Trial lecture - Risk Management and Open Source Software Adoption - Øyvind Hauge


Upload: oyvind-hauge

Post on 20-May-2015


DESCRIPTION

The trial lecture from my PhD defense with the original topic: Present and discuss relevant conceptualizations of risk and control in business organizations relevant to the process of OSS adoption

TRANSCRIPT

Page 1: Trial lecture - Risk Management and Open Source Software Adoption - Øyvind Hauge


Conceptualizations of risk and control in business organizations relevant to the process of OSS adoption

Trial lecture, Øyvind Hauge

Page 2

53.3% of the respondents thought computer breakdowns were a major concern (Coleman, 2006)

In 2006, the local hospital went a full day without ICT support and a week without wireless phones

Denver Airport, computerized baggage handling fails, 1995 -> costs up to $1 million per day

Therac-25, 1985-1987, overdoses of radiation leading to three deaths

Page 3

Table of contents

1. The scope of this presentation

2. Risk and control

3. Ways of controlling risk

4. Risk and control related to OSS adoption

Page 4

Present and discuss relevant conceptualizations of risk and control in business organizations relevant to the process of OSS adoption

Risk and control

OSS adoption

Business organizations

SE & IS

Page 5

Business organization

• Is a legal entity (private or public)
• Has a
  – Mission to provide either goods or services
  – Owner
  – Budget
• Variations in
  – Size
  – Domain
  – Country
  – Organization form
  – Geographical distribution
  – …

Page 6

Table of contents

1. The scope of this presentation

2. Risk and control

3. Ways of controlling risk

4. Risk and control related to OSS adoption

Page 7

Risk

• The effect of uncertainty on objectives
  – The effect may be positive or negative
• Risk = Probability * Cost
  – Involves uncertainty

ISO Guide 73:2009, Aven (2009)

[Diagram: Causes/threats, Event, Consequences]

Page 8

Types of risk

Project level

IT-infrastructure level

Organizational level

External business context

Scott and Vessey (2002), Wallace et al. (2004), Karolak (1996)

• Technical
• Cost
• Schedule

• Organizational environment

• User
• Team
• Requirement
• Project complexity
• Planning and control

Page 9

"Typical" software risks

Aloini et al. (2007) – ERP systems
1. Inadequate product selection
2. Ineffective strategic thinking and planning
3. Ineffective project management techniques
4. Bad managerial conduct
5. Inadequate change management
6. Inadequate training and instruction
7. Poor project team skills
8. Inadequate Business Process Re-engineering
9. Low top management involvement
10. Low key user involvement

Baccarini et al. (2004) – IT projects
1. Personnel shortfall
2. Unreasonable schedule and budget
3. Unrealistic expectations
4. Incomplete requirements
5. Diminishing window of opportunity

Boehm (1991) – Software risks
1. Personnel shortfall
2. Unreasonable schedule and budget
3. Developing the wrong functions and properties
4. Developing the wrong user interface
5. Gold-plating
6. Changing requirements
7. Shortfall in externally furnished components
8. Shortfall in externally performed task
9. Real-time performance shortfalls
10. Straining computer science capabilities

Chatzoglou and Diamantidis (2009) – IT/IS implementation
1. Management ability
2. Information integrity
3. Controllability
4. Exclusivity

Page 10

Few risks are technical

Aloini et al. (2007) – ERP systems
1. Inadequate product selection
2. Ineffective strategic thinking and planning
3. Ineffective project management techniques
4. Bad managerial conduct
5. Inadequate change management
6. Inadequate training and instruction
7. Poor project team skills
8. Inadequate Business Process Re-engineering
9. Low top management involvement
10. Low key user involvement

Baccarini et al. (2004) – IT projects
1. Personnel shortfall
2. Unreasonable schedule and budget
3. Unrealistic expectations
4. Incomplete requirements
5. Diminishing window of opportunity

Boehm (1991) – Software risks
1. Personnel shortfall
2. Unreasonable schedule and budget
3. Developing the wrong functions and properties
4. Developing the wrong user interface
5. Gold-plating
6. Changing requirements
7. Shortfall in externally furnished components
8. Shortfall in externally performed task
9. Real-time performance shortfalls
10. Straining computer science capabilities

Chatzoglou and Diamantidis (2009) – IT/IS implementation
1. Management ability
2. Information integrity
3. Controllability
4. Exclusivity

