Understanding Risk and Risk Management

1
Understanding Risk and Risk Management

• John Cvetko CISSP, CISA
• Principal Consultant
• TEK Associates, LLC
• Email cvet55_at_comcast.net
• Phone 503 799 2242

2
Overview

• Risk and Risk Frameworks
• Perspectives of risk frameworks
• Risk Management Process
• Review the basic elements of a Risk Management
  process
• Scenario
• Step though a scenario that demonstrates the Risk
  Management elements

3
How Do Organizations Use Risk Management
Techniques?

• Liability Tool
• Identify and manage liabilities
• Opportunity Tool
• Identify areas of high risk that can lead
  companies to new opportunities
• Organization Tool
• Understand how to organize and apply resources
• A guide for maximizing results
• Compliance Tool
• Demonstrate compliance
• Communications Tool
• Communicate progress and risk positions to
  management and the functional project teams

4
What is a Risk?

• Different disciplines have different definitions
  (EPA, Nuclear, Medical)
• PMI Definition (PMBOK, Third Edition)
• A risk is an uncertain event or condition, that
  if it occurs, has a positive or negative effect
  on at least one project objective
• COSO Enterprise Risk Management View
• (Committee of Sponsoring Organizations )
• a process, effected by an entity's board of
  directors, management and other personnel,
  applied in a strategy setting and across the
  enterprise, designed to identify potential events
  that may affect the entity, and manage risks to
  be within its risk appetite, to provide
  reasonable assurance regarding the achievement of
  entity objectives.
• Risk is Uncertainty

5
COSO Business Risk FrameworkCommittee of
Sponsoring Organizations for the Treadway
Commission

• Objectives can be viewed in the context of
  four categories
• Strategic
• Operations
• Reporting
• Compliance
• Spans all levels of the organization
• Enterprise-level
• Division or subsidiary
• Business unit processes
• Subsidiary
• Usually paired with IT benchmarking standards
• COBIT, ITIL

6
Project Based Risk Management Framework

• Project risk management
• Key differences are
• Objective setting is known as risk planning
• Information and Communications are assumed
• Tailored more for a specific project

7
Risk Management Plan

• What is in a good plan?
• State objective and expectations of the risk
  management effort.
• Responsibility for decision events
• Delegated authority for specific risk types
• Processes for Risk Identification, Assessment,
  Mitigation/Control and Monitoring. (Flow Charts).
• Show links to other processes and plans (project
  plan, change management process, schedule, for
  e.g.)
• Explain how risks will be communicated to
  management?
• Timeframe and Dashboard
• Emergency issues
• Independent Review
• Reporting structure

8
Common Plan Errors

• Not making the plan practical/realistic for the
  project at hand.
• Confuse risk management plan with the project
  plan.
• Lack of independent review/peer review.

9
Risk IdentificationUnderstanding the Project
Requirements

• Collect actionable/quantifiable requirements
• Business goals or requirements
• Product or service functionality, schedule and
  budget
• Service level or performance goals
• Sample of quantifiable requirements
• Start of production date, process transactions
  within 10 seconds, availability of system is
  99.999, increase efficiency by x.
• Unclear Requirements Unclear Risks
• Unclear requirements are a risk

10
Risk Identification

• Known Risks
• These are the obvious risks that jump out quickly
  at the beginning of every project.
• Unknown Risks
• Are usually a result of inexperience in
  particular areas
• Unknowable Risks
• Are risks that cant be predicted even with the
  best information and experience available.

11
Risk Identification

• Risks can come from many different sources
• Products
• configuration, technology, requirements, etc.
• Procedures
• development and operational processes, etc.
• Business environment
• cost, profit, regulations, competition, market
  fluctuations, etc.
• Project
• scope, schedule, resource availability, etc.
• People
• human error, skills, culture, blind spots, etc.
• External
• public opinion, economy, natural disasters etc.

