ICT Standards and Guidelines
Segment 206
Risk Management
Risk Classifications - Socrates Inc.
(Version 2.0)
Project Profile
Worksheet
This worksheet is designed to help you evaluate any proposed client/server project to assess its overall risk and complexity. The worksheet will expose two important characteristics of the project: (1) any specific items that need attention, and (2) the overall risk level of the project.
To use this worksheet, answer each relevant question by circling the appropriate number on the 1–5 scale, in which 1 indicates a definite “yes” (low risk), 5 indicates a definite “no” (high risk), and 2 through 4 indicate various shades between (increasing degrees of risk).
If you don’t know the answer, or if you don’t understand the question, circle 5.
Project Identification
Client:______
Project name:______
Project manager:______
Assessment performed by:______ Date:______
Infrastructure Characteristics
Vision & Architecture  YES (1) to NO (5)
1 Business technology vision defined  1 2 3 4 5
Have the business guidelines that define how information technology will be applied to business opportunities been decided and written down?
2 Business technology vision communicated to all developers  1 2 3 4 5
Has the business technology vision been communicated to all people affected by that vision, including (but not limited to) all information technology developers and key end users?
3 Architecture project team in place  1 2 3 4 5
Has your organization chartered a team of people to establish your application (logical) and technical (physical) architectures?
4 Application architecture defined  1 2 3 4 5
Has your architecture team defined the application architectures that will be used to develop client/server applications in your environment?
5 Technology selection process defined  1 2 3 4 5
Has the process by which technology choices are made been defined in a manner that will assure the process is applied effectively for the selection of all distributed computing technology throughout the organization?
6 Technology architecture process in use  1 2 3 4 5
Has the technology architecture process been applied successfully to the choice of distributed computing?
7 Distributed data issues identified  1 2 3 4 5
Has the architecture team identified the key issues relating to whether and how you will distribute data?
8 Distributed data access strategy defined  1 2 3 4 5
If you have decided to distribute data, have you determined how replicated data will be kept synchronized?
Architecture total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Staff  YES (1) to NO (5)
9 Experienced client/server developers  1 2 3 4 5
Does your development team include a reasonable proportion of people who have developed successful client/server applications using similar environments?
10 Common vision and vocabulary  1 2 3 4 5
Have you provided training to all developers, project leaders, managers and involved end users that gives them a common vision of and vocabulary for client/server technologies?
11 Training budgeted  1 2 3 4 5
Have you established an adequate training budget? (If you have planned for at least eight weeks of training for each developer, score 1; for four to seven weeks, score 3; for less than four weeks score 5.)
12 Training scheduled  1 2 3 4 5
Have you included “just-in-time” product- or technology-specific training for every member of the team?
13 Help desk budgeted and staffed  1 2 3 4 5
Does your organization have a trained help desk that will provide support for this application when it is deployed?
14 Experienced consultants identified  1 2 3 4 5
Have you identified, qualified, and retained experienced consultants to help with both planning and development throughout the entire project?
Staff total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Technology—networks  YES (1) to NO (5)
15 LAN in place  1 2 3 4 5
Is a LAN in place at all locations where this application will be deployed?
16 LAN compatible between all locations  1 2 3 4 5
Are all locations using the same LAN protocols and network operating systems?
17 LAN has adequate bandwidth  1 2 3 4 5
Does the LAN have adequate bandwidth to support the anticipated load?
18 WAN in place  1 2 3 4 5
Are the requisite wide area networking links in place?
19 WAN has adequate bandwidth  1 2 3 4 5
Has WAN configuration been based on a capacity plan that takes the proposed application’s characteristics into account?
20 WAN capacity overload contingency plan established  1 2 3 4 5
Are there contingency plans to cope with bottlenecks and/or unexpected changes in business location or activity volumes?
21 Wide area network systems management  1 2 3 4 5
Is there an effective wide area network management process in place?
22 Centralized network management  1 2 3 4 5
Is WAN administration centralized? (If LAN is totally managed from a single site, score 1; if fully distributed, score 5.)
