INFORMATION

SYSTEMS IN
MANAGEMENT Information Systems in Management (2014) Vol. 3 (3) 182−192

RISK ASSESSMENT FOR ERP SYSTEM IMPLEMENTATION

a)
RAFIK NAFKHA , DARIUSZ STRZĘCIWILK b)
a)
Department of Informatics, Warsaw University of Life Science
b)
Department of Applied Informatics, Warsaw University of Life Science

In this article, based on the results of questionnaire sent to 50 companies with

different employment size, events affecting the failures of the ERP system
implementation were identified and their risk level as well as additional costs related
to preventive actions (reducing the probability or effects of the problem occurrence)
were investigated. To evaluate the risk values of chosen ERP system implementation
tasks, PMI (Project Management Institute) standard was applied.

Keywords: ERP implementation system, risk value, risk assessment

1. Introduction

Information systems suppliers, in particular ERP (Enterprise Resource

Planning) systems, avoid clearly in their presentations risk analysis of the system
mainly for two reasons: the first is the lack of or limited knowledge regarding the
risks in individual sectors of the economy, while the second reason is related to
sales and marketing. Risk has always aroused panic among both customers and
retailers offering the system. Disclosure of threats by the supplier in the first steps
of the sale may be subject to conflicts of interest. One general principle that is in
force is that the risk in the first stages of the project is a forbidden word.
Unfortunately, in the next stages of the system implementation, it becomes the not
needed word and for its analysis is too late, it remains only mitigate the impact of
rising incurred costs. This article presents, a sample list of risks for typical ERP
systems implementation and the risk assessment calculation method, that can be
useful running own risk implementation analysis, especially for medium and small
enterprises (MSP).
According to Lyytinen [7], there are two essential areas in which risk of the
information system project can arise [2]:
• The development of the system, where risks arise from user objectives
definition, the incorrect conceptualization of the system, the incomplete view of
the organization and the difficulty to predict the impact of the system, the
inability to create complex solutions for given specific industry, etc.
• Use of the system, in which the risks include inability to create or use
appropriate technical solutions , to collect and maintain relevant data, a negative
impact on working conditions, changes (authority, qualifications or scope of the
work).
A special case of projects are the ERP implementation projects, which are subject
to adjustment previously produced software to the specific conditions of the
company in order to achieve certain benefits. Risks in these projects arise on each
stage of the implementation of the ERP system [4]. According to report (Business
Software Report, Management Institute of Warsaw, 2001) and analyzing the
implementation management system suppliers methodology [8], the implement-
tation of a ready system is usually implemented in five phases:
• preparation of the organization for change – work out a project organization and
the rules for its implementation,
• determination the business concept - elaborate a list of business processes that
will be implemented by the system,
• implementation - development of a prototype solution ,
• preparation for work in the target environment - installation, launch (test
integration of the prototype, user training, data transfer , preparation of the
working environment) and transmission system operation,
• start and supervise the work of the system in the real environment.
In the following article, based on the results of surveys sent to 50 companies with
different employment structures, we identified events affecting the information
management system implementation failures that occur at every level in the life
cycle implementation project. These events are grouped in categories and on their
basis, an estimated level of risk and additional costs that will be incurred with the
launch of tasks related to actions that reduce the probability or effects of the
problem, will be adopted.

