«VOLUM E 1 1, N UM B E R 1 I S SN 2 1 6 8 - 0 6 1 2 F L ASH DR I V E I S SN 1 9 4 1 - 9 5 8 9 ON L I N E T h e In s t it ut e f o r Bu s i n e s s an ...»
2015) have now developed solutions to manage IS project risk management. This paper provides a review of current literature on information system development that may prove useful for management professionals interested in initiating project risk management efforts within IS projects. An overview is provided of the underlying philosophies and principles of IS development, followed by a brief overview of the literature on risk mature organizations/projects. This body of knowledge may be useful in future efforts to investigate and document current practices in IS development project risk management.
NEED FOR SYSTEMS RISK MANAGEMENT
The role of IT in business activities has been more and more important; besides, the amount of its investment is also increasing. The key of operating businesses more effectively is to base on the operating principles and to play the role of IT systems. The application of IT systems can not only apply to business operations and maintenance, but also to social services and business competition (Zhe, Yunfei, Maosheng, 2010).
With the proliferation of computers and near universal network connectivity, the field of information technology has continued to shift from a focus on standalone personal computing to developing solutions to support people and the systems within which they work in collaboration activities. Network technology and global information systems have provided the opportunity for people to conduct work GCBF ♦ Vol. 11 ♦ No. 1 ♦ 2016 ♦ ISSN 1941-9589 ONLINE & ISSN 2168-0612 USB Flash Drive 464 Global Conference on Business and Finance Proceedings ♦ Volume 11 ♦ Number 1 in a variety of locations continuing to further increase the appeal of IT initiated collaboration and communication. As well, organizational systems have expanded, moving from a localized to an increasingly global presence.
According to Laudon and Laudon (2014) organizations should take actions that produce the least harm or the least potential con (Risk Aversion Principle). Some actions have high failure costs like building a nuclear plant in an urban area. They recommend avoiding high-failure cost actions, paying greater attention to high-failure-cost potential of moderate to high probability.
The unpredictable and nature of software development creates risks to organizations. The Standish Group (2009) reports that only 32 percent of information systems projects are successful base on success criteria
1. Completed on time
2. Completed within budget
3. Completed with the required functionality Laudon and Laudon (2014) state to develop an effective systems development plan an organization must have a clear understanding of both its short and long term information requirements. Companies should look at the portfolio of their projects in terms of benefit verses risk. Certain projects should be developed rapidly while others should be avoided.
According to Turbit (2013) risk need to be quantified in two dimensions. The impact of the risk needs to be assessed. The probability of the risk occurring needs to be assessed. For simplicity, rate each on a 1 to 4 scale. The larger the number, the larger the impact or probability.
The figure below by Laudon and Laudon (2014) show a method of doing Portfolio Analysis.
Laudon and Laudon (2014) also state a scoring model can be useful where many criteria must be evaluated.
The model assigns weights to features of the system then calculates the weighted totals. According to Turbit (2013) risk need to be quantified in two dimensions. The impact of the risk needs to be assessed. The probability of the risk occurring needs to be assessed. For simplicity, rate each on a 1 to 4 scale. The larger the number, the larger the impact or probability.
The current direction of the risk management field is to promote learning and creative ways to conduct project risk management for organizational learning. Project management efforts have led to a growing GCBF ♦ Vol. 11 ♦ No. 1 ♦ 2016 ♦ ISSN 1941-9589 ONLINE & ISSN 2168-0612 USB Flash Drive 465 Global Conference on Business and Finance Proceedings ♦ Volume 11 ♦ Number 1 conceptualization and understanding of the process of assessing and identifying risks to be used in the introduction of experience-based solutions for avoiding and preventing risk damage. According to these authors, the risk knowledge bases are expected to grow as experience about risks and potential risk responses are recorded during project executions. The resulting knowledge base will eventually provide assimilated information to organizations and those engaged in project risk management with access to information and understanding about risks in real time.
According to Achimuga, Babajide, Oluwaranti, Oluwagbemi, Gambo (2010) the outcomes of an IS project are identified as the success of 1) IS implementation, 2) IS investment, and 3) IS functionality. IS Evaluation should not work only as a justification mechanism but as a tool for experience learning. During the IS development process, feedback from the evaluation process should lead to corrective actions if necessary.
These actions might include, for example, a change in the information system development or procurement strategy, or a change in the resources that are given to the project.
As IT has continued to grow rapidly, there has been an increasing demand for IS development innovation to be driven by inter-disciplinary research. This need, according to Rasegard (1997), has been brought about by the desire to achieve higher usability. As such, information systems need to be able to satisfy
requirements in several dimensions, including:
1. Appropriate functionality: the system solves the right problems, communicate its purpose, and performs the work that has to be carried out.
2. Ergonomic: appropriate physical fit, feel, shape and size.
3. Cognitive fit: the product provides functionality, feedback, support for learning, and accessible understanding.
According to IEEE Standard 1540 for software management (2001) to evaluate the risk management process this activity should include the capture of risk management information, have the ability to access and improve the process and create lessons learned.
GCBF ♦ Vol. 11 ♦ No. 1 ♦ 2016 ♦ ISSN 1941-9589 ONLINE & ISSN 2168-0612 USB Flash Drive 466 Global Conference on Business and Finance Proceedings ♦ Volume 11 ♦ Number 1
DEVELOPMENT APPROACHESAccording to Laudon and Laudon (2014) information technology can promote various degrees of organizational change. The four types include: automation, rationalization, redesign and paradigm shifts.
