Risk Management
Accredited Consulting Service for Dr. Shamsuddin PhD MSc BSc Accredited Senior Consultant (ASC)
The Appleton Greene Accredited Consultant Service (ACS) for Risk Management is provided by Dr. Shamsuddin and provides clients with four cost-effective and time-effective professional consultant solutions, enabling clients to engage professional support over a sustainable period of time, while being able to manage consultancy costs within a clearly defined monthly budget. All service contracts are for a fixed period of 12 months and are renewable annually by mutual agreement. Services can be upgraded at any time, subject to individual client requirements and consulting service availability. If you would like to place an order for the Appleton Greene Risk Management service, please click on either the Bronze, Silver, Gold, or Platinum service boxes below in order to access the respective application forms. A detailed information guide for this service is provided below and you can access this guide by scrolling down and clicking on the tabs beneath the service order application forms.
Bronze Client Service
Monthly cost: USD $1,500.00
Time limit: 5 hours per month
Contract period: 12 months
SERVICE FEATURES
Bronze service includes:
01. Email support
02. Telephone support
03. Questions & answers
04. Professional advice
05. Communication management
Silver Client Service
Monthly cost: USD $3,000.00
Time limit: 10 hours per month
Contract period: 12 months
SERVICE FEATURES
Bronze service plus
01. Research analysis
02. Management analysis
03. Performance analysis
04. Business process analysis
05. Training analysis
Gold Client Service
Monthly cost: USD $4,500.00
Time limit: 15 hours per month
Contract period: 12 months
SERVICE FEATURES
Bronze/Silver service plus
01. Management interviews
02. Evaluation and assessment
03. Performance improvement
04. Business process improvement
05. Management training
Consultant profile
Dr. Shamsuddin is an approved Senior Consultant at Appleton Greene and he has experience in information technology, management and e-business. He has achieved a Doctorate of Philosophy in Information Technology Management, a Master of Science in Project Management and a Bachelor of Science in Mathematics. He has industry experience within the following sectors: Consultancy; Banking & Financial Services; Technology; Education and Telecommunications. He has had commercial experience within the following countries: Indonesia; Thailand; The Philippines; Malaysia and Singapore, or more specifically within the following cities: Kuala Lumpur; Bangkok; Manila; Jakarta and Singapore. His personal achievements include: maintain risk exposure below budget; risk governance for software development; implement project risk management framework; IT and risk management integration and risk consulting & corporate governance. His service skills incorporate: risk management; project management; bid management; software development and training services.
Executive summary
Risk Management
Software development is part of information technology (IT) projects. IT projects use a variety of technological advancements and require high levels of knowledge. Any IT project will involve software development, whether for a standard off-the-shelf application, a custom-built application, or a mobile application. Regardless of the method used to develop the applications, whether PRINCE2 or PMBOK®, they are all part of IT projects. Software development today has the option to use the Agile Scrum method or the most commonly used System Development Life Cycle based on the waterfall method. Regardless of which method you choose, there are a number of uncertainties facing a software project. This uncertainty is known as risk. The success of a software development project depends quite heavily on the amount of risk that corresponds to each project activity. As a project manager, it’s not enough to merely be aware of the risks. To achieve a successful outcome, project leadership must identify, assess, prioritize, and manage all of the major risks. The risks may come from hardware, operating environment, database, network, people, and many other resources that make up the complete software solution. A large number of software projects have failed to meet their intended objectives due to poor risk management. A project is classified as a failed project if it fails in any of the following: delivering within budget, complying with the scope of the project, meeting the delivery schedule, or meeting the quality requirements. Our unique consulting service guides the client project team on the techniques and processes of managing risks for software development projects, regardless of which development methodology you prefer.
The goal of most software development projects is to be distinctive often through new features, more efficiency, or exploiting advancements in software engineering. Any software project executive will agree that the pursuit of such opportunities cannot move forward without risk. Because risks are painfully real and quite prevalent on all software projects, it’s critically necessary that stakeholders work hard to identify, understand, and mitigate any risks that might threaten the success of a project. For projects that have time and cost constraints, our experience shows most clearly that successful software development efforts are those in which risk mitigation is a central management activity. Very simply, a risk is a potential problem. It is an activity or event that may compromise the success of a software development project. The risk is the possibility of suffering loss, and total risk exposure to a specific project will account for both the probability and the size of the potential loss. Guesswork and crisis-management are never effective. Identifying and aggregating risks is the only predictive method for capturing the probability that a software development project will experience unplanned or inadmissible events. These include terminations, discontinuities, schedule delays, cost underestimation, and overrun of project resources.
We can classify five main risk impact areas for software development projects:
- New, unproven technologies – the majority of software projects entail the use of new technologies. Ever-changing tools, techniques, protocols, standards, and software development environments increase the probability that technology risks will arise in virtually any substantial software engineering initiative. Training and knowledge are of critical importance, and the improper use of new technology most often leads directly to project failure.
- User and functional requirements – software requirements capture all user needs with respect to the software system features, functions, and quality. Too often, the process of capturing user and business requirements is lengthy, tedious, and complex. Moreover, requirements usually change with discovery, prototyping, and integration activities. Change in elemental requirements will likely propagate throughout the entire project, and modifications to user requirements might not translate to functional requirements. These disruptions often lead to one or more critical failures of a poorly-planned software development project.
- Application and system architecture – taking the wrong direction with a platform, component, or architecture can have disastrous consequences. As with the technological risks, it is vital that the team includes experts who understand the architecture and have the capability to make sound design choices.
- Performance – it’s important to ensure that any risk management plan encompasses user and project stakeholders’ expectations on performance. Consideration must be given to benchmarks and threshold testing throughout the project to ensure that the work products are moving in the right direction.
- Organizational – organizational problems may have adverse effects on project outcomes. Project management must plan for efficient execution of the project, and find a balance between the needs of the development team and the expectations of the customers. Of course, adequate staffing includes choosing team members with skill sets that are a good match for the project.