Page 11

Risks

• Negative impact on objectives

• May come from a number of sources

• The most important risks are not related to the technology

Page 12

Control

• Measures that modify risk
  – Prevent
  – Reduce consequences

ISO Guide 73:2009

[Diagram: Causes/threats, Event, Consequences]

Page 13

Table of contents

1. The scope of this presentation

2. Risk and control

3. Ways of controlling risk
   1. Risk management
   2. Real Option Theory
   3. Processes and standardization

4. Risk and control related to OSS adoption

Page 14

1. Risk management

Avoid loss, accidents and disasters

Cost/Explore opportunities

Aven (2008), ISO Guide 73:2009

• Coordinated activities to direct and control an organization with regard to risk

Page 16

Not all risk can be controlled

Risk

Control/Technology

Complexity

Technological risk and side-effects

Hanseth and Ciborra (2007), Forester (1989)

Page 17

The norm of risk management

ALARP (As Low As Reasonably Practicable)

GALE (Globally At Least Equivalent)

Stålhane and Skramstad (2006), Aven (2009)

Page 18

Traditional risk analysis

Baskerville and Stage (1996), Karolak (1996), Boehm (1991), Holmgren and Thedéen (2009)

1. Identify risks

2. Assess probability and consequence of risks

3. Prioritize risk

4. Avoid or mitigate risk

5. Monitor risks

Page 19

Risk identification: What can go wrong?

• Group discussions
• SWOT analysis
• Brainstorming
• Expert panels
• Earlier experiences
• References
• Checklists

McManus (2004), Boehm (1991)

Page 20

Risk avoidance/mitigation

1. Find root causes of risks

2. Deal with root causes or reduce consequences
   – Sell risk to 3rd party
   – Expertise (train/hire)
   – Introduce barriers
   – Design the risk out of the solution
   – Buy information, e.g. proof of concept

Lane (1998), Boehm (1991)

Page 21

2. Real Option Theory

Add flexibility and options proactively

Benaroch et al. (2007), Erdogmus and Favaro (2002)

Options may be used, but they don’t have to be

Page 22

First date at a steakhouse

The date is a vegetarian

Menu option 1. Steak

First date at a restaurant serving different dishes

The date is a vegetarian

Menu option 1. Steak

Menu option 2. Salad

Menu option 2. Fish

Page 23

Options for IT projects

• The option to:
  – Defer
  – Explore
  – Stage
  – Change-Scale
  – Abandon
  – Outsource
  – Lease
  – Strategic-Grow

Benaroch et al. (2007), Erdogmus and Favaro (2002)

Page 24

3. Processes and standardization

• Processes
• Tool support
• Techniques
• Standards

• In software development
  – RUP, CMMI, Cleanroom, …
  – Revision control, issue tracking, automated building, …
  – Design patterns, code refactoring, pair programming, …
  – For code, documentation, requirements, …

Page 25

Just in time – lean – agile

• Earlier value and more options

Karolak (1996), Stober and Hansmann (2009), Erdogmus and Favaro (2002)

Page 26

Table of contents

1. The scope of this presentation

2. Risk and control

3. Ways of controlling risk

4. Risk and control related to OSS adoption

Page 27

OSS Adoption

Business organizations leverage / Related research fields

OSS products
1. Deploy (OpenOffice.org, MySQL)
2. CASE tools (Eclipse, Maven, SVN)
3. Integrate (Hibernate, Spring)
Related research fields: Deploying/diffusing IS and ICT, SE, CASE tools, CBSD, legal, SPI

OSS communities
4. Participate (IBM - Linux, Sun - OpenOffice)
5. Provide (JBoss, MySQL, Qt)
Related research fields: Legal/IPR, marketing, community management, CoP

OSS development practices
Related research fields: SPI, distributed/global software development

Page 28

OSS Adoption

Business organizations leverage / Potential risks

OSS products
• Licenses (Lawsuits, unable to distribute derivative products)
• Easy to adopt (Diverse technological portfolio)
• Not free (requires resources)
• Source code (Modification, maintenance responsibility)
• No provider (Lack of support, no contracts, no one to “blame”, uncertain future)

OSS communities
• Unable to influence community/product
• Commitment may require (significant) resources
• No clear market (Hard to do marketing)
• The product is free (No paying customers)
• Attracting a community (No users, customers, or contributions)

OSS development practices
• Practices inappropriate for the company

Hauge et al. (2010)

Page 29

Risk, control and OSS adoption

• Non-technical risks are the most important
  – OSS risks are therefore not the most prominent ones

• What is relevant to IT adoption and development is also relevant to OSS
  – Risk management
  – Alternatives
  – Standards, tools, and processes

• OSS experience: to analyse the use of OSS in the context

Page 30

"software risks can be best managed by combining specific risk management considerations with a detailed understanding of the environmental context and with sound managerial practices, such as relying on experienced and well-educated project managers and launching correctly sized projects" (Ropponen and Lyytinen, 2000, p.98).

