Title: eBusiness Projects Risk
e-Business Projects Risk Management
Mr. Frank Yam, CISA, CIA, MHKCS, CCP, CSP, CDP, CFE, CFSA, FFA
COO - Focus Strategic Group Inc
FOCUS Group
- Founded in 1997
- Offers consulting and training services
- Internal Audit and IT Audit
- IT Management and Strategic Planning
- Information Security
- Business Continuity Planning
- Greater China Advisory and Business Development
Mr. Frank Yam
- Professional career started in 1984, focusing on IT Audit, Internal Audit, and Management Consulting
- ISACA
  - Past President - Hong Kong Chapter
  - International Membership Board Member
  - Global Conference Program Committee Member
  - Governmental and Regulatory Agency Board Member
  - Chairperson - China Development Working Group
  - Expert Reviewer - CISA Exam Review Manual
Presentation Outline
- Myths and Pitfalls
- The e-Business Project Risk Model
- Performance Management and Benchmarking
- The Role of IS Auditors
- Asking the Tough Questions
What is e-Business?
- A means to provide services or material via electronic communication
- Usually assumed to be based on Internet communication
- Can also be based on
  - Electronic Data Interchange (EDI)
  - Touch tone telephone
  - Custom written client / server application
e-Business Project
- Any business project that involves using e-Commerce and related technologies and processes to develop, expand or enhance its business activities.
Forces Driving the E-volution
- Technology Improvements
- Competition drives efficiency
- Increased internal penetration
- Internet savvy customers
- Media coverage
- Rich valuations
- Paper money to digital cash
- First mover advantage
Worldwide e-Business
Surge in Asia Pacific e-Commerce will result in US$1.6 trillion of revenues by 2004. Worldwide online spending will reach US$6.9 trillion in 2004, with the Asia Pacific market accounting for more than 20% of total sales.
"Business is going to change more in the next ten years than it has in the last fifty." - Bill Gates
Only takes 3 minutes to find and order a book!
e-Business
- e-Banking services
- e-Shopping (E-books and E-music)
- e-Food
- e-Hotel
- e-Ticket
- e-Logistics
- e-Gambling
- e-Learning
e-Business
Benefits - Company Perspective
- Lower Operational Costs - Rental, Wages, Stock
- Improved Customer Services - 24/7, Multi-languages, Multimedia
- Improved Company Image - International, Professional
- More Potential Customers - Borderless
Barriers to e-Business
Security and Privacy are the major barriers to online purchase.
Myths and Pitfalls
The Myths - How Do e-Business Projects Fail?
- Very vague business objectives
- Lack of real business model
- Inadequate market research
- Inflation of actual customer demand
- Shortfall in fulfillment
- Does not meet user requirement
- Poor website design
- Navigation or operating process not user-friendly
The Pitfalls (1 of 2)
- The Project Team's PROMISES
- Improve productivity and efficiency
- Increase/maintain competitiveness
- Reduce costs
The Pitfalls (2 of 2)
- Finally,
- Over budget
- Project reschedule and re-reschedule ...
- Project partial delivery or re-scoped
- Not fulfilling user requirements
The Pitfalls - Statistics
- Over 30% of projects are cancelled before completion
- Over 50% of projects cost 100% or more over their original estimates
- Only 16% of software projects are completed on time and within budget
- In large companies, only 9% of projects are completed on time and within budget
- The average time overrun on projects is 222%
A Reality Check
- Market conditions
- Product complexity
- Manufacturing flexibility
- Fulfillment complexity
- Marketing structure
- Sales and channel structure
- Terms and conditions flexibility
- Economic conditions
- Regulatory environment
Source: Gartner
Key Success Factors
- Funding / Resources
- Focus
- Speed to market
- Customer confidence
- Security
The e-Business Project Risk Model
The e-Business Project Risk Model
- Content delivery risks
- Technology risks
- Organisational risks
- Resource risks
- Market risks
- Project risks (e.g. scope creep)
The e-Business Project Risk Model
- Depending on the objective, risk may vary
  - To have presence in cyberspace
  - To provide information only
  - To facilitate transactions with existing customers
  - To reach new markets and new customers
  - To create a brand new business model
Security Risk
- System penetration (social engineering)
- Authorisation violation (passwords)
- Trojan horse
- Communications monitoring (spoofing)
- DoS
- Repudiation
Risk Mitigation
- Build risk into your plan, schedule and budget
- Test, test, test
- Communicate early and often
- Anticipate the best, but plan for the worst
"A Project Manager is a Crisis Manager." - B. Thomas
Murphy's Law
"If anything can happen, it will, and at the worst possible time."
Failure to manage e-Business project risks can be disastrous to an organisation.
