T6 Risk Analysis of Alternative Solutions IT Acquisition Template 6 Perceptions of Risk There is risk everywhere, which is why two basic considera

T6 Risk Analysis of Alternative Solutions
IT Acquisition Template 6

Perceptions of Risk

There is risk everywhere, which is why two basic considera

Click here to Order a Custom answer to this Question from our writers. It’s fast and plagiarism-free.

Risk Analysis of Alternative Solutions
IT Acquisition Template 6

Perceptions of Risk

There is risk everywhere, which is why two basic considerations, probability and impact, are widely used
to determine which risks are most important and should be managed. Even so, judgments of probability
and impact vary based on past experience, organizational culture (which includes values), and
professional competence. It is no surprise, therefore, that risk identification and assessment results for
similar projects vary from organization to organization. Moreover, it is no surprise that not all use the
same set of risk assessment criteria. The variations in risk perceptions and practices from organization to
organization is why a buyer organization and its IT services contractor often have somewhat different
views of the risks involved with an IT project.

Allocating Risk Responsibilities

Assuming the buyer and contractor can come to an agreement on the major risks associated with a
project, the next question is which organization is in the best position to control a specific risk, the buyer
or the contractor? This is important because sometimes a buyer will ask the contractor to be responsible
for a risk that only the buyer can control. The contractor cannot make the mistake of accepting such a
risk, especially in a fixed price contract. Both parties need to have sufficient understanding of each
significant risk and who can best control it. Allocating risk between the buyer and the organization must
always reflect which party is in the best position to control the risk. If neither party can control the risk,
the best approach usually is for both parties to share the risk.

Risk and Contract Price

The contractor’s proposed price generally reflects the contractor’s understanding of the work, including
the amount of risk the contractor expects to assume. If the contractor has a poor understanding of the
risk, the price may be too high or too low and the allocation of risk might be detrimental to both parties.
Similarly, if the buyer has a poor understanding of the risk, the buyer might pay too much or too little for
the contractor’s services, and the allocation of risk could similarly be detrimental. This means that both
the buyer and potential contractors need to have a good understanding of the project risks by the time
contract negotiations take place

Sometimes there are so many unknowns that it is not possible for either party to have a good
understanding of the potential risks in advance of contract negotiations. The contractor cannot be
expected to assume such risks at its own expense. The contractor normally takes this uncertainty into
account in establishing its proposed price, usually with contingencies built into the contract.

Use of Integrated Project Team (IPT)

The principal reason for using an Integrated Project Team to identify and assess risk is because it brings
many different perspectives, which is important in identifying and evaluating risk. The team members
represent all of the key business areas affected by the proposed project. As a team, they are better able
than a single person to know what the risks are and how they might be avoided or mitigated.

Risk Analysis Process

Identifying risk should begin at the beginning of the pre-solicitation the planning, well before the formal
risk analysis documented in this template (Template 6). As risks are identified, they can be document for
subsequent consideration. The risks identify for some alternative solutions will be eliminated when the
solutions are screened out. The risks associated with the solutions that are not screened out need to be
retained for further analysis in the formal risk analysis documented in Template 6.

The risk analysis process consists of identifying the sources and types of risks associated with each
alternative solution and its work breakdown structure, evaluating each risk in terms of probability and
likely impact, and establishing a mitigation strategy for each risk. For the alternative solution that is
ultimately selected, this risk information will become part of a risk management plan that is used to
monitor and manage risks during the project. The process of identifying and evaluating risk, planning risk
mitigation strategies, and monitoring risks takes place throughout the life cycle of the IT investment. The
process ends with the disposal of the IT system at the end of its life cycle.

The most critical time to use the risk analysis process is early in the planning–for two purposes: (1) to
screen out alternative solutions that would present too much risk and (2) to determine how to modify
otherwise acceptable alternatives to reduce their risk. Too many organizations do a poor job of
identifying risk. In particular, they ignore the fact that many major risks can be avoided either by not
selecting certain alternative solutions or by modifying an alternative to reduce its risk.

In evaluating alternative solutions, risk analysis of alternative solutions generally precedes the economic
analysis of the alternatives because the economic analysis must take risk into account. The economic
analysis results (see Template 7) are “risk adjusted,” which requires that the risks associated with each
alternative solution be identified and quantified.