Page 31

References

• Davide Aloini, Riccardo Dulmin, and Valeria Mininno, Risk management in ERP project introduction: Review of the literature, Information & Management, 2007:44, pages 547-567
• Terje Aven, 2008, Risk Analysis: Assessing Uncertainties Beyond Expected Values and Probabilities, Wiley
• Terje Aven, 2009, Risk Management, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
• David Baccarini, Geoff Salm, and Peter E.D. Love, Management of risks in information technology projects, Industrial Management & Data Systems, 2004:104(4), pages 286-295
• Michel Benaroch, Yossi Lichtenstein, Karl Robinson, Real options in information technology risk management: an empirical validation of risk-option relationships, MIS Quarterly, 2006:30(4)
• Yegor Bugayenko, 2009, Competitive Risk Identification Method for Distributed Teams, in Olly Gotel, Mathai Joseph, and Bertrand Meyer (editors), Software Engineering Approaches for Offshore and Outsourced Development - Proceedings of the Third International Conference, SEAFOOD 2009, Zurich, Switzerland, Springer
• Richard L. Baskerville and Jan Stage, Controlling Prototype Development through Risk Analysis, MIS Quarterly, 1996:20(4), pages 481-504
• Barry W. Boehm, Software Risk Management: Principles and Practices, IEEE Software, 1991:8(1), pages 32-41
• Prodromos D. Chatzoglou and Anastasios D. Diamantidis, IT/IS implementation risks and their impact on firm performance, International Journal of Information Management, 2009:29, pages 119-128
• Les Coleman, 2006, Why Managers and Companies Take Risks, Springer
• John Forester, 1989, Planning in the Face of Power, University of California Press
• Hakan Erdogmus and John Favaro, 2002, Keep Your Options Open: Extreme Programming and Economics of Flexibility, in G. Succi, M. Marchesi, L. Williams, D. Wells (editors), XP Perspectives, Addison Wesley

Page 32

References

• Ole Hanseth and Claudio Ciborra (editors), 2007, Risk Complexity and ICT, Edward Elgar Publishing Limited
• Øyvind Hauge, Daniela S. Cruzes, Reidar Conradi, Ketil Sandanger Velle and Tron André Skarpenes, Risks and Risk Mitigation in Open Source Software Adoption: Bridging the Gap between Literature and Practice, in: Proceedings of the 6th IFIP Working Group 2.13 International Conference on Open Source Systems (OSS2010) - Open Source Software: New Horizons, May 30th-June 2nd, Notre Dame, USA, pages 105-118, Springer, 2010
• Åke J. Holmgren and Torbjörn Thedéen, 2009, Risk Analysis, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
• ISO 31000:2009, Risk management -- Principles and guidelines, http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170
• ISO Guide 73:2009, Risk Management Vocabulary, http://www.iso.org/iso/catalogue_detail?csnumber=44651
• Capers Jones, 1994, Assessment and Control of Software Risks, Yourdon Press
• http://www.springerlink.com/content/q0j808/
• Christel Lane, 1998, Introduction: theories and issues in the study of trust, in Christel Lane and Reinhard Bachmann (editors), Trust within and between organisations, Oxford: Oxford University, pages 1–30
• John McManus, 2004, Risk Management in Software Development Projects, Elsevier
• Janne Ropponen and Kalle Lyytinen, Components of software development risk: how to address them? A project manager survey, IEEE Transactions on Software Engineering, 2000:26(2), pages 98-112
• Marvin Rausand, 1991, Risikoanalyse Veiledning til NS 8514, Tapir
• Judy E. Scott and Iris Vessey, Managing Risks in Enterprise Systems Implementations, Communications of the ACM, 2002:45(4)
• Thomas Stober and Uwe Hansmann, 2009, Agile Software Development, Springer
• Tor Stålhane and Torbjørn Skramstad, Presentation for Workshop at EuroSPI 2006
• Linda Wallace, Mark Keil, and Arun Rai, Understanding software project risk: a cluster analysis, Information & Management, 2004:42, pages 115-125