IT Risk Management
CIO’s Guide to Risk Management
Agenda
• Introductions
• IT Management Basics
• IT Risk Management
• Managing Application Support Risks
• Application Management Case Study
• Managing Project Risks
Agenda
Computer Aid, Inc
• 30 Years in IT Consulting Services Business
• Privately Held Entrepreneurial Organization
• 3,000 Associates Worldwide
• $300 Plus Million in Revenue in 2011
• Offices in 34 U.S. Metropolitan Areas
• Global offices in Toronto, London, Sydney, Kuwait, and Singapore
• Off-shore delivery: Philippines, China, Argentina, Ethiopia, and India
• Headquarters: Allentown, Pa.
Introductions
CAI Managed Services
• Application Support Outsourcing
  – Assume full responsibility for support
  – Fixed Price
  – Service Level Commitments
  – Continuous Improvement Commitments
• Application Development
  – Fixed Price Proposals
  – On-Time, On-Budget, High Quality, Warranty
• Help Desk Outsourcing
  – Service Level Commitments
  – Fixed Price
CAI Clients
• Manufacturing
• Retail
• Services
• Financials
• Transportation / Logistics
• Insurance
• Utilities
• Government
• Education
Agenda
• Introductions
• IT Management Basics
• IT Risk Management
• Managing Application Support Risks
• Application Management Case Study
• Managing Project Risks
IT Management Basics
What is the mission of IT?
Deliver the Information Processing Capability required by the business at a cost that represents value
IT Services
• Implement, operate, and support
  – Infrastructure (servers, mainframes, networks)
  – System software and Tools
    • Operating Systems
    • Data Query and Reporting
    • E-mail and Internet Access
    • Application design, development, and support tools
• Design, build/purchase, install, operate and support application software to support the business
• Store, protect and provide secure access to business information
• Provide consulting services to the business
Dimensions of IT Management
• Strategy and Business Alignment
  – Strategic Planning: Management Vision, Philosophy, and Objectives
  – Business Planning: Identify Business Needs
  – Portfolio Management: Initiate and prioritize projects
  – Budgeting: Authorize with budgets and funding
• IT Services
  – Technology Architecture: Languages, DBMS, Network
  – Infrastructure Operation: Operations Processes
  – Application Development: SDLC, Project Management, Standards
  – User Support and Services: Help Desk, SLA’s
• Administration and Control
  – Human Resource Management: HR Policies, Training
  – Supplier Management: Purchasing
Dimensions of Project Management
• Cost
• Schedule
• Scope
• Quality
• Risk
• Integration
• Communication
• Human Resources
• Procurement
• Methodology
Dimensions of Operations & Support Management
• Reliability
• Availability
• Capability
• Timely
• Responsive/Performance
• Flexibility/Adaptability
IT Risk Management
What is an IT Risk?
The possibility that IT will not be able to deliver the required capability
SEI Service CMMI
• Identify the “Commitment to Deliver”
• Establish the “Ability to Deliver”
• Deliver
Note: Risk identification and mitigation are ongoing activities … requirements change which results in new commitments.
Risk Management (NASA)
• Identify - scenarios for failure
• Analyse - likelihood and consequence of failure
• Plan - actions required to track and control risks
• Track - program performance against plan
• Control - risk issues and verify effectiveness
• Communicate and Document
Identify & Analyse Risks
• Strategic
  – Does the business strategic plan address information processing capabilities?
  – Is there a reasonable budget?
  – Does the Information Processing strategy directly link to business goals and objectives?
Identify & Analyse Risks
• Service Management Processes
  – Do the services management processes adequately address the following areas?
    • Change and Quality Management
    • Incident and Problem Management
    • Availability and Capacity Management
• Service Level Commitments
  – What type of commitments does IT make (by area)?
  – Are they reasonable?
  – What scenarios would prevent IT from meeting the commitments?
  – Can IT respond to changing requirements?
Identify & Analyse Risks
• Application Architecture
  – Is the technology obsolete?
  – Does the application provide flexibility to respond to changing business requirements?
  – Is the application reliable and available when needed?
  – Does it handle spikes in processing volumes?
