How to Create a Risk Analysis Process

As the director of foreign exchange at Merck, Art Misyan uses statistical risk analysis for evaluating the impact of foreign currency volatility. Like Sanchez, he's puzzled by IT's laissez-faire attitude toward risk analysis. "Risk gives you the ability to look at a whole range of outcomes, but IT looks at only two possible outcomes," he says. "Either you hit deadlines or budgets, or you don't."

IT needs to think in probabilities, Misyan says, not ones and zeros. The best way to start is for the CIO to formalize the risk process. "First you have to set up a process to determine and track risks," he says. The good news is that much of the risk process is built into project management methodologies CIOs have been adopting anyway, so it should be familiar. Here are the basics for developing a risk analysis process.

Gather experts to determine project risks. These brainstorming sessions should be free and creative. "You want the pessimist in the group, the dark cloud," says Anne Rogers, director of information safeguards at Waste Management, who teaches risk analysis. "You want the person that will ask, What if a truck ran into the building?"

When you don't ask the off-the-wall question, you run the risk of smacking into it. "Motorola gambled on developing Iridium satellite phones and charging $7 a minute," recalls DeMarco. "No one seemed to wonder what would happen if cell phones came along offering similar service for 10 cents a minute and free nights and weekends."

Assign researchers to uncover known risks. "We came up with 20 or 30 risks we knew we'd face by research," says Sandy Lazar, director of key systems for the District of Columbia, who is overseeing a five-year, $71.5million administrative systems modernization program. "If you read up, you realize ERP has failed over and over for the same reasons for 15 years now." In fact, there are five typical risks to software projects that every CIO should include in a risk analysis.