Best practice risk management for IT projects
Today’s IT projects usually represent a major deliverable of a wider enterprise program and their success or failure can have a massive impact on the business.
Many failures in IT projects have their roots in poorly defined requirements, lack of stakeholder engagement, changes in staffing and technology over the life of the project, and unsolicited changes that move the goal posts. None of these issues is new; the challenges of long, complex IT projects are well known.
The concept of risk management is gradually seeping into organisations’ approach to IT projects. However, rather than being a bolt-on, it needs to be an integral part of the organisation’s culture. Current best practice is to treat ‘risk’ as an uncertainty that could either be a positive opportunity or a negative threat.
IT projects face a number of challenges in addressing risk. Too often there is no clear link between the project and the organisation's key strategic priorities, and no agreed measures of success.
An absence of clear senior leadership, combined with a failure to engage with stakeholders to understand their requirements and their perceptions of risk, has hampered many IT projects from the start. Lack of training, knowledge and formal risk tools and techniques are also major challenges. As a starting point it is essential to understand the organisation's level of maturity in its management practices and to identify the areas where improvement is required.
Best practice risk management
IT projects are notorious for finishing late or costing too much. A lack of defined objectives is another common cause of project failure, and ill-defined objectives are themselves a source of risk. The risk management process addresses this directly: as a starting point it requires documented objectives. Once the objectives are defined, the next step is to identify the threats that could cause those objectives to be missed and the opportunities that could support their completion.
A risk-aware organisation should create a risk framework that includes a defined risk management process enabling IT projects to be implemented with a full understanding of the inherent risks.
The M_o_R Guidance for Practitioners, derived from the ISO 31000 guidance on risk, offers advice and practical techniques to help develop a best practice approach to risk management. It emphasises setting clear goals and objectives right at the start of a project and agreeing these with sponsors. This is part of the first step in the process, 'identifying context', which also includes gaining a clear understanding of stakeholders' requirements, setting expectations and planning how to maintain the engagement of sponsors.
IT projects can be long and complex, which gives rise to risks from the inevitable turnover of staff and the loss of pace as new technologies emerge. The guide offers an approach to dealing with these types of risks and many more. Commonly, at the beginning of a major IT project the sponsor is enthusiastic about it, but their interest may wane as other issues capture their attention. Continued commitment is key.
There are also likely to be disagreements at a later stage between suppliers, users or other stakeholders. Someone has to make the call, and this is just one of the many responsibilities of the sponsor. To address this, the M_o_R Guidance provides a complete list of generic risk management roles and responsibilities that can be tailored to suit the size and complexity of the project.
Change control
IT projects also suffer from the risk of uncontrolled changes in scope. Often, while a software solution is in development, stakeholders will ask for what looks, superficially, like a small tweak. But the change may be complex to code or have wider repercussions. An enlightened organisation will put in place a clearly defined change control procedure that assesses the impact of each change request on time, cost and quality. Too often, however, the procedure forgets to ask, 'does this present a risk?', whether a threat or an opportunity.
Poor estimation of time and cost has torpedoed many an IT project. The estimating techniques to be used should be clearly documented in each project's risk management strategy. With risk at the heart of IT project management, supported by practical risk management tools, CIOs will be in a good position to bring in projects painlessly, on time and on budget, whatever life throws at them on the way.