Managing Software Acquisition Risk

Source – Public Domain, 2000

 

Selecting and acquiring software can be as easy as entering a few requirements keywords in your search engine, scanning the product features and prices, and downloading an executable with a quick credit card payment.  This might be thoroughly adequate for personal or home use applications, but for medium to large size organizations with architecture and integration issues, selecting the right product fit is crucial. 

 

One of the biggest risks to successful implementation is poor package evaluation and selection.  With some enterprise package implementations costing millions, failure to mitigate the risk has a potentially huge financial and logistical impact on the whole organization.  For global enterprises and large institutions such as the Department of Defense, the risk is unacceptably high and a comprehensive risk management strategy is essential. 

 

To address this need, the Software Engineering Institute of Carnegie Mellon University has developed a risk management stream specifically for the evaluation and acquisition of software.  As with their Capability Maturity Model (CMM), there are five levels of increasing sophistication, with level one having risk management through individual competence and heroics, and level five having a continuously improving optimized software acquisition process.  While many organizations may not be prepared to embark on an intensive and potentially lengthy pursuit of acquisition process excellence, it makes a great deal of sense to at least move from the first to the second level where successes are repeatable.

 

The SEI risk management process, or paradigm as they refer to it, is defined as a set of continuous activities performed throughout the project lifecycle.  The activities are:

 

• Identify – seek out potential trouble areas before they become problems
• Analyze – evaluate the time and cost impact and the probability of occurrence of the identified risks
• Plan – formulate mitigation strategies and action plans to counter the risks
• Track – monitor risk indicators and follow the effectiveness of the mitigation actions
• Control – make timely decisions on risk indicators and triggers
• Communicate – collect feedback and provide information about emerging risks, the monitored risks, and the mitigated risks

 

To implement this paradigm, the Project Manager or Project Management Office must incorporate it into the Risk Management Plan (sample the Risk Management Plan and Risk Analysis deliverable templates in the Project Management set at IT-Project-Templates.com).  The defined activities must then be entered as discrete tasks in the Project Plan.  Time and money contingency reserves can then be built into a separate column of the plan and if the risk triggers are met, the plan can be rebaselined with the already-defined time and cost estimates.