183
2. Factors affecting the risk

The main impacts of risk found in the literature [2] are: over budget, time
overruns, cancelled prior to completion, unsatisfactory business performance,
insufficient system stability, weak or less than the required features and functions,
a low degree of integration, failure to achieve strategic goals and inadequate
financial and economic results. Identifying sources and risk factors requires an
understanding of their causes and mechanisms by all participants of the
implementation team. Gaining this awareness is a condition to work on identifying
the risks in order to eliminate, reduce and control the risk intentions. The
identification of potential risk factors, is one of the essential elements of the risk
management process. Errors made at this stage of the analysis may adversely affect
the credibility of risk assessment [10]. The identification, which results will be the
final specification of risk factors must be carried out very honest and reliable.
Omission of potential threats which are important for the project implementation,
may reduce the effectiveness of risk analysis, and even undermine the legitimacy
of the project management. Unfortunately there is no universal method of
identifying key risk factors which guarantees reaching established goals. A good
rule is to use own experience and the information delivered from the institutions
that collect statistical data, suggestions and opinions of experts in a given field,
own practical experience and theoretical knowledge. Quantification of risk factors,
ie, its quantitative indication is not only important but also very difficult element of
the project management. Most analysts and theorists engaged in risk analysis "run
away" from the problems of quantification. They lead arguments about the risks
and make only superficial qualitative analysis. Unfortunately, this leads to control
the risk, and do not manage what can be described quantitatively.
In this article, to identify the implementation project key risk factors, we asked
both customers and experts in the field of ERP systems implementation to indicate
repeated and common in their opinion, implementation failures factors. Participants
in the study indicated more than 42 different problems occurring during the
implementation of the ERP system. In this study only 25 of them have been
identified as having a negative impact on the time, budget of the project and
product conformity with the project objectives. To evaluate the risks first for each
event, the number of problems indicated by the study participants are summed.
Then an importance of validity, according to the methodology in Section 3, was
adopted. Table 1 shows the critical risk factors ranked by the number of reported
problem.

184
 Table 1. Types and quantities of identified problems
Number of
Id Critical risk factors reported
problem
1 Lack of Top Management commitment and support 20
2 Poor project management team 19
3 Lack of Departmental cooperation 19
4 Unclear goals and objectives 18
5 Incorrect project management 18
6 Ineffective communications 17
7 Improper management of expectations 17
8 Incompetent project leader 16
9 Lack of vendor or supplier support 16
10 Improper change management, risk and scope of the 15
project
11 lack of knowledge of their own business processes 15
12 incorrect system selection 12
13 Analysis and data conversion 12
14 Limitation in resources 12
15 Insufficient training of end-users 10
16 Lack of new business processes familiarity 10
17 Non-acceptance of organizational structure change and 10
business processes
18 Poor integration of the infrastructure systems 9
19 Poor conflict management 9
20 Using tools supplier 8
21 Ineffective project cost and time management 6
22 Lack of metrics for evaluating project efficiency and 6
benefits
23 Lack of competence of ERP’s consultants 5
24 Data losses 2
25 Insufficient testing phase 2

3. Project methodologies

The probability value estimation and consequences of risk occurrence consist

in identifying project implementation tasks at risk of failure implementation. Next
one should find answers about the impact of threats on one of completed tasks as
well as to whole project (schedule, budget, quality, ect). In order to carry out a
comparative analysis, each problem has been prescribed a certain value on a scale
of 1 (least important) to 5 (the biggest problem). The final value of each problem is
the sum of all values fulfilled by various participants in the interview. Since the

185
determination of the probability is done intuitively and based on PMI standards [9],
the intuitive probability scheme is defined as presented in Table 2.

Table 2. Likelihood Value Guidelines

Range Likelihood Designation Interpretation
1-4 0,1 very low Very unlikely
5-8 0,3 low Probably will not occur
9 - 12 0,5 medium Equal chance of occurring or not
13 - 16 0,7 hight Will probably occur
17 - 20 0,9 very high Very likely to occur

Please note that there are no verifiable method that will accurately determine
the threat likelihood therefore, the only attempt was to determine the range to
which the likelihood belongs. Each risk is assessed for its impact and a response
plan must be generated to avoid the risk or take advantage of an identified
opportunity. To achieve determined project objectives a degree of risk impact
should be defined. The following sizes, as presented in Table 3, indicating risk
impact on project tasks realization are taken into account.

Table 3. The degree of risk impact

Points Risk impact Degree of the impact on the project / task description
0,05 very small Need to change tasks plan (problems with the
implementation are important only for task manager)
0,1 small Increase of task time and cost (problems with the tasks
implementation are taken into account by the Project
Manager). Delays in the implementation do not affect project
date realization or budget.
0,2 medium Tasks project time and cost will increase and then will force
a change in project schedule or budget. Tasks will be not
achieved and a correction of the project plan will be
necessary.
0,4 critical Project goal is not achieved. An arrangement with the
sponsor is needed. Project time and cost increases
0,8 dangerous Negative effects on the design environment (the whole
company, processes, systems, ect.). Effects exceed the
expected project benefits.

Based on PMI Methodology [9], the risk weight is calculated as the product of
the risk likelihood value and the degree of risk impact, please see Table 4.

