Project governance
An organization must pay close attention to key governance processes, including the budget and timeline, and preplanning activities such as resource strategy, software and vendor selection, and deployment methodology. A governance failure can result in a company getting less than what they signed up for in an ERP implementation, with communication issues, delays, ineffective internal support, and budget overages.
Business requirements
During an ERP implementation or upgrade, an organization must accurately document business requirements, map them to new ERP capabilities, and thoroughly test them. Not implementing effective business requirement processes can present several risks, including poor alignment of the ERP system with business operations, process flow gaps, inadequate documentation of testing errors, and unnecessary custom functionality.
Data
For successful ERP implementation, a business must employ a well-planned data classification process along with appropriate cleansing, mapping, and migration processes. Potential data risks include improper classification of sensitive data, failure to identify data owners, failure to properly migrate or validate data, improper data cleansing, and inaccurate testing of data migration.
Regulatory requirements, security and controls
When implementing an ERP platform, an organization must consider applicable regulatory requirements such as Sarbanes-Oxley Act (SOX) or Payment Card Industry (PCI) and data privacy guidelines, and how ERP can support controls automation. A successful implementation integrates security controls, as well as effective cybersecurity controls, without segregation of duties conflicts. Improper planning and scoping can result in the inability to meet regulatory requirements after go-live, lack of optimized utilization of ERP capabilities from an automated controls perspective, significant security issues, and cybersecurity vulnerabilities.
Organizational change management
Before and during an ERP implementation, the company must encourage effective communication between the project team and other stakeholders. End-user training is also critical, with alignment to the security model. Not following these steps can result in misalignment between the project team and communications, rumors about the status of the ERP implementation, and inadequate training for how users will perform their jobs and security roles in the new ERP system.
Operations
From an operational standpoint, a post-go-live support strategy should be in place to efficiently address emerging needs, while service level agreements with any third-party companies providing these support services should be reviewed for adequacy. Identification of critical batch programs associated with ERP along with assigned owners and backup strategy is essential. The organization must also consider other company priorities that could affect the time allocation of project resources. Without effective processes, risks can include post-go-live support not addressing operational needs, resource allocation not properly maintaining operational state during implementation and the organization being vulnerable to losing critical data.
Technology
The ERP itself must be designed specifically to meet the needs of business, with a future state technology landscape that includes additional interfaces and adequate infrastructure to meet performance demand. The company must also maintain awareness of new software releases and implement effective business continuity and disaster recovery processes. Potentially harmful technology risks include unclear identification of interfaces and third-party systems, disappointing system performance, unplanned functionality issues, and data errors.
To identify and begin to address ERP implementation risks, organizations can initiate several assessments and strategy review processes. For example, if implementation tasks are not completed by the agreed-upon timeline, an implementation health check can uncover and reveal potential issues. Additionally, if cybersecurity issues are identified, an ERP security vulnerability assessment can address concerns before go-live. If an organization does not have the necessary ERP experience in-house, a qualified advisor can help to understand risks and implement risk mitigation strategies.
ERP project risk is real and can happen at any point in the ERP implementation life cycle, including before the project even starts. These project risks cannot always be prevented, but they can be identified, monitored, and mitigated before they result in significant issues.