Why is IT Risk Management so Critical? 

Seventy-one per cent of IT projects either fail or are seriously challenged (delivered late, over budget, or don’t deliver required functions). This failure rate has grown two per cent annually (Standish Group). Forty per cent of IT projects fail to achieve their business case within one year of going live (Conference Board Survey). Fifty-one per cent of organizations that attempted ERP implementations viewed theirs as unsuccessful (Robbins Gioia).

Risk management requires identifying, measuring and assessing risks. Risk assessments involve prioritizing risks based upon the probability of occurrence and the potential effect of occurrence. Risk assessment results empower program management with the knowledge needed to make key decisions regarding program resource allocation and to develop strategies to avoid program failure.

Independent risk assessments ensure that program management leadership receives unbiased, critical information regarding the health of their program. Independent risk assessments also keep IT product and service providers free from organizational conflicts of interest. Understaffed program management should avoid offers by system integrators to conduct their own risk assessments. Independence and objectivity help keep honest people honest. Congress has repeatedly legislated mandates that testing be accomplished by independent testing agencies, separate and apart from both the program management organization and the service or product provider.

IT risk management is a prevalent mandate in Federal regulatory guidance. The Federal Acquisition Regulations (FAR) require an analysis of risks, benefits and costs prior to entering into a contract for information technology and throughout the procurement process. OMB Circular A-11 requires that agencies demonstrate strong program and project management for IT investments, including identification of risks, controls, and the management of risks associated with the investment. Sarbanes-Oxley requires publicly traded firms to identify IT risks, design and implement controls to mitigate the identified risks, and monitor those controls for continued effectiveness.