Monday, 30 November 2015

Week 4 [30.11-06.12.2015] Understanding IT GRC in Higher Education

Hello,
I would like to present an article about risk management, in this particular case risk management in Higher Education. Why do you need risk management? You can save a lot of money if you avoid risk in a proactive manner. Minimizing project threats allows you to deliver your project on time. If you are well prepared you won't exceed your project budget and you will deliver a product of sufficiently high quality. Last but not least, your team members will be happy working normal hours.
A few points that could help you with risk management:

  1. Don't be ignorant: embed risk management in your project from the beginning.
  2. Brainstorm. Talk to your team to identify risky scenarios.
  3. If you aren't the project manager but a "common member", don't hesitate to raise risks with your manager. Communication is very important.
  4. Assign ownership, so that if an uncertain event occurs you will know who is going to deal with it.
  5. Never treat all risks equally; prioritize. There is always something more important than a broken coffee maker.
  6. Plan risk responses and track them if they occur.


Enjoy reading:
http://er.educause.edu/articles/2015/2/understanding-it-grc-in-higher-education-it-risk
My questions:

  1. Have you ever heard about risk management in IT?
  2. If you are working, does your company have risk management policies or procedures?
  3. What IT risks would cause the university to fail to achieve its institutional goals and operational excellence?

36 comments:

  1. The first line of the article, stating that "IT risk is the potential for an unplanned, negative outcome", made me very curious to see what the ways are to actually manage risk in the current times of unpredictability (referred to by some business experts also as chaos). The article interestingly enough states that to identify risk it is important that experts from many fields cooperate to make a good assessment. Furthermore, it is crucial to create a systematic, coordinated, disciplined, and repeatable set of processes and tools. In my opinion things are not as simple, and it is extremely difficult to create such a repeatable set of procedures, due to the nature of chaos.

    To answer your questions: I have heard about risk management, also in the domain of IT. My company does not have risk management policies. It is hard for me to answer the third question, but I would say the risk is always connected to human error.

    Replies
    1. Thank you for your comment. We can use ISO/IEC 27001 to improve our security in certain areas. Chaos shouldn't exist in companies like banks or research and development laboratories because they can lose a lot of money. Even worse, they can lose credibility and clients. I admit, the third question is a bit hard.

    2. Of course chaos shouldn't exist in these areas, but these areas are also subject to market forces. For example, if you take pharmaceutical R&D centers, ideally you should give the people all the time they need to come up with a good result, which is around 15 years in this sector, and that is much too long for companies to wait for their return on investment. So they are turning to so-called "open innovations", which means the sources for ideas, technology and know-how are now coming not only from inside the company, but also from external sources. How can you assess this kind of external risk? For me it is an unknown: you can predict neither the behaviour of external actors with 100% accuracy, nor the data / knowledge / input they will provide. The same with banks. The changes in legal constraints on the one side and client-friendly services on the other are the forces shaping this sector; there have to be some trade-offs between the two, and usually what is client-friendly is more subject to risk (personalized services, the use of vulnerable data and so on).

  2. Yes, I heard about Risk Management when I was studying Project Management at PJWSTK. It is a very important, or the most important, thing when you are going to prepare and analyse a project. If you do not do that, your project could not be done. This is one of the first stages of planning your work when you are preparing for an IT project. When you are going to prepare a good project you have to be ready to have many points in your head to think about.

    My company doesn't have any risk management of IT because my company does not have any external IT projects. We did not have enough in-house projects to have any policies. But when we have to do a project we prepare an independent procedure based on risk management, specifically for our company.

    I do not have any idea how to answer your third question.

    Replies
    1. Even in in-house projects you can lose everything, for example because of a fire or an earthquake. Mother nature can seriously delay your project and destroy your data.

  3. I think that the years I've spent so far in IT Consulting gave me good lessons on risk management.
    It's an inevitable part of every project, not to be narrowed to the IT projects domain only.
    The crucial thing is to identify a risk you spot/encounter. A properly managed (to be precise: mitigated) risk never materializes into an issue. If not managed properly, it becomes a disruptive, 'unnecessarily' occupying, delaying item, sometimes very effectively blocking your progress or compromising your project goal.

