ERP Implementation Risk Management Part II: The Silver Bullet

In “Don’t Become an ERP Horror Story – Implement Solid Risk Management”, we contend that project risk management is the silver bullet in the successful implementation of a business transformation and outline 5 areas where risk management can go off the rails:

1. Failure to establish the proper context of the risk management process
2. Neglecting to engage senior stake holders in the risk identification
3. Not recognizing and addressing biases in the identification and assessment process
4. Failure to account for risk interrelationships and the potential amplification of risk
5. Lack of rigor in tracking and treating risks.

In this post we dig deeper into the first of these items: failure to establish the proper context.

There are a number of good standards and practices prescribed to effectively manage project based risk. PMBOK (Project Management Book of Knowledge) and ISO 31000 Standard: Risk management – Principles and guidelines, are two examples. A gross simplification of the processes is as follows:

A. Identify the scope of what you want to go right that defines program success
B. Determine what can go wrong / or much better than planned
C. Figure out if there is anything you can do to prevent or enable these events
D. Take the appropriate actions consistent with the level of risk you are willing to accept
E. Track and communicate
F. Rinse and repeat

Our first failure point, failure to establish the proper context, deals with the first two steps in the process. I would stand to reason, that if you don’t properly identify the scope of what defines program success, there is a pretty good chance that you will have some big misses in the identification of what can go wrong. Thus, I will start with getting point A right.

A best practice ERP implementation risk management process will focus on managing the risk associated with five broad business outcomes:

1. Limited disruption to the business during the execution of the project. Business should not be substantially impacted through the draw-down or talent, or the improper manipulation of the current legacy environment.

2. Implementing the project in an efficient and timely manner. Staying within the framework of the budget and delivering on time.

3. Minimizing the impact of the initial deployment. Avoiding disruptions in customer service and a timely closing of the financial books.

4. Achieving the tactical benefits associated with the program. Typically this involves measured improvements in key business performance indicators like reductions in working capital, improved on-time delivery, or S&A efficiency.

5. Achieving strategic benefits. Examples might include opening up new markets, increased product portfolio, or improved management decision making.

Commonly, during the course of the program’s execution, a team can get focused on the second point related to staying within budget and on time. This focus on budget and schedule performance may become laser-like when System Integrators get involved. In particular, those System Integrators are motivated by contracts that reward this particular outcome. This is not a criticism of System Integrators or these types of contract structures, but rather to stress the importance to the Program Manager that all five business outcomes are essential and that the programs risk management processes must address all five with the appropriate rigor.

This leads us to our first imperative:

Imperative 1: ERP implementation risk management processes must consider five domains of risk effects: current state business performance, program execution performance (cost, schedule, and quality), future state business performance, program operational benefits, and program strategic benefits.

The second part of establishing the proper context involves the proper examination of all sources of potential risks. Many times we have seen programs get focused only on the risks that they believe they can directly control. This can leave anywhere from 40-70% of all risks unchecked. There are many articles, studies and publications that outline possible risks for execution and all can be valuable in assessing your own risks. What tends to be unimportant are the lists that prescribe the 5-10 things you need to get right.. or can go wrong with ERP. The subject is far more complicated and complex than a top 10 list. We segment the risks into five broad categories to guide your assessment process.

1. Talent – often times sited as the number one success factor talent is a source of considerable risk. This segmentation includes executive talent, project team talent, system integrator talent, end user engagement, and the overall assumptions regarding productivity and collaboration.

2. Technology – If the package you select does not fit your future expectations for your business model then you clearly have taken on a great deal of risk. Included in this category are software, infrastructure performance, vendor delivery performance, and system resiliency and security.

3. Implementation Process – ERP implementation includes the transformation of IT systems, data, people, and business processes. Risks can manifest themselves poor execution of these processes or failing to adequately link them together in a cohesive fashion.

4. Management and Governance – Ineffective project management, poor decision making, and the lack of executive involvement all fall within this area. A poorly designed / executed risk management process also falls into this category.

5. External – Often times these risks are totally ignored by project teams, but frequently they become the penny on the tracks that throws the train off the rails. Included in this grouping are legacy system stability, data quality, regulatory changes, unplanned mergers or divestitures.

Developing a solid view of sources of risk, leads to our second imperative:

Imperative 2: Develop a broad and deep understanding of potential sources of risk by engaging with a trusted advisor that has both the catalog or potential risk points but also the experience to understand the effect of these risks on all 5 business outcomes.

In our next blog post on this subject we will explore the importance of engaging senior level stake holders in the risk identification process.