Friday, April 24, 2009

Increase in Risk Averse Cultures in IT

I was reading an interesting article on InformationWeek.com, and it spurred some thoughts on risk averse cultures in IT organizations. You can find the original article here.

I don't think it is just CIOs that are becoming more risk averse, but IT departments in general. Even when CIOs encourage their reports to take risks, and even when they have the right attitude when people take risks that don't work out, it still seems that senior folks below the level of CIO are not taking risks. Why is this?

I can think of a couple of reasons:

1. They have gotten burned or have seen others burned in past lives taking risks. This is where the CIO may encourage risks, but then takes punitive measures when the risks don't pan out.

2. They don't believe the CIO when he says that calculated risk taking is acceptable. They have to have confidence that when the CIO says it is acceptable, he means it.

3. They don't know how to measure risk, so the thinking becomes that every risk is too big, or just big enough to get them in trouble. This is a lot more common than I believe people understand. I have watched many projects where there isn't even a pause to consider if there ARE risks, never mind to measure them. And even when risks are put down on paper, there is no contingency planning.

4. They truly just don't know how to take a calculated risk; it just isn't in their psyche. These are the people who have to have everything planned and exactly right before they will move on to the next step. There is a corollary to this, called "analysis paralysis", that I will hold for another blog post :-)

Of course, taking a lot of risk is just as bad as, if not worse than, taking no risk at all. Those people that just throw caution to the wind and jump right in are just the "b" side of a bad record.

So how can a CIO encourage calculated risk taking? I think there are several ways:

- Lead by example - this is the best and most obvious answer. He needs to also take risks, with his organization, with his strategy, and with his interactions with other parts of the business. And he needs to make sure his directs see these risks, and understand how he came to the conclusion that this was a calculated risk worth taking.

- Add it to the goals and objectives of his department and his direct reports. Yes this can be subjective (did you take the right number of risks and were they well calculated) but it will certainly encourage people to think about risks at the very least.

- Celebrate risk successes and discuss risk failures openly. Both need to be done to show that you can succeed when you take risks, and that risks sometimes do fail and here are examples of how they do.

- Be supportive, not vindictive, when well calculated risks do fail. There is a reason it is called a risk. No matter how well you think you have covered all the contingencies, sometimes it just doesn't work out. This is when the CIO has to show his backbone, correct the mistake, and perhaps even take the fall for the risk taker.

Taking calculated risks, in technology, in projects, and on people, is what in my opinion separates good IT organizations from great IT organizations. And by stretching what we can do, and how we use technology, we help the business move forward faster. Which after all is what a great IT organization can bring to the table...