12
Risk Identification Process

• Cross Functional Team
• Populate a well rounded team when identifying and
  assessing risks
• Methods for teasing out risk items
• Brainstorming
• Interviews/Questionnaires
• Review of similar projects
• Subject matter experts
• External experienced consultants
• Technical Standards
• Program specific Best Practice Guides, e.g., IT
  CoBit, ITIL, ISO17799
• GAP analysis, SWOT, Cause and Effect, Fault Tree,
  Hazard and Operability (HAZOP), business impact
  analysis techniques
• Prototyping

13
Risk Identification Process (cont)

• Capture each risk item using wording such as
• Due to/As a of result ltdefinitive causegt, a/an
  ltuncertain eventgt may occur which could lead to
  ltsome effect on program objective(s)gt
• Document each item in a risk event list/database
• Ensure a clear description of the consequence is
  included
• Define the so what

14
Common Risk Identification Errors

• Lack of experience in a crucial subject area
• Not understanding what constitutes a risk not
  listening with a risk management perspective
• Not understanding blind spots
• Not prepared for a significant amount of
  information
• Over focus on a particular risk

15
Risk Assessment Process

• Once risks are identified, each risk event needs
  to be assessed for
• Impact to the project if the risk event occurs
• Qualitative vs. Quantitative Assessments
• Probability that the risk event will occur
• Qualitative vs. Quantitative Assessments
• Initially let each team member assess their own
  risks
• Likely result
• A predominance of events characterized as high
  likelihood, high consequence
• Everyone thinks their risk items are the most
  important, i.e. high consequence, high likelihood
  
• Assessments should then be made jointly by all
  the team members to gain agreement
• The assessment results will impact what resources
  are devoted to which tasks

16
Risk Assessment Process

• Risk index numbering establishes priorities
• Enables the team to agree on the relative ranking
  of risk items
• Caution dont let the debate divert the process

17
Common Assessment Errors

• Not breaking the problem or risk down to
  manageable pieces.
• Not having enough information to fully assess the
  risk
• Not having the authority to make decisions
• Being overwhelmedwhen in doubt ask for help.

18
Risk Response Strategies

• Response strategies for dealing with identified
  risks
• Avoidance (Elimination)
• pursue a completely different approach (e.g. use
  another supplier)
• Transfer
• move risk elsewhere (e.g. back to the customer,
  buy insurance.)
• Mitigation (Reduction)
• take steps to minimize the consequence and/or
  likelihood of the risk occurring (e.g. develop
  secondary approach, train multiple personnel)
• Acceptance
• if it happens, it happens and well deal with
  it
• Strategy use
• Multiple strategies can be used per risk event
  and strategies may change with time

19
Risk Response Planning

• Develop a response plan to implement the strategy
• What is to be done, what is the budget, what is
  the schedule
• Develop a plan B
• Determine who is responsible for implementing the
  plan
• Accountability
• Communicate
• Inform management and project team of the plan

20
Common Response Plan Errors

• Not clearly assigning accountability for
  individual plans.
• Not having a plan B
• Creating a plan on half an assessment.
• Not understanding residual risk

21
Risk Event Monitoring

• Continuous monitoring and proactively addressing
  developments are vital to a successful risk
  management process
• Review Red items an upcoming trigger events at
  least weekly
• Track actual closure of risk items
• Closure date, how/why closed, any special issues
  or circumstances

22
Risk Management Status Tracking

• Summary Matrix
• A risk summary matrix of risk priorities is
  quick look approach to monitoring and
  communicating status

23
Risk Scenario
S1

• You work for the ACME car insurance company. ACME
  is a 1 billion dollar public company that is
  implementing a new collection system to enable
  customers to review their bills and take credit
  card and direct deposit payments on-line. This
  system will replace an existing manual system
  that requires 250 people to manage. The cost of
  this system is 20 million dollars and is
  expected to save the company 26k dollars a day.
• This software system is a commercial off the
  shelf (COTS) system with the exception of the
  on-line (credit card and direct deposit) payment
  module. The module is currently being developed
  by the software supplier. The supplier is new to
  the world of on-line financial transactions.

Monday Morning Team Meeting Status
24
Risk Identification Build-up List
S2
Monday Morning Team Meeting
Team Members Project Manager Engineering
Manager Business Owner Security Officer Finance
25
Initial Risk Impact Ranking
S3
26
Risk Management Status Tracking
S4
Monday Afternoon Weekly Executive Briefing
27
Risk Assessment Process
S5
Tuesday Afternoon
28
Risk Response Development and Implementation
S6
Wednesday Afternoon
29
Updated Risk Impact Ranking
S7
Wednesday Afternoon
30
Summary

• Apply some form of a risk management process to
  all your projects
• Every project has risks if you listen for them
  you can manage and communicate them appropriately
• Apply the KISS principle
• Use risk management as a tool that facilitates
• Communications
• Organization
• Opportunity identification
• Liability and Compliance Management
• Learn each time you use an RM process
• It is a skill that can be learned and mastered
  with practice