1. Strengthen Project Management Frameworks:
· Use Gantt Charts, PERT Networks, and Work Breakdown Structures (WBS) for task planning and progress tracking.
· Monitor budget deviations using Earned Value Analysis (EVA).
2. Implement Strict Change Management:
· Establish a change control process, with a “Change Advisory Board” to assess the impact of changes on scope, cost, and timelines (as mentioned in the “File Updating and Maintenance Authorization” section).
3. Define Roles and Responsibilities:
· Clearly define roles such as project owners, project managers, and quality assurance (QA) teams (the “Project Management Roles and Responsibilities” table).
4. Risk and Quality Control:
· Implement Data Validation Edits (range checks, reasonableness checks) and Processing Controls (run-to-run total verification).
· Ensure compliance of outsourced services through SOC Reports and Third-Party Audits (the “Outsourcing and Third-Party Audit Reports” section).
5. Leverage Technology and Tools:
· Use CASE Tools and Fourth-Generation Languages (4GLs) to improve development efficiency while ensuring compatibility with existing processes.
1. Failure to make decisions
Responsibilities are scattered and there are no clear decision-makers.
Projects are decided by committees, leading to inefficiencies.
2. People management failure
The project team is disconnected from the business needs.
Project teams hide problems and risk builds up.
3. Design and requirement definition failure
The goal is too ambitious and not properly broken down.
Project requirements are unclear, resulting in frequent changes during development.
4. Project management failure
Failure to identify, track and mitigate key risks in a timely manner.
The change management mechanism is not sound, and the frequent change of requirements leads to the project getting out of control.
5. Supplier management failure
Improper supplier selection leads to project delays or cost overruns.
The unclear terms of the contract lead to unclear division of responsibilities.
Appoint a clear leader to take responsibility and make quick decisions.
Conduct thorough requirement analysis to ensure alignment between business and technical teams.
Enhance risk management, regularly reviewing progress to detect and resolve issues early.
Control changes, evaluating their impact on budget and timelines before approval.
Choose reliable vendors with proven experience, and ensure contracts are transparent.
Conduct post-project reviews to learn from mistakes and improve future projects.
1. Change Control: Regularly evaluate change control to ensure effective control over access to coding and program changes.
2. Application Development: For applications developed in-house, be particularly cautious and ensure the accuracy of critical calculations.
3. Logical Access Control: Evaluate logical access controls to ensure effective Segregation of Duties (SoD) and the principle of least privilege.
4. Third-Party Supplier Management: Ensure that outsourced services to third-party providers have adequate controls in place and conduct regular audits.
5. Business Continuity and Disaster Recovery Planning: Develop and regularly update business continuity and disaster recovery plans to ensure rapid restoration of operations following a system failure.
6. Continuous Learning and Education: Ensure that the IT governance team has the necessary knowledge and skills, with effective oversight provided by the Board of Directors or an IT steering committee.
Measures that an organization can take to control the risk of information systems (IS) project failure include: strict vendor evaluation to avoid failure due to problems on the vendor’s side; clarifying its own requirements and standards to avoid errors due to unclear requirements; building a cross-functional team to ensure efficient decision-making; adopting an adaptive development approach to ensure that it fits the company’s model and size, etc.; strengthening testing and user involvement to ensure that the product is easy to use and user-friendly when it goes live; ensuring that problems are fixed and documented after it is in use; and controlling the risk of outsourcing. Enhance testing and user participation to ensure that the product is easy to use and suits the user’s operation; after the product enters use, you need to ensure that problems are fixed in a timely manner and that records are kept; you also need to control the risk of outsourcing, and the multiple comparisons for assessing the skills and experience of multiple vendors described in the book can be used to diversify the risk of subcontracting.
First, start by determining if the program has been designed and communicated to all key personnel. It is also crucial to ask whether the scope and limits of the project have been clarified and whether the project will end up with the desired outcome. Then, are the senior leaders responsible for the project aware of the true needs of the business, and is the project led by an experienced project manager? Also, there needs to be a single point of accountability on the team for the outcome of the project. And most importantly, do the project team members have sufficient competence and experience, is the project adequately funded, and does the project have a comprehensive risk management strategy? These are all things that need to be accomplished by the organization to control risk.
