MIS Risk Management

MIS Risk Management

2.0 Models and Methods for Managing Information Risks of Projects Implementing Management Information Systems (MIS) In an Organization

2.1 Statistics on IT Projects

Evaluating the current IT project situation, it can be revealed that, even though most projects are lead to successful completion, most of them fall under poor completion status. Therefore, we try to investigate whether there is room for improvement in this field. We first examine various ways proposed for prioritizing and thorough evaluation of possible other alternatives that can be employed to bring less cost quality Systems. We also discuss multiple ways currently used by companies to track different costs resulting from emerging from the IT project life cycle. Most companies adopt a similar approach to Jeffery and Leliveld 2004, that most companies using an analogous method to make their cost evaluation. The plan is questionable and non-visible since most firms are involved in non-profitable activities during process assessment.

Underperformers and Champions

When it comes to IT projects, Champions are those organization which considers 80% of their projects being completed within the set schedule, budget, and meeting the set initially objectives. Organizations observing the championship approach ensure great benefits realization maturity. The plans in this section provide that the expected outcomes are achieved. According to the findings from different scholars, there is a considerable development gap in terms of the initial project plan and the actual project outcomes. 70% of organizations undertaking various projects do not meet the expected project requirements due to poor project risk management at all levels. As a result, some organization estimates 60% of their current projects, not meeting the expected timeframes, budget, and goals. 30% of the organizations which do not observe good risk planning strategy end up ruining the entire project leading to tremendous losses.

Comparing the projects under these two broad categories, it has been observed that, 6% of the Champions have experienced project failure compared to 24% of the underperformers. The current project statistics show that at least 20% of the total money wasted on project development has been reduced for the last five years (Pollio, 1999). According to the global project delivery study, at least, 97 million dollars was wasted for every 1 billion dollars invested for a given project in 2016 compared to a 122 million dollars being spent on projects in 2015. Research conducted by the PMI reveals that 14% of projects undertaken by various organizations have failed from 2015 and 2016 (Pollio, 1999).

Digital Drivers on IT Projects

The issue of Digital convergence has resulted in a gap bridge between the IT and the business. For the last decade, the main discussion has been on how to improve the IT projects to align with the various business goals. As a result, most businesses are shifting their focus on how to ensure IT projects being undertaken lead to the success of the business goals and objectives. Most companies are changing the number of projects to be conducted from 75% to 30-45% (Pollio, 1999). At least 70% of the organizations have realized lower risk by managing a reasonable number of projects to be undertaken at a given time. Studies have revealed that at least a 90% success rate is achieved when a small number of projects are executed compared to a 50% success rate when a large number of projects are run simultaneously (Pollio, 1999). Project management factor has been realized by most Champion organizations to be the determinant factor in project success.

Talent

Just as the performance and digital drive, expertise play an essential role in project management. Leadership and technical skills have high priority, according to 32% survey respondents. A 3% success rate has been observed for the last three years after perfecting professional and leadership skills. Most successful projects focus on utilizing all their potential talents to achieve maximum returns. Leadership skills have been a critical point in improving organizational success for the last few decades (Pollio, 1999). Nowadays, most organizations are focusing on aligning project managers with current business trends.

How evaluation of critical issues on current IT projects such as urgency, alignment, and interdependencies among various activities is not carried out more visibly. Other companies use conventional methods such as balanced scoring cards and weighted approaches to quantify various vital issues as well as qualitative measures (Ben Mahmoud, Larrieu, & Pirovano, 2013). The focus is mainly on the development stage through qualitative means while despising the risk benefits availability. Despite most work focused on project evaluation techniques, the precise results obtained are not mainly used to make sound decisions on which project to undertake. Most research conducted earlier demonstrates that key stakeholders do not make the relevant decision towards ascertaining specific projects (Sherman, 2015). In most cases, the decisions made fall under, “strategic” approach rather than risk-benefit results from the earlier obtained results. Most decisions are reached by the top executive who does not necessarily trust a specific convention on benefit assessment methodologies applied. Studies show that almost 59% of companies regularly track their project risk benefits throughout their life cycle. 25% of the companies, on the other hand, make financial risk-benefit analysis during the completion phase, which is generally the worst-case ((LIENTZ, 2006). This section focuses on various risk analysis models that should be put in practice to ensure project quality is guaranteed while realizing the risk benefits at the right time.

