SAM Factors

Document Sample
SAM Factors Powered By Docstoc
					                                  Software Acquisition Management Risk Factors



                  Software Acquisition Management Risk Factors

Using this table for risk identification:
A project team might use this table to prompt their thinking about risks for their project.
The team can decide which factors are relevant at what rating, then proceed to state the
specific risks they suspect could affect their project.

When the project completes, the team should review its performance with risk management
and see if there are factors to add to this table or if there are cues that should be changed
to help future projects in the organization better identify their risks.

Material in the risk factor table is organized with the following headers:
Factor ID           A sequentially assigned number for risk factors in this domain.
Risk Category Header that names the category in which the following risk factors belong.
Risk Factors        Named areas of potential risk to projects in this domain.
Low Risk Cues Characteristics of this factor when it can be considered low risk to a project.
Medium Risk Cues    Characteristics of this factor when it provides a medium risk to a project.
High Risk Cues Characteristics of this factor when it should be considered high risk to a project.
Rating              Level of risk you think is true of this project.
              Low This project exhibits the low risk cue, or appears to have no risk in this area.
        Medium This project exhibits the medium risk cue, or something similar in threat.
             High This project exhibits the high risk cue, or something similar in threat.
     Not Applic This factor is not applicable to this project.
      Need Info We need information from someone else (perhaps an expert) to make a judgment.
             TBD The project is not far enough along to make a rating; we need to review this later.
Notes               Space for notes during rating, for later reference on reasons a rating was chosen.

Definitions for use with this set of acquisition risk factors
         Acquirer organization or individual who acquires or procures a product or service from a supplier
                   (alternate terms used elsewhere: customer, buyer, client)
         Supplier organization or individual who supplies a product or service to an acquirer
                   (alternate terms used elsewhere: provider, vendor)
                   note: there may be one or more suppliers, with different risks identified for each
       Customer end user of the solution being acquired; may be external to the organization or a
                   business user in the organization
      Solicitation means used to gather proposals for the work of an acquisition
                   (alternate terms: request for proposal, request for quote)
         Solution system, service, or product provided by the supplier to the acquirer
   Service Level measure of an aspect of a product or performance, which can be used as a target for
        Measure acceptable results or behavior
   Service Level current supplier performance relative to an agreed-on service level measure
   Service Level written agreement between an acquirer and supplier that defines performance targets
     Agreement for service level measures
       Technical precisely defined measure based on a product requirement, product capability, or
   Performance some combination of requirements and/or capabilities
        Measure




v. April 2007                                                                                                Page 1
                                             Software Acquisition Management Risk Factors


                             Software Acquisition Management Risk Factors
                                                                                                       Rating (check one)
            Risk Factors     Low Risk Cues            Medium Risk Cues High Risk Cues                                                                       Notes




                                                                                                             Medium


                                                                                                                             Not Applic
Factor ID




                                                                                                                                                      TBD
                                                                                                       Low


                                                                                                                      High


                                                                                                                                          Need Info
          Acquisition Requirements and Constraints
        1 Level of       customer needs       requirements defined             no defined
          requirements   have been elicited,  at an abstract level,            requirements from
          definition     analyzed, and        or only the                      the customer, or
                         documented as a full requirements for a               customer doesn't
                         set of customer      portion of the                   really know what's
                         requirements         solution is defined              needed

        2 Expectations of    results expected by      results expected of      expectations appear
          acquirer           the acquirer leaders     this acquisition are     to be unrealistic,
          executives         are realistic, well-     based on                 relying on trends in
                             grounded in analysis     experiences of other     industry, rather than
                             of costs, effort, and    organizations or of      data about this
                             time required for this   similar work done by     acquisition
                             acquisition              this organization

        3 Participation of   all relevant             key stakeholders are     acquisition team
          relevant           stakeholders in the      engaged in the           develops the
          stakeholders       requirements are         requirements             requirements and
                             involved in gathering    activities, along with   reviews with some
                             and validating the       acquisition project      stakeholders
                             requirements             leaders
        4 Requirements       requirements clearly     requirements rated       requirements not
          priorities         rated and ranked         but not ranked           rated or ranked

