How 'pre-mortem' analysis can support successful IT deployments

Check Point Software Technologies Ltd

By Scott Mann*
Monday, 11 November, 2024


With high stakes involved in large-scale IT deployments, organisations are constantly seeking ways to mitigate risks and increase the likelihood of successful outcomes.

One strategic approach gaining traction is the concept of a ‘pre-mortem’ analysis. Initially highlighted in a 2007 Harvard Business Review article [1], the approach aims to improve project success rates by addressing potential pitfalls before they cause disruption.

The premise of pre-mortem analysis

A pre-mortem analysis is essentially the inverse of a post-mortem. Unlike the latter, which evaluates failures after a project has faced issues, a pre-mortem occurs before a project’s execution, envisioning potential failures and planning accordingly.

This method allows organisations to anticipate possible risks, thereby equipping them with the means to navigate obstacles more effectively during deployment and operation. By integrating this approach into project planning, companies can shift from a reactive to a proactive and problem-preventative mindset, leading to a more resilient project strategy.

Steps in a pre-mortem process

Implementing a successful pre-mortem analysis involves a series of structured steps that help organisations anticipate and mitigate risks. The steps include:

  1. Project overview and goal setting: The process begins by clearly defining the project’s objectives, desired outcomes and constraints. It’s crucial to include input from all project stakeholders to establish a comprehensive understanding of the scope and priorities.
  2. Identify potential risks and challenges: In this step, participants brainstorm a wide range of risks, including technical, operational, financial and human resource-related issues. The goal is to uncover as many potential challenges as possible that could derail the project and, if possible, their original causes.
  3. Imagine project failure: At this step, the team assumes that the project has failed and works backwards to identify the most likely causes. This thought experiment helps bring hidden risks to the surface by exploring various failure scenarios.
  4. Analyse potential failure scenarios: After imagining failure, the next step involves breaking down each scenario into its underlying causes. Teams analyse what actions — or lack thereof — could contribute to these failures.
  5. Develop relevant mitigation strategies: Once potential risks are identified, the organisation must devise strategies to either prevent or mitigate these risks. Contingency plans and backup options are crafted to address potential setbacks.
  6. Implement the mitigation strategies: Finally, these strategies are integrated into the project’s execution plan. Throughout the project’s life cycle, the team monitors and adjusts the strategies as needed, ensuring flexibility and adaptability.

Real-world applications

Pre-mortem analysis has found particular relevance in areas such as cybersecurity, where foreseeing potential threats is key to safeguarding sensitive information. For example, pre-mortem exercises can mimic a ‘tabletop penetration test’ scenario, allowing an organisation to identify security vulnerabilities through open discussion before conducting a formal pen test. This proactive dialogue helps to uncover common weaknesses that might otherwise remain unnoticed.

Consider the hypothetical scenario of a successful ransomware attack. A pre-mortem analysis could help a team explore how such an event might unfold, focusing less on the reactive steps and more on the initial vulnerabilities that enabled the breach. This allows for adjustments in security protocols before a threat materialises, reducing the likelihood of an attack.

Another example is an IT migration where security considerations are overlooked. Suppose a company undergoes a major system migration without involving its security and incident response teams.

A pre-mortem could identify this oversight and ensure that all possible risks, including those related to data breaches or system downtime, are addressed in advance. This type of analysis might have helped prevent high-profile incidents where migration processes exposed sensitive data to cyber threats.

Best practices and lessons learned

Pre-mortem analysis underscores the importance of preparedness. It emphasises the need to involve individuals who have a deep understanding of internal controls and who can identify where weaknesses may lie. By giving these voices a platform, organisations can ensure that potential risks are addressed before they become significant issues.

Incorporating diverse perspectives is crucial to a thorough pre-mortem process. Involving technical experts, operational staff and management helps create a comprehensive picture of potential risks.

Additionally, regular updates to the pre-mortem analysis, aligned with changes in the project’s scope or environment, keep the mitigation strategies relevant and effective throughout the project’s life cycle.

The value of proactive risk management

The benefits of pre-mortem analysis for IT projects are clear. It fosters a culture of proactive risk management, enabling organisations to identify and address issues before they impact project outcomes. By imagining failure and planning around it, companies can increase their chances of successful deployments, saving time and resources and avoiding reputational damage.

As IT projects become more complex and the risks associated with digital transformations grow, the adoption of pre-mortem analysis should be a standard practice. By embedding this approach into project management processes, organisations can better navigate the challenges of modern IT environments and achieve long-term success.

1. Klein G 2017, ‘Performing a Project Premortem’, Harvard Business Review, <https://hbr.org/2007/09/performing-a-project-premortem>

*Scott Mann is Incident Response Team Lead – APAC for Check Point Software Technologies. He is an industry specialist in digital forensics and computer security incident response with more than 25 years of experience providing services to the private sector, government and law enforcement agencies. Previously Scott was a detective with the Victoria Police Computer Crime Investigation Squad, where he conducted computer crime investigations as well as supporting other investigators in research, seizure and examination of computer-based evidence.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd