Despite continued economic uncertainty, more and more organizations are deciding to move forward with large and previously deferred IT projects. These initiatives may include long-overdue upgrades of legacy systems, the implementation of new solutions such as enterprise resource planning (ERP) systems, and the adoption of emerging technology to improve the business.
Technology touches almost every aspect of business today, which means organizations must ensure each IT project is executed well. However, overall failure rates for major IT projects are high – and resources are wasted – because risks are not managed effectively from the outset. A risk management approach that focuses not only on traditional considerations such as schedule and budget, but also other aspects, like strategic alignment and delivery of expected benefits, is required.
Challenges and Opportunities
Any significant change in technology presents risk – both positive and negative. Costly delays due to unforeseen issues and risks are common for large, complex IT projects. So too is the failure to generate positive results for the organization over the long term. As more businesses move to accelerate their technology investments, they should make an honest assessment of their project delivery capabilities, especially if there is an uneven history of success for such initiatives.
Senior management can no longer delegate the responsibility for success of the company’s technology initiatives solely to IT. A frequently cited reason for a large IT project’s failure or distress is inadequate executive engagement – from senior leadership, including the chief information officer, to business owners whose operations and teams will be affected directly by the IT investment. To determine where best to invest their time relative to key projects, senior leadership must have better information, processes and tools to assess project risks.
Our Point of View
The successful execution of a major investment such as a large IT project – from planning to implementation to launch, and even beyond – requires proactive, effective oversight by the organization’s executive team. Too often, company leaders assume a reactive role, stepping in only after trouble arises and focusing their energy on trying to save the most distressed projects, or practicing “management by exception” by actively engaging with a project only when it does not produce desired results.
Senior executives should instead become involved early on in the life cycle of any high-risk, significant project to provide guidance and needed support. By adopting a risk-based approach to project oversight, they can proactively assess possible issues in project portfolios before they become significant. This approach also will help senior executives determine what the extent and nature of their involvement should be at the project, program and portfolio levels.
Risk-based project management should begin with a macro assessment of overall portfolio risk. Portfolio risk factors can include:
- The project’s potential impact – positive and negative – on critical business objectives
- Regulatory concerns, such as noncompliance with data security standards like the Health Insurance Portability and Accountability Act (HIPAA)
- The maturity of technology delivered (i.e., the general rule is that the more cutting-edge – and therefore, unproven and unfamiliar – the technology, the greater the risk to the business)
- The size of the investment
- Use of third-party vendors to deliver and support critical business and IT capabilities
The assessment of portfolio risk should result in a commensurate level of risk oversight by senior executives. This includes defining which projects in the portfolio should receive the most attention and focus by executive management, and improving governance to enable more timely and informed decision-making. The risk assessment and ongoing monitoring process should be linked to enterprise risk management efforts being undertaken by the organization, providing overall insights that executive management and the board of directors should understand and assess.
In addition, an overall assessment of portfolio risk should lead to improved project standards at both the program and portfolio levels. Ongoing project risk management efforts should be aligned to the portfolio risk assessment by adjusting the level of detail and the frequency of project reviews. In other words, the maturity of project management functions, the level of talent assigned to the project, and the amount of ongoing oversight should all be calibrated based on project risk.
How We Help Companies Succeed
Protiviti provides a variety of services to assist companies with their major IT projects. We perform detailed, independent, project risk assessments on key initiatives. Our teams also assist in the development of ongoing project risk management functions. Additionally, Protiviti can help clients manage risk via services that develop, improve and even staff program management offices.
A major financial services company was engaged in a multiyear technology and business transformation effort. Because of the size, complexity and sheer number of initiatives being executed, executive management felt that project oversight and project risk management capabilities needed to be greatly enhanced. Protiviti assisted the organization by:
- Developing a standardized, repeatable process to assess the high-level risk profile of each project in the portfolio
- Conducting detailed project risk assessments on several of the highest risk initiatives
- Training client staff on the execution of project risk assessments using Protiviti’s methodology and framework
- Assisting the client with developing an internal organization to perform project risk assessments on an ongoing basis
The company’s senior executives and project leaders cited Protiviti’s risk assessments as a key factor in improved project outcomes and governance; as a result, they authorized a doubling of the current investment in risk assessment efforts.