        5 Support for        there is strong          executives are          active opposition
          potential          executive support for    indifferent to need for from executives to
          business           business process         business process        process changes
          process            changes to ensure        changes
          changes            solution
                             implementation
        6 User               key users participate    key users indirectly     no key users
          participation in   in defining related      involved in defining     involved
          business           business processes       business process
          process            changes                  changes
          changes
        7 Match to         acquisition                acquisition              significant mismatch
          documented "To requirements set             requirements set         to elements of
          Be" process      after processes were       while processes          existing process, or
                           documented and/or          under definition;        process is
                           redesigned; good fit       some mismatches to       undocumented so
                                                      process, which must      that comparison is
                                                      be changed               not possible




            v. April 2007                                                                                                                                    Page 2
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues         Medium Risk Cues High Risk Cues                                                                        Notes




                                                                                                          Medium


                                                                                                                          Not Applic
Factor ID




                                                                                                                                                   TBD
                                                                                                    Low


                                                                                                                   High


                                                                                                                                       Need Info
        8 Requirements      all requirements can some critical             competitive situation
          available to      be passed along to requirements cannot         or protection of trade
          supplier          the supplier         be passed along           secrets makes it
                                                 directly, because of      impossible for
                                                 legal or other            supplier to talk
                                                 reasons                   directly to customer
                                                                           about requirements

        9 Testable    requirements are       some requirements             requirements are not
          requirementstestable, to allow for are testable, some            testable
                      accurate               are difficult to assess
                      assessment of
                      evaluation criteria
  10 Design           specific design        acquirer provides             design constraints
     constraints      constraints            standard catalog of           are discussed during
                      documented and         architecture and              requirements
                      provided to supplier other required design           reviews between
                      (such as required      parameters                    acquirer and supplier
                      architecture
                      standards)
     Acquisition Strategy and Potential Supplier Identification
  11 Development of alternatives are         only a few different          each acquisition
     acquisition      considered and a       approaches are used           strategy is based on
     strategy         specific strategy set by the organization,           the wishes of the
                      for the acquisition,   and the specific              group which needs
                      based on defined       strategy is chosen            the results
                      processes and          by executive
                      lessons learned        management

  12 Not Invented           little concern in     some in organization     strong culture for
     Here (NIH)             organization about    prefer building own      building their own
     Factor                 whether solution is   solutions, for ease of   solutions; if "not
                            built or bought       extension and            invented here,"
                                                  support                  solutions are
                                                                           mistrusted
  13 User attitude          users have            some users have          some (perhaps
     toward another         widespread            experience with an       vocal) users have
     solution               familiarity with a    alternative and          had good experience
                            common alternative    expect similar           with a
                            to the proposed       capabilities in this     competitive/existing
                            solution              solution                 solution; don't want
                                                                           this one




            v. April 2007                                                                                                                                 Page 3
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                         Notes




                                                                                                             Medium


                                                                                                                             Not Applic
Factor ID




                                                                                                                                                      TBD
                                                                                                       Low


                                                                                                                      High


                                                                                                                                          Need Info
  14 Number of user 1-3 user areas or               4-6 user areas or        more than 6 user
     areas or        decision makers for            decision makers          areas or decision
     decision makers the acquisition                                         makers involved,
                                                                             making decisions
                                                                             difficult to make
  15 Use of                 analysis of costs and   cost analysis is         cost/benefit analysis
     cost/benefit           benefits of             done, but benefits       shows no significant
     analysis               alternative solutions   are ill-defined or not   impact to the
                            follows an approved,    defined at all           organization from
                            documented                                       this acquisition, or no
                            organization                                     analysis is done
                            standard

  16 Source of              set of preferred        suppliers who were       solicitation is
     supplier               suppliers is            successful in the        circulated widely via
     candidates for         maintained, with        past are ones asked      internet and other
     solicitation           additions to meet       to bid again             means, so that
                            requirements of a                                anyone can apply
                            specific acquisition
  17 Proposal               evaluation criteria     proposal evaluated       no evaluation criteria
     evaluation             are based on            using same standard      available; acquisition
     criteria               acquisition             set of criteria each     team makes up its
                            requirements and        time                     own
                            key business factors

