
ANTON JORDAAN: Today we are joined
by Nathan Morelli, ICT Assurance Manager
at the Department of Education.
Welcome, Nathan.
NATHAN MORELLI: Thanks for having me.
ANTON JORDAAN: Pleasure.
Maybe we could start by you giving us
a bit of very brief background of your role in the ICT
assurance area.
NATHAN MORELLI: Yes.
So our team's role is to help the Department of Education
Child Develop manage ICT-related risk.
That's risk for both our corporate teams
and for our schools, and our preschool teams as well.
ANTON JORDAAN: OK.
So I guess you guys get involved in many projects
within the schools and high schools, primary schools,
and so forth.
So if we bring it into a project context,
when you set out with a new project,
you're at the initiation stage of the project,
you'd be involved in identifying risks, would you?
You'd be part of a team or perhaps lead a team?
NATHAN MORELLI: Yeah.
Our team's role is to be part of that team from early on.
We actually really engage with the biggest projects
really early on in terms of helping them identify
ICT-related risk and how we can help them track their risk
registers and help them shape their risk management plans as
well throughout the projects.
ANTON JORDAAN: OK so let's zoom in to the risk identification
stage, I think.
So with our students, we've gone through risk identification
as a concept and how to go about it.
But I think what we'd like to hear from you is, practically,
how do you guys go about ensuring that you pick
a broad set of risks in your projects
at the really early initiation stage of the project?
NATHAN MORELLI: Yeah.
I think it's really important for us to be involved almost
during project scoping as well so we can help understand
the purpose of the project and the deliverables it's trying
to achieve for the business, and what the organisation is trying
to achieve from the project.
So then we can have a really good understanding
of the goals of the project, so then we
can understand the IT-related risks for them.
So we may sit with the project teams in their scoping meetings
or how they're dealing with the business.
We might sit in those meetings so we've
got that really good understanding so then we
can start identifying the risks when we come down to meeting
with the teams, and helping them set up their risk registers.
So one of the ways that's worked really well at the department
and in my previous work places is
that we have risk workshops with, both the project
and the business people involved,
where we might take the lead on identifying risks associated
with delivery of the project and what it's trying to deliver
for the business, and
those risk workshops, in being a risk specialist,
you try and tease out of the business and the project team,
how they're going to deliver the project, what they're
trying to achieve, and then work out the risk areas that might
impact the successful delivery of the project and the business
objectives.
You might use some frameworks and try and incorporate
that into your conversations with the business.
You might try and consider not only technology risks
as well when you've got an IT-based project.
There's a lot of technical people on the project,
and they quite often only focus on technical risks
and availability of servers or other IT resources.
But there's more than that.
There's the political, there's the economical, the social
and the legal risks, so we will try and tease out
of the business and the project representatives
in a risk workshop.
If you're talking about legal risks,
you want to talk about some of the contractual risks that
might be involved with the project,
especially if you're procuring a software.
You might try and talk about some of the security risks
as well, from a technical perspective and the frameworks
that they might align to throughout the project,
and try and identify those risks that you need to make sure
that you're managing throughout the project's lifecycle.
ANTON JORDAAN: Just getting back to your risk workshops
that you were holding, would you be
involving the client in those workshops in terms of the risk
identification?
NATHAN MORELLI: Yeah, definitely.
We try and include as many of the key stakeholders
as possible, because that way we get
as many perspectives on the project
and the requirements for the project,
and where it's trying to get to.
So then we can identify as many risks as possible.
The more people you have in the room that
know about what's getting done and how it's going to be done,
the better you are going to be at identifying the risks,
and identifying potential management strategies for them,
and also identifying the controls they have already
thought of, they're already putting in place,
so you can document them and help the team manage the risk.
ANTON JORDAAN: So in this collective workshop,
how do we ensure that we get a good spread of risks?
And do you guys give consideration, perhaps,
to bring people into the workshop which may not
be involved in a particular project,
but bringing them in purely to draw off their past experience,
perhaps, of similar projects?
So do you actually make a conscious point of doing that?
NATHAN MORELLI: Yeah, we definitely
have some of the most successful workshops that we've
run have had representatives from our internal audit
and risk team, our internal procurement team, and also
anybody who's been involved in similar-sized projects
before so they can impart those learnings to that project,
and we can have the most effective risk management
that we possibly could.
Bringing in other internal resources
that know how the department does things
or how the business already does things
really helps in identifying the existing risk management
strategies and controls that we already
have in place to manage a lot of the risks
that you're talking about as a project and business team.
Having those people involved is really
critical to making sure that it's a successful workshop.
ANTON JORDAAN: Good.
OK.
So you make sure you capture the learnings from previous
projects, which is a weakness in many organisations that we
don't see that being carried through...
end up making the same sort of mistakes.
So just to wrap up the bit around the identification
of the risks, would you make use of brainstorming
or this type of methodology during such a session
to make sure you get a broad spectrum of risks represented?
Or just, perhaps, share with us how
you ensure, as you referenced, it's not just technical,
which is the sort of game that you're in to make sure
that the risks, beyond the technical risks,
are identified as well.
NATHAN MORELLI: So our approach probably depends a lot
on the people in the room.
We try and adapt that approach depending
upon people in the room, but generally,
being the risk professional in the room,
you've kind of got to lead them a little bit.
So you've really got to draw on that past experience
and draw on those other people in the room
to pull out examples from previous projects or examples
that you already know of that can prompt that discussion
and that thought about oh, how can I apply those risks
to my own project?
So you've really got to draw on that past experience...
and that kind of creates that brainstorming-like discussion.
ANTON JORDAAN: OK.
That free environment for people to jump in...
NATHAN MORELLI: ...to jump in.
ANTON JORDAAN: Unstructured and it's...
NATHAN MORELLI: Yeah.
I think it's really important when
you're having those conversations to let people
have, either that time to think, or that time to talk through it
in that open environment with people who understand where
they are trying to go.
And that really helps you understand the true risks,
and not just the generic...
I've picked that up, I've picked this up as I know this
is a risk to major projects.
You really start drawing upon the business-specific risks
and the specific risks delivered to that project.
ANTON JORDAAN: Right.
