Take a Chance on Me

Resellers that play their cards right by offering risk analysis canfind themselves crossing the line from simple IT supplier to consultant,wagers Annie Gurton

All resellers, if they know what they are doing, are looking to turn the relationships with their customers into cosy partnerships. Nothing achieves this better than a consultancy service which involves the re-seller having to become familiar with the nuts and bolts of the customer's business.

Risk management is such a service: it is specialised yet any reasonably bright salesperson can easily grasp the concepts and methodologies. It can be charged as a consultancy item on an invoice, and can be a unique differentiator to set you apart from other resellers. Hardly surprising that it is an increasingly crucial service for successful business management, according to companies that use it.

The trouble is, mention risk management and the response is likely to be: 'What's that?' It's a whole range of skills and techniques, explains Jeet Khaira, business consultant with Parity Solutions. Analysing the risks involved in a project is just the first stage of the process.

Khaira says: 'Having identified the potential risk you have to manage it using recognised techniques, and then provide business continuity strategies for what to do if the worst happens.'

Some definitions of risk management link it with disaster recovery, but the term is far broader. Risk management is more than just installing a UPS in case of power failure, according to Paul Barnes of Adam Associates.

'It's all about ensuring business development and continuity,' he says.

'You have to look at the wider issues of what will happen in a disaster or if a decision is wrong.' Adam Associates offers a matrix and methodology for evaluating the consequences of specified risks, and helps clients manage a business if the worst happens.

Physical security breaches and natural disaster avoidance form a major part of risk management consultancy, but in a wider definition, it also covers any business decision with an uncertain return: whether to open a branch office, whether to take on or fire staff, whether to take on a new product line or whether to engage in litigation.

In fact, most business decisions involve risk, and should be approached in a methodical way to establish what you are risking and what you would do if things go wrong.

Persuading clients that their IT supplier should be undertaking risk management for them is not always easy. But one way in is to start by using risk management techniques to close an IT sale. Explain that there are three ways to make a decision to purchase IT: one that ignores uncertainties and is based on a single view of the future; an educated guess based on gut feeling; and a calculated risk which weighs up all the possible outcomes.

Obviously, the last is the one to aim for. Approaching an IT sale in this way makes the benefits of running a business using these techniques clearer. It also becomes easier to suggest that you become involved in other decisions beyond the IT purchase, such as human resources and location changes.

Most firms know that better decisions mean more profit, as well as a more stable enterprise. There are many software products which assist in analysing and managing risks. Some are based on simple spreadsheets and others use complicated mathematical and statistical modelling, including those based on the government-approved Cramm methodology. One common technique is called the Monte Carlo simulation, which is a device for generating random numbers. It takes account of the likelihood of certain events, as well as their relative likelihood.

For example, you could define possible scenarios in different contexts with different meanings. Formally called scenario analysis, this means developing both a pessimistic and optimistic view of the future and testing a business plan or project against each. The technique provides for a range of possible outcomes as well as an opportunity to think about strategies for dealing with downturns.

Another technique is called sensitivity analysis which, at its simplest level, involves asking 'what-if' questions. For example, what happens if the interest rates go up to 20 per cent or your market share drops to five per cent? Manual or computerised spreadsheets make it fairly easy to explore this type of question, and it is possible to create diagrams that can show the outcome of two or three different variables changing in different ways. The problem with sensitivity analysis is making assumptions, and the danger of what Khaira calls, 'the biggest risk of all - something you haven't thought of'.

The Monte Carlo system assigns probabilities to various possibilities, and is particularly suited to multi-stage problems where different decisions are taken as the various uncertainties are resolved.

Risk analysis is only the first stage. Once the variables are pinpointed and evaluated you have to monitor their progress.

Khaira says: 'Risk management is an iterative process and risk analysis simply provides the means of exploring the trade-off between risk and return.

He adds: 'Once you have identified the main uncertainties you then have to reduce the risk by taking various hedging opportunities or by using better forecasting tools, including market research.'

Bill Buxton, manager of secure systems at Parity Solutions, says risk analysis is a form of insurance which, if ignored, can leave companies floundering. 'If disaster strikes, the slow-down or complete freeze of a business in the aftermath can leave companies in a state from which they never recover. Simple financial insurance cannot re-claim customer confidence or the market position lost in the time it takes to get back on their feet.'