     Acquisition Project Parameters
  18 Acquisition     acquisition manager            acquisition manager      acquisition manager
     management      has experience in              has been trained, but    has no prior
     experience      successfully                   has not managed an       experience or
                     implementing                   outsourced project.      training in managing
                     outsourced project(s)                                   supplier
                                                                             engagements

  19 Acquisition team a comprehensive               the team has all         relevant functions
     composition      cross functional              functions present,       are not represented,
                      team has been                 but participants are     or they participate
                      assembled to ensure           not empowered to         sporadically in the
                      success of the                represent their          team
                      acquisition                   respective functions
  20 Budget for the   budget based on               budget set during        budget based on
     acquisition      early analysis of this        analysis of              what is available, not
                      solution                      alternative solutions,   the specific solution
                                                    without specifics
                                                    about this one




            v. April 2007                                                                                                                                    Page 4
                                            Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues             Medium Risk Cues High Risk Cues                                                                         Notes




                                                                                                               Medium


                                                                                                                               Not Applic
Factor ID




                                                                                                                                                        TBD
                                                                                                         Low


                                                                                                                        High


                                                                                                                                            Need Info
  21 Life cycle budget budget includes                budget includes         budget includes no
                       support for at least           marginal support for    funds for work other
                       first several years of         a year from internal    than implementation
                       use of the solution            personnel
  22 Budget for        budget includes                budget includes         budget was set
     supporting        funds for purchase             funds for purchase of   without regard to
     components        and support of                 embedded products,      costs of any
                       embedded products,             but no other            supporting
                       infrastructure, and            associated costs        components
                       other support

  23 Travel budget          budget has been           budget is allocated     travel is very
                            allocated for pre-        for only a small        restricted for the
                            contract travel to do     number of trips by      acquirer, and the
                            supplier qualification,   the acquirer and by     supplier is expected
                            as well as for            the supplier, to        to absorb all its travel
                            contract monitoring       perform regular         costs as part of
                            and communication         progress reviews        doing business
                            activities

  24 Time pressure    adequate time is       parts of the overall the whole project is
     to complete the  allowed for selection, acquisition project  under intense time
     acquisition      contract               need to be rushed    pressure
                      development and
                      review, solution
                      development
     Supplier Proposal Evaluation [used with proposals under review]
  25 Relative cost of supplier solution is   solution requires    solution requires
     solution         based on use of well- significant           extreme modification
                      known methods or       modification to      and/or is high cost
                      existing systems,      existing methods or
                      and is competitive in systems, and cost is
                      price                  competitive
  26 Supplier effort  supplier effort and    supplier effort and  project requirements
     estimation       cost estimates were cost estimates were were not available to
                      based on detailed      based on high level supplier when cost
                      requirements           requirements         and effort estimates
                                                                  were made

  27 Solution match         features of solution      some elements of        solution is mismatch
     to acquirer            fit organization          architecture are not    with significant
     architecture           architectures well        addressed well          elements of local
                            (application,                                     architectures
                            technology, data)




            v. April 2007                                                                                                                                      Page 5
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                     Notes




                                                                                                         Medium


                                                                                                                         Not Applic
Factor ID




                                                                                                                                                  TBD
                                                                                                   Low


                                                                                                                  High


                                                                                                                                      Need Info
  28 Compatibility          solution is             solution is not        solution uses
     with other             compatible with other   compatible with        completely new
     solutions or           commonly used           some other             approach or
     systems                solutions or systems    commonly used          technology
                                                    solutions or systems

  29 Integration with solution is easy to           solution is somewhat supplier doesn't
     existing systems integrate with                difficult to integrate address integration
                      existing systems              with existing systems

  30 License                supplier offers       supplier offers          supplier does not
     agreements for         enterprise licensing  flexible licensing       offer flexible
     solution               to reduce the cost of agreements or site       licensing agreements
                            multiple seats        licenses
  31 Access to              source code to        source code will be      no provisions for
     source of              system is (or will be made available if        obtaining source
     solution               put) in escrow        supplier stops           code
                                                  supporting system
  32 Support for            supplier provides     supplier supports        supplier supports
     previous               long term support for previous versions for    previous versions for
     versions               previous versions     up to one year           less than 6 months

