A thorough analysis of current business processes, data, customer impact, existing systems and human resource capabilities must precede any system implementation planning. It is often the case that risk is flushed out during the system planning or configuration phase; however, that is really too late to identify risk. Further, the impact of identifying risk late in the game are: implementation failure, budget overruns and lack of adoption.
In order for organizations to properly assess risk they need to take an independent view of their current systems and processes. There is a substantial push by larger accounting firms to provide “IT Audit” services; these services could be critical to identifying risk prior to system selection and implementation. These firms are also starting to lend their hand at implementation, but it is important to keep these functions separate as it will eliminate bias. The IT Audit firms should always remain independent and provide the organization with the outside view that it cannot take internally.
If the independent view can successfully identify gaps the risk identification and mitigation can be planned and addressed from the onset of system acquisition. This would be an ideal state to aspire too; however, too many implementations either miss risk areas or the organization is not equipped to address the risk late in the game.