts? What is the common denominator to use to be relevant to top management?
Let’s face it. We have always been evasive on the IT side when talking about risks. We are confident in plotting risks based on probability and impact using the 3×3 (low/medium/high) matrices that we have in our standard toolbox. But we are not as comfortable quantifying the impact of a risk on the income statement, even though that is the denominator that top management uses. So how do you quantify the potential loss when you have to work your way through all the layers from the technical infrastructure to the profit/loss? One way could be to leverage a sales tool that we sales reps use when trying to estimate the customer value of our offerings. The “Pain Chain” is a simple but powerful tool in the Solution Selling methodology for understanding how “pain” flows throughout an organization. The example below illustrates the concept, where the IT Manager’s pain with a Visual Basic 6 lock-in ripples through the organization as reasons for other stakeholders’ pain.
In this fictitious case, we can quantify the platform risk at 120 mSEK in opportunity costs. This quantified cost will make it easier for you to have a discussion with top management about their risk appetite. It might be that they do not decide to mitigate the risk, but you can take some comfort in the fact that it will be an active decision to accept the inherent risk. You have covered your back by linking your platform pains, using the pain chain, all the way to top management.