IT Deployment Risks - WordPress.com · Risks associated with IT deployment in an organization: 1....

IT Deployment Risks Revised 2014



Content

Risks associated with IT deployment in an organization:

1. IT Strategic Planning

2. IT Project Management

3. Software Applications

a) Acquisition

b) Development

c) Change Management

d) Implementation

CISB424, Sulfeeza


1. IT Strategic Planning

• Strategic planning describes where you want your company to go, not necessarily how you're going to get there, and thus begins with a vision

• Serves as the primary guideline for allocating resources

• Keeps the organization headed in a profitable direction

• By having effective strategic planning, an organization is able to manage risk in an effective manner


IT Strategic Planning

a) Strategic planning – An organizational management activity that is used to set priorities and focus resources in ensuring that employees and other stakeholders are working toward common goals, establish agreement around intended results, and assess and adjust the organization's direction in response to a changing environment

(Source: Balanced Scorecard Institute)

b) Strategy – A general direction set for an organisation and its various components to achieve the desired state in the future

(Bryson, 1995)

c) Strategic plan – A document used to communicate with the organization the organization's goals, the actions needed to achieve those goals and all of the other critical elements developed during the planning exercise

(Source: Balanced Scorecard Institute)


IT Strategic Planning

The process of creating a strategic plan that defines how IT goals will contribute to the enterprise’s strategic objectives and related costs and risks

(Source: ISACA)


Mapping of Corporate Strategic Planning with IT Strategic Planning

[Diagram labels: Mission; Objectives; Strategy; Policies; IT Strategic Planning]


IT Planning Process

• The planning process increases the likelihood that the company is making the most efficient and effective use of IT throughout the organization

• Due to the changing nature of business, organizations have been leveraging IT in their business process re-engineering

• Thus, an effective planning process must take into account the motivation of business process re-engineering


IT Planning Process

• Motivation and indicators for business process re-engineering

a) Survival: Outgrowing capacity; Value added versus revenue

b) Elimination of competitive disadvantage: Losing market share; Performance lag

c) Generating competitive advantage: Stable market share; Stable industry

d) Creating a breakthrough: Declining market; New industry opportunities


Example of IT objectives of an organization

1. Create an atmosphere that embraces innovation and change

2. Apply computer hardware and software technologies to opportunities that promote prosperity

3. Incorporate an enterprise-wide information system to facilitate the intra-company coordination of business activities

4. Develop a technology-based communications network capable of linking suppliers, customers, and employees into a seamless, virtual and extended enterprise


IT Strategy

• IT Strategy is an iterative process to align IT capability with business requirements

• The key is: The alignment of business and IT capability rather than designing IT to address business requirements

• The former assumes that both capabilities drive each other

• The latter assumes that business drives IT and not vice versa

• IT Strategy sets direction for IT function in an organization

• Ensures that maximum IT dollars are spent on value creation activities for the business

• Ensures that these dollars create the maximum value

• IT Strategy helps create shareholder value. In other words, it helps maximize the return on IT investments


IT Strategic Plan Drivers

• Is consistent with business objectives

• Strategic objectives and associated accountabilities are clear and understood by all parties

• IT strategic options are identified, structured and integrated with the business plans

• Reduce likelihood of unnecessary IT initiatives

• Strategic IT plans are complete and usable

(Source: COBIT 4.1 by ISACA)


IT Strategic Plan Risks

• Business requirements are not understood or addressed by IT management

• No regular and formal consultation between IT management and senior management

• IT plans are not aligned with business needs

• Unnecessary IT initiatives and investments

• IT plans are inconsistent with the organization’s expectations or requirements

• IT is not focused on the right priorities

(Source: COBIT 4.1 by ISACA)


IT Strategic Plan Control Practices

1. Establish a process to translate business strategy, business expectations, and current and future IT capabilities into an IT strategic plan

2. Ensure that IT has established a process to identify, document and adequately address organisational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, in- and outsourcing opportunities, etc., in the planning process

3. Define roles and responsibilities of the stakeholders involved in the strategic planning process

4. Develop IT capabilities to support the business requirements and contribute to expected benefits as included in the enterprise’s strategic plan

5. Identify and document the implications on the business strategy in terms of risk and cost of the required IT capabilities. Resolve negative implications appropriately in co-ordination with the business.

(Source: COBIT 4.1 by ISACA)


IT Strategic Plan Control Practices

6. Define and document the IT goals and objectives necessary to cost-efficiently:

a) Achieve the benefits and manage the risks of the capabilities required of IT

b) Establish the current and future performance required to respond to business expectations

c) Provide transparency on capabilities delivered by IT and their contribution to strategic objectives

7. Translate the business-derived IT objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to business benefits. Obtain appropriate stakeholder approval.