“The most common forms of organizational change are automation and rationalization. These are relatively slow moving and slow changing strategies present modest returns but little risk. Faster and more comprehensive change – such as redesign and paradigm shifts – carries high rewards but offers substantial chances of failure.
With the growing recognition that IS plays a major role in insuring the success of virtually all organizations in business, government, and defense, awareness has also increased that such success is dependent on the availability and correct functioning of large-scale networked information systems of astonishing complexity. Consequently, the SDLC model has become the context for further development of IS development requirements that focus on system survivability (i.e., end products that survive).
The Carnegie Mellon Software Engineering Institute (2002) has developed an IS development approach, the Survivable Systems Analysis (SSA) method (formerly the Survivable Network Analysis method), that focuses on the application of requirements in development and implementation to insure an end product capable of survivability. According to the Institute, SSA is a practical engineering process that permits systematic assessment of the survivability properties of proposed systems, existing systems, and modifications to existing systems. As delineated by the Institute, the SSA process is composed of four steps,
1. System Definition: developing an understanding of mission objectives, requirements for the current or new system, structure and properties of the system architecture, and risks in the operational environment
2. Essential Capability Definition: identification of (as based on mission objectives and failure consequences) essential services (i.e., services that must be maintained during attack) and essential assets (i.e., assets whose integrity, confidentiality, availability, and other properties must be maintained during attack) as characterized by usage scenarios, which are traced through the architecture to identify essential components whose survivability must be ensured
3. Compromisable Capability Definition: selection of intrusion scenarios based on assessment of environmental risks and intruder capabilities and identification of corresponding compromisable components (components that could be penetrated and damaged by intrusion)
4. Survivability Analysis: analysis of IS components and the supporting architecture for the key survivability properties of resistance, recognition, and recovery; the production of a survivability map that enumerates, for every intrusion scenario and corresponding compromised component effects, the current and recommended IS architecture strategies for resistance, recognition, and recovery.
One such model is that known as the Prototyping model. According to the CTG (1998), the Prototyping model was developed as a means to compensate for some of the problems identified as associated with the SLDC model. The Prototyping model is based on the assumption that it is often difficult to know all IS requirements during the beginning phases of a project. Through the application of the Prototyping model in IS development, the developer builds a framework of the proposed system and presents it to the customer for consideration as part of the development process. The customer in turn provides feedback to the developer, who goes back to refine the prototype to incorporate the additional information. This collaborative process continues until the prototype is developed into a system that can be implemented. As GCBF ♦ Vol. 11 ♦ No. 1 ♦ 2016 ♦ ISSN 1941-9589 ONLINE & ISSN 2168-0612 USB Flash Drive 467 Global Conference on Business and Finance Proceedings ♦ Volume 11 ♦ Number 1 reported by the CTG, the Prototyping model is probably the most imitated IS development. Variations of the model include: Rapid Application Development (RAD) and Joint Application Development (JAD).
According to Jutte (2015) there are 10 golden rules of project risk management. The benefits of risk management in projects are huge. You can gain a lot of money if you deal with uncertain project events in a proactive manner. The result will be that you minimize the impact of project threats and seize the opportunities that occur. This allows you to deliver your project on time, on budget and with the quality results your project sponsor demands. Also your team members will be much happier if they do not enter a "fire fighting" mode needed to repair the failures that could have been prevented.
The 10 golden rules to apply risk management successfully in your project (Jutte, 2015):
Other vendors like Intaver (2015) have solutions for organizations IS project risk management RiskyProject: Project Risk Management and Schedule Risk Analysis that work independently or with
Microsoft Project. Their project risk management software has the following capabilities:
Project scheduling with risks and uncertainties Risk Register: threats, opportunities, and issues Monte Carlo schedule risk analysis Integrated schedule and cost risk analysis Risk probability vs. impact matrix Risk mitigation analysis, waterfall charts Integration with Microsoft® Project and Oracle® Primavera Sensitivity Analysis: critical Risks and crucial Tasks Risk correlations, probabilistic branching, probabilistic calendars
Intaver (2015) RiskyProject schedule risk analysis software has the following capabilities:
Schedule Risk Analysis is a method of analysis of uncertainties in the project schedules.
RiskyProject a comprehensive and easy to use schedule risk analysis software and integrates cost and schedule risk analysis and risk management in one package.
Includes Event Chain Methodology which is a project schedule risk analysis technique. Event chain methodology is the next advance beyond Critical Path Method and Critical Chain Project Management.
KNOWLEDGE AND STANDARDSConflict is a pervasive phenomenon during the information systems (IS) development process. The sources of conflict during the IS development process include hostility and jealousy, poor communication, user GCBF ♦ Vol. 11 ♦ No. 1 ♦ 2016 ♦ ISSN 1941-9589 ONLINE & ISSN 2168-0612 USB Flash Drive 468 Global Conference on Business and Finance Proceedings ♦ Volume 11 ♦ Number 1 resistance, frustration and low morale, lack of trust and understanding, personality diversity, and different expectations. The critical role played by conflict in IS development projects is widely acknowledged in the IS. Unfortunately, our understanding of the impact of conflict on IS project outcomes is still limited due to conflicting results reported in the literature (Liu, Chen, Klein Jiang, (2009).
Systems differ in their size, scope and complexity as well as their organizational and technical components (Laudon and Laudon (2014). The level of project risk is influenced by size, structure and technical expertise of the IS staff and project team.