2.2.1 The architecture of scientific research

In this regard, there is an essential and urgent task, conditioned by a practice request, and aimed at realizing the various driving factors to project success and failures. The purpose of this v dissertation to form a basis of multiple risk factors related to IT project management. The various organization, as observed from the above analysis shows that failure to take the necessary risks has resulted in uneven project success for the last few decades. The following dissertation paper tries to analyze various risk management strategies as proposed by multiple models and standards.

2.2 Research methodology

As observed earlier on IT project statistics, there is a void on current project development. This section covers the different development models and standards development to increase the project success rate. Different evaluation models are carried out to ensure IT projects meet the international standards for risk management. According to the Coso, risk management technique, financial fraudulent is the primary cause of project failures (“Recognized Control Frameworks: COSO-IC and COSO-ERM,” 2015). Therefore, the standards seek the ultimate leadership skills towards the development of a work plan and correct allocation of resources to IT project modules to improve the company’s performance while significantly minimizing the fraudulent extent. The technique provides internal control measures for risk assessment and management through its defined framework. The approach has a significant role in companies that are prone to scandals and money fraudulent hence a welcoming tool in streamlining various operations. The structure investigated in this case is the ERM model, which is clearly defined for IT project risk assessment. The enterprise risk management (ERM) framework developed by COSO is getting widely spread in current IT projects globally (Selim, Hagag, & Yousef, 2018). The flexibility of the model makes it useful in almost every IT field. The cube representation of the framework demonstrates clear interrelations between various conceptual ideas needed to reach the desired project objectives. The top section describes the multiple links between the various purposes presented in the face section. The sideways of the cube show different needs for achieving the defined goals.

Figure 1 ERF framework

Retrieved from https://www.coso.org/Pages/erm-integratedframework.aspx

Internal environment

The internal environment aspect encompasses various organizational tone currently affecting risk-taking, ethical issues, and the stakeholder’s attitude towards risk management. Thorough research is carried on how the board sets the tone in this case. The assessment criteria used in this filed investigate various aspects within the IT board, which determines the final decision of a given project. If the board is not unified with specific common characteristics such as everyday experience, strength, and dependent voices, the right tone towards risk management may not be achieved. It is essential to carry out risk committees and regular audits, which significantly contribute to setting the mood. The other dimension on the internal environment is on how well the management supports the modularization of project modules (“RISK MANAGEMENT,” 2017).

In some cases, the board may portray an excellent job, which is always turned down by a lack of proper segmentation of business units leading to failure. Sometimes, the external environment may outweigh the internal factors; hence the model may not necessarily address the organizational needs. It has been observed that most IT projects do not focus on return on investment aspect considering the underlying environmental factors such as culture and competition. Therefore, for a successful risk analysis to be carried out, a good base should be established.

Setting Objective

Considering the risk appetite, the board members should come up with compelling ideas and objectives which align with the organizational mission. The board should ensure proper objectives controls are set to ensure every risk which may arise in cases where different objectives are pursued is catered for. Various dimensions of organizational culture are evaluated in this case, such as risk acceptance, and risk tolerance is within acceptable risk dimensions. An organization needs to ensure any variation and individual objectives are within the acceptable range.

Identification of an event

The company should readily identify any event, either external or internal, which affects objective achievement. The risk assessment standards, such as COSO, ISO, and Ferma, make a clear view of events that brings either a negative or positive impact on project success. If a particular event eventually leads to failure of the project, a loopback mechanism is needed to return to the initial strategic setting ((“SCENARIO-BASED RISK ASSESSMENT,” 2019). Some organization has a culture of ignoring any adverse impacting event hence lacking a defined process for event identification. A given company needs to ensure operational and strategic risks are correctly evaluated before implementation. At the event identification phase, the company should consider both dangers associated with objective diplomatic achievements as well as any event which may lead to chaos. Prior analysis for identifying potential events should be carried out to ensure any possible future dangers are mitigated early enough before they happen.