  33 Solution          solution is modular          solution is modular    solution is complex
     complexity        and easily                   but not easily         and difficult to
                       configurable                 configurable           configure
  34 Life expectancy supplier has                   supplier has short     supplier has no plans
     of solution       documented long              term plans for         for product evolution
                       term plans for               product evolution      and support
                       product evolution            and support
                       and support
  35 Data or interface solution adheres to          solution uses some solution uses only
     standards         reliable data and            proprietary data      proprietary interface
                       interface standards          formats or interfaces or data formats

     Supplier Qualification and Selection
  36 Supplier         the evaluation and            the evaluation and     no documented
     selection        selection processes           selection processes    evaluation and
     process          follow approved,              are based on           selection processes
                      documented                    external               are used
                      organization                  recommendations
                      processes




            v. April 2007                                                                                                                                Page 6
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                         Notes




                                                                                                             Medium


                                                                                                                             Not Applic
Factor ID




                                                                                                                                                      TBD
                                                                                                       Low


                                                                                                                      High


                                                                                                                                          Need Info
  37 Supplier           acquirer weighs             acquirer advocates acquirer expects low
     selection criteria technical, process          mitigating technical cost supplier will be
                        and cost implications       and process related selected
                        when selecting              risks while selecting
                        supplier                    low cost supplier

  38 Participation of       decision maker(s)       decision maker(s)         decision maker(s)
     decision               involved in             set selection criteria,   will choose supplier
     maker(s) in            establishing            but are not involved      without regard to the
     qualification and      selection criteria,     in evaluation or          results of any
     selection              proposal evaluation     qualification             evaluation or
                            and qualification                                 qualification process.

  39 Number of              several qualified    only a few qualified         only one potential
     supplier               suppliers from which suppliers                    supplier, or all
     candidates             to choose                                         supplier candidates
                                                                              have poor prior
                                                                              performance records

  40 Supplier               each potential          potential suppliers    previous work of the
     qualification          suppliers' technical    reviewed using         supplier is examined
     approach               and process             surveys or other high- from their submitted
                            capabilities reviewed   level approach         project portfolio
                            by specialists using
                            document reviews
                            and interviews

  41 Capability of          supplier can supply     supplier can supply  supplier must
     supplier               fully qualified         personnel with       develop or hire
     personnel              personnel for the       moderate abilities   appropriate
                            acquisition                                  personnel
  42 Supplier               supplier has history  supplier is known to supplier must
     personnel              of keeping            provide a good         compete with others
     retention              employees satisfied,  learning               for a limited talent
                            with high retention   environment, but has pool, and has
                                                  high personnel         difficulty retaining
                                                  turnover               staff
  43 Supplier               supplier has previous supplier has           supplier is new to
     experience in          successful solutions successful solutions domain; or supplier
     application            in the application    in similar application is more experienced
     domain                 domain and            domains                than acquirer and
                            understands the                              assumes too much
                            industry                                     of the acquirer




            v. April 2007                                                                                                                                    Page 7
                                            Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                      Notes




                                                                                                          Medium


                                                                                                                          Not Applic
Factor ID




                                                                                                                                                   TBD
                                                                                                    Low


                                                                                                                   High


                                                                                                                                       Need Info
  44 Supplier               supplier has good   supplier has some            supplier cannot
     processes              project management, process problem              describe how they
                            development, and    areas                        manage their
                            supporting                                       software processes
                            processes in place

  45 Business               supplier is solid and   supplier is            supplier is new to the
     continuity of          successful in the       successful, but fairly market with no
     supplier               market                  new in the market      record of success

  46 Use of internal        internal supplier       acquirer expects that    internal supplier
     suppliers              must demonstrate        internal supplier is     operates informally
                            capability, cost and    competitive, but has     without an
                            proposal competitive    not benchmarked its      agreement or review
                            with external           performance              of their development
                            suppliers                                        work