There are many types of risks facing a project, some of which can be controlled while others need a plan to mitigate them. Prior to managing and controlling these risks, a project team must have the knowledge and experience to identify them at the early stage of the project, whether they are risks that everybody knows about or potential threats that the team has no experience in handling. The project team needs to compute the cost of each of these risks and feed this data into the project budget so the project sponsor and the executive management committee are fully aware of this cost. If the cost of risks is not known, then the projected project profitability developed during the project initiation stage is inaccurate.
Poor risk management, lack of knowledge and experience in the identification and quantification of the risks affecting a software development project, and the shortfall of the required expertise are some of the shortcomings facing IT organizations today. These are the fundamental issues that have contributed toward many failed projects since the early 1990s and are still happening today. Failed projects are projects that do not meet the scope, cost, schedule, and quality requirements defined by the business user.
The objective of performing risk management for IT software projects is to enable your organization to accomplish its mission by:
- Better securing the IT software projects that store, process, or transmit organizational information;
- Reducing the number of failed projects through the establishment of a risk governance structure for IT software projects;
- Implementing project risk management processes that will support IT project team in the configuration of risks across the respective phases of the software development life cycle;
- Enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;
- Assisting management in authorizing the IT software projects on the basis of the supporting documentation resulting from the performance of risk management;
- Implementing a structured budgeting framework for IT software projects in order to ensure that all high impact risk activities will be identified for tracking and accounting purposes;
- Providing training to the project team including the techniques of calculating project risks with the aid of a risk management tool;
- Identifying the risk and its associated cost which includes inflation charge, project liabilities, and contingencies;
- Monitoring and continuous reporting to risk management committee.
Service Methodology
The consulting services focus on managing risk for IT software projects that adopt the methods defined in the software development life cycle (SDLC). We shall embed the risk management processes into the SDLC processes, which will allow the project team to act on, monitor and control risks throughout the various phases of the software development life cycle. The SDLC comprises six phases, and the methods used to achieve the service objectives are discussed for each phase below.
System Initiation phase is the first phase of any software project, where the risks are highest because known and unknown threats are likely to hit the project. The business case and proposed solution developed during the project origination phase are re-examined to ensure that they are still valid and address an existing organizational need. This validation effort provides the project team with the opportunity to discover the list of risks that may arise should the business team decide to proceed with the proposed solution. The primary focus is to develop the initial project plan, produce a preliminary budget, define the scope of the project, and develop a high-level project schedule. At this stage, we shall conduct risk planning activities and develop the risk management plan as the formal framework for risk management activities throughout the rest of the project.
System Requirement phase in which the needs of the business are captured in as much detail as possible. At this stage, the project manager has completed definition of some risks based on input from project business case. The project manager leads the project team to define what it is that the new system must do. By obtaining a detailed and comprehensive understanding of the business requirements, the project team can develop the functional specification that will drive the system design. Investment increases during System Requirements phase due to engagement of human resources to develop the project team and to produce the project management plan and project communications plan. During this phase, we shall conduct risk identification process to identify the list of risks and assist the project team in the development of the Risk Register.
System Design phase which builds upon the work performed during system requirements phase, and results in a translation of the functional requirements into a complete technical solution. This phase dictates the technical architecture, standards, specifications and strategies to be followed throughout building, testing, and implementation of the system. The completion of system design also marks the point in the project at which the project manager should be able to plan, in detail, all future project activities including the system testing and system acceptance plan. At this stage, we shall conduct an assessment of all risks using qualitative and/or quantitative techniques to identify the high impact risk, prioritize them and update the risk register. This includes high impact risks and contingencies that will impact development work during system development phase.
System Development phase where the project team builds and tests the various modules of the application, including any utilities that will be needed during System Testing and Acceptance phase. As system components are built, they will be tested both individually and in logically related groupings until such time when a full system integration testing will be performed to validate functionality. We will work with the project team to ensure that the development environment is secure, and there is no exposure that can be considered a major threat to the environment. The high impact risks identified in the system design phase will be closely monitored to ensure that they will not cause problems to the development effort. In cases where a particular risk occurred, the mitigation plan will be executed together with the appropriate risk response strategy. The risk monitoring and control activities will be extended into the System Testing and Acceptance phase as part of the validation cycle until the component is accepted by the end user.
System Testing and Acceptance during which the focus of system validation efforts shifts from those team members responsible for developing the application to those who will ultimately use the system in the execution of their daily responsibilities (the end users). This is the critical phase of the system development life cycle where all the components of the applications will be tested together following the system test plan developed during the system design phase. This process is commonly called the system integration testing (SIT). Any component that failed during SIT will be sent back to the development team for rectification and these components will be re-tested until they are error-free. One of the common risks facing SIT is the execution of testing activities that are dependent upon the result of another test that precedes them. Other risks include the readiness of the SIT environment, migration of test data, the need for the technical configuration of the computer system to be identical to the production environment, and much more. This phase also includes user acceptance testing (UAT), which is the testing of the functional components of the system by the business users. A dedicated UAT environment needs to be installed prior to undertaking user acceptance testing. In addition to confirming that the system meets functional expectations, activities are aimed at validating all aspects of data conversion and system deployment.
System Implementation phase is the final phase of the SDLC which comprises all activities associated with the deployment of the application to the production environment. These efforts include installation of the system in a production setting and transition of ownership of the application from the project team to the customer. The final process is the closure of a project that should include contract closure, risk closure, and administrative closure. Contract closure ensures that all of the deliverables and agreed upon terms of the project have been completed and delivered so that the project can end. It allows resources to be reassigned and settlement or payment of any account, if applicable.
