Enterprise Resource Planning (ERP) system implementation is typically a massive undertaking for an enterprise. Due to the magnitude of an ERP implementation and the frequency of ERP failures, companies have greater incentives to proactively identify and mitigate the various risks associated with the implementation process. A Protiviti whitepaper addresses these ERM implementation issues and offers guidance on how to manage ERP implementation risk.
ERP Implementation Risk and Mitigation
ERP systems are designed to integrate internal and external information that enhances the flow of communication and decision-making across an enterprise, and focuses on business processes and functions. As a result of the vast nature of the ERP implementation process, the related risks are commensurate with the scale of the ERP system project. Risks range from broad to narrow and pervasively affect the outcome of business processes after the “go-live” date when the ERP system is fully operational and available to end users (employees, lower level managers, etc.). The scope of this Protiviti whitepaper explores both pre and post “go-live” issues.
Many businesses vastly underestimate the complexity and resources necessary to implement an effective ERP system. Therefore, they fail to adequately plan for unpredictable contingencies that push back schedules and deliverables. This is exacerbated by the interdependencies associated with ERP. That is, as one area of the ERP implementation process experiences a setback the other areas are also affected and the problem is compounded. The compounding effect of not meeting timelines is the reason why many other risks of ERP implementation are influenced by scheduling and contingency risk. Thus, this is one of the high risk areas that affect core strategic objectives. The authors suggest one way to effectively mitigate these risks is to establish milestones that each project team can develop plans around.
A common pitfall of management is to assume that ERP is solely an IT project. However, post ERP implementation is pervasive such that most business processes are, at a minimum, affected by the system and at times are completely removed or integrated. Change management is broader than ERP systems, although change management managers should work alongside ERP project managers to ensure an effective transition post ERP “go-live”. Protiviti suggests that the change management process—specifically for ERP implementation—should begin early on within the ERP implementation process. The result of initiating change management early is awareness created across the enterprise of the ERP project itself, and the impact and benefits of the change on end users, business processes, and technology. Additionally, later in the project’s life cycle, change management creates more specific awareness of the impact ERP has on job design and organizational structure.
Another risk in implementing an ERP system is the lack of involvement from cross-functional areas. Therefore, the authors suggest a full-time process owner who has the responsibility of making decisions regarding the business processes that will ensue after the completion of the implementation process. Also, it is important for management to consider retaining talented employees in the process owner positions sometimes even permanently.
Due to the discretionary nature of testing, many managers will shortcut testing of an ERP system to expedite or meet the “go-live” date. Extensive testing ensures less maintenance costs during the post “go-live” period. Testing is broken up into the following phases:
- Unit testing-stand-alone test that involves testing of individual transactions and subprocesses.
- Integration testing-end-to-end testing that simulates real business transactions.
- User acceptance testing (UAT)-allows end users to apply learned training skills and give feedback.
To mitigate ineffective testing, project managers should ensure timely unit testing so that the other tests don’t suffer time constraints and therefore test compression.
The risk associated with data conversion and validation is the inadequacy of planning the amount of time and required resources for mapping data structures. To manage data conversion programs, companies should thoroughly test the programs and proactively and continuously asses data risk.
The riskiness of technical issues is extremely broad such that some are not found through formal risk assessments. However, many stem from the fact that businesses attempt to implement an ERM system with as little customization as possible. Even though there is a desire for more standardization, customization of an ERP system is inevitable. Managers will procrastinate customizing the system until it pushes back schedules and increases costs of implementation. The authors suggest that customization should be aligned with the system development life cycle to counteract this risk.
Many organizations underestimate the importance of effectively designing security user access in order to minimize costs related to redesigning. This leads to unnecessary segregation of duties and a lack of means to remove access. Therefore, security end user access should be driven by segregation of duties and access rules that are approved by internal and external auditors.
ERP Internal Control Integration
Finally, a controls team should be created to work alongside the design team when designing post-implementation business processes. Controls are put in place within each business process to minimize manual control reliance. At the same time, the controls team communicates with internal and external auditors to help assure the effectiveness of internal controls and provide evidence as such.
Upper Level Engagement in ERP Implementation Risk Management
Engaging upper management in the ERP implementation process is essential for risk mitigation. That is because management can more adequately identify, assess, and monitor risks. As management works with the ERP project team, project risk assessments are better aligned with ERP implementation milestones and therefore more effective as to gauging project progress.
To conclude, because of the vastness and pervasiveness of implementing an ERP system (especially for first-time implementation) the risk are equally as prevalent in breadth and scale. Consequently, there are many mistakes that companies make when not adequately focusing efforts on both post and prior period implementation. In this whitepaper, Protiviti has tackled many of these issues and suggestive actions to take to mitigate them.