
Beating IT Risks
Index
274
hazard and operability analysis 32
health metaphors 33, 34
Hoechst 42
Horizon 244
human–computer interface problems 187–8
human resource management 248
ICL 153
identification
  of distressed projects 78
  of project risks 97–100
identity theft 244
IEEE standards 96
impacting organization 85–7
industry-wide risk context factors 118
information assets 12–13, 50
  access 126–7
  asset categories and control 143–4
  availability 127
  case study 150–1
  computer and network management 144–6
  degraded, impacts of 129–32
  exploitation, impact of 127–9
  impacts 111
  management implementation 138–48
  policies 141–2
  record keeping 143
  risk assessment 142
  roles and responsibilities 143
  security 132–8
  system access control 146–8
information security management 13, 126
  standards 138
  staff behaviour 139
  policy confirmation 141
information technology capability, influence on business capability 230–2
Information Technology Infrastructure Library (ITIL) 120, 180, 214, 215
infrastructure 15–16
  centralized computing 207–8
  data networks 209–11
  distributed computing 208–9
  evolving risks 212–14
  facilities 206
  failure 51–2, 206–12
  industry-specific risks and 211–12
  market dynamics 212–13
  migration of IT applications into 212
  timing 213
  transformation, de-risking 216–17
  utility model 213–14
  voice networks 211
in-house service delivery 161–2
insider abuse 133
instant messaging 33
insurance 29
integrity 126, 132, 134
  loss of 130–1
intellectual property 137, 184, 196
interdependency 88
International Standards Organization (ISO) 13, 47
  quality software model 96
  standard 17799 120, 139
  standards 96
Internet addiction 59
intrusion detection 144
investment lifecycle 25, 26
investment traps 26
investor perspective 24–7
isolation 59
issue forums 37
key performance indicators 228
Knowledge Capital 126
knowledge management systems 33, 229
legacy systems 16
legal function 249–50
legal impact 58
legalistic approaches to governance 22
Libra project 153
licence revenue 137
life scientist perspective 33
lifecycle approach to managing IT risk applications 198–201
  concept and feasibility 199
  implementation 200
  maintaining and evolving systems 201
  requirements and solution architecture 198
  retirement and decommissioning 201
  solution build, acquisition and integration 200
  strategy, architecture and planning 198
  testing 200
like for like option 94
London Stock Exchange 107
  Taurus project 2, 97
lost benefit risk 73
Love Bug virus 197
management responses to project 98–9
Marine Information for Safety and Law Enforcement (MISLE) system 71
market risk 17
maximum tolerable outage (MTO) 109, 141, 185, 206
merger & acquisition 191
methods and standards, delivery assurance and 96–7
multiple concurrent IT projects 79
Mydoom 107
National Air Traffic Services (NATS) 183
National Australia Bank 242, 244
National Bank of New Zealand 205
natural disasters 135
natural systems perspective 33
New Basel Capital Accord 241–2, 243
Next Generation Switching 205
offshore sourcing 177–8
open-book accounting 160–1
open-source software support 178–9
opportunity cost 131–2
ordinary failures 76
organization impact as risk factor 83
organization-specific risk context factors 119
organizational learning 64, 78
organizational views of risk 78–82
outputs and deliverables 95
outsourcing 3, 5, 14, 29, 56
  agreement 117
over-enhancing, risk of 93
overheads 79
PABX 211
partial failure 74
partner risk 5
password control 147
patents 13, 137
penetration testing 134
people
  delivery assurance and 95–6
  selection and allocation 80
personal security 140–1
phishing 133
physical security 140, 250
piecemeal approach to risk management 5, 65
planning 80, 113–17, 198
  business continuity 42, 141
  disaster recovery (DR) 42, 47, 110
  enterprise resource (ERP) 95, 228
  service continuity 109
points of dependency 79
police service disaster avoidance–disaster recovery strategy 123–4
portfolio approach 7
post-implementation phase 102
post-implementation review (PIR)
  activities 79
PRINCE2 96
probability 4
process engineering approach 32
program views of risk 78–82
project complexity as risk factor 83
project culture 78
project failure 49–50
  impact of 73–7
project management 80
project risk 49–50, 54–5
  assessment 5
  degree of difficulty 88–9
  factors, misinterpreted 89–92
  management 10–11
Project Risk Exposure 88
project size as risk factor 83
project triage analogy 98–9
project views of risk 78–82
prototyping 85
public switched telephony service (PSTN) 211
Qantas 207
qualitative analysis techniques 64, 239
quality
  assurance 86–7
  failure 49
  gap 75
  service provider failure and 156
quantitative risk analysis 29, 64, 239
real options theory 25
recovery 120, 121
  capability 110
  routines 17
  strategy, specific 119
recovery time objective (RTO) 43
regulatory approaches to governance 22
regulatory impact 58
repair cost 131
reputation 10, 18, 58
requirements and architecture phase 100
research and development 85
residual risk 47
resilience 110, 119, 120, 121