Service Options
Companies can elect whether they just require Appleton Greene for advice and support with the Bronze Client Service, for research and performance analysis with the Silver Client Service, for facilitating departmental workshops with the Gold Client Service, or for complete process planning, development, implementation, management and review, with the Platinum Client Service. Ultimately, there is a service to suit every situation and every budget and clients can elect to either upgrade or downgrade from one service to another as and when required, providing complete flexibility in order to ensure that the right level of support is available over a sustainable period of time, enabling the organization to compensate for any prescriptive or emergent changes relating to: Customer Service; E-business; Finance; Globalization; Human Resources; Information Technology; Legal; Management; Marketing; or Production.
Service Mission
To increase the rate of success particularly for software development projects through the establishment of the project risk governance structure at the system initiation phase of the software development life cycle. To introduce and implement a structured project risk and costing framework in order to ensure that all cost drivers will be identified and captured at the end of the system requirements phase of the software development life cycle. To introduce and implement project risk management processes in the client organization that will support client IT project team in the configuration of risks across the respective phases of the software development life cycle. To guide the project team on the techniques of calculating project risks with the aid of a custom-design tool, how to quantify the cost of handling each of these risks, what is the maximum risk a project can absorb, and how to balance the risk in order to stay within the project budget. To guide the project team in the development of the IT Risk Management plan for official tracking and reporting, during the system development phase of the software development life cycle. To ensure appropriate and continuous monitoring of risk to be conducted during system development and system acceptance phase of the software development life cycle.
Areas of focus for future consulting services: Provide risk management training to information technology personnel prior to the start of their duties or their participation; these include project managers, project team members, and representatives from the client business team who are involved with projects; Ensure that the client induction program for all new hires to be deployed on information technology projects has a risk education component that articulates their duty of care. Ensure that all committee members attend induction and, if possible, attend more comprehensive risk education or training; Train and coach the client project team in the structured process of defining and computing the risks affecting the project, including labor, material, product licenses, expenses, liabilities, and contingencies.
Service objectives
The following list represents the Key Service Objectives (KSO) for the Appleton Greene Risk Management service.
- Risk Planning
The objective of risk planning is to produce the risk management plan, a document that defines the framework for the risk management activities that are to be conducted by the project team throughout the respective phases in the system development life cycle. The risk management plan lays down the groundwork for how risk management will be carried out in a project. It serves as guidance for the risk process, its thresholds, and its formats, and defines the roles and responsibilities of stakeholders in governing the risk activities. It is notable that the risk management plan is not a listing of specific risks and is not used to establish the particular strategies for risks once they are identified. The risk management plan is shared with project stakeholders to clarify their roles and responsibilities in the risk management process and to identify when specific potential risks are truly of concern to the organization. It also outlines the risk budgeting process, detailing how and when risk contingency funds may be allocated and applied. There are a number of steps involved in the development of the risk management plan. It is easier to start from a risk management plan template that includes the organization policies and the risk tolerance level of the stakeholders. The first step begins with having a firm commitment to the entire risk management approach from all project stakeholders. This commitment ensures that adequate resources will be in place to properly plan for and manage the various risks of the project. These resources may include time, people, and technology. Based on the size, impact, and priority of the project, a budget may need to be established for the project risk management activities. A project with high priority and no budget allotment for risk management activities may face uncertain times ahead. A realistic dollar amount is needed for risk management activities if the project is to be successful.
The roles and responsibilities identify the groups and individuals who will participate in the leadership and support for each of the risk management activities within the risk management plan. The duties of project steering committee, project manager, and the project team must be clearly defined. Responsibilities may include information on who will identify risks, as well as who should evaluate them and develop strategies for those that are of the greatest significance. Stakeholders also must be committed to the process of identifying, analyzing, and responding to threats and opportunities. Too often plans are disregarded at the first sign of trouble, and instinctive reactions to situations can lead to perpetual crisis management. In addition to commitment, risk planning also focuses on preparation. It is important that resources, processes, and tools be in place to adequately plan the activities for project risk management. Systematic preparation and planning can help minimize adverse effects on the project while taking advantage of opportunities as they arise. The risk management process needs a schedule to determine how often and when risk management activities should happen throughout the project. If risk management happens too late in the project, then the project could be delayed because of the time needed to identify, assess, and respond to the risks. A realistic schedule should be developed early in the project to accommodate risks, risk analysis, and risk reaction. A clearly defined scoring system and interpretation of the scoring system must be in place. Altering the scoring process during risk analysis or from analysis to analysis can skew the seriousness of a risk, its impact, and the effect of the risk on the project. The project manager and the project team must have clearly defined scores that will be applied to the analysis to ensure consistency throughout the project. 
The risk management plan shall include detail on the frequency of risk identification, assessment, and response development, as well as the appropriate application of any tracking processes or documentation. As risk management activities are induced, they will need to be documented. The documented actions and their results will support ongoing decisions within the current project (as well as future projects) and will serve as information for management, the project team, the customers, and other stakeholders. The Risk Management Plan should provide the project steering committee with clear statements of the project risks and the proposed risk management strategies to enable ongoing management and regular review.
- Risk identification
Risk identification is the process of identifying the threats and opportunities that could occur during the life of the project along with their associated uncertainties. The life of the project means the complete life cycle of the project, not just the time the project team is in place, the time until the final acceptance by the customer, or even the end of the warranty period. Risks should be considered through the useful life of the product or service that we are providing by doing this project. The risk of corrosion causing a catastrophic product failure during the useful life of a product that we have designed and built should be considered, and corrective action should be taken in accordance with the seriousness of the threat. Risks can be identified in a large number of ways, and all of the productive and economical ways should be employed. We shall start with recognizing the areas of the project where the risks can occur. This means that we will have to investigate the following areas: Scope – we must look at the work of the project. The work breakdown structure (WBS) will be useful here. The project scope must be clearly defined in terms of both the deliverables and the work that must be done to deliver them. Errors and omissions on the part of the project team and the stakeholders must be minimized. As always, the WBS will be very helpful in doing this; Schedule – estimates for the duration of the project and the duration of the project tasks must be done accurately and reliably. The sequence of work must be identified, and the interrelationships between the tasks must be clearly defined; Cost – estimates for tasks must be done accurately and reliably. All associated costs must be considered and reported accurately. Life-cycle costs should be considered as well as maintenance, warranty, inflation, and any other costs; Customer expectations – estimates of project success must be considered in terms of customer needs and desires. The ability of the project to be scaled up or manufactured in different quantities or for different uses and sizes must also be considered; Resources – this involves the quantity, quality, and availability of the resources that will be needed for the project. Skills must be defined in the roles that will be necessary for the project; Organization – this is the ability to interface with the stakeholder’s organization in terms of communications and knowledge.