186
 Table 4. The matrix of the likelihood and impact of risks in the project
for a given risk tolerance
Likelihood
0,9 Very high 0,045 0,09 0,18 0,36 0,72
0,7 High 0,035 0,07 0,14 0,28 0,56
0,5 Medium 0,025 0,05 0,10 0,20 0,40
0,3 Low 0,015 0,03 0,06 0,12 0,24
0,1 Very low 0,005 0,01 0,02 0,04 0,08
0,05 0,1 0,20 0,40 0,80
Very small Small Medium Critical Dangerous
Degree of the impact on the project / task (Time. Cost, quality

Survey participants filling the questionnaire do not need to be familiar with

risk management, it is sufficient that they present significant implementation
threats in their opinion. The grouping and the formalization of the risk list is made
by an expert in this area. In this article and in order to group different
implementation tasks, a risk categorization has been provided:
1. Organizational (O) − subcategories include (top management, business
processes, strategy, employment policy, company culture, process
planning, finance, staff).
2. Project (P) − subcategories include (project management methods, quality
and implementation team, business development, project integration).
3. Technical and technological (T) − subcategories include (system
functionality, support, critical IT infrastructure,).
4. External (E) − subcategories include (legislation, the economic situation,
exchange rate, competition, lobbying ....).
After summing up indicated scores and assigning ratings to each risk factor, it is
necessary to evaluate its effects in order to apply any simplest strategies for its
elimination or restriction by adding an appropriate cost estimation (to handle
emerging problems) to estimated before schedule "margin of safety".

4. Application of risk assessment method on the example of Sap Sprint

implementation

The scope and cost of the proposed example is specified using SAP Business
All-in-One the Configurator (http://www.sap.com/solution/sme/software/erp/all-in-
one/buy/rds.html), enabling the calculation of the predicted and the estimated SAP
Business All-in-One rapid deployment solution price including hardware, software
and system implementation (without software maintenance cost).

187
 SAP Business All-in-One is a complex, integrated ERP solution, prepared by
SAP partners for medium-sized companies. Implementation scope for a typical
enterprise SMEs (Small and medium-sized enterprises) adopted in this example
includes the following areas: activities related to logistics process in terms of sales,
distribution and invoicing including , offer to the customer, customer contract,
customer order, sales, refunds and claims adjustment.
Activities related to process of ensuring supply including: warehouse
management, purchase offer, a supply contract, batch management, stock transfer,
inventory and purchase settlement.
Financial Accounting and Management which includes: general ledger,
accounts receivable and suppliers, liquidity management, accounting and reporting
of fixed assets for finance.
The following assumptions and cost estimation are adopted: total number of
employees 100, number of users 20, licenses cost 214 200 PLN, services 300 000
PLN, total solution cost 584 200 PLN.
After working out an implementation timetable for the adopted case, which
established the duration and the resources assigned to the project tasks, the next
step focus on tasks identification that are risky during their implementation and
then assign each of them to adopted in Table 2, range of risk allocation. Examples
of risky tasks for the adopted implementation are shown in Table 5.
The risk analysis purpose is to determine the quantitative value and identified
risks impact on the project implementation. All data are collected in a risk register
and updated with score risk value and measurable financial and non-financial
consequences reducing identified risks. Ending risk factors analysis, we are able to
a risk response planning. In general, risk response plan means a plan which aimed
at minimizing the project risk and maximizing its positive effects. When planning
risk responses, one should indicate person or group of persons, responsible for
implementation tasks and associated with them risk factors management. Among
risk handling strategy, we distinguish the following risk management approach:
risk avoidance (eg. limitation of the project scope, increasing resources or avoiding
unknown subcontractors), risk transfer of (insurance or guarantee transfer), risk
minimization (eg. use of less complex processes, making prototyping, ect.) and risk
acceptance which means conscious decision of not taking activity associated with
risk management, eg. due to low influence of the identified risk factors. In the
adopted example, we use a technique that avoid risk by making changes in the
initial stage of the project, clarifying requirements and obtaining additional
information, expertise and internal training in order to eliminate the risk and
protect the project objective. Table 6 shows risks and costs of introducing
preventive actions of grouped project tasks.

