The trial lecture from my PhD defense with the original topic: Present and discuss relevant conceptualizations of risk and control in business organizations relevant to the process of OSS adoption
Trial lecture - Risk Management and Open Source Software Adoption - Øyvind Hauge
1. Conceptualizations of risk and control in business organizations relevant to the process of OSS adoption Trial lecture Øyvind Hauge oyvind.hauge@idi.ntnu.no
2. 53.3% of the respondents thought computer breakdowns were a major concern (Coleman, 2006)
The local hospital was in 2006 a full day without ICT support and a week without wireless phone
Denver Airport, Computerized Baggage Handling fails, 1995 -> costs up to $1 million per day
Therac-25, 1985-1987, overdoses of radiation leading to three deaths
3. Table of contents: The scope of this presentation; Risk and control; Ways of controlling risk; Risk and control related to OSS adoption
4. Present and discuss relevant conceptualizations of risk and control in business organizations relevant to the process of OSS adoption SE & IS
5. Business organization
Is a legal entity (private or public)
Has a: Mission to provide either goods or services; Owner; Budget
Variations in: Size; Domain; Country; Organization form; Geographical distribution; …
6. Table of contents: The scope of this presentation; Risk and control; Ways of controlling risk; Risk and control related to OSS adoption
7. Risk: The effect of uncertainty on objectives; the effect may be positive or negative; Risk = Probability * Cost; involves uncertainty. Diagram labels: Event, Causes/threats, Consequences. ISO Guide 73:2009, Aven (2009)
16. Planning and control. Scott and Vessey (2002), Wallace et al. (2004), Karolak (1996)
17. "Typical" software risks
Baccarini et al. (2004) – IT projects: Personnel shortfall; Unreasonable schedule and budget; Unrealistic expectations; Incomplete requirements; Diminishing window of opportunity
Boehm (1991) – Software risks: Personnel shortfall; Unreasonable schedule and budget; Developing the wrong functions and properties; Developing the wrong user interface; Gold-plating; Changing requirements; Shortfall in externally furnished components; Shortfall in externally performed task; Real-time performance shortfalls; Straining computer science capabilities
Aloini et al. (2007) – ERP systems: Inadequate product selection; Ineffective strategic thinking and planning; Ineffective project management techniques; Bad managerial conduct; Inadequate change management; Inadequate training and instruction; Poor project team skills; Inadequate Business Process Re-engineering; Low top management involvement; Low key user involvement
Chatzoglou and Diamantidis (2009) – IT/IS implementation: Management ability; Information integrity; Controllability; Exclusivity
18. Few risks are technical
19. Risks: Negative impact on objectives; may come from a number of sources; the most important risks are not related to the technology
20. Control: Measures that are modifying risk; prevent; reduce consequences. Diagram labels: Event, Causes/threats, Consequences. ISO Guide 73:2009
21. Table of contents: The scope of this presentation; Risk and control; Ways of controlling risk (Risk management; Real Option Theory; Processes and standardization); Risk and control related to OSS adoption
22. 1. Risk management: Coordinated activities to direct and control an organization with regard to risk. Aven (2008), ISO Guide 73:2009
24. Not all risk can be controlled Hanseth and Ciborra (2007), Forester (1989)
25. The norm of risk management GALE (Globally At Least Equivalent) ALARP (As Low As Reasonably Probable) Stålhane and Skramstad (2006), Aven (2009)
26. Traditional risk analysis. Baskerville and Stage (1996), Karolak (1996), Boehm (1991), Holmgren and Thedéen (2009)
27. Risk identification: What can go wrong? Group discussions; SWOT analysis; Brainstorming; Expert panels; Earlier experiences; References; Checklists. McManus (2004), Boehm (1991)
28. Risk avoidance/mitigation: Find root causes of risks; Deal with root causes or reduce consequences; Sell risk to 3rd party; Expertise (train/hire); Introduce barriers; Design the risk out of the solution; Buy information, e.g. proof of concept. Lane (1998), Boehm (1991)
29. 2. Real Option Theory: Add flexibility and options proactively; options may be used but they don't have to be. Benaroch et al. (2007), Erdogmus and Favaro (2002)
30. First date at a steakhouse; the date is a vegetarian. Menu: option 1. Steak
First date at a restaurant serving different dishes; the date is a vegetarian. Menu: option 1. Steak; option 2. Salad; option 2. Fish
31. Options for IT projects. The option to: Defer; Explore; Stage; Change-Scale; Abandon; Outsource; Lease; Strategic-Grow. Benaroch et al. (2007), Erdogmus and Favaro (2002)
40. Risk, control and OSS adoption
Non-technical risks are the most important
OSS risks are therefore not the most prominent ones
What is relevant to IT adoption and development is also relevant to OSS: Risk management; Alternatives; Standards, tools, and processes
OSS experience: to analyse the use of OSS in the context
41. "software risks can be best managed by combining specific risk management considerations with a detailed understanding of the environmental context and with sound managerial practices, such as relying on experienced and well-educated project managers and launching correctly sized projects" (Ropponen and Lyytinen, 2000, p.98).
