Confidently Answering the “What ifs…” Effective Risk Management Planning Helps Businesses Reach Their e-Business Goals

Strong leaders in any industry are willing to go out on a limb for things that will advance their company or their industry. Good managers balance this mindset with a realistic assessment of risks, reevaluating their ideas and constantly measuring their actions. A risk management plan is similar to a financial portfolio that realistically shows a company’s liabilities, as well as its assets and income. However, a risk management plan only shows the liability side of a project. When it is combined with the overall project plan, a realistic risk assessment provides the executive team with a balanced view of the overall picture and increases the probability of a successful software installation project.

By definition, risk speaks to human expectations, and indicates that a change in a current process or future event could have a negative impact that should be considered. In software implementations, a risk management plan helps organizations to assess, prepare for, and mitigate risks at every point in the process. There are many benefits to digitizing a company’s corporate information and automating business processes that make it a smart business decision. Despite the benefits, we have to recognize that risk is inevitable in the process of change, especially if the project is a large undertaking that involves diverse systems or multiple business units. Risk assessment, when executed by the right people at the right time and in the right manner, helps managers evaluate the probability of negative events and the impact each would have on the company or project. This information helps management to proactively manage the risks. No one wants to be out on a limb, alone, with a project or idea that is destined for poor or untimely execution, or in a worst-case scenario, failure.

Company risks versus project risks

Executive management must be able to differentiate between risks that could affect the entire company (company risks) and risks that could sabotage the specific project (project risks). Within each of those broad categories, the management team needs to assess each risk and understand its potential impact on the company or project. Sometimes, people in different positions will rate the risks differently; discussion of these differences is essential so consensus can be reached and priorities determined. The main focus for the remainder of this article is on project risks, but the process, components, and requirements are very similar for risks of each type.

Defining risks in IT projects

The potpourri of potential risks in a software installation is extremely varied. Five common risks include:

• unrealistic timelines for project completion;
• haphazard and incomplete testing of the solution as it is intended to be used before going “live”;
• insufficient technical infrastructure and staff resources to support the project;
• poor and irregular communication internally and between the vendor and client;
• and a lack of training for management and end users.

These risks are explained in more detail in the ensuing sections:

Evaluating the risk of changes to the project timeline

Unfortunately, it is a common mistake for managers to insist on meeting pre-established timelines for the project, even in the face of unforeseen obstacles. This mindset is easy to understand; multiple projects within the company may rely on all milestones being met. Yet strict adherence to unrealistic timelines can carry a high cost, resulting in hasty or improper testing and slowdowns in the project. If a company discovers two months into a project that it will be upgrading to a different database version, for example, significant time could be wasted by having to update the plans and change the infrastructure or configuration accordingly. Thorough questions during the risk assessment process could prevent this from happening.

Understanding the implications and impact of incomplete testing

Testing is the project’s gardener, determining what needs to be treated, pulled, or otherwise changed to ensure that the company’s goals can be met. Each person who will ultimately use the system (or, when this is not feasible, each type of user with a specific intended use of the software) should test it to make sure that it performs every operation correctly. Although this may seem to be a monstrous undertaking, it is far more cost effective to discover potential weaknesses in the solution before going “live”.

Assessing current and future infrastructure and the impact of change

Establishing the compatibility of current systems and the planned software installation takes place early in the planning process, but the follow-up to this step is often overlooked. Thorough risk assessment involves considerations such as:

• evaluating the potential risk of upgrading servers;
• understanding the risks that upgraded database versions or updates to other critical software or hardware can have on the system;
• and testing the software against new or upgraded systems.

Although the software vendor is responsible for supporting the product, the project can be at risk if the IT staff at the site is not able to provide adequate support for the network and other products that integrate with the solution. This is often overlooked.

Reducing disruptions by planning communications

Poor or irregular communication can sabotage any project. A non-existent communications plan, or one that insufficiently delineates what should be communicated, by whom, to whom, in which form (call, site visit, or e-mail), and how often, can pose a significant risk to the project. Detailing who needs to be present at certain phases and milestones during the project minimizes delays.

Providing sufficient training to ensure effective use of the technology

Insufficient training is a common problem in any job, and IT projects are no different. A well thought-out training program is preventive maintenance that reduces user errors and potential slow-downs in a project. Management who may be using robust capabilities such as employee productivity and system monitoring tools needs adequate training and time to adapt, as do end users who may be expected to scan documents or review and process them electronically. These and all other risks are surmountable if they have been carefully thought out and an appropriate plan has been developed.

Who should be involved in risk assessment?

Key players from the intended installation site and the vendor’s project consultant need to be involved in the risk assessment process. On the company side, the CEO and COO (or their upper management designees) need to evaluate the risks from an organizational and financial point of view. They need to understand potential strategic risks for the company, such as unforeseen natural disasters and risks to other departments if their project does not succeed, regardless of the cause. They should also understand liability risks in relation to government regulations, contract risks, and operational risks such as information security and business continuity. The CIO, other technical staff, and the site project leader should also be involved in evaluating the project risks so that potential network and infrastructure problems can be unearthed early in the process. A good vendor should be able to assist the client in asking the right questions to guide the risk assessment. The vendor also needs to conduct a thorough risk analysis to make certain that the required tools and environment are in place to make the project successful.

