eBusiness Projects Risk

1
e-Business Projects Risk Management
Mr. Frank Yam CISA, CIA, MHKCS, CCP, CSP, CDP,
CFE, CFSA, FFA COO - Focus Strategic Group Inc
2
FOCUS Group

• Founded in 1997
• Offers consulting and training services
• Internal Audit and IT Audit
• IT Management and Strategic Planning
• Information Security
• Business Continuity Planning
• Greater China Advisory and Business Development

3
Mr. Frank Yam

• Professional career started in 1984. Focusing on
  IT Audit, Internal Audit, and Management
  Consulting
• ISACA
• Past President Hong Kong Chapter
• International Membership Board Member
• Global Conference Program Committee Member
• Governmental and Regulatory Agency Board Member
• Chairperson - China Development Working Group
• Expert Reviewer - CISA Exam Review Manual

4
Presentation Outline

• Myths and Pitfalls
• The e-Business Project Risk Model
• Performance Management and Benchmarking
• The Role of IS Auditors
• Asking the Tough Questions

5
What is e-Business?

• A means to provide services or material via
  electronic communication
• Usually assumed to be based on Internet
  communication
• Can also be based on
• Electronic Data Interchange (EDI)
• Touch tone telephone
• Custom written client / server application

6
e-Business Project

• Any business project that involves using
  e-Commerce and related technologies and processes
  to develop, expand or enhance its business
  activities.

7
Forces Driving the E-volution
Technology Improvements
Competition drives efficiency
Increased internal penetration
e
Internet savvy customers
Media coverage
Rich valuations
Paper money to digital cash
First mover advantage
8
Worldwide e-Business
Surge in Asia Pacific e-Commerce will result in
US1.6 trillion of revenues by 2004. Worldwide
online spending will reach US6.9 trillion in
2004. With Asia Pacific market accounting for
more than 20 of total sales.
9
Business is going to change more in the next ten
years than it has in the last fifty. Bill Gates
10
Only takes 3 minutes to find and order a book!
11
e-Business

• e-Banking services
• e-Shopping (E-books and E-music)
• e-Food
• e-Hotel
• e-Ticket
• e-Logistics
• e-Gambling
• e-Learning

12
e-Business
Benefits - Company Perspective
Lower Operational Costs - Rental, Wages, Stock
Improved Customer Services - 24/7,
Multi-languages, Multimedia
Improved Company Image - International,
Professional
More Potential Customers - Borderless
13
Barriers to e-Business
Security and Privacy are the major barriers to
online purchase.
14
Myths and Pitfalls
15
The MythsHow Do e-Business Projects Fail?

• Very vague business objectives
• Lack of real business model
• Inadequate market research
• Inflation of actual customer demand
• Shortfall in fulfillment
• Does not meet user requirement
• Poor website design
• Navigation or operating process not user-friendly

16
The Pitfalls (1 of 2)

• The Project Teams PROMISES
• Improve productivity and efficiency
• Increase/maintain competitiveness
• Reduce costs

17
The Pitfalls (2 of 2)

• Finally,
• Over budget
• Project reschedule and re-reschedule ...
• Project partial delivery or re-scoped
• Not fulfilling user requirements

18
The PitfallsStatistics

• Over 30 of projects are cancelled before
  completion
• Over 50 of projects cost 100 or more than their
  original estimates
• Only 16 of software projects are completed on
  time and within budget
• In large companies, only 9 of projects are
  completed on time and within budget
• The average time overrun on projects is 222

19
A Reality Check

• Market conditions
• Product complexity
• Manufacturing flexibility
• Fulfillment complexity
• Marketing structure
• Sales and channel structure
• Terms and conditions flexibility
• Economic conditions
• Regulatory environment

Source Gartner
20
Key Success Factors

• Funding / Resources
• Focus
• Speed to market
• Customer confidence
• Security

21
The e-Business Project Risk Model
22
The e-Business Project Risk Model

• Content delivery risks
• Technology risks
• Organisational risks
• Resource risks
• Market risks
• Project risks (e.g. scope creep)

23
The e-Business Project Risk Model

• Depending on the objective, risk may vary
• To have presence in cyberspace
• To provide information only
• To facilitate transactions with existing
  customers
• To reach new markets and new customers
• To create a brand new business model

24
Security Risk

• System penetration (social engineering)
• Authorisation violation (passwords)
• Trojan horse
• Communications monitoring (spoofing)
• DoS
• Repudiation

25
Risk Mitigation

• Build risk into your plan, schedule and budget
• Test, test, test
• Communicate early and often
• Anticipate the best, but plan for the worst

A Project Manager is a Crisis Manager. B.
Thomas
26
Murphys Law
If anything can happen, it will, and at the
worst possible time.
Failure to manage e-Business project risks can be
disastrous to an organisation.
27
Self Assessment Checklist

