1
Conceptualizations of risk and control in business organizations relevant to the process of OSS adoption
Trial lecture Øyvind Hauge, 17 June [email protected]
2
53.3% of the respondents thought computer breakdowns were a major concern (Coleman, 2006)
In 2006 the local hospital went a full day without ICT support and a week without wireless phones
Denver Airport, Computerized Baggage Handling fails, 1995 -> costs up to $1 million per day
Therac-25, 1985-1987, overdoses of radiation leading to three deaths
3
Table of content
1. The scope of this presentation
2. Risk and control
3. Ways of controlling risk
4. Risk and control related to OSS adoption
4
Present and discuss relevant conceptualizations of risk and control in business organizations relevant to the process of OSS adoption
SE & IS
5
Business organization
• Is a legal entity (private or public)
• Has a
– Mission to provide either goods or services
– Owner
– Budget
• Variations in
– Size
– Domain
– Country
– Organization form
– Geographical distribution
– …
6
7
Risk
• The effect of uncertainty on objectives
– The effect may be positive or negative
• Risk = Probability * Cost
– Involves uncertainty
ISO Guide 73:2009, Aven (2009)
[Figure: Causes/threats → Event → Consequences]
8
Types of risk
Scott and Vessey (2002), Wallace et al. (2004), Karolak (1996)
• Technical
• Cost
• Schedule
• Organizational environment
• User
• Team
• Requirement
• Project complexity
• Planning and control
9
”Typical” software risks
Aloini et al. (2007) – ERP systems
1. Inadequate product selection
2. Ineffective strategic thinking and planning
3. Ineffective project management techniques
4. Bad managerial conduct
5. Inadequate change management
6. Inadequate training and instruction
7. Poor project team skills
8. Inadequate Business Process Re-engineering
9. Low top management involvement
10. Low key user involvement

Baccarini et al. (2004) – IT projects
1. Personnel shortfall
2. Unreasonable schedule and budget
3. Unrealistic expectations
4. Incomplete requirements
5. Diminishing window of opportunity

Boehm (1991) – Software risks
1. Personnel shortfall
2. Unreasonable schedule and budget
3. Developing the wrong functions and properties
4. Developing the wrong user interface
5. Gold-plating
6. Changing requirements
7. Shortfall in externally furnished components
8. Shortfall in externally performed task
9. Real-time performance shortfalls
10. Straining computer science capabilities

