
Trial lecture - Risk Management and Open Source Software Adoption - Øyvind Hauge


The trial lecture from my PhD defense with the original topic: Present and discuss relevant conceptualizations of risk and control in business organizations relevant to the process of OSS adoption

Published in: Technology, Business

  1. Conceptualizations of risk and control in business organizations relevant to the process of OSS adoption
     Trial lecture, Øyvind Hauge
     oyvind.hauge@idi.ntnu.no
  2. 53.3% of the respondents thought computer breakdowns were a major concern (Coleman, 2006)
     In 2006 the local hospital went a full day without ICT support and a week without wireless phones
     Denver Airport, computerized baggage handling fails, 1995 -> costs up to $1 million per day
     Therac-25, 1985-1987, overdoses of radiation leading to three deaths
  3. Table of contents
     The scope of this presentation
     Risk and control
     Ways of controlling risk
     Risk and control related to OSS adoption
  4. Present and discuss relevant conceptualizations of risk and control in business organizations relevant to the process of OSS adoption
     SE & IS
  5. Business organization
     Is a legal entity (private or public)
     Has a
       Mission to provide either goods or services
       Owner
       Budget
     Variations in
       Size
       Domain
       Country
       Organization form
       Geographical distribution
       …
  6. Table of contents
     The scope of this presentation
     Risk and control
     Ways of controlling risk
     Risk and control related to OSS adoption
  7. Risk
     The effect of uncertainty on objectives
     The effect may be positive or negative
     Risk = Probability * Cost
     Involves uncertainty
     Event
     Causes/threats
     Consequences
     ISO Guide 73:2009, Aven (2009)
  8. Types of risk
     - Technical
     - Cost
     - Schedule
     - Organizational environment
     - User
     - Team
     - Requirement
     - Project complexity
     - Planning and control
     Scott and Vessey (2002), Wallace et al. (2004), Karolak (1996)
  17. "Typical" software risks
     Baccarini et al. (2004) – IT projects: Personnel shortfall; Unreasonable schedule and budget; Unrealistic expectations; Incomplete requirements; Diminishing window of opportunity
     Boehm (1991) – Software risks: Personnel shortfall; Unreasonable schedule and budget; Developing the wrong functions and properties; Developing the wrong user interface; Gold-plating; Changing requirements; Shortfall in externally furnished components; Shortfall in externally performed tasks; Real-time performance shortfalls; Straining computer science capabilities
     Aloini et al. (2007) – ERP systems: Inadequate product selection; Ineffective strategic thinking and planning; Ineffective project management techniques; Bad managerial conduct; Inadequate change management; Inadequate training and instruction; Poor project team skills; Inadequate Business Process Re-engineering; Low top management involvement; Low key user involvement
     Chatzoglou and Diamantidis (2009) – IT/IS implementation: Management ability; Information integrity; Controllability; Exclusivity
  18. Few risks are technical
     Baccarini et al. (2004) – IT projects: Personnel shortfall; Unreasonable schedule and budget; Unrealistic expectations; Incomplete requirements; Diminishing window of opportunity
     Boehm (1991) – Software risks: Personnel shortfall; Unreasonable schedule and budget; Developing the wrong functions and properties; Developing the wrong user interface; Gold-plating; Changing requirements; Shortfall in externally furnished components; Shortfall in externally performed tasks; Real-time performance shortfalls; Straining computer science capabilities
     Aloini et al. (2007) – ERP systems: Inadequate product selection; Ineffective strategic thinking and planning; Ineffective project management techniques; Bad managerial conduct; Inadequate change management; Inadequate training and instruction; Poor project team skills; Inadequate Business Process Re-engineering; Low top management involvement; Low key user involvement
     Chatzoglou and Diamantidis (2009) – IT/IS implementation: Management ability; Information integrity; Controllability; Exclusivity
  19. Risks
     Negative impact on objectives
     May come from a number of sources
     The most important risks are not related to the technology
  20. Control
     Measures that are modifying risk
       Prevent
       Reduce consequences
     Event
     Causes/threats
     Consequences
     ISO Guide 73:2009
  21. Table of contents
     The scope of this presentation
     Risk and control
     Ways of controlling risk
       Risk management
       Real Option Theory
       Processes and standardization
     Risk and control related to OSS adoption
  22. 1. Risk management
     Coordinated activities to direct and control an organization with regard to risk
     Aven (2008), ISO Guide 73:2009
  24. Not all risk can be controlled
     Hanseth and Ciborra (2007), Forester (1989)
  25. The norm of risk management
     GALE (Globally At Least Equivalent)
     ALARP (As Low As Reasonably Probable)
     Stålhane and Skramstad (2006), Aven (2009)
  26. Traditional risk analysis
     Baskerville and Stage (1996), Karolak (1996), Boehm (1991), Holmgren and Thedéen (2009)
  27. Risk identification: What can go wrong?
     Group discussions
     SWOT analysis
     Brainstorming
     Expert panels
     Earlier experiences
     References
     Checklists
     McManus (2004), Boehm (1991)
  28. Risk avoidance/mitigation
     Find root causes of risks
     Deal with root causes or reduce consequences
     Sell risk to 3rd party
     Expertise (train/hire)
     Introduce barriers
     Design the risk out of the solution
     Buy information, e.g. proof of concept
     Lane (1998), Boehm (1991)
  29. 2. Real Option Theory
