Missing Questions

By Donald Sears  |  Posted 2008-07-30

In May 2008, the Information Systems Audit and Control Association (ISACA), a 75,000-member organization based in Rolling Meadows, Ill., that provides certifications, training and professional development to security, audit and governance professionals, published findings from a survey taken during its North American Computer, Audit, Control and Security Conference. The survey, which polled 386 IT security, audit and governance professionals, asked two key questions:

1. Has your organization recently “killed” an IT-related project before it was fully implemented?”

2. If so, what was the primary reason the project didn’t work out?

In answer to the first question, 43 percent of respondents said they had euthanized a project.

“The number of projects killed or stopped is the most significant finding here,” says Mario Damianides, a partner at accounting and audit firm Ernst & Young and a former international president of ISACA and the IT Governance Institute. “Four in 10 had a major project killed or stopped. That sounds like a big wasted effort.”

Hold on a minute. What about the 57 percent of projects that were not ended? Also, are we to interpret projects that were killed as a positive or negative sign of information technology practice?

“It could be seen as a positive,” Damianides acknowledges. “But, if something has been effectively budgeted for in a project, you would have additional built-in funds that you could draw on as needed. What this says to me is that there is an unwillingness to eat into slush funds right now. It’s almost like saying, ‘We’re not going to spend the money on that project.’”

When you drill a little deeper into ISACA’s survey, it appears to support Damianides’ assertions. It’s possible that money is being reassigned from projects—or simply rescinded.

And when you combine the nearly 30 percent who answered the second question by stating that “business needs changed” with the 14 percent who answered that the project was “no longer a priority,” the business air is thick with changing winds at 44 percent.

But what about all that costly work being tomahawked?

“I do believe it is a big wasted effort, but it’s less of a waste than if those doomed projects had proceeded,” says Will Weider, CIO of Ministry Health Care and Affinity Health System, based in Milwaukee. “Many IT organizations understand the value of their IT investments, and they know when the return is no longer worth the cost. That is much better than the state of IT 10 years ago, when nearly everything started was completed because the goal of most IT projects was to finish them.”

One survey statistic seems to support Weider’s contention: Twenty-three percent of projects did not deliver as promised—the second most frequent reason given for killing a project.

Missing Questions

Are there more facets the ISACA survey could have explored?

“The question the survey doesn’t ask is the point at which they pulled the plug,” says Bill Hayduk, president of RTTS, a New York City-based software quality assurance company. “These projects could have been killed at the inception stage, which could make sense,” Hayduk asserts. “But if they were killed at the implementation stage, that is very different.

“IT is being driven by business more than it was before the Internet bubble. Talk to CIOs or CTOs: They’re all reporting to the business units. Rarely are they undertaking things that the business isn’t driving.”

Hayduk points out that compliance and governance are not necessarily deemed mission-critical unless mandated by government or industry, or are part of Sarbanes-Oxley compliance or the Health Insurance Portability and Accountability Act.

“Perhaps [the ISACA survey respondents] are dealing with network policy projects or application security—the kinds of projects that are regularly put on the back burner,” he says. “But when they have to have, say, a new trading system that is crucial to the business, that will take priority.”

Ernst & Young’s Damianides raises another question: “If the business needs changed, why wasn’t the project being better evaluated as it went along? The question that arises is, ‘Are organizations managing the how of the project?’”

The economy might be another factor. However, in the ISACA survey, the budget cutbacks number came in at less than 1 percent.

“If we were to ask these same questions six months from now, I would expect to see budget cutbacks having a much higher presence due to the economy,” says Damianides.

“We’re seeing some slowdown in our clients’ internal projects,” reports Hayduk of RTTS. “But we don’t ever see a complete withdrawal of a project in large software development.”

What can be extrapolated from the survey numbers is that IT is being driven more directly by business needs, and that the technology organization has to live with the review process, priority changes and early project death. But IT is learning from these experiences.

“This [killing of projects] is an important intermediary step,” says Weider of Ministry Health Care. “Many IT organizations like mine are spending a lot of time performing autopsies on dead projects in order to refine our IT project methodology.”

The goal? To identify any problem projects quickly before too much time and money is invested in them