1. CIO’s Guide to Risk Management

2. Agenda
• Introductions
• IT Management Basics
• IT Risk Management
• Managing Application Support Risks
• Application Management Case Study
• Managing Project Risks

3. Introductions
Agenda
Computer Aid, Inc
• 30 Years in IT Consulting Services Business
• Privately Held Entrepreneurial Organization
• 3,000 Associates Worldwide
• $300 Plus Million in Revenue in 2011
• Offices in 34 U.S. Metropolitan Areas
• Global offices in Toronto, London, Sydney, and
Kuwait, Singapore
• Off-shore delivery: Philippines, China, Argentina,
Ethiopia, and India
• Headquarters: Allentown, Pa.

4. CAI Managed Services
• Application Support Outsourcing
– Assume full responsibility for support
– Fixed Price
– Service Level Commitments
– Continuous Improvement Commitments
• Application Development
– Fixed Price Proposals
– On-Time, On-Budget, High Quality, Warranty
• Help Desk Outsourcing
– Service Level Commitments
– Fixed Price

5. CAI Clients
Manufacturing Government
Retail Financials Transportation / Logistics
Services
Education
Insurance Utilities

6. Agenda
• Introductions
• IT Management Basics
• IT Risk Management
• Managing Application Support Risks
• Application Management Case Study
• Managing Project Risks

7. IT Management
Basics

8. What is the mission of IT?
Deliver the Information Processing
Capability required by the business at
a cost that represents value

9. IT Services
• Implement, operate, and support
– Infrastructure (servers, mainframes, networks)
– System software and Tools
• Operating Systems
• Data Query and Reporting
• E-mail and Internet Access
• Application design, development, and support tools
• Design, build/purchase, install, operate and support
application software to support the business
• Store, protect and provide secure access to business
information
• Provide consulting services to the business

10. Dimensions of IT Management
• Strategy and Business Alignment
– Strategic Planning: Management Vision, Philosophy, and Objectives
– Business Planning: Identify Business Needs
– Portfolio Management: Initiate and prioritize projects
– Budgeting: Authorize with budgets and funding
• IT Services
– Technology Architecture: Languages, DBMS, Network
– Infrastructure Operation: Operations Processes
– Application Development: SDLC, Project Management, Standards
– User Support and Services: Help Desk, SLA’s
• Administration and Control
– Human Resource Management: HR Policies, Training
– Supplier Management: Purchasing

11. Dimensions of Project
Management
• Cost • Integration
• Schedule • Communication
• Scope • Human Resources
• Quality • Procurement
• Risk • Methodology

12. Dimensions of Operations &
Support Management
• Reliability
• Availability
• Capability
• Timely
• Responsive/Performance
• Flexibility/Adaptability

13. IT Risk
Management

14. What is an IT Risk?
The possibility that IT will not be able
to deliver the required capability

15. SEI Service CMMI
• Identify the “Commitment to Deliver”
• Establish the “Ability to Deliver”
• Deliver
Note: Risk identification and mitigation are ongoing
activities … requirements change which results in
new commitments.

16. Risk Management Impact on Project Success

17. Risk Management (NASA)
• Identify - scenarios for failure
• Analyse - likelihood and consequence of failure
• Plan - actions required to track and control risks
• Track - program performance against plan
• Control - risk issues and verify effectiveness
• Communicate and Document

18. Identify & Analyse Risks
• Strategic
– Does the business strategic plan address information
processing capabilities?
– Is there a reasonable budget?
– Does the Information Processing strategy directly link
to business goals and objectives?

19. Identify & Analyse Risks
• Service Management Processes
– Do the services management processes adequately address the
following areas?
• Change and Quality Management
• Incident and Problem Management
• Availability and Capacity Management
• Service Level Commitments
– What type of commitments does IT make (by area)?
– Are they reasonable?
– What scenarios would prevent IT from meeting the
commitments?
– Can IT respond to changing requirements?

20. Identify & Analyse Risks
• Application Architecture
– Is the technology obsolete?
– Does the application provide flexibility to respond to changing
business requirements?
– Is the application reliable and available when needed?
– Does it handle spikes in processing volumes?
• Hardware and System Software
– What scenarios would impact this area?
– What is the required capacity, availability, and security?
– Do we have visibility of availability, reliability, and performance?
– Can faulty components be replaced?
– Can we identify trends?