    Yes, the company I work for applies all kinds of governance and risk management policies. Without complying with these you're not able to proceed to the next step. Some perceive this as an unnecessary obstacle, others view it as a sanity check. The goal is to ensure that no risky stuff is unwittingly smuggled in or omitted.

    What IT risks would compromise the university's goals? We could come up with plenty of them... but let's take one from last week: a power blackout (though it was already an issue!). How is the university prepared to handle blackouts? Does it have any redundant power generators? How does the IT infrastructure detect these kinds of events?

    Replies
    1. Thank you for your answer, good to know there are companies aware of the problem. I admit sometimes you can think about it as an obstacle, but it pays off if you get into real trouble.

  4. A couple of years ago I worked in an EAI department where a lot of the products we created were dependent on products delivered by different vendors, other departments, stakeholders, etc. We used to report every potential risk of not meeting the deadline because of missing input from other departments. The delivery manager responsible for integration assigned priorities and mitigated risks before they became problems.
    In my current company we use the Scrum methodology, so risks are reported on daily scrums and managed as they arrive.
    Answering your third question: universities existed long before computers. Their goal is to provide education. They don't have to worry about marketing, SLAs, competitiveness (at least the public ones) and so on. I think that they could live without an IT department, buying software or services like, for example, USOS.

    Replies
    1. Scrum can help and it's working fine in most companies. Thank you for the comment.

  5. Modern IT risk management is generally a new domain in Polish companies, particularly in governmental ones. I know a little about risk management because a few years ago I was working as a security inspector. When the new security law came into effect in 2010, all the governmental institutions which developed confidential documents had to prepare risk management documentation. There are a lot of ways to prepare this documentation because there are a few models to achieve this task. Good and complete risk management documentation is very hard to prepare. Because I still work in a governmental institution, I know that we have, use and always update this documentation. Risk management covers a lot of issues which still change, and these changes have to be reflected by administrators in all kinds of documentation. Risk management issues are covered in security documentation called SWB and PB. In this documentation all emergency situations are described, and how to prevent them: for example, what we should do when we find an unnamed IT item, what we should do when we receive strange emails, what we should do when our office is overwhelmed.
    I think all organizations, including schools and universities, should have risk management documentation because in the modern world unshielded IT systems are vulnerable to different risks. Each unnamed and unsigned security incident can destroy the whole IT system and all company data.

    Replies
    1. Thank you for the comment with a bit of history :) Risk management in our governmental institutions is far behind, in my opinion. They have a lot of papers about it etc. But in my honest opinion, people are poorly prepared.

  6. 1. Have you ever heard about risk management in IT?

    Yes, I heard about risk management.

    2. If you are working, does your company have risk management policies or procedures?

    I am an IT consultant and seriously I don't know anything about risk management in my company - I have been there twice :). They (my company) probably know what it is more than I do. I think that whenever it comes to losing money or losing a client, the company knows what to do because they were prepared for that.


    3. What IT risks would cause the university to fail to achieve its institutional goals and operational excellence?

    Like s14772 said, there would be plenty of them. But another quite nice example would be demographic decline. I know that schools had to consider this kind of risk and they know how to handle it. For example, PJATK knows how to attract foreign students. They were prepared for this and they know how to fix this issue.
    But I don't agree with Mikołaj about his argumentation on the third point. I think that schools have to worry about marketing; we can notice an increased amount of leaflets that are handed out at the beginning of spring.
    And about SLAs, I think that they have to worry about them, because they do projects - usually projects that are funded by the EU.


  7. Hello, I heard about Risk Management. IT Risk Management is very important for projects. Risk Management is a part of Project Management methodologies. People who spent time reading about PM, or were involved in a project, have to know what risk is. Otherwise it can affect our project. We have to identify potential risks before they become a problem.

    I am working in an international corporation, so it is clear that they have proper procedures for risk management. “Study on IT governance, risk, and compliance (GRC) programs in higher education found that 81 percent of institutions do not include IT risk in their institution's strategic plan.” - this information shows the leaks in Project Management. This area is developing and needs continuous improvements.

