Home >> Guidelines for Managing and Monitoring Major IT Projects [archived] >> Section 2 Strategic Alignment >> Risk Management Strategy
Guidelines for Managing and Monitoring Major IT Projects [archived]
Publication Home
Previous
Next
View all on one page

Contents

Risk Management Strategy

Last updated: 6 July 2002

The Australian and New Zealand Standard (AS/NZS 4360 1999) defines risk, as "the chance of something happening that will have an impact on objectives. It is assessed in terms of consequences and likelihood".

Risk management is the "systematic application of management policies, procedures and practices to the tasks of identifying, analysing, assessing, treating and monitoring risk".

Principle

  

Guideline

The risk management strategy sets out a process for identifying, documenting and treating potential risks.

  

A risk management strategy will be prepared for each project. The strategy will include:

  • Identified risks.
  • Impact if they occur.
  • Likelihood of occurrence.
  • A mitigation (or treatment) process.

Risks are associated with:

  • The business
  • Technology
  • The project
  • External (e.g. political).
  

Business risks to consider include:

  • The dependency of the department on the proposed system.
  • The management and other skills that are available to deliver the benefits from the system.
  • The ability to implement any necessary changes in departmental infrastructure.
  • Risks associated with links between the department and other businesses or operations.
  • Impact on 'business as usual' and people during transition and implementation.
   

Technology risks to consider include:

  • Adopting unknown, complex or changing technologies.
  • Inadequate existing skill levels.
  • The use of unproven hardware and/or software environments.
  • Implementing proven software in un-proven environments.
  • Changes required to the existing IT infrastructure and its interface with the department.
  • An assessment of the risks associated with potential suppliers and their services.
  • Rate of obsolescence.
   

Project risks to consider include:

  • Management commitment.
  • Project management expertise.
  • Resource capability and availability.
  • Cost variations (over/under).
  • Supplier relationships.
  • Inadequate planning for transition and implementation.
  • Inadequate training of staff in the new technology or system.
   

External political risks to consider include:

  • Possible impact of political change.
  • The effects of major changes such as restructuring of a department.
  • Changes in Government policy.
  • Impact on stakeholder groups/external users.

Quantitative risk analysis provides structure for assessing and treating risks.

  

Quantitative risk analysis involves:

  • Assessing the impact and probability of each risk.
  • Modelling the project outcomes on simulations of these risks, to produce an estimated probability distribution of total costs.
  • A final probability distribution, describing the range of outcomes and their relative likelihood.

Unless relevant Ministers agree that the size and nature of the project do not warrant this approach, quantitative risk analysis should be used as the basis for:

  • Appropriations.
  • Access to contingency funding.
  • Cash draw-downs for major IT projects.

Quantitative risk analysis (QRA) enables more accurate project costing.

  

QRA or risk modelling is an essential part of the approval process.

How it is operationalised will be determined on a case-by-case basis.

Common Risks Inherent in IT Projects

Strategic Alignment

  • Gaps exist in alignment with the business strategy from a planning and technology perspective.
  • The completed system does not meet required business outcomes.
  • The business cannot be sustained during the project lifecycle.
  • The department does not have the capability to deliver the changes.
  • Projects are not scaled from a risk perspective.
  • The justification for the project is not based on clearly identified business outcomes.
  • Risks are not managed as they arise.
  • All risks are not fully assessed and provision for them is inadequate.

Examples of business risk:

  • Restructuring the department, with direct impact on the project scope and business benefits.
  • Lack of visible senior management sponsorship and leadership.
  • Change of Project Sponsor or Chief Executive, and consequent change in commitment to the project.
  • Changes in key project staff, with the change of Project Manager the most critical.
  • Lack of capability of suppliers (more often the smaller suppliers) to resource projects over a long duration.
  • Failure to specify requirements clearly, or to focus on the business needs, exposes the department to major scope change.

Examples of technology risk:

  • The supplier withdraws support for a major component.
  • The system specification was based on the functionality of a component that did not perform as expected (which can apply to hardware, packaged software or the features of the software language being used).
  • Functionality can be developed as specified but the time or expertise needed was underestimated.
  • Resource or expertise for particular technical components cannot be obtained easily.
  • Obsolescence - the technology is out-of-date before it is fully implemented.

Examples of project risk:

  • 'Risk of disclosing risk', the predilection of project team members to understate risks and difficulties in order to protect the status and morale of a project.
  • Reporting that seems to suggest that "everything's fine", even when other project indicators do not support this position.
  • Inexperienced project manager and poor communication within project team.
  • Lack of practical business knowledge skills on the project team.
  • Failing to execute a planned programme of regular communication (internally and externally) about the progress of the project.

Examples of political risk:

  • Legislation is passed affecting the scope of the project without consideration of its impact on the current project plan, with the expectation that the original business case will be maintained.
  • Public exposure of project problems diverts resources from dealing with the problems to reducing the fallout from the publicity.
  • Short-term political imperatives may be in conflict with longer-term business and project objectives, and may trigger changes in project scope, with potential unacknowledged impacts on the project.
Publication Home
Previous
Next
View all on one page