Last Friday's IT Nightmare: Why Risk Management Can't Be an Afterthought
Julia Bardmesser
Accelerate the Business Value of Your Data & Make it an Organizational Priority | ex-CDO advising CDOs at Data4Real | Keynote Speaker & Bestselling Author | Drove Data at Citi, Deutsche Bank, Voya and FINRA
Last Friday, we woke up to a world in digital chaos.
A CrowdStrike update inside Microsoft failed, taking down computers globally.
Hospitals, hotels, banks, and airlines - all ground to a halt.
I have no inside knowledge of what really happened.
But having led multiple implementations, large and small, it got me thinking about a crucial aspect that often gets overlooked: formal risk management.
In our rush to embrace agile methodologies and meet preset timelines, dealing with risks often takes a backseat.
Here are three major blindspots I learned to see the hard way:
Many teams lack a formal framework for discovering and assessing risks.
It's hit or miss - if someone thinks about a risk, great. If not, you're exposed.
2. The "It Probably Won't Happen" Fallacy aka “It Was Ok the last 5 times we did it”
Low probability, high impact events often get discounted or not even considered.
As the chance of them happening is so low, it’s easier to ignore them due to shrinking budgets, tighter timelines, and expanding scopes.
But when these unlikely events do occur, the impact can derail our company, our customers and customers of our customers enormously - e.g. last Friday.
My approach to these risks is to rate them as medium risks (not low as most risk management frameworks do) and approach the mitigations accordingly.
3. The "We'll Wait and See" Mindset
Even when risks are identified, mitigation actions are often not thought through.
"We'll wait and see" is not a strategy.
Be it technology, operational or organizational - there has to be a mitigation strategy that you can define and deploy.
So, how do we address these blindspots?
During my time at Citi, I was incredibly privileged to be part of a small group led by an exceptional and very senior executive. Working with him taught me many things, and formal risk management was one of the biggest.
I had always done some kind of project risk management; after all, by that time I had spent more than 10 years delivering tech and data initiatives.
But he took it to another level: formal weekly meetings to review risk, issues, dependencies, and our mitigation plans and actions.
And, key difference: he was always in these meetings and he was very present.
He asked in-depth questions. He kept pointing out the things we’d missed and hadn’t thought enough about. He kept expecting follow-ups on every mitigation we’d trotted out in front of him.
I'll be honest - at first, I dreaded these meetings. I felt like I was always wrongfooted and could never say the right thing. And I so wanted to shine in front of the big boss!
But the results were undeniable: smoother delivery, fewer last-minute scrambles, and better outcomes.
When I implemented this at Voya, it was the most hated meeting by my team. They called it a downer and everyone felt drained. However, it worked.
Over four years, it became an integral part of our process and saved many a delivery.
The secret sauce? Structure, discipline, and unrelenting C-level focus.
There's no magic formula here. It's all about putting a structure in place and being disciplined about enforcing it.
Make time for formal, structured risk management. Adapt it to your project delivery methodology, be it waterfall, agile, or anything in between.
Your projects, your customers - and your peace of mind - will thank you.
What’s your take on this? Share your experiences in the comments below.
Executive Leader | Data & AI Strategy | Data Governance | Data Quality AI/ML | Enterprise Architecture & Cloud Strategy | Driving Innovation, Compliance, and Scalable Business Growth | Digital Transformation
7 months ago: CrowdStrike deployed a patch worldwide that was untested. It is unfortunate that Microsoft's name is dragged down along with it.