Unless you haven’t picked up a business magazine in the past eight years, chances are you’ve at least heard of Enterprise Risk Management. And if you’re reading this, there’s a good chance that you’re intimately familiar with it.

Not to be confused with that other ERM familiar to IT types (Enterprise Resource Management), risk management falls under the umbrella of yet another acronym that’s reached buzzword-status among IT managers: GRC, short for Governance, Risk and Compliance. After all, what has taken down some of the greatest names in business recently? Lousy governance, failure to predict risk and sloppy adherence to regulatory requirements.

Proactively and prudently managing these challenges, which include an assortment of technology-related risks, has become part of the financial responsibilities that make up fiduciary duty.

What’s more, scenarios that several years ago may have seemed outlandish to most businesses – a terrorist attack or a calamitous natural event — now warrant straight-faced consideration. In a post-9/11 world, overlaid with threats of rapidly shifting climate patterns, it seems that nothing can be ruled out.

As a result, virtualization merits consideration under any comprehensive ERM strategy. For disaster recovery, for instance, it’s a no-brainer. And virtualization’s distributed nature also offers some advantages in scalability, dramatically reduced IT capital and operating costs, along with many other efficiency initiatives.

But virtualization has potential drawbacks, too, most notably a unique and well-documented set of security challenges, but also the following:

 

1.  The virtual layer expands more rapidly than physical IT assets, making it hard for security to scale up proportionately (even as other functions become easier to scale up).
2. Virtual servers can “disappear” during periods of disuse, only to reappear when needed, but they may have missed crucial security updates in the interim.
3.  Attacks on the software supporting virtualization and virtual machine proliferation raise risks that don’t exist in the solely physical server world.

 

Despite these concerns, adoption of virtualized solutions appears to be headed nowhere but up. One measure: Virtualization leader VMware, which releases its fiscal year 2008 earnings later this month, had a remarkable 3^rd quarter in 2008 — with sales up 32%, to $472 million.

So, how much should companies worry about low-probability events — those disaster recovery scenarios with the potential to wipe out a data center, such as natural catastrophe or terrorist attack?

They should at least get realistic probability assessments and make decisions based on those assessments, say Wharton professors Howard Kunreuther and Michael Useem. The problem is, it often doesn’t even get to the assessment phase, the professors say. Kunreuther is co-director of Wharton’s Risk Management and Decision Processes Center. Useem is director of Wharton’s Center for Leadership and Change Management.

 

“Most executives tend to avoid thinking about low-probability events until after they occur,” the professors wrote in a December op-ed piece that appeared in The Philadelphia Inquirer. “They fall into a trap of believing such events will not take place — at least, not on their watch. The implicit principle is ‘NIMTOF’: Not in My Term of Office.” And yet, “The art of leadership is anticipating the unpredictable,” they write.

In the corporate context, one remedy to “NIMTOF” is effective governance, according to Kunreuther and Useem. “Good governance implies appointing forward-thinking directors with long-term perspective, who will guard against low-probability, high-consequence events.”

Throughout history, we’ve experienced life through increasingly greater layers of abstraction. We created language to represent physical objects. Then we applied it to those ephemeral yet enduring patterns of thought known as ideas.

The industrial economy of manufacturing things gave way to the knowledge economy of trafficking in information. And of course, computing has seen an accelerating progression toward the miniaturization — and the ephemeralization — of tangible hardware.

Which brings us to today, when organizations are virtualizing their enterprise computing infrastructure for any number of reasons: risk management, disaster recovery, high availability, reduced energy consumption and cooling requirements, smaller facility footprint, reduced maintenance costs, and the list goes on.

Kartik Hosanagar, professor of operations and information management at Wharton, thinks virtualization could have an even bigger strategic impact on organizations — the near disappearance of the internal data center, at least as we’ve come to know it.

“One can envision a scenario wherein firms will have no or small-scale internal data centers and most of enterprise computing infrastructure is provided as a utility,” says Hosanagar,, whose research focuses on e-commerce, Internet marketing and a host of overlay infrastructure topics.

Hosanagar cites Amazon’s S3 and EC2, Microsoft’s Azure and Google’s App Engine as “utility” examples, and notes they offer a taste what could be in store for much of enterprise computing. He adds, “However, we will probably get there in stages, with hybrid solutions dominating in the near future.”

According to IDC, which does market research in the field, the installed base of physical virtualized servers — in other words, the number of physical units serving as virtualized platforms — will grow from 8% of total server capacity in 2006 to 18% in 2011. The share of virtualized logical units — the abstract machines-within-the-machine — will jump from 22% of total logical units in 2006 to 54% in 2011.

