Tuesday, April 29, 2008

The problems with risk avoidance and process "improvement"

Lately, I have begun to notice how pervasive the lack of risk management is in IT. Many people in IT, and in life in general, think risk management means finding a way to eliminate all risks.

This is a less-than-ideal take on risk. No one can eliminate all risks.

A real-world example: let's say that you have a recent fault in a process you are responsible for. You get upset, maybe chastised, and you go back to your desk and think, "well, I am never letting that happen again!" So you get your team together and, amidst all of the resentment, you make a permanent change to your process. You introduce steps to ensure that one instance NEVER happens to you again. Now fast forward two years. You have been promoted or moved on, and virtually no one knows WHY this process change was implemented. In fact, to the newcomer it is disguised as "that's just how we do it."

But the lack of documentation is just the symptom of a larger problem. What you did was risk avoidance, not risk management. A policy of risk avoidance as the only response to risks like these rests on the belief that all risk can be eliminated by "fixing" the process. In fact, this is impossible. You cannot ever truly eliminate all risk.

But it gets worse than just a behavioral problem. In the case above, you most likely increased the effort, money or time it takes to perform that one process. Multiply that by all the processes you run into and you see the plight: things grow too lengthy and too costly all too quickly.

Now imagine you're the CIO. You say, "We have to reduce our time to market!" What you are really saying is, "We have to re-accept some of those undocumented risks we previously avoided!" Yeah, right. This is why re-orgs become the de facto "improvement" idea. They institute the mentality to rethink it all and start over "fixing" the process. It just delays the inevitable downsides of the approach above.

So what do you do? Educate your IT peers on the following:

Risk Assessment:
  • Identification
  • Quantification (probability, impact, expected monetary value)
  • Prioritization

and

Risk Responses:
  • Acceptance (accept the consequences against the likelihood)
  • Avoidance (eliminate the cause, not the symptom of the risk)
  • Transfer (pass the risk on to a vendor/other team better suited to manage it)
  • Mitigation (reduce the probability or the impact of the risk)
  • Contingency (plan what to do if the risk does happen, a fallback plan, an exception plan)

Always consider the costs in effort, time and money of any and all risk responses. Consider this for all stakeholders and customers, not just your own team and your own needs. By informing IT managers of the merits of risk management and encouraging them to take a risk management class, you encourage EDUCATED, and less frequent, process change.
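As an added illustration (not from the original post), here is the quantification and response-costing step worked through in Python: each risk gets an expected monetary value, risks are ranked by it, and every candidate response is costed as its own price plus whatever expected loss it leaves behind. All risk figures, response costs and reduction factors are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float  # chance of occurring in the planning period
    impact: float       # cost if it does occur (constructed, in dollars)

    def emv(self) -> float:
        """Expected monetary value: probability x impact."""
        return self.probability * self.impact


@dataclass
class Response:
    kind: str                        # accept, avoid, transfer, mitigate, contingency
    cost: float                      # what the response itself costs per period
    probability_factor: float = 1.0  # fraction of the probability left after the response
    impact_factor: float = 1.0       # fraction of the impact left after the response


def residual_cost(risk: Risk, response: Response) -> float:
    """Expected cost with the response in place: its own cost plus the residual EMV."""
    residual_emv = (risk.probability * response.probability_factor
                    * risk.impact * response.impact_factor)
    return response.cost + residual_emv


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest EMV first: where the response effort should go."""
    return sorted(risks, key=Risk.emv, reverse=True)


def best_response(risk: Risk, responses: list[Response]) -> Response:
    """Cheapest response by total expected cost; plain acceptance stays on the table."""
    return min(responses, key=lambda r: residual_cost(risk, r))


# Constructed sample: the "never let that happen again" scenario from the post.
DEPLOY_FAULT = Risk("nightly deploy fails", probability=0.10, impact=5_000)
ADMIN_LEAVES = Risk("sole admin leaves", probability=0.05, impact=40_000)
RESPONSES = [
    Response("accept", cost=0),
    Response("avoid", cost=2_000, probability_factor=0.0),   # manual sign-off on every run
    Response("mitigate", cost=300, probability_factor=0.2),  # automated smoke test
    Response("transfer", cost=450, impact_factor=0.1),       # vendor SLA absorbs the loss
    Response("contingency", cost=100, impact_factor=0.4),    # tested rollback script
]

if __name__ == "__main__":
    for risk in prioritize([DEPLOY_FAULT, ADMIN_LEAVES]):
        print(f"{risk.name}: EMV {risk.emv():.0f}")
    for r in RESPONSES:
        print(f"  {r.kind:12s} total expected cost {residual_cost(DEPLOY_FAULT, r):.0f}")
    print("best:", best_response(DEPLOY_FAULT, RESPONSES).kind)
```

With these figures the blanket avoidance step costs four times the risk it removes, while a cheap contingency plan comes out ahead of simply accepting the fault.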