     Supplier Agreement (Contract)
  47 Content of       both solicitation and         contractual           solicitation and
     solicitation and contract agreement            requirements are      contract focus on
     agreement        contain complete              included, but only    how the work will be
                      customer                      high level customer   done, rather than the
                      requirements, as well         requirements are      customer
                      as contractual                available             requirements for the
                      requirements                                        work
  48 Acceptance       contract includes             contract has          contact has no
     criteria in      acceptance criteria           standard acceptance acceptance criteria
     contract         for the solution being        criteria, not tied to
                      provided based on             specific customer
                      customer                      requirements
                      requirements
  49 Provisions for   contract includes a           contract includes no     contract does not
     handling         known time and cost           buffer, but has well-    address the matter
     requirements     buffer for amount of          defined mechanisms       of requirements
     changes          change, as well as            for amending to          changes
                      methods to amend              handle changes
                      the contract if
                      needed
  50 Service level    contract includes             service level            service level
     agreements       service level                 agreements are           agreements are not
                      measures and                  made with each           addressed in the
                      required levels of            specific work activity   contract or specific
                      performance, tied to          performed by the         work agreements
                      financial incentives          supplier




            v. April 2007                                                                                                                                 Page 8
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                       Notes




                                                                                                           Medium


                                                                                                                           Not Applic
Factor ID




                                                                                                                                                    TBD
                                                                                                     Low


                                                                                                                    High


                                                                                                                                        Need Info
  51 Technical              contract includes       contract provides        contact does not
     performance            mandatory technical     targets for technical    address technical
     measures               performance             performance              performance
                            measures on             measures, without        measures
                            solution                any incentives or
                            requirements that       penalties
                            are key to acquirer
                            business success,
                            with incentives
                            attached

  52 Contract terms         contract includes       contract has only a      contract provides no
     for monitoring         penalties and           few payment options      leverage for dealing
                            rewards that can be     for ensuring action      with monitoring
                            used to enforce         items are handled        action items
                            follow-up of action
                            items from
                            monitoring activities
  53 Contract               contract provides for   contract is vague        contract does not
     constraints on         adequate technical      about interactions, or   address key areas
     monitoring             interchange,            contract limits some     for monitoring, so
                            progress review, and    aspects of               supplier can report
                            performance review      monitoring               as it chooses


  54 Contract support contract includes             due diligence checks     acquirer and supplier
     for regulatory   terms and conditions          by the acquirer have     don't discuss the
     compliance       (such as audit trails)        confirmed the            matter; each
                      to ensure that the            supplier's business      assumes the other
                      acquirer can meet             processes support all    has sufficient
                      regulatory and                regulatory needs         business practices
                      corporate standards

  55 Contract review contract reviewed in           contract is routed to    contract approved
                     detail by appropriate          the appropriate          without sufficient
                     functions, such as             functions, but           review by
                     purchasing and legal           insufficient time is     appropriate functions
                                                    allocated for a full
                                                    review
  56 Supplier               final payment is        final payment occurs     final payment to
     incentive for          contingent on           after successful         supplier is when
     deployment             successful full         initial deployment(s).   solution is delivered
                            deployment of the
                            solution




            v. April 2007                                                                                                                                  Page 9
                                            Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                       Notes




                                                                                                           Medium


                                                                                                                           Not Applic
Factor ID




                                                                                                                                                    TBD
                                                                                                     Low


                                                                                                                    High


                                                                                                                                        Need Info
     Organizations and Cultures
  57 Ease of         language and time              time or language         supplier personnel
     communicating zones are very                   differences cause        and acquirer
     between         similar, and                   some difficulty in       personnel cannot
     acquirer and    communication                  communicating            easily communicate
     supplier        between teams can              about work and           or work together,
                     be direct                      expectations             adding time and cost
                                                                             to their interactions


  58 Match of        acquirer and supplier          the meanings of          acquirer and supplier
     decision-making use similar decision-          "yes," "no," and         have not explicitly
     styles          making methods, or             "maybe" are different    considered how
                     they agree on the              among the several        decisions are made,
                     different alternatives         cultures; some are       leaving one or the
                     in use                         unaware when             other guessing about
                                                    decisions have really    completed decisions
                                                    not been made or of
                                                    who needs to make
                                                    them

  59 Understanding          members of both the     teams are aware of       acquirer personnel
     of diverse             acquirer and supplier   the holidays in each     assume that the
     cultures               teams share a           other's culture, but     supplier works and
                            common culture or       not the subtle           thinks in the same
                            have been trained on    elements such as         ways as they do,
                            the other team's        the level of direction   oblivious to cultural
                            culture and             that is wanted or        differences outside
                            participate in cross-   needed for doing a       of natural language
                            cultural events         specific task