23 Automated WAN support tools  1 2 3 4 5
Are WAN support procedures supported by up-to-date automation?
24 Wide area network support team on board and trained  1 2 3 4 5
Does your organization have a team of people who are trained and dedicated to supporting the enterprise network?
25 WAN support team accessible to developers  1 2 3 4 5
Are these people accessible to your development team to help with any problems that may arise?
Network technology total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Technology—servers  YES (1) to NO (5)
26 Server platform(s)  1 2 3 4 5
Have you selected the hardware and operating system for all servers?
27 Standardized server environments  1 2 3 4 5
Are all servers that will participate in this application running on the same hardware, under the same operating system?
28 Servers under configuration management  1 2 3 4 5
Are all of these servers covered by configuration management procedures?
29 Proven components  1 2 3 4 5
Are all of the hardware and software components of your networks and servers current shipping versions (i.e., you are not dependent on beta products or promises of future functionality)?
30 Server database engines selected  1 2 3 4 5
Have you selected a server database engine for use by this application?
31 Single database technology selected  1 2 3 4 5
Have you selected a single database technology vendor? (If you are integrating two different technologies, score 3; if more than two different technologies, score 5.)
32 Server database engines experience  1 2 3 4 5
Does your team already have experience using the selected database engine(s) together with the server operating systems?
33 Servers in place  1 2 3 4 5
Are all servers that will be used by this application already in place, configured, programmed, and tested?
34 Network and server platform sharing  1 2 3 4 5
Will the networks and servers be dedicated to the application under assessment?
Server technology total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Technology—desktop environments  YES (1) to NO (5)
35 Desktop platform(s)  1 2 3 4 5
Have you selected the hardware, operating systems, and other software that will run on all desktops?
36 Standardized desktop environments  1 2 3 4 5
Are all desktops that will participate in this application using the same general hardware configuration, operating system, and graphical environment?
37 Configuration management procedures  1 2 3 4 5
Are all participating desktops managed by your configuration management procedures?
38 Proven components  1 2 3 4 5
Are all of the hardware and software components of your desktops current shipping versions (i.e., you are not dependent on beta products or promises of future functionality)?
39 Desktops in place  1 2 3 4 5
Does each end user of the system already have a desktop in place that can support the proposed system?
40 Trained end users  1 2 3 4 5
Are users trained in the use of the desktop environment?
41 Trained support staff  1 2 3 4 5
Is your internal support staff in place and trained to support these desktops?
42 Compatible desktops & servers  1 2 3 4 5
Have the desktops and servers that will participate in this application been proven to be compatible with each other?
43 Desktop to server connectivity experience  1 2 3 4 5
Do you have people on staff who have experience in connecting the desktop and server environments?
44 Desktop data access interface(s) selected  1 2 3 4 5
Have you selected a desktop database interface(s) for use by this application?
45 Single data access interface  1 2 3 4 5
Have you selected a single database API for use by all applications? (If two different APIs, score 3; if more than two APIs, score 5.)
46 Data access interface provided by DBMS vendor  1 2 3 4 5
Is the data access interface provided by the same vendor as the server database engine?
47 Database engine(s) experience  1 2 3 4 5
Does your team already have experience using the selected database engine(s) together with the desktop and server operating systems?
48 Desktop workstations not shared  1 2 3 4 5
Will the desktop workstations be dedicated to the application under assessment? (Dedicated, score 1; if application will be dominant, score 3; otherwise, score 5.)
Desktop environment total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Development methods, tools and environment  YES (1) to NO (5)
49 Development method selected  1 2 3 4 5
Have you selected a development method for the proposed application? (If you haven’t selected a method, or if you intend to use an ad-hoc approach, score 5.)
50 Rapid application development method  1 2 3 4 5
Does the selected development method support iterative requirements definition, design, development, and user interface prototyping?
51 Mature development method  1 2 3 4 5
Is your selected development method mature, with a proven track record for developing distributed client/server GUI applications?
52 Development method experience  1 2 3 4 5
Does your team already have experience using the selected development method?
