When implementing technology projects associated with new products and services, or projects involving existing applications or services, organizations may employ various risk management controls to understand the impact of such projects. Attempts are made to ensure that each new technology project adheres to the policies, guidelines, and operating practices set forth in connection with the risk management controls.
Project managers within organizations are often burdened with the need to learn and use a number of different risk assessment processes to enter information and answer questions relating to their projects. Typically, each assessment process uses a different question format with its own localized nomenclature. Assessment questions can be difficult for users to understand and may be produced redundantly and inefficiently in multiple locations. Also, there may be no capability to perform centralized reporting, and the repositories that hold the assessment information may have no facilities to maintain historical content for previous versions of an application. For example, compliance assessment processes may contain many steps, confusing relationships among different divisions of the organization, and overlapping and redundant questions, and may exhibit limited project manageability.
In many organizations, existing assessment processes are not validated for their intended purposes: the assessments may not yield the information which is really needed or which the organization intends to obtain. Process ownership and roles are often not clearly defined or well communicated; process dependencies and relationships are not well understood or well integrated; and processes are not sufficiently robust to be adapted to changing business needs. In addition, data obtained from existing assessment processes may not be readily usable for multiple business purposes.
When application owners and project managers are unable to comply with unreasonably onerous processes, negative consequences can arise. With respect to productivity, there may be excessive costs associated with attempting to comply with the processes, including efforts related to validating compliance against the processes, maintaining the processes and associated toolsets, and fixing problems associated with non-compliance. Remediation and rework undertaken to bring applications into compliance can be expensive and time consuming. The inability to manage application and project risk because of process inflexibility and incomplete, inaccurate, or unavailable information may increase the overall vulnerability of the applications. Furthermore, when application and project portfolio information is contained in disparate systems, and data is often inaccurate or inconsistent among these systems, this may lead to inaccurate reporting and improper business decisions.
In view of the foregoing issues, enhanced systems, processes, tools, techniques and strategies are needed for constructing and performing project and application assessments within various organizations.