Organizations should stress the importance of clearly defining the project scope and objectives, ensuring that all key stakeholders agree before the project begins. In addition, organizations should promote a culture of open communication, encouraging team members to report issues promptly rather than hiding them. Furthermore, it may be necessary to identify specific decision-makers and establish a clear chain of responsibility to avoid relying too much on committees or lacking leadership. To improve project discipline, organizations should conduct regular progress reviews, manage risks effectively, and set achievable milestones. Concerning supplier management, it is essential to ensure that contract terms are unambiguous, supplier selection is based on cost-effectiveness, and transparent communication is maintained. —Sabrina_ZHANG Ruizhen
Controlling IS project risks requires a holistic approach that balances technical rigor, strong governance, stakeholder collaboration, and organizational agility. By embedding risk management into every phase—from planning to post-implementation—organizations can reduce failure rates and deliver systems that align with business needs. Learning from past mistakes and fostering a culture of transparency and adaptability are critical to long-term success.
Establish effective project governance: As suggested in “CISA® Official Review Manual 28th Edition”, organizations should establish proper project governance structures, policies, and procedures. This includes having a clear definition of IT risk, controls, and standards, and ensuring that project decisions are driven by the business case. For example, a project steering committee should be established to provide overall direction and ensure appropriate representation of major stakeholders.
Conduct thorough requirements analysis: Organizations should ensure that requirements are properly defined, documented, and validated. In “CISA® Official Review Manual 28th Edition”, it is emphasized that in the requirements definition phase, the project team should identify and consult stakeholders, analyze requirements to detect and correct conflicts, and verify that requirements are complete, consistent, and testable. “Modern systems analysis and design” also highlights the importance of involving users in the requirements determination process to ensure that the system meets their needs.
Implement risk management processes: As stated in “CISA® Official Review Manual 28th Edition”, organizations should identify, assess, and mitigate various risks associated with IS projects. The project sponsor and manager should be responsible for mitigating different types of risks. For example, the project sponsor is responsible for mitigating risks that impact business benefits, while the project manager is responsible for project-specific risks. Regular risk analysis should be performed in each project phase.
Select appropriate technology: When choosing technology for an IS project, organizations should consider various factors. In “CISA® Official Review Manual 28th Edition”, factors such as cost-effectiveness, compatibility with existing systems, and future growth needs are mentioned. In “Modern systems analysis and design”, when discussing software acquisition, criteria like functionality, vendor support, and flexibility are provided. Organizations should carefully evaluate these factors to select the most suitable technology for their projects.
1. Establish Clear Project Governance Structures: Organizations should establish governance structures that involve both the project and functional line organization. This ensures strategic and tactical alignment with the enterprise’s goals, objectives, and risk management strategy.
2. Implement Risk Management Strategies: Identify and assess risks early in the project lifecycle. Develop mitigation strategies for risks that could impact business benefits or the project itself. Regularly review and update risk management plans.
3. Ensure Quality Assurance: Implement quality assurance practices to verify and validate the system’s functionality. This includes conducting various levels of testing to ensure the system works as intended.
1) Identify key risk points (CRPs) in the project, such as system architecture errors, data privacy leakage, etc.
2) Centrally manage and monitor all relevant risks to ensure that potential problems are identified and resolved in a timely manner during project implementation.
2. Establish responsibility oriented management (RGM) framework:
1) Set up a clear resource allocation mechanism to distinguish between the main responsible parties at the highest level of internal responsibility (such as project managers, decision makers, etc.) and external support departments.
2) Determine the direct scope of responsibility of each main responsible party and clarify its specific tasks in the project.
3. Develop a Continuous Improvement Plan (DMP):
1) When implementing RGM, identify and control key resources (such as hardware, software and technology platforms) to ensure that these resources can be replenished and upgraded in a timely manner.
2) Regularly evaluate the work results of each responsible party and timely adjust the plan to cope with changes in risks.
4. Clarify communication channels and mechanisms:
1) Establish clear communication channels to allow internal and external stakeholders to communicate effectively and share project progress and risk information in a timely manner.
2) Ensure that each primary responsible party has the appropriate support and resources to deal with possible risks.
5. Implement a Continuous Improvement Method (DMM):
1) In the initial phase of the project, identify and control key resources and provide basic support for subsequent upgrades.
2) Improve system stability, scalability and performance through continuous improvement measures, and reduce dependence on external risks.
6. Regular review and evaluation:
1) Regularly review the implementation of RGM to ensure that the tasks of each responsible party are achieved.
2) Summarize the progress of the project, identify potential risks and adjust the plan to cope with changes.
1. Adopt effective project management practices: Establish a sound governance structure, policies, and procedures, and clarify the roles and responsibilities of each member of the project team, such as the project manager, steering committee, and various stakeholders. Use project management techniques such as Gantt charts or other resources.
2. Conduct a comprehensive feasibility study and business case analysis: Prior to project initiation, conduct a comprehensive feasibility study of solutions, determine alternative options, and conduct a cost-benefit analysis. Develop a detailed business case to provide sufficient justification for the project, and continuously review it throughout the project lifecycle to ensure its effectiveness.
