IS+Project+Risk+Management

=IS Project and Risk Management= Monday, October 11, 2010 <>

**Topic overview:**
In class today we will introduce basic //risk analysis// and //risk management// concepts in the context of information systems projects. In particular, we will discuss some basic techniques for identifying and sizing project risks, doing contingency planning, and tracking the status and likelihood of major project risks throughout the SDLC.

We will spend the last part of today's class going over expectations for the midterm exam on Wednesday October 13. Please bring questions you have regarding the exam or the material we have covered thus far, as there will be plenty of opportunity for questions and discussion.

At the completion of today's class you should:
 * Be able to apply basic risk management techniques to your information systems projects
 * Understand how the following four tasks work together within a project risk management process:
 * Risk assessment
 * Risk reduction
 * Risk tracking
 * Risk reporting
 * Be able to put together a basic risk management plan and tracking sheet for an information systems project.
 * Understand the format, structure, and expectations for Wednesday's exam

**Preparation for class:** Prior to class you should read the following white-paper, which provides a good high-level introduction to the concepts of risk management in information systems projects.
 * Rob Thomsett, Project Management: Risk in Projects, The Total Toolset, 2004
 * @http://www.its.monash.edu.au/staff/projects/project-management/risk/risk-tool-set.pdf

Reference materials:
Slides:

**Pre-class exercise:**
As a class, let's try to identify many different common risks that information systems projects face. Prior to class, you need to post to the wiki at least one common type of risk, identify which SDLC stages or tasks in which that risk is most likely to appear, and identify at least one way that an IS project team can take to mitigate (reduce) that risk from turning into a major problem for the project.


 * [Bob Monroe**]
 * Risk**: Database selected for use in new system development turns out to be incompatible with existing database technologies used by the company (and the existing company databases contain data that the new project needs to integrate with to be successful).
 * SDLC stages**: Design, Implementation
 * Mitigation strategy**: Create simple prototype that proves that the new database technology under consideration can be integrated with existing company databases during Design phase. If the prototype proves that the can not be integrated, select a different database for the project.


 * [Aeshah Anani]**
 * Risk:** Internet connection fails due to a disconnection in electricity, causing current users to lose their uploads/data.
 * SDLC stages:** Design and implementation
 * Mitigation strategy:** Have a backup power system, a backup system for retrieving lost data.

====** [Rawan]: ** Risk: If one system architect is handling a small IS project in a company and this person then decides to quit or leave the company, then his associated knowledge is also lost. ====

** SDLC stages: Design, Implementation **
====** Mitigation strategy:The company should have a team of system architects and not just one person handling the system architecture of the project. **====

**[Amna Al Mazroei]: Risk:** Lack of user participation in the design and an adequate user training to use the system. User management usually regards systems training as an addition to the regular job requirements rather than giving users sufficient time away from their job responsibilities to learn the system. ** SDLC stages ** : Design, Implementation **Mitigation strategy**: Establish ownership among systems users, and provide a sufficient training as part of learning their job.

** [Abdulrahman] **Risk: **Sensitive secret material from the Ministry of Interior IS project is leaked during the implementation stage because of an IT staff theft.**
**SDLC:** Implementation **Mitigation:** The information should be encrypted by other (more trusted/in-house) group of IT staff and broken down to smaller meaningless batches of data. [Ahmad Al-Thani]: **Risk**: A technical failure occurs during the testing stage. **SDLC**: Implementation and Testing. **Mitigation**: Training the companies team to be ready to solve such a failure. [Mohamed Hussain]: **Risk**: A bug is found after an electronic game has been launched and sold to customers. **SDLC**: Implementation **Mitigation**: A patch can be released and given to customers in order to solve the problem. [Saoud Faiadh] **Risk**: lack of internal staff capabilities which result a non-complete or inaccurate system that dose not meet the expectations. **SDLC**: Design and implementation. **Mitigation**: This risk can be avoided by training of the staff to do the work as required or looking for outsourcing experts to save time. [Sarah Allouba] <span style="direction: ltr; display: block; font: 12px Helvetica; letter-spacing: 0px; margin: 0px; padding: 0px; text-align: left; unicode-bidi: embed;">**Risk**: Blackberry users are faced with a problem of not being able to change their blackberry messenger profile pictures after downloading the latest version of BBM**SDLC**: Implementation**Mitigation**: Go back to the testing stage and discover what the issue is of why BB users are not being able to change their photos and after discovering the problem maybe they will need to go back to the design of the system to fix the problem, then re-test it again before implementing the final corrected version of BBM. [Maria Khan]: **Risk:** The employees of the company for which the IS is developed find it too complicated or difficult to use. **SDLC:** implementation **Mitigation**: Create a prototype of the system and allow employees to get used to it before the implementation phase. Another solution could be to spread the project development process over a good span of time which allows employee training of the IS to properly occur. [Shazia Haq] **Risk**: If the new IS project requires faster response and processing time, upgraded CPU and capabilities to process and sort high volume of data; this would require large investments in both hardware and software for making the new project functional, if the existing hardware and software combination is not sufficient to run the new IS system. **Mitigation**: Prototyping can help to identify any additional hardware and software requirement of the new IS system beforehand and also identify any potential risks associated with this system. If the current hardware/software is unable to handle the prototype of the new system causing it to process data at a low speed during the Design phase, it would be hard to implement this on a larger scale too. Therefore, acquire a suitable and compatible configuration of the hardware/software.
 * SDLC stages**: Design, Implementation

**<span style="font-family: 'Arial','sans-serif'; font-size: 10pt; line-height: 115%;">[Mohammad Dauleh] ** **<span style="font-family: 'Arial','sans-serif'; font-size: 10pt; line-height: 115%;">Risk **<span style="font-family: 'Arial','sans-serif'; font-size: 10pt; line-height: 115%;">: Upon the release of a device, people discover technical problems such as the one faced by the Apple’s Iphone, in that if you place your finger on the antenna, the signal gradually fades. <span style="font-family: Arial,sans-serif; line-height: 14px; margin-bottom: 10pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">**<span style="font-family: 'Arial','sans-serif';">SDLC stages **: Design, Implementation <span style="font-family: Arial,sans-serif; line-height: 14px;">**<span style="font-family: 'Arial','sans-serif';">Mitigation strategy **: Create a tool or software that can directly tackle this technical issue and provide it to all users of that device in an easy and accessible way.