  60 Politics of            acquirer is working     acquirer works with      acquirer attempts to
     several                with several            several suppliers        use competition
     suppliers              suppliers, and all      who are competitors      between suppliers to
                            work effectively to     and are                  its advantage and/or
                            clearly defined roles   uncomfortable with       suppliers sabotage
                            and responsibilities    overlap of duties        each other




            v. April 2007                                                                                                                                 Page 10
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                         Notes




                                                                                                             Medium


                                                                                                                             Not Applic
Factor ID




                                                                                                                                                      TBD
                                                                                                       Low


                                                                                                                      High


                                                                                                                                          Need Info
  61 Use of informal        acquirer and supplier   key decisions and        team members from
     communication          have identified their   regular status reports   the acquirer and/or
     channels               points of contact for   are made through         supplier often
                            all communication,      official                 contact members of
                            and use of these        communication            the other
                            channels is enforced    channels, but some       organization
                                                    other communication      informally, to
                                                    is informal              influence them on
                                                                             choices or decisions

     Supplier Monitoring
  62 Level of acquirer management asks              management often         management is so
     management        for information and          asks for information     involved with reviews
     involvement       status, as agreed to         from others on the       and status checks
                       in the contract; is          acquisition team; is     that supplier wastes
                       available for decision       sometimes                time preparing and
                       making and conflict          unavailable for          responding or
                       resolution as needed         decision-making          management is
                                                                             absent most of the
                                                                             time when decisions
                                                                             are needed


  63 Involvement of         monitoring personnel    monitoring personnel     monitoring personnel
     acquirer               understand the          are involved in the      have no involvement
     monitoring             terms and conditions    acquisition              in the project or are
     personnel              of the acquisition,     periodically but have    involved deeply and
                            and are objective       little awareness of      have lost their
                            and independent         the contract             objectivity
                            reviewers of the        conditions or
                            supplier's work         requirements


  64 Availability of        those who are           acquirer personnel       monitoring the
     acquirer               monitoring the          play several roles,      acquisition is of low
     monitoring             acquisition have        and sometimes have       priority to the
     personnel              dedicated time for      conflicts in finding     acquirer personnel,
                            doing so and are        time to do the           so little time is spent
                            always available as     monitoring work          on these activities
                            needed




            v. April 2007                                                                                                                                   Page 11
                                            Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues            Medium Risk Cues High Risk Cues                                                                         Notes




                                                                                                              Medium


                                                                                                                              Not Applic
Factor ID




                                                                                                                                                       TBD
                                                                                                        Low


                                                                                                                       High


                                                                                                                                           Need Info
  65 Effort of supplier     work expected of         supplier must do          supplier sees the
     required for           supplier is very close   some additional           monitoring work as
     monitoring             to what the supplier     work, but can see         seriously intrusive or
     activities             process already          the value of the          requiring excessive
                            provides for their       monitoring activities     effort, impeding
                            own use                                            project progress

  66 Frequency of    some type of review             reviews are planned       reviews and
     progress        or interchange                  at regular intervals,     interchanges occur
     reviews         occurs fairly often, so         but there are long        only at crises, or
                     that acquirer and               gaps during certain       many interactions
                     supplier are kept               phases                    are canceled
                     aware of progress
  67 Frequency of    reviews, audits and             reviews, audits and       reviews, audits and
     monitoring      interchanges occur              interchanges occur        interchanges occur
     activities      fairly often and are            frequently without        too often, inhibiting
                     planned to ensure               consideration for the     the supplier from
                     sufficient oversight is         activities taking place   completing the work
                     provided and project            at the supplier
                     objectives are
                     addressed
  68 Adequacy of     escalation paths are            escalation paths are  no escalation paths
     escalation      well defined and                defined, but people   are defined; issues
                     used as appropriate             tend to circumvent    get resolved by
                     to handle issues and            them at times         executives or by the
                     problems                                              contract offices
  69 Use of standard performance and                 supplier uses its own acquirer request
     measures        progress measures               standard project and measures from the
                     defined in the                  product measures,     supplier as needed,
                     contract are provided           reporting them        accepting what the
                     by the supplier and             regularly to the      supplier has
                     monitored regularly             acquirer              available
                     by the acquirer

