MANAGING IT BUSINESS RISK
A survey and white paper produced in co-operation with the Economist Intelligence Unit
WWW.MERCURY.COM

Contents
Acknowledgements  2
Executive summary  3
Introduction: Defining IT Business Risk  4
The link between IT and business outcomes  5
Risk management today  9
The sources of risk  13
Priorities for mitigating IT Business Risk  16
Survey results  18

ACKNOWLEDGEMENTS

This report was prepared by Mercury in co-operation with the Economist Intelligence Unit. The author of the report was Terry Ernest-Jones, and the editor was Denis McCauley. The report is based on the findings of a survey of 1,077 IT professionals based in the Americas, Europe, the Middle East and Asia-Pacific. The survey was designed by Mercury and the Economist Intelligence Unit, and executed by Vanson Bourne. Our sincere thanks go to the survey participants for sharing their insights on this topic.

About Mercury
Mercury is the global leader in business technology optimization (BTO). Mercury is committed to helping customers optimize the business outcomes from IT.

About the Economist Intelligence Unit
The Economist Intelligence Unit is a division of The Economist Group. Sister companies include The Economist newspaper, CFO magazine, and an array of other specialist publications. The Economist Intelligence Unit has been providing information and advisory services to the global business community for more than 50 years through many channels, including print publications, electronic media, and conferences and client meetings organized under The Economist Conferences brand.

Whilst every effort has been taken to verify the accuracy of this information, neither Mercury Interactive Corporation and its affiliates nor the Economist Intelligence Unit Ltd. and its affiliates can accept any responsibility or liability for reliance by any person on this information.

Executive summary

It is well recognised that a firm's information technology (IT) infrastructure, organisation and strategy must be aligned with its business objectives. Less understood is the reality that most of the firm's core business processes are already driven by IT, and that the ability of the firm to achieve its desired business outcomes usually hinges on IT systems performance. All organisations bear IT Business Risk: the danger that the failure or under-performance of IT applications, infrastructure or systems will result in negative business outcomes for the organisation. Executives' awareness of security risk is high, but many fail to grasp the implications of IT Business Risk, especially the potential cumulative damage of minor system faults.

This report, produced by Mercury in co-operation with the Economist Intelligence Unit, and based on a survey of 1,077 IT executives from around the world, finds that in over half of companies polled, no more than one in two IT projects undertaken in the past two years has delivered positive business outcomes. In this way, IT risk translates directly into business risk.

Most companies (although substantially fewer in Europe than in other regions) claim to manage IT Business Risk in a co-ordinated fashion. At most firms, however, both accountability and day-to-day responsibility for managing risk lie within the IT department, where good risk management practice is less well understood than at higher levels.

Other key findings include the following:

- Revenue loss and defection of customers are the most feared outcomes of IT failure, as is reputation or brand damage from service shutdowns. At the same time, IT Business Risk is most often measured in terms of potential cost (in terms of incurred expenses or unrealised savings).
- Executives view the supply chain and logistics as the parts of the business most vulnerable to IT failure. Among different business initiatives, efforts to boost cost-efficiency and customer satisfaction are seen to be most dependent on IT.
- Poor project management and business requirements definition, as well as difficulties in managing change, are the main reasons why IT initiatives fall short. Many projects also fail due to flawed implementation.
- Security initiatives, particularly when they fail, pose the greatest risk to the firm's business objectives. SOA, Web Services and outsourcing also entail considerable risk of generating negative business outcomes.
- The most reliable means of mitigating IT Business Risk are fundamental and long-term in nature: building a genuine partnership between business and IT executives, based on a shared view of the issue, and improving the effectiveness of project management.

ABOUT THE SURVEY
A telephone-based survey was conducted in the Americas, Europe, the Middle East and Asia-Pacific from February through April 2006. The survey reached a total of 1,077 IT executives drawn from a range of small and large organisations. A total of 42 percent of executives were based in Europe and the Middle East and 30 percent in the Americas, with the rest coming from the Asia-Pacific region. The survey includes a cross-section of industries, including financial services, manufacturing, high-tech, pharmaceuticals, retail, distribution, transport, telecoms, utilities and business services.

Introduction: Defining IT Business Risk

A company's business and financial performance today depends on its information technology (IT) applications, infrastructure and systems. Typically 80-90 percent of core business processes are automated, from customer service and invoicing to supplier management, payroll, regulatory compliance and many others.
When IT applications and infrastructure perform to expectations, they undoubtedly help the firm to achieve its business objectives. If they fail or under-perform, however, the business consequences can be far-reaching and difficult to isolate.

IT Business Risk refers to risks arising from the failure or under-performance of IT that result in negative business outcomes for the company. The latter include more than just the costs incurred to repair systems; they may be manifested in a loss of revenue or customers, delayed product launches, or the failure of a new application to realise projected cost savings. Egregious systems failures can sometimes result in damage to a firm's brand and reputation, or may result in the filing of legal claims against the firm. In some cases, poor IT performance contributes to failures in integrating newly-acquired firms, the consequences of which can be devastating for the merged company's long-term financial health.

IT Business Risk differs from conventional definitions of IT-related risk, which focus on security threats from viruses and hackers, and disasters from fire or terrorism. These capture the attention of the board, and in the worst cases the media, whereas the risk from less dramatic problems is routinely neglected. "There's a danger of too much focus on pure failure," says Eric Holmquist of Advanta Bank Corp. and chair of the US-based Risk Management Association's committee for operational risk management in IT. "But what happens if a given technology kind of fails?" He cites the example of data corruption on customer records: businesses may not immediately recognise this, but the consequences can be devastating.

