Building confidence in executing IT programs
Program risk management is important for program success
Using IT PRM to build additional lines of defense
The poor historical performance of IT programs and the magnitude of investments in IT are forcing organizations to take new measures to increase the confidence in attaining the expected benefits. They are adapting their approach and enhancing controls and risk management over their strategic IT programs.
Organizations are strengthening their controls by:
1. Appointing experienced risk managers and a risk committee to take charge of the management of end-to-end program risk: this is in addition to the traditional role that a project management office (PMO) undertakes to track and report project risks and issues.
2. Enhancing the role of internal audit, compliance and enterprise risk functions to provide assurance coverage at selected decision points during the implementation of the program.
3. Appointing an external independent PRM provider who is charged with bringing experience and providing a forward-looking and predictive view of risk: the reasons are that these capabilities are typically not readily available inside the company, or that other suppliers (e.g., system integrators) cannot provide true objectivity due to conflicts of interest.
IT PRM focuses on providing a clear understanding of the current program issues environment and a full life cycle, forward-looking view of risks. This holistic overview of issues, risks and complexities allows informed decisions to be taken at the earliest possible time and leads to improved program performance and enhanced benefit realization. A proven method is to create multiple “lines of defense” against the threats and reduce the impact of realized risks.
• First line of defense: the most crucial layer of risk management on a program. It typically includes the executive leadership team, program steering committee, program risk committee, technical design authority, the PMO, system integrators (SIs) and the various project work stream leaders.
• Second line of defense: an independent IT PRM role. It can be provided by one independent (mostly external) party, or it can include a combination of internal and external providers, such as an independent (external) program risk and quality assurance provider, operational risk and compliance functions, external auditors and even software providers.
• Third line of defense: typically includes the audit committee and internal audit function; often seen as the last line of defense when it comes to detecting error and waste in organizational activities. These functions often benefit from being able to rely on the outputs of a trusted independent party who can focus better on selected areas of oversight; it may even reduce the need for their oversight in other program risk and assurance activities.
An independent IT PRM approach is crucial in the last line of defense for major IT program initiatives to drive success and unlock the benefits of your capital investment.