1. Establish formal change process management.
2. Develop a comprehensive test plan and conduct a comprehensive test of the system.
3. Ensure effective communication between users and stakeholders.
4. Establish sound governance structure policies and procedures to identify project team members.
5. Select the appropriate development method according to the project requirements.
1. Establish a robust project governance structure that includes a project steering committee, project sponsor, project manager, and user management, each with clearly defined roles and responsibilities.
2. Implement effective project management practices that cover initiating, planning, executing, controlling, monitoring, and closing projects, ensuring alignment with organizational goals and objectives.
3. Use appropriate project management techniques and tools such as Gantt charts, critical path method (CPM), and Program Evaluation Review Technique (PERT) to schedule, monitor and control project activities.
4. Conduct thorough feasibility studies and business case analyses to justify the project’s strategic benefits, cost savings, and return on investment (ROI) before proceeding.
5. Adopt a suitable system development methodology such as the traditional waterfall, V-shaped, or iterative model, depending on the project’s requirements and the organization’s context.
6. Follow the SDLC phases, which include feasibility study, requirements definition, software selection and acquisition, design, configuration, development, final testing and implementation, and post-implementation review, ensuring each phase has defined activities, deliverables, and quality assurance measures.
7. Involve IS auditors in the project lifecycle to identify vulnerabilities, assess risks, and recommend appropriate controls to mitigate risks.
8. Implement rigorous testing procedures including unit testing, integration testing, system testing, and user acceptance testing (UAT) to ensure the system meets requirements and functions correctly.
Organizations should take the following measures to control the risk of IS project failure. For the department, ensure that the department and other key stakeholders have a clear understanding of how this project will impact the business and environment, and of how adjustments should be made after the project is launched. For the project, find senior management personnel who truly understand business needs and can achieve business benefits, who have sufficient time and experience to manage the project from start to end, and who can respond to project risks and make most decisions. The project also needs to be equipped with sufficient personnel. For the supplier, get to know each other and seek mutual benefit with suppliers, sign undisputed contracts with suppliers, explain the responsibilities that our department should fulfill in the project, and clarify which senior managers at the supplier can be contacted. Understand the qualifications of the supplier team, its past achievements with this technology, and its cost control.
For IS project failure, I think there are the following measures to control relevant risks:
1. Strengthen Planning and Project Management: organizations should attach great importance to planning and project management to ensure that project execution is orderly and completed on time and with high quality.
2. Enhance Technical Proficiency: organizations should encourage team members to continuously learn and update their technical knowledge to improve their ability to handle complex technical problems and ensure the smooth progress of the project.
3. Optimize Requirement Change Management: requirement changes are often inevitable. Organizations need to establish an effective requirement change management process. When requirements change, the development team should respond in a timely manner and conduct full communication and coordination with relevant parties to ensure that the project plan can be adjusted according to the changes, thereby controlling development costs and schedules.
4. Strengthen Risk Assessment and Control: organizations should integrate risk assessment and control throughout the entire process of project development to ensure the stable progress of the project.
To control the risks of Information System (IS) project failures, I think we can take the following measures.
1. Enhance project management: appoint experienced project managers, develop a detailed project plan, monitor progress regularly and communicate effectively.
2. Technical best practices: choose appropriate technologies, follow development standards, conduct rigorous testing and plan for scalability and maintenance.
3. External risk management: evaluate vendor reliability, stay informed about regulatory changes and plan for market changes.
1. Risk management and control, identifying risks, formulating policies and preventing risks;
2. Make normative plans, clarify the work direction, and stipulate the responsibilities of team members;
3. Choose a reliable company.
To control risks of IS project failures, organizations should avoid the five types of failures mentioned above with specific controls.
1. Design and Definition Failures.
Clarify project objectives and scope to prevent scope creep.
2. Decision Making Failures.
Assign a project leader to make decisions and create a decision-making process.
3. Project Discipline Failures.
Set reasonable project milestones and properly identify and assess potential risks encountered in the project.
4. Supplier Management Failures.
Establish a list of qualified suppliers and hold internal bidding and procurement committee meetings to agree on contractual completion dates, acceptance criteria, and cost limits.
5. People Failure.
Identify user needs and encourage team members to solve problems rather than hide risks.
Organizations should take the following actions to control these risks:
Firstly, review and evaluate the suppliers’ qualifications, including financial resources, technical feasibility and operational stability, to ensure the supplier can serve the project consistently.
