Excerpt
Table of contents
Management Summary
List of abbreviations
Table of figures
1 The concept of risk management
1.1 Steps of application
1.2 Its role in strategic planning
2 Practical Situation
2.1 Phase 1 - Risk Identification
2.2 Phase 2 - Risk Quantification
2.3 Phase 3 - Risk Management/Government
2.4 Conclusion
List of literature
3 Addendum
Management Summary
Organizations have plenty of IS/IT investments to choose from. All of these opportunities compete for the limited resources of the organization. The process of risk management, which can be divided into the four phases of Identification, Quantification, Management/Government and Containment, helps to analyze possible risks. This is necessary because every fourth IS/IT project fails¹ because of unidentified risks. The aim of risk management is to increase the probability of success of IS/IT investments², so that the investments lead to the desired outcome and benefits for the organization. In the following, the four steps of risk management will be illustrated with an example of a logistics company which has to decide between two investments. Additionally, the role of risk management in strategic planning will be examined.
List of abbreviations
illustration not visible in this excerpt
Table of figures
Figure 1 - Investments comparison
Figure 2 - Risk Identification of investments
Figure 3 - Kind of change
Figure 4 - State of readiness
Figure 5 - Likely reaction
Figure 6 - Contextual change
Figure 7 - Quantification of example
1 The concept of risk management
When deciding whether to invest in new developments or significant enhancements to existing IT/IS (Information Technology/Information System) systems, the expected benefits of the investments have to be established, the costs of the systems have to be justified, the technology and business changes involved have to be defined, and priorities have to be allocated to individual developments across the portfolio.³ Apart from that, one of the main issues of an investment decision in IT/IS systems is the assessment of risk. Risk, which in the failure-oriented definition is the negative deviation from expectancy⁴, has to be assessed in order to review the viability of the investment to deliver all of the benefits that were expected⁵. The reasons for failure of an investment in IT/IS systems can be divided into five domains. Besides technical, data and user failure there are organizational failures⁶ and failures in the business environment, which this paper focuses on⁷ because they are the factors with the highest risk⁸. Organizational failures occur if ISs satisfy the functional needs but do not satisfy the organizational or business needs⁹. For example, a storage IS which contains the quantities of goods in a warehouse fails to meet the needs of accounting because it does not contain monetary values for the goods. Failures in the business environment result if systems do not support internal and external business requirements. This lack of support can be ascribed to changing business practices or changes in the business strategy which cause a gap between the target state and the actual state of the IS/IT portfolio.¹⁰
These two factors carry the greatest potential risk in IS/IT projects. But in most projects, organizational failures and failures in the business environment are not considered risky. This is due to the inability to address and identify risks in these categories which could threaten the achievement of the desired outcome. Especially in strategic IS/IT investments, the consequences of failure are significant and the assessment of risks becomes more difficult.¹¹
1.1 Steps of application
The process of risk management, which is defined as the systematic handling of risk¹², can be divided into four phases: Identification, Quantification, Management/Government and Containment¹³.
During the phase of Risk Identification the risks are defined and categorized¹⁴. IS/IT investments have to be reviewed to determine whether they satisfy the organizational functions and are appropriate to the business environment and strategy of the organization. This step is the basis of the following steps and is therefore of high importance. Risk quantification serves to assess the extent of risk. This step can be executed with the help of a checklist which divides the investment into four questions:
a. Which changes are involved?¹⁵
b. Is the organization ready for the change?¹⁶
c. How will the organization react to the change?¹⁷
d. How dynamic is the context of the change?¹⁸
Building on the risk quantification, decisions have to be made on how to deal with risk. Liermann mentions four possibilities for dealing with risk: avoiding it, decreasing it, transferring it, and bearing it oneself.¹⁹ Avoiding risk means that the decision maker forgoes the IS/IT investment. This could be reasonable if the investment in an IS/IT project is rated as high risk and the damage caused by a failure is huge. The second choice is to reduce risk with countermeasures. These could be, for example, warranties, contracts or insurance for investments in IS/IT. Beyond that, it is possible to transfer risk by outsourcing IS/IT systems to an external provider which is responsible for them. Finally, organizations can bear the risk themselves if the costs of the other arrangements are too high, if arrangements do not exist, or if the risk is acceptable.
