Risks and Benefits
The other day I followed a link on a friend's site to an article about How to Clean up a Broken Compact Fluorescent Light (CFL) Bulb. Turns out that because these increasingly popular bulbs, which use far less energy than old-fashioned incandescents, are made with mercury, there is a small risk of exposure any time one of them breaks. The article gives detailed instructions on how to clean up after such an accident.
So often a piece of technology which is a solution to some major problem brings new risk of its own. In deciding to adopt the new technology, we need to weigh the risks against the benefits. Is wind power worth the risk to birds caused by those rotating blades? But the need to manage the risk continues after the decision is made. I often try to talk to our clients about risk management for the Information Technology advances within their organization.
There are risks attached to every positive step you make. Suppose your non-profit is emerging from a start-up period, where pretty much every department had its own little contact management solution, in Excel, or Access, or ACT. Now you're putting in a system that will provide integrated CRM and other functions for the entire organization. It's a great step forward for you. But it adds some new risks, because now you have a new single point of failure. Actually some of these possibilities could be disastrous. If the new system goes down, or becomes corrupt, or loses data, what will you do?
Risk management writers discuss three angles on confronting problems like this.
1) Mitigation: Lowering the likelihood that the unwanted condition will occur.
2) Monitoring: Detecting as soon as possible if an unwanted condition has occurred.
3) Resolution: Managing the situation if it does occur.
For example, suppose we identify the risk of accidental corruption of data through user error as something we are concerned about. Here's an example fresh on my mind - the other day a user of ours changed the last names of a good many of their contacts to LastName. Oops.
How can we address the risk of this kind of accident?
Mitigation might mean: making sure users are properly trained on risky database operations and that most users do not have access to perform them. Monitoring might mean maintaining a log of all database changes for a day that can be glanced at by the db admin for any peculiar activity. Resolution might mean having a plan and utilities in place for selective restoration so data can be loaded back from a backup without losing all the other valid data entry made that day.
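The monitoring and resolution steps above can be sketched against the LastName accident. This is an added example, not code from the original post; the SQLite schema, table names and sample contacts are constructed for illustration.

```python
import sqlite3

# Constructed schema: table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT);
CREATE TABLE change_log (
    log_id INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP,
    contact_id INTEGER, old_last_name TEXT, new_last_name TEXT);
-- Monitoring: record every last_name change together with the value it replaced.
CREATE TRIGGER log_last_name AFTER UPDATE OF last_name ON contacts
WHEN OLD.last_name IS NOT NEW.last_name
BEGIN
    INSERT INTO change_log (contact_id, old_last_name, new_last_name)
    VALUES (OLD.id, OLD.last_name, NEW.last_name);
END;
"""

def build_demo_db():
    """Constructed sample data: one legitimate edit, then the bulk accident."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        (1, "Ana", "Ruiz"), (2, "Ben", "Cho"), (3, "Cara", "Diaz"),
        (4, "Dev", "Patel"), (5, "Eli", "Stone"), (6, "Fay", "Wong")])
    db.execute("UPDATE contacts SET last_name = 'Ruiz-Lee' WHERE id = 1")
    db.execute("UPDATE contacts SET last_name = 'LastName' WHERE id >= 3")
    db.commit()
    return db

def suspicious_values(db, threshold=3):
    """Values that many different contacts were changed to (likely a bulk overwrite)."""
    return db.execute(
        "SELECT new_last_name, COUNT(DISTINCT contact_id) FROM change_log "
        "GROUP BY new_last_name HAVING COUNT(DISTINCT contact_id) >= ?",
        (threshold,)).fetchall()

def selective_restore(db, bad_value):
    """Resolution: put back logged old values only where bad_value is still present."""
    cur = db.execute(
        "UPDATE contacts SET last_name = (SELECT old_last_name FROM change_log c "
        "  WHERE c.contact_id = contacts.id AND c.new_last_name = ? "
        "  ORDER BY c.log_id DESC LIMIT 1) "
        "WHERE last_name = ? AND id IN "
        "  (SELECT contact_id FROM change_log WHERE new_last_name = ?)",
        (bad_value, bad_value, bad_value))
    db.commit()
    return cur.rowcount
```

The restore touches only rows the log shows were overwritten, so the legitimate edit made the same day (Ruiz to Ruiz-Lee) survives, and the restore itself is logged by the same trigger.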
Risk Management should be included as a part of the planning for each of your technology projects.
The book that many years ago sparked my interest in Risk Management is Waltzing with Bears, by Tom DeMarco and Timothy Lister.