Self Assessment Checklist
- Alignment with Strategic Plan/e-Business Vision
- Impact on Customers
- Risk Assessment
- Feasibility Studies / Cost Benefit Analysis
- Right Resources for the right job
Special Attributes
- More modular and component driven
- Rely less on traditional SDM, and more on iterative prototyping methods
- Wider range of partners/suppliers (project co-ordination risk)
- Special skills (both business and technology) and competencies expected
- Greater diversity in the range of user groups
Special Challenges
- Dealing with multiple stakeholder groups
- Understanding of stakeholder requirements
- Meeting / managing stakeholder expectations of systems functionality and availability
- Finding project managers with appropriate skill sets
- Managing a wider range of external parties
The Balancing Act
Key Issues to Address
- Strategy
- Security
- Delivery and Operations
- Systems and Technology
- Performance Management
- Processes
- Organizations and Competencies
- Legal
- Tax
How do you manage change?
- In spite of our amazing advances, the work of an organisation is accomplished by PEOPLE
- It is people who
  - Interface with the customer
  - Make the product
  - Deliver the service
  - Plan and co-ordinate how work gets done
  - Improve processes and systems
  - Ensure quality and return a profit
Performance Management and Benchmarking
Performance Management
- The board should measure performance by
  - Defining and monitoring measures together with management to verify that objectives are achieved and to measure performance to eliminate surprises
  - Leveraging a system of balanced business scorecards maintained by management that form the basis for executive management compensation
Performance Management
- High performance organisations
  - Focus on alignment of philosophy and goals
  - Create a climate of trust among all stakeholders
  - Acquire individuals who can collaborate and work together effectively
Performance Management
- Performance measures
  - Cost
  - Schedule
  - Performance objectives
  - User requirements
  - Defined performance metrics (threshold and objectives)
  - KPI
Benchmarking
ISACA Example
Benchmarking
ISACA Example
- Most senior officer in ISACA's database, from 800 Fortune 500 and significant government entities
- 146 responses for 205 entities (17.5%)
The Role of IS Auditors
How can IS Auditors add value?
- Involvement
  - Directly in Project Management Team and/or
  - Indirectly in Project Steering Committee
- Analysis
  - Cost
  - Return
  - Potential financial implications
  - Contract terms (e.g. SLA)
How can IS Auditors add value?
- Security and risk management
  - Setting security objectives
  - Identifying threats
  - Providing advice on feasible solutions
  - Developing incident response capability / BCP
How can IS Auditors add value?
- Monitoring
  - User Requirements
  - Security and Controls
  - Testing
  - Documentation
How can IS Auditors add value?
- Proactively looking ahead
  - New Business Drivers
  - Mobile Commerce risks and opportunities
  - Impact of Natural Language Technologies
Asking the Tough Questions
Asking the Tough Questions
- Is the e-Business strategy aligned with enterprise strategy?
- Does e-Business deliver against the strategy through clear expectations and measurement?
- Is the e-Business strategy to balance investments between supporting and growing the enterprise?
- Are formal project planning techniques used?
- Is the project scope clearly defined and approved?
A sample control framework
- Security
  - Confidentiality
  - Integrity
  - Availability
  - Accountability
- Legal
  - Contractual risk
  - Jurisdictional risk
  - Privacy enforcement
  - Reliance on third parties - Escrow and Auditing
  - IP rights
A sample control framework
- Development Process
  - Policies and standards
  - Application design
  - Testing
  - System performance
  - Change management
  - Capacity planning and management
  - Openness and flexibility
  - Data conversion
  - Implementation / Rollout
A sample control framework
- Application Integrity
  - Validation of critical data
  - Application audit trails
  - Exception and monitoring reporting
  - Confirmation
  - Data transmission and reception
  - Backup and recovery
A sample control framework
- Internet Technology
  - Plug-ins, programs, and components
  - Browsers
  - ISPs
  - Cookies and push technology
- Publishing
  - Content
  - Production process
Source: Morgan Stanley
Final Thought
Frank Yam
- Chief Operating Officer
- Focus Strategic Group Inc
- Tel 852-81012892, Fax 852-25754853
- Email frankyam_at_yahoo.com
- CISA - Certified Information Systems Auditor
- CIA - Certified Internal Auditor
- CFE - Certified Fraud Examiner
- CSP - Certified Systems Professional
- CCP - Certified Computing Professional
- CDP - Certified Data Processor
- CFSA - Certified Financial Services Auditor
- FFA - Fellow of the Institute of Financial Accountants
- MHKCS - Full Member of the Hong Kong Computer Society
Progress through sharing and active participation
THANK YOU !!!
Questions and Discussion
I will be back