Second, the organization should verify users’ requirements in the analysis stage to ensure the requirements are all satisfied and measurable.
Third, an objective and professional project manager can ensure decisions are made correctly and efficiently, in order to steer the project in the right direction.
Last, responses from tests and users will be necessary. In the implementation phase, tests can help systems achieve objectives of mitigating risk, providing management accountability over the effectiveness of the systems.
1. Establish risk awareness and risk culture
2. Comprehensively identify risks and establish a risk list
3. Scientifically assess risks and determine coping strategies
(1) Risk mitigation
(2) Risk prevention
(3) Transfer risk
(4) Avoid risks
(5) Accept risks
(6) Reserve risk
4. Make detailed plans to ensure effective response
5. Strengthen monitoring and adjustment to keep risks controllable
6. Strengthen communication and collaboration to form synergy
7. Summarize experience and lessons and make continuous improvement
1. Establish strong project governance with clear roles and accountability.
2. Use proven project management practices to align with business goals and manage resources effectively.
3. Conduct thorough risk assessments and implement mitigation strategies.
4. Ensure stakeholder engagement and clear communication throughout the project.
5. Monitor progress regularly and adjust plans as needed to address issues promptly.
6. Focus on delivering measurable business value and aligning IT investments with strategic objectives.
1. Clarify project details: Before project approval, make sure the department and key stakeholders understand the project’s business impact and post-launch changeability. Have a clear, fixed basic design accessible to key personnel and be aware of change-related costs.
2. Optimize staffing: Ensure proper project staffing from the start, with effective leadership, decision-making, and risk management capabilities. Maintain an adequate number of experienced project and “user” staff throughout.
3. Understand and manage stakeholders: Involve future technology users appropriately. Identify a senior manager responsible for business benefits and a senior decision maker accountable for project delivery.
4. Manage risks: Identify the project’s top ten risks and develop management and contingency plans. Differentiate between in-house and supplier-led projects in project structures, roles, and responsibilities.
5. Establish clear communication with suppliers: Comprehend suppliers’ business needs and commercial interests for mutual benefit. Define clear contract terms and ensure management information transparency.
6. Set clear expectations and monitor progress: Clearly understand business requirements and realistic expected results. Define failure assessment points and have plans for remedies or project termination.
1. Establish Strong Project Governance and Management
2. Implement Effective Requirements Management
3. Enforce Robust Change Control Processes
4. Adopt Appropriate Development Methodologies and Tools
5. Manage Resources and Risks Effectively
6. Ensure Adequate User Involvement
7. Conduct Comprehensive Testing and Acceptance
8. Implement Configuration and Release Management
9. Plan for Data Migration and System Changeover
Organizations can define clear goals, involve stakeholders, do proper planning, manage changes, and conduct regular reviews to control risks of IS project failures.
1. Clear requirements definition: Ensure that project requirements are well-defined, detailed, and agreed upon by all stakeholders before the project begins.
2. Effective project management:
Ensure that project resources (personnel, funds, and time) are allocated effectively.
Promote clear and timely communication among project team members and stakeholders.
Identify, assess, and manage project risks proactively.
3. Choose technology that is suitable for project requirements and the enterprise environment.
4. Avoid overly complex system designs to make the project more manageable and implementable.
5. Implement a structured change management process to control scope creep and ensure that changes are properly documented and approved.
6. Involve end-users in the project from the beginning to ensure that the final system meets their needs and is well-accepted.
7. Ensure that senior management is actively involved in and supportive of the project, providing necessary resources and prioritizing the project.
8. Conduct comprehensive system testing to identify and resolve issues before implementation.
9. Ensure that data conversion is complete and accurate during system migration to prevent issues with the new system’s functionality.
10. Post-implementation review
11. Continuous monitoring and improvement
12. Independent audit
Camellia_HUANG Jianwei
1. Strengthen Project Management Frameworks:
· Use Gantt Charts, PERT Networks, and Work Breakdown Structures (WBS) for task planning and progress tracking.
· Monitor budget deviations using Earned Value Analysis (EVA).
2. Implement Strict Change Management:
·Establish a change control process, with a“Change Advisory Board”to assess the impact of changes on scope, cost, and timelines ( as mentioned in the“File Updating and Maintenance Authorization” section).
3. Define Roles and Responsibilities:
.Clearly define roles such as project owners, project managers, and quality assurance (QA) teams ( the“Project Management Roles and Responsibilities” table).
4. Risk and Quality Control:
·Implement Data Validation Edits ( range checks, reasonableness checks) and Processing Controls ( run-to- run total verification).
· Ensure compliance of outsourced services through SOC Reports and Third-Party Audits ( the “Outsourcing and Third-Party Audit Reports” section).