Risk Assessment

Risk assessment establishes whether there is a likelihood of a risk to occur. Once the risk occurrence is determined to be likely, the best management technique is the device to counter them. The top managers also try to establish the extent of individual risks while creating the inter-dependent among them. Both qualitative and quantitative methodologies are used to assess risks. Other actions involve evaluating the residual risk level i.e.; the dangers left after the actual risk management has been executed. However, sometimes, the risk approach gives room for an over-simplified approach to risk assessment. Some researchers conclude that it encourages the materialization of a single entity resulting in the expected results or a worst-case scenario (Ajam, 2018). Other standardization techniques such as ISO and Ferma ensure the risk assessment is carried out in a more advanced manner ensuring materialization of a single entity within an MIS is avoided.

Responding to risks – the evaluation during this phase ensures the four main approaches are employed, such as accept, reduce, transfer, and avoid. However, sometimes, the risk being identified within this stage is isolated without the holistic consideration of an organization. Diversity consideration and managing portfolios are carried at the organization level. The main stressed idea, according to Ferma and COSO, is considering the portfolio risk view (Ben Mahmoud, Larrieu, & Pirovano, 2013). The various response decision should be realistic enough by considering response cost as well as the risk impact.

Activity control – procedures and organizational set policies v should operate to ensure effective risk response. After the policy has been formulated, it should be established within the workability program to ensure proper functioning. The set controls should operate and all functional units within the organization. Research has shown that, for a successful risk assessment for the MIS project, all the functional groups within the organization should operate within set control for uniformity (“DIN ISO 21500:2016-02, Leitlinien Projektmanagement (ISO_21500:2012),”).

Communication and Information

For any Management information system to work correctly, the critical raw data should be identified, captured through correct means, and c communicated expertly. The whole communication process should result in the proper functioning of both employees and the managing staff ((LIENTZ, 2006).  Any information being communicated should be appropriate and relevant, covering the various set objectives, according to COSO (“Recognized Control Frameworks: COSO-IC and COSO-ERM,” 2015). Communication within the origination creates awareness of risk areas within the staff’s minds. Effective communication acts as a strengthening tool towards internal factors of an organization. Failing to convey information and communication effectively can easily result in tremendous effects. Some basic example of poor communication is the late realization of future problems (Dubitskaya, 2019). The top management may not be aware of the future risk when the functional managers fail to report issues in time.

The final phase, according to the international standards, is the Monitoring stage. Any information system should be closely monitored, and modifications done to the system is necessary. During the development phase, it is essential to carry out annual and regular assessments of risk management. A periodic review should be emphasized to avoid the degradation of unmonitored controls. Whenever a weakness is identified within the system, a corrective mechanism should be carried out. An extensive report should be generated, identifying the root cause of and the corrective measures taken. Both internal audit and the audit committee carry out separate evaluation or the periodic risk assessment (“IEEE Guide–Adoption of the Project Management Institute (PMI(R)) Standard A Guide to the Project Management Body of Knowledge (PMBOK(R) Guide)–Fourth Edition,”).

Standards and Methodologies Used In Project Management

Sometimes most companies do not focus on ensuring proper controls are set to deal with any emerging risks to the system. Instead, the main focus is on schedule and cost i.e., timeliness project delivery and meeting the set budget delimitations. However, it is not usually the best criteria for project management. The critical role of a project manager is to ensure controls are set to regulate any occurring risks. The leading international standards developed to counter this project development failure include the PMBOK (project management body of Knowledge). The PMBOK standards ensure the seven critical stages of project development are followed by risk management. The main processes involved include risk management planning, qualitative risk analysis, quantitative risk analysis, risk response planning, implementing risk response plan, and risk monitoring ((Munier, 2014). At each step of the PMBOK, various inputs are supplied, resulting in either corrective mean or go ahead.