• Hardware and System Software
  – What scenarios would impact this area?
  – What is the required capacity, availability, and security?
  – Do we have visibility of availability, reliability, and performance?
  – Can faulty components be replaced?
  – Can we identify trends?
Identify & Analyse Risks
• Application Operations and Support
  – Do the applications provide the required capabilities?
  – How often do they need to be enhanced?
  – How often do they need to be fixed?
  – What knowledge is required to operate and support?
  – Are they reliable, flexible, easy to use?
  – Is the technology obsolete?
  – Can they be easily updated to support changing requirements?
  – What do they cost and what value is provided?
Risk Planning
• Define success or the “commitment to deliver” (SLA’s, dates, estimates, scope)
• Analyse the “ability to deliver” including processes, tools, infrastructure, applications, staff, and knowledge
• Identify gaps or scenarios where the ability to deliver will not be able to meet the commitment
• Identify prevention or response actions
Track Progress
• Is the available capacity for processing and services aligned with the demand to meet business needs without wasting resources?
• Are SLA’s being met?
• Are processes being followed?
• What is the level of quality and the reason for defects?
• Is the staff size and their knowledge level adequate to meet the service demand?
Control
• Is there a formal risk management process?
• Are all risks logged?
• Has responsibility for mitigation or prevention been assigned to an owner?
• Are problems analyzed to determine the risks that have not been addressed?
• Is there a problem management process for permanently fixing problems and eliminating risk?
Communicate
• Is there a formal risk management plan?
• Are known risks communicated to the staff so they can be aware of the risks?
• Does the business participate in the prioritization and mitigation of risks?
• Are the causes and impacts of problems communicated?
Scenario:
Managing Application Maintenance Risks
Application Risk Areas
• Do the applications provide the required capabilities?
• How often do they need to be enhanced?
• How often do they need to be fixed?
• What knowledge is required to operate and support?
• Are they reliable, flexible, easy to use?
• Is the technology obsolete?
• Can they be easily updated to support changing requirements?
• What do they cost and what value is provided?
Plan and Manage
• Inventory applications and their capabilities, availability requirements, and redundancies.
• Implement application management processes to track costs, changes, quality, and value to business.
• Identify missing or deficient capabilities and how often they need to be enhanced. Initiate enhancements to provide user-controlled configuration.
• Eliminate recurring problems by implementing fixes.
• Document required knowledge and facilitate orientation or cross-training of staff.
• Identify solutions for replacing obsolete technologies.
• Develop a retirement strategy.
Management Capability: Visibility
• What services are needed?
• What services are provided?
• When are they provided?
• How often?
• Why are they provided?
• How much do they cost?
Management Capability: Control
• Were the services authorized?
• Did they deliver the correct result?
• Were standard processes followed?
• Were the services delivered on-time and on-budget?
• Did the customer receive value?
Management Capability: Optimization
• Reduce Risks and Costs
• Improve Quality
• Improve Processes
• Improve Customer Satisfaction
• Increase Value to the Business
Case Study:
Highmark Service Excellence Project
Service Excellence Project
Objective:
Improve IT’s ability to meet or exceed commitments to the business
Year 1 Goal:
Increase value to the business by increasing time spent on enhancements from 4% to 18%
Achievements
• Time spent on enhancements increased to 22.5% in 9 months and 36% after 18 months
• Enhancement backlog was eliminated
• Application Problems and Support costs were reduced
• Business management received increased visibility and control of their requested services, required hours, and cost
• Increased Customer Satisfaction
Risk Assessment Results
• Service requests were not logged
• Service Level Goals are not formally defined
• Most of the available resource hours are spent resolving incidents resulting in a large backlog of projects
• Customer satisfaction was not measured but it was assessed as poor based on informal feedback
• Most of the support management processes were informal and team specific
• Knowledge was undocumented resulting in a dependence on “hero” experts for each application
• “Reactive” management because of limited visibility and control
Solution Framework
Visibility
• Services
• Resources