IT Business Risk is not a new concept. Over two-thirds of IT managers worldwide already say it is managed in an organised fashion at their companies. This is encouraging, but other survey results suggest that recognition of IT Business Risk is not matched everywhere by well-thought-out risk management practices.
"In most cases, organisations are not paying enough attention to this kind of risk," says Michael Gough, CEO of the UK's National Computing Centre (NCC), the country's paramount IT industry organisation.

Based on quantitative analysis, as well as insights from interviews conducted with senior IT executives and industry experts, this report sheds light on how companies around the world view the nature of IT Business Risk and its chief sources, the structures they use to manage it, and the strategies that many are employing to mitigate this type of risk.

The link between IT and business outcomes

IT has delivered immeasurable value to companies over the past 15 years in improving cost-efficiency, enhancing decision-making and, more recently, creating new channels for revenue generation. But IT advances have also introduced greater complexity into companies' infrastructure and applications. The fact is that many IT projects fail to deliver. Teams have developed and implemented large and small IT projects for decades, but many repeat the same mistakes despite vastly improved development tools and a wealth of experience won through bitter trial and error. The survey conducted for this report reveals that, for 54 percent of firms across the globe, no more than one in two IT projects has delivered positive business outcomes over the past two years. Other research supports this finding. In a recent survey by KPMG International, nearly half of 600 organisations reported at least one project failure in the past year [1]. And the Standish Group, a consultancy that tracks project failure rates in the United States, says in a 2004 report that more than half of IT projects over the previous two years were completed late, over budget or lacking intended features, and almost one in five were cancelled before completion [2].
Key points:
- At over half of companies globally, no more than one in two IT projects delivers positive business outcomes
- Companies consider improved cost-efficiency as the business outcome most dependent on IT; at the same time, loss of revenue and customers are the most feared outcomes arising from IT failure
- The supply chain and logistics are the areas of company operation most vulnerable to IT failure

The impact on business outcomes

Be it IT under-performance or full systems crashes that cause major disruptions, the consequences of IT failures are usually manifested in negative business outcomes. And these can be sudden: "Protection of information isn't something new; what has changed is that you can lose data much faster now," says Mr Holmquist.

The effects of IT failure can be enormously harmful to firms' financial health. Worldwide, loss of revenue is the outcome that companies dread most from IT failure. "IT has taken centre stage," says CP Gangadharaiah, senior vice president with IT services provider Wipro Technologies, based in India. "For large and small companies alike, systems failure will impact revenue immediately."

WHICH ARE THE MOST FEARED BUSINESS OUTCOMES OF IT FAILURE WITHIN YOUR ORGANISATION?

                                                                    Total   EMEA   Asia-Pacific   Americas
Revenue loss                                                         43%    48%        34%          46%
Loss of customers                                                    40%    36%        44%          43%
Reputation or brand damage from publicly recognised service failures 30%    27%        41%          22%
Unanticipated business expenses (eg, to repair or replace systems)   19%    17%        15%          26%
Not making planned cost savings                                      18%    26%        11%          13%
Delayed launches of new products/services                            11%     9%        15%          12%
Legal claims (eg, from customers, shareholders)                      10%    14%         6%           8%
Regulatory challenges arising from compliance failures                8%     9%        12%           4%
Failure to integrate businesses or departments in M&A situations      6%     4%        12%           2%

[1] Global IT Project Management Survey, November 2005
[2] The Chaos Report, 2004
In just one of many examples, an unsuccessful upgrade to its customer relationship management (CRM) system is estimated to have cost US mobile operator AT&T Wireless (now part of Cingular) US $100 million in 2003 and 2004. And the examples are not limited to the private sector: in another celebrated case in the UK, software errors led the Inland Revenue to make about US $3.5 billion worth of tax-credit overpayments in 2004 and 2005.

Loss of customers is another feared business outcome from IT failure. Most often this results from breakdowns of CRM systems of the type mentioned above, but website downtime or other process failures can also generate intense customer frustration leading to churn, as Amazon and other online retailers have found to their dismay. For survey respondents in Asia-Pacific, the prospect of customer defection from IT failures causes the greatest anxiety.

Other firms (30 percent of our global sample) cite damage to their brand or reputation among the most feared outcomes of IT failure. Such damage often goes hand in hand with revenue or customer loss. The US airline Comair, for example, failed to take action to replace a critical legacy system which managed its flight crews, and did not take into consideration the risk of the application crashing. When this happened, it cost the airline US $20 million in lost revenue and badly damaged its reputation.

Probably the most visible and tangible effects of IT failures are the costs incurred in correcting faults and, in the case of longer-term projects, the loss of sunk investment in initiatives that go wrong. In 2004, for example, the UK supermarket chain J Sainsbury abandoned a supply chain management (SCM) system in which it had invested US $530 million.

HOW DEPENDENT ARE EACH OF THESE TYPES OF BUSINESS OUTCOMES ON IT?
(1 = no dependence on IT, 3 = some dependence on IT, 5 = heavy dependence on IT)

                                                               1      2      3      4      5
Ability to merge with or acquire other businesses             13%    14%    27%    28%    19%
New product introduction or innovations                       10%    14%    25%    29%    22%
Entry into new geographical markets or customer segments      11%    17%    33%    24%    15%
Reduce cost of operations                                      2%     8%    23%    38%    29%
Customer satisfaction                                          4%     9%    28%    33%    25%
Regulatory compliance                                          5%    13%    32%    25%    25%

Such IT calamities grab the headlines, but Mercury's Chief Marketing Officer, Christopher Lochhead, believes that companies must not lose sight of where risk resides: "It's often the smaller things that get overlooked," he says, citing the loss of productivity if an HR system fails. "It is impossible to hire an employee without having the technology up and running."