What needs to be assessed?

In addition to the potential risks cited above, both the vendor and site managers who are responsible for the risk assessment should evaluate the following items for other potential trouble spots:

• Does the team at the site work well together? If there are hidden agendas, or the team does not work well together, poor communication could result and place the project at risk.
• Are there enough people to complete the project successfully? If not, timelines may not be met, and the project could be at risk. This could potentially affect other projects as well, if their implementation is contingent on the timely implementation of the specified project.
• Do the members of the staff involved respond to e-mails and other inquiries in a timely fashion? If they are poor in responding during the pre-project planning phase, this may be an indication of poor future communication; at any level, that is a risk.
• If the site is running many applications, will the system be able to handle the vendor’s product as well? If the network is not able to handle all the applications, the project may be at risk for untimely completion while the needed upgrades or adjustments are made.
• Could potential technical problems arise if the software needs to pass data to and retrieve data from one or more systems? If requirements for passing data from one system to another are not specified to the vendor from the beginning, this could put the project completion date in jeopardy and result in unforeseen costs in vendor services.
• Will the project require hardware or software upgrades at any point during the implementation? If so, the project plan must be adjusted to reflect this, or the project may be at risk for untimely completion.
• Is there a requirement for specific kinds of reports to be generated, and is there a cost or training factor that needs to be assessed to address this need? If management does not outline the types of reports that need to be created to draw data from the new system, or if staff has not been trained how to generate the reports, a cost analysis for added training or services may be needed. This could put timely implementation at risk.
• What are the technology skills of the site staff? There is a risk if they are not familiar with computers and basic computer training is not provided prior to installation of the software solution.
• Are the project milestone dates and end date flexible or inflexible? If those dates are not adjustable, the completed parts and end solution may be hastily tested and put the project performance at risk.

As the project begins implementation, the vendor might also evaluate new risks, such as:

• Does the client report issues that affect the performance of the software solution? If not, the vendor may not have an accurate picture of what is happening at the site, and this may compound over time, potentially and unnecessarily costing the company time and money in additional vendor services.
• Are all of the reported errors centered on the same theme? For example, insufficient knowledge of SQL querying or improper use of a specific part of the software? If so, the project timeline may be at risk unless proper training is provided.

Knowing that there are so many risks, why would you consider engaging in an ambitious technology project? Because the benefits of well-planned technology projects vastly outweigh the risks. A new technology implementation can give your organization great advantages over your peers and help you to be successful in a highly competitive environment. Risk assessment planning can help IT staff save face with management by dramatically increasing the probability of meeting project deadlines. It can also prevent the site from enlisting hours of added services from the vendor that were not predicted in the initial cost analysis. A risk assessment plan carries costs, but the costs to a company are far greater if it is not carried out thoroughly or is not conducted at all.

When should risk assessment begin?

The precursor of risk assessment, called readiness assessment, should ideally begin before the project plan is written, with a true risk assessment taking place concurrent with project planning. The readiness assessment should be done by a team of managers and IT staff for the intended installation site. It should help management to determine whether the infrastructure, staff, resources, and other basic requirements are sufficient to support the intended project with the chosen vendor before the detailed planning begins. The risk assessment is far more detailed and must be created during the project design phase. It requires constant review and reevaluation as project milestones are approached and met.

What steps are needed to put a risk assessment plan in place?

Although each project requires very different assessments, the following steps are standard and should be part of your risk assessment system:

• Identify the areas of vulnerability (including skills, management, hardware, software, networks, data conversion, integration, user acceptance of the technology, and training);
• Categorize the concern as a company risk or project risk;
• Assign a tracking number that identifies the specific risk;
• Establish the likelihood of the event occurring;
• Determine the impact such an event’s occurrence could have on the organization, either with a numeric rating, ranking events as having a high/medium/low impact, or whatever works best for your team;
• Assign the item a risk rating based on the likelihood and impact of the stated risk (multiplying the probability by the impact if you are rating the risks numerically);
• Identify the management approach or appropriate action;
• List who will be responsible for the stated actions should the event occur;
• and outline any warning signs to look for that might indicate that the undesirable event may be taking place, so staff can be ready to act.

After each member of the risk assessment team has completed this process using a spreadsheet, database, or other tool, compare the results. (A sample of a possible risk assessment format is shown below.) Then, initiate dialogue between the members of the team and adjust the assessment to reflect the consensus. This will help your organization to prioritize actions in the event that new elements, such as upgrades, are introduced into the project picture.

When the risk assessment plan is in place, what comes next?

If an organization has conducted a thorough risk analysis, the hardest work has already been done. A clear assessment of the project risks and action plans that show how each potential risk will be addressed will prepare an organization for effective project management. Taking the time to answer “What if…” with confidence is time well spent; the visionaries with a dream should no longer have to risk their necks to ensure the project’s success.

For more information or to schedule a demonstration, please Contact DocFinity now.