Chatzoglou and Diamantidis (2009) – IT/IS implementation
1. Management ability
2. Information integrity
3. Controllability
4. Exclusivity
10
Few risks are technical
11
Risks
• Negative impact on objectives
• May come from a number of sources
• The most important risks are not related to the technology
12
Control
• Measures that modify risk
– Prevent
– Reduce consequences
ISO Guide 73:2009
[Figure: Causes/threats → Event → Consequences]
13
Table of content
1. The scope of this presentation
2. Risk and control
3. Ways of controlling risk
   1. Risk management
   2. Real Option Theory
   3. Processes and standardization
4. Risk and control related to OSS adoption
14
1. Risk management
Aven (2008), ISO Guide 73:2009
• Coordinated activities to direct and control an organization with regard to risk
15
16
Not all risk can be controlled
Hanseth and Ciborra (2007), Forester (1989)
17
The norm of risk management
• ALARP (As Low As Reasonably Probable)
• GALE (Globally At Least Equivalent)
Stålhane and Skramstad (2006), Aven (2009)
18
Traditional risk analysis
Baskerville and Stage (1996), Karolak (1996), Boehm (1991), Holmgren and Thedéen (2009)
19
Risk identification: What can go wrong?
• Group discussions
• SWOT analysis
• Brainstorming
• Expert panels
• Earlier experiences
• References
• Checklists
McManus (2004), Boehm (1991)
20
Risk avoidance/mitigation
1. Find root causes of risks
2. Deal with root causes or reduce consequences
– Sell risk to 3rd party
– Expertise (train/hire)
– Introduce barriers
– Design the risk out of the solution
– Buy information, e.g. proof of concept
Lane (1998), Boehm (1991)
21
2. Real Option Theory
Add flexibility and options proactively
Benaroch et al. (2007), Erdogmus and Favaro (2002)
Options may be used but they don’t have to
22
• First date at a steakhouse
– The date is a vegetarian
– Menu option 1. Steak
• First date at a restaurant serving different dishes
– The date is a vegetarian
– Menu option 1. Steak
– Menu option 2. Salad
– Menu option 2. Fish
23
Options for IT projects
• The option to:
– Defer
– Explore
– Stage
– Change-Scale
– Abandon
– Outsource
– Lease
– Strategic-Grow
Benaroch et al. (2007), Erdogmus and Favaro (2002)
24
3. Processes and standardization
• Processes
• Tool support
• Techniques
• Standards
• In software development
– RUP, CMMI, Cleanroom, …
– Revision control, issue tracking, automated building, …
– Design patterns, code refactoring, pair programming, …
– For code, documentation, requirements, …
25
Just in time – lean – agile
• Earlier value and more options
Karolak (1996), Stober and Hansmann (2009), Erdogmus and Favaro (2002)
26
27
OSS Adoption
Business organizations leverage, with related research fields:
• OSS products
– 1. Deploy (OpenOffice.org, MySQL)
– 2. CASE Tools (Eclipse, Maven, SVN)
– 3. Integrate (Hibernate, Spring)
– Related research fields: Deploying/diffusing IS and ICT, SE, CASE tools, CBSD, legal, SPI
• OSS communities
– 4. Participate (IBM - Linux, Sun - OpenOffice)
– 5. Provide (JBoss, MySQL, Qt)
– Related research fields: Legal/IPR, marketing, community management, CoP
• OSS development practices
– Related research fields: SPI, distributed/global software development
28
OSS Adoption
Business organizations leverage, with potential risks:
• OSS products
– Licenses (Lawsuits, unable to distribute derivative products)
– Easy to adopt (Diverse technological portfolio)
– Not free (requires resources)
– Source code (Modification, maintenance responsibility)
– No provider (Lack of support, no contracts, no one to “blame”, uncertain future)
• OSS communities
– Unable to influence community/product
– Commitment may require (significant) resources
– No clear market (Hard to do marketing)
– The product is free (No paying customers)
– Attracting a community (No users, customers, or contributions)
• OSS development practices
– Practices inappropriate for the company
Hauge et al. (2010)
29
Risk, control and OSS adoption
• Non-technical risks are the most important
– OSS risks are therefore not the most prominent ones
• What is relevant to IT adoption and development is also relevant to OSS
– Risk management
– Alternatives
– Standards, tools, and processes
• OSS experience: to analyse the use of OSS in the context
30
"software risks can be best managed by combining specific risk
management considerations with a detailed understanding of
the environmental context and with sound managerial
practices, such as relying on experienced and well-educated
project managers and launching correctly sized projects"
(Ropponen and Lyytinen, 2000, p.98).
31
References
• Davide Aloini, Riccardo Dulmin, and Valeria Mininno, Risk management in ERP project introduction: Review of the literature, Information & Management 2007:44, pages 547-567
• Terje Aven, 2008, Risk Analysis: Assessing Uncertainties Beyond Expected Values and Probabilities, Wiley
• Terje Aven, 2009, Risk Management, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
• David Baccarini, Geoff Salm, and Peter E.D. Love, Management of risks in information technology projects, Industrial Management & Data Systems 2004:104(4), pages 286-295
• Michel Benaroch, Yossi Lichtenstein, Karl Robinson, Real options in information technology risk management: an empirical validation of risk-option relationships, MIS Quarterly 2006:30(4)
• Yegor Bugayenko, 2009, Competitive Risk Identification Method for Distributed Teams, in Olly Gotel, Mathai Joseph, and Bertrand Meyer (editors), Software Engineering Approaches for Offshore and Outsourced Development - Proceedings of the Third International Conference, SEAFOOD 2009, Zurich, Switzerland, Springer
• Richard L. Baskerville and Jan Stage, Controlling Prototype Development through Risk Analysis, MIS Quarterly, 1996:20(4), pages 481-504
• Barry W. Boehm, Software Risk Management: Principles and Practices, IEEE Software, 1991:8(1), pages 32-41
• Prodromos D. Chatzoglou and Anastasios D. Diamantidis, IT/IS implementation risks and their impact on firm performance, International Journal of Information Management, 2009:29, pages 119-128
• Les Coleman, 2006, Why Managers and Companies Take Risks, Springer
• John Forester, 1989, Planning in the Face of Power, University of California Press
• Hakan Erdogmus and John Favaro, 2002, Keep Your Options Open: Extreme Programming and Economics of Flexibility, in G. Succi, M. Marchesi, L. Williams, D. Wells (editors), XP Perspectives, Addison Wesley
• Ole Hanseth and Claudio Ciborra (editors), 2007, Risk Complexity and ICT, Edward Elgar Publishing Limited
• Øyvind Hauge, Daniela S. Cruzes, Reidar Conradi, Ketil Sandanger Velle and Tron André Skarpenes, Risks and Risk Mitigation in Open Source Software Adoption: Bridging the Gap between Literature and Practice, in: Proceedings of the 6th IFIP Working Group 2.13 International Conference on Open Source Systems (OSS2010) - Open Source Software: New Horizons, May 30th-June 2nd, Notre Dame, USA, pages 105-118, Springer, 2010
• Åke J. Holmgren and Torbjörn Thedéen, 2009, Risk Analysis, in Göran Grimvall, Åke J. Holmgren, Per Jacobsson, and Torbjörn Thedéen (editors), Risks in Technological Systems, Springer
• ISO 31000:2009, Risk management -- Principles and guidelines, http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170
• ISO Guide 73:2009, Risk Management Vocabulary, http://www.iso.org/iso/catalogue_detail?csnumber=44651
• Capers Jones, 1994, Assessment and Control of Software Risks, Yourdon Press
• http://www.springerlink.com/content/q0j808/
• Christel Lane, 1998, Introduction: theories and issues in the study of trust, in Christel Lane and Reinhard Bachmann (editors), Trust within and between organisations, Oxford: Oxford University, pages 1–30
• John McManus, 2004, Risk Management in Software Development Projects, Elsevier
• Janne Ropponen and Kalle Lyytinen, Components of software development risk: how to address them? A project manager survey, IEEE Transactions on Software Engineering, 2000:26(2), pages 98-112
• Marvin Rausand, 1991, Risikoanalyse Veiledning til NS 8514, Tapir
• Judy E. Scott and Iris Vessey, Managing Risks in Enterprise Systems Implementations, Communications of the ACM, 2002:45(4)
• Thomas Stober and Uwe Hansmann, 2009, Agile Software Development, Springer
• Tor Stålhane and Torbjørn Skramstad, Presentation for Workshop at EuroSPI 2006
• Linda Wallace, Mark Keil, and Arun Rai, Understanding software project risk: a cluster analysis, Information & Management, 2004:42, pages 115-125