The case for carrying out risk analysis and developing a disaster recovery plan is compelling, Buxton says, but still only about a quarter of companies take this path. 'Companies are wary of spending money on risk analysis and management but are happy to spend on insurance,' he says. 'Yet a risk strategy is a form of insurance because it increases a company's chance of survival after a disaster, and can even help prevent one happening.'

A classic situation where risk analysis is relevant is when a business decides whether to build an intranet or to start using the Internet for trading. Buxton says: 'Business conducted across standard networks, intranets and the Internet is open to crime and espionage. A risk analysis plan would incorporate the fundamentals of data security. Physical location of network ports of entry and switches is critical, for example, but something which is ignored.'

A broad analysis of the options should be conducted, plus an analysis of the staff managing the communications system. Questions should be asked about what would happen if they were to leave or suddenly be unavailable for work.

Other risks which should be considered include projects running late; costs going over budget, an implementation that does not deliver what was required, qualitative problems in which expectations fail to be met, third parties failing to meet their obligations; and political problems, in which a decision is perceived as wrong because inappropriate criteria were established early on.

Theft, fire, flood and even bombing should also be covered by risk analysis, as well as questions about what would happen if a business' competitors introduced a revolutionary new product or if products had to be recalled because of a fault.

In many ways, performing risk analysis and management is like being a bookmaker, says Khaira. 'You have to think of every possible event and then develop a strategy for dealing with it.'

The key to successful risk management is repeated testing and re-analysis of the risks. That's why risk consultancy is such good business to resellers to provide for their customers. It means a close, long-term relationship from which product sales and other service transactions can result.

Shri Karve of MGE, a company selling UPS products, says that the reseller needs to take an objective view of the needs of every client 'because they are obviously all different'. Some have different risks according to their market speciality, or the type of product or service they provide.

'If you are selling to a dealing room, for example, there is a risk of millions of pounds being lost immediately if there is a power failure, and if you are selling to a company providing products for air traffic or road traffic control, the risks of their products failing are accountable in human terms.'

He adds: 'Whether the risk is loss of life or economic loss, strategies have to be employed to reduce the risk and keeping the business going should the worst happen. Many businesses do not think these things through, and the reseller can often see the risks more clearly than they can.'

Karve says the statistics show that companies which experience a major disaster typically take four years to recover - by which time they are often bankrupt. He says: 'Clients don't realise the effect of loss of confidence in the market, loss of customers and the phenomenal consequential loss of revenue which can result from a single event, particularly if it is a highly publicised disaster.'

Resellers wanting to provide risk management as a service undoubtedly face a challenge in gaining credibility. No client is going to hand over the analysis of its exposure to a computer supplier without question; that in itself would be a foolhardy risk. The first step is for resellers to start using the techniques themselves, so that they become familiar with them, and then start using the language of risk management in their sales closing meetings.

Persuading a customer that a purchase is low risk, and pointing out the high-risk alternatives of buying a different solution, can not only secure the sale but demonstrate the value of risk analysis methodology.

Using risk analysis techniques on IT purchasing and management strategies is a sensible idea which all companies, - suppliers and clients - should be using. Surveys have shown how much better and more profitably IT can be managed.

Many IT projects run over budget and time, but the risk of failure can be drastically reduced if a more strategic, disciplined approach is adopted.

Khaira says: 'There is no silver bullet which is going to eliminate risk.

He adds: 'All that risk analysis and management does is provide the tools and techniques for coping with a world in which just about everything is uncertain.'

Resellers are frequently in the unusual position of being able to point out what can be done to minimise or eliminate risk. It should be a consultancy service which more resellers use for themselves, as well as offering to their customers.

Most business decisions are taken against a range of possible outcomes and with incomplete knowledge of the status quo. Risk analysis and management aims to differentiate three paths: naive decision making, educated guesses and calculated risks.

The main techniques are sensitivity analysis (what-if tables), scenario analysis and decision analysis. However, at the end of the day, big doses of common sense and experience are required to draw up a plan which analyses all the possible variables and their outcome, and delivers a strategic plan to help keep the business on track.

Resellers able to provide risk analysis can find themselves crossing the bridge from simple IT supplier to consultancy, privy to much confidential information about their client.