The Risk Management plan developed earlier will be the primary input into this process; many people both inside and outside the project will also be useful input into this process. This includes input not only from the project team and all of the stakeholders but also from project managers who have managed this type of project before and even consultants who have special expertise about certain kinds of risks. It may be necessary to organize the types of risks into categories so that separate teams of people can be brought together more efficiently. Many of the risks that will affect the project are risks that have happened in one form or another on other projects of this type. Utilizing the information available in the previous project’s lessons-learned documents will be very helpful in identifying risks for this project. An organized review of past projects should be done as part of the risk identification process. Since much of the risk identification process will involve large numbers of people, formal group dynamics techniques should be used. It is, therefore, important that the project manager and team guide the risk management process. Risk identification should include the project team and other stakeholders who are familiar with the project’s goal and objectives. Using one or more of the following tools, the project risk framework introduced earlier in this course can provide direction for identifying the threats and opportunities associated with the project.
Tools and techniques that will be applied to this process include brainstorming, Delphi technique, SWOT analysis, interviewing, and Ishikawa diagram.
- Risk Assessment
The framework introduced in the previous section provides tools for identifying and understanding the nature of risks to projects. The next step requires that those risks be analyzed to determine what threats or opportunities require attention or a response. Risk assessment provides a systematic approach for evaluating the risks that the project stakeholders identify. The purpose of risk assessment is to determine each identified risk’s probability and impact on the project and prioritizing them so that an effective risk strategy can be formulated. In short, which risks require a response? To a great degree, this will be determined by the project stakeholders’ tolerances to risk. Risk assessment is the process of evaluating the risks that have been identified and developing the data that will be needed for making decisions as to what should be done about them. Risk management is done from very early in the project until the very end. For this reason, the qualitative analysis should be used at some points in the project, and quantitative techniques should be used at other times. The objective of risk assessment is to establish a way of arranging the risks in the order of importance. In most projects, there will not be enough time or money to take action against every risk that is identified. The severity of the risk is a practical measure for quantifying risks. Severity is a combination of the risk probability and the risk impact. In its simplest form, the risks can be ranked as high and low severity or possibly high, medium, and low. At the other extreme, the probability of the risk can be a percentage or a decimal value between zero and one, and the impact can be estimated in dollars. When the impact in dollars and the probability in decimal are multiplied together, the result is the quantitative expected value of the risk.
There are two basic approaches to analyzing and assessing project risk. The first approach is more qualitative in nature because it includes subjective assessments based on experience or intuition. Quantitative analysis, on the other hand, is based on mathematical and statistical techniques. Each approach has its own strengths and weaknesses when dealing with uncertainty, so a combination of qualitative and quantitative methods provides valuable insight when conducting risk analysis and assessment.
- Risk Strategy
It is not feasible or advisable to respond to each and every threat identified, because avoiding all threats requires resources to be diverted away from the real project work. Furthermore, the cost that needs to be allocated for contingencies and mitigations will reach the point where it will not make any sense to justify the implementation of the project. Risk strategies are the responses we can make in dealing with the risks we have identified and quantified during risk assessment. In the section on risk quantification, we discussed evaluating the risk in terms of its impact and probability in such a way that we would be able to rank risks in their order of importance. This is what we called severity, the combination of impact and probability. Risk response strategy is really based on risk tolerance. Risk tolerance in terms of severity is the point above which a risk is not acceptable and below which the risk is acceptable. There are many reasons for selecting one risk strategy over another, and all of these factors must be considered. Cost and schedule are the most likely reasons for a given risk to have a high severity. Other factors may affect our choice of risk strategy. For example, if a schedule risk is identified for a task in the project, and if this task has many other tasks depending on it, its severity may be calculated as being lower than is apparent, and the severity should be adjusted even though the schedule impact due to the disruption may be difficult to judge. The strategy should be appropriate for the risk it is intended for. The output of this process is the risk response plan, a detailed plan that describes the actions that will be taken in response to a particular risk.
It is also called the risk register and will include identified risks and descriptions, areas of the affected project, causes of identified risks, and impact on project objectives, risk owners and assigned responsibilities, results from the qualitative and quantitative risk analysis processes, agreed responses including avoidance, transference, mitigation, or acceptance for each risk in the risk response plan, the level of residual risk expected to remain after the strategy is implemented, specific actions to implement the chosen response strategy, budget and times for responses, contingency plans and fallback plans. The plan is developed through meetings with all project stakeholders, and the project sponsor signs off on it prior to approval by the project steering committee.