  70 Cost of                monitoring activities    monitoring activities     monitoring activities
     monitoring             are budgeted and         are budgeted for, but     are executed without
                            tracked to ensure        costs are not             considering the costs
                            that costs and           tracked.                  to the supplier or the
                            benefits of                                        acquirer
                            monitoring remain
                            aligned




            v. April 2007                                                                                                                                    Page 12
                                            Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues            Medium Risk Cues High Risk Cues                                                                       Notes




                                                                                                            Medium


                                                                                                                            Not Applic
Factor ID




                                                                                                                                                     TBD
                                                                                                      Low


                                                                                                                     High


                                                                                                                                         Need Info
  71 Involvement of         acquirer technical       acquirer technical     either supplier or
     acquirer               staff provide            staff occasionally     acquirer staff is on
     technical staff        guidance to supplier,    take on the supplier's site with the other
                            on request and as        work, outside the      group; tends to lose
                            agreed in the            bounds of the          perspective of their
                            contract                 contractual            own organization and
                                                     agreement              "go native" or are
                                                                            unavailable when
                                                                            needed
  72 Acquirer Quality Qualified QA                   Qualified QA           QA staff have not
     Assurance        resources have been            resources have been been allocated or
     staffing         allocated to the               assigned, but don't don't have the
                      acquisition at levels          have the time          necessary skills
                      necessary to support           necessary to
                      the project                    satisfactorily execute
                                                     their tasks.
  73 Process support        QA process support       QA processes are       QA function has no
     for Quality            is mature and            ad hoc with checklist processes,
     Assurance of           enables monitoring       support and plans      checklists or other
     supplier               of supplier functions.   guiding monitoring     support to allow
                                                     activities             them to execute
                                                                            monitoring tasks
  74 Acquirer staffing Qualified CM                  Qualified CM           CM staff have not
     for Configuration resources have been           resources have been been allocated or
     Management        allocated to the              assigned, but don't don't have the
                       acquisition at levels         have the time          necessary skills
                       necessary to support          necessary to
                       the project                   satisfactorily execute
                                                     their tasks.
  75 Process support         CM process support      CM processes are       CM function has no
     for Configuration      is mature and            ad hoc with checklist processes,
     Management of          enables monitoring       support and plans      checklists or other
     supplier               of supplier functions.   guiding monitoring     support to allow
                                                     activities             them to execute
                                                                            monitoring tasks
  76 Change control         Change control           Change control         Change control
     processes              process is well          processes are well     process is difficult to
                            defined and contains     defined, but           execute and largely
                            the steps necessary      executed               ignored by the
                            to ensure                sporadically.          project
                            appropriate
                            agreements are
                            reached




            v. April 2007                                                                                                                                  Page 13
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues           Medium Risk Cues High Risk Cues                                                                       Notes




                                                                                                           Medium


                                                                                                                           Not Applic
Factor ID




                                                                                                                                                    TBD
                                                                                                     Low


                                                                                                                    High


                                                                                                                                        Need Info
  77 Change control                         CCB contains only
                            CCB consists of only                             CCB consists of too
     board                                  key individuals, but
                            relevant supplier and                            many individuals,
     effectiveness                          those individuals are
                            acquirer decision                                making decisions
                            makers          too busy to                      onerous
                                            participate and have
                                            not designated
                                            representatives
     Verification, Validation, and Acceptance
  78 Acquirer          acquirer plans and   acquirer reviews                 supplier does all
     verification and performs verification results of supplier              verification and
     validation        and validation of    verification and                 validation activities
                       supplier solution to validation activities            during the
                       the customer         throughout the life              development cycle,
                       requirements         cycle, checking for              according to their
                       throughout the       conformance to                   own processes
                       solution development contract and
                       life cycle (reviews, customer
                       testing, etc.)       requirements

  79 Plan for supplier adequate time has            the schedule for         very little time has
     integration and been allotted for              integration and          been allocated for
     systems testing integration and                system testing is        integration and
                       system testing               tight                    system testing

