Introduction

The deployment of information systems by some organisations has contributed to their success by giving them competitive advantages over competitors and improving the efficiency of their operations. However, there have also been many information system failures (Remenyi 1999), which tend to fall into the categories of partial or total failure (Heeks 2006). This is equally reflected in industry surveys, which put forward that many software projects turn out to be failures or are unable to deliver the promised benefits; this implies that only about a quarter of software projects are absolutely successful (Charette 2005; Johnson 2006). These failures are a result of the risks that all projects, including information systems projects, involve, and they may stem from many factors such as the extent of novelty involved in the change (Cadle & Yeates 2008). Cadle and Yeates (2008:259) claim that 'in recent years, the subject of risk management has become increasingly important ... because projects are assuming ever-greater levels of complexity ... leading to a higher degree of uncertainty in the project'.
Conversely, Schwalbe (2006) refers to a survey conducted by Ibbs and Kwak (2000) in assessment of project management maturity, which shows that the information systems or software development industry, amongst others, tends to take lightly the significance of project risk management (Willcocks & Griffiths 1997), and suggests that all organisations have to put more effort into project risk management. Therefore, this essay argues that risk management in software or information systems projects could help in improving project outcomes by foreseeing the future risks of an IS project and then putting in place preventive or corrective measures, thereby making risk management an important consideration for organisations (Bannerman 2008). It is structured as follows: firstly, it discusses the processes involved in risk management and the critical success factors; secondly, it analyses the challenges faced in conducting risk management in a real-world organisation; and lastly, it discusses how these challenges can be tackled, which concludes this essay.

Risk Management (RM)

RM in an IS project is defined as an effort to predict the future risks associated with a project with the aim of preventing or getting rid of the risks (Bocij et al 2003; Kerzner 2004), and it is said to be one of the most important project management processes (Raz & Michael 2001; Kutsch & Hull 2010). Inadequate or absent risk management, one of the most common reasons for IS project failure in the literature, was investigated in a study by KPMG 1997 (cited in Whitaker 1999), and the outcome revealed the significance of risk management in ensuring the success of IS projects (Cooke-Davies 2002; Maguire 2002). As a matter of fact, Willcocks and Griffiths (1997) conclude from their study of seven large-scale IT projects that IT-based projects even face a higher dimension of risks.
In conducting risk management, several similar processes or stages have been suggested in the literature (Schwalbe 2006; McManus & Wood-Harper 2003; Cadle & Yeates 2008; McManus 2004; Field & Keller 1998; Kliem & Ludin 1997). Cadle and Yeates (2008) put forward the risk management process as follows (figure 1.0): Risk management plan, Risk identification, Risk assessment, Risk response planning and Risk reduction actions, monitoring and control. The first phase, the RM plan, involves the decision on how to carry out the risk management activities for the project. Such a plan should address the following: the methodology to be used, the definition of roles and responsibilities of the individuals involved in the risk management, budget and schedule, the main risk categories that need to be considered, how the assessment of risk probability and impact will be done and, finally, the reporting formats and procedures to be used for risk management activities (Schwalbe 2006). Secondly, risk identification, which is the most important phase (Boussabaine & Kirkham 2004; Dinsmore & Cabanis-Brewin 2006), deals with figuring out what the likely risks are with the aim of eliminating them before they influence the successful outcome of an IS project. Schwalbe (2006) mentions that the project team often commences the process by checking project documentation and reviewing historical information about the organisation which might influence the project; these are then discussed in a meeting as they relate to risk. The project team might also use other information-gathering techniques such as brainstorming, the Delphi technique, interviewing, root cause analysis and SWOT analysis to identify more risks which might exist.
Several other methods of identifying risks have been suggested in the literature, for example, a framework given by Ward and Griffiths (1996 cited in Bocij et al 1999) consisting of six areas of possible risk: project size, project complexity, people issues, project control, novelty and requirements stability. Others are the ITPOSMO checklist for determining the design-reality gaps in IS projects (Heeks 2006) and the IS project checklist given by Cadle and Yeates (2004). This phase is claimed to be more easily said than done: it proves to be really challenging because all known risks must be identified, whereas it is quite difficult for a project manager to be sure that all possible risks have been figured out. As a result, it is advisable to seek the opinions of more experienced project managers who may have been involved in similar projects. Upon completion of the risk identification, it is necessary to describe the risks concisely to ensure they are well understood so that they can be assessed. Good risk identification practice makes use of a risk breakdown structure, which helps to categorize the risks well and easily figure out the types of risks that are frequently encountered (Cadle & Yeates 2008). Thirdly, the identified risks are assessed to discover the most important ones in terms of their probability of occurrence and how much impact they are likely to have on the project. Obviously, the ones that require the most concern are those with large impact and high likelihood of occurrence. Cadle and Yeates (2008) suggest the use of a risk map, which plots the impact of each risk against its probability of occurrence in ratings of high, medium and low on each axis; it may also be necessary to have a separate mapping for positive and negative risks in order to address both adequately (Schwalbe 2006).
Schwalbe (2006) gives a slightly different approach to the risk assessment phase by classifying it into qualitative and quantitative, out of which the project team can decide which is more suitable for their project. Qualitative risk assessment involves the use of a risk map as mentioned above or another technique called top ten risk item tracking, which involves creating a periodic review of the most important risk items associated with the project and helps to keep an awareness of them throughout the project life cycle; the qualitative approach is usually carried out quickly (ibid). On the other hand, quantitative risk assessment is done together with qualitative assessment or separately, depending on the project nature and the availability of resources such as time and money; a wide quantitative risk assessment is mostly required in large and complex projects. Its main techniques are data gathering (via interviewing, expert judgement and collection of probability distribution information), quantitative risk analysis and modelling techniques such as decision trees and expected monetary value (EMV), simulation (Monte Carlo analysis) and sensitivity analysis. A decision tree helps to decide on the best action to take in situations where future results are uncertain; it usually also involves the calculation of EMV, which is 'the product of a risk event probability and the risk event's monetary value' (Schwalbe 2006: 447). Simulation, a more sophisticated method, involves modelling a system to examine the expected system performance and is mostly based on Monte Carlo analysis; for example, a large aerospace company used this method to help quantify risks on many advanced-design projects (Schwalbe 2006). Sensitivity analysis is frequently used to make common business decisions with the aid of spreadsheet software like Excel to examine the impacts of changing variables on an outcome.
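The assessment techniques described above (the high/medium/low risk map kept separately for negative and positive risks, EMV on a decision tree, and Monte Carlo simulation) can be sketched in a few functions. This is an added example, not taken from the essay or the authors it cites; the register entries, rating thresholds and the two delivery options are constructed for illustration.

```python
import random

# Constructed sample register: (title, probability, monetary impact).
# Negative impact = threat, positive impact = opportunity.
RISKS = [
    ("New technology unfamiliar to team", 0.40, -120_000),
    ("Requirements change late", 0.30, -80_000),
    ("Project manager replaced mid-project", 0.20, -50_000),
    ("Reusable component shortens delivery", 0.25, 40_000),
]
SCORE = {"low": 1, "medium": 2, "high": 3}


def rating(value, medium_from, high_from):
    """Map a number onto the high/medium/low scale of a risk map."""
    if value >= high_from:
        return "high"
    return "medium" if value >= medium_from else "low"


def risk_map(risks):
    """Qualitative step: rate each risk, keep threats and opportunities apart,
    and order each group so high-probability, high-impact items come first.
    The thresholds are assumptions chosen for this sample."""
    grid = {"threats": [], "opportunities": []}
    for title, prob, impact in risks:
        cell = (title, rating(prob, 0.25, 0.40),
                rating(abs(impact), 50_000, 100_000))
        grid["threats" if impact < 0 else "opportunities"].append(cell)
    for cells in grid.values():
        cells.sort(key=lambda c: SCORE[c[1]] * SCORE[c[2]], reverse=True)
    return grid


def emv(branches):
    """Expected monetary value: sum of probability x monetary value."""
    return sum(prob * value for prob, value in branches)


def best_option(options):
    """Decision tree with one decision node: pick the highest-EMV option."""
    return max(options, key=lambda name: emv(options[name]))


def simulate(risks, trials=20_000, seed=7):
    """Monte Carlo: in each trial every risk occurs or not according to its
    probability; the sorted totals give a distribution, not just a mean."""
    rng = random.Random(seed)
    totals = sorted(
        sum(impact for _, prob, impact in risks if rng.random() < prob)
        for _ in range(trials)
    )
    return {"mean": sum(totals) / trials, "p10": totals[trials // 10],
            "median": totals[trials // 2], "worst": totals[0]}


# Constructed decision: two ways to deliver the same tool.
OPTIONS = {
    "build in-house": [(0.5, 200_000), (0.5, -150_000)],
    "buy a package": [(0.9, 60_000), (0.1, -20_000)],
}

if __name__ == "__main__":
    print(risk_map(RISKS))
    print({name: emv(b) for name, b in OPTIONS.items()}, best_option(OPTIONS))
    print(simulate(RISKS))
```

The simulated mean converges on the summed EMV of the register, while the 10th percentile and worst case show the downside spread that a single EMV figure hides.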
Fourthly, the risks identified and assessed are responded to in the Risk response planning phase in order to take action. Four major response strategies for risks (Cadle & Yeates 2008; Schwalbe 2006; Pritchard 2004) are: Risk acceptance: a situation whereby a risk is allowed to occur because countermeasures are more costly or not feasible, while a contingency or backup plan is made to deal with it. Risk avoidance: this has to do with preventing a risk from occurring at all, which means dealing with the probability of occurrence. Risk transference: this involves shifting the impacts of a risk, in case of occurrence, to another party; for instance, an insurer feels the impact of any failure or fault in what is being offered or insured. Risk mitigation: this involves reducing the impact the occurrence of a risk could have. Schwalbe (2006) adds to these by introducing four major response strategies to positive risks and classifying the above-mentioned as responses to negative risks. They are Risk exploitation, which involves making sure the positive risk occurs, Risk sharing, Risk enhancement and Risk acceptance. Once a response plan has been made, actions are taken accordingly. Lastly, the risk monitoring and control phase involves checking that risks are continually reassessed, because risk management is an ongoing process: the nature of risks changes as the project progresses, so that some of the anticipated risks occur and then need to be managed, some risks disappear having been overtaken by events, and new risks appear that were not predicted at the initial stage. The outputs of this stage are the changes required and updates to the risk register and project management plan, which also serve as lessons learnt to assist with future projects.
A risk register, which could be a paper-based or computerised system depending on the project scale, is necessary in the risk management process to keep information about each risk such as title, current status, potential impacts, risk owner, actions identified and a record of progress made in implementing the actions (Cadle & Yeates 2008; Schwalbe 2006). Despite all these processes and tools made available in the literature, RM in practice could still fail to deliver if care is not taken; therefore, certain critical success factors (CSF) have been pointed out for effective risk management (Hillson 2004; Hillson & Simon 2007). Hillson (2004) mentions four CSFs. Firstly, there should be clear definitions of risk that are widely accepted by all participants so that everyone can work towards achieving a common goal. Secondly, 'a simple scalable process' as already discussed should be followed to keep it as uncomplicated as possible while still meeting the project needs, because many organizations are tempted to employ complex tools and processes (p.231). Thirdly, having decided the implementation process to be followed, the right infrastructure should be selected to support the risk management process. The choice of infrastructure might include purchase or development of software tools, resource allocation, providing training, developing procedures to work with other project and business processes, creating templates for different parts of the risk process and the need for support from stakeholders. Inadequate infrastructure can affect the risk process while excessive infrastructure can increase the cost overhead; therefore, getting it right is critical to the success of risk management. Fourthly, it is necessary to be aware of the risk attitudes of people, which range from being risk-averse through risk-tolerant to risk-neutral and risk-seeking (Brown 2008). All of these affect the way a person thinks about risk and influence the action taken, and awareness of them leads to management of the attitudes.
A project manager uses the soft management skills he or she possesses to influence and counter the bias in people. In the same way as individuals, and as opposed to being risk-mature, an organisation could also have a risk culture which negatively influences its approach to handling uncertainty. Therefore, in order to have effective RM, individual risk attitudes must be managed and an organization's perception of risk must be mature. Nevertheless, the practice of project risk management in real-world organizations is faced with several challenges, some of which are discussed here. However, a review of the literature has shown that not much detailed research on the practice of risk management in information systems projects has been conducted (Freimut et al 2001), and there has been little focus on the challenges faced in the process; this makes it particularly challenging to ascertain many claims in the literature. In order to find out these challenges, a general literature review is done and validated using a case study carried out by Freimut et al (2001) on the implementation of RM in a software project at Tenovis.

Case study of Tenovis

Tenovis is one of Germany's largest telecommunications companies and 'the [Tool Harmonization] project ... aimed to provide a unified, integrated tool to support service personnel in their task of administrating all of Tenovis' existing PBX platforms ... [started] at the end of 1999 ... to be [completed in] one year' (Freimut et al 2001:279). In order to identify and manage the risks involved in this project, the company applied the Riskit method, 'a comprehensive [software] risk management method that is based on sound theoretical principles and thus it avoids many limitations and problems that are common to many other risk management approaches in software engineering' (Kontio et al 1998:163).
Some of the risk elements in this project were the new technologies to be applied, a new development process and a new project organization which involved participants from three locations. The Riskit method as a risk management approach is quite similar to the RM process discussed earlier on the basis of the literature review. The steps involved are shown in figure 1.1 below. The implementation was anchored by a risk management team and supported by personnel from the project organization and the methodology provider, Fraunhofer IESE, who played the role of facilitators in the RM meetings by selecting and preparing RM techniques, providing necessary documents, ensuring correct application of techniques and documenting the results of meetings. While the application of risk management in Tenovis' project using the Riskit method was highly appreciated, as it helped them to identify and select the most important risks to deal with, some drawbacks were mentioned as regards practising risk management, which confirm some issues with RM in the literature. Firstly, De Furia (2009) points out that there is a widespread attitude towards risk management activities in a project as unimportant or a waste of time (Hillson & Simon 2007); this was particularly experienced in the case of Tenovis, as reported by Freimut et al (2001:279): 'the introduction of risk management was negatively affected ... the project members regarded risk management as yet another new method ...resulting in low motivation for it'. Secondly, the lack of integration of risk management with project management and project work, as it was applied at Tenovis, posed a drawback in the RM process, which resulted in more time being dedicated to RM meetings alone as opposed to handling them together with other project management activities.
This made them perceive RM as a burden; it therefore calls attention to the need for integration 'to foster the synergy between these activities' (Freimut et al 2001:283), as risk management is already criticised as time consuming, which is an issue in practice (Hillson & Simon 2007; De Furia 2009). Mayo (2008) also points out that the most common challenge in practice is that risks are not appropriately identified. Thirdly, risk management in a project is a lengthy process that does not stop at the initial risk identification prior to response but involves continuous monitoring to identify new risks not considered before. This was seen as a challenge at Tenovis because they claimed that the newly identified risks 'that were unknown at the beginning of the project were not systematically included in risk management'. Continuous risk monitoring suffered from reduced commitment at one point in this case: the full participation needed in risk monitoring meetings at the scheduled times was disrupted because facilitators and participants were not available, which resulted in rescheduling of meetings and disruption of the normal monitoring practice. Furthermore, 'participants failed to remember the context of risks and their controlling actions' (Freimut et al 2001:282). Fourthly, since RM requires the full commitment of participants, particularly the project manager, an inadequacy in this could pose a problem in practice (Galorath 2006). The case of Tenovis witnessed a change of project manager while the project was ongoing; this resulted in process ownership being fully taken over by external facilitators, especially because of time restrictions, and gave the participants the impression that RM was an activity for an external party as opposed to being a part of their regular project work. As a good practice, the 'process ownership has to rest with the project manager' (Freimut et al 2001:283).
Discussion and Conclusion

Several attempts are being made to improve the success rate of projects, resulting in what is known as project management, with risk management being one of its key processes for managing the inevitable risks associated with every project. Much emphasis has been placed in the literature on the risk management process for effectively identifying risks and taking actions, and these processes are being employed in RM in practice. The use of the Riskit method in managing the risks of Tenovis' project presented some drawbacks associated with RM in practice, as already analyzed; such challenges are probably almost unavoidable but could have been managed better. As a hybrid manager, the following could have been done: The first challenge, reluctance towards RM, requires soft skills and would be addressed by sufficiently discussing the importance of RM with all participants in order to deal with any existing bias, and by defining responsibilities so that everyone can work towards achieving a common goal (Hillson 2004). Secondly, since project management involves risk management, RM would be integrated with project management as a whole as a measure for preventing failure, and the process of RM as previously explained would be followed, utilizing both soft and hard skills in the process (Barkley 2004). Lastly, the third and fourth challenges require that the participants are fully aware of RM and the commitments that need to be in place, that of the project manager being the utmost. As a hybrid manager, sufficient training would be ensured to raise awareness of risks and RM, coupled with guidance by the manager him/herself (Kerzner 2009). As it is inevitable that a key participant will be replaced, for instance the project manager at Tenovis, this could have been postponed in order not to disrupt the full commitment required of the project manager.
Alternatively, the new project manager needs to be carried along and trained as soon as possible in order to take charge of the RM process. Although project risk management could be a daunting task (Kwak & Stoddard 2004), the role it plays in curbing IS project failure cannot be over-emphasized. Well-implemented risk management should be successful, while failure to employ best practices could result in failure and create an impression that RM is ineffective (Royer 2002). It is, however, important to bear in mind the critical success factors for effective RM, as most people's perception of risk management is unfavourable and, as is evident in the case of Tenovis, this makes its implementation quite challenging. In essence, the issues with risk management should not discourage organizations from implementing it effectively in projects, particularly IS projects; rather, they should improve on how it is applied by considering best practices to assist in guiding their projects towards success.