There is a constant pressure not only on IT but all areas of organizations to reduce costs. However, that frequently ends up with higher risks and potentially higher costs due to these risks. The problem is: Most organizations, especially in controlling and management, think much more about cost than risk. But cost savings (which are not necessarily negative) without a risk view are a risk - somewhat of a tautology, I know...
That is why Risk Management should be a standard and central element in management, for business as well as for IT.
First of all: From an entrepreneurial perspective, it's always about profit. That might be short term, that might be long term (the value of the enterprise). Profit is, simply put (and I've studied economics, so I could even do it in more detail, but without value for this blog entry), determined by revenues and costs. Thus it is about reducing costs or increasing revenue - without either reducing revenue or increasing cost disproportionately.
Probably everyone will have examples in mind where cost reduction led to quality issues, customer loss, and in fact decreases in revenue. That happens in virtually any industry. Obviously, a risk occurred which either hadn't been understood before, which had been underestimated, or which had just been ignored. The problem is that it is pretty expensive to mitigate this.
To provide an example: Yesterday evening I experienced the consequences of what appears to me as another example of not fully understanding the relationship of risk and cost. I'm a frequent traveller by railway (and, by the way, a convinced user of the European railways - a convenient way to travel, despite all issues...). Thus I'm unfortunately somewhat experienced in delays caused by technical problems. Yesterday, when travelling back home, the train stopped due to a complete breakdown of the computers at a railway control center. I've learned through a little research that the Deutsche Bahn (which I had been using) has centralized many of these into larger units controlling large areas of their tracks. Thus such an event affects relatively large regions - in that case, the train had to travel back some dozen kilometers and take another route. That meant some 50-100 extra kilometers - and close to two hours of delay.
When I look at this from the cost/risk view, things are pretty easy to imagine. Costs had to be reduced. Someone came up with the idea of centralizing railway control centers. Lower costs, thus a fine thing from management's point of view. Probably some people at the operational level had complaints about the availability but remained unheard. The risk was probably just ignored. Had the risk been understood rather than ignored, there might have been some potential actions:
- Taking the risk because it is cheaper to annoy customers and to pay them a little back for large delays. And accepting the additional costs for the extra kilometers the trains have to travel.
- Not changing the former concept with less availability risks - and not reducing costs.
- Changing the concept and thinking about some well-known IT concepts like redundancy to mitigate the risks.