5. Leverage Technology and Tools:
· Use CASE Tools and Fourth-Generation Languages (4GLs) to improve development efficiency while ensuring compatibility with existing processes.
1. Failure to make decisions
Responsibilities are scattered and there are no clear decision-makers.
Projects are decided by committees, leading to inefficiencies.
2. People management failure
The project team is disconnected from the business needs.
Project teams hide problems and risk builds up.
3. Design and requirement definition fail
The goal is too ambitious and not properly broken down.
Project requirements are unclear, resulting in frequent changes during development.
4. Project management failure
Failure to identify, track and mitigate key risks in a timely manner.
The change management mechanism is not sound, and the frequent change of requirements leads to the project getting out of control.
5. Supplier management failure
Improper supplier selection leads to project delays or cost overruns.
The unclear terms of the contract lead to unclear division of responsibilities.
Appoint a clear leader to take responsibility and make quick decisions.
Conduct thorough requirement analysis to ensure alignment between business and technical teams.
Enhance risk management, regularly reviewing progress to detect and resolve issues early.
Control changes, evaluating their impact on budget and timelines before approval.
Choose reliable vendors with proven experience, and ensure contracts are transparent.
Conduct post-project reviews to learn from mistakes and improve future projects.
1.Change Control: Regularly evaluate change control to ensure effective control over access to coding and program changes.
2.Application Development: For applications developed in-house, be particularly cautious and ensure the accuracy of critical calculations.
3.Logical Access Control: Evaluate logical access controls to ensure effective Segregation of Duties (SoD) and the principle of least privilege.
4.Third-Party Supplier Management: Ensure that outsourced services to third-party providers have adequate controls in place and conduct regular audits.
Business Continuity and Disaster Recovery Planning: Develop and regularly update business continuity and disaster recovery plans to ensure rapid restoration of operations following a system failure.
5.Continuous Learning and Education: Ensure that the IT governance team has the necessary knowledge and skills, with effective oversight provided by the Board of Directors or an IT steering committee.
Measures that an organization can take to control the risk of information systems (IS) project failure include: strict vendor evaluation to avoid failure due to problems on the vendor’s side; clarifying its own requirements and standards to avoid errors due to unclear requirements; building a cross-functional team to ensure efficient decision-making; adopting an adaptive development approach to ensure that it fits the company’s model size, etc.; strengthening testing and user involvement to ensure that the product is easy to use and user-friendly when it goes live; ensuring that problems are fixed and documented after it is in use; and controlling the risk of outsourcing. Enhance testing and user participation to ensure that the product is an easy-to-use product that meets the user’s operation; after entering the use of the product, you need to ensure that problems are fixed in a timely manner and keep files; you also need to control the risk of outsourcing, and multiple comparisons to assess the skills and experience of multiple vendors can be referenced in the book to diversify the risk of subcontracting behavior.
First, start by determining if the program has been designed and communicated to all key personnel. And, it is crucial to have questions about whether the scope and limits of the project have been clarified and whether the project will end up with the desired outcome. Then, are the senior leaders responsible for the project aware of the true needs of the business and the project need to be led by an experienced project manager. Also there needs to be a single point of accountability on the team for the outcome of the project. And most importantly, do the project team members have sufficient competence and experience, is the project adequately funded, and does the project have a comprehensive risk management strategy? These are all things that need to be accomplished by the organization to control risk.
Organizations should stress the importance of clearly defining the project scope and objectives, ensuring that all key stakeholders agree before the project begins. In addition, organizations should promote a culture of open communication, encouraging team members to report issues promptly rather than hiding them. Furthermore, It may be necessary to identify specific decision-makers and establish a clear chain of responsibility to avoid relying too much on committees or lacking leadership. To improve project discipline, organizations should conduct regular progress reviews, manage risks effectively, and set achievable milestones. Concerning supplier management, it is essential to ensure that contract terms are unambiguous, supplier selection is based on cost-effectiveness, and transparent communication is maintained. —Sabrina_ ZHANG Ruizhen
Controlling IS project risks requires a holistic approach that balances technical rigor, strong governance, stakeholder collaboration, and organizational agility. By embedding risk management into every phase—from planning to post-implementation—organizations can reduce failure rates and deliver systems that align with business needs. Learning from past mistakes and fostering a culture of transparency and adaptability are critical to long-term success.
Establish effective project governance: As suggested in “CISA® Official Review Manual 28th Edition”, organizations should establish proper project governance structures, policies, and procedures. This includes having a clear definition of IT risk, controls, and standards, and ensuring that project decisions are driven by the business case. For example, a project steering committee should be established to provide overall direction and ensure appropriate representation of major stakeholders.
