Risk Management

Appleton Greene – Risk Management

Importance of IT risk management in corporate governance

The board and senior management must ensure that risk management activity is not carried out in isolation but is well integrated throughout the organization. Senior management must promote awareness and understanding of risks throughout the enterprise and ensure that risk management is embedded into the information technology project methodology, so that employees take risks and their impact on the organization into account in their business decision-making. This may include formal processes for authorization from an independent risk management function for key business decisions. Appropriate governance processes will be established for new business opportunities or risk-taking activities, such as new products, modifications to existing products, new lines of business or entry into new markets, as well as expansions through mergers and acquisitions, to ensure that project risks have been properly assessed and that the organization's risk management systems are able to accommodate and support such activity. Project activities are managed through the project governance structures, while ongoing operational or transactional activities are managed through the existing line management structures. Project governance involves the establishment of an appropriate project risk management framework. The processes within the framework are applied in managing an IT project in order to ensure delivery within cost, scope, and schedule. The risk management framework shall enable the identification, measurement, and continuous monitoring of all relevant and material risks on a group and enterprise-wide basis, supported by robust management information systems that facilitate the timely and reliable reporting of risks and the integration of information across the enterprise. The sophistication of the organization's risk management framework must keep pace with any changes in the corporate risk profile and the external risk environment.
Reporting structures should promote adequate checks and balances, so that deviations from the risk-taking boundaries and parameters outlined by the board and senior management can be quickly identified and escalated to the appropriate level of management, and to the board where appropriate, for prompt corrective action. Our unique consulting services shall guide your project management team on the techniques and processes to embed risk management in corporate governance, to reduce wastage and ensure timely delivery of IT projects. This is achieved through the establishment of a suitable risk governance structure and processes.


Develop a risk management plan or the project will fail

A clear definition and statement of the areas of impact and boundaries of a project should be established, no matter how small the project. The objectives of the project and its expected outputs need to be defined and agreed with the project stakeholders. A project should be achievable within a relatively fixed time frame and resource constraints, and the scope of a project should take these factors into consideration. What will be the potential damage to the organization if the project is late? The most important areas to look at are the threats and how to manage them in order to minimize the risks to the business. It is difficult, if not impossible, to do this without a risk management plan. Risk management activities are the project manager's accountability and everyone's responsibility, and they should be performed in a proactive way. The objective of risk management is to give the project manager the necessary knowledge and instruments to face any events that might have an impact on the project objectives. Many problems that arise in software development were first recognized as risks by someone on the project staff. Caught in time, risks can be avoided, negated or have their impacts reduced. Proactively managing risks implies determining a strategy that will prevent the risk from becoming a problem or will limit its impact if it does. The strategy to manage risks typically includes reducing the negative effect or probability of the threat, transferring the threat to another party, avoiding the threat or even accepting it. There are always risks associated with a project. The purpose of risk management is to ensure that levels of risk and uncertainty are properly managed so that the project is completed successfully. It enables the participants in a project to identify possible risks, the manner in which the risks can be contained and the likely cost of mitigation strategies.
You definitely need a risk management plan to do this. Our risk management consulting team has the expertise to take you through each and every process required to develop and execute the risk management activities defined in the risk management plan. When a company is proactive and creates a risk management plan, it sends a positive message about the business. Employees feel confident that they are working for a resourceful and responsible company, and customers have assurance that they are doing business with a company that is proactive and professional. Overall, having a risk management plan shows that a company is reputable and holds itself to a high standard. Our professional risk management consultants with vast experience in IT risk management are always available to implement the appropriate risk management processes that will improve efficiency, reduce wastage, improve communications, and help you to deliver your project within the risk boundaries expected by the executive management.


Make information security an integral component of risk control

All information systems, including operational systems, systems under development, and systems undergoing modification or upgrade, are in some phase of a system development life cycle (SDLC). Requirements definition is a critical part of any system development process and begins very early in the life cycle, typically in the initiation phase. Security requirements are a subset of the overall functional and non-functional (e.g. quality, assurance) requirements levied on an information system and are incorporated into the system development life cycle simultaneously with the functional and non-functional requirements. Without the early integration of security requirements, a significant expense may be incurred by the organization later in the system development life cycle to address security considerations that could have been included in the initial system design. When security requirements are considered as an integral subset of other information system requirements, the resulting system has fewer weaknesses and deficiencies and, therefore, fewer vulnerabilities that can be exploited in the future. Early integration of information security requirements into the system development life cycle is the most cost-effective and efficient method for an organization to ensure that its protection strategy is implemented. Ensuring that information security requirements are integrated into the organization's system development life cycle processes, regardless of the type of life cycle processes employed, helps facilitate the development and implementation of more resilient information systems, reducing risk to organizational operations and assets, individuals, and other organizations. This can be accomplished using the well-established concept of integrated project teams and a well-defined risk management framework.


Apply quantitative risk analysis in budgeting

Preparing your project budget is a tedious and time-consuming task. How do you get it right when you face all sorts of possibilities and uncertainties at the initial stage of the project, where most things have not been finalized? To prepare for these possibilities you will need to estimate the cost should these uncertainties or threats hit the project. A risk contingency budget can be established to prepare in advance for the possibility that some risks will not be managed successfully. The risk contingency budget contains funds that can be tapped so that your project does not go over budget. The question is how you know how much money to place into the risk contingency budget account. One of the techniques is to use the Expected Monetary Value (EMV) to quantify a risk in budget terms from the probability that the risk occurs and its impact on the project should it occur. A particular risk is usually associated with a specific project activity that requires some level of effort by the project team. There could be material and other associated expenses required to execute the work, including third-party services. You need to identify the cost of the material, the cost of subcontracting services, the cost of external consultants, any expenses expected to be incurred in connection with the consultants, et cetera. So it is not straightforward to compute the contingency cost unless you have the tool and the knowledge to do it.
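As an added illustration of the EMV technique described above (example code written for this page, not part of Appleton Greene's material), the following Python computes a per-risk EMV from a constructed risk register, sums the EMVs into a contingency reserve, and ranks the risks by how much of the reserve each one drives. The cost categories follow the ones listed in the text (material, subcontracting, consultants, consultant expenses); the risk names, probabilities and amounts are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Risk:
    """One entry in a project risk register.

    The cost fields are the components the text lists as incurred only if the
    risk materialises. Their names are assumptions made for this example.
    """
    name: str
    probability: float          # chance the risk occurs, from 0.0 to 1.0
    material: float = 0.0
    subcontracting: float = 0.0
    consultants: float = 0.0
    consultant_expenses: float = 0.0

    def __post_init__(self) -> None:
        # A probability outside [0, 1] or a negative cost would silently
        # corrupt the reserve, so reject such entries up front.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        for field_name in ("material", "subcontracting", "consultants", "consultant_expenses"):
            if getattr(self, field_name) < 0:
                raise ValueError(f"{self.name}: {field_name} must not be negative")

    def impact(self) -> float:
        """Full cost if the risk occurs: the sum of the cost components."""
        return self.material + self.subcontracting + self.consultants + self.consultant_expenses

    def emv(self) -> float:
        """Expected Monetary Value: probability of occurrence times impact."""
        return self.probability * self.impact()


def contingency_reserve(risks: Iterable[Risk]) -> float:
    """Risk contingency budget: the sum of every risk's EMV."""
    return sum(r.emv() for r in risks)


def rank_by_emv(risks: Iterable[Risk]) -> List[Risk]:
    """Risks ordered from largest to smallest EMV, i.e. those that dominate the reserve."""
    return sorted(risks, key=lambda r: r.emv(), reverse=True)


def reserve_share(risks: Iterable[Risk], base_budget: float) -> float:
    """The reserve as a fraction of the base project budget (0.05 means 5%)."""
    if base_budget <= 0:
        raise ValueError("base_budget must be positive")
    return contingency_reserve(risks) / base_budget


# Constructed sample register: risks, probabilities and costs are invented for illustration.
SAMPLE_REGISTER = [
    Risk("SIT environment not ready on time", 0.30, subcontracting=20000, consultants=15000),
    Risk("Test data migration fails", 0.20, consultants=10000, consultant_expenses=2000),
    Risk("Key developer leaves mid-project", 0.10, subcontracting=40000),
    Risk("Hardware delivery delayed", 0.25, material=8000),
]


def print_register(risks: Iterable[Risk], base_budget: float) -> None:
    """Tabulate the register, highest EMV first, followed by the reserve total."""
    risks = list(risks)
    print(f"{'Risk':<36} {'P':>5} {'Impact':>10} {'EMV':>10}")
    for r in rank_by_emv(risks):
        print(f"{r.name:<36} {r.probability:>5.2f} {r.impact():>10,.0f} {r.emv():>10,.0f}")
    reserve = contingency_reserve(risks)
    print(f"{'Contingency reserve':<36} {'':>5} {'':>10} {reserve:>10,.0f}")
    print(f"Reserve is {reserve_share(risks, base_budget):.1%} of the {base_budget:,.0f} base budget")


if __name__ == "__main__":
    print_register(SAMPLE_REGISTER, base_budget=500000)
```

The ranking is the part worth keeping in a real register: a reserve of 18,900 on the sample data looks modest, but one risk (the SIT environment) accounts for more than half of it, which tells the project manager where a cheap mitigation would shrink the reserve the most.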


Treat risk differently for each project

Every project is different. No two projects carry the same risks, even though they may look similar. For example, the business requirements for a payroll system for company ABC may share some common functionality with those for company XYZ, but their business processes could be different. Because of these differences, you can expect different types of risks to affect the payroll systems of the two companies. It is not feasible or advisable to respond to each and every threat identified in a project, because avoiding all threats requires resources to be diverted away from the real project work. Furthermore, the cost that needs to be allocated for contingencies and mitigations will reach the point where the implementation of the project can no longer be justified. A risk strategy is the response we make to a risk identified during the risk assessment process. In the case of companies ABC and XYZ, we cannot apply the same risk strategy to both payroll projects, even though we may have experience implementing similar projects for a number of companies in the past. By applying the correct response to each risk you will save cost and reduce unnecessary wastage. Some risk mitigation plans cost less to execute, while others may cost more. Our expertise in dealing with the different types of risk facing a software project will help an organization with decision-making, improved communications across project stakeholders, and improved effectiveness in risk management.


Monitor high impact risks during software testing

System testing and acceptance is one of the major milestones in the software development life cycle, during which the focus of system validation efforts shifts from the team members responsible for developing the application to those who will ultimately use the system. This is the critical phase of the system development life cycle in which all the components of the application are tested together, following the system test plan developed during the system design phase. In this process, commonly known as system integration testing (SIT), any component that fails is sent back to the development team for rectification and re-tested until it is error-free. One of the major risks facing SIT is the execution of testing activities that depend on the result of another testing activity that precedes them. More time and cost must be allocated for this kind of testing because the testing environment cannot be shared during its execution. Other risks include the readiness of the SIT environment, the migration of test data, the technical configuration of the computer system, which needs to be identical to the production environment, and much more. The system testing and acceptance phase also includes user acceptance testing, the testing of the functional components by the business users. Failure to manage risk during the system testing and acceptance phase will result in increased cost, an extended project schedule, and reduced project quality. Our professional risk management services will assist customers in monitoring and controlling risk in their IT projects, with improved effectiveness in controlling risks, improved assessment of critical risks, and improved project governance.


Consult and communicate regularly

Without communication management, the implementation time frame, budget, and scope can easily be derailed by any number of risks arising from unforeseen changes in customer requirements. It is incumbent upon a risk manager to stress the importance of communication throughout the entire process. Only through proactive communication will a team be able to assess and plan for the short- and long-term impacts and benefits of risk management on a user's productivity, job satisfaction, and connection to the rest of the organization. Communication is key to building trust and effectively managing expectations. Effective communication and consultation are essential to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which decisions are made and the reasons why particular treatment options are selected. Once a risk is understood, the risk and its management strategy must be clearly communicated to organizational management in terms that management can easily understand. Risk management is enhanced through effective communication and consultation when all parties understand each other's perspectives and, where appropriate, are actively involved in decision-making. Our professional risk management consultant will implement the appropriate risk management processes, including communication and consultation with internal and external stakeholders during any and all stages of the risk management process, particularly when plans are first being considered and when significant decisions need to be made.


Risk management requires commitment by all stakeholders

To be successful, project risk management requires a commitment by all project stakeholders. In particular, the project sponsor or client, senior management, the project manager, and the project team must all be committed. For many organizations, a new environment and a commitment to following organizational and project processes may be required. For many managers, the first impulse may be to shortcut or sidestep many of these processes at the first sign that the project is in trouble. A firm commitment to a risk management approach will not allow these impulses to override the project management and risk management processes that the organization has in place. Project stakeholders must be committed to all aspects of the risk management functions, from the initiation phase of the project until completion. Risk planning is the first step and begins with a firm commitment to the entire risk management approach from all project stakeholders. This commitment ensures that adequate resources will be in place to properly plan for and manage the various risks of the IT project. These resources may include time, people, and technology. Stakeholders must also be committed to the process of identifying, analyzing, and responding to threats and opportunities. Too often plans are disregarded at the first sign of trouble, and instinctive reactions to situations can lead to perpetual crisis management.


Not understanding the benefits of risk management

Often the project sponsor or client demands results. They may not care how the project team achieves its goal and objectives, just as long as it does! The project manager and project team may rely on aggressive risk taking with little understanding of the impact of their decisions. Conversely, project risks may also be optimistically ignored when, in reality, they may become real and significant threats to the success of the project. Unfortunately, risks are often schedule delays, quality issues, and budget overruns just waiting to happen. Risks can result in substandard productivity and higher than average project failure rates. Project risk management is becoming an important sub-discipline of software engineering. It focuses on identifying, analyzing, and developing strategies for responding to project risk efficiently and effectively. It is important, however, to keep in mind that the goal of risk management is not to avoid risks at all costs, but to make well-informed decisions as to which risks are worth taking and to respond to those risks in an appropriate manner.


Not providing adequate time for risk management

Risk management and the ensuing processes should not be viewed as an add-on to the project planning process but should be integrated throughout the project life cycle. The best time to assess and plan for project risk, in fact, is at the earliest stages of the project, when uncertainty is highest. Catastrophic problems or surprises may arise that require more resources to correct than would have been spent earlier avoiding them. It is better to reduce the likelihood of a risk, or to be capable of responding to a particular risk, as soon as possible in order to limit the risk's impact on the project's schedule and budget. Project risk management also provides an early warning system for impending problems that need to be addressed or resolved. Although risk has a certain negative connotation, project stakeholders should be vigilant in identifying opportunities. Although many associate uncertainty with threats, it is important to keep in mind that there is uncertainty when pursuing opportunities as well. Executive management must provide sufficient resources for risk management in order to improve decision-making, process optimization, capital allocation, and cost-benefit realization.


Risk owner responsibilities need to be defined

It is important that each risk have an owner. This owner is someone who is involved in the project, who takes responsibility for monitoring the risks in the project in order to identify any new or increasing risks, and who makes regular reports to the project sponsor or client. The position may also require the risk owner to ensure that adequate resources are available for managing and responding to a particular project risk. Ultimately, however, the project manager is responsible for ensuring that appropriate risk processes and plans are in place. The project manager is assisted by a risk owner, called the risk manager, who oversees the risk management aspect of the project from the initial phase until implementation. Large or medium-scale projects require a risk manager to ensure that the assessment of the risks and the responses to each risk are handled professionally, following the adopted risk methodology and framework. A risk manager involved with an e-business project has a challenging role that requires knowledge of data security risks and regulatory compliance.


Not identifying and assessing risk using a standardized methodology

Without a standardized risk management methodology, both threats and opportunities can be overlooked. Consequently, more time and resources will be expended on problems that could have been avoided; opportunities will be missed; decisions will be made without complete understanding or information; the overall likelihood of success is reduced; and catastrophic problems or surprises may occur without advance warning. Moreover, the project team may find itself in a perpetual crisis mode. Over time, crisis situations can have a detrimental effect on team morale and productivity. It is a lot easier to execute the risk management activities in the order the methodology defines while still having the flexibility to skip those that are not applicable. Some tools and techniques used in risk assessment may be appropriate for a specific risk but not applicable to another, even though the two belong to the same risk category.


Appleton Greene

Dr. Shamsuddin is an approved Senior Consultant at Appleton Greene and has experience in information technology, management and e-business. He holds a Doctorate of Philosophy in Information Technology Management, a Master of Science in Project Management and a Bachelor of Science in Mathematics. He has industry experience within the following sectors: Consultancy; Banking & Financial Services; Technology; Education and Telecommunications. He has had commercial experience within the following countries: Indonesia; Thailand; The Philippines; Malaysia and Singapore, or more specifically within the following cities: Kuala Lumpur; Bangkok; Manila; Jakarta and Singapore. His personal achievements include: maintaining risk exposure below budget; risk governance for software development; implementing a project risk management framework; IT and risk management integration; and risk consulting & corporate governance. His service skills incorporate: risk management; project management; bid management; software development and training services.
