by Chip Gliedman

Managing IT Risk With Portfolio Management Thinking

Jan 25, 2002 | 3 mins
CSO and CISO, Data and Information Security

Minimizing risk and maximizing reward is at the very core of any investment, whether financial or technological. For technology, IT has faced a steep uphill struggle balancing these two forces. Historically, IT has done a poor job quantifying both the risk and return on technology investment in financial terms and, as a result, has not been able to convincingly demonstrate the value to the organization. As such, organizations have tended to think of technology investments as delivering little bottom-line value to the company.

As a result, most analysis of risk and reward is qualitative in nature, if done at all. The problem is compounded by the fact that a CIO typically does not have to decide on a single investment, but rather faces a whole portfolio of different investments to evaluate, each with its own perceived level of risk.

Therefore, IT is typically not judged on a project-by-project basis; instead, it is judged on a whole portfolio of different investments whose total value is the determinant of success or failure. In this environment, qualitative measurements fail to accurately predict the risk within a portfolio – a portfolio on which the ultimate success or failure of IT rests. IT must have an effective plan to quantitatively measure the risk and reward of any technology investment. Once that is built, IT can then begin the process of building a portfolio-based model to look at the value of the investments as a whole and not as discrete units.

To think of technology investments as a portfolio, IT can borrow several tools from the financial community. One of those tools is diversification to meet your company’s economic outlook. If the company’s strategic plan is for aggressive growth, the IT portfolio may consist of a higher percentage of riskier projects. In hard economic times, invest in lower-risk projects and leverage your existing technology base.

If the outlook is uncertain, invest in projects that give the company future flexibility options. IT must also be concerned about the relationship between investments. No portfolio risk management plan should be without both a measure of the spread of each individual investment and some quantitative measure of the relationship between investments.

Thinking in terms of a portfolio of different investments forces IT to consider the balance between investments that can deliver a high potential reward but at the same time a possible downside, and those investments that are considered a “safe bet” – low risk/low reward investments. Failing to properly analyze how risk directly affects each investment, along with the portfolio as a whole, reduces IT to looking for a shiny needle in the proverbial haystack.

© 2002 Giga Information Group, Inc.