Wednesday, November 14, 2018

Mastering Opportunities and Risks in IT Projects (Book Excerpt)


Identifying, anticipating and controlling opportunities and risks: A model for effective management in IT development and operation.


Management systems show the management objectives (in relation to a specific purpose), proven methods for achieving the objectives and the associated control and monitoring mechanisms. The purpose can be the management of a company, an IT project or just compliance with a quality, environmental or information security standard. This book uses a model to describe how the fundamentally necessary core process of risk management works within such a management system. Its main feature is the cyclical repetition of the identification and evaluation of opportunities and risks, which leads to necessary control measures influencing them and to the subsequent implementation of measures to improve the effectiveness and efficiency of the management system.

Each cycle begins with the definition of key goals for the intended purpose and a review of the decisions already made. This is followed by the identification of influencing factors that threaten or even favor the achievement of goals - and their assessment. As the basis for focusing on key goals and acute threats, this step is an important prerequisite for economic risk management.

To find influencing factors that favor or threaten the achievement of the selected goals, it is recommended to combine a methodical cause-and-effect analysis with one's own empirical values. The risk portfolio comprises the set of all influencing factors. Once their probability of occurrence has been assessed, along with the amount and type of potential damage that may occur if a goal is not achieved, the focus can be placed on a subset of the threats, which in the model described is referred to as the risk profile.

Model for managing opportunities and risks

The risk profile reassessed in the respective cycle forms the basis for management decisions on the treatment of risks. This treatment can, for example, consist of taking out insurance (risk transfer), outsourcing risky areas from the IT project under consideration to other parts of the organization (restructuring) or implementing and following up measures to actively reduce risk. If, in individual cases, the risk owners do not consider it necessary to reduce the risks by means of a transfer, restructuring or measures, this must be documented as acceptance of the residual risks.

In the final step of each cycle, the measures that can be taken to improve the effectiveness of risk management and its cost/benefit ratio should be examined. This includes a review of all components of the model such as processes, methods, metrics and scales for evaluation, documentation, etc.

Considerable potential for improving the management model lies in making knowledge about general or organization-specific threats to the goal types explicit - and in permanently adapting this explicit knowledge, for example to changes in the threat situation. One way of implementing this explicit knowledge is the creation and maintenance of sets of rules that submit questionnaires to the people responsible for risk analysis and from whose responses corresponding entries in the risk profile result. However, these suggested values must be validated and possibly corrected on the basis of one's own human judgment and intuition. A further improvement is foreseeable as soon as machine learning systems can be used for risk analysis purposes.

It is possible to carry out risk management both effectively and efficiently: With good methodology, threats can be noticeably mitigated. This makes risk management effective. The avoided damage results in a benefit that can be calculated and placed in relation to the required effort. This results in a measure of efficiency. As with any other management process, both effectiveness and calculability of efficiency are an essential basis for optimization.

The book is available as an e-book, paperback and hardcover (directly in the Tredition book shop, including a reading sample - or in bookstores).