Keeping IT transformation on track

By Rosanna A. Fajardo

First published in Business World (05/26/2014)

NOWADAYS, businesses are trying to remain competitive by making substantial investments in information technology (IT). This is particularly true for large organizations where the use of IT is essential to deploying effective business strategies, enhancing productivity and developing increasingly innovative products and services. Top executives from around the world understand that any transformation agenda requires the effective use of IT, particularly to ensure cost competitiveness.

As IT investments are set to increase significantly in the coming years, IT programs are expected to not only be delivered on time and on budget, but also to produce multiple, high-level business benefits, which translate into business success. There is, however, a very real risk that IT program success rates may fall below expectations. In fact, an Ernst & Young (EY) publication, “Building confidence in IT programs”, disclosed that success rates for most IT programs are only between 30% and 50%. When programs fail, it is often due to issues that are not identified properly until after they have occurred. By the time an issue is identified, it has reached the crisis level, and options are limited to damage control.

It is therefore necessary for business leaders to consider their own organization’s IT environment and analyze how they can manage the potential risks from underperforming programs and ensure that the transformation process delivers sustained benefits. IT program risk management (PRM) can help increase the success of strategic IT initiatives by helping protect organizations from common problems that can lead to increases in program costs, reputational damage, loss of customers and disruption of day-to-day activities.

THE IT PROGRAM RISK UNIVERSE
IT programs do not fail or underperform due to only one reason; there is usually an amalgamation of reasons. It is therefore crucial that management be aware of the organization’s specific IT program risk universe and implement strategies up front to manage the most likely risks to program success. The most common causes of complex IT program failures fall under the following:

1) Vision and Initiation, including (a) lack of management support for the program, (b) unclear business objectives, (c) inadequately defined project scope and business requirements, (d) unclear critical success factors and risk assessment, (e) unclear or absent governance and decision framework, and (f) inappropriate communication and user group involvement.

2) Planning, which encompasses (a) aggressive schedule commitments restricting proper planning, (b) inappropriate skills, resources and processes in place, (c) inadequate understanding of complexities and accounting for factors necessary to succeed, (d) mismatched balance between time, cost, quality and benefit attainment, (e) incomplete project charter, (f) poorly defined contractual terms and conditions, and (g) failure to define appropriate performance metrics.

3) Execution, which covers (a) inadequate risk assessment, quantification and allocation of project risks, (b) incomplete or unrealistic cost information, (c) shifting budget, scope and timetables, (d) lack of accountability, (e) adversarial team and supplier relationships, and (f) lack of skills or resources in program and project management.

4) Business Acceptance, composed of (a) lack of appropriate accountability and approvals, (b) ineffective deployment strategy, (c) ineffective change management, (d) unresolved problems and disputes, (e) incomplete operating and maintenance information, (f) insufficient user satisfaction, (g) missing warranties and guarantees, (h) scale and volume of defects (e.g., data, test), and (i) no project go-live review.

5) Measuring and Monitoring, including (a) ineffective project management systems, (b) lack of continuity in project staff, (c) ineffective communication with stakeholders, (d) lack of situational awareness, (e) ineffective control of change orders, (f) incomplete design information and changing design and scope requirements, (g) lack of independent progress monitoring and executive reporting, and (h) lack of tracking.

IT transformation is always a complex undertaking, and that complexity is, in fact, the main source of risk. The greater the complexity, the greater the uncertainty and ambiguity, which in turn increase the need for diligent IT program governance, risk management and project control. It is crucial that business leaders understand how vital effective IT PRM is to the organization. When IT programs fail to deliver the business results anticipated by a company’s stakeholders, the risk that this will have an impact on the overall business operations is significant.

IT PRM — BUILDING LINES OF DEFENSE
One of the proven ways to bring order into a disorderly IT program risk universe is to use IT PRM to build multiple “lines of defense” against the threat of risk. The internal IT PRM group must form these lines of defense from various groups, such as experienced risk managers, a risk committee, the project management office, and the audit committee. It should also engage an independent or external IT PRM provider to deliver different insights and best-practice experiences.

The first line of defense is the most crucial layer. Normally it includes the executive leadership team, program steering committee, program risk committee, technical design authority, project management office, system integrators and project work stream leaders.

The second line of defense is the independent IT PRM. This can come from an external party, or it can be a combination of internal and external providers. These can include an independent (external) program risk/quality assurance provider, operational risk and compliance functions, external auditors, and may also include software providers.

The third line of defense is usually the audit committee and internal audit function of the company. In a sense, this is the last line of defense tasked to detect errors and waste in organizational activities. However, the need for these groups to exercise control and oversight may be reduced with the support of a strong independent IT PRM team since this group will be in charge of communicating program and project delivery activities to both executive management and the stakeholders operating as the third line of defense. It is also advisable for the leader of the IT PRM function to join the steering committee in an independent capacity so as to challenge and advise the group on the progress and status of the program.

Ultimately, IT PRM is about building confidence with key stakeholders on the integrity of the program and its projected business benefits. It means that decision-makers are more likely to have the right information at the right time, so that the IT transformation project will be more likely to proceed on track, on budget, and on time. It also means that, with an experienced IT PRM team, the most common project issues can be anticipated and addressed early, allowing the project management team to focus on program-critical issues as they occur.

Rosanna A. Fajardo is the Head of IT Risk and Assurance of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.