2.5 Project & Program Management
· It is very important for a risk practitioner to monitor the risk related to the management of projects.
· Some of the major reasons IT projects fail are:
§ Scope creep, i.e. requirements were not properly defined in the initial phase.
§ Lack of planning, resulting in budget overruns and unavailability of skilled resources.
§ Lack of a structured project management process.
§ Systems not tested before implementation.
§ Compliance or regulatory issues.
· The root cause of a system failure should be determined so that the lessons learned can be applied to all future projects.
· A major cause of project failure is delay in completion. To make up for lost time, critical project steps (such as testing) may be skipped, which can lead to major failure of the project.
Project - Risk Tolerance
Projects frequently overrun their time or budget for various reasons. The risk tolerance for project delays should therefore be documented. Risk tolerance is the acceptable deviation from the expected project budget or timeline. For example, a project was originally scheduled for 10 months; if it is completed within 12 months there is no major impact on performance, so this is acceptable. The extra 2 months is the risk tolerance. Similarly, there can be an acceptable deviation from the originally approved budget, and this acceptable deviation is also referred to as risk tolerance.
Phases of SDLC
The risk practitioner should be aware of the following system development life cycle (SDLC) phases:
Phase | Description
Phase 1 – Initiation/Feasibility/Design |
Phase 2 – Development/Acquisition | In this phase, alternatives are evaluated and the system is developed or acquired from a third party.
Phase 3 – Implementation | In this phase, the system is tested and migration activities are carried out.
Phase 4 – Operations/Maintenance | In this phase, regular updates and maintenance are carried out for the upkeep of the system.
Phase 5 – Disposal | In this phase, obsolete systems are retired by moving, archiving, discarding or destroying information and sanitizing the hardware and software.
Risk Assessment & SDLC
· The risk practitioner should be involved in all of the above SDLC phases, and security requirements should be integrated into every phase. Performing a risk assessment at each stage of the SDLC is the most cost-effective way to address flaws at the earliest opportunity: a flaw found during design is far cheaper to fix than one found after implementation.
· Security requirements should be validated and tested to ensure that they address the risk to confidentiality, integrity and availability. Project members should be made aware of the risk implications for the project.
· The following aspects are to be addressed during the risk assessment of a project:
§ What level of confidentiality is required for the system?
§ What level of availability is required for the system?
§ The impact of any laws or regulations on the project (for example, privacy laws)
§ Architectural and technological risk
§ Use of a secure information systems development process
§ Security training for developers and staff members
Earned Value Analysis
The best way to monitor the progress of a project in terms of scope, schedule and budget is Earned Value Analysis (EVA).
Earned Value Analysis (EVA) is a method of measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in schedule and budget as the project proceeds. EVA determines and evaluates the following on a periodic basis:
· What is the actual spending to date compared with the budget?
· What is the estimated completion time?
· What will be the estimated total expenditure?
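The notes describe what EVA answers but not how the answers are derived. The following is an added worked example, not part of the original notes: it applies the standard earned-value formulas (Planned Value, Earned Value, Actual Cost, cost and schedule variance, CPI, SPI, EAC, ETC) to a constructed project snapshot, and then compares the forecasts against a documented risk tolerance of the kind described in the "Project - Risk Tolerance" paragraph above. The project figures, the 2-month schedule tolerance and the 10% budget tolerance are all assumptions made for illustration.

```python
"""Earned Value Analysis on a constructed project snapshot.

Added worked example; it is not part of the original notes. The formulas are
the standard earned-value ones (PV, EV, AC, CV, SV, CPI, SPI, EAC, ETC); the
numbers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    bac: float              # Budget At Completion: total approved budget
    planned_months: float   # originally approved schedule length
    planned_pct: float      # fraction of work scheduled to be complete by the reporting date
    actual_pct: float       # fraction of work actually complete by the reporting date
    actual_cost: float      # money spent to date (AC)


def analyse(s: Snapshot) -> dict:
    """Compute the periodic EVA figures for one reporting date."""
    pv = s.bac * s.planned_pct   # Planned Value: budgeted cost of work scheduled
    ev = s.bac * s.actual_pct    # Earned Value: budgeted cost of work performed
    ac = s.actual_cost           # Actual Cost of the work performed
    if pv <= 0 or ac <= 0:
        # Before any work is scheduled or any money spent the indices are undefined.
        raise ValueError("EVA needs a non-zero planned value and actual cost")
    cpi = ev / ac                # Cost Performance Index: < 1 means over budget
    spi = ev / pv                # Schedule Performance Index: < 1 means behind schedule
    return {
        "pv": pv,
        "ev": ev,
        "ac": ac,
        "cv": ev - ac,           # Cost Variance: negative = over budget
        "sv": ev - pv,           # Schedule Variance: negative = behind schedule
        "cpi": cpi,
        "spi": spi,
        # Estimate At Completion, assuming the cost efficiency so far continues
        "eac": s.bac / cpi,
        # Estimate To Complete: what still has to be spent
        "etc": s.bac / cpi - ac,
        # Forecast duration, assuming the schedule efficiency so far continues
        "forecast_months": s.planned_months / spi,
    }


def tolerance_check(s: Snapshot, result: dict,
                    schedule_tolerance_months: float,
                    budget_tolerance_pct: float) -> dict:
    """Compare the EVA forecasts with the documented risk tolerance.

    The two tolerance arguments are the acceptable deviations from the approved
    schedule and budget; the notes recommend that they be documented.
    """
    schedule_limit = s.planned_months + schedule_tolerance_months
    budget_limit = s.bac * (1 + budget_tolerance_pct)
    return {
        "schedule_limit_months": schedule_limit,
        "schedule_within_tolerance": result["forecast_months"] <= schedule_limit,
        "budget_limit": budget_limit,
        "budget_within_tolerance": result["eac"] <= budget_limit,
    }


# Constructed snapshot: a 10-month, 1,000,000 project reviewed at month 5.
# Half the work was scheduled, 40% is done, and 500,000 has been spent.
SAMPLE = Snapshot(bac=1_000_000, planned_months=10,
                  planned_pct=0.5, actual_pct=0.4, actual_cost=500_000)

if __name__ == "__main__":
    r = analyse(SAMPLE)
    for k, v in r.items():
        print(f"{k:>16}: {v:,.2f}")
    # Tolerance as in the notes' example (2 months over the 10-month plan),
    # plus an assumed 10% budget tolerance.
    print(tolerance_check(SAMPLE, r, schedule_tolerance_months=2,
                          budget_tolerance_pct=0.10))
```

For the constructed snapshot both indices come out at 0.8, so the forecast is 12.5 months and 1,250,000 at completion. Both exceed the documented tolerance (12 months, 1,100,000), which is the signal a risk practitioner uses to escalate rather than wait for the delay to be made up by skipping testing.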