ISO 21500 standards, on the other hand, complies with the project risk management PMBOK standard. According to ISO project definition, “a project consists of a unique set of processes consisting of coordinated and controlled activities with start and end dates, performed to achieve project objectives ((Purwanggono & Margarette, 2017).’ Therefore, by adopting a series of steps involved in PMBOK standards, project objectives can be realized. Project failure risk can be reduced by selecting a series of steps. The project development teams are supposed to make a selection on a set of processes leading to the realization of the project object (“RISK ASSESSMENT SOFTWARE”). After object steps identification, the team members should come up with a relevant plan on how the set objectives should be met.

The project to be undertaken should readily comply with both internal and external needs to minimize any emerging potential risks. Regular support from the organizational executive is needed for the effective execution of the project team process to evade any possible dangers. Another approach to PMBOK standards developed by japan seeking to expand the concept by incorporating the 3s approach (“RISK MANAGEMENT,” 2017). The idea behind the P2M rule is that various projects exist. The different project consists of multiple aspects such as scheme, system, and service model. The P2M approach focuses on profit realization to all dimensions such as the company and society as they fulfill the user needs. Therefore the MIS project should ensure the right development phases are followed to ensure future risks are controlled early enough (“Risk Management—A Project Imperative,”).

“PRINCE2 (PRojects IN Controlled Environments)” is one of the greatest extensively cast-off approaches for handling Plans In the domain. It is an organized scheme running technique founded on skill beginning on or after thousands of programs and after the assistance of uncountable systems Backers, scheme directors, Project teams, instructors, instructors without leaving behind the advisors. “PRINCE2” has remained situated planned to be general with the intention of it to be practical to any scheme notwithstanding of scheme gauge, kind, group, natural features, or ethos.  To achieve this, some things are essential, as discussed and named below.

I am straightening out the supervision of scheme work after the professional donations, for instance, project or building. The expert features of at all types of schemes are with no trouble combined using the PRINCE2 technique and, cast-off in conjunction with PRINCE2, make available of safe as houses general background for the scheme effort. They are concentrating on relating what requirements to be completed, somewhat than recommending how the whole kit and caboodle is completed.

Prince 2 is founded on well-known as well as established best rehearsal and Supremacy for scheme organization or administration. Also, the prince two can be custom-made to encounter the exact requirements of the association and climbed to the extent and involvedness of different schemes. Another way can be practical for any sort of project. It can, with no trouble, be applied in conjunction with professional, industry-specific models, for example, manufacturing replicas’ or progress developments). It is besides far and wide documented and assumed or understood and make available mutual expressions for all scheme contributors. In so doing, it encourages constancy of scheme exertion as well as the aptitude to use again the project properties. It also eases staff freedom of movement as well as reducing the influence of employee’s ups and downs or Deliveries. Prince 2 makes sure that members concentration on the feasibility of the scheme in relative to its commercial circumstance or situation or case

Purposes, somewhat than just sighting the finishing point of the system as a conclusion on the job. It ensures that the interested party or the stakeholders ( guarantors and resource deliver) are appropriately signified in preparation and decision-making. The Prince 2 indorses inclined from scheme skill as well as repeated development in system of government. Prince 2, without leaving, is reinforced by a universal system of inspection organizations, credited working out as well as the consultancy system of government and AXELOS referring associates, who can stock skilled sustenance for PRINCE2 schemes or method of government preparation to accept PRINCE2.

Since the Prince 2 is a general as well as the founded on established principals adopting the ways and means as a normal can substantially advance their system of government taking on the system as a normal can considerably improve their managerial skill as well as the major of life crossways numerous areas of commercial activity, such as the commercial alteration, building, IT, unions as well as achievements, investigation without leaving behind product growth.

The PRINCE2 method talks about the scheme organization with four combined fundamentals of philosophies, that is themes, processes as well as the project environment as indicated on (figure 1.1)

Prince 2 principles are supervisory responsibilities and well performs, which control whether or not the scheme is honestly being accomplished using prince 2. Prince 2 themes, on the other hand, are the themes that define features of scheme organization that are obligation repeatedly talked as well as in corresponding during the project. The seven refrains do clarify specific action essential by PRINCE 2 for several project organization punishments as well as why they are crucial. PRINCE 2 procedures define a development on or after the pre scheme action of in receipt of starting over and done with the phases of the scheme life series, to the last performance of the scheme end. Each procedure has or comprises specification of suggested doings, crops as well as linked errands. Lastly, the scheme setting group frequently want a reliable method of handling scheme as well as to adapt PRINCE 2to make their scheme organization project running technique.