When asked how dependent various business outcomes are on IT, two-thirds of respondents in the survey (and over three-quarters of firms with more than US $5 billion in annual revenue) place greatest emphasis on reducing operating costs. IT is regarded as crucial in increasing profitability, for example by automating processes and lowering headcount, thus boosting productivity. It is also an enabler of outsourcing, which financial services firms have employed to particular benefit to reduce operating costs. (At the same time, as we will discuss later, respondents view outsourcing as a significant source of IT Business Risk.)

Customer satisfaction is also perceived to be heavily dependent on IT for the majority of surveyed firms. As companies expand their interaction with customers to embrace multiple channels beyond voice (to include the web, SMS texting, email and others), and as contact centres shift to IP platforms, this level of dependence is certain to rise.
Increasingly, customers judge an organisation not only on the smooth service they receive via the website or contact centre (both of which require the highest standards of IT performance) but also on other IT-dependent factors, for example how knowledgeable agents are about previous interactions.

Areas of vulnerability

Across all regions, supply chain and logistics are the areas of company operation perceived as most vulnerable to IT failure. Not surprisingly, this vulnerability is felt most acutely by respondents from the retail and distribution/transport industries (perhaps with the unhappy example of J Sainsbury, cited above, in their minds), as well as by telecommunications firms and utilities. It is also more pronounced in the largest firms in the survey, those with over US $5 billion in revenue. With the scattered supply chain, everything grinds to a standstill when systems are down. Customer service, for the reasons cited above, along with production and financial operations, are also prominent in the list of areas vulnerable to IT failure.

IN WHICH PARTS OF THE BUSINESS ARE OPERATIONS MOST VULNERABLE TO IT FAILURE?

                                     Total   Firms with over US$1bn in revenue   Firms with over US$5bn in revenue
Supply chain/logistics                32%               34%                                 37%
Customer service                      24%               25%                                 28%
New product/service development       23%               24%                                 26%
Production                            22%               22%                                 25%
Finance                               20%               19%                                 16%
Sales                                 20%               18%                                 15%
General management                    18%               16%                                 15%
Compliance                            10%               13%                                 14%
Marketing                             10%               11%                                 12%
Human resources management             7%                7%                                  7%
Other                                  4%                4%                                  1%

IT initiatives that matter most

IT initiatives, of course, produce positive as well as negative business outcomes, although the latter tend to attract greater publicity. For better or for worse, IT managers believe that enterprise application deployments such as ERP (enterprise resource planning) or CRM are the IT initiatives most closely linked to driving business outcomes.
(Asia-Pacific and EMEA respondents cite enterprise application deployments most frequently in this context, while those in the US include it among their top three.) ERP offers tempting benefits, although executives often find that new systems present them with either over-complex or simplistic data on which they are supposed to make decisions. Failed ERP deployments due to applications conflicts are also common, and have costly consequences. In 2004, car hire firm Avis Europe cancelled an ERP deployment, costing the company US $54 million. In the same year, US IT giant Hewlett-Packard was forced to report that problems with its ERP system contributed to a US $160 million loss.

IT managers also see service-oriented architecture (SOA) and Web Services initiatives as closely linked to business outcomes, as well as moves to centralise and consolidate IT systems. Few IT professionals need to be convinced of the benefits that SOA offers, but the risks associated with it are not yet widely recognised. It is still early in the implementation stage, and problems are certain to emerge before SOA delivers in full on its potential. (More on SOA-related risks later.)

WHICH OF THE FOLLOWING IT INITIATIVES ARE MOST CLOSELY LINKED TO DRIVING BUSINESS OUTCOMES IN YOUR COMPANY?

                                               Total   EMEA   Asia-Pacific   Americas   Firms with over US$5bn in revenue
Enterprise application deployments (ERP/CRM)    35%    33%        44%          30%                  38%
SOA/Web Services                                26%    26%        23%          30%                  27%
Centralisation/consolidation                    26%    32%        19%          25%                  40%

Risk management today

Companies may understand the concept of IT Business Risk, but this does not mean that all have come to grips with it. While most IT managers globally say their firms manage it in an organised fashion, 40 percent of respondents from the EMEA region (Europe, Middle East and Africa) say it is not the case in their companies.
Most firms seem to equate IT Business Risk with other, more familiar and more visible categories, such as financial risk, security and operational risk, managing them all under one portfolio. Again, however, there are stark differences between regions, with firms in Asia-Pacific and the US more likely to manage these in a single risk portfolio than those in EMEA. The inference is that not all firms fully appreciate the nature of IT Business Risk and the potential consequences of systems failure. Some practitioners believe there is less than meets the eye to executive assertions that their firms manage this risk well. "Executives don't realise how much of the core business processes are enabled by technology," says Mercury's Mr Lochhead. "Executives tend to treat IT in the same way as an elevator. It doesn't occur to them that it is liable to break down until they are stuck between floors waiting for help." This attitude, says Mr Lochhead, is all the more unwise as regulatory pressures increase. "The level of acceptable risk has changed."