The decision as to which of the arrangements to choose depends upon the result of the quantification process. If 50% of the category factors are 4 or 5, or the average for any category is 4 or 5, the risk should not be borne by oneself²⁰. The decision maker should then pick one of the first three arrangements or change the development approach in order to reduce the risk.
Unlike the preceding phases, risk containment is an ex-post analysis to evaluate the decisions and assumptions made in the former phases²¹. It has to be evaluated whether all of the risks have been assessed correctly, whether the chosen arrangements have been appropriate and whether the investments have been successful. Beyond that, stakeholders and the management have to be informed about the success of the investment²².
1.2 Its role in strategic planning
As a part of the "managing investment systems and Technology process", the aim of risk management is to increase the probability of success of IS/IT investments.²³ Organizations have at their disposal a portfolio of different IS/IT investments which are considered new and useful developments. Before money is invested in these opportunities, the expected benefits of the investments have to be established, the costs have to be justified, the technology and business changes involved have to be defined, and finally the risk of the investment has to be assessed.²⁴ The last step is necessary to identify the threats and implications which endanger the achievement of the desired benefits of the investment. This makes it possible to initiate appropriate arrangements to reduce the risk and to successfully implement the new IS/IT project into the application portfolio.
Most IS/IT investments carry opportunity costs. This implies that the money used for one investment could have been used for another, and that different investments compete for funds and other resources like time and labour.²⁵ Additionally, the fact that every fourth IS/IT project fails²⁶ increases the demand for effective risk management to evaluate the critical risks ex-ante and to invest the resources of an organization in those projects which are most promising to deliver the desired outcome and whose risks are manageable. Considering this, risk management can be seen as a process which helps decision makers to pick those investments which will be successful and deliver the desired outcome.
2 Practical Situation
In this chapter a practical situation will be described in which risk management is useful: The CIO (chief information officer) of a half-inferior logistics organization has to decide which of the following two investments he wants to choose. Internally, the organization possesses the capabilities and experience needed to execute the projects. But the willingness of the stakeholders is lower for investment 1 than for investment 2, because the current solution is still appropriate to fulfill the internal needs. At first the costs, benefits, business and technological changes have to be identified. After this step the risks can be identified, quantified and managed/governed (see chapter 1.2). Risk Containment is excluded.
illustration not visible in this excerpt
Figure 1 - Investments comparison
2.1 Phase 1 - Risk Identification
illustration not visible in this excerpt
Figure 2 - Risk Identification of investments
[...]
1 C.f.: [Pütt2009].
2 C.f.: [WaPe2002] p.462.
3 C.f.: [WaPe2002] p.420.
4 C.f.: [ScLi2002] p.183.
5 C.f.: [WaPe2002] p.455.
6 C.f.: [LyHi1987].
7 C.f.: [WaPe2002] p.455.
8 C.f.: [EwPr1994].
9 C.f.: [WaPe2002] p.456.
10 C.f.: [WaPe2002] p.456.
11 C.f.: [WaPe2002] p.456f.
12 C.f.: [AhMa2008] p.11.
13 C.f.: [Höls2002] p.13; [Schi2001] p.13; [Fais2009] p.4.
14 C.f.: [FaPW2007] p.514.
15 C.f.: Figure 3 in addendum.
16 C.f.: Figure 4 in addendum.
17 C.f.: Figure 5 in addendum.
18 C.f.: Figure 6 in addendum.
19 C.f.: [Lier2009].
20 C.f.: [WaPe2002] p.461.
21 C.f.: [Höls2002] p.16.
22 C.f.: [ScLi2002] p.192.
23 C.f.: [WaPe2002] p.462.
24 C.f.: [WaPe2002] p.420.
25 C.f.: [WaPe2002] p.462.
26 C.f.: [Pütt2009].