Risk management essentials for SAP S/4HANA projects

This blog post was authored by Chris Hanson - Managing Director, Business Platform Transformation on Protiviti's technology insights blog.

An SAP S/4HANA transformation project has many risks that need to be managed and often, it is difficult for the project team operating day to day on detailed tasks to “see the forest for the trees.” Enter the Program Risk Management process.

  • The PMO has intimate knowledge of the key processes and risks associated with the project and, as such, is in an ideal position to develop mitigation strategies in collaboration with the system integrator and the business.
  • This ensures that key business concerns are appropriately communicated to the system integrator and limits potential interruptions to the business and system integrator during critical project phases.

Typically, the PMO reports to the project sponsor and steering committee but can also have communication lines with internal audit and compliance functions.

  • A strong PMO typically monitors and assesses two main types of risk: Risks associated with program execution and governance and those associated with business process and technology.
  • There are several different areas of risk to be monitored in each of these areas, but for the purposes of this blog we will focus on a few key items in each area.

Program execution and governance risks

Implementation governance – Governance structures fail to enable timely decision-making, issue identification and issue resolution at the right levels in the organisation.

  • We frequently see programs with governance structures that do not have empowered teams to make decisions or effective escalation paths.
  • The inability to make decisions related to design or issue resolution quickly and efficiently or the revisiting and rehashing of previously made decisions (when no new information is available) will almost always impact a project’s timeline.
  • To resolve issues and make decisions effectively, it is critical to establish an empowered team and to have clear escalation paths with well-defined roles and responsibilities.
  • Capturing issues at the source with concise descriptions, developing realistic and well thought out alternatives and establishing recommendations with a distinct understanding of impact to resources, timeline and scope can help this process run smoothly.

Project planning and oversight – Ineffective project and resource planning leads to delays in project execution, missed dependencies and key activities lacking ownership or resource delivery capacity.

  • Establishing a detailed project plan and resourcing plan is critical.
  • Monitoring the plan and resource commitment is paramount to effective execution and delivery. We have all seen projects where resources that are expected to be full-time cannot disengage from their day job to support the project. It is also common for the business to dedicate resources they can most afford to do without. Either of these scenarios will create problems with program execution and delivery.
  • Project planning that is too high-level and without built-in dependencies can give the team a false sense of being on time.
  • Developing an effective plan includes a clear line of sight to critical path activities, clear linkages between predecessor and successor tasks, visibility of resource contention and the impact of delays in the completion of activities.

This visibility will help the PMO to monitor and proactively address issues with the schedule and resourcing.

Stakeholder support – A lack of focus on building user and management support, adoption and readiness lead to ineffective and inefficient processes and post-go-live disruptions, regardless of deployed system quality.

  • The PMO needs to establish an effective stakeholder management process and assess the various stakeholders to gauge change readiness and support for the initiative.
  • It is also important to establish a clear sense of “what is in it for them” for the various stakeholder groups.
  • Stakeholders must be communicated with consistently and effectively and they must be given adequate access to project information, key design decisions and issue resolutions.
  • Building and managing stakeholder support for the program is a significant effort but will pay large dividends when the new system goes live.

Business process and technology risks

Evolving design – one of the major drivers of scope creep, project delays and inadequate testing is the risk of evolving design.  This risk materialises when the requirements and design of the future solution emerges over time, leading to rework, changes, delays and missed user expectations both pre- and post-go-live.

  • The PMO has good visibility to these types of issues as they will often be the areas that are delayed or where new requirements keep surfacing. The “fit to standard” approach that many implementations use may help minimise this risk, however, we often see this happen when gaps are identified or in integrations.
  • When these design delays drift down the project timeline (often creating additional requirements) they can wreak havoc on testing and system go-lives.
  • The PMO must drive these design decisions to closure and ensure that all necessary stakeholders are engaged and bought in to the finalised design.
  • The design should also be played back to the business to ensure the requirements and capabilities needed are met by the design.
  • This takes a focused effort, but any impact to other workstreams can be made up through better system stability and readiness earlier in the program.

Data conversion and governance risk is caused by ineffective planning and resourcing with respect to the data workstream. There is a significant amount of work in this area, and it is typically not well organised or staffed.

  • Data conversion and governance is one of the biggest causes of project delays and post live issues.
  • A clear data conversion and governance strategy should be developed and implemented early in the program.
  • The PMO can help to mitigate this risk by pulling key activities forward. This includes performing a data quality assessment, establishing cleansing and remediation plans, and identifying the data elements that will need to be converted along with the right data owner.
  • Clarity around the scope of the effort and taking a hard look at the resourcing necessary to execute the activities will help to highlight gaps which the PMO can then pro-actively address.
  • On a recent engagement our PMO pulled the data cleansing activities forward several months prior to the program kick-off.
  • This gave good visibility to the work effort, and we were able to pull in the appropriate staff and have the data workstream in good shape by program kick-off.

The key is to make sure that this conversion effort with its associated cleansing and data preparation is maintained over the long term by establishing the right governance model and processes to keep the data clean in the new environment. This is best done in parallel so that the governance process is operational and functioning effectively as the new system comes online.

The final risk in this category is related to quality assurance; specifically, focused on testing as opposed to third party quality assurance which can be used as a second set of eyes to help manage risk.

  • This can lead to inadequate testing scope and resources. We have used personas, capabilities inventory (or the Business Process Master List – BPML), requirements traceability and several other methods to help mitigate this risk.
  • The key is to establish the strategy and approach early and define how many cycles of each form of testing will be performed as well as establishing entry and exit criteria for each cycle.
  • It is also important to ensure comprehensive test scripts are created and maintained and leveraged for end-to-end processing is critical.
  • This, coupled with the data conversion process, should ensure there are mock data loads ahead of each cycle of system integration and user acceptance testing to minimise the risk of having to use perfect curated data which can hide data issues that are discovered when converted data is used.
  • It is also critical to understand the dependencies between test scripts so that as issues are resolved adequate regression testing can be performed.

This can be a significant effort, so resourcing plans should be developed early and staffed appropriately with people who are dedicated to doing thorough testing.  Automation tools can also be deployed here as well as testing as a service (TAAS), and each should be assessed early in the program to make sure that all necessary activities can be completed to keep the program on track.

While there are several other high-level risks, the risks highlighted above can have significant impacts to the program.

  • If these risks are not monitored and mitigated it can lead to big delays, costly overruns and even project failures.
  • The PMO plays a key role in driving the risk management process and an effective governance model and focus on risk management can help to identify these risks early, mitigate them and drive the program to a successful outcome.

Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.

To learn more about our SAP consulting services, contact us.


Leslie Howatt
Leslie is a managing director, and Protiviti’s technology consulting solution and diversity, equity, and inclusion lead. She specialises in digital and technology strategy as well as transformational change with over 25 years’ experience across consulting, industry, and ...
Rupesh Mahto
Rupesh is a senior director specialising in strategy, technology assessment and enabled execution, digital transformation, cloud migration, and application of emerging technology to business demands. He successfully leads interactions with CXO, focusing on increasing ...