Tag: Risk Management

IT Vendor Risk Management

IT vendor risk management is a component of overall IT risk management. In my previous blog on overall IT risk management, there is a comment from pmhut asking me to expand on each component of IT risk management. Let me expand my thoughts on IT vendor risk management and provide a framework for developing IT vendor risk management.

Steps to develop an IT vendor risk management plan:

  1. Develop a consolidated list of all IT vendors
  2. Categorize the vendors broadly
  3. Prioritize the vendors in each category based on the type of business you are in. For instance, if IT supports a retail business, Point of Sale is a key function and the vendors supporting that line of business are critical to day-to-day operation; they get higher priority than any other vendors.
  4. Identify the potential risks of the vendors
  5. Analyze the potential risks of the vendors
  6. Develop a residual risk matrix
  7. Monitor the residual risk matrix and repeat from step 4
  8. Report the residual risk matrix to the CIO office periodically

Step I: Develop a consolidated list of all IT vendors

Get an IT vendor list from the corporate purchase/procurement department. Make sure the following information is available:

  • Account representative contact information – office phone, cell phone, mailing address, email address
  • Investor contact information – depends on the type of company: corporation, partnership, proprietorship, etc.
  • Client list

Step II: Categorize the vendors

Types of vendors involved in a typical IT organization:

  • Sourcing provider
    • Alliance provider (like an outsourcing provider)
    • Human resource provider for insourcing. Generally a time-and-material model for a 6-month to 1-year engagement
    • Consultant provider for insourcing. Generally a time-and-material model for a specialized role for a very short time
  • Software provider
    • Enterprise software system provider (like SAP, PeopleSoft, Fidelity, etc.). The enterprise software system depends on the type of business.
    • Office software (like MS Office, etc.)
    • Specialized software provider (for instance, in the financial industry, Quantum is a specialized treasury software provider)
  • Service provider
    • Infrastructure service provider (in most cases, this includes all the system software like OS, database, etc.)
    • Research consulting service provider (market research, etc. – like gartner.com, executiveboard.com)
    • Specialized service provider (depends on the type of business – credit scorecard development provider, etc.)

Step III: Prioritize the vendors

Prioritize the vendors based on how much the core IT operation depends on them. It depends on the business you are in. If there is an alliance provider performing lights-on support for an IT organization, then that provider plays a vital role in IT operation. For instance, if it is a financial administration company (like financial outsourcing), then their enterprise application, like SAP financial, plays a major role in performing their core operation.

Lately, almost all organizations use an outsourcing company to provide lights-on service to the core IT operation.

Step IV: Identify the potential risk of the vendors

The sourcing provider (including alliance and outsourcing providers) is taken as an example and the associated risks are identified. Similar steps can be taken for other types of vendors.

Service level risk

Measure the performance of the provider against the objectives set at the beginning of the engagement. In some cases, the sourcing provider is selected to provide a partnership or alliance to improve innovation, business consultation or value creation; in other cases, the provider is selected to provide ongoing lights-on support. In my example, I will assume the provider is selected to provide ongoing lights-on support. The typical performance measures for lights-on support are given below:

  • Service quality
  • Service delivery time
  • Missed service levels
  • Response time
  • Resolution time
  • Problem repeatability rate

For outsourcing engagements, after the due diligence is done and the contract and terms & conditions are agreed by all parties, there are two major phases: the transition phase and the stabilization phase. The sample performance measures listed above are used for risk identification after the stabilization phase.

Receive the trend data for the performance measures and compare it against the original agreement with the provider. Develop a variance analysis and repeat the cycle. If there is a negative variance in a measure for a prolonged duration, then there is an issue: there is a risk that the provider continues to underperform and impacts the core IT operation.

Vendor Financial stability risk

I would not have come up with this as one of the potential risk items before the Satyam scandal. I would not even have considered it before the scandal.

  • Participate in quarterly earnings calls
  • Study the provider's balance sheet
  • Study the probability of liquidation or insolvency
  • Identify your contribution percentage to the provider's bottom line
  • Identify their auditors' reputation

Vendor strategy risk

Request that the vendor provide their corporate strategy and make sure their direction is aligned with your expectation of their service. If the provider's corporate strategy is to get out of the service business and sell software products, then an organization currently receiving the provider's service needs to know that. There is a risk that the provider will not focus on the service in the near future and their service quality will deteriorate.

Vendor cultural risk

It is a philosophical discussion. It depends on the philosophy you believe in. A few believe that partners with the same behaviour will lead to a stronger, longer marriage, and a few believe the opposite. I have an unpublished paper on “Q-learning algorithm for a quick and better mutual understanding of marital partners in the east Indian arranged marriage culture”. Two years after my arranged marriage (I saw my wife a week before my marriage) I wrote this paper. This paper assumes that both partners have a commitment before the marriage that, no matter what happens, they are going to make their marriage successful.

I will leave the vendor cultural risk assessment up to your belief. Whatever you believe, the vendor cultural risk must be assessed.

Vendor Geo-political risk

The majority of outsourcing players are from India. Geo-political risk for an outsourcing project has always been a factor. When it comes to the analysis of the risk and probability of occurrence, it used to score very low. In the recent past, as mentioned in my previous blog, it has been elevated.

Vendor take over risk

In the financial world, when a small fish swims with strong cash gills, the big fish will swallow it for good.

The risks identified above are the major risks I could think of. There are a few other risks, like provider employee retention. Those risks can be amplified based on the type of organization you are in. I have heard many times that business knowledge, like electronic fund transfer (EFT) knowledge, will be lost if the provider keeps losing their employees. In my opinion, those are very insignificant risks because EFT can be learned by any programmer very quickly. However, there are areas like outsourced development of a 3D drafting package. Systems like this need extensive analytical geometry and mathematical knowledge, programming language knowledge, device driver knowledge, etc. It is very difficult to get people with all the skills: mathematicians with extensive hands-on computer engineering experience and executive-level communication skills. The initial training for this kind of development would take 8 – 10 months. These are rare cases and I'm not going to expand on them.

Step V: Risk analysis

All the above identified risks should have:

  • Probability of occurrence
  • Cost of business impact if the risk becomes an issue
  • Risk treatment
    • Avoidance
    • Reduction
    • Transfer
    • Retention (accept it)
  • A plan for the avoidance, reduction and transfer risk treatments

Step VI: Residual Risk Matrix

The residual risk matrix is the consolidated vendor risk exposure of the organization.

Step VII: Monitor Residual Risk Matrix

A dedicated team and process should monitor the residual risk matrix of the organization.

Step VIII: Reporting

Report the RRM to the CIO, the steering committee and the operating committee of vendor management for proactive, informed decisions.

Basic introduction to Gabor Transformation

It is very challenging to use the WordPress LaTeX plugin to write a mathematical article in WordPress. It is not impossible, but it is very challenging, and I realized it in my attempt to write an explanation of the Schrödinger equation.

I am looking at how to apply Gabor transformation/filters in credit risk management. Here is my attempt to explain the basics of the Gabor transformation and a step-wise proof that Gabor functions hold the minimum uncertainty in the joint time–frequency domain. Please click the following link for the details.

I wrote it in a PDF; please CLICK this link.

High Demand IT jobs in 2009

In a recent study by a well-known IT industry research firm, analysts (the authors of the paper) identified a list of IT roles that are hard to fill even in this market. In the paper, the top of the list is enterprise architect. The EA role is hard to fill even in this poor job market. The report also stated that demand for enterprise architects grew in 2008 and predicted that it will continue to grow in 2009. The sample taken in the study is in the range of 250 companies.

Why do companies hire enterprise architects even in this poor job market? Here is my rationale.

  1. Enterprise architecture is not like a programming or administration skill. It cannot be mastered by undergoing a certification process. It is a well-balanced combination of IT and business knowledge to assist the senior executives in identifying the discretionary and mandatory spend of the organization.
  2. Cost optimization ideas are most needed and common in this economic climate, and the enterprise architect plays a significant role. Enterprise architects are able to come up with out-of-the-box ideas to sustain the business in the current market conditions. The specific ideas depend on the industry. To amplify the above point, let me take the BFSI industry. A seasoned enterprise architect in the BFSI industry will understand the major drivers of the business and propose an investment strategy to the office of the CIO. To be more precise, in this credit market, consumer lending companies should look for refined credit scorecards, and the EA would recommend to the executive management office that the systems in the IT landscape be flexible enough to accommodate the changes needed to support the credit scorecard. The EA would influence the executive steering committee of the investment strategy team to assign more weight to the credit scorecard project, since it has a direct impact on the bottom line of the lending business. In some cases, based on the depth of their business knowledge, EAs are even in a good position to recommend to the credit risk management team of the lending company the various non-traditional credit scorecard options that fit the current economic situation. Instead of the traditional logistic regression credit scoring model, they would be in a better position to recommend how joint time–frequency analysis (like wavelet analysis, Gabor transformation, short-time Fourier transform, etc.) can be applied, particularly in this economy. There is no standard scoring model available that analyzes the behavior of the credit market in the joint time and frequency domains, and such a model is very appropriate in this economic situation.

IT Risk Management – An Elevated view

Risk management is part of any management science. (Period.) Any good project manager has a risk management plan for a project, team, organization, etc. A risk management plan is part of any management science (yes, I'm repeating myself to stress the point).

CIOs are part of the management team, and any good (or even an ordinary) CIO has a risk management plan for the overall IT organization.

It is a basic principle of business: more risk, more profit. At the same time, business is not pure gambling; sometimes it is calculated gambling. When it comes to gambling, it is taking chances. When you take chances blindly, it is gambling; when you take chances after your due diligence, it is business. Maybe I'm oversimplifying it, but that is the simple definition. If a bank wants to AVOID risk, the ONLY way to avoid risk 100% is NOT to do business. That is, not performing steps towards the organization's goal, mission and vision. The philosophical interpretation is: if you want no complaints, then be nothing and do nothing.

Do we not take chances every day? Yes, we take chances every minute. I know someone will not agree with what I'm saying. There is a risk of rejection from someone. To avoid it, the best approach is to stop expressing myself. By doing so, I can completely avoid the risk of rejection of my opinions, but I cannot accomplish my mission (blog as much as I can). The point I'm trying to make is that risk is part of any management science and it should be managed better.

How to manage IT risk better?

The residual risk matrix (RRM) for an IT organization's risk is one of the key metrics a CIO should have to get a clear picture of the probability of exposure. Before I jump into the RRM, let me explain the key components of enterprise IT risk management.

Components of enterprise IT Risk management

  • Compliance Risk
  • Infrastructure risk (including data center and business locations)
  • Project Risk
  • Security Risk
  • Financial Risk
  • Technology Risk
  • Process Risk
  • Competency Risk
  • Vendor Risk (service providers like infra service, right sourcing, etc.)
  • License Risk
  • Open source Risk
  • Business Risk

Steps to create an enterprise IT residual risk matrix (IT RRM)

  • Identify the known and known-unknown risks for each component of IT risk management
  • Devise a mitigation plan for each identified risk
  • Identify the cost of the mitigation plan
  • Identify the probability of the risk occurrence
  • Calculate the risk exposure (the risk the organization is exposed to after the mitigation plan)
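A worked residual risk matrix, added here as an illustration (not the post's own tool), covering both the Step V risk analysis attributes of the vendor post and the IT RRM steps above: each identified risk gets a probability of occurrence, a cost of business impact, one of the four treatments and a mitigation plan cost, and the matrix consolidates exposure per vendor before and after treatment. The vendor names and figures are constructed.

```python
from dataclasses import dataclass
from typing import Optional

TREATMENTS = ("avoid", "reduce", "transfer", "retain")  # the four treatments named above

@dataclass
class VendorRisk:
    vendor: str
    risk: str
    probability: float                            # probability of occurrence, 0..1
    impact: float                                 # cost of business impact if it becomes an issue
    treatment: str                                # one of TREATMENTS
    mitigation_cost: float = 0.0                  # cost of the avoidance/reduction/transfer plan
    residual_probability: Optional[float] = None  # probability after the plan (reduction)
    residual_impact: Optional[float] = None       # impact after the plan (e.g. transferred to insurance)
    def exposure(self) -> float:
        return self.probability * self.impact
    def residual_exposure(self) -> float:
        """Exposure left after treatment: avoid -> 0, retain -> unchanged, else residual p x i."""
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment == "avoid":
            return 0.0
        if self.treatment == "retain":
            return self.exposure()
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return p * i

def residual_risk_matrix(risks):
    """Consolidate per vendor: exposure before and after treatment, plus mitigation spend."""
    matrix = {}
    for r in risks:
        row = matrix.setdefault(r.vendor, {"exposure": 0.0, "residual": 0.0, "mitigation_cost": 0.0})
        row["exposure"] += r.exposure()
        row["residual"] += r.residual_exposure()
        row["mitigation_cost"] += r.mitigation_cost
    return matrix

def uneconomic_mitigations(risks):
    """Plans that cost more than the exposure they remove; retention may be the better treatment."""
    return [r.risk for r in risks if r.mitigation_cost > r.exposure() - r.residual_exposure()]

# Constructed sample data for illustration; vendors and figures are invented.
SAMPLE_RISKS = [
    VendorRisk("AllianceCo", "service level underperformance", 0.30, 200_000, "reduce", 25_000, residual_probability=0.10),
    VendorRisk("AllianceCo", "financial instability", 0.05, 1_000_000, "transfer", 15_000, residual_impact=200_000),
    VendorRisk("TreasurySoft", "vendor takeover", 0.10, 50_000, "retain"),
    VendorRisk("TreasurySoft", "strategy shift away from service", 0.20, 30_000, "reduce", 10_000, residual_probability=0.15),
]
```

Running `residual_risk_matrix(SAMPLE_RISKS)` gives AllianceCo an exposure of 110,000 reduced to a residual of 30,000 for 40,000 of mitigation spend, while `uneconomic_mitigations` flags the TreasurySoft strategy plan, whose 10,000 cost removes only 1,500 of exposure.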

The IT Residual Risk Matrix provides an elevated view to executive management of the exposed IT risk.