Establishing accountability

This view is borne out by the finding that in the majority of firms (59 percent), accountability for IT Business Risk resides outside the executive suite. In more than half of the surveyed firms (47 percent of those with revenue of over US $5 billion), the IT director or IT manager holds primary accountability, rather than the CIO, CEO or other senior executive. Responsibility for day-to-day management of risk also lies mainly with non-business managers. Moreover, although senior IT managers are primarily responsible at a majority of firms, management responsibility is often spread across several roles. These include line-of-business managers, compliance officers, chief risk officers, the programme management office and even outsourced IT suppliers. (In EMEA about one in ten companies, and about four in ten in Latin America, has no one managing it.)
Key points:
- Most companies claim to manage IT Business Risk in a co-ordinated fashion, but understanding of its nature, and of good risk management practice, may not run as deep
- Accountability for IT Business Risk resides below the most senior levels of management in most firms, and most frequently with IT managers; the latter are also tasked with day-to-day risk management, but this responsibility is often shared with several other executives less directly accountable for IT Business Risk
- IT Business Risk is most often measured in terms of potential cost, although many firms view it through the prism of potential lost revenue or brand and reputation damage

PLEASE INDICATE WHETHER YOU AGREE WITH THE FOLLOWING STATEMENT: IT BUSINESS RISK IS NOT MANAGED IN A CO-ORDINATED FASHION AT MY COMPANY

              Total   EMEA   Asia-Pacific   Americas
Agree          27%    40%        12%          22%
Disagree       68%    56%        83%          71%
Don't know      5%     3%         6%           6%

This is a worry for some experts, given the potential consequences to the business of IT failure or under-performance. IT risk is typically managed reactively in companies, according to Mr Holmquist of the Risk Management Association. "Technical people generally have a higher tolerance of risk than business people." Placing some responsibility on the firm's business managers for IT risk is desirable, adds Mr Holmquist. "IT is best at defining what could go wrong; business is best at saying what that would mean," he says.

Around half of companies in the survey (45 percent) utilise a program or project management office for management of IT Business Risk. Service level management is also widespread, and so are dedicated security teams, especially in the largest IT shops, and especially in Asia-Pacific.

WHO IS PRIMARILY ACCOUNTABLE FOR IT BUSINESS RISK IN YOUR ORGANISATION?

                                Total   EMEA   Asia-Pacific   Americas   Firms with over US$5bn in revenue
CIO/Head of Technology           30%    24%        38%          32%                  34%
IT Director                      22%    12%        40%          44%                  22%
IT Manager                       14%    14%        17%          12%                  13%
Senior IT Manager                14%    13%        15%          14%                  12%
CEO                               4%     2%         9%           2%                   4%
CFO                               4%     5%         2%           4%                   4%
Nobody                            3%     4%         2%           3%                   1%
Chief Risk Officer                3%     4%         2%           2%                   5%
Line of Business Manager          2%     1%         2%           3%                   1%
Programme Management Office       1%     1%         1%           2%                   2%
Outsourced IT supplier            1%     1%         3%           1%        (one cell blank in the source)
Compliance Officer                1%     1%         1%           1%        (one cell blank in the source)

RISK MANAGEMENT AT NOVO NORDISK
The effects of systems failures vary, of course, from industry to industry. For the Danish healthcare company Novo Nordisk, they could lead to compliance problems and possibly a shut-down mandated by the regulatory authorities, as CIO Lars Fruergaard Jørgensen points out. The company's risk structure now includes interviews with all system owners and managers throughout the company which can reveal, for example, that a legacy system is over-reliant on too few staff for maintenance. "We are confident that this thorough risk management approach will lower the overall risk of a major breakdown," says Mr Fruergaard Jørgensen. For overall management of risk, clear procedures and responsibilities must be established. The firm has an IT risk manager, and a cross-functional committee reviews IT risk on a regular basis. It uses a risk matrix to track progress on every IT project (there are usually 20-30 running concurrently); reports are made monthly, and the status of each is marked by colour according to how well things are progressing. When it comes to introducing new systems, Novo Nordisk recognises the danger of project failure during the implementation stage. To combat this, Mr Fruergaard Jørgensen relates that project teams at Novo Nordisk are not disbanded until user satisfaction has reached an acceptable level, key performance indicators have been attained and mandatory benefits are realised. This may require several weeks, but the company feels it is worth the effort.

WHAT MANAGEMENT TECHNIQUES OR STRUCTURES DOES YOUR BUSINESS EMPLOY TO MANAGE IT BUSINESS RISK?

                                          Total   EMEA   Asia-Pacific   Americas   Firms with over US$5bn in revenue
Programme/project management office        45%    48%        46%          39%                  54%
Service level management                   43%    52%        36%          39%                  50%
Dedicated security team                    38%    41%        45%          28%                  53%
Formal change management                   34%    48%        23%          27%                  53%
Centralised quality assurance function     33%    35%        25%          43%                  45%

Measuring risk

It is often said that if risk cannot be measured, it cannot be managed. There is a broad range of approaches to measuring IT Business Risk, but companies most frequently view it in terms of potential cost, for example the value of sunk investment in an application. (This is particularly the case in firms with large IT departments, having over 1,000 staff.) But as discussed earlier, negative business outcomes often take the form of lost revenue, and indeed nearly 40 percent of surveyed companies view IT risk primarily through this prism. Still other firms make qualitative assessments of the risk of an IT project's failure, for example as the potential damage to the company's brand or reputation.

The predominance of a cost-based perspective is not surprising given the finding that so much responsibility for management of IT Business Risk resides within the IT department, widely regarded by management as a cost centre. But this approach to measuring risk is potentially limiting. By taking a broader view, one which includes the potential of lost revenue, firms could focus on prevention rather than merely remedial measures.

HOW DOES YOUR COMPANY MEASURE IT BUSINESS RISK?