21. Identify & Analyse Risks
• Application Operations and Support
– Do the applications provide the required capabilities?
– How often to they need to be enhanced?
– How often do they need to be fixed?
– What knowledge is required to operate and support?
– Are they reliable, flexible, easy to use?
– Is the technology obsolete?
– Can they be easily updated to support changing
requirements?
– What do they cost and what value is provided?

22. Risk Planning
• Define success or the “commitment to deliver”
(SLA’s, dates, estimates, scope)
• Analyse the “ability to deliver” including
processes, tools, infrastructure, applications,
staff, and knowledge
• Identify gaps or scenarios where the ability to
deliver will not be able to meet the commitment
• Identify prevention or response actions

23. Track Progress
• Is the available capacity for processing and
services aligned with the demand to meet
business needs without wasting resources?
• Are SLA’s being met?
• Are processes being followed?
• What is the level of quality and the reason for
defects?
• Is the staff size and their knowledge level
adequate to meet the service demand?

24. Control
• Is there a formal risk management process?
• Are all risks logged?
• Who owns the responsibility for ownership for
mitigation or prevention been assigned?
• Are problems analyzed to determine the risks
that have not been addressed?
• Is there a problem management process for
permanently fixing problems and eliminating
risk?

25. Communicate
• Is there a formal risk management plan?
• Are known risks communicated to the staff so
they can be aware of the risks?
• Does the business participate in the prioritization
and mitigation of risks?
• Are the causes and impacts of problems
communicated?

26. Scenario:
Managing
Application
Maintenance Risks

27. Application Risk Areas
• Do the applications provide the required capabilities?
• How often to they need to be enhanced?
• How often do they need to be fixed?
• What knowledge is required to operate and support?
• Are they reliable, flexible, easy to use?
• Is the technology obsolete?
• Can they be easily updated to support changing
requirements?
• What do they cost and what value is provided?

28. Plan and Manage
• Inventory applications and their capabilities, availability
requirements, and redundancies.
• Implement application management processes to track
costs, changes, quality, and value to business.
• Identify missing or deficient capabilities and how
often they need to be enhanced. Initiate enhancements
to provide user-controlled configuration.
• Eliminate recurring problems by implementing fixes.
• Document required knowledge and facilitate
orientation or cross-training of staff.
• Identify solutions for replacing obsolete technologies.
• Develop a retirement strategy.

29. Management Capability
Visibility
• What services are needed?
• What services are provided?
• When are they provided?
• How often?
• Why are they provided?
• How much do they cost?

30. Management Capability
Control
• Were the services authorized?
• Did they deliver the correct result?
• Were standard processes followed?
• Were the services delivered on-time and on-
budget?
• Did the customer receive value?

31. Management Capability
Optimization
• Reduce Risks and Costs
• Improve Quality
• Improve Processes
• Improve Customer Satisfaction
• Increase Value to the Business

32. Case Study:
Highmark Service
Excellence Project

33. Service Excellence Project
Objective:
Improve IT’s ability to meet or exceed commitments to the business
Year 1 Goal:
Increase value to the business by increasing time spent on
enhancements from 4% to 18%
Achievements
• Time spent on enhancements increased to 22.5% in 9 months and 36%
after 18 months
• Enhancement backlog was eliminated
• Application Problems and Support costs were reduced
• Business management received increased visibility and control of their
requested services, required hours, and cost
• Increased Customer Satisfaction

34. Risk Assessment Results
• Service requests were not logged
• Service Level Goals are not formally defined
• Most of the available resource hours are spent resolving
incidents resulting in a large backlog of projects
• Customer satisfaction was not measured but it was assessed
as poor based on informal feedback
• Most of the support management processes were informal
and team specific
• Knowledge was undocumented resulting in a dependence on
“hero experts for each application
• “Reactive” management because of limited visibility and
control

35. Solution Framework
Optimise
•Improve Processes
•Reduce/Prevent Problems
•Increase Value
Control
•Implement Processes
•Commitments/SLA’s
•Enforce Processes
•Authorize Services
Visibility
•Services
•Resources
•Performance
•Metrics