188
 Table 5. Types and risk values of selected tasks in the different phases
of the adopted SAP project implementation
Nr Tasks Cat Critical risk factor (P) (I) RS
1 Strategic Analysis Unclear goals and objectives, lack 0,9 0,4 0,36
O of Top Management commitment
and support.
2 Preliminary project plan Unclear goals and objectives, lack 0,9 0,4 0,36
O of Top Management commitment
and support.
0,9 0,4 0,36
3 Pre-implementation analysis Incompetent project leader, lack of 0,7 0,4 0,28
including modeling Departmental cooperation,
P
lack of knowledge of their own
business processes.
4 Business processes Non-acceptance of organizational 0,5 0,4 0,2
modifying according to structure change and business
P
accepted company needs. processes, lack of new business
processes familiarity.
0,60 0,40 0,24
5 License purchase Z Delay of license delivery. 0,1 0,4 0,04
6 Needed shopping and Lack of co-operation with supplier, 0,5 0,4 0,2
Z
infrastructure preparation delay of devices delivery.
0,3 0,4 0,12
7 Installation and Technical Poor integration of the 0,5 0,4 0,2
T
Configuration infrastructure systems.
8 Installation and functional Lack of dedicated resources, 0,5 0,2 0,1
T
configuration – Logistics module is not in time.
9 Installation and functional Lack of dedicated resources, 0,5 0,2 0,1
configuration - Materials T module is not in time.
Management
10 Installation and functional Lack of dedicated resources, 0,5 0,2 0,1
configuration- Financial module is not in time.
T
Accounting and
Management
11 Administrators training Delay in training, lack of 0,5 0,4 0,2
T
competent trainers.
12 Training users with regard Insufficient training of end-users. 0,5 0,4 0,2
T
to purchased modules
13 Data migration Lack of prepared appropriate 0,3 0,4 0,12
T forms, lack of supplier tools for
data conversion , loss of data.
14 Data input System not ready yet, lack of data 0,3 0,4 0,12
T
prepared.
15 System performance testing System not ready yet, ineffective 0,1 0,4 0,04
project time management, lack of
T
metrics for evaluating project
efficiency and benefits.
16 System testing in terms of System not ready yet, lack of all 0,1 0,8 0,08
system functionality T functionality system testing.
including interfaces
17 Technical support during Lack of supplier support , lack of 0,7 0,4 0,28
system startup T competence of ERP’s project team
fine-tunes.
0,41 0,38 0,16
P – likelihood, I – impact, RS – Risk Score

189
 Table 6. Risk and costs of introducing preventive actions
Nr Preventive actions Cost (P) (I) RS Cost (P) (I) RS
1 All stakeholders 5000 0,5 0,4 0,28 5000 0,3 0,4 0,20
identification. Kick-off.
2 Internal training, coaching 3000 0,5 0,4 0,28 3000 0,3 0,4 0,20
0,5 0,4 0,20 0,3 0,4 0,12
3 High power decision for PM. 3000 0,5 0,4 0,20 3000 0,3 0,4 0,12
External consultants support,
Process modeling training
4 Collecting supplier --- 0,5 0,4 0,2 2000 0,3 0,4 0,12
references

0,5 0,5 0,20 0,3 0,4 0,12

5 Collecting supplier --- --- --- --- --- ---- --- ---
references. Early orders and
transfers in time.
6 Additional technologies --- 0,5 0,4 0,12 --- --- --- ----
testing before implementation
work.
0,3 0,4 0,12 0,2 0,4 0,08
7 Determine the necessary time --- 0,5 0,4 0,12 --- --- --- ---
dedicated for project
implementation.
Provide separate room.
8 Determine the necessary time --- 0,5 0,2 0,06 --- --- --- ---
dedicated for project
implementation.
Provide separate room
9 Determine the necessary time --- 0,5 0,2 0,10 --- --- --- ---
dedicated for project
implementation.
Provide seperate room
10 Collecting supplier --- 0,5 0,2 0,10 --- --- --- ---
references. Client
management support and co-
operation with supplier .
11 References and trainers 0,5 0,4 0,20 1000 0,3 0,4 0,12
certificates
12 References and trainers 0,5 0,4 0,20 2000 0,3 0,4 01,2
certificates.
Additional targeted training
13 Collecting supplier --- --- --- --- --- --- --- ---
references. Request data
migration methodology
14 Determine the necessary --- --- --- --- --- --- --- ---
time dedicated to preparation
and data input
15 Making simulation tests --- --- --- --- --- --- --- ---
16 Functionality testing in --- --- --- --- --- --- --- ---
particular phases of the
project
17 Collecting supplier 2000 0,5 0,4 0,28 2000 0,3 0,4 0,12
references. Request additional
consultancy or support
0,4 0,38 0,15 0,26 0,38 0,10

