Enterprise resource planning (ERP) software is an essential platform for managing and supporting business operations. While ERP platforms can be transformational and add significant value, companies must be careful when implementing or upgrading systems to avoid risks that could limit return on investment, create vulnerabilities or cause regulatory concerns.

Recent Gartner research found that 75 percent of ERP initiatives fail, a rate driven by the number of risks that arise during implementations. Several of these risks persist throughout an ERP implementation, becoming costlier and creating delays as the project progresses.

We have identified seven critical ERP implementation risks that directly align with the success factors of an implementation. As an organization addresses and mitigates these risks, the potential for a successful ERP implementation greatly increases.

  • Project governance

An organization must pay close attention to key governance processes, including the budget and timeline, and to preplanning activities such as resource strategy, software and vendor selection, and deployment methodology. A governance failure can leave a company with less than it signed up for in an ERP implementation, along with communication issues, delays, ineffective internal support, and budget overages.

  • Business requirements

During an ERP implementation or upgrade, an organization must accurately document business requirements, map them to new ERP capabilities and thoroughly test them. Not implementing effective business requirement processes can present several risks, including poor alignment of the ERP system with business operations, process flow gaps, inadequate documentation of testing errors and unnecessary custom functionality.

  • Data

For successful ERP implementation, a business must employ a well-planned data classification process along with appropriate cleansing, mapping and migration processes. Potential data risks include improper classification of sensitive data, failure to identify data owners, failure to properly migrate or validate data, improper data cleansing, and inaccurate testing of data migration.

  • Regulatory requirements, security, and controls

When implementing an ERP platform, an organization must consider applicable regulatory requirements such as the Sarbanes-Oxley Act (SOX) or Payment Card Industry (PCI), as well as data privacy guidelines, and how the ERP can support controls automation. A successful implementation integrates security controls and effective cybersecurity controls, without segregation of duties conflicts. Improper planning and scoping can result in an inability to meet regulatory requirements after go-live, underuse of the ERP's capabilities for automated controls, significant security issues and cybersecurity vulnerabilities.

  • Organizational change management

Before and during an ERP implementation, the company must encourage effective communication between the project team and other stakeholders. End-user training is also critical and must align with the security model. Not following these steps can result in misalignment between the project team and communications, rumors about the status of the ERP implementation, and inadequate training on how users will perform their jobs and security roles in the new ERP system.

  • Operations

From an operational standpoint, a post-go-live support strategy should be in place to address emerging needs effectively, and service level agreements with any third-party companies providing these support services should be reviewed for adequacy. Identifying the critical batch programs associated with the ERP, along with their assigned owners and backup strategy, is essential.

  • Technology

The ERP itself must be designed specifically to meet the needs of the business, with a future-state technology landscape that includes additional interfaces and adequate infrastructure to meet performance demand. The company must also maintain awareness of new software releases and implement effective business continuity and disaster recovery processes. Potentially harmful technology risks include unclear identification of interfaces and third-party systems, disappointing system performance, unplanned functionality issues, and data errors.