                                                  Total   EMEA   Asia-Pacific   Americas   Firms with over US$5bn in revenue
Quantified as potential cost                       48%    50%        50%          42%                  60%
Quantified as potential lost revenue               39%    40%        38%          38%                  48%
It is assessed in qualitative terms                35%    36%        42%          27%                  42%
Impact on corporate reputation/brand               33%    36%        37%          24%                  45%
We do not attempt to measure IT Business Risk      18%    17%        12%          24%                   5%

AN EDUCATION IN IT RISK MANAGEMENT
For Chicago Public Schools there is an urgency to use IT systems to raise standards that few commercial organisations face: of the 430,000 students in its care, 85 percent are below the poverty line. A team of 200 full-time IT staff supplemented by consultants run a variety of applications for the network of schools, including enterprise systems, HR, finance and student information. There are 85,000 computers across the school system. "It's like a Fortune 250 company," says CIO Robert Runcie, a Harvard graduate with a business background at Accenture and Computer Sciences Corporation. To provide transparency and drive accountability, Mr Runcie has created an IT governance process which presents to key C-level officers and stakeholders. There is also an enterprise project management office to ensure strong project management. Before an IT project starts, one key factor is settled in order to mitigate risk: appropriate staffing. "We don't do a project unless we can find the right skills and experience within the organisation," says Mr Runcie. Once started, project risk is managed on an on-going basis. A steering committee is given regular status reports on each IT project. Mr Runcie points to another critical risk factor: executive sponsorship. The CEO and other key officers need to be on board and engaged with the project on a regular basis. IT risk is not a matter of how perfectly you execute the project, Mr Runcie believes. Rather, it's ensuring proper alignment of the project to the organisation's strategic goals. "The biggest IT risk is in failing to impact on the business properly."
Fundamentals must be calculated: what is the impact of failures on external stakeholders such as customers and distributors, as well as on other departments in the organisation? What is the toll if an application cannot be accessed? What figure can be estimated for lost sales from a CRM fault?

The sources of risk

When IT initiatives fail or under-perform, and have a negative impact on the business, what are the key factors involved? Three stand out for companies across the world: ineffective project management (including resource and budget management), poor business requirements definition, and difficulties in handling change. "It's not software or technology that kills a project," says Robert Runcie, CIO serving Chicago's 640 public schools. (See box on page 11.) "It's getting well-defined requirements that makes or breaks it. You have to make sure they're set in advance, and that the team knows what the transformation should look like."

"There's a tendency for executives to lob an idea over the wall, and expect IT to use osmosis to understand it," says Mr Holmquist. Operational risk for IT projects should focus on three areas, he says: quality of business requirements definition, quality of implementation, and quality in the selection of tools. Better strategic technology planning is also needed in order to map technology strategy to business strategy, adds Mr Holmquist. But, he observes, communication between IT and other business functions is often problematic. "Typically there is a language barrier between business and IT." One of an IT department's most valuable assets, Mr Holmquist notes, is that rare breed of business analyst who can act as a liaison between IT and other business functions. "You need to have a business champion who is responsible for delivery of benefits," adds Mary Lacity, Professor of Information Systems at the University of Missouri-St. Louis (in the US).
"IT is responsible for delivery of products and is accountable for costs."

Seeing the projects through

Even where communication flows well, organisations find that deployment and roll-out issues frequently wreck IT projects. (This is especially problematic in Europe.) Often projects fail at the very end when users are not trained properly to benefit from the new system. "Most people ignore the risk at the implementation stage," says the NCC's Michael Gough. "Often, the more money spent on analysis and design, the less is spent later on training. It's vital to have enhanced training." A case in point is the UK government's multi-million dollar Jobcentre Customer Management System, which handles claims for income support and allowances. The system, implemented over 2003-2005, has been the object of heavy criticism in the British parliament and press for a 40 percent failure rate in processing claims. The system had a very poor reception from staff, and an independent report identified inadequate training, a failure to listen to staff concerns and inflexibility in using the system as causes of the failure.

Key points:
- Ineffective project management, poor definition of business requirements and difficulties in handling change are most often to blame when IT initiatives fail to produce positive business outcomes
- Formal change management is the factor most blamed by large companies (over US $5 billion in turnover) in Europe and the US for IT initiatives which fail
- Follow-through is critical: many IT projects fail during the implementation stage. Inadequate troubleshooting and poor user training are frequently the culprits
- Security systems deployments, particularly when they fail, pose the greatest risk to the firm's business objectives.
Newer initiatives, such as SOA, Web Services and outsourcing, also entail considerable risk of generating negative business outcomes Mercury_risk_v4 27/4/06 8:56 pm Page 13 MANAGING IT BUSINESS RISK WWW.MERCURY.COM 14 WHEN IT INITIATIVES HAVE FAILED TO PRODUCE THE EXPECTED BUSINESS OUTCOMES IN YOUR COMPANY, WHAT HAVE BEEN THE PRIMARY FACTORS? Firms with Firms with over US$1bn over US$5bn Total in revenue in revenue Project management (including resource and budget management) 28% 27% 28% Business requirements definition 24% 25% 26% Deployment or rollout issues 19% 24% 25% Poor quality software/technology 17% 14% 13% Business environment change 12% 14% 15% Quality assurance (functional, integration, and system testing) 12% 13% 12% Development issues (design/architecture issues, code quality/developer testing, etc.) 12% 13% 10% Requirements governance (ie, scope creep) 11% 17% 20% Change management 11% 10% 9% Quality of implementation also has much to do with system design, testing and performance in the pre-launch phaseand monitoring after launch. Surveyed executives point to problems in applications testingsuch as poor coding, quality assurance, load/performance testing and system diagnosticsas sources of project failure and negative business outcomes. A new application could have thousands of functions, says Mr Gangadharaiah of Wipro. End-user testing used to be relevant when applications were simpler. A professional testing organisation is needed now. Difficulties in coping with change figure prominently as sources of IT failure (providing three of the top ten failure-related factors cited in the survey), and particularly for larger firms. Deployment issues frequently arise due to employees resistance to change, both in the systems that they use and in the business processes that they are a part of. 
Changed circumstances in the business environment, such as new regulatory decisions, can alter the requirements of a project; this need not be a problem if the new requirements are assimilated and communicated but, as discussed above, this is often not the case. Problems in these areas point to shortcomings in change management, both within the IT department and in the business as a whole. Sometimes performance issues at outsourcing partners are at the root of IT project failure. Elsewhere, production application or service management may be the problem. Other causes of failed projects stem from changes in specifications. "You need to put a box around scope creep," says Ms Lacity of the University of Missouri-St. Louis. Problems with requirements governance are more likely to be a source of IT failure at larger organisations than at smaller ones, judging by the survey results.