Conduct thorough requirements analysis: Organizations should ensure that requirements are properly defined, documented, and validated. In “CISA® Official Review Manual 28th Edition”, it is emphasized that in the requirements definition phase, the project team should identify and consult stakeholders, analyze requirements to detect and correct conflicts, and verify that requirements are complete, consistent, and testable. “Modern systems analysis and design” also highlights the importance of involving users in the requirements determination process to ensure that the system meets their needs.
Implement risk management processes: As stated in “CISA® Official Review Manual 28th Edition”, organizations should identify, assess, and mitigate various risks associated with IS projects. The project sponsor and manager should be responsible for mitigating different types of risks. For example, the project sponsor is responsible for mitigating risks that impact business benefits, while the project manager is responsible for project-specific risks. Regular risk analysis should be performed in each project phase.
Select appropriate technology: When choosing technology for an IS project, organizations should consider various factors. In “CISA® Official Review Manual 28th Edition”, factors such as cost-effectiveness, compatibility with existing systems, and future growth needs are mentioned. In “Modern systems analysis and design”, when discussing software acquisition, criteria like functionality, vendor support, and flexibility are provided. Organizations should carefully evaluate these factors to select the most suitable technology for their projects.
1. Change Control: Regularly evaluate change control to ensure effective control over access to coding and program changes.
2. Application Development: For applications developed in-house, be particularly cautious and ensure the accuracy of critical calculations.
3. Logical Access Control: Evaluate logical access controls to ensure effective Segregation of Duties (SoD) and the principle of least privilege.
4. Third-Party Supplier Management: Ensure that outsourced services to third-party providers have adequate controls in place and conduct regular audits.
5. Business Continuity and Disaster Recovery Planning: Develop and regularly update business continuity and disaster recovery plans to ensure rapid restoration of operations following a system failure.
6. Continuous Learning and Education: Ensure that the IT governance team has the necessary knowledge and skills, with effective oversight provided by the Board of Directors or an IT steering committee.
1. Establish Clear Project Governance Structures: Organizations should establish governance structures that involve both the project and functional line organization. This ensures strategic and tactical alignment with the enterprise’s goals, objectives, and risk management strategy.
2. Implement Risk Management Strategies: Identify and assess risks early in the project lifecycle. Develop mitigation strategies for risks that could impact business benefits or the project itself. Regularly review and update risk management plans.
3. Ensure Quality Assurance: Implement quality assurance practices to verify and validate the system’s functionality. This includes conducting various levels of testing to ensure the system works as intended.
1. Clarify risk management objectives:
1) Identify key risk points (CRPs) in the project, such as system architecture errors, data privacy leakage, etc.
2) Centrally manage and monitor all relevant risks to ensure that potential problems are identified and resolved in a timely manner during project implementation.
2. Establish responsibility oriented management (RGM) framework:
1) Set up a clear resource allocation mechanism to distinguish between the main responsible parties at the highest level of internal responsibility (such as project managers, decision makers, etc.) and external support departments.
2) Determine the direct scope of responsibility of each main responsible party and clarify its specific tasks in the project.
3. Develop a Continuous Improvement Plan (DMP):
1) When implementing RGM, identify and control key resources (such as hardware, software and technology platforms) to ensure that these resources can be replenished and upgraded in a timely manner.
2) Regularly evaluate the work results of each responsible party and timely adjust the plan to cope with changes in risks.
4. Clarify communication channels and mechanisms:
1) Establish clear communication channels to allow internal and external stakeholders to communicate effectively and share project progress and risk information in a timely manner.
2) Ensure that each primary responsible party has the appropriate support and resources to deal with possible risks.
5. Implement Continuous Improvement Method (DMM):
1) In the initial phase of the project, identify and control key resources and provide basic support for subsequent upgrades.
2) Improve system stability, scalability and performance through continuous improvement measures, and reduce dependence on external risks.
6. Regular review and evaluation:
1) Regularly review the implementation of RGM to ensure that the tasks of each responsible party are achieved.
2) Summarize the progress of the project, identify potential risks and adjust the plan to cope with changes.
1. Adopt effective project management practices: Establish a sound governance structure, policies, and procedures; clarify the roles and responsibilities of each member of the project team, such as the project manager, steering committee, and various stakeholders. Use project management techniques like Gantt charts or other resources.
2. Conduct comprehensive feasibility study and business case analysis: Prior to project initiation, conduct a comprehensive feasibility study of solutions, determine alternative options, and conduct cost-benefit analysis. Develop a detailed business case to provide sufficient justification for the project, and continuously review it throughout the project lifecycle to ensure its effectiveness.