190
 A summary of measured key risk indicators shows table 6. The proposed
preventive actions reduce the risk score - in case of acceptance a risk reduction cost
at level 12 000 PLN. (which represent 4% of the implementation budget). In this
case the total project risk likelihood (calculated as ratio between total risk
likelihood and total tasks number) is reduced from 0,55 (high) to 0,42 (medium
level) and the Risk Score is reduced from 0,22 to 0,17. When the preventive
actions value increases to 16 000 PLN which represent 5,2% the whole
implementation budget, then total project risk likelihood is reduced from 0,55 to
0,27 (low level) and the Risk Score from 0,22 to 0,11 (acceptable).

Table 7. Risk indicators for the implemented case

Lp Risk indicators Initial Cost = 12 000 PLN Cost = 16 000 PLN
1 Risk likelihood 0,55 0,42 0,27
2 Risk impact 0,40 0,40 0,40
3 Risk Score 0,22 0,17 0,11

According to risk management theory [5], the risk owner decides how to deal
with risk. If the threats reduction cost does not exceed 5% total implementation
budget, which represent in most cases an acceptable risk level, the project is
realized without any corrections. In the adopted example, additional cost of 16 000
PLN reduces the ERP system implementation failure probability by 2 levels and
increases the system implementation budget by approximately 5,2% of total
implementation cost.

5. Summary

Successful management systems implementation is dependent on many

factors related both to the type of activities carried out by the company, and the
way of managing project and in particular the selection and use of risk
management methods. There are no verifiable methods that will accurately
determine system implementation failure or success likelihood, but we can
determine the interval in which the success/failure likelihood of each task is
located. Risk assessment according to adopted in this paper method for risk
assessment consist in the identification of risky tasks that can lead to
implementation failure. Next for each of them a range of risk value was adopted.
Since the risk score determination depends on risk impact value, based on the
experiences and statements of specialists in one hand, and applying PMI standards
on the another hand, appropriate values of risk impact were pointed for each task.
According to problem likelihood appearance, risk impact on the task realization

191
and finally depending of Risk Score value, an appropriate preventive action was
taken. These steps shows that adopted risk assessment for ERP system
implementation method can be appropriate.

REFERENCES

[1] Beynon-Davies P. (1999), Human Error and Information Systems Failure: The Case
of The London Ambulance Service Computer-aided Despatch System Project,
Interacting with Computers, vol. 11, no. 6, pp. 699-720.
[2] Aloini D., Dulmin R., Mininno V. (2007) Risk management in ERP project
introduction: Review of the literature, Information & Management 547–567.
[3] Frączkowski K. (2003) Zarządzanie projektem informatycznymProjekty w środowisku
wirtualnym czynniki sukcesu i niepowodzeń projektów, Politechnika Wrocławska.
[4] Khvalev E.A (2010) Key characteristics in ERP implementation Identification and
Analysis by Project Phases: Conceptual model for analysis - Proceedings of the 4th
Conference on Theory and Practice of Modern Science, Moscow, Russia.
[5] Korczowski A. (2009) Zarządzanie ryzykiem w projektach informatycznych. Teoria
i praktyka, Hellion.
[6] Lech P. (2003). Zintegrowwane systemy Zarządzania ERP/ERP II. Wykorzystanie w
biznesie, wdrażania. Difin, Warszawa.
[7] Lyytinen K. (1988), Expectation Failure Concept and Systems Analysts’ View of
Information System Failures: Results of an Exploratory Study. Information and
Management 14(1): 45-56.
[8] Nafkha R. (2014) Analiza wybranych metod zarządzania projektem informatycznym
we wsparciu procesów biznesowych i organizacyjnych firmy, IX Scientific
Conference, Internet in the information socjety.
[9] PMI (2008) – A guide to the Project Management of Knowledge (PMBOK Guide) –
Fourth Edition.
[10] Sorupka D., Kuchta D., Górski M.(2012) Zarządzanie ryzykiem w projekcie,
WSOWL, Wrocław.

192