    The third question is pretty hard, but the first idea which came to my mind is data leak or loss. You can lose data due to a natural disaster like fire etc., and you have to minimize the possibility of risk materialization. Like Tomasz said, SLA is very important.

    Replies
    1. Thank you for your comments (clones? :D ). Most of the work should be done by PMs. Apparently, they are unprepared so many times. SLA is important when we are talking about infrastructure. It's hard to have an SLA in the Software Lifecycle.

  9. 1. Have you ever heard about risk management in IT?

    Yes, due to my work history it wasn't possible for me to avoid this topic.

    2. If you are working, does your company have risk management policies or procedures?

    To be honest, I have no idea. I presume the answer is yes, but I have other things to worry about ;)

    3. What IT risks would cause the university to fail to achieve its institutional goals and operational excellence?

    It depends on the actual institution, I believe. In the case of PJIIT there are countless risks, because it is after all an IT school and working IT infrastructure is crucial. PJIIT cannot afford to lose data, especially financial data; nor can it allow itself to be hacked. Should this happen, the school will lose its prestige.

    Replies
    1. About answer 2, if you have no idea, it's poorly addressed :)

  10. Hi,

    1. Have you ever heard about risk management in IT?

    Yes, I heard about risk management in IT, but my knowledge of this subject is small because I heard about this only in school.
    2. If you are working, does your company have risk management policies or procedures?

    My company has risk management policies and procedures and it is working fine.
    In my company there is a person responsible for it. I don't know anything about this. I am only a programmer.

    3. What IT risks would cause the university to fail to achieve its institutional goals and operational excellence?

    I agree with Pawel Dyda, it depends on the actual institution.

    Replies
    1. Good to know that so many companies have risk management policies, thank you for the answer.

  11. I heard about Risk Management in fields other than IT and I guess the general idea is similar. I participated in a workshop about Risk Assessment at work (which should be done as a part of Risk Management, I guess). The two most important things were to identify the probability of a hazard happening and to assess the size of the damage if the hazard happens.
    My company does not have any Risk Management policy. For the third question I cannot think of any other examples than the ones already said, like a leak of data etc.

  12. * Have you ever heard about risk management in IT?
    Yes, this is something that I need to know in my work. It is hard for me to imagine controlling IT projects without at least basic knowledge about risk management.

    * If you are working, does your company have risk management policies or procedures?
    Yes, we always try to predict every possible risk and create a plan for it before it happens. That way we're prepared when it comes true.

    * What IT risks would cause the university to fail to achieve its institutional goals and operational excellence?
    Too much bureaucracy.

    Replies
    1. "too much bureaucracy" like in every institution in Poland :)

  13. IT risk management is a component of a larger enterprise risk management system. This encompasses not only the risks and negative effects of service and operations that can degrade organizational value, but it also takes the potential benefits of risky ventures into account.
    IT risks are managed according to the following steps:

    - Assessment: Each risk is discovered and assessed for severity

    - Mitigation: Countermeasures are put in place to reduce the impact of particular risks

    - Evaluation and Assessment: At the end of a project, the effectiveness of any countermeasures (along with their cost-effectiveness) is evaluated. Based on the results, actions will be taken to improve, change or keep up with the current plans.

    What IT risks would cause the university to fail to achieve its institutional goals and operational excellence?
    For example:
    Cybersecurity/leveraging IT
    • Protect sensitive data and information
    • Effectively leverage technology in the residential educational experience

    Replies
    1. Thank you for the comment, good picks. I agree with you, protecting sensitive data about students is quite important, especially with the high GIODO standards.

  14. Hi Mateusz, thanks for bringing up this topic. I’ve heard about risk management in IT, as I had worked in a multinational corporation with pretty strict procedures. I’ve seen it applied in several projects. Currently I work in an early-stage tech startup; we don’t have many policies like that in place. I definitely need to keep risk management in mind and probably try to introduce it in a lightweight, agile fashion, so it will play well with the company culture.

    I’m not really sure what the institutional goals of a university are and how to define operational excellence in terms of academia. I can imagine that these goals and criteria could be significantly different for every university. Nevertheless, problems with IT infrastructure and security breaches seem to be the biggest risks.

