IT Risk Management: A step-by-step guide

The word risk has an inherently negative connotation. But what most folk don’t realise is that anticipating risks is a sign of proactive management. A positive spin on risk can alert you to alternatives, create better opportunities, justify contingency plans and ultimately win you more business.

Every invention falling under the information technology umbrella is hailed as the next-generation breakthrough. Disruptive technology, in particular, is ushered in with great fanfare in those areas that have a sustained and strong consumer base, such as healthcare, advertising, biometric intelligence and multifunctional devices.

Technologies, no matter how superior they’re touted to be, are not entirely flawless. The inability to meet increased expectations leads to angry customers who take their business elsewhere. The risk here? Losing out on those clients and valuable custom even before you’ve had a chance to go back to the drawing board to figure out what really went wrong!

Imposing a one-size-fits-all risk management framework does not promise the same results as tailoring the framework to the techniques and methodologies a particular company uses. Here are a few useful pointers to fast-track you into risk management.

Risk Evaluation

The term scope creep applies to projects that have no clear definition and outline. With this lack of clarity come several risks, and no suitable action plan in place to deal with them.

The risk register documents every risk, its probability and the scale of its occurrence. It helps project managers brief their IT teams on possible threats and create contingency plans corresponding to each risk’s severity. The risks can be human, environmental, non-technical or technical in nature and are classified by likelihood and by the actions to be taken. Whilst likelihood provides the statistics and chances of any or all of the risks taking place, together with a record of their occurrences on prior projects, actions define how well the risk was handled and contained.

Evaluating a risk against its impact on work undertaken previously turns the mistake of overlooking it the first time around into a learning experience. Risk evaluation can be performed in four simple steps.

  1. Identify and prioritise assets: the credibility of information depends on the source. Factor in every data source and verify its credibility by testing the software application’s responsiveness and sensitivity. This will help identify its usage and order of importance in a technical context and immediately highlight those areas where damage control may be required.
  2. Locate assets: this is where the initial inventory taken during IT set-up has to be pulled out. Run through the list of updates, additions and changes to every technical and non-technical asset, which gives information on its robustness and longevity since the organisation’s inception.
  3. Perform a threat modeling exercise: similar to the common SWOT analysis exercise, create a rating chart of all identified risks with more than one option for countering each. Involve your team for a wider spread of input on how to enhance this exercise.
  4. Consolidate and finalise data: the evaluation can be continuously updated and reflected back onto the master data in order to tackle the most critical risks first.

Contingency Measures to Mitigate Risk

It is natural for systems created by science and human effort to have a few kinks in them. Contingency plans prepare you to investigate alternate routes towards ensuring seamless integration of different elements in an information ecosystem.

Based on the type, likelihood and frequency of occurrences, mitigation can be initiated by routine and continual testing. Besides objective data, configuration management plays a key role in estimating the far-reaching consequences of a potential risk.

For any risk, qualitative analysis can be performed by systematically breaking the process into:

  1. Categorising information systems
  2. Selecting and implementing the appropriate security control
  3. Assessing the effectiveness of the applied security control
  4. Authorising relevant systems to be secured
  5. Monitoring threat levels on the security controls themselves

Planning will help you understand your competition, avoid situations where trade secrets are exploited to create duplicate or superior products, and make informed decisions before products are released into the market.

Risk Monitoring and Control

Some of the numerous permutations involving risk include an old risk recurring periodically, a new risk replacing the threat of an old one, or several risks overlapping with each other. Risk monitoring is required to ensure that the risk plan deemed fit for execution is the right one in place. Monitoring also identifies trigger conditions for contingencies and investigates residual risk before organisational processes are updated. Tools commonly associated with risk monitoring and control are risk registers, change requests, team meetings and work performance reports.

The risk register helps in controlling the monitoring process by surveying how effective the contingency plan that was initiated proved to be and whether an alternative was required. Change requests reflect scheduling updates, conflicts that arose, the resolution sought and success rates.

Team meetings are just as effective due to the uniform involvement of everybody associated with the project.

Risk Identification Efficiency Measurement

Metrics are pivotal to identifying risks and to measuring the efficiency with which they are contained. When a system’s vulnerability is tested by threats, metrics documented towards project closure give an analysis of how many risks were identified and how often they occurred. The severity of a risk and the degree to which the project was impacted are directly proportional, and the relationship can be compared with the help of statistics and figures.

The risks can be ranked on the basis of forecast versus actual risk recurrence, so that a sufficient contingency measure can be put in place to prevent their reappearance.
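The register described above, worked through as an added illustration that is not code from the article or from Saviom: each entry carries the likelihood and severity the text mentions plus forecast and actual recurrence counts, so the register can be prioritised for the evaluation step and, at closure, the entries whose contingency did not hold can be flagged. The field names, the 1 to 5 scales and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    category: str              # human, environmental, technical, non-technical
    likelihood: int            # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                # 1 (negligible) .. 5 (severe); assumed scale
    forecast_recurrence: int   # occurrences expected over the project
    actual_recurrence: int     # occurrences recorded at closure
    contingency: str

    def score(self) -> int:
        """Likelihood x impact: the usual way to rank register entries."""
        return self.likelihood * self.impact

# Constructed sample register (not real project data)
REGISTER = [
    Risk("Scope creep on reporting module", "non-technical", 4, 3, 2, 5,
         "Weekly scope review with sponsor"),
    Risk("Key developer leaves", "human", 2, 5, 0, 0,
         "Cross-train a second developer"),
    Risk("Cloud region outage", "environmental", 1, 4, 1, 1,
         "Multi-region failover"),
    Risk("Unpatched dependency in build", "technical", 3, 4, 3, 1,
         "Automated dependency scanning in CI"),
]

def prioritise(register):
    """Highest score first; ties broken by impact so severe risks surface."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)

def contingency_failures(register):
    """Risks that recurred more often than forecast: the contingency
    measure needs revisiting before the next project."""
    return [r.name for r in register
            if r.actual_recurrence > r.forecast_recurrence]

def closure_metrics(register):
    """Summary figures of the kind recorded towards project closure."""
    return {
        "risks_identified": len(register),
        "occurrences": sum(r.actual_recurrence for r in register),
        "by_category": {c: sum(1 for r in register if r.category == c)
                        for c in sorted({r.category for r in register})},
    }

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score():2d}  {r.name:35s} {r.contingency}")
    print("contingency to revisit:", contingency_failures(REGISTER))
    print(closure_metrics(REGISTER))
```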

Internal or outsourced external auditing creates customised checklists for management to review and act upon. Audits, whilst traditionally conducted annually, can reduce both the impact and the probability of risks if performed more routinely. Rather than leaving software maintenance and testing to the team, leadership can benefit from being actively involved in the end-to-end software development lifecycle. With experience comes the ability to accurately spot risks, obtain granularity on the identified risks, sharpen and update the original contingencies and connect them to the business objectives.

Information technology, as with any other dynamic environment demanding versatility and quality, benefits from a risk radar. The strategies to keep risks at bay are enhanced over time and by the wealth of experience contributed by project managers who have been in the eye of the storm. Risk management applies to projects of any methodology and scale, with the only change being in how the documentation created is maintained and updated.

If this information helped you learn more about risk management, share the love! Help that friend out who is en route to becoming an IT project manager!

About the Author

As the subject-matter expert for Saviom’s resource management tool, Aakash Gupta champions for best management practices through various publications and webinars. You can reach him here.
