2.5 Project & Program Management

·  A risk practitioner must monitor the risk arising from how IT projects are managed, because weak project management is itself a source of risk to the organization: a late, over-budget or poorly tested system delivers its own control failures.


·  The major reasons IT projects fail are:

§  Scope creep, i.e. requirements were not properly defined and frozen in the initial phase, so new requirements keep being added without a change-control decision.

§  Lack of planning, resulting in budget overruns and unavailability of skilled resources when they are needed.

§  Lack of a structured project management process.

§  Systems not tested before implementation.

§  Compliance or regulatory issues discovered late in the project.


·  The root cause of a system failure should be determined so that the lessons learned can be applied to all future projects, not just the one that failed.


·  A major cause of project failure is delay in completion. To make up for lost time, critical steps of the project (such as testing) may be skipped or shortened, and this can lead to a major failure of the delivered system.


·  The most important factor in implementing a risk-based approach to project management is the involvement of business representatives. Only the business can say what a delay, a data loss or an outage actually costs, so their involvement ensures an accurate assessment of risk and realistic mitigations.

Project - Risk Tolerance


Projects frequently go over time or budget for various reasons. The risk tolerance for project delays and overruns should therefore be documented up front. Risk tolerance is the acceptable deviation from the expected project budget or timeline. For example, a project was originally scheduled for 10 months; if it is completed within 12 months there will be no major impact on the business, so the delay is acceptable. These extra 2 months are the schedule risk tolerance. Similarly, an acceptable deviation from the originally approved budget is the budget risk tolerance. Documenting both gives the risk practitioner an objective trigger for escalation: a forecast that falls outside the tolerance needs a decision, not just a status report.


Phases of SDLC


A risk practitioner should be aware of the following system development life cycle (SDLC) phases:




Phase 1 – Initiation / Feasibility / Design

  •        The objective, purpose and scope of the system are discussed, finalized and documented. In this phase the system design is finalized and approved.
  •        Internal controls should be incorporated during the initial design stage; retrofitting controls after development is far more expensive.
  •        During the feasibility phase (planning or initiation), the process for change management (how a requirement or deliverable may be changed and who approves it) should be defined. This is the primary safeguard against scope creep.
  •        Availability of skilled resources is also assessed and planned for in this phase.

Phase 2 – Development / Acquisition

In this phase, alternatives are evaluated and the system is either developed in-house or acquired from a third party.

Phase 3 – Implementation

In this phase, the system is tested and migration activities (data conversion, cut-over from the old system) are carried out. Migration risk is addressed here.

Phase 4 – Operations / Maintenance

In this phase, regular updates and maintenance are carried out to keep the system operating securely and reliably.

Phase 5 – Disposal

In this phase, obsolete systems are retired by moving, archiving, discarding or destroying information and sanitizing the hardware and software, so that residual data does not leak after the system is gone.


Risk Assessment & SDLC


·  The risk practitioner should be involved in all of the above SDLC phases, and security requirements should be integrated into every phase. Performing a risk assessment at each stage of the SDLC is the most cost-effective approach, because a flaw found in requirements or design is far cheaper to fix than the same flaw found after implementation.


·  Security requirements should be validated and tested to ensure that they address the risk to confidentiality, integrity and availability. Project members should be made aware of the risk implications for the project.


·  The following aspects should be addressed during the risk assessment of a project:


§  What level of confidentiality is required for the system?

§  What level of availability is required for the system?

§  The impact of any laws or regulations on the project (for example, privacy laws)

§  Architectural and technological risk

§  Use of a secure information systems development process

§  Security training for the developers and staff members


Earned Value Analysis


The best way to monitor the progress of a project in terms of scope, schedule and budget is Earned Value Analysis (EVA).

Earned Value Analysis (EVA) is a method of measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in schedule and budget as the project proceeds. It compares three figures at the reporting date: the Planned Value (budgeted cost of the work that was scheduled to be done), the Earned Value (budgeted cost of the work actually done) and the Actual Cost (what was actually spent). EVA determines and evaluates the following on a periodic basis:


·  What is the actual spending to date compared with the budget?

·  What is the estimated completion time?

·  What is the estimated total expenditure?
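The following is an added worked example, not part of the original page, that carries the EVA calculation through and joins it to the risk tolerance discussed earlier in this section (the 10-month project that may acceptably run to 12 months). The standard EVA formulas are used: Cost Variance = EV - AC, Schedule Variance = EV - PV, CPI = EV / AC, SPI = EV / PV, Estimate at Completion = BAC / CPI, and a schedule forecast of planned duration / SPI. The project figures, the 10 % budget tolerance and the class and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EvaSnapshot:
    """Earned value inputs as of one reporting date. Money is in one
    currency unit; time is in months, matching the tolerance example."""
    bac: float             # Budget at Completion: total approved budget
    pv: float              # Planned Value: budgeted cost of work scheduled to date
    ev: float              # Earned Value: budgeted cost of work actually done to date
    ac: float              # Actual Cost: money actually spent to date
    planned_months: float  # originally approved project duration


@dataclass(frozen=True)
class Tolerance:
    """Documented risk tolerance: acceptable deviation from the plan."""
    extra_months: float    # e.g. 2.0 for a 10-month plan that may run to 12
    budget_pct: float      # e.g. 0.10 for up to 10 % over the approved budget


def eva_metrics(s: EvaSnapshot) -> dict:
    """Standard EVA variances, indices and forecasts."""
    if s.pv <= 0 or s.ac <= 0:
        raise ValueError("PV and AC must be positive to compute SPI/CPI")
    if s.ev <= 0:
        raise ValueError("no earned value yet; forecasts are undefined")
    cpi = s.ev / s.ac                      # Cost Performance Index (<1 means over budget)
    spi = s.ev / s.pv                      # Schedule Performance Index (<1 means behind)
    eac = s.bac / cpi                      # Estimate at Completion at current cost efficiency
    return {
        "cost_variance": s.ev - s.ac,      # negative = over budget so far
        "schedule_variance": s.ev - s.pv,  # negative = behind schedule so far
        "cpi": cpi,
        "spi": spi,
        "eac": eac,
        "etc": eac - s.ac,                 # Estimate to Complete: still to be spent
        "forecast_months": s.planned_months / spi,
    }


def assess_against_tolerance(s: EvaSnapshot, t: Tolerance) -> dict:
    """Combine the EVA forecasts with the documented tolerance so the
    practitioner sees not just the variance but whether it is acceptable."""
    m = eva_metrics(s)
    max_months = s.planned_months + t.extra_months
    max_budget = s.bac * (1 + t.budget_pct)
    m["schedule_within_tolerance"] = m["forecast_months"] <= max_months
    m["cost_within_tolerance"] = m["eac"] <= max_budget
    m["escalate"] = not (m["schedule_within_tolerance"] and m["cost_within_tolerance"])
    return m


# Constructed sample: a 10-month, 1,000,000 project reviewed at month 5.
# Half the work was planned to be done (PV), 40 % is actually done (EV),
# and 450,000 has been spent (AC). Tolerance: 2 extra months, 10 % extra budget.
SAMPLE = EvaSnapshot(bac=1_000_000, pv=500_000, ev=400_000, ac=450_000, planned_months=10)
SAMPLE_TOLERANCE = Tolerance(extra_months=2, budget_pct=0.10)

if __name__ == "__main__":
    for k, v in assess_against_tolerance(SAMPLE, SAMPLE_TOLERANCE).items():
        print(f"{k:28} {v:,.2f}" if isinstance(v, float) else f"{k:28} {v}")
```

For the sample the SPI is 0.8, so the 10-month plan is forecast at 12.5 months, just outside the 12-month tolerance, and the CPI of about 0.89 forecasts a final cost of 1,125,000 against a 1,100,000 ceiling. Both flags trip, so the run returns escalate = True: this is the point at which the business representative should decide whether to accept the deviation, add resources or cut scope, rather than letting the team recover time by skipping testing.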

Key aspects from CRISC exam perspective

Question: Availability of skilled resources should be addressed during which phase of the SDLC?
Answer: Design phase

Question: Migration risk should be addressed during which phase of the SDLC?
Answer: Implementation phase

Question: Internal controls should be incorporated during which phase of the SDLC?
Answer: Design phase

Question: A business case should be retained until when?
Answer: The application's end of life

Question: Which tool is used to evaluate a project in terms of project scope, schedule and cost?
Answer: Earned Value Analysis (EVA)

Question: In which phase of the SDLC is a risk assessment conducted?
Answer: During each stage of the system development life cycle (SDLC)

Question: To prevent scope creep, the process to change and approve any requirement or deliverable should be defined in which phase of the SDLC?
Answer: Feasibility stage / Design phase