• Performance
• Metrics
Control
• Implement Processes
• Commitments/SLA’s
• Enforce Processes
• Authorize Services
Optimise
• Improve Processes
• Reduce/Prevent Problems
• Increase Value
Resulting Business Value
• Increased quality, reduced rework and application problems, and reduced support costs
• Improved process maturity
• Implemented metrics to support ongoing improvement initiatives
• Increased staff effectiveness and productivity
• Reduced risk
• Improved performance against commitments which improved customer satisfaction
Case Study
Pa. Department of Transportation
Application Management and Outsourcing
PennDOT Introduction
Provides Transportation Management for the Commonwealth of Pennsylvania
• Created in 1970 to streamline transportation management
• Annual budget of over $6 bn of state and federal funds
• Total 121,000 miles of state and local highways
• Total 55,000 state and local bridges
• Manage 40,000 miles of highway and 25,000 bridges
• 12,000 employees
• 11.3 Million vehicle registrations
• 8.7 Million driving licenses
• Safety and Emissions control inspection programmes
Commonwealth Directive “Do more with less”
Commonwealth Budget 2011-12
• Balance budget with no tax increases
• Refocus investment in core functions of government
• Reduce general fund budget by 4% ($1.17 billion)
• State spending overall reset to near 2008-09 levels
• State agencies are directed to focus on delivery and reduce administrative overhead
Success
• 76,500 Function Points added
• 0.2% defect rate
Scenario:
Managing Project Risks
Risk Analysis: Why Projects Fail?
Standish Chaos Report
• Incomplete Requirements 13.1%
• Lack of User Involvement 12.4%
• Lack of Resources 10.6%
• Unrealistic Expectations 9.9%
• Lack of Executive Support 9.3%
• Changing Requirements 8.7%
• Lack of Planning 8.1%
• Didn't Need It Any Longer 7.5%
• Lack of IT Management 6.2%
• Technology Illiteracy 4.3%
• Other 9.9%
The solution begins with accountability
• Who is responsible for managing project risk?
• Who is responsible for project success?
• Who is to blame for project failures?
• Does the IT project team have unrealistic expectations of the business?
• Does the business have unrealistic expectations of the IT project team?
Mitigating Project Risks
• Clearly defining Requirements minimizes changes and re-work
• Establish an achievable Scope based on available resources, budgets, and expected completion date
• Plan the project to avoid Resource downtime and minimize schedule disruptions
• Identify Issues early to prevent problems and avoid the resulting re-work
Will you be successful?
Effective Risk Management answers this question
• Required Information
  – Timely and accurate project performance data
  – Opinions/feedback from all participants
  – Status of all open issues
• Risk Analysis
  – Is the project on-time and on-budget for completed tasks?
  – Is the project on-time and on-budget for active tasks?
  – Has anything changed (scope, resource availability, customer satisfaction, levels of overtime)?
  – What is the reason and impact of the change?
  – What is the impact of open issues?
Information Requirements
• Stakeholder and Team Communications
  – Requirements
  – Status
  – Issues/Concerns
• Project Performance data
  – Actual effort/cost vs. estimates
  – Total Changes and the impact of changes
  – Total Re-Work by reason (requirements changes vs. errors)
  – Lost time due to schedule disruptions
Solutions
• Improve communications with all project participants without disrupting progress
• Ensure compliance with processes
• Collect and analyze project performance metrics to identify trends and new risks
• Efficient staff orientation to the project and the management processes to enable agile staffing
• Establish accountability
How does CAI succeed?
• Repeatable Processes are used to manage requirements, scope, schedules, risk, issues, changes, quality, and resources
• Tracer Service Management Tool provides visibility (metrics) and status into all assigned activities across projects and support
• Automated Project Office Answers the question “Will we succeed?”
  – Early identification of risks by conducting project health assessments to analyze project performance metrics and surveys of participants and stakeholders
  – Validates compliance with processes
Automated Project Office Visibility of Issues
How can CAI help you?
• Fixed price Application Development services
• Application Support Outsourcing to allow your staff to work on projects
• Project Management and Transformation consulting to improve effectiveness
• Automated Project Office tool to enable a rapid project office implementation
• ITMPI – IT Metrics and Productivity Institute provides access to resources and knowledge from world-renowned experts in various fields
Thank You.