42. References
Davide Aloini, Riccardo Dulmin, and Valeria Mininno, Risk management in ERP project introduction: Review of the literature, Information & Management, 2007:44, pages 547-567
Terje Aven, 2008, Risk Analysis: Assessing Uncertainties Beyond Expected Values and Probabilities, Wiley
Terje Aven, 2009, Risk Management, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
David Baccarini, Geoff Salm, and Peter E.D. Love, Management of risks in information technology projects, Industrial Management & Data Systems, 2004:104(4), pages 286-295
Michel Benaroch, Yossi Lichtenstein, Karl Robinson, Real options in information technology risk management: an empirical validation of risk-option relationships, MIS Quarterly, 2006:30(4)
Yegor Bugayenko, 2009, Competitive Risk Identification Method for Distributed Teams, in Olly Gotel, Mathai Joseph, and Bertrand Meyer (editors), Software Engineering Approaches for Offshore and Outsourced Development - Proceedings of the Third International Conference, SEAFOOD 2009, Zurich, Switzerland, Springer
Richard L. Baskerville and Jan Stage, Controlling Prototype Development through Risk Analysis, MIS Quarterly, 1996:20(4), pages 481-504
Barry W. Boehm, Software Risk Management: Principles and Practices, IEEE Software, 1991:8(1), pages 32-41
Prodromos D. Chatzoglou and Anastasios D. Diamantidis, IT/IS implementation risks and their impact on firm performance, International Journal of Information Management, 2009:29, pages 119-128
Les Coleman, 2006, Why Managers and Companies Take Risks, Springer
John Forester, 1989, Planning in the Face of Power, University of California Press
Hakan Erdogmus and John Favaro, 2002, Keep Your Options Open: Extreme Programming and Economics of Flexibility, in G. Succi, M. Marchesi, L. Williams, D. Wells (editors), XP Perspectives, Addison Wesley
43. References
Ole Hanseth and Claudio Ciborra (editors), 2007, Risk Complexity and ICT, Edward Elgar Publishing Limited
Øyvind Hauge, Daniela S. Cruzes, Reidar Conradi, Ketil Sandanger Velle and Tron André Skarpenes, Risks and Risk Mitigation in Open Source Software Adoption: Bridging the Gap between Literature and Practice, in: Proceedings of the 6th IFIP Working Group 2.13 International Conference on Open Source Systems (OSS2010) - Open Source Software: New Horizons, May 30th-June 2nd, Notre Dame, USA, pages 105-118, Springer, 2010
Åke J. Holmgren and Torbjörn Thedéen, 2009, Risk Analysis, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
ISO 31000:2009, Risk management -- Principles and guidelines, http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170
ISO Guide 73:2009, Risk Management Vocabulary, http://www.iso.org/iso/catalogue_detail?csnumber=44651
Capers Jones, 1994, Assessment and Control of Software Risks, Yourdon Press http://www.springerlink.com/content/q0j808/
Christel Lane, 1998, Introduction: theories and issues in the study of trust, in Christel Lane and Reinhard Bachmann (editors), Trust within and between organisations, Oxford: Oxford University, pages 1–30
John McManus, 2004, Risk Management in Software Development Projects, Elsevier
Janne Ropponen and Kalle Lyytinen, Components of software development risk: how to address them? A project manager survey, IEEE Transactions on Software Engineering, 2000:26(2), pages 98-112
Marvin Rausand, 1991, Risikoanalyse Veiledning til NS 8514, Tapir
Judy E. Scott and Iris Vessey, Managing Risks in Enterprise Systems Implementations, Communications of the ACM, 2002:45(4)
Thomas Stober and Uwe Hansmann, 2009, Agile Software Development, Springer
Tor Stålhane and Torbjørn Skramstad, Presentation for Workshop at EuroSPI 2006
Linda Wallace, Mark Keil, and Arun Rai, Understanding software project risk: a cluster analysis, Information & Management, 2004:42, pages 115-125