<span style="display: block; font-family: Arial,sans-serif; font-size: 10pt; line-height: 115%; margin-bottom: 10pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">[Abid Shirzai]:
 * Risk**: The experience (low) or professional abilities (low) of the project team and the complexity of the system.
 * SDLC stages**: Design, and Implementation
 * Mitigation strategy**: Hire and train your staff professionally before launching any project. Doing this will push your team to design a less complicated, but efficient system.

<span style="direction: ltr; display: block; margin-bottom: 0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 0cm; text-align: left; unicode-bidi: embed;"> [Abdallah Darwish] <span style="direction: ltr; display: block; margin-bottom: 0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 0cm; text-align: left; unicode-bidi: embed;"> **Risk**: a PS3 game glitch found out during the testing. **SDLC stages**: Design and implementation **Mitigation strategy**: the concerned group should find out the cause of the glitch, correct it, and then test it again to see if everything else in the game works according to plan.

<span style="display: block; line-height: normal; margin-bottom: 0pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">** [Marie-Joe Khachan] ** **Risk:** The company will not be able to meet the deadline of launching the system, since it took a lot of time in the analysis phase. Hence, the project’s launch will be delayed and a lot of costs will be incurred. **SDLC stage:** Analysis and Implementation **Mitigation Strategy:** The company should not plan out the design until they get the most applicable, but instead should start building prototypes of the system, test them and improve accordingly in order to meet the deadline.

[Layal Ishaq] **Risk**: a security issue that the bank’s website could face such as "Hacking the customers accounts" while they are accessing their bank accounts online such as what happened with QNB couple of months ago **SDLC Stages**: Implementation **Mitigation Strategy**: The bank (QNB) has informed the customers immediately not to use their bank accounts online because of security issues through SMS, emails and even phone calls while they were trying to fix the problem. This problem could have been avoided through creating better security programs and "hacking" testing run by the bank itself.

[Farha Al Kuwari] **Risk** : Privacy issue **SDLC**: Design and implementation **Mitigation strategy** : Design appropriate security system in order to prevent breaches of security.

[Ushna Amer] **Risk**: A virus has entered into the system and starts growing, replicating and imposes a load onto the system. **SDLC**: Implementation **Mitigation**: Install anti-virus software on all computers and update regularly.

[Batoul Khalife] **Risk**: Project management team decides to radically change some of the business requirements for the project, after the implementation phase has started **SDLC** stage: Implementation **Mitigation Strategy**: Allocate enough time and resources to ensure that all stakeholders are on the same page in terms of deciding what the system is going to do. Generate prototypes to be able to easily measure if implementation meets expectations of the business team.

[Fatima Nadeem]
 * Risk:** Due to time constraints, or new government laws that a business needs to meet, the company needs to start running the system immediately; need to implement the system using ‘direct changeover;’ which adds a lot more risk, as this particular system will change the way every department of the company functions and runs.
 * SDLC stages:** Implementation
 * Mitigation Strategy:** Thorough testing, that tests all system functions. Make sure data from previous system is compatible with the new system, and make sure testing takes into account the magnitude of data that will run through the new system once in progress.

[Aliah Dehdary] **Risk:** a bug or system malfunction in ATMs where customer cards are being swallowed and no cash is dispensed, causes a reputable bank like QNB to panic and face a dilemma on their hands.
 * SDLC stages:** Implementation
 * Mitigation Strategy:** ATM system Experts and the software system experts need to re-check the entire system, find the glitch, fix it and then either reprogram or change the system to avoid this problem happening again. Perhaps further testing of the system is necessary to prevent this occurring again.

[Rand Aga] **Risk:** A system break-down after functioning for several years. **SDLC:** maintainance **Mitigation:** require m aintenance every 6 months

<span style="font-family: Arial,Helvetica,sans-serif;">[Maryam AL-Buhendi] <span style="font-family: Arial,Helvetica,sans-serif;">**Risk**: if the server of the system crashed due to overload of work or more data than expected <span style="font-family: Arial,Helvetica,sans-serif;">**SDLC**: Design <span style="font-family: Arial,Helvetica,sans-serif;">**Mitigation**: they must define exactly what data will be stored and where, in order to be able to restore data in this case, and must create a backup system to prevent data loss.


 * [Amal Alsulaiti]**
 * Risk**: the system is not working because too many people are trying to access it at the same time.
 * Stage**: implementation
 * Mitigation**: during testing and design, it must be made sure that the system can handle serving more that one person at a time and the information saved must be saved for all people using the system at that time.


 * [Waleed Ali Khan]**
 * Risk:** Deskilling of employees - will lead to demotivation due to job insecurity and a feeling of inadequacy.
 * Stage:** Analysis (Feasibility Study)
 * Mitigation:** Offer an extensive training program to help employees become accustomed to the new computerized system. Also have a phased implementation to ease the transition between the two system.