- Risk Control
Once the risk response plan is created, the various risk triggers must be continually monitored to keep track of the various project risks. In addition, new threats and opportunities may present themselves over the course of the project, so it is important that the project stakeholders be vigilant. The purpose of risk control is to determine whether risk responses have been implemented as planned, whether risk response actions are as effective as expected, and whether new responses should be developed. The process of monitoring and keeping track of the identified and unidentified risks is called risk control. In this process, we hope to identify risks that are no longer possible and risks that are coming due, as well as any new risks that may become evident. We will also monitor risk activity to make sure the risk plans have been carried out successfully. Problems found in the risk management plan can help us adjust the plans for future risk activities. Risk control is part of the risk management processes and must be started early in the project and continued until the end. As the project progresses, we will find that many of the risks will change: some will no longer be possible, others will happen and be disposed of, and new risks will be identified. The level of risk tolerance should be monitored as well. The attitude of the stakeholders will change during the course of the project. Communication with all stakeholders is important since it gives us a means of assessing changes in their risk tolerance. Risk control may involve changing the way we look at risk. There are several reasons why this might take place. The risk tolerance of the stakeholders may change; the risk tolerance of the project team may change. As the project progresses toward its completion, certain risks that were thought to be very important to the success of the project may become risks that are no longer thought of as being so important. 
There are several methods to control risks. They can be achieved by performing:
Project risk response audits – Risk auditors examine and document the effectiveness of the risk response in avoiding, transferring, or mitigating risk occurrence as well as the effectiveness of the risk owner. Risk audits are performed during the project life cycle to control risk.
Periodic project risk reviews – Risk ratings and priorities may change during the course of the project and may require additional qualitative or quantitative analysis.
Earned value analysis – Used for monitoring overall project performance against a baseline plan. If earned value analysis (or a comparable tool) shows a significant deviation from the baseline, updated risk identification and analysis should be performed.
Technical performance measurement – Compares technical accomplishments during project execution to the project plan’s schedule of technical achievement. The deviation can imply a risk to achieving the project’s objectives.
Additional risk response planning – May be required for unanticipated risks or for risks where the impact was greater than expected.
Achievements
Oracle
The applications consulting division of Oracle Corp Malaysia has achieved better project risk management. Senior management also benefits from knowledge of the risks associated with proposed projects through identification of areas of redundancy and inefficiency, which allows financial and human capital to be allocated more effectively. Oracle improved its operational effectiveness, where the net effect of all the activities above means governance, risk and compliance activities are directed to the appropriate people and departments. Decision-making by the pre-sales support team improved drastically after applying the knowledge of the risks involved in a project. The knowledge gained from the training and coaching improved their assessment of contingencies, so that contingencies actually reflect the risks and tend to discourage the acceptance of financially unsound projects. The overall performance, with a reduction in costs, contributed to the overall return on investment gains represented by effective governance and risk compliance activities.
IBM
The IBM Malaysia professional services division has achieved improvement in risk assessment and an increased understanding of the project risks, which in turn leads to the formulation of more realistic plans in terms of both cost estimates and project delivery schedule. One of the remarkable achievements is higher quality information, achieved through integrating governance and risk information, which allows management to make intelligent decisions more accurately and rapidly. Incorporating risk management as an important function of project governance provided the project team with a framework for accurate budgeting, where the cost of all expenses, including allocation for contingencies associated with project risks, can be easily accounted for, hence reducing unnecessary wastage during the budgeting process. Statistical information contributes to the build-up of historical information on risks that will assist in the modeling of future projects.
Hewlett Packard
The Hewlett Packard outsourcing services division has achieved higher quality information through integration of governance and risk information, which allows management to make intelligent decisions more rapidly. Disaster recovery services is a risky business. Disaster recovery, one of the business portfolios of HP outsourcing services, comprises a number of business processes that are delivered to the customer in the form of a service. Each service process carries a risk, and these risks are minimized through process optimization. The non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation, so that these risks are reduced significantly. Lower costs contribute to the overall return on investment gains represented by effective governance and risk compliance activities. Risk assessment improved, with an increased understanding of the risks impacting the disaster recovery services, which in turn leads to the formulation of more realistic service delivery plans in terms of both cost estimates and project schedule.
RHB Bank
The RHB Bank IT division has achieved significant benefits from the application of risk management processes in its IT transformation projects, one of which was the contact center and electronic banking services project. Opportunities exist to transform governance, risk and compliance programs to realize cost savings and improve mission and business performance. RHB Bank IT has achieved successful results by shifting its risk management focus to a cross-functional approach aligned to strategic risks and business performance measures. RHB Bank focuses on standardizing governance, risk and compliance processes to enhance decision making and avoid unnecessary costs. It also embraced governance, risk and compliance technology to execute processes effectively and efficiently. Effectiveness improved, where the net effect of all the activities above means governance, risk and compliance activities are directed to the appropriate people and departments. RHB Bank achieved cost reduction in internal and external risk activities, including monitoring and remediation. It also achieved a significant reduction in disruption to the business and an improvement in business performance and innovation via value-based risk management.
CIMB Bank
CIMB Bank achieved significant benefits from the implementation of program risk management. Program risk management has brought a positive impact to the bank with a number of benefits, including reduced contingency budgets, the ability to focus resources on top risks for the program and not just for individual projects, identifying inconsistencies, identifying systemic risks, and, last but not least, cost savings by mitigating risks at program level. The viability of a project and the cost of its risks were easily assessed via this tool, which helped the IT project team manage and control project expenditure, reduce wastage and increase accuracy in the budgeting process. By implementing risk management processes in the information technology division, CIMB Bank achieved success by minimizing and eliminating negative risks so projects can be completed on time. This enables the bank to meet its budget and fulfill its targeted objectives. Formerly, without risk management strategies in place, projects were exposed to problems and became vulnerable. Effective risk management strategies helped the bank to maximize profits and minimize expenses on activities that do not produce a return on investment.
More detailed achievements, references and testimonials are confidentially available to clients upon request.