It is not likely for prince2 to shelter every single feature of the scheme organization. There are consequently three wide-ranging topics groups that are purposely well-thought-out to be outdoor the possibility of PRINCE 2. One of the thought topics is the specialist aspects PRINCE 2’s forte is in its extensive applicability. It is entirely general and rejects manufacturing exact or type-specific doings. The second of them is detailed techniques there are numerous confirmed preparation as well as the switch methods that can or may be cast-off in the provision the PRINCE 2 refrains, and approximately of its instances may comprise serious path investigation (used in preparation) as well as received value examination which is (used in development switch) Such procedures are well recognized somewhere else. Lastly, is the management ability? The management, motivational services as well as other relational services are hugely significant in scheme organization but unbearable to organize in a technique. Management flairs differ significantly, and a panache that operates in one condition might be completely unsuitable in another.

Identify and analyze risks in MIS projects

From the three distinctive project risk management standards, there are defined structures on how risk should be identified and the right mitigation strategy employed to counter the threat. The initial stage of risk management using the PBOK risk management approach is Risk identification. This step entails providing the right control or avoiding risk if possible. If the initial start for identifying risk is not defined, then predictable approaches are preferred in this case. The main predictable models include business impact, development environment, product size, and experience. Several methodologies are used to identify project risks, and organization can refer to a given scenario, which is the best approach for risk identification. By using a scenario approach, the analysts come up with a brainstorming idea then highlights its following advantages and disadvantages.

Another strategy for risk identification involves using an experiential approach. The experience approach consists in taking the past project development, then comparing their advantages and disadvantages extent compared to the current scope. The experience can involve issues such as the team members’ fitness in project development. Sometimes the experience approach helps in providing the right corrective measure at the initial stage before committing to the main project. The latter approach towards risk identification is the objective-based scenario. In an objective-based approach, the project team members try to relate past experiences then develop risk assessment in terms of goals to be achieved. The objective based approach has the highest return value for positive risks compared to the other methods.

To complete the risk management process, several tools are needed, especially the three discussed approaches for risk identification. The primary tool in risk management is coming up with a formula to rank the risk. Once a risk ranking formula has been developed, a clear formatted risk management document is presented to the respective clients.

Carrying out Qualitative Risk Analysis

In the qualitative Risk analysis phase, issues such as experience and judgment. This is a crucial phase since any actions taken by the organization determine the extend of risk alternative forgone. The critical project managers should seek different results from the organization’s knowledge management system. Another option would be consulting experienced Project managers. Other theoretical questions which assist in carrying out qualitative analysis involve brainstorming problem developed to assess several project areas such as the team members, stakeholders awareness, and other related fields.

Quantitative Risk analysis

After the project team has evaluated the critical qualitative analysis issues, it should present a handy formula demonstrating the extend or risk ranks.  The main variables required for quantitative analysis include the impact of the risk once it happens, and the probability of the risk occurring. The variable is then rated using the scorecard method, such as a defined set of ratings for each variable. A good example is measuring the variables on a scale of five. Using the qualitative formula, the first variable is called then added the second variable, then divided by the total number of ratings. Once all the possible risks have been evaluated using the formula. They are ranked in descending order. This step is critical in risk planning since it prepares the project team members on the possible solutions to undertake.

Risk Response

This phase is involves brainstorming of the project team members by gathering all the harmful risks and positive risks. Since the aim of risk planning is developing a strategy to counter threats once they happen, this phase is crucial since it allows for the right response to threats once identified. This phase usually goes together with the final input for risk management, monitoring, and control. Risk monitoring and control involves taking the correct measures once a change is identified during the risk build-up. The project team members should be aware of the dynamic nature of risks. The monitoring and control phase involves “diagnoses and treatment” analogy. Any resulting risk changes have the right corrective measures.