1. Establish formal change process management.
2. Develop a comprehensive test plan and conduct a comprehensive test of the system.
3. Ensure effective communication between users and stakeholders.
4. Establish sound governance structure policies and procedures to identify project team members.
5. Select the appropriate development method according to the project requirements.
1. Establish a robust project governance structure that includes a project steering committee, project sponsor, project manager, and user management, each with clearly defined roles and responsibilities.
2. Implement effective project management practices that cover initiating, planning, executing, controlling, monitoring, and closing projects, ensuring alignment with organizational goals and objectives.
3. Use appropriate project management techniques and tools such as Gantt charts, critical path method (CPM), and Program Evaluation Review Technique (PERT) to schedule, monitor and control project activities.
4. Conduct thorough feasibility studies and business case analyses to justify the project’s strategic benefits, cost savings, and return on investment (ROI) before proceeding.
5. Adopt a suitable system development methodology such as the traditional waterfall, V-shaped, or iterative model, depending on the project’s requirements and the organization’s context.
6. Follow the SDLC phases, which include feasibility study, requirements definition, software selection and acquisition, design, configuration, development, final testing and implementation, and post-implementation review, ensuring each phase has defined activities, deliverables, and quality assurance measures.
7. Involve IS auditors in the project lifecycle to identify vulnerabilities, assess risks, and recommend appropriate controls to mitigate risks.
8. Implement rigorous testing procedures including unit testing, integration testing, system testing, and user acceptance testing (UAT) to ensure the system meets requirements and functions correctly.
Organizations should take the following measures to control the risk of IS project failure. For the department, ensure that the department and other key stakeholders have a clear understanding of how this project will impact the business and environment, and how adjustments should be made after the project is launched. For the project, find senior management personnel who truly understand business needs and can achieve business benefits, with sufficient time and experience to manage from project start to project end, and who can respond to project risks and make most decisions. The project also needs to be equipped with sufficient personnel. For the supplier, get to know each other and benefit together with suppliers, sign undisputed contracts with suppliers, explain the responsibilities that our department should fulfill in the project, and clarify the senior managers of suppliers that can be contacted. Understand the qualifications of the supplier team, past achievements in this technology, and cost control.
1. Define Clear and Realistic Requirements
2. Implement Strong Project Management Practices
3. Ensure Adequate Resource Allocation
4. Foster Effective Communication
5. Conduct Thorough Testing
6. Adopt Robust Risk Management Practices
For IS project failure, I think there are the following measures to control relevant risks:
1. Strengthen Planning and Project Management: organizations should attach great importance to planning and project management to ensure that project execution is orderly and completed on time and with high quality.
2. Enhance Technical Proficiency: organizations should encourage team members to continuously learn and update their technical knowledge to improve their ability to handle complex technical problems and ensure the smooth progress of the project.
3. Optimize Requirement Change Management: requirement changes are often inevitable. Organizations need to establish an effective requirement change management process. When requirements change, the development team should respond in a timely manner and conduct full communication and coordination with relevant parties to ensure that the project plan can be adjusted according to the changes, thereby controlling development costs and schedules.
4. Strengthen Risk Assessment and Control: organizations should integrate risk assessment and control throughout the entire process of project development to ensure the stable progress of the project.
To control the risks of Information System (IS) project failures, I think we can take the following measures.
1. Enhance project management: appoint experienced project managers, develop a detailed project plan, monitor progress regularly and communicate effectively.
2. Technical best practices: choose appropriate technologies, follow development standards, conduct rigorous testing and plan for scalability and maintenance.
3. External risk management: evaluate vendor reliability, stay informed about regulatory changes and plan for market changes.
1. Risk management and control, identifying risks, formulating policies and preventing risks;
2. Make normative plans, clarify the work direction, and stipulate the responsibilities of team members;
3. Choose a reliable company.
To control risks of IS project failures, organizations should avoid the five types of failures mentioned above with specific controls.
1. Design and Definition Failures.
Clarify project objectives and scope to prevent scope sweeping.
2. Decision Making Failures.
Assign a project leader to make decisions and create a decision-making process.
3. Project Discipline Failures.
Set reasonable project milestones and properly identify and assess potential risks encountered in the project.
4. Supplier Management Failures.
Establish a list of qualified suppliers and hold internal bidding and procurement committee meetings to agree on contractual completion dates, acceptance criteria, and cost limits.
5. People Failure.
Identify user needs and encourage team members to solve problems rather than hide risks.