New initiatives, new risks

So great today is the fear of breaches of information security, such as theft of intellectual property or virus attacks, that security initiatives, or rather their failure, are viewed by managers as posing the greatest IT Business Risk to the company. Little wonder, as hacking is increasingly motivated by criminal gain. Across all regions, security stands out as the riskiest type of project from a business outcomes perspective. Other risk-laden IT initiatives include:

Service-oriented architecture. Although it can cut total IT expenses over the long term by as much as 20 percent (according to analyst firm Gartner), many companies are currently struggling with SOA implementation. There are any number of reasons: the supporting technology is still evolving, and standards are maturing; it requires organisational change to cross former boundaries; and it creates complexity in the form of a large number of small applications and services (a problem in one can impact the others). Last but not least, SOA requires new competencies on the part of IT staff.

Web Services. These initiatives are another new source of complexity, due in no small measure to the multiplicity of competing standards and specifications, and the interoperability headaches this causes. Web Services can also render conventional perimeter security controls irrelevant: a service exposed to partners or customers deliberately opens a path into corporate systems, and a firewall that permits HTTP or HTTPS traffic sees a service call as ordinary web traffic. The controls have to move to the application layer, validating each message and authenticating and authorising each caller. Existing firewalls often are not up to the security task.

Outsourcing. Some experts feel that companies are exposing themselves unwittingly to further risk through outsourcing. "With outsourcing, many organisations have divested themselves of analysis and have eroded internal competencies," according to the NCC's Michael Gough. "This puts tremendous pressure on the CIO, who must make decisions without the appropriate surrounding support." Loss of business knowledge, compliance problems and data security breaches are other outsourcing-related risks, which demand that firms maintain visibility over the outsourcer's business processes.

WHICH OF THE FOLLOWING IT INITIATIVES ARE INTRODUCING THE MOST IT BUSINESS RISK INTO YOUR ORGANISATION?
(Percentage of respondents citing each initiative)

                                             Total   EMEA   Asia-Pacific   Americas   Firms with over
                                                                                      US$5bn in revenue
Security                                      36%    37%       39%           32%            33%
SOA/Web Services                              29%    36%       21%           29%            28%
Outsourcing                                   28%    33%       21%           29%            34%
Enterprise application deployments (ERP/CRM)  22%    16%       29%           23%            16%
Quality Assurance                             14%    14%       13%           13%            13%
Business Service Management                   13%    11%       18%           13%            13%
Centralisation/Consolidation                  13%    10%       19%           13%            16%
IT Governance                                 13%    15%        9%           12%            13%
ITIL/ITSM                                     10%    14%        8%            7%            15%
Performance Management                        10%    11%        8%           11%             8%

Priorities for mitigating IT Business Risk

Aside from developing contingency plans to cope with major crashes (normally a part of business continuity planning), there are few back-up mechanisms to mitigate IT Business Risk.
The most reliable means of mitigation are more fundamental and long-term: developing a genuine partnership between business and IT executives, and improving the effectiveness of project management. It is no accident that IT governance and project management are two of the most important areas in which firms will invest over the next year to improve IT performance. "Projects succeed where there is a true partnership between business and IT," says Ms Lacity of the University of Missouri-St. Louis.

According to Mr Runcie of Chicago Public Schools, ensuring adequate resourcing and staffing is a fundamental means of mitigating IT project risk before a project is launched. (See box on page 11.) Once it is under way, ensuring quality and performance before the system goes live is a fundamental means of minimising the risk of failure later on.

Another way to mitigate the effects, and lessen the likelihood, of IT failure, according to Ms Lacity, is to reduce the scale of projects. The bigger the project, she warns, the lower the success rate. Ms Lacity advocates dividing large projects into multiple smaller projects to minimise risk, making full use of prototyping, which in IT denotes a method of using small project components to confirm requirements, define interfaces, troubleshoot problems and ensure that software actually meets contractual agreements. (This is where SOA and Web Services, in their ability to break up projects, and thus IT Business Risk, into smaller discrete blocks, will ultimately benefit business outcomes.)

Key points:
- The most reliable means of mitigating IT Business Risk are building a partnership between business and IT executives and improving project management
- IT governance and project management are, accordingly, two of the most important areas in which firms will invest over the next year to improve IT performance
- Business service management and infrastructure management are other investment priorities for firms as they strive to enhance IT performance
- Large firms (over US$5 billion in revenue) will focus investment on IT governance, security, requirements management and business service management

GUIDELINES FOR MITIGATING IT BUSINESS RISK

There are several effective techniques and approaches for mitigating IT Business Risk, and best practice varies according to the circumstances of each organisation. But some common ground was found when speaking to a range of international experts in researching this report:

CHECK AGAINST STRATEGIC GOALS. Ensure that the project and its immediate objectives support the wider goals of the business.

GET SUPPORT AT THE TOP. Support for large projects must be established at the highest level of the company, and a senior champion is often required to ensure that focus is sustained.