36. Resulting Business Value
• Increased quality, reduced rework and application problems, and
reduced support costs
• Improved process maturity
• Implemented metrics to support ongoing improvement initiatives
• Increased staff effectiveness and productivity
• Reduced risk
• Improved performance against commitments which improved
customer satisfaction

37. Case Study
Pa. Department of Transportation
Application Management and
Outsourcing

38. PennDOT Introduction
 Provides Transportation Management for
the Commonwealth of Pennsylvania
 Created in 1970 to streamline transportation management
 Annual budget of over $6 bn of state and federal funds
 Total 121,000 miles of state and local highways
 Total 55,000 state and local bridges
 Manage 40,000 miles of highway and 25,000 bridges
 12,000 employees
 11.3 Million vehicle registrations
 8.7 Million driving licenses
 Safety and Emissions control inspection programmes

39. Commonwealth Directive
“Do more with less”
 Commonwealth Budget 2011-12
 Balance budget with no tax increases
 Refocus investment in core functions of government
 Reduce general fund budget by 4% ($1.17 billion)
 State spending overall reset to near 2008-09 levels
 State agencies are directed to focus on delivery and reduce
administrative overhead

40. Success
76,500 Function Points added
0.2% defect rate

41. Scenario:
Managing Project Risks

42. Risk Analysis: Why Projects Fail?
Standish Chaos Report
• Incomplete Requirements 13.1%
• Lack of User Involvement 12.4%
• Lack of Resources 10.6%
• Unrealistic Expectations 9.9%
• Lack of Executive Support 9.3%
• Changing Requirements 8.7%
• Lack of Planning 8.1%
• Didn't Need It Any Longer 7.5%
• Lack of IT Management 6.2%
• Technology Illiteracy 4.3%
• Other 9.9%

43. The solution begins with accountability
• Who is responsible for managing project risk?
• Who is responsible for project success?
• Who is to blame for project failures?
• Does the IT project team have unrealistic
expectations of the business?
• Does the business have unrealistic
expectations of the IT project team?

44. Mitigating Project Risks
• Cleary defining Requirements minimizes changes and
re-work
• Establish an achievable Scope based on available
resources, budgets, and expected completion date
• Plan the project to avoid Resource downtime and
minimize schedule disruptions
• Identify Issues early to prevent problems and avoid the
resulting re-work

45. Will you be successful?
Effective Risk Management answers this question
• Required Information
– Timely and accurate project performance data
– Opinions/feedback from all participants
– Status of all open issues
• Risk Analysis
– Is the project on-time and on-budget for completed tasks?
– Is the project on-time and on-budget for active tasks?
– Has anything changed (scope, resource availability,
customer satisfaction, levels of overtime)?
– What is the reason and impact of the change?
– What is the impact of open issues?

46. Information Requirements
• Stakeholder and Team Communications
– Requirements
– Status
– Issues/Concerns
• Project Performance data
– Actual effort/cost vs. estimates
– Total Changes and the impact of changes
– Total Re-Work by reason (requirements changes vs. errors)
– Lost time due to schedule disruptions

47. Solutions
• Improve communications with all project
participants without disrupting progress
• Ensure compliance with processes
• Collect and analyze project performance metrics
to identify trends and new risks
• Efficient staff orientation to the project and the
management processes to enable agile staffing
• Establish accountability

48. How does CAI succeed?
• Repeatable Processes are used to manage requirements,
scope, schedules, risk, issues, changes, quality, and resources
• Tracer Service Management Tool provides visibility (metrics)
and status into all assigned activities across projects and
support
• Automated Project Office Answers the question “Will we
succeed?”
– Early identification of risks by conducting project health
assessments to analyze project performance metrics and
surveys of participants and stakeholders
– Validates compliance with processes

49. Automated Project Office
Visibility of Issues

50. Automated Project Office
Visibility of Issues

51. How can CAI help you?
• Fixed price Application Development services
• Application Support Outsourcing to allow your staff
to work on projects
• Project Management and Transformation consulting
to improve effectiveness
• Automated Project Office tool to enable a rapid
project office implementation
• ITMPI – IT Metrics and Productivity Institute provides
access to resources and knowledge from world-
renowned experts in various fields

52. Thank You.