When to kill an IT project

Only 36 per cent of 442 Information Systems Audit and Control Association (ISACA) members in Australia said they had ‘killed’ an IT-related project before it was fully implemented.

The top two reasons for ending it early were that it did not deliver as promised or the business needs had changed.

Speaking at the opening of the Oceania CACS conference in Sydney today, John Thorp, CEO of ThorpNet Canada, expressed disbelief that stakeholders weren’t more concerned with the level of investment wastage.

“I think it’s amazing there hasn’t been a shareholder or taxpayer revolt when you see the billions of dollars being wasted,” said Thorp.

“And that’s not the biggest issue – it’s the potential value [of these investments] that hasn’t been realised.”

The Commonwealth Bank of Australia’s group executive for enterprise IT, Michael Harte, concurred.

“When you’re putting $1 billion at risk every year in capital investment you have an obligation on behalf of shareholders to get it right,” Harte said.

Harte said that between 70 and 80 per cent of capital investment made by CBA each year was in IT-related systems.

“What our organisation is doing is creating a governance process that helps us decide on the right investments, maintains management oversight, and gives us the maturity to change projects within the portfolio with the changing needs of the business,” Harte said.

CBA’s governance framework is understood to combine ITIL, COBIT and other software development lifecycle (SDLC) methodologies.

Harte proposed that IT risk managers must ‘rebrand’ the function internally so it is seen as driving value.

“IT governance is often looked at as putting more rules on a project that require additional infrastructure and processes and get in the way of the project,” Harte said.

“I think that’s an unfair criticism but your challenge is how do you get involved within the investment process to speed up decisions and ensure project executing by putting in place infrastructure with the highest level of fidelity?”

Harte advised IT risk managers to ensure the operational risk architecture within the business is ‘a fully-fledged governance entity’ and to ensure governance ‘is not seen as bureaucratic’.

“Then you need a certified IT auditor sitting in the project and assurance role from day one,” Harte explained.

“You need someone to measure risk and be accountable upfront and throughout the process.

“Too often we see the auditors involved in periodic project health checks or the post-implementation review only because there’s not enough of them and they can’t sit on all projects proactively,” said Harte.

Howard Nicholson, international vice president of ISACA and business analyst for the City of Salisbury in South Australia, claimed that many underperforming IT-related projects continue longer than they should ‘because management does not constantly assess projects and ensure that they generate appropriate value and benefits’.

“It is a good management practice and a sign of appropriate governance to evaluate and take action on underperforming IT projects as they progress, rather than suffer the consequences further down the road,” Nicholson said.

Thorp agreed: “I can’t tell you how many executives I talk to that say a project has gone a bit off track but they’re hoping it will get back on course.

“Hope is not a strategy,” he said.

Thorp urged project owners to consider measuring the value of what he called ‘IT-enabled change projects’ across the full economic lifecycle of the investment, ‘not just get the business case through the door, get the money and run, which is typically what happens in most organisations.’

This could include taking down systems that are no longer delivering value to the business.

“Why are we spending a dollar on anything that doesn’t deliver value,” Thorp said.

“If you can’t answer why, then you shouldn’t spend it.”

auditcbagovernanceisacakillprojectstrategytechnology