  80 Plan for user          an approved,            a few user             no user acceptance
     acceptance             documented user         acceptance test        testing will be done
     testing                acceptance test plan    cases will be run in a
                            exists and allocates    short time frame
                            sufficient time for
                            acceptance testing

  81 Acceptance test test coverage is               tests cover all     test coverage is not
     coverage        comprehensive,                 requirements, but   sufficient to find all
                     covering major                 requirements are    major problems
                     conditions expected            vague in some areas
                     for the solution               making coverage
                                                    unpredictable

  82 Field                  environmental           environmental            solution will be used
     environments for       requirements are        conditions for the       in environments that
     acceptance             specified and used to   solution are             were not originally
     testing                qualify field           specified, but rely on   anticipated
                            installation            local sites to
                                                    implement




            v. April 2007                                                                                                                                 Page 14
                                            Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues            Medium Risk Cues High Risk Cues                                                                        Notes




                                                                                                             Medium


                                                                                                                             Not Applic
Factor ID




                                                                                                                                                      TBD
                                                                                                       Low


                                                                                                                      High


                                                                                                                                          Need Info
  83 Use of actual  test cases use actual            test cases use           test cases use
     data in        data from a live                 canned data from a       canned data from
     acceptance     system                           test environment         supplier
     testing
     Deployment, and Transition to Use
  84 Data migration an approved,                     a data                   data
     plan           documented data                  migration/conversion     migration/conversion
                    migration/conversion             strategy is              is assumed to be
                    plan exists                      documented in the        straight-forward
                                                     project plan             based on supplier
                                                                              representations, so
                                                                              no plan exists
  85 Training of            training included in     training being made      no training in plan;
     support staff          deployment plan          available as part of     expect to use staff
                                                     rollout                  with appropriate
                                                                              background
  86 Installation           installation of new      installation of new      installation of new
     difficulty             versions and             versions takes           versions is manual
                            upgrades into            moderate effort          and takes
                            multiple sites is well                            considerable effort
                            planned and/or
                            automated
  87 Quality of             documentation and        documentation and        documentation and
     supplier               training materials are   training materials are   training materials are
     documentation          complete, accurate,      adequate for             poor quality,
     and training           and well designed to     experienced users        inaccurate, or at
                            meet user needs                                   wrong level for user

  88 Adequate          the supplier provides         the documentation to     there is no
     documentation sufficient                        support making           documentation to
     for modifications documentation to              modifications is         support making
                       support those                 sketchy and/or           modifications
                       making modifications          incomplete

  89 Accountability in system faults can be system faults are                 system faults cannot
     fault allocation easily isolated and      somewhat difficult to          be isolated due to
     and correction    corrected               isolate due to                 interoperability with
                                               interoperability with          other systems
                                               other systems
  90 Hooks to add      hooks to add new        hooks to add new               there are no hooks to
     new features      features are readily features are                      add new features
                       available and easy to available, but not
                       use                     easy to implement
  91 Lag time for      lag time for repairs to lag time for repairs is        problems not
     repairs           deployed systems is moderate                           repaired until next
                       short                                                  release



            v. April 2007                                                                                                                                   Page 15
                                           Software Acquisition Management Risk Factors


            Risk Factors    Low Risk Cues          Medium Risk Cues High Risk Cues                                                                    Notes




                                                                                                       Medium


                                                                                                                       Not Applic
Factor ID




                                                                                                                                                TBD
                                                                                                 Low


                                                                                                                High


                                                                                                                                    Need Info
  92 Maintenance of         clearly defined        responsibility for     responsibility for
     modifications          responsibility for     maintenance of         maintenance of
                            maintenance of         modifications may be   modifications not
                            system modifications   supplier or acquirer   defined

  93 Input to system        supplier allows        supplier invites      supplier controls
     evolution              acquirer to have       review of options for product evolution
                            input into product     new releases          decisions
                            evolution decisions
  94 Compatibility          new versions are       new versions are       new versions are not
     with previous          both upward and        only upward            compatible with
     versions               downward               compatible             previous versions
                            compatible


                            Total Categories       10
                            Total Factors          94




            v. April 2007                                                                                                                             Page 16