53 User involvement with development  1 2 3 4 5
Does your development method provide for full time end user involvement at all stages of the development process?
54 User interface development tools selected  1 2 3 4 5
Have you selected the tools that will be used to implement the desktop elements of the applications?
55 Use mainstream graphical user interface  1 2 3 4 5
Will the end user interface utilize a mainstream GUI?
56 Desktop tools support GUI  1 2 3 4 5
Do the selected development tools support the desktop GUI effectively? (For a mature version of any market leader GUI-based toolset, score 1; for C or C++, score 5. For anything else, score 3.)
57 User interface development tools experience  1 2 3 4 5
Does your team already have experience using the selected user interface development tools together with the selected business rules tools, database engines, and desktop and server operating systems?
58 Development tools support for database engine  1 2 3 4 5
Are the development tools closely integrated with the selected database engine(s)?
59 Single development environment proposed  1 2 3 4 5
How many different development environments do you propose to use? (For one, score 1; for two, score 3; for over two, score 5.)
NOTE: Questions 12 through 14 should all be answered, in spite of the fact you will invariably incur a risk factor of 5 on at least two of them. There is no risk-free method for the implementation of business rules. Risks lowered by one choice will increase risks that would be lowered by another, and vice versa. If you have not yet determined which method would be best for your application, score 5 on all three questions.
60 Business rules development on desktop  1 2 3 4 5
Will your business rules be implemented using the same tools and language used to develop your graphical user interface? (YES, score 1; NO, score 5. NOTE: Using the same tools used for your user interface is the simplest method for developing your business rules. However, this solution doesn’t scale well for large applications.)
61 Business rules development tools in DBMS  1 2 3 4 5
Will your business rules be implemented as stored procedures and triggers inside your DBMS? (YES, score 1; NO, score 5. NOTE: Implementing business rules as stored procedures and triggers works well for small applications. However, this solution doesn’t scale well for large applications.)
62 Business rules in three-tier architecture  1 2 3 4 5
Will business rules be implemented as a separate process executing independently from both the desktop and database? (YES, score 1; NO, score 5. NOTE: Using a three-tier architecture will scale well. However, it is complex to implement and manage.)
63 Business rules execution in three-tier architectures determined  1 2 3 4 5
If you are using a three-tier architecture, have you determined how desktop applications will access and execute business rules? (YES, score 1; NO, score 5.)
64 Business rules tools experience  1 2 3 4 5
Does your team already have experience using the selected business rules tools together with the selected database engines, desktop, and server operating systems?
65 Application development support tools selected  1 2 3 4 5
Have you selected the supporting tools—including testing, version control, and configuration management—that will be used to build, test, and control your applications?
66 Support tools compatible with configuration management tools  1 2 3 4 5
Are all of the supporting tools compatible with your configuration management and system management tools and procedures?
67 Application development support tools experience  1 2 3 4 5
Does your team already have experience using the selected support tools with the other selected software?
68 Approach to performance engineering established  1 2 3 4 5
Is there a mature process in place for capacity planning and performance engineering that addresses all stages of the design and construction cycle?
69 Performance engineering process supports LAN/WAN  1 2 3 4 5
Does your capacity planning and performance engineering process cover LAN, WAN and server environments?
70 Performance engineering process uses automated tools  1 2 3 4 5
Is your capacity planning and performance engineering process supported by automated tools?
71 Use of performance data by automated tools  1 2 3 4 5
Are the results of operational performance monitoring fed back into your automated tools and models?
72 Performance engineering process covers aggregate work load  1 2 3 4 5
Does your capacity planning and performance engineering approach take into account the aggregate workload arising from other applications sharing the platforms?
73 Performance engineering process measures end-to-end response  1 2 3 4 5
Does your capacity planning and performance engineering process take into account end-to-end response time requirements?
Development methods, tools and environment total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Application Characteristics
Application  YES (1) to NO (5)
74 Availability requirement not critical  1 2 3 4 5
Will your business still be able to operate successfully if this application fails totally? (For normal working day availability with reasonable tolerance for limited down-time, score 1; for 24 hour cover, 365 days per year, score 5.)
