Risks to System Implementation

Subject Paper #0001 Return to Subject Index top Risks to System Implementation ? Categories of Risks ? Impact of Failure to Manage Risks ? Assessment and Counter Measures Risk assessment and risk management are regarded as key activities during preparation, critical reviews and implementation of a major application system like a VAT system. The risks that may impede the implementation covers a much broader spectrum than that of the information system itself as depicted below.

The scope of the implementation strategy should reflect this fact in order to safeguard the system implementation. Categories of Risks Risks are categorized in three major groups: * Requirement risks * Organizational risks * Technical risks The section also briefly describes impact, assessment and counter measures or contingencies which may reduce the likelihood and/or cushion the impact. Requirement Risks * General uncertainties * Acceptance criteria not described, or with no links to requirements * Requirements not defined as mandatory or preferred Formal description are used instead of prototypes to document requirement * Requirement-writers lack of understanding of the business area * Poor structure of requirement description * Uncertain level of user acceptance of requirements * Uncertain or unfeasible functional requirements * Legal framework unclear or unsettled * Administrative procedures/user handbook not drafted * Scope of information system (in scope/out of scope) unclear * Evolving requirements * Interfaces to other systems unclear Application standards (if any relevant) not prescribed * Unclear or missing implementation requirements * Implementation and roll-out strategy unclear * Training requirements not defined * Unclear responsibility for administrative procedures and forms * Documentation and help requirements unclear * Implementation flexibility and maintainability not defined * Quality assurance measures unclear * Use of interim systems and/or conversion or data take-on unclear * Unclear or missing operational requirements Technical standards unclear * Data entry concept unclear * User interfaces (users, operators, system administration) not defined * Security, reconciliation and auditability – requirements unclear * Volume of transactions, users and locations unclear * Distribution and service availability concept unclear * Service levels (availability/continuity, response time, turn-around times) not defined * Service level monitoring not specified * Storage and archives requirements not defined Unclear or missing contents in contract agreement and conditions * Roles and responsibilities unclear * Delivery plan unclear * Delivery and payment not tied together * Acceptance procedures unclear * Quality assurance procedures unclear * Dispute escalation and settlement unclear Organizational Risks * Customer participation unclear * Customer and other stakeholders not defined (right parties involved ? ) * Customer involvement in specification and test not agreed * Preparedness of user organization unclear General acceptance by stakeholders unclear * Expectation management unclear * Expectations (requirements, parties and tasks) not clearly described * Schedule not clear and acceptance by parties (stakeholders) unclear * Unclear if all parties are informed and involved (including taxpayers) * Project resources uncertainties * Project office and facilities not described * Computer development and test environment not described * Human resources available to the project not specified * Project management uncertainties Project Manager(s) (management team) not capable * Project Organization (roles, authorities, responsibilities) undefined * Project Plan lacks quality (is not comprehensive, feasible, or with unrealistic schedule) * Subcontractor management shaky or non existent * Management of other externally performed tasks critical to the implementation shaky or non existent * Quality management not specified * Operation and support uncertainties * Strategy for operation of the system unclear Strategy for maintenance and support unclear Technical Risks * Technology and infrastructure uncertainties * Use of unproven technology * Use of outdated system software or hardware * Stance on technical standards (use of commercially viable standards) untenable * Level of integration to other systems and/or other platforms untenable * Technical infrastructure unavailable * Buildings and premises not ready * Technical skills and resources – uncertainties * Use of unfamiliar methodologies and tools Skills within implementation project and user organization questionable * Skills and abilities of vendors and subcontractors questionable * Availability of spare parts questionable Impact of Failure to Manage Risks * Loss of control of project * Unpredictable costs * Delays in the implementation * Waste of time and resources * Wrong or not working information system * Business implications of project failure * Loss of revenue * Loss of credibility with taxpayers * Loss of credibility for Department within Government * Loss of credibility for sponsor and consultants

Assessment and Counter Measures Each identified risk has to be assessed for: * Likelihood * Likely impact period * Severity of impact Counter measures or contingencies to minimize the likelihood and severity also have to be described as: * Counter measures in project plan (agreed action) * Other counter measures Planned counter measures will typically be expressed in tasks and their related deliverables for inclusion in the project plan. As an example, the formulation of a policy for operation and support will deal with a number of organizational and technical risks. Top of Page