Risks Identified with the Work Breakdown Structures

Work breakdown structures have been prepared for at least two or more of the “best” solutions based
on prior analysis. The review of the work breakdown structures for Template 5 is likely to have identified
risks that could not be avoided or otherwise eliminated by modifications of the solutions. Those risks
need to be taken into account in the risk analysis. It is advisable for the IPT to perform a formal risk
analysis of each WBS, not only to confirm the risks identified earlier, but also to identify risks that may
have been missed.

Risk Criteria Categories

Leading organizations group related risks into a single “risk category” that is given a name that identifies
the types of risks in that category. The organization may establish five, six, seven or more categories to
represent all of the possible risks that might be identified. The table below illustrates the risk categories
used by two different organizations.

Organization A’s Risk Categories
Organization B’s Risk

Categories
• Strategic/Commercial Risk
• Economic/Financial/Market Risk
• Legal and Regulatory Risks
• Organizational Management/People Issues
• Political/Societal Issues
• Environmental Factors/Acts of God
• Technical/Operational/Infrastructure Risks

• Business/Strategic
• External Factors
• Procurement
• Organizational Factors
• Management
• Technical

Each risk identified by an organization must be documented in one of the risk categories. To facilitate
this, organizations develop a detailed definition of each category and the risks that it includes and they
provide checklists, examples, and other aids to help individuals identify risk and correctly document
them in the correct categories. Leading organizations have policies and procedures that support a
professional approach to risk identification, documentation, assessment, mitigation, and management.
They are aware that most project failures occur because important risks were not identified until it was
too late to avoid the risks or effectively mitigate them.

Research-Based Risk Categories

Listed below are a set of risk criteria categories and definitions that grew out of a number of years of
research on planning and implementing IT projects. The risk category definitions have been abbreviated
for use here, but as stated they give a good idea of the nature of each category. Also, none of the aids
associated with each category (e.g, checklist, examples) is shown. It is important to keep in mind that,
while organizations may use the same criteria categories, they will modify the definitions of these
categories to best address their own situations. For example, a law firm is likely to have some different
risk exposures related to its IT projects than a clothing manufacturer.

1. Organizational Risk: Extent of buy-in by key stakeholders (e.g., affected managers, users, other
employees, customers). Extent to which qualified individuals will be available to manage and
staff the project. Extent to which employees with the required knowledge and skills are likely to
be available to staff the implemented system. Extent to which the organization is otherwise
ready to successfully implement and use the system. Possibility for loss of senior management
support at some point in the project and possibility for resistance to change by one or more
managers who are or will be affected by the project.

2. Infrastructure Risk: The extent to which it places demands on the organization’s infrastructure,
including its IT infrastructure (e.g., will it incur non-project costs elsewhere in the organization;
will it slow up other processes or reduce needed flexibility; will it interoperate with other
systems without undue cost or risk?)

3. Information Security and Privacy: The extent to which it meets the established standards for
information security and privacy.

4. Complexity Risk: Degree of complexity of the project and/or the proposed solution. Extent to
which all of the assumptions have been identified, are supported, and taken into account in the
planning. Likely accuracy of forecasts for benefits, costs, and risks.

5. External Risk: The extent to which external risks pertain to this solution (e.g., affect on
corporate partners, the environment, compatibility with law and regulation). Includes
contractual relationships and regulations.

Every risk associated with an alternative solution is documented and placed in its proper risk category.
Risks that fall into the same risk category are often related and similar risk management strategies may
be applicable. Sometimes an overarching strategy can help to control all of the risks in the category.

A variety of sources of information may be used to estimate the probability of the risk occurring and the
likely financial impact if it does occur. Analyzing the risk will be important in judging the probability and
likely impact. Other important sources are the organization’s performance with past projects and any
“lessons learned” from them. The probability and likely impact make it possible to calculate the
organization’s financial “risk exposure” for each risk, which enable the risks to be prioritized. The highest
priority risks based on the risk exposure calculation get the most attention and resources for managing
them.

Template 6 is used to summarize the findings of the detailed analysis of each alternative.
Documentation of the detailed analysis should be maintained to support and defend the entries made in
the template. One Template 6 form is used for each alternative.

