Tuesday, October 13, 2009

Assignment # 2 - Risk associated with business and IS/IT change

Based on the organization(s) that you visited, what do you think are the risks associated with business and IS/IT change? (1000 words)

Change is inevitable in any aspect of life. When it comes to business and IT, change is constant. According to Concentrix, the company that we interviewed, undergoing change is not that easy. A feasibility study should be done first before modifying their system, and according to their MIS Manager the probable risks are the following:
  • Security
  • System failure
  • Loss of data
  • Cost


In organizations without a formal information technology (IT) change management process, it is estimated that 80% of IT service outage problems are caused by updates and alterations to systems, applications, and infrastructure. Consequently, one of the first areas to address to improve service reliability is to track all changes and systematically manage change with full knowledge of the risks of the change and the potential organizational impact. While tracking change events is fairly well understood and is a common practice, consistently and reliably predicting the impact of change requires a disciplined, standards-based approach to assessing risk and likelihood of impact, a technique not usually found in off-the-shelf change tracking tools.

The automated process for determining composite risk assessment is broken into two standardized evaluations: the organizational criticality of the system to be changed and the likelihood of adverse impact resulting from the change. First, on an annual basis, the criticality of the system is appraised in order to establish its relative value to the enterprise. The standardized criteria for this assessment are:

  • Number of users that could be impacted by a service interruption
  • Financial impact of an extended service outage or unrecoverable loss of data

Likelihood that a system/service failure could result in:
  • Disclosure of sensitive information that needs to be protected
  • Misuse of client-owned resources
  • Malicious interruption of services or research operations
  • Possibility that a system/service failure could result in an event or condition that may have adverse safety, health, security, operational, environmental, or mission implications
  • Potential future impacts based on prior system/service interruption experiences

Secondly, when a change is proposed, each request is graded against the following criteria:
  • How many users will be visibly affected by the proposed change?
  • What is the anticipated difficulty for user and support personnel to learn the new or modified system/service?
  • What is the stability and supportability of the technology or vendor products utilized by the system?
  • In the event the change implementation fails or adversely impacts other systems or services, what will be the impact of executing the implementation contingency plan?
  • Based upon past experience, what is the likelihood of failure or adverse problems resulting from the change?

The criticality appraisal blends with the change risk evaluation to produce a composite risk assessment that is used to pre-populate an automated release plan that guides the implementation of the change. Depending on the level of the composite risk, requirements of the release plan such as testing rigor and end-user communications are strengthened to mitigate higher levels of risk. Conversely, a lower risk score results in a reduced scope of change implementation requirements.

In an era of dynamism, the only thing that remains constant is change. Organizations execute change programmes to implement strategic, regulatory and other such business drivers. Whatever the organization, in whichever sector it exists, be it Public or Private, and however it may be structured, it has to witness and face an ever-increasing rate of change. These business transformation changes can be implemented and managed effectively by using Programme Management methodologies. As is inherent within any organizational activity, successful delivery of these Business Change Programmes lies to a large extent in successfully managing the risks that are faced while executing the programme.

The paper attempts to focus on the Risk Management activities that need to be considered in such a Programme environment. It tries to present a framework that could be tied into the practices of Programme Management to effectively manage the loose ends presented by Risks.
Risk is defined as the uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. The risk has to be assessed in respect of the likelihood of something happening, and the impact, which would arise if it actually happens. Risk management includes identifying and evaluating risks and then suitably responding to them. Risk management enables informed decisions. Managers at all levels in an organization such as programme managers, project managers, general managers and executive managers make multiple decisions each day as a primary function of their jobs. Apart from having access to factual information, knowledge of potential risks faced can improve the decision process by allowing the decision maker to weigh potential alternatives or trade-offs in order to maximize the reward/risk ratio.

Risk management brings a level of predictability to the dynamic environment within which programmes of business change operate. By understanding and bounding various uncertainties faced by the programme, the programme manager is able to manage the risks effectively.


(i) Risks that would lead to the Programme not being implemented. These would be risks to the Strategy that initiated the Business Change. These could also be risks to the Operations that would undergo this change, depending upon the type and criticality of the change.

(ii) Risks created by the programme. These are Business Change Risks that need to be mitigated by proper planning at the Strategic Level and fed back into the same Programme by changing its scope, or into another Business Change Programme if the risk falls outside the scope of the current change.

(iii) Risks to the programme itself. These are risks internal to the Programme and could be due to one or more of the projects that fall under the umbrella of the programme, or to any other transformational activity that the programme is undertaking.

With the interview that we had and all the articles that I have read, I’ve learned that “You have to risk it, to take the biscuit”. Just like in IT and any organization, it won’t grow and develop unless you try and take the possible risk.