     Add flexibility and options proactively
     Options may be used but they don't have to
     Benaroch et al. (2007), Erdogmus and Favaro (2002)
  30. First date at a steakhouse
     The date is a vegetarian
     Menu option 1. Steak
     Menu option 1. Steak
     First date at a restaurant serving different dishes
     The date is a vegetarian
     Menu option 2. Salad
     Menu option 2. Fish
  31. Options for IT projects
     The option to:
       Defer
       Explore
       Stage
       Change-Scale
       Abandon
       Outsource
       Lease
       Strategic-Grow
     Benaroch et al. (2007), Erdogmus and Favaro (2002)
  32. 3. Processes and standardization
     Processes
     Tool support
     Techniques
     Standards
     In software development
     - RUP, CMMI, Cleanroom, …
     - Revision control, issue tracking, automated building, …
     - Design patterns, code refactoring, pair programming, …
     - For code, documentation, requirements, …
     Just in time – lean – agile
     Earlier value and more options
     Karolak (1996), Stober and Hansmann (2009), Erdogmus and Favaro (2002)
  37. Table of contents
     The scope of this presentation
     Risk and control
     Ways of controlling risk
     Risk and control related to OSS adoption
  38. OSS Adoption
  39. OSS Adoption
     Hauge et al. (2010)
  40. Risk, control and OSS adoption
     Non-technical risks are the most important
     OSS risks are therefore not the most prominent ones
     Relevant to IT adoption and development also relevant to OSS
       Risk management
       Alternatives
       Standards, tools, and processes
     OSS experience: to analyse the use of OSS in the context
  41. "software risks can be best managed by combining specific risk management considerations with a detailed understanding of the environmental context and with sound managerial practices, such as relying on experienced and well-educated project managers and launching correctly sized projects" (Ropponen and Lyytinen, 2000, p.98).
  42. References
     Davide Aloini, Riccardo Dulmin, and Valeria Mininno, Risk management in ERP project introduction: Review of the literature, Information & Management 2007:44, pages 547-567
     Terje Aven, 2008, Risk Analysis: Assessing Uncertainties Beyond Expected Values and Probabilities, Wiley
     Terje Aven, 2009, Risk Management, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
     David Baccarini, Geoff Salm, and Peter E.D. Love, Management of risks in information technology projects, Industrial Management & Data Systems 2004:104(4), pages 286-295
     Michel Benaroch, Yossi Lichtenstein, Karl Robinson, Real options in information technology risk management: an empirical validation of risk-option relationships, MIS Quarterly 2006:30(4)
     Yegor Bugayenko, 2009, Competitive Risk Identification Method for Distributed Teams, in Olly Gotel, Mathai Joseph, and Bertrand Meyer (editors), Software Engineering Approaches for Offshore and Outsourced Development - Proceedings of the Third International Conference, SEAFOOD 2009, Zurich, Switzerland, Springer
     Richard L. Baskerville and Jan Stage, Controlling Prototype Development through Risk Analysis, MIS Quarterly, 1996:20(4), pages 481-504
     Barry W. Boehm, Software Risk Management: Principles and Practices, IEEE Software, 1991:8(1), pages 32-41
     Prodromos D. Chatzoglou and Anastasios D. Diamantidis, IT/IS implementation risks and their impact on firm performance, International Journal of Information Management, 2009:29, pages 119-128
     Les Coleman, 2006, Why Managers and Companies Take Risks, Springer
     John Forester, 1989, Planning in the Face of Power, University of California Press
     Hakan Erdogmus and John Favaro, 2002, Keep Your Options Open: Extreme Programming and Economics of Flexibility, in G. Succi, M. Marchesi, L. Williams, D. Wells (editors), XP Perspectives, Addison Wesley
  43. References
     Ole Hanseth and Claudio Ciborra (editors), 2007, Risk Complexity and ICT, Edward Elgar Publishing Limited
     Øyvind Hauge, Daniela S. Cruzes, Reidar Conradi, Ketil Sandanger Velle and Tron André Skarpenes, Risks and Risk Mitigation in Open Source Software Adoption: Bridging the Gap between Literature and Practice, in: Proceedings of the 6th IFIP Working Group 2.13 International Conference on Open Source Systems (OSS2010) - Open Source Software: New Horizons, May 30th-June 2nd, Notre Dame, USA, pages 105-118, Springer, 2010
     Åke J. Holmgren and Torbjörn Thedéen, 2009, Risk Analysis, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
     ISO 31000:2009, Risk management -- Principles and guidelines, http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170
     ISO Guide 73:2009, Risk Management Vocabulary, http://www.iso.org/iso/catalogue_detail?csnumber=44651
     Casper Jones, 1994, Assessment and Control of Software Risks, Yourdon Press
     http://www.springerlink.com/content/q0j808/
     Christel Lane, 1998, Introduction: theories and issues in the study of trust, in Christel Lane and Reinhard Bachmann (editors), Trust within and between organisations, Oxford: Oxford University, pages 1–30
     John McManus, 2004, Risk Management in Software Development Projects, Elsevier
     Janne Ropponen and Kalle Lyytinen, Components of software development risk: how to address them? A project manager survey, IEEE Transactions on Software Engineering, 2000:26(2), pages 98-112
     Marvin Rausand, 1991, Risikoanalyse Veiledning til NS 8514, Tapir
     Judy E. Scott and Iris Vessey, Managing Risks in Enterprise Systems Implementations, Communications of the ACM, 2002:45(4)
     Thomas Stober and Uwe Hansmann, 2009, Agile Software Development, Springer
     Tor Stålhane and Torbjørn Skramstad, Presentation for Workshop at EuroSPI 2006
     Linda Wallace, Mark Keil, and Arun Rai, Understanding software project risk: a cluster analysis, Information & Management, 2004:42, pages 115-125