Here is an important finding based on the experience of organizations using the five risk criteria
provided in the template: The greatest proportion of project failures are caused by risks that fall into
the Organizational Risk category. Such risks include stakeholder buy-in and senior management
support. This underlines the need for stakeholder participation in the project to help obtain and
maintain stakeholder buy-in and the importance of appointing an executive to serve as an executive
change manager and project champion.

Using Template 6 – the Risk Analysis Template

The use of Template 6 should follow a full risk identification and analysis process (e.g., using checklists
and other aids). Template 6, below, uses the five research-based criteria categories and definitions
provided above.

A separate Template 6 is used for each alternative solution that is analyzed for risk. Enter the name of
each alternative solution at the top of each template, as shown in the examples below.

• Identify and Document the Risks. Use the risk categories and definitions above to identify and
categorize the risks for each alternative solution. Specifically, use each of the five categories of
risk and their definitions, one at a time, to help you determine if one or more important risks in
a risk category is associated with your alternative solution. If it is, document the risk—as
illustrated in the Template 6 examples below—under the proper category name. As shown in
the first example below, three significant risks were identified in the Organization Risk category.

• Estimate Probability of Occurring and the Impact if it Occurs. After you have identified and

documented a risk, estimate its probability of occurring and then the likely financial impact if it
does occur. The financial impact is usually indicated by a range of dollar costs because it is
almost impossible to forecast a precise dollar figure.

• State Mitigation Strategy for Each Risk. Next, state the mitigation strategy for the risk–your
recommendation for avoiding or otherwise controlling and minimizing the risk.

• Calculate Risk Exposure. Then calculate the approximate risk exposure for that risk and enter it
in the Approximate Risk Exposure column. The purpose of calculating the risk exposure is to aid
in prioritizing the risk—the greater the risk exposure, the higher the priority. Risks that fall into
the same category tend to be interrelated, enabling certain risk management strategies to be
applied at the aggregate level. Here is an explanation of how to calculate the risk exposure of
individual risks:

Calculating Risk Exposure
The risk exposure of any given risk is the probability of the
risk occurring times the total loss if the risk occurs. We are
using a financial cost (loss) range, so you need to multiply
the probability times the low-cost figure and the probability
times the high cost figure.

For example, if there is a 20% probability of risk “X”
occurring and the impact cost (loss) is in the range of
$20,000 to $50,000, the risk exposure range calculation
would be as follows:

20% x $20,000 = $4,000 Low end of risk exposure

20% x $50,000 = $10,000 High end of risk exposure

Risk exposure range for risk “X” = $4,000 – $10,000

• Prioritize the Risks. After the risk exposure range has been calculated for each risk, the risks

need to be prioritized based on their risk exposure. The greater the risk exposure, the higher the
priority. A simple way to prioritize them is to form three categories, Low, Medium, and High,
and define each. The definitions of the ranges will vary with the organization. For the Template
6 examples below, the following ranges were used: L (low) = $1,000 – $5,000; M (medium) =
$5,001 – $15,000; and H (high) = $15,001 and up. L, M, and H are used to identify the priorities in
the Risk Priority column in the template.

• Compute the Average Risk Probability. At the bottom of Template 6, there is a cell titled

Average Probability. The entry to be made in this cell is merely the average probability of
occurrence for the risks listed above for this alternative. For example, assume the sum of eight
risk probability entries in the column is 170%. Dividing the 170% by eight, we find that there is a
21.5% average probability that the risks will occur. This average is simply a general reference
point in assessing the riskiness of an alternative solution. [Note, the economic analysis software
used with Template 7 requests entries for the “probability that this benefit will be achieved.”
This is looking at risk from a different perspective. If the risk is, say, 21.5% that the benefit will
NOT be achieved, the probability that it WILL be achieved is 78.5% (100% – 21.5% = 78.5%).]

• Compute Total Approximate Risk Exposure. At the bottom of Template 6, there is a place for
entering the sum of the risk ranges for the individual risks. It is titled Total Approximate Risk
Exposure. The figures to enter are obtained by summing the dollar impact figures at the bottom
of the range for each risk’s probability range and then summing the dollar impact figures at the
top of each risk’s probability range. This produces the total cost impact range of from $X to $Y.
These total impact figures permit a comparison of alternative solutions based on their risk
probabilities and their likely impacts.

