How does the level and nature of risk in IT and service management in the pre-digital business era compare to today?
The IT risks faced by our forebearers were significant: for example, failing to meet internal customers’ expectations, missed service level agreements (SLAs), budget overruns, time overruns on projects, etc. However, I’d argue such risks were less significant than those relating to digital business activities today.
IT leadership was often aware of risks, but proactively dealing with them was a different story. With SLAs, many IT organizations were hesitant to set and document them for fear of not achieving them!
Numerous organizations buried their heads in the sand rather than tackle risk – but this is really no longer an option.
Digital business – opportunities and risks
Typically, the first risk that comes to most people’s minds with digital business is cyber security (as defined by the Digital Risk Management Institute).
However, in the ITIL® 4 Digital and IT Strategy module, we’ve highlighted a range of risks with a handy acronym – DICE – which means:
D = disruption: the fact your competitors are using new, digital technologies and ways of working to engage differently with customers is probably the biggest risk. Operational efficiencies that transform your competition’s internal processes and customer relationships can put you out of business.
I = innovation: companies need to disrupt themselves and innovative enterprises are willing to change what they do now, even if it works currently. However, this risk is double-edged; customer demands change on a whim and you can spend too much time and money on innovation that doesn’t help the bottom line.
C = cyber security: in a digitalized business, engaging with customers frequently and more intimately affects data security and confidentiality.
E = engagement: within the ITIL 4 service value chain, “engage” is one of the activities. So, how do you engage with stakeholders including employees, customers, partners and suppliers? Will it involve a cultural shift or present other problems?
In one engagement example, a digital marketing team hired an offshore company for IT development rather than its internal IT organization, which introduced problems of time zone, culture and language. It also posed an intellectual property risk because of what the third party knew about the development work.
Responding to digital risk
Risk can be scary, which is why organizations need to develop a risk mindset and engage people in understanding the concept.
This needs open discussions to identify your key risks and take action before you’re caught off-guard. One approach is to compile a risk register; prioritizing risks that you will regularly evaluate against a model like DICE or VUCA (volatile, uncertain, complex, ambiguous risks).
Ultimately, we need to balance what our customer wants with the new ways of working and what our competitors are doing. This might mean looking at adjacent industries that we haven’t seen as competitors before; but could become so.
ITIL 4 – thinking about risk beyond IT
All of the guidance in ITIL 4 raises the bar and expectations of managing risk – not just for IT but for entire organizations.
Part of the purpose in ITIL 4 Digital and IT Strategy is helping business executives understand more about digital technology and how it can alter their business models.
It’s also about embracing risk: not as a negative thing, but as a way to gain control over your own destiny. Companies develop either a tolerance for risk or an aversion to it. However, with a more mature perspective they can address risk head on; giving them a greater sense of what they’re up against and being better prepared to respond.
Though traditional IT risks still exist, the big ones today in the digital era are disruption and innovation and you need to be flexible in your approach to meet what’s coming down the line.