75 Delivery time-scale not critical  1 2 3 4 5
If this application is not completed and operational by a specific target date, will your business remain materially unaffected? (If a specific date must be met, score 5.)
76 Analytical vs. OLTP  1 2 3 4 5
Is this application strictly analytical (read-only)? (If the application also includes operational (OLTP) components, score 3–5 depending on degree.)
77 Analytical components can be implemented separately  1 2 3 4 5
If the application contains both analytical and OLTP components, can the analytical components be implemented as separate projects that will complete before the OLTP project begins? (If analytical applications can be implemented and deployed before more complex OLTP components, score 1; if all components must be implemented and deployed concurrently, score 5.)
78 Application of limited scope  1 2 3 4 5
Is this application limited in its scope, affecting only a limited area of the business and no other systems? (A system with very limited scope could be implemented on entirely separate server hardware without any need to access other systems.)
79 Complex projects can be broken down  1 2 3 4 5
If the project is large and/or complex, can it be readily broken down into a series of separately deliverable projects, each with a clear business scope?
80 Business process defined and understood  1 2 3 4 5
Are the business processes that are being implemented in this system well understood, well defined, and formally documented?
81 Users agree with process definition  1 2 3 4 5
Are the users of the system in agreement that these processes are well understood?
82 Perceived value added  1 2 3 4 5
Does implementation of this system provide substantial value to the ongoing operation of the organization?
83 Transaction volume low  1 2 3 4 5
Is the volume of transactions low? (A transaction is a set of changes to the database that must occur as a single entity. For example, a customer order with 10 line items would be a single transaction. This metric should measure the total number of transactions of all types that the system must support. For volume of one transaction per second, score 1; for over 20 TPS, score 5.)
84 Average transaction simple  1 2 3 4 5
Is the average complexity of the transactions low? (A transaction that makes only a single change to a single table is very simple; however, a sales order entry transaction is very complex. This measure should reflect the “average” transaction complexity.)
Application total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Data characteristics  YES (1) to NO (5)
85 Data models defined  1 2 3 4 5
Are the high-level data entities being used by this application well documented and understood?
86 Data relationships defined  1 2 3 4 5
Are the relationships between data entities and elements well understood and documented?
87 Data rules defined  1 2 3 4 5
Are the rules for valid and default field values and mandatory vs. optional fields defined for each data element?
88 Simple data  1 2 3 4 5
Is the data model on which the databases are based of low complexity? (For ten or less entity types, score 1; for one-hundred or more entity types or subtypes, score 5.)
89 Data access volumes low  1 2 3 4 5
Does this application require access to less than 1Gb of data? (For over 10Gb, score 5.)
90 Data volatility low  1 2 3 4 5
Does the data change slowly? (For change of less than 5% per day, score 1; for over 50% per day, score 5.)
91 Dedicated databases  1 2 3 4 5
Are databases used by this application inaccessible to any other application?
92 Low data timeliness requirements  1 2 3 4 5
Is the application not dependent on extremely timely data? (If the data can be current as of a lengthy period such as last month, score 1; if data can be current as of last night, score 3; if the data must be up-to-the-minute, score 5.)
Data total score: _____ divided by number of questions answered: _____ equals risk factor: _____
Distribution  YES (1) to NO (5)
93 Users at single site  1 2 3 4 5
Will this application serve users at only a single geographic site? (If all users are at a single site, score 1. If users are at multiple sites, but all sites are physically nearby, score 3. If users are distributed at multiple distant sites, score 5.)
94 Small number of users  1 2 3 4 5
Will the number of users be small? (Less than 10, score 1; over 200, score 5.)
95 Database access volume supported by network  1 2 3 4 5
Will all high volume database access involve only high bandwidth LAN/WAN links?
96 Peak load capacity plan defined  1 2 3 4 5
If high-volume network links are not in place, have you made provisions to cope with peak loads required by your application?