DEFINE AND PRIORITISE REQUIREMENTS. Ensure requirements are clearly articulated before a project starts. By the time a project gets under way, a large number of people, often with conflicting requirements, are likely to have given input. Also, determine the importance of each requirement from the business point of view.

PROTOTYPE. Dividing large projects into smaller units and prototyping them can be an effective way to lower risk. The divide-and-rule principle applies. Also, users have a chance to spot problems before the full deployment.

TRY INDEPENDENT TESTS. With the complexity of today's large-scale projects, testing by a separate party (often the quality assurance team) is found to be useful, enabling the system to be put through its paces by an objective source.

AUTOMATE. The vast majority of IT faults are the result of human error. Automating the management of IT Business Risk will help ensure that problems are caught and addressed before they produce negative business outcomes.

BEWARE THE IMPLEMENTATION STAGE. Many projects stumble at the last hurdle. Thorough training of users at the implementation stage is required, but so is constant monitoring to ensure system availability and performance. Monthly reporting of project progress at a senior level is also recommended.

AUDIT REGULARLY. Regular audits should be conducted across all existing systems to detect problems, for example a hidden application that has the potential to bring major systems down and cause damage to the company.

The bigger picture

At a higher level, companies need to get to grips with managing ongoing IT Business Risk. IT projects tend to be complex and long-term, making it difficult for the firm's senior business executives to sustain interest in them. For the larger organisations surveyed (with more than US$5 billion in turnover), IT governance (35 percent) and security (24 percent) are closely followed as investment areas over the next 12 months by requirements management and business service management (19 percent each). On larger projects, the business requirements are almost certain to have changed (and the project's original sponsors may have moved on) during implementation, requiring effective communication of the new objectives to project teams, a challenge for executives whose focus has shifted. IT staff themselves are faced with reconciling complex, ill-defined, often conflicting and changing business requirements while juggling millions of lines of code. The risk of project failure, or of misalignment with business objectives, will never disappear. Consistently following some basic guidelines will help mitigate the risk that such failure will produce negative business outcomes.

Appendix: Survey results

HOW WOULD YOU DESCRIBE THE JOB ROLES YOU HAVE HELD TO DATE?
  Primarily IT                     61%
  A mix of both IT and business    33%
  Primarily business                6%

HOW WOULD YOU DESCRIBE THE JOB ROLES YOUR CIO HAS HELD TO DATE?
  Primarily IT                     32%
  A mix of both IT and business    56%
  Primarily business               12%

HOW DOES YOUR COMPANY MEASURE IT BUSINESS RISK?
  Quantified as potential cost                   48%
  Quantified as potential lost revenue           39%
  It is assessed in qualitative terms            35%
  Impact on corporate reputation/brand           33%
  We do not attempt to measure IT Business Risk  18%

The survey was designed by the Economist Intelligence Unit for Mercury and conducted by Vanson Bourne from February through April 2006. A total of 1,077 IT managers participated in the survey.

PLEASE INDICATE WHETHER YOU AGREE WITH THE FOLLOWING STATEMENTS ABOUT THE MANAGEMENT OF IT BUSINESS RISK
  IT Business Risk is not managed in a co-ordinated fashion at my company
    Agree 27%   Disagree 68%   Don't know 5%
  IT Business Risk is managed as a separate risk category
    Agree 47%   Disagree 47%   Don't know 6%
  IT Business Risk is managed within the firm's overall risk portfolio (including financial risk, security risk, operational risk and other types of risk)
    Agree 61%   Disagree 29%   Don't know 10%

WHO IS PRIMARILY ACCOUNTABLE FOR IT BUSINESS RISK IN YOUR ORGANISATION?
  CIO/Head of Technology          30%
  IT Director                     22%
  IT Manager                      14%
  Senior IT Manager               14%
  CEO                              4%
  CFO                              4%
  Nobody                           3%
  Chief Risk Officer               3%
  Line of Business Manager         2%
  Programme Management Office      1%
  Outsourced IT supplier           1%
  Compliance Officer               1%

WHO MANAGES IT BUSINESS RISK ON A DAILY BASIS IN YOUR ORGANISATION?
  IT Manager                      40%
  Senior IT Manager               23%
  Line of Business Manager        19%
  CIO/Head of Technology          16%
  IT Director                     16%
  Outsourced IT supplier          12%
  Programme Management Office     12%
  Compliance Officer              11%
  CFO                             11%
  Chief Risk Officer              10%
  Nobody                           8%
  CEO                              4%
  Other                            3%

IN WHICH PARTS OF THE BUSINESS ARE OPERATIONS MOST VULNERABLE TO IT FAILURE?
  Supply chain/logistics              32%
  Customer Service                    24%
  Production                          23%
  Finance                             22%
  Sales                               20%
  New product/service development     20%
  General Management                  18%
  Marketing                           10%
  Compliance                          10%
  Human Resources Management           7%
  Other                                4%

HOW DEPENDENT ARE EACH OF THESE TYPES OF BUSINESS OUTCOMES ON IT?
(Scale of 1 to 5: 1 = no dependence on IT, 3 = some dependence on IT, 5 = heavy dependence on IT; percentage of respondents at each point)
                                                              1      2      3      4      5
  Ability to merge with or acquire other businesses          13%    14%    27%    28%    19%
  New product introduction or innovations                    10%    14%    25%    29%    22%
  Entry into new geographical markets or customer segments   11%    17%    33%    24%    15%
  Reduce cost of operations                                   2%     8%    23%    38%    29%
  Customer satisfaction                                       4%     9%    28%    33%    25%
  Regulatory compliance                                       5%    13%    32%    25%    25%

