Information Technology Risks
Measuring Risks for IT Projects
Risk management is an organized method of identifying and measuring risk and of developing, selecting and managing options for handling it. Payoffs and cost estimates are typically uncertain. The types of risks in an IT project include:

a. Schedule and cost risks
b. Technical obsolescence
c. Dependencies between a new project and other projects or systems
d. Monopoly creation for future procurements
e. Implementation procedures and rules
f. Inadequate funding

IT investment decisions are among the most complex of any investment decisions because of rapid technological change, dynamic cost relationships, and often-unclear benefits. IT exists in an environment of uncertainty, and applying traditional investment methodologies may ignore key variables and lead to poor decisions. IT risks can be classified as follows (Engemann & Miller, 1999):

1. Disaster recovery: The risks concerned with maintaining business continuity, e.g. servers and telecommunications not operating as planned, technological obsolescence, software not performing as expected, incidents of software failure.

2. Information security: The risks associated with information security.

Investments in IT are subject to higher risks than any other capital investments for several reasons.
First, the components are comparatively fragile in terms of machine breakdown, hard disk crashes and the ability to survive a disaster. Second, an information system is likely to be the target of disgruntled workers, protestors and even criminals. It can also fall into the hands of competitors.

Finally, the decentralization of information systems and the use of distributed processing have increased the difficulty of designing, developing, managing and protecting information systems.

Another way of classifying IT risks is as follows (Wen & Sylla, 1999):

1. Physical Risks: The vulnerability of computer hardware, software, and data. Hardware can be subject to theft, sabotage and other crimes against the owners. For software, these crimes occur in three ways: piracy, deletion and alteration. Both hardware and software are subject to the threats of natural disasters, malfunctions and obsolescence. Exposure of lost data can leak important inside information to competitors.

2. Managerial Risks: Some IT investments fail because of managerial risks in systems design, development and implementation, which involve both general management and information systems management. The managerial risks include:

· Failure to obtain anticipated benefits
· Costs of implementation that vastly exceed planned levels
· Time for implementation that is much greater than expected
· Unexpected end-user resistance or lack of interest in the system

Elements of Risk Management:

Risk management involves assessing risks, evaluating alternatives and implementing solutions:

1. Assessment: This is the identification of all potential risk areas, that is, the parts of a project where uncertainty about future events could have a detrimental effect on meeting the goals. Risk assessment continues throughout the life of the project as previous uncertainties become known and new ones arise. The decision maker responds to risks by:

1. Avoiding risks
2. Changing the likelihood of occurrence of an event
3. Reducing the losses if an event does occur
4. Assigning the risks to others

2. Estimation: This involves estimating the costs, losses and probabilities needed for the evaluation methodology. Estimates of the costs and losses are obtained via standard procedures, which rely on information contained in the organization’s MIS and on expert managerial judgment. It characterizes risk occurrence and the severity of its impact. It results in a watch list of potential areas of risk. Risk analysis also continues throughout the life of the project.

3. Evaluation: The effectiveness of the IT investment for risk planning may be evaluated after a disruptive event in a postmortem analysis. Postmortems are beneficial in identifying new alternatives but, by definition, occur only after the event occurs. After a risk has been assessed and analyzed, a determination is made on how to deal with it.

Deciding on IT risks itself involves analyzing costs and benefits. Performing a risk analysis and a cost-benefit analysis should be a formal part of the investment analysis procedure, to ensure that resources are allocated rationally and that all risk exposures are considered when designing the IT application under consideration.