Spent several hours yesterday with a brokerage firm, consolidating various financial accounts. I’ve worked for various corporations over my career, naturally choosing to take the 401k investment options that each had offered. My belief is if the place is good enough to work at, why wouldn’t you invest in it also? On the surface the logic makes sense. However, as I’ve delved deeper into Portfolio Management and Enterprise Risk Management (ERM) concepts over the past several months, I’ve gained a deeper appreciation of the concepts of diversification and attention capacity or economics.
Most modern portfolio management discussions introduce the topic of diversification as a means of risk mitigation. The theory suggests that having a broad set of investments reduces one’s risk, because if one element in the portfolio crashes or underperforms, the loss will be made up by the others. This only holds true if each investment is independent of the others. That is to say, there is no causal relationship between the two components. However, if there are causal relationships, then these components are not truly independent and the portfolio you’ve created still has risk exposure. Take the most recent financial meltdown of the economy. Stocks, Bonds, Real Estate, and other investments all tanked, crashing the economy. In theory this should not have occurred, as these are separate asset classes, independent of each other. However, as the laws, rules and regulations changed regarding banks, brokerage houses, Real Estate Mortgages, and other financial vehicles, subtle interconnections between these components were established. These connections were either not well understood or completely ignored. Investment vehicles such as collateralized debt started to appear. These created the linkage between other assets, which established the potential for what eventually happened.
Collateralized Debt has at its root a portion of Portfolio Management: investing in multiple elements to reduce risk, in many cases high-risk mortgages. The theory was that maybe one or two mortgages might fail, but overall the majority of them would not. However, the conditions that caused several of these mortgages to fail were the same for most of the others. Thus when one failed, it was only a matter of time for the others. As such, this pool was a collection, not a managed portfolio. Add to this other investment vehicles such as derivatives, which further linked real estate to other types of investment in the economy, and the causal chain was completed, with few people realizing the risk that had just been created.
ITSM’s relationship to Investment Management
ITSM seeks to create an ecosystem for the enterprise where the Information Technology function creates a catalog of services for the rest of the enterprise to consume, either to perform its knowledge work or to provide to its external customers. On the surface this is a great concept. In practice, creating a catalog of services that are tightly integrated brings the same risks to the enterprise as tightly linking the various financial vehicles did in the general economy. Thus serious strategy and due diligence in risk management and mitigation are called for, lest an enterprise crash like the economy over an IT failure. Consider what happens if your network infrastructure fails for several days and you have just recently migrated all your voice (phones) to voice over IP (VoIP): your financial functions cannot access your general ledger, so no billing can go out and no vendors can be paid; your in-house sales staff either cannot call prospects or have to use their personal cellphones to make calls, a further expense, and they can’t enter orders anyway because your systems are down; other negative effects propagate throughout the enterprise and compound the situation. In a very short period of time an enterprise could be so overwhelmed with the consequences that it could take years to recover or might never recover.
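The network-failure scenario above, worked as an added example that is not part of the original post: a service catalog modelled as a dependency graph, measuring the share of services lost when one fails, before and after voice is moved onto the data network. The service names and the assumption that every dependency is a hard one are constructed for illustration.

```python
from collections import deque

def catalog(voice_on_network):
    """Constructed catalog: service -> services it depends on (hard dependencies)."""
    return {
        "network": [],
        # Legacy phones have no dependency on the data network; VoIP does.
        "voice": ["network"] if voice_on_network else [],
        "general_ledger": ["network"],
        "billing": ["general_ledger"],
        "vendor_payments": ["general_ledger"],
        "sales_calls": ["voice"],
        "order_entry": ["network"],
    }

def blast_radius(cat, failed):
    """Return every service that transitively depends on `failed`."""
    dependents = {}
    for svc, deps in cat.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(svc)
    seen, queue = set(), deque([failed])
    while queue:
        for svc in dependents.get(queue.popleft(), ()):
            if svc not in seen:
                seen.add(svc)
                queue.append(svc)
    return seen

def impact(cat, failed):
    """Fraction of the other services lost when `failed` goes down."""
    return len(blast_radius(cat, failed)) / (len(cat) - 1)

def concentration_report(cat):
    """Rank services by impact so the most tightly coupled ones surface first."""
    return sorted(((impact(cat, s), s) for s in cat), reverse=True)

if __name__ == "__main__":
    for label, on_net in (("before VoIP migration", False), ("after VoIP migration", True)):
        print(label)
        for share, svc in concentration_report(catalog(on_net)):
            print(f"  {svc:16s} {share:.0%} of other services lost")
```

The same ranking can be run against a real catalog export to find the services whose failure the rest of the enterprise cannot absorb.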
Some vendors might say move to the cloud and that will solve the problem…but will it? What happens if your cloud provider fails, or your access to it fails (your internet connection is down), or both? You are back to that same perfect storm scenario. So is the answer to go back to a paper-based system? Not likely; the scale and speed of business today prevent going back to such methods. The answer, I believe, lies in a more comprehensive approach to the strategy and design of the enterprise: an approach that unifies Executives, Line of Business Management and Information Technology in an effort to view and manage the risk in a coherent and conscious manner. This suggests enhancing the current portfolio management practices advocated by vendors, which only prioritize investment by ROI (gain), to include the downside aspects (i.e., risks such as those that ERM typically works to mitigate).
The problem with such an approach is that it requires greater attention to detail, and in an age where businesses have caught AD/HD, this is a hard practice to employ. It’s easy to ignore the risks, as did the investment and economics communities prior to the financial meltdown. Many corporations are focused on multiple targets and this one is left to the IT function, typically without effective governance or oversight by the executive suite, possibly because discussions often arise around the technology’s structure rather than the capabilities and risks of applying it. This tends to overwhelm the attention span of the rest of the business, as those not involved with IT capability creation and management don’t have the time to learn the details. This is where Enterprise Architects and Technology Strategists should play a role; however, oftentimes they are used for designing applications rather than helping to guide technology application for the enterprise. It is a subtle difference, but critical to understand if your EA function is to provide the highest value to the corporation.
The one leverage point that may eventually cause corporations to focus on this arena, in spite of all the standards and methodologies out there, is that Corporate Executives are now held responsible for governance actions. Whether or not they understand the ramifications of new laws and regulations such as SOX, the Patriot Act, HIPAA, and others, not understanding how to govern corporate information and information processing will eventually put both a business at risk and executives out on the street, or worse.