Why Most IT Risk Management Fails and How to Fix It
By Elisabeth Butler
Every programme has a risk register. Almost none of them are actually useful. They are filled with generic risks that were captured during a workshop six months ago and have not been reviewed since. "Resource availability" rated amber. "Scope creep" rated amber. "Vendor dependency" rated amber. Nobody reads them. Nobody acts on them. They exist to tick a governance box. This kind of neglect is one of the reasons organisations fail at IT programme delivery.
Effective risk management looks completely different. It starts with identifying risks that are specific enough to actually manage. Not "vendor dependency" but "Vendor X has not confirmed availability of their lead architect for the migration window in March." Specific enough that you can do something about it.
It continues with active mitigation. Every risk that matters should have a named owner, a concrete mitigation action, and a date by which that action needs to happen. If the mitigation is "monitor the situation," it is not a mitigation. It is an admission that nobody is doing anything.
And it requires regular, honest review. Not the kind where you go through a 50-item register and confirm everything is still amber. The kind where you spend ten minutes on the five risks that could actually derail the programme and make sure their mitigations are working.
I build risk management into the fabric of programme governance. It is not a separate exercise. It is part of every steering committee, every workstream review, and every vendor touchpoint. That is how you make it work. When risk management fails, programmes stall, and recovering a stalled IT programme becomes far more costly than getting the fundamentals right from the start.
Contact Elisabeth to discuss governance and risk management for your programme.