• Alignment with Strategic Plan/e-Business Vision
• Impact on Customers
• Risk Assessment
• Feasibility Studies / Cost Benefit Analysis
• Right Resources for the right job

28
Special Attributes

• More modular and component driven
• Rely less on traditional SDM, and more on
  iterative prototyping methods
• Wider range of partners/suppliers (project
  co-ordination risk)
• Special skills (both business and technology) and
  competencies expected
• Greater diversity in the range of user groups

29
Special Challenges

• Dealing with multiple stakeholder groups
• Understanding of stakeholder requirements
• Meeting / managing stakeholder expectations of
  systems functionality and availability
• Finding project managers with appropriate skill
  sets
• Managing a wider range of external parties

30
The Balancing Act
31
Key Issues to Address

• Strategy
• Security
• Delivery and Operations
• Systems and Technology
• Performance Management
• Processes
• Organizations and Competencies
• Legal
• Tax

32
How do you manage change?

• In spite of our amazing advances, the work of an
  organisation is accomplished by PEOPLE
• It is peope who
• Interface with the customer
• Make the product
• Deliver the service
• Plan and co-ordinate how work gets done
• Improve processes and systems
• Ensure quality and return a profit

33
Performance Management and Benchmarking
34
Performance Management

• The board should measure performance by
• Defining and monitoring measures together with
  management to verify that objectives are achieved
  and to measure performance to eliminate surprises
• Leveraging a system of balanced business
  scorecards maintained by management that form the
  basis for executive management compensation

35
Performance Management

• High performance organisations
• Focus on alignment of philosophy and goals
• Create a climate of trust among all stakeholders
• Acquire individuals who can collaborate and work
  together effectively

36
Performance Management

• Performance measures
• Cost
• Schedule
• Performance objectives
• User requirements
• Defined performance metrics (threshold and
  objectives)
• KPI

37
Benchmarking
ISACA Example
38
Benchmarking
ISACA Example

• Most senior officer in ISACAs database, from 800
  Fortune500 and significant government entities
• 146 responses for 205 entities 17.5

39
The Role of IS Auditors
40
How can IS Auditors add value?

• Involvement
• Directly in Project Management Team and/or
• Indirectly in Project Steering Committee
• Analysis
• Cost
• Return
• Potential financial implications
• Contract terms (i.e. SLA)

41
How can IS Auditors add value?

• Security and risk management
• Setting security objectives
• Identifying threats
• Providing advice on feasible solutions
• Developing incident response capability BCP

42
How can IS Auditors add value?

• Monitoring
• User Requirements
• Security and Controls
• Testings
• Documentation

43
How can IS Auditors add value?

• Proactively looking ahead
• New Business Drivers
• Mobile Commerce risks and opportunities
• Impact of Natural Language Technologies

44
Asking the Tough Questions
45
Asking the Tough Questions

• Is the e-Business strategy aligned with
  enterprise strategy?
• Does e-Business delivers against the strategy
  through clear expectations and measurement?
• Is the e-Business strategy to balance investments
  between supporting and growing the enterprise?
• Are formal project planning techniques used?
• Is the project scope clearly defined and approved?

46
A sample control framework

• Security
• Confidentiality
• Integrity
• Availability
• Accountability
• Legal
• Contractual risk
• Jurisdictional risk
• Privacy enforcement
• Reliance on third parties Escrow and Auditing
• IP rights

47
A sample control framework

• Development Process
• Policies and standards
• Application design
• Testing
• System performance
• Change management
• Capacity planning and management
• Openness and flexibility
• Data conversion
• Implementation / Rollout

48
A sample control framework

• Application Integrity
• Validation of critical data
• Application audit trails
• Exception and monitoring reporting
• Confirmation
• Data transmission and reception
• Backup and recovery

49
A sample control framework

• Internet Technology
• Plug-ins, programs, and components
• Browsers
• ISPs
• Cookies and push technology
• Publishing
• Content
• Production process

Source Morgan Stanley
50
Final Thought

• Think, Think, Think

51
Frank Yam

• Chief Operating Officer
• Focus Strategic Group Inc
• Tel 852-81012892, Fax 852-25754853
• Email frankyam_at_yahoo.com
• CISA Certified Information Systems Auditor
• CIA Certified Internal Auditor
• CFE Certified Fraud Examiner
• CSP Certified Systems Professional
• CCP Certified Computing Professional
• CDP Certified Data Processor
• CFSA Certified Financial Services Auditor
• FFA Fellow of the Institute of Financial
  Accountants
• MHKCS Full Member of the Hong Kong Computer
  Society

Progress through sharing and active participation
52
THANK YOU !!!
Questions and Discussion
53
I will be back