Industries
This service is primarily available to the following industry sectors:
Consultancy
Companies offering consultancy services in various areas of the industry, including engineering, construction, information technology, banking and financial services, have enjoyed good revenues and remained profitable in recent years in comparison with other services sectors. Taking a closer look at IT consultancy services for software project development, for example, there exists a high demand for experienced IT consultants with skills as a solution architect, project manager, business analyst, risk consultant, and much more. The customer does not want to invest in human capital because the skill set is only required for the duration of the project. The majority of the resources are no longer required after completion of the project. There will always be demand for these professionals regardless of the industry sector as long as customers are embarking on new IT related projects or replacing old systems with fresh technologies. Companies that operate globally are the ones that are heavily dependent on external consultants for project implementations. Cost-savvy companies usually engage a dedicated risk consultant to work alongside a project manager, so that the project team remains focused on delivering the project deliverables and leaves the responsibilities of managing threats to the risk consultant. The risk consultant will support the project team in the preparation of the risk management plan, monitoring and responding to risks based on the plan, reporting, and escalation to senior management where appropriate. The trend of recruiting a dedicated risk consultant for the project-related role started in early 2000, and this trend is going to continue beyond 2020.
Banking & Financial Services
The shift towards more intrusive, fragmented and data-intensive regulatory regimes requires firms to push the envelope to achieve economies of scale, operational consistency, and transparency to be embedded as much as possible in financial services business models. Alongside the weight of industry reform focused on risk, capital, and compliance requirements, financial institutions face a new world where the forces of industrialization and innovation intermingle, set against potential fallouts from the recent tide of identity politics around populism and nationalism. Project risks are now important considerations for risk managers. Not immune to the broader cost reduction agenda, risk and compliance functions are required to align to a bank’s strategic responses and contribute to firm-wide efficiency and cost-cutting targets, with the near-term focus on keeping regulators at bay and keeping the lights on. More financial institutions are pursuing efforts to reduce inefficiencies in risk and compliance activities and to optimize an institution’s total cost of risk. The “industrialization of supply chains”, which includes risk data, risk models, and information production and reporting processes, will require firms to invest in emerging innovations, technologies, IT paradigms, and financial technology partnerships in order to achieve a meaningful step change. There has been constant pressure to reduce operational cost and wastage. Banks are continuously moving toward digital banking services, anything that can offer cheaper operating cost and increase profitability. Risk and compliance is one of the areas where these costs can be reduced, specifically project liabilities and ongoing maintenance charges for applications licensing and upkeep of storage and computing devices. Information technology projects are their primary focus since IT spending has been on the rise since the introduction of several technologies associated with mobile devices. 
The demand for risk management consulting services has been increasing steadily in recent years, and this positive outlook will continue to grow in parallel with the advancement of information technology.
Technology
Information technology is another term for computing, which is the use of computers and other devices for exchanging, retrieving, storing, and networking of electronic data. Information technology consultants advise companies of all sizes, from startups to large international corporations, on the fastest, most efficient, and cost-effective information technology systems for their business. The specialty areas that information technology consultants may focus on include hardware, software, networks, communications, and web design, among others. The IT consulting industry consists of companies that offer IT specialized consulting services that include business process management, project management, risk management, as well as other business services to technology companies. The specific products of the IT consulting industry are computer systems design, development, and integration; computer application design and development; information technology technical support services; IT risk management; IT network and infrastructure design; and IT technical consulting services. The state of the economy affects companies’ spending on consulting services. During the economic recession in the late 2000s, many companies tightened their budgets and held off on information technology upgrades and replacements, thus scaling back on IT consulting services. The economy has been improving over the past few years and the need for information technology consultants is on the rise. The industry’s steady growth is attributed to the strong performance from major markets such as financial services and insurance providers. The outlook from 2016 through 2021 is for demand for information technology consultants to increase due to increasing mergers and acquisitions in other industries. 
As more companies consolidate, IT risk management consultants will be needed to help with the integration of accounting, business process reengineering, information technology transformation, cloud computing, and other technology systems. Successful companies recognize that risk management is important because achieving a project’s goals depends on planning, preparation, results, and evaluation that contribute to achieving strategic goals.
Education
Businesses today must do everything possible to stay competitive and maintain a highly skilled, motivated staff. Despite today’s very competitive job market, employees often have little hesitation when it comes to searching for a new job if they become unhappy with their current employer. In order to keep employees satisfied, boost morale, and remain competitive, employers need to be aware of the need for continual employee training and education. One of the most important reasons to offer further training and education to employees is to ensure that work skills stay current. Keeping employees up-to-date with software applications, the latest thinking on logistical methods, and ways to improve efficiency are all necessary to keep businesses on a level playing field with competitors. Training is also an excellent way to retain the best employees. An unsuccessful company is one that does not keep up with trends in business, that is reluctant to change, and that has an unmotivated staff with stagnant skills. There are many training companies that provide similar training programs, e.g. soft skills training, technical skills, and leadership programs. However, a specialist and unique training program, e.g. “risk management training associated with IT projects”, will certainly attract a lot of interest. Companies are willing to invest in quality training programs that bring high value to the company’s business, increase productivity, and are targeted at developing a specific skill set for their employees. There are huge demands for custom-designed training programs that are related to business processes like risk management, project management, and quality management. The outlook for this sector is very promising; the target market is companies or corporations with an IT organization employing a minimum of 100 IT staff.
Telecommunication
The telecom sector continues to be at the epicenter for growth, innovation, and disruption for virtually any industry. Mobile devices and related broadband connectivity continue to be more and more embedded in the fabric of society today and they are key in driving the momentum around some key trends such as video streaming, Internet of Things (IoT), and mobile payments. The number of “connected things” continues to grow as mobile and “smart” device utilization and connectivity continues to expand which will ultimately shape and define the IoT space. This is a big deal for all sectors within the telecom industry including wireless and wireline/broadband carriers, network equipment, infrastructure companies, and device manufacturers who are all critical components of this key ecosystem. As the number of embedded devices that require mobile connectivity grows, telecommunications companies will be looking for opportunities to increase revenue through their core businesses such as network connectivity, sale of network equipment and devices, all of which this emerging ecosystem will require, as well as through new products and services that are enabled by these core businesses.