return on investment 3
Rhone-Poulenc 42
‘right now’ benefits 121
risk and reward 29
risk aversion 82
risk-based management, supporting with IT 245–8
risk classes 49–52
  applications and infrastructure risk relationships 56–7
  project risk 49–50, 54–5
  relationships between 53–7
  service provider and vendor risk relationships 55–6
  strategic and emergent risk 52, 53–4
risk exposure, concept of 84
risk leverage 61
risk management capability 60–6
  implementation and improvement 64–5
  people and performance 64
  processes and approach 62–4
  roles and responsibilities 61–2
  strategy and policy 60–1
risk management lifecycle 62
risk management of information systems (RMIS) 17
risk management profile 84
risk management responsibilities 62, 63
risk management standards 6
risk portfolio 9–18, 45–69
  managing like other business risks 46–8
  need for 46
  portfolio of risks 48–9
  risk impact 57–9
RiskIT 96
risk-reward 4, 7, 9
RMIT 183
roles and responsibilities for risk management 239–40
root access privileges 147
root-cause analysis 163
Royal Automobile Club of Victoria 171
Sarbanes-Oxley Act (USA) 135
SCO Group 107
scope, failure in 49
security 132–40
seed funding 85, 87
SEI Capability Maturity Model 28
service continuity 50
  budget setting 117–18
  buy-in and appetite 120
  designed-in 119
  implementation 117–21
  performance indicators 120–1
  planning 109
  risk context 118–19
service delivery in-house 161–2
service failures 109–13
service level agreements (SLAs) 170
service performance 109–10
service provider failure 154–63
  difficulty integrating services 159–60
  failure to deliver project services 156–7
  failure to meet other contract or relationship requirements 156
  failure to meet service levels for an operational service 155
  failure to stay in business 157–8
  finger-pointing rather than accountability 158
  inflexibility 159
  lack of control 161
  one-horse races rather than contestability 158–9
  poor value for money 159
  poor visibility 160–1
  transition risks 160
  unfulfilled transformation objectives 160
service provider risk, managing 165–74
  ability to change 171
  evaluation 168
  lower risks 172–4
  management 169
  negotiation 168–9
  pre-negotiation 167
  review/termination/renewal 169–70
  rights and responsibilities 170
  risk-effective contracting 170–2
  service level agreements (SLAs) 170
  sourcing strategy 166–7
  terms and conditions 171–2
  transition 169
service providers and vendors 13–14, 50–1, 55–6
service providers, multiple
  align technology strategies with sourcing strategies 176
  clusters of IT services 174–6
  link processes end-to-end 176
service provision, new and emerging risks 176–9
services 11–12, 107–24
shared resource base 79
shared services, in-house/external 162
shareholder value 227–9
significance of portfolio 9
size, failure and 84–5
skills and experience 90
Softbank BB Corp 148
software
  assets and liabilities 195–8
  errors 134
  licenses 196–7
  project failures 25
  unwanted and unwelcome 197–8
spam prevention 144
stability of requirements 89–90
standardization 16
step-in rights 171
storage virtualization 214
strategic and emergent risks 16–17, 52, 53–4
strategic failure 3
  diversity vs standardization 224
  graceful degradation 222–3
  sabre-rattling 226
  strategic importance of IT 224–5
  sustainability 225–6
strategy and planning 249
Structured Systems Analysis and Design Methodology (SSADM) 10, 92, 96
superuser 147
supplier or partner IT failure 135
surprises and reactivity 5, 65
surveillance 246–7
SWIFT 119, 153
system access control 146–8
  authentication 147
  identification 147
  least privilege 146
  system time-out 147
systems development and maintenance 148
system failures
  managing 111–12
  in project delivery 76–7
systems enabling organizations 228–9
Tampere Convention for telecommunications 117
team efforts, where to focus 240
team skills and capability 83
technical risk 5
technology 87
  number and types 90–2
  risk and 83
telephone messaging 33
termination-for-cause provisions 171
termination-for-convenience provisions 171
testing, acceptance and implementation phase of project 101–2
third party risks 14
time 213
  failure 49, 74–5
  service provider failure and 156
tracking 81
  decision-making and 81–2
trademarks 137
trust 22, 140
underperformance 66
understanding IT project risk factors 82–95
Unified Process methodology 92, 96
uninterruptible power supplies (UPS) 108
Unisys 171
upgrade and replacement 93–5
US Navy desktop fleet 205
user error 134
utility failure 134
utility model 213–14
V model 95
value chain 50–1, 153
vapourware 165
vendor failure, dimensions of 163–5
  aggressive upgrade cycles 164
  failure to support product 163–4
  functional gaps 164
  proprietary solution lock-in 165
  unfulfilled promises 165
vendor risk relationships 55–6
Virgin Blue 207–8
viruses 133, 144, 197–8
VIS 71
voice networks 211
water company case study 203–4
Web services 214
Westfield Corporation 227
whistle-blowing 5, 64
World Health Organization 206, 236
worst case scenario 57
Yahoo 227