The benefits of incorporating risk management into the DNA of your IT Projects are huge.
However, I have been asked to consult on a number of IT projects where inadequate risk evaluation has led to delays, extra costs and even potential project failure.
Sadly, it isn’t just my anecdotal experiences.
A report in the UK has found that 17 major government ICT programmes are at risk of failure. The Infrastructure and Projects Authority’s annual report also concludes that of the of the 143 projects it looked at, with a combined lifecycle cost of £15.8 billion, only two achieve the best, green rating.
It would be interesting to see what rating each of the projects would have been given at the outset. You would imagine that the view of the road ahead would have been more optimistic, but would that optimism have been realistic or justifiable? My hunch is that it may have been misplaced.
That hunch is backed up by a recent report from the US Government Accountability Office (GAO).
When GAO examined 95 IT Projects across agencies including Homeland Security, Health and Human Services, Veterans Affairs and Defence, it concluded that CIOs were too optimistic when assessing risks associated with big IT projects.
Not only could this impact on project outcomes, it also reduces the effectiveness of machinery put in place to provide early warning of potential issues.
Back in 2009, the US government launched an IT Dashboard to provide transparency in cost and performance of federal IT Projects. CIOs would code IT projects green for low risk, yellow for medium and the riskiest projects would be coded red. The GAO re-evaluated risks using the agencies’ own data and almost two-thirds of the projects showed more risk than originally assessed by CIOs. Of the 95 Projects singled out, CIOs had coded 61 of them ‘low-risk’ but GAO analysis concluded just 15 warranted a green marker and many should have been given the high-risk red assessment.
Any machinery for assessing risk is only as good as the data put into it, that much is obvious, garbage in, garbage out. You know the mantra! It’s especially true of IT Project risk assessment.
I wonder how many of us can relate to this. A Project delivered over budget or late or not delivered at all because of events that were not on your radar at the start.
How often have you wished for the gift of foresight?
Could a better, more cautious assessment of risk lead to fewer IT Project fails?
Even more beneficial, I think, would be increasing the frequency of ‘in life-cycle’ risk assessment. Between making that initial ‘green’, ‘yellow’ or ‘red’ call and the post-project debrief many IT Projects would benefit from risk health checks based on live data. Your project is creating truckloads of data that could give you an early warning of problems – it’s like listening to the heartbeat of your project and it could be as good as foresight.
The US GAO report found that agencies were updating data on the IT Dashboard too infrequently, concluding that, “Such practices limit the transparency and oversight of … IT investments.”
Often far too little attention is paid to ‘active’ threats and risks. The UK report, for example, highlights that some red ratings were down to delays in a cross-government programme going live and the costs of running on existing systems for longer than anticipated. Often an external force like this can wreak havoc on the effective delivery of your project. Part of your risk assessment should be to evaluate the capability of your team to react to such eventualities.
As well as better preparing you for fire-fighting, robust risk assessments also alerts you to what I like to call “good risks”. The opportunities that arise serendipitously during the project can make all the difference and through detailed analysis of the roadmap for landmines, you start to notice the gold mines too.
Also, by preparing for risks you create time to recognise and deal with the opportunities thrown up by your project, even if it is only a few hours a week. The likelihood is that opportunities with high payoff will arise for the benefit of your project without much extra expenditure of time, money or resources.
The conclusion of the US Government Accountability Office is probably worth us all taking away.
Make ‘active risks’ a key part of your risk assessments and update your IT Project risk ratings more often.
Maybe sometimes we are just too brave for our own good, perhaps we don’t wish to seem over cautious.
Moving forward IT won’t just support your business, it will BE your business.
Our attitude to and assessment of risk needs to become a sixth sense and be embedded in EVERY IT Project.
Find out more about Stoneseed’s Project Management as a Service, project management staff, resources and tools at a flexible and predictable cost.