Carriers need to continue to focus on providing data and voice services that are high quality, reliable, and affordable. Data usage has been growing dramatically, particularly due to streaming services, and is expected to continue that path in the year ahead. Wi-Fi usage will continue to be key, especially as carriers look to offload more mobile traffic onto broadband networks (especially fiber). Operators are essentially moving away from proprietary, hardware-based network equipment to software-based network functions which should allow them to manage their networks more efficiently and effectively. Massive data consumption will continue to grow with the expansion of IoT and more streaming of content, especially video. The outlook for risk consulting services for this market is positive from 2016 for several years ahead, as the telecom sector is investing in content-based applications as its core revenue.
Locations
This service is primarily available within the following locations:
Jakarta ID
Digital transformation plays a key role in fuelling the growth of the banking industry in Indonesia. Banks started to direct their focus on implementing business support applications following the recent rise in credit risk in the country. Indonesia is the most attractive market for financial services in Southeast Asia; despite what people may think, the main attractions are not the most immediate prospects for business growth and economic growth but rather the longer-term potential of a large, growing market with current low banking penetration. The banking industry in Indonesia is undergoing a significant transformation driven by technology. Technology will be the main driver of transformation in the majority of Indonesian banks over the next three to five years. Technology is seen by many, especially mid-size banks, as a way to level the playing field with larger banks by providing new access to customers while driving down the cost of acquisition and servicing. Although traditional banking through physical branches, automated teller machines and kiosks currently accounts for more transactions than digital channels, some banks have already witnessed a shift in the last two years. In a 2015 survey, 75% said more than half their transactions were via the branch, whereas this year, it was down to 45%. In contrast, in 2015, only a quarter of transactions were made via a mobile device or over the internet, which is now up to 48%. Nevertheless, a key concern still persists in relation to the outlook for growth, as almost all bankers see credit risk as the biggest challenge to loan growth and more than one-third are either undecided or feel that NPLs will remain at the same level, according to a survey conducted by Bloomberg late last year. In order to address this situation, the banking sector is looking at new banking applications to assist in the process of credit processing with stricter controls. 
With so many solutions available in the market, the process of selecting the right software and choosing the right vendor for a successful implementation has created another problem. Which solutions offer the minimum risk? Lack of risk expertise in the information technology organization creates another problem in the process of selection and evaluation of the right solution provider. The market for risk management consultancy services, specifically in information systems project development and implementation, has seen a significant increase since early 2016. Statistics indicate that quite a number of failed software projects in recent years are due to lack of expertise in risk management. Banking and financial institutions suffered the most because of the large number of applications that they need to deploy to support their business and operations. Other sectors that are severely affected are the government ministries, where departmental support applications need to be custom-designed and developed because of their unique processes. Searching for the right ready-made software is almost impossible. The construction of any bespoke application poses major threats during the various stages of design and development. Risk management consulting services will be required across all the phases of the software development life cycle. There are several hundred banks in the country, so IT risk management consulting services in project implementations are in demand today, and that demand will continue to grow for as long as there are demands for new IT applications.
Bangkok TH
To help modernize the economy, the government has earmarked ฿27.9 billion of investment for 2017-21 in four digital areas: commerce, entrepreneurship, innovation, and content. In 2018, Thailand’s first technological innovation park is scheduled to open in Chonburi province, southeast of Bangkok. The ฿10-billion project will promote Thai tech start-ups and hopes to attract global tech companies to invest in data servers and research and development as a hub for the Association of Southeast Asian Nations member countries. The information technology industry is growing from 2017 for the next 5 years to ensure that the government’s key performance objectives are realized. Just like any other country, the country saw an increase in its aging population, which affected its growth. This opens doors to expatriates with skills and knowledge to provide technical services in strategic areas, primarily in information technology. Business-to-consumer applications are getting popular due to the increasing number of online traders and buyers annually. E-commerce through the Internet has generated great demand for expertise in web development, computer graphics and design, mobile applications, and advertising. The financial institutions are developing a secure e-commerce platform to support the increasing number of online consumers. The government provides loans to support the growing number of young entrepreneurs that require some start-up capital to design and build content-based applications. Meanwhile, more complex and large IT-based projects have been awarded by the government in recent years to major tech companies to develop the e-commerce infrastructure and to provide secure hosting platforms for small and medium enterprises. Most of these tech companies engage foreign consultants to undertake a leading role in the project, particularly in business process management, risk management, and project management. 
The scope of consulting services needs to focus on business process management associated with IT risk governance specifically for software development, bid management, implementation of project risk management methodology, provision of consultancy services for IT and risk management integration, and training associated with the risk management processes specifically for software project management.
Manila PH
IT transformation has been the theme of the outsourcing market since the start of 2016. More end users have been engaged in outsourcing projects in 2016 because of the need to consolidate resources and scale down IT infrastructure cost. Hosted services have been driving the growth of the overall outsourcing market. SMEs are more conventional in their ICT priorities, focusing on the improvement of their basic infrastructure, while large enterprises are taking into account the enhancement of new technology requirements, hence more project-based (e.g. Systems Integration (SI) and IT consulting) and managed services (e.g. data center outsourcing) opportunities. Project-oriented services, as a proportion of total services spend in the country, increased. This can be attributed to the demand for consulting and systems integration services for data center deployments, the movement to cloud, and the need for Big Data and analytics-centric projects. Enterprises are increasingly opting for outsourcing to reduce costs, have faster service delivery, better manage their finances, and integrate business processes easily. Furthermore, growth was enhanced by the expansion of global BFSI and manufacturing companies. As a result, there was an increased demand for colocation services, server hosting, and cloud-based services. SIs in the Philippines are very traditional and still hardware-centric. Most SIs are still transitioning to becoming solutions providers, and some have just started infusing 3rd Platform technologies in their products. In addition, they plan to expand outside of Metro Manila and to other regions like ASEAN and North America. Key promotion and pricing strategies are tied with the principals for most of them. Some end users are in wait-and-see mode in terms of technology adoption, but they prefer vendors that they trust and work with. 