8. Formally approve and communicate the IT strategic plan and ensure that it is clearly understood by those who need to translate it into budgets, tactical plans, sourcing and acquisition strategies, processes, and organisational structures

(Source: COBIT 4.1 by ISACA)


The IT Auditor Roles in Strategic Planning

• The IT auditor should look for evidence of a prescribed, documented IT strategic planning process.

• The existence of an ongoing process of this nature indicates that the company is constantly and diligently seeking an optimal “fit” between the IT infrastructure and the organization’s overall goals.


IT Strategic Plan Audit

[Diagram steps: Understand the Business; Define the IT Universe; Perform Risk Assessment; Formalize Audit Plan]

(Source: Ackerman, Rucker, Wells, Wilson, Wittmann; http://jupapadoc.startlogic.com/manuscripts/09163.pdf)


2. IT Project Management

What is a project?

• A project is a temporary endeavor undertaken to create a unique product or service (Source: Project Management Institute)

What is IT project management?

• IT project management is the process of planning, organizing and delineating responsibility for the completion of organizations' specific information technology goals

(Source: http://searchcio.techtarget.com/definition/IT-project-management)


2. IT Project Management

An IT project can be any type of project that deals with IT infrastructure, information systems or computer technology. This can include:

a) software development activities (such as programming a simple mobile app or programming a large-scale software system)

b) web development (including updating a web page, creating an online shopping site, or developing an entire Web infrastructure)

c) other common examples of IT projects include designing an organization’s IT infrastructure, deploying systems and software, and employing IT security measures.

The following represent a few IT project categories:

a) Research

b) Service

c) Software development

d) System deployment

e) Change management

f) Infrastructure

g) Needs assessment

(Source: http://www.attask.com/resources/blogpost/beginners-guide-it-project-management/)


2. IT Project Management

• Main causes of IT project failure:

a) Lack of user input

b) Incomplete requirements

c) Changing requirements

d) Lack of executive support

e) Technology incompetence

f) Unrealistic expectations

• Risks related to project management:

a) Scope

b) Schedule

c) Resources

This could lead to projects with:

a) Late delivery

b) Cost overrun

c) Lack of functions

d) Poor quality


IT Project Risks Red Flags

1. Management does not use a formal project management methodology.

2. Project leaders:

a) are not adequately experienced at project management

b) have insufficient domain expertise.

3. Project teams:

a) are unqualified to handle the project size/complexity.

b) are dissatisfied and frustrated.

4. Projects:

a) do not have management support.

b) do not include input from all affected parties.

c) are taking longer to develop than planned.

d) are costing more than budgeted.

5. Project recipients are dissatisfied with project outcomes.


IT Project Management Control Practices

1. Ensure that the project management framework is consistent with the organizational program management framework

2. Ensure that the project management framework includes:

   1. Guidance on the role and use of the program or project office

   2. A change control process for recording, evaluating, communicating and authorizing changes to project scope, requirements and system design

   3. Requirements for integrating the project within the overall programme

3. Ensure that the project management method covers the initiating, planning, executing, controlling and closing project stages, as well as checkpoints and approval

(Source: COBIT 4.1 by ISACA)


IT Project Management Control Practices

1. Prior to each project initiation, establish a project management governance structure

2. Assign each IT project one or more sponsors

3. Define the responsibilities and accountability of the programme sponsor, the project manager, steering committee and project management office

4. To track the execution of a project, put in place mechanisms such as regular reporting and stage reviews (that are the responsibility of the project manager) to complete the project in a timely manner

(Source: COBIT 4.1 by ISACA)


IT Auditor roles in IT Project

• Safeguarding capital investments - Auditors should evaluate controls within the project management processes and proactively make recommendations to mitigate risks that may hinder achieving project objectives and goals.

• Proactively recommend internal controls - Auditors should ensure that adequate controls are incorporated during the development phases of business and system processes before they are introduced to the business operation


IT Auditor tasks in IT Project

Some of the key tasks that an IT auditor may perform during a project development process:

a) Gain the support and cooperation of the users and IT professionals.

b) Check project management tools for proper usage.

c) Perform project reviews at the end of each phase.

d) Assess readiness for implementation.

e) Present findings to management.

f) Maintain independence in order to remain objective.


IT Project Management Audit

[Diagram steps: Preparation; Project Management Process Review; Project Management Review; Build Positive Communication environment; Recommendations]