The Schwalbe (2016) text discusses five broad categories of risk on page 433-434; Market risk, Financial risk, Technology risk, People risk, and Structure/process risk. Consider the “What Went Wrong” example involving Comair on page 436. Discuss how a risk management approach that addressed each of the five broad risk categories might have allowed Comair to avoid big problems during the 2004 holidays.
What Went Wrong
KPMG, a large consulting firm, published a study in 1995 that found 55 percent of runaway projects (projects with significant cost or schedule overruns) did no risk management at all, 38 percent did some, and 7 percent were not sure whether they did risk management or not.9.
Even within the percentage that did some risk management, half did not use their risk findings after the project was under way. This study suggests that performing risk management is important to improving the likelihood of project success and preventing runaway projects.
The timing of risk management is also an important consideration. For example, Comair is a regional airline based in Cincinnati that operates in 117 cities and carries about 30,000 passengers on 1,130 flights a day. Comair’s IT managers knew in the late 1990s that they had to address the replacement of an aging legacy system used to manage flight crews. The application was one of the oldest in the company (11 years old at the time), written in Fortran (code that no one at Comair knew), and the only system left that ran on the airline’s old IBM AIX platform. Although managers and crew addressed possible options for replacing the system, they kept putting it off as other priorities emerged. A replacement system was finally approved in 2004, but the switch didn’t happen soon enough. “Over the holidays, the legacy system failed, bringing down the entire airline, canceling or delaying 3,900 flights, and stranding nearly 200,000 passengers. The network crash cost Comair and its parent company, Delta Air Lines, $20 million, damaged the airline’s reputation and prompted an investigation by the Department of Transportation.” Had Comair or Delta acted sooner, it could have taken steps to mitigate the risk and avoid the disaster.
discusses five broad categories of risk
The number of questions corresponding to each success criterion determines the number of points each positive response is assigned. For example, the topic of user involvement includes five questions. For each positive reply, you would get 3.8 (19/5) points; 19 represents the weight of the criterion, and 5 represents the number of questions. Therefore, you would assign a value to the user involvement criterion by adding 3.8 points to the score for each question you can answer positively.
Many organizations develop their own risk questionnaires. Broad categories of risks described on these questionnaires might include:
Market risk: If the IT project will create a new product or service, will it be useful to the organization or marketable to others? Will users accept and use the product or service? Will someone else create a better product or service faster, making the project a waste of time and money?
Financial risk: Can the organization afford to undertake the project? How confident are stakeholders in the financial projections? Will the project meet NPV, ROI, and payback estimates? If not, can the organization afford to continue the project? Is this project the best way to use the organization’s financial resources?
Technology risk: Is the project technically feasible? Will it use mature, leading-edge, or bleeding-edge technologies? When will decisions be made on which technology to use? Will hardware, software, and networks function properly? Will the technology be available in time to meet project objectives? Could the technology be obsolete before a useful product can be created? You can also break down the technology risk category into hardware, software, and network technology, if desired.
People risk: Does the organization have people with appropriate skills to complete the project successfully? If not, can the organization find such people? Do people have the proper managerial and technical skills? Do they have enough experience? Does senior management support the project? Is there a project champion? Is the organization familiar with the sponsor or customer for the project? How good is the relationship with the sponsor or customer?
Structure/process risk: What degree of change will the new project introduce into user areas and business procedures? How many distinct user groups does the project need to satisfy? With how many other systems does the new project or system need to interact? Does the organization have processes in place to complete the project successfully?