As discussed earlier, the main idea behind project risk planning is to ensure once the risk has been identified, the correct measures are taken. However, in some cases, decision making is not always perfect when it comes to deciding the correct project risks to undertake. Some project managers lack confidence in which projects to grant a charter. Fear of unknown usually leads to a wrong decision, especially when the greedy approach is made. This calls for a careful analysis of the project risks as defined in the above phrases and coming up with the correct decision depending on IT project selection techniques.

Once the project team members have analyzed the consecutive positive and negative impacts related to risks, they should continually familiarize themselves with them. The highest-ranked risks have the highest priority in a project set up. Prior familiarization with the project risks servers a significant role in preventing the risks from happening. In case a threat occurs, the team members have previous awareness of the healing response to take. Most projects fail due to poor project risk planning. This section of the PMBOK risk analysis is not always emphasized during project planning and has resulted in General IT project failed in the past when overlooked.

References

Ajam, M. A. (2018). ISO 21500 Overview. Project Management beyond Waterfall and Agile, 17-19. doi:10.1201/9781315202075-4

Ben Mahmoud, M. S., Larrieu, N., & Pirovano, A. (2013). Introduction to Information System Security Risk Management Process. Risk Propagation Assessment for Network Security, 1-15. doi:10.1002/9781118579947.ch1

DIN ISO 21500:2016-02, Leitlinien Projektmanagement (ISO_21500:2012). (n.d.). doi:10.31030/2157921

Dubitskaya, E. A. (2019). Development Of Principles Of Risk Assessment In Implementation Of Innovative Projects. doi:10.15405/epsbs.2019.12.05.88

IEEE Guide–Adoption of the Project Management Institute (PMI(R)) Standard A Guide to the Project Management Body of Knowledge (PMBOK(R) Guide)–Fourth Edition. (n.d.). doi:10.1109/ieeestd.2011.6086685

LENTZ, B. (2006). Analysis and Measurements of Issues and Risk. Risk Management for IT Projects, 33-49. doi:10.1016/b978-0-7506-8231-2.50005-x

Munier, N. (2014). Risk Assessment and Analysis. Risk Management for Engineering Projects, 113-167. doi:10.1007/978-3-319-05251-9_5

Purwanggono, B., & Margarette, A. (2017). Risk assessment of underpass infrastructure project based on IS0 31000 and ISO 21500 using fishbone diagram and RFMEA (project risk failure mode and effects analysis) method. IOP Conference Series: Materials Science and Engineering, 277, 012039. doi:10.1088/1757-899x/277/1/012039

Recognized Control Frameworks: COSO-IC and COSO-ERM. (2015). Enterprise Risk Management and COSO, 75-97. doi:10.1002/9781119203780.ch5

RISK ASSESSMENT SOFTWARE. (2019). Information Security Risk Management for ISO 27001/ISO 27002, third edition, 65-74. doi:10.2307/j.ctvndv9kx.9

RISK MANAGEMENT. (2017). Risk Assessment for Mid-Sized Organisations, 45-49. doi:10.1002/9781119449294.ch4

Risk Management—A Project Imperative. (n.d.). Bringing the PMBOK® Guide to Life, 129-149. doi:10.1002/9780470446324.ch10

SCENARIO-BASED RISK ASSESSMENT. (2019). Information Security Risk Management for ISO 27001/ISO 27002, third edition, 114-118. doi:10.2307/j.ctvndv9kx.14

Selim, A. M., Hagag, M. R., & Yousef, P. H. (2018). Risk allocation for infrastructure projects by PPPs – under environmental management and risk assessment mechanisms. International Journal of Risk Assessment and Management, 22(1), 89. doi:10.1504/ijram.2018.10017043

Sherman, R. (2015). Project Management. Business Intelligence Guidebook, 449-492. doi:10.1016/b978-0-12-411461-6.00018-6

Pollio, G. (1999). An Overview of Project Analysis and Financing. International Project Analysis and Financing, 1-26.