One of the strategies is to work with local system integrators that have over the years established strong connections with end users in the financial services, telecommunications, and manufacturing industries. Leading IT vendors like IBM, HP, and Oracle have established a strong presence in this country with local partners. Questronix, Fountainhead Technologies, Jupiter Systems, and AMTI are some of the best names in the local IT industry. There is a huge market for risk management consultancy services in association with IT projects, either directly working with customers or via system integrators.
Kuala Lumpur MY
The Malaysian ICT market is going through a lot of changes and will gain momentum. Capabilities will be built in digital content, software development and testing, Internet of Things (IoT), data centers and cloud services, cyber security and big data analytics (BDA). The Government has taken a special interest in developing the Internet of Things (IoT) sector, which has resulted in several market partnerships. The commercialization of ‘smart city’ infrastructure, applications, and services such as smart highways, intelligent traffic management systems and advanced energy management systems is expected to drive IoT adoption across key social and economic sectors. Over the last five years, the data center industry has grown rapidly to support 26 data center service companies and nearly 200 specialized service providers capable of providing affordable, scalable and high-quality remote data storage and retrieval services to the growing numbers of multinational corporations looking to establish regional headquarters in the country. Cloud computing is expected to gain momentum with growing investments in data centers and ICT infrastructure in Malaysia. Multimedia Super Corridor (MSC) Malaysia has named cloud computing as the most important of its top 10 strategic technology priorities. The government hopes that adoption of cloud computing, building on the national broadband initiative, could accelerate Malaysia’s development into an advanced economy. In Malaysia, Software-as-a-Service (SaaS) has the highest adoption of cloud computing followed by Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). Hybrid Clouds remain the dominant form of deployment by enterprises and this model has been recognized by service providers as a key growth market. 
While the adoption of cloud computing offers multiple potential benefits, there are also concerns regarding bandwidth consumption, lack of maturity of cloud environments, latency, data security and privacy guarantees from service providers. The Ministry of Science, Technology, and Innovation (MOSTI) identified R&D in cyberspace security as a critical issue for the continued development of its IT and telecoms sectors. MOSTI stated the imperative of reducing the vulnerability of critical infrastructures such as power grids, air traffic control systems, military and financial systems. More focus will be given to key areas such as secure communications to protect the confidentiality and integrity of information during transmission and storage, high availability systems to ensure continuous and uninterrupted operations of critical IT software projects, network surveillance to detect and respond to incidents of system disruption, secure access to protect the ICT system from unauthorized entry, and system integrity controls to ensure that a system and its data are not illicitly modified or corrupted. These changes in growth are attributed to the move from traditional computers to smaller ICT devices and wearable gadgets, the increasing amount of real-time and interactive multimedia content supported by mobile technology, the rising popularity of cloud computing, Big Data Analytics, software-as-a-service (SaaS), social media applications, Internet of Things (IoT) and wearable technology, the integration of systems and processes and ICT services by and with the people and institutions and service providers. Currently, its share of gross domestic product (GDP) is 17.3 percent (USD 62 billion in current prices) in 2016. Despite the slower economy in 2016, the ICT industry registered 14.2 percent growth, based on the 12.5 percent growth that the industry experienced in 2015. 
The outlook for consultancy services remains bullish, specifically in risk management associated with cloud computing projects, Internet of Things (IoT) projects, e-commerce, and security systems.
Singapore SG
Despite Singapore’s low unemployment rate, skills challenges exist in a number of key growth industries as a result of the ongoing structural changes in the economy and the impact of disruptive technologies. The industries in Singapore most in need of skilled workers include the information and communications technology sector, which currently employs about 150,000 workers. The government forecasted that by 2017, the ICT industry will require an additional 15,000 workers, particularly in the areas of cyber security, data analytics, software development and network infrastructure, a number that could rise to 30,000 by 2020. A lack of necessary work experience and specialist skills, and the perceived uncompetitive pay, are the main reasons why engineers are shunning the industry. The skills gap is set to widen as Singapore moves towards an innovation-driven economy, especially in newer engineering fields like robotics and digital manufacturing. The outlook for ICT services, particularly in risk management, looks promising from 2017 onwards because the business processes and methodology will be applied across any of the ICT program initiatives, i.e. cloud computing, Internet of Things, security applications, and data center services. The government is considering moderating the pace of change in targeting new sectors for growth. Industries will be given time to mature, to gain scale and depth, and to achieve international competitiveness. This would also allow time for skilled workers to keep up with changing demands. Given the dynamic nature of Singapore’s economy, demand for specialist services continues to grow, specifically for resources with specialized skills in project and risk management, evaluation of risks in software projects, risk governance, and the implementation of risk and compliance processes. Most technology companies and software houses are competing with one another to obtain the best-skilled resources.
Banking and financial institutions face the same situation: a lack of qualified and skilled IT resources has affected their plans to transform into full-fledged digital banking. There are many opportunities for experienced professionals in areas related to IT project management and risk management. The value to be derived from the investments in these new digital technologies needs to be assessed, including technological risks and operational risk after implementation. An understanding of risk and the application of risk assessment methodology is essential to being able to efficiently and effectively create a secure computing environment. Unfortunately, this is still a challenging area for information professionals due to the rate of change in technology, the relatively recent advent and explosive growth of the Internet, and perhaps the prevalence of the attitude that assessing risk and identifying the return on investment is simply too hard to do. It is vital to manage risks to systems. Understanding risk, and in particular, understanding the specific risks to a system, allows the system owner to protect the information system commensurate with its value to the organization. The fact is that all organizations have limited resources and risk can never be reduced to zero. So, understanding risk, especially the magnitude of the risk, allows organizations to prioritize scarc