IDC also notes in a white paper (sponsored by Intel) that “[w]hile virtualization is now considered a mainstream technology in servers, it is still a mystery to many IT shops. This is slowing down adoption, especially in the midmarket.”

Virtualization has been evolving into its present form since the dotcom bust of 2000. From an initial desire for datacenter consolidation, to a later focus on sandbox testing and development, to a yet-later emphasis on consolidating production applications, virtualization technology has developed in open view, although many remain reluctant to embrace it.

“It’s not a slam dunk,” Hosanagar says.  “But I’d say that there exists a pretty good ROI (return on investment) case for server virtualization. The main factor impeding widespread adoption of server virtualization is security issues. For example, it is harder to secure a virtual machine, even if it is an on-site virtualized solution. That said, a well-trained IT team can manage the security issues associated with the transition to a virtualized sever solution.”

As mentioned in an earlier post, purchasing decision-makers will want to know the projected return on investment (ROI) of any major IT proposal. But since ROI can be such a slippery and subjective measure, they may also consider other financial metrics, such as total cost of ownership (TCO) over the life of the asset and how much a project impacts the capital expenditure budget (Capex).

The on-the-ground impact of IT on a business can sometimes be underestimated. It directly affects a wide range of stakeholders: customers, employees, investors, business partners and more. Often, IT is the first and primary interface that stakeholders have with an organization. Their interaction can be efficient and satisfying, or in some cases, confusing and frustrating.

Investors recognize this and will want to know that an organization’s IT spend is well considered and not a frivolous boondoggle. So the case for shifting to a different model with something as impactful as IT infrastructure needs to be clear and compelling.

In addition to following the medical practitioner’s creed of “Do no harm,” new implementations should provide overwhelmingly clear benefits (which, sadly, is often not the case). In the case of IT virtualization, the general value proposition seems pretty clear.

Kartik Hosanagar, a professor of operations and information management at Wharton, points out a number of business reasons for the growing popularity of IT virtualization — all of which eventually translate into to lower costs.

“I see three main advantages of virtualization,” Hosanagar says. These include the following:

 

1. Maintenance: “For example, desktop and app virtualization allows firms to set up thin clients which require minimal maintenance (including simplifying the process of managing upgrades, software patches, etc.), thereby reducing the TCO of managing desktops.”
2. Overall more efficient use of resources: “For example, server virtualization allows better utilization of computing resources, which in turn helps reduce enterprise Capex.”
3. Facile access from any remote location.

 

Hosanagar researches e-commerce, Internet marketing and a wide range of overlay infrastructure topics.

It’s nearly impossible these days to overstate the importance of keeping company data secure. The implications range from preserving hard-earned client trust to protecting in-house intellectual property. Compliance needs, such as staying on the lawful side of protecting private health records, also provide strong incentive to zealously guard the gold in the company database.

For example, improper handling of private health information, under the Health Insurance Portability and Accountability Act (HIPAA), could result in up to $250,000 in fines and 10 years imprisonment.

Whether it’s brand damage, weakened competitiveness or headaches with regulators, inadequate security has the potential to be quite costly. End-users might see IT managers as cranky and overly restrictive. But IT shops see strong security procedures as a fiduciary duty.

Off-site virtualization solutions then — for all their advantages — do raise legitimate questions about security: Who are these people, exactly, that we’re about to entrust with our organization’s data? What types of systems and processes do they use to safeguard customer data? What do we know about their track record?

Kartik Hosanagar, a professor of operations and information management at Wharton, envisions a day when almost all data center and enterprise computing functions take place as offsite, virtualized, hosted functions. But until then, he says, IT managers are wise to take a measured and graduated approach.

Hosanagar’s research involves e-commerce, Internet marketing and a gamut of overlay infrastructure topics.

“The key issue is that of securing one’s data when it resides in a third-party location,” Hosanagar says. “Senior management would be rightly concerned about this issue. CIOs can help to allay these concerns in a number of ways” as follows:

1.     Start with virtualizing non-mission-critical data and applications. That way you can learn about the nature of an ongoing working relationship with the vendor on a non-threatening trial basis.

2.     Be clear about the benefits of a hosted solution as opposed to an on-premise solution: If there are limited in-house IT resources or expertise, a hosted solution may dominate. Also, it is easier to add or remove resources on an on-going basis (i.e., to scale up or down) with a hosted solution. Further, a third-party provider may ensure higher reliability through redundant machines and other means.

3.     Go with a proven vendor.

4.     Conduct reference checks and consult third-party reports.

On the evolutionary continuum of server side technologies, virtualization obviously stands out as the next macro-trend up for widespread adoption. But that alone isn’t what persuades corporate decision makers to make room in the capital expenditures column for large IT platform migrations.