Organizations should take the following actions to control risks:
Firstly, review and evaluate the suppliers’ qualifications, including financial resources, technical feasibility and operational stability, to ensure the supplier can serve the project consistently.
Second, the organization should verify users’ requirements in the analysis stage to ensure the requirements are all satisfied and measurable.
Third, an objective and professional project manager can ensure decisions are made correctly and efficiently, in order to promote the project in the right direction.
Last, responses from tests and users will be necessary. In the implementation phase, tests can help systems achieve objectives of mitigating risk, providing management accountability over the effectiveness of the systems.
1. Laser-Focused Planning
· SMART Goals: Define specific outcomes (e.g., “Reduce order processing time by 30% in 6 months”).
· Stakeholder Workshops: Co-create requirements with end-users (e.g., agile user story mapping).
· Dynamic Scope Control: Freeze critical features upfront (MVP mindset) but allow iterative adjustments.
2. Agile Execution Framework
· Hybrid Methodologies: Blend waterfall milestones (e.g., regulatory sign-offs) with sprints for flexibility.
· Real-Time Monitoring: Use tools like Jira + Power BI dashboards to track:
  · Burndown rates
  · Resource utilization (e.g., dev hours vs. budget)
  · Risk heatmaps (prioritize high-impact threats).
3. Fail-Safe Quality Gates
· Shift-Left Testing: Embed QA in every sprint (e.g., automate 80% of test cases with Selenium).
· Compliance Checklists: Align with standards (GDPR, ISO 27001) before coding starts.
· Chaos Engineering: Simulate worst-case scenarios (e.g., AWS Fault Injection Simulator).
4. Human-Centric Governance
· Anti-Silo Tactics:
  · Daily standups with business + IT teams.
  · Pair programming for knowledge transfer.
· Change Adoption Kits:
  · Pre-launch training (e.g., SAP rollout with gamified learning modules).
  · “Super User” networks to combat resistance.
5. Future-Proofing
· Tech Debt Sprints: Allocate 10% of each release cycle to refactor legacy code.
· Vendor Exit Clauses: Mandate code escrow in third-party contracts.
· AI-Driven Risk Prediction: Deploy tools like Palantir to model market/tech disruption impacts.
1. Establish risk awareness and risk culture
2. Comprehensively identify risks and establish a risk list
3. Scientifically assess risks and determine coping strategies
(1) Risk mitigation
(2) Risk prevention
(3) Transfer risk
(4) Avoid risks
(5) Accept risks
(6) Reserve risk
4. Make detailed plans to ensure effective response
5. Strengthen monitoring and adjustment to keep risks controllable
6. Strengthen communication and collaboration to form synergy
7. Summarize experience and lessons and make continuous improvement
1. Establish strong project governance with clear roles and accountability.
2. Use proven project management practices to align with business goals and manage resources effectively.
3. Conduct thorough risk assessments and implement mitigation strategies.
4. Ensure stakeholder engagement and clear communication throughout the project.
5. Monitor progress regularly and adjust plans as needed to address issues promptly.
6. Focus on delivering measurable business value and aligning IT investments with strategic objectives.
1. Clarify project details: Before project approval, make sure the department and key stakeholders understand the project’s business impact and post-launch changeability. Have a clear, fixed basic design accessible to key personnel and be aware of change-related costs.
2. Optimize staffing: Ensure proper project staffing from the start, with effective leadership, decision making, and risk management capabilities. Maintain an adequate number of experienced project and “user” staff throughout.
3. Understand and manage stakeholders: Involve future technology users appropriately. Identify a senior manager responsible for business benefits and a senior decision maker accountable for project delivery.
4. Manage risks: Identify the project’s top ten risks and develop management and contingency plans. Differentiate between in-house and supplier-led projects in project structures, roles, and responsibilities.
5. Establish clear communication with suppliers: Comprehend suppliers’ business needs and commercial interests for mutual benefit. Define clear contract terms and ensure management information transparency.
6. Set clear expectations and monitor progress: Clearly understand business requirements and realistic expected results. Define failure assessment points and have plans for remedies or project termination.
Yujing Gao
1. Establish Strong Project Governance and Management
2. Implement Effective Requirements Management
3. Enforce Robust Change Control Processes
4. Adopt Appropriate Development Methodologies and Tools
5. Manage Resources and Risks Effectively
6. Ensure Adequate User Involvement
7. Conduct Comprehensive Testing and Acceptance
8. Implement Configuration and Release Management
9. Plan for Data Migration and System Changeover
Organizations can define clear goals, involve stakeholders, do proper planning, manage changes, and conduct regular reviews to control risks of IS project failures.