In 2002, Cutter Consortium conducted its first comprehensive survey of the state of risk management practice in the IT community. From all reports, the practice of risk management seems to have grown both generally and in formality over the past four years. The question this two-part series of Executive Reports addresses is, has it, and if so, by how much? Here in Part II, we continue our examination of the 2006 survey, focusing on risk management costs, its perceived effectiveness, organizational support, lessons learned, ROI, and enterprise risk management -- the latest entry into the risk realm. Overall, the 2006 survey finds that IT risk management practice has grown in maturity, if not in absolute numbers.

• Read the Executive Summary

Many problems with outsourcing deals stem from the supplier taking over activities that were not well understood by the client organization prior to engaging the supplier. Very early in the outsourcing lifecycle, the activities that are candidates for outsourcing are identified by the organization. But it is not enough to just target the services; a detailed understanding of the targeted services is essential or the organization faces the risks of providing inaccurate information to its suppliers.

The US National Oceanic & Atmospheric Administration (NOAA -- www.noaa.gov) released its 2006 hurricane forecast this week. The forecast says that for "the 2006 north Atlantic hurricane season, NOAA is predicting 13 to 16 named storms, with eight to ten becoming hurricanes, of which four to six could become 'major' hurricanes of Category 3 strength or higher." Now, tell me whether you know what this means, given the following headlines from various media sources ...

Just exactly what is it that we manage on software projects if not the risks? Project management IS risk management. The risk-aware manager can show you a substantial list of causal risks. He/she can tell you the likely cost in time or money should the risk materialize, and point to a specific set of materialization indicators and contingency plans to protect the project. Listen to this Webinar recording and you'll learn:

• Why risk management for software is entirely different from financial risk management.
• The core process to do risk management at the project level and above.
• Why you can never completely avoid or transfer risk in software development.
• How to mitigate or contain risks.