Leading-edge concepts and technologies are frightening to many executives: Risk of a botched implementation or miscalculation of projected benefits is high; rewards of a successful transition can be difficult to trace and measure. Meanwhile, there’s always the comfort of knowing that if the technology is in fact the real deal, it will continue getting cheaper and richer with features over time (a la Moore’s Law, even as competitive advantage vanishes with increasing adoption rates).

In Data Center Decisions 2008 Purchasing Intentions survey of 600 IT professionals, 61% said they already use some form of virtualization in their organization. Another 29% plan to test, evaluate or deploy it this year. And a mere 10% reported no plans for virtualization. Meanwhile, IDC predicts 2009-2010 will see the tipping point of logical virtualized servers for the first time outnumbering physical, non-virtualized units.

That suggests plenty of market opportunity for virtualization solution vendors if they can successfully address the pain and pleasure points of those responsible for evaluating strategic purchases.

So just what is it that triggers companies to break away from institutional orthodoxy and embrace unfamiliar systems? For instance, while virtualization has gained solid traction, enough difficulties around performance management, capacity planning and troubleshooting remain to give even some IT shops pause.

Paul J.H. Schoemaker, research director for the Mack Center for Technological Innovation at The Wharton School of the University of Pennsylvania, says traditional valuation and return on investment (ROI) models have their place. But reaping the biggest competitive advantage from technology will always require moving before a technology is proven “safe.”

“Since true innovation entails uncertainty, as opposed to quantifiable risk, there will always be an element of vision, entrepreneurship and faith involved,” says Schoemaker, who has authored and co-authored several books and research papers on managing business risk.

“The C-suite recognizes that business is about taking risks and that not everything can be analytically proved or supported when venturing into the unknown. Too often companies focus on incremental innovation – since it is more predictable and less disruptive. But the largest gains in business come from more daring innovations that challenge the paradigm and challenge the organization.” 

In saying “no” to projects that may seem worthy to technologists, managers with budgetary discretion are seeking to minimize downside risk.

“[One] risk is that the market does not reward the initiatives at first, especially if it is already skeptical about the company’s strategy or the caliber of its management team,” Schoemaker notes.

Here’s a scenario that IT professionals managing older networks might recognize: Your team keeps the corporate network functioning for a broad user base, yet the aging infrastructure’s inadequacies show. Precious time is lost every day helping users recover from flooded e-mail inboxes and from terminals frozen by insufficient processing resources. Clearly, migrating to a more adroit, configurable and modern infrastructure is the logical thing to do. But even in good times, getting management buy-in on large capital expenditures can feel more like the 12 Labors of Hercules.

So how exactly do you pitch a virtualization project to those people with the three-letter titles and three-second attention spans?

You communicate the benefits very clearly. Let’s face it, IT and the C-suite can and do speak completely different languages. So if you’re in IT and you’re interfacing with purchasing decision-makers, make sure to speak the lingua franca of business: ROI (Return on Investment). In this corporate dialect, financial data rule. Facts trump best-case scenario projections. On the flip side, over-reliance on anecdotes or meaningless (to them) tech specs could earn you a curt, “We just don’t have the budget for that.”

So whether you’re the CIO or a bit further down in the org chart, communicating effectively across business functions could make the difference between a successful or failed implementation — or no new implementation at all.

Wharton School researchers Felipe Csaszar and Eric Clemons say as much in a research paper that studies how different forms of IT decision-making affect business performance. The paper is titled, “Governance of the IT Function: Valuing Agility and Quality of Training, Cooperation and Communications.”

“Our model shows that the communications skills of the CIO do matter; without good communications skills, the technical capabilities of the CIO may not contribute to effective organizational decision making,” Csaszar and Clemons write.

And that includes decisions about whether or not to sign off on new projects.

Clemons is a professor of operations and information management at The Wharton School of the University of Pennsylvania. Csaszar is a PhD student in Wharton’s management department.

It helps, they said, for the CIO to have some business savvy and for the CEO to possess tech savvy, though obviously this is often not the case.

The Wharton experts also take aim at one oft-promulgated argument that says IT has been commoditized and is, therefore, no longer of strategic business importance. They point out in their research that: “Under most conditions: (1) IT does matter to the performance of the firm; (2) the governance of the IT functional area does affect the performance of the firm; and (3) the CIO’s business savvy and ability to communicate with the rest of the senior management team will affect performance by determining the quality of consensus decisions reached and the speed with which consensus is achieved.”

In other words, brush up on your business communication skills — it will affect not just life in the IT shop, but the performance of the entire organization.