WHICH ARE THE MOST FEARED BUSINESS OUTCOMES OF IT FAILURE WITHIN YOUR ORGANISATION?
  Revenue loss                                                            43%
  Loss of customers                                                       40%
  Reputation or brand damage from publicly recognised service failures    30%
  Unanticipated business expenses (eg, to repair or replace systems)      19%
  Not making planned cost savings                                         18%
  Delayed launches of new products/services                               11%
  Legal claims (eg, from customers, shareholders)                         10%
  Regulatory challenges arising from compliance failures                   8%
  Failure to integrate businesses or departments in M&A situations         6%

WHICH OF THE FOLLOWING IT INITIATIVES ARE MOST CLOSELY LINKED TO DRIVING BUSINESS OUTCOMES IN YOUR COMPANY?
  Enterprise application deployments (ERP/CRM)   35%
  SOA/Web Services                               26%
  Centralisation/Consolidation                   26%
  Security                                       19%
  Business Service Management                    18%
  Quality Assurance                              18%
  Outsourcing                                    16%
  IT Governance                                  13%
  Performance Management                         13%
  ITIL/ITSM                                       9%

WHICH OF THE FOLLOWING IT INITIATIVES ARE INTRODUCING THE MOST IT BUSINESS RISK INTO YOUR ORGANISATION?
  Security                                       36%
  SOA/Web Services                               29%
  Outsourcing                                    28%
  Enterprise application deployments (ERP/CRM)   22%
  Quality Assurance                              14%
  Business Service Management                    13%
  Centralisation/Consolidation                   13%
  IT Governance                                  13%
  ITIL/ITSM                                      10%
  Performance Management                         10%

APPROXIMATELY WHAT PERCENTAGE OF IT INITIATIVES UNDERTAKEN IN YOUR COMPANY OVER THE PAST TWO YEARS HAVE HAD POSITIVE BUSINESS OUTCOMES (A POSITIVE IMPACT ON THE COMPANY'S BUSINESS)?
  % of IT initiatives    % of respondents
    0%                       2%
   10%                       7%
   25%                      19%
   50%                      26%
   75%                      35%
  100%                      11%

WHEN IT INITIATIVES HAVE FAILED TO PRODUCE THE EXPECTED BUSINESS OUTCOMES IN YOUR COMPANY, WHAT HAVE BEEN THE PRIMARY FACTORS?
  Project management (including resource and budget management)                                     28%
  Business requirements definition                                                                  24%
  Deployment or rollout issues                                                                      19%
  Poor quality software/technology                                                                  17%
  Business environment change                                                                       12%
  Quality assurance (functional, integration, and system testing)                                   12%
  Development issues (design/architecture issues, code quality/developer testing, etc.)             12%
  Requirements governance (ie, scope creep)                                                         11%
  Change management                                                                                 11%
  Outsourcing/offshoring failure                                                                    10%
  Production application/service management                                                         10%
  Security                                                                                           9%
  Performance assurance (load/performance testing, application/system diagnostics & tuning)         7%

WHAT MANAGEMENT TECHNIQUES OR STRUCTURES DOES YOUR BUSINESS EMPLOY TO MANAGE IT BUSINESS RISK?
  Programme/project management office      45%
  Service level management                 43%
  Dedicated security team                  38%
  Formal change management                 34%
  Centralised quality assurance function   33%
  Portfolio management                     27%
  IT demand management                     27%
  Formal process framework                 25%

IN WHICH REGION ARE YOU PERSONALLY BASED?
  EMEA           42%
  Asia-Pacific   28%
  Americas       30%

IN WHICH COUNTRY ARE YOU PERSONALLY BASED?
  EMEA: Belgium 2%, Denmark 2%, Finland 2%, France 6%, Germany 7%, Israel 2%, Italy 5%, Netherlands 3%, Spain 3%, Sweden 3%, UK 7%
  Americas: Brazil 2%, Canada 2%, Mexico 2%, United States 23%
  Asia-Pacific: Australia 4%, China 4%, Singapore 4%, Japan 4%, Korea 4%, India 4%, Hong Kong 3%, Malaysia 3%

WHAT IS YOUR COMPANY'S PRIMARY INDUSTRY?
  Manufacturing                             21%
  Retail, distribution or transport         21%
  Finance                                   12%
  Business Services                         10%
  Government/Public Sector                   8%
  Utilities or telecoms                      7%
  Technology                                 7%
  Pharmaceuticals & Chemicals                6%
  Materials Handling (Oil & Gas; Mining)     6%
  Construction                               2%

WHAT ARE YOUR ORGANISATION'S GLOBAL ANNUAL REVENUES IN US DOLLARS?
  $500m or less                    29%
  More than $500m up to $1bn       28%
  More than $1bn up to $5bn        17%
  More than $5bn up to $10bn        8%
  Over $10bn                       12%
  Not applicable                    6%

HOW MANY EMPLOYEES WORK FOR YOUR IT DEPARTMENT GLOBALLY?
  Between 50 and 100               48%
  More than 100 up to 250          18%
  More than 250 up to 500          13%
  More than 500 up to 1,000        10%
  Over 1,000                       11%

© 2006 Mercury Interactive Corporation. Patents pending. All rights reserved. Mercury Interactive, Mercury, the Mercury logo, and Mercury BTO Enterprise are trademarks of Mercury Interactive Corporation and may be registered in certain jurisdictions. All other company, brand, and product names are marks of their respective holders.
MANAGING IT BUSINESS RISK: SAFEGUARDING THE ORGANISATION FROM IT FAILURE. A survey and white paper produced in co-operation with the Economist Intelligence Unit.