• Make Recommendations for Alternative Solutions. After a Template 6 has been used to
document and analyze the risks associated with each alternative solution, it is necessary to state
which alternatives should be carried forward for further analysis and which should be
eliminated because of risk. Generally, an alternative solution with even one unacceptable risk is
screened out. Similarly, if the total amount of risk for an alternative solution is unacceptable to
the organization, the alternative needs to be screened out. There needs to be at least two
acceptable alternative solutions carried forward. If there are not two that are are acceptable, it
will be necessary to modify the alternative solutions so at least two will be acceptable or to
identify new ones that will be acceptable. Note the statement below following the fourth
Template 6 form, which describes the recommendations regarding the four alternative
solutions.

The use of Template 6 is illustrated below. Four alternative solutions to a performance problem were
assessed in terms of their risks. The Template 6 forms illustrate the risks that were identified and
documented in each risk criteria category. This is followed by a statement recommending that two of
the alternatives be eliminated and two retained. The entries are illustrative and are not meant to
represent a full risk assessment.

Alternative Solution #1 (Tentative Solution Rank Order #1):
Acquire In-house Graphics Management System – Hire a contractor to recommend, acquire, and install the graphics
management tool or tool set and provide training, using a performance-based contract

Risk Category Probability
Impact If
Occurs

Mitigation Strategy
Approximate
Risk Exposure

Risk
Priority

Organizational Risk

a. Scope creep (users

may increase
functionality
requirements)

b. Users may resist
use of new system

c. Possible loss of

executive support
during project due
to new priorities

a. 20%

b. 50%

c. 20%

a. $20,000 –
$50,000

b. $5,000 –

$20,000

c. $10,000 –
$30,000

a. Use of representative IPT;
frequent meetings with users to
inform and prevent
misunderstandings

b. Pre-sell new system, provide
training; remove old systems as of
a specified date

c. Frequent executive briefings;

stress link to the organization’s
key performance indicators

a. $4,000 –
$10,000

b. $2,500 –
$10,000

c. $2,000 –
$6,000

a. M

b. M

c. M

Information Security
and Privacy Risk

Potential loss of
control of proprietary
graphics

20%
$15,000 –
$50,000

Identify proprietary graphics at
outset; establish and test security
measures to safeguard them

$3,000 –
$10,000

M2

Complexity Risk

a. Possible

unrecognized
assumptions

b. Accuracy in
forecasting costs
and benefits

a. 20%

b. 10%

a. $5,000 –
$20,000

b. $5,000 –

$10,000

Require all estimates and
assumptions to be justified; obtain
independent verifications of
assumptions and estimates; assign
responsibility for specific assumptions
and estimates to individuals by name
and hold them accountable for their
accuracy.

a. $1,000 –
$4,000

b. $500 –
$1,000

a. L

b. L

Infrastructure Risk

Possible
interoperability
Problem

15%
$2,000 –
$10,000

Require onsite pilots by vendors to
identify and address potential
problems

$300 – $1,500 L

External Risk

Contractor
underperformance

15%
$20,000 –
$30,000

Require certification of the contractor
by the software vendor; check related
past performance and staff to be
assigned; use performance-based
contract

$3,000 –
$4,500

L

Average
Probability

21.25%

Total Approximate Risk Exposure:
$16,300 –
$47,000

Template 6. Alternative #1 Risk Analysis Results

Alternative Solution #2 (Tentative Solution Rank Order #3):
Outsource the Graphics Management Functions – Outsource the graphics design and management work to an expert
graphics design and production company under a negotiated time and materials contract with incentives and penalties.