    Replies
    1. A lightweight form won't work, I'm afraid. Still, better in the middle of the project than never. Go for it if you can :)

  15. From my experience: a broken coffee machine is one of the critical issues!
    I don't know much about the theoretical assumptions of risk management. I've never had a chance to get to know this term better during my entire work experience. Still, the practical side already sounds familiar. We have some policies and procedures in our department which could be defined as part of risk management. They're primarily associated with the security area. Unfortunately, it causes growth of the bureaucracy mentioned by Dawid a few comments before (for example extra forms to fill in to get access to some IT resources). Security is the most important issue in risk management of institutions like PJAIT.

    Replies
    1. Totally agree with you: http://s42.photobucket.com/user/wesmdunn/media/CoffeeMachineisBroken.jpg.html

  17. Yes, I have heard about risk management before. I think that it is a very complicated issue. A company may have some risk management procedures implemented, but in the IT area it is more difficult to identify than in any particular project. I mean, every project is unique and has its own risks, so we cannot create some general risk list and say 'look, this is a list of your risks', independently of the project type, scope, etc. There are a lot of papers published about risk management in IT and other areas. Risk management is also very well described in such methodologies as Prince2 or PMP.

  18. Hi Mateusz,
    Have you ever heard about risk management in IT?

    I have heard about that, but I don't have broad knowledge in this area, because I did not have much in common with PM.
    I know it is always better to have such management, especially when it is a company which operates on sensitive data or an R&D institute.

    If you are working, does your company have risk management policies or procedures?

    I worked in a few international companies, and all of them have such policies.
    I always worked as a developer, so I was not much involved in risk management, maybe besides the fact that I had to follow certain rules in my work.

    What IT risks would cause the university to fail to achieve its institutional goals and operational excellence?

    I am not sure. Universities have a bit different priorities than commercial companies, so it is a bit difficult to answer this question.
    Universities have a lot of sensitive data about students, so that may be a risk (I think).

  19. You can apply risk management to any field actually; the things that change are the risk factors. It's a good practice to know the risks that can occur in a project and plan for ways to counter them when problems arise. The topic is very broad. An example I can come up with is, e.g., a leak of students' private data or denial of service caused by cyber-attacks.

  20. Basically, I am not concerned with IT issues at my work, but I am obliged to respect the rules imposed by the security department. My company has many risk management policies as well as procedures covering many possible risks in the company.
    There are many issues which I, as a programmer, have to check before I start my work, or ask for access, which delays my work.
    There are many IT risks which may influence the achievement of the goals. One of them may be a leakage of confidential data of the students, cooperators or the staff.
    Another of the risks is hacking into the database of the notes of students. As a result the University loses its credibility.

  21. I heard about risk management at the university and at work, while participating in projects. Risk management in projects is hugely important. In major projects there are always risks, especially if the project involves 10-50 people or more and lasts from one month to one year.

  22. Hi, it's a very important topic nowadays. My thesis written this year was on risk management in public administration. Today, thinking about IT doesn't stop only at management at the operational level. Experience shows that it is more important to look at IT management from the perspective of managing the entire enterprise. It's difficult in such a situation, not to mention risk management. I recommend a route map for risk management like M_o_R for those more interested. It's worth mentioning that the implementation of a risk management system in many institutions is an obligation under the law. By the way, I haven't heard about the Educause IT GRC program; nice to hear something new. In my company, we established an information security management system according to ISO 27001. In my opinion, the loss of reputation caused by a data leak or hacked main sites could be painful for our school.

  23. From my point of view risk management is the most important thing in project management. We cannot mitigate all the risks but we can identify most of them and just be prepared. For software development we use Tom Gilb's methods (gilb.com) to identify risks and act accordingly. I think that IT systems in universities have become the core of their operations and there are a lot of risks that would potentially cause them to fail to achieve their institutional goals and operational excellence. Everything from business administration (e.g. accounting) to grades management is nowadays supported by school management systems, which are a crucial part of operations, which means that failing to identify those risks might lead to failure.
