Know Before They Code Conducting Critical IT Risk Assessments

Upload: bartholomew-lee

Post on 24-Dec-2015

Page 1: Know Before They Code Conducting Critical IT Risk Assessments

Know Before They Code

Conducting Critical IT Risk Assessments

Page 2: Know Before They Code Conducting Critical IT Risk Assessments

© Solitaire Interglobal Ltd. 2

Kat Lind

Ms. K.R.E. Lind (Kat) is the Chief Systems Engineer at Solitaire Interglobal, Inc. (SIL). She has more than 45 years of experience in risk, analysis, general analytics and the management, design and implementation of large scale, high performance database systems. Kat is a frequent guest speaker at conferences and symposiums, spanning technical and user perspectives. She teaches a full curriculum relating to the design, implementation and tuning of database deployments at a graduate level. Ms. Lind’s expertise has been acknowledged by published interviews in nationwide and international magazines, typified by a recent interview for IBM Systems Journal. Published extensively, Ms. Lind has authored articles, books on technical subjects and papers covering a wide range of topics.

Ms. Lind has been instrumental in developing SIL’s predictive performance modeling (PPM) which uses applied chaos theory and catastrophe mathematics. Under her direction, SIL has widened the scope of PPM beyond IT to areas such as marketing, general analytics, operational forex and more. Her in-depth, broad experience spans many industries such as finance, manufacturing, health care, government, transportation, etc. Ms. Lind’s technical expertise is considerable, as it has grown and evolved for more than 45 years of working with analytics, business intelligence, risk and large masses of data.

Page 3: Know Before They Code Conducting Critical IT Risk Assessments


Session Objectives

• Discuss the demonstrated patterns of pivotal decision points, scope control, information needs and process isolation for IT risk assessments.

• Illustrate each section with supporting analysis from other organizations’ successes and failures.

Page 4: Know Before They Code Conducting Critical IT Risk Assessments


Expected Outcomes

• Understanding of the critical functionality and the controls that are present in an IT risk assessment

• Knowledge of task flow and dependencies in an IT risk assessment effort

• Insight needed to build a basic project plan for IT risk assessment

Page 5: Know Before They Code Conducting Critical IT Risk Assessments


Risk and SIL

SIL performed 300,000+ risk assessment models in 2014, of which 76% dealt directly with IT risk analysis. Risk assessment for IT goes beyond normal risk and exposure considerations.

SIL’s methodology covers areas that have been shown to be critical to effective risk evaluation in the IT arena.

Page 6: Know Before They Code Conducting Critical IT Risk Assessments


IT Risk – Definition and Scope

• Business disruption due to IT failures
  • Component failure
  • Budget or timeframe overrun
  • Security incursions (subject unto itself)
  • Social engineering integration

• Potential exposure to budget or timeframe

• Possible consequences

• Probability of an event

Page 7: Know Before They Code Conducting Critical IT Risk Assessments


IT Risk – Why does anyone care?

• Lost revenue

• Increased cost

• Damage to reputation

• Loss of customers, clients and users

• Reduced productivity

• Erosion of stakeholder confidence

• Staff churn

• Reduction in market share

• Endangered organization viability

Page 8: Know Before They Code Conducting Critical IT Risk Assessments


IT Project Landscape

• IT risk assessment is designed to mitigate risk

• Increasing exposure and risk translate to a need for greater scrutiny and planning

• Over 63% of IT projects fail to meet planned functional requirements

• Over 89% of IT projects fail to meet planned budget

• Over 92% of IT projects fail to meet original schedule

Page 9: Know Before They Code Conducting Critical IT Risk Assessments


Critical Components

• Patterns of pivotal decision points
  • Complexity
  • Timing dependent
  • Integration
  • Volatility

• Scope control

• Information needs

• Process isolation

• Risk identification

Page 10: Know Before They Code Conducting Critical IT Risk Assessments


Case Study #1

• Arena: New application development

• Client: Government transportation department

• Background: Previous three projects failed, loss of over $15M CDN

• Risk profile: High due to complex environment, varying definitions of objectives, lack of success metrics and monitoring

Page 11: Know Before They Code Conducting Critical IT Risk Assessments


Case Study #1 - Results

• Risk assessment: Identified 15 actionable steps to mitigate risk (areas of design, infrastructure, consultant management)

• Areas of focus:
  • JAD held and resulted in joint buy-in and responsibility matrix
  • Targeted CPCM – adjudicated RFP with bonding
  • Oversight on development

• Results: Project ran 3 days over schedule and $15K under budget. Performed without violation of performance bond for three years

Page 12: Know Before They Code Conducting Critical IT Risk Assessments


Case Study #2

• Arena: Functionality expansion

• Client: Government healthcare agency

• Background: Regulation changes forced rapid modification to existing systems

• Risk profile: High due to aged system, deprecated tools, confusion on objectives, elasticity of budget and staffing

Page 13: Know Before They Code Conducting Critical IT Risk Assessments


Case Study #2 - Results

• Risk assessment: Identified 28 actionable steps to mitigate risk (areas of code analysis, infrastructure, change management, testing)

• Areas of focus:
  • Fourdham analysis performed to identify targeted code changes
  • Targeted CPCM to better allocate resources
  • Modeling oversight on development and testing
  • Tracked success metrics

• Results: Code analysis took 8 weeks, but code remediation completed successfully in 3.2 weeks. Project completed in 5 weeks less than regulated timeframe. No additional infrastructure required. Organization was one of only 1.6% to meet deadline and did so with less than 23.5% of the budget required by any of the other organizations.

Page 14: Know Before They Code Conducting Critical IT Risk Assessments


Case Study #3

• Arena: Additional user base

• Client: Financial services organization

• Background: Competition drove need for rapid function enhancement, while acquisition increased user base by 322%

• Risk profile: High due to multi-level complexity, cultural assimilation, lack of clear executive sponsorship, varying sources of budget and staffing

Page 15: Know Before They Code Conducting Critical IT Risk Assessments


Case Study #3 - Results

• Risk assessment: Identified need for further analysis and scope definition

• Final risk assessment: 31 actionable steps to mitigate risk (areas of scope definition, project management, development control, staff supplementation, social engineering)

• Areas of focus:
  • Further analysis and prioritization of enhancements and deployment
  • Definition of executive sponsor and management structure
  • Creation and execution of social engineering plan for messaging, training and collaboration among users and developers
  • Deployment structured in agile phases
  • Oversight on development, training and performance

• Results: Deployment varied from plan by less than 6% by phase. Budget variance was -4% to plan. User feedback was 91% positive after 4 month period. Final review from CEO was that it was the best deployment that he had seen in 37 years.

Page 16: Know Before They Code Conducting Critical IT Risk Assessments


Risk Assessment Process

• Evaluate possible impact

• Determine risk profile (calibration useful)

• Decide if further investigation necessary

• Define scope and view

• Identify success metrics

• Create process flow diagrams for mitigation and management of risk

• Monitor metrics during development

Page 17: Know Before They Code Conducting Critical IT Risk Assessments


Contacts

Kat Lind

Chief System Engineer

Solitaire Interglobal Ltd.

[email protected]

Dianne Almand

Relationship Manager

Solitaire Interglobal Ltd.

[email protected]

770-367-5746