Risk Category Probability
Impact If
Occurs

Mitigation Strategy
Approximate
Risk Exposure

Risk
Priority

Organizational Risk

a. Scope creep (users

may increase
functionality
requirements)

b. Users may resist

use of new system

c. Possible loss of

executive support
during project due
to new priorities

d. Internal staff not

able to qualify to
manage
outsourcing
contract

a. 20%

b. 40%

c. 20%

d. 40%

a. $5,000 –
$50,000

b. $5,000 –

$20,000

c. $10,000 –

$30,000

d. $30,000 –
$50,000

a. Use of representative IPT; frequent
meetings with users to inform and
prevent misunderstandings

b. Pre-sell new system, provide

training; remove old systems as of
a specified date

c. Frequent executive briefings;

stress link to the organization’s key
performance indicators

d. Hire or train to gain qualified

personnel

a. $1,000 –
$10,000

b. $2,000 –

$8,000

c. $2,000 –

$6,000

d. $12,000 –
$20,000

a. M

b. M

c. M

d. H

Information Security
and Privacy Risk

a. Potential loss of

control of
proprietary
graphics

b. Contractor security
breach

a. 30%

b. 15%

a. $50,000 –
$150,000

b. $15,000 –
$50,000

a. Identify proprietary graphics at
outset; establish and test security
measures to safeguard them

b. Confirm contractor’s security
controls; include contractual
penalties

a. $3,000 –
$10,000

b. $2,250 –
$7,500

a. H

b. M

Complexity Risk

a. Possible

unrecognized
assumptions

b. Accuracy in
forecasting costs
and benefits

c. Initial relationship

policies and
procedures may
have defects and
new ones will need
to be developed.

a. 20%

b. 20%

c. 30%

a. $5,000 –
$20,000

b. $5,000 –

$10,000

c. $10,000 –
$50,000

a & b. Require all estimates and
assumptions to be justified; obtain
independent verifications of
assumptions and estimates; assign
responsibility for specific assumptions
and estimates to individuals by name
and hold them accountable for their
accuracy.

c. Hire expert advisor to make
recommendations; investigate and
adopt suitable best practices in
graphics outsourcing; establish
integration monitors; give issue
resolution high priority

a. $1,000 –
$4,000

b. $500 –

$1,000

c. $3,000 –
$15,000

a. L

b. L

c. L

Infrastructure Risk

Possible
interoperability
Problem

15%
$5,000 –
$10,000

Onsite pilots by contractors to
identify potential problems

$750 – $1,500 L

External Risk

a. Services are not as

described

b. Selected company
has relationship
with our
competitor

a. 20%

b. 10%

a. $10,000 –
$20,000

b. $10,000 –
$20,000

a. Hire experienced outsourcing legal
experts to prepare, modify, and/or
review proposed outsourcing
contract. Assess contractor’s past
performance in outsourcing;
establish contractual penalties.

b. Perform due diligence prior to

selection; negotiate conflict of
interest policies, procedures, and
penalties

a. $2,000 –
$4,000

b. $1,000 –
$2,000

a. L

b. L

Average
Probability

22.5%

Total Approximate Risk Exposure:
$42,950 –
$126,000

Template 6. Alternative #2 Risk Analysis Results

Alternative Solution #3 (Tentative Solution Rank Order #2):
Use Software as a Service – Use a graphics management system that is hosted on the computer of a service provider.
This is a web-based solution that falls in the category of “cloud computing.”

Risk Category Probability
Impact If
Occurs

Mitigation Strategy
Approximate
Risk Exposure

Risk
Priority

Organizational Risk

a. Scope creep (users

may increase
functionality
requirements)

b. Users may resist

use of a hosted
system

c. Possible loss of

executive support
during project due
to new priorities

d. Internal staff may

not be satisfied
with the host
system
arrangement

a. 20%

b. 20%

c. 20%

d. 25%

a. $5,000 –
$50,000

b. $5,000 –

$20,000

c. $10,000 –

$30,000

d. $20,000 –

$40,000

a. Use of representative IPT; frequent
meetings with users to inform and
prevent misunderstandings

b. Pre-sell the host system approach

via presentations, visit to host
sites, and Q&A sessions;
subsequently remove old systems
as of a specified date

c. Frequent executive briefings;

stress the value and potential of
SaaS; stress the expected
contributions to the organization’s
key performance indicators

d. Have internal users help to select

the SaaS system, including test it
before selection, and after
selection be trained in its use by
qualified training personnel

