Assignment 2 (Due: July 7, 2009, before 01:00pm)

In every business, there is an IS/IT change. Changing the IS/IT of an organization is also important especially that technology today is evolving so that the company can also have the competence with the other companies and that they can suffice the needs of the users. But in changing the IS/IT of an organization, there are benefits and risks involved.

Information systems (IS) change initiatives often represent the single largest investment (and therefore risk) for large corporations, yet there exist few management frameworks in the literature to help decision makers measure organizational risk in a balanced manner during this organization-wide change process. Management consultants have methodologies to implement information systems. The information system implementation objective prevents the needed benefit from business change.

Enterprises make large investments to implement all kinds of resource planning, human resource, accounting, customer, logistics, manufacturing, and other information systems. The objective of many of our business change projects is information system implementation that converts existing business operations and data.

In our adopted company Concentrix, the supervisor said that the company, like other BPO Company, is constantly evolving. According also to him, before modifying their system, a feasibility study will be made regarding the proposed changes of the system. Before approving the changes, they make sure that the changes are necessary or that it could truly enhance their system. The management must first approve the proposed changes. Before approving, the management looks first for the risks and the benefits of the changes.

So what are the risks of IS/IT change?
Hardware Failure
The risk of hardware failure is the most commonly talked-about reason to perform backups. Indeed, nothing will jolt someone into realizing the importance of backups more than an unrecoverable hard disk failure. Since the hard disk stores your main programs and data, it is the hardware whose failure hurts the most. It is also what gets the most attention, and rightly so.
However, there are other hardware problems that can cause permanent data loss, and some of these can be rather hard to figure out, since they don't seem like they should be responsible for the problem. Here are just a few:
• Memory Errors: With so many systems today running without error detection or correction on their system memory, there is a chance of a memory error corrupting the data on the hard disk. It is rare for it to happen, but it does happen.
• System Timing Problems: Setting the timing for memory or cache access too aggressively, or using a hard disk interface transfer mode that is too fast for the system or device, can cause data loss. This is often not something that will generally be realized until after some amount of damage has been done.
• Resource Conflicts: Conflicts resulting from peripherals that try to use the same interrupt requests, DMA channels or I/O addresses, can cause data to become corrupted.
• Power Loss: Losing power at the wrong time, such as when you are doing sensitive work on your hard disk, can easily result in the loss of many files.

Cost

Considering cost is very important in changing the IS/IT of an organization. The cost of IT has plunged since the 1960s resulting in enormous investments in IT applications that have stimulated increasingly complex organizational change.

Logical IS Security
Logical IS Security is also a main concern, especially when the company changes from insourcing to outsourcing. Logical IS security deals with unauthorized access to the organization's information system. When an organization's IT functions are outsourced to a third party, the number of users with access to the system increases; in turn, this increases the likelihood of the system being breached. Furthermore, the organization loses control over its system security administration, which is the process through which the information system is protected against unauthorized access.3 Unauthorized access to an organization's information system can lead to the destruction or alteration of the firm's IT function. In addition, logical IS security includes the risks associated with losing confidentiality and privacy.

http://www.pcguide.com/care/bu/risksHardware-c.html
http://www.kmbook.com/change/overview.htm
http://www.itgi.org/Template.cfm?Section=Home&CONTENTID=22050&TEMPLATE=/ContentManagement/ContentDisplay.cfm
http://businesschangeforum.com/cat/topics/information-system-implementation/

*Number of users that could be impacted by a service interruption
*Financial impact of an extended service outage or unrecoverable loss of data
*Likelihood that a system/service failure could result in:
Disclosure of sensitive information that needs to be protected
Misuse of client-owned resources
Malicious interruption of services or research operations

Possibility that a system/service failure could result in an event or condition that may have adverse safety, health, security, operational, environmental, or mission implication
Potential future impacts based on prior system/service interruption experiences

Secondly, when a change is proposed, each request is graded against the following criteria:
How many users will be visibly affected by the proposed change?
What is the anticipated difficulty for user and support personnel to learn the new or modified system/service?
What is the stability and supportability of the technology or vendor products utilized by the system?
In the event the change implementation fails or adversely impacts other systems or services, what will be the impact of executing the implementation contingency plan?
Based upon past experience, what is the likelihood of failure or adverse problems resulting from the change?

The criticality appraisal blends with the change risk evaluation to produce a composite risk assessment that is used to pre-populate an automated release plan that guides the implementation of the change. Depending on the level of the composite risk, requirements of the release plan such as testing rigor and end-user communications are strengthened to mitigate higher levels of risk. Conversely, a lower risk score results in a reduced scope of change implementation requirements.

In an era of dynamism the only thing that remains constant is change. Organisations execute change programmes to implement strategic, regulatory and other such business drivers. Whatever the organisation and in whichever sector it exists in, be it Public or Private, and howsoever it may be structured, it has to witness and face an ever increasing rate of change. These business transformation changes can be implemented and managed effectively by using Programme Management methodologies. As is inherent within any organisational activity successful delivery of these Business Change Programmes lies to a large extent in successfully managing the risks that are being faced while executing the programme.

The paper attempts to focus on the Risk Management activities that need to be considered in such a Programme environment. It tries to present a framework that could be tied into the practices of Programme Management to effectively manage the loose ends presented by Risks.
Risk is defined as the uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. The risk has to be assessed in respect of the likelihood of something happening, and the impact which would arise if it actually happens. Risk management includes identifying and evaluating risks and then suitably responding to them. Risk management enables informed decisions. Managers at all levels in an organisation such as programme managers, project managers, general managers and executive managers make multiple decisions each day as a primary function of their jobs. Apart from having access to factual information, knowledge of potential risks faced can improve the decision process by allowing the decision maker to weigh potential alternatives or trade-offs in order to maximize the reward/risk ratio.

Risk management brings a level of predictability to the dynamic environment within which programmes of business change operate. By understanding and bounding various uncertainties faced by the programme, the programme manager is able to manage the risks effectively.
(i) Risks that would lead to Programme not being implemented. These would be risks to Strategy that initiated the Business Change. These could also be risks to Operations that would undergo this change depending upon the type and criticality of change.
(ii) Risks created by the programme. These are Business Change Risks that need to be mitigated by proper planning at Strategic Level and fed back into the same Programme by changing its scope or another Business Change Programme in case it’s related outside the scope of current change.
(iii) Risks to the programme itself. These are risks internal to the Programme and could be due to one or more of the projects that fall under the umbrella of programme or any other transformational activity that the programme is undertaking.

With the interview that we had and all the articles that I have read, I’ve learned that “You have to risk it, to take the biscuit”. Just like in IT and any organization, it won’t grow and develop unless you try and take the possible risk.