a. $4,000 –
$10,000

b. $1,000 –

$4,000

c. $2,000 –

$6,000

d. $5,000 –
$10,000

a. M2

b. L8

c. M4

d. M1

Information Security
and Privacy Risk

a. Possible

productivity loss
through internet or
other network
problems

b. Contractor security
breach

a. 10%

b. 15%

a. $15,000 –
$50,000

b. $15,000 –
$50,000

a. Identify proprietary graphics at
outset; establish and test security
measures to safeguard them

b. Confirm contractor’s security
controls; include contractual
penalties

a. $1,500 –
$5,000

b. $2,250 –
$7,500

a. L5

b. M3

Complexity Risk

a. Possible

unrecognized
assumptions

b. Accuracy in
forecasting costs
and benefits

c. Users may seek to

use capabilities
available from host
that are beyond
their training and
experience

a. 10%

b. 15%

c. 20%

a. $10,000 –
$25,000

b. $5,000 –
$10,000

c. $5,000 –

$20,000

a & b. Require all estimates and
assumptions to be justified; obtain
independent verifications of
assumptions and estimates; assign
responsibility for specific assumptions
and estimates to individuals by name
and hold them accountable for their
accuracy.

c. In coordination with host, block
user access to host system
capabilities that have not been
approved for use by the users;
establish a program to give users
training and access to selected new
capabilities that can strengthen our
organization’s performance.

a. $1,000 –
$2,500

b. $750 –
$1,500

c. $1,000 –
$4,000

a. L9

b. L11

c. L7

Infrastructure Risk

Possible
interoperability
Problem

15%
$5,000 –
$10,000

Conduct tests to ensure that host
system will interface smoothly with
related internal systems.

$750 – $1,500 L12

External Risk

a. Services are not as

described

b. Selected host has
relationships with
our competitor

c. 20%

d. 10%

c. $10,000 –
$20,000

d. $10,000 –
$20,000

a. Hire experienced SaaS experts to
assist in evaluating the host and
developing a mutually beneficial
SaaS contract. Assess host’s past
performance in serving its clients;
establish contractual penalties.

b. Perform due diligence prior to
selection of host; as needed,
interest-protection policies,
procedures, and penalties

a. $2,000 –
$4,000

b. $1,000 –
$2,000

a. L6

b. L10

Average
Probability

16.67%

Total Approximate Risk Exposure:
$22,666 –
$80,666

Template 6. Alternative #3 Risk Analysis Results

Alternative Solution #4 (Tentative Solution Rank Order #4):
Acquire Graphics Management Firm – Acquire a small graphics arts firm with demonstrated expertise in graphics
creation and management in support of business proposals.

Risk Category Probability
Impact If
Occurs

Mitigation Strategy
Approximate
Risk Exposure

Risk
Priority

Organizational Risk

a. Scope creep (users

may increase
functionality
requirements)

b. Culture conflicts
(differences in
values, priorities,
expectations, and
practices)

c. Possible loss of

executive support
during project due
to new priorities

d. Inability of firm to

pay relatively large
up-front
expenditure to
purchase the firm

a. 20%

b. 50%

c. 20%

d. 40%

a. $20,000 –
$50,000

b. $50,000 –

$100,000

c. $10,000 –

$30,000

d. $20,000 –
$30,000

a. Use of representative IPT; frequent
meetings with users to inform and
prevent misunderstandings

b. Involve firm being acquired in all
integration planning activities;
pilot test each procedure involving
graphics support services; conduct
two or more welcoming get-to-
know-each-other events

c. Frequent executive briefings;

stress link to the organization’s key
performance indicators

d. Ensure that the firm can afford the

cost of acquiring the firm,
considering other demands on its
resources; establish minimum
performance requirements for the
acquired firm; seek to negotiate
mutually-beneficial arrangement
for paying the purchase cost over a
period of time.

a. $4,000 –
$10,000

b. $25,000 –

$50,000

c. $2,000 –
$6,000

Place your order now for a similar assignment and have exceptional work written by one of our experts, guaranteeing you an A result.

Need an Essay Written?

This sample is available to anyone. If you want a unique paper order it from one of our professional writers.

Get help with your academic paper right away

Quality & Timely Delivery

Free Editing & Plagiarism Check

Security, Privacy & Confidentiality