Title: Understanding Risk and Risk Management
- John Cvetko CISSP, CISA
- Principal Consultant
- TEK Associates, LLC
- Email cvet55_at_comcast.net
- Phone 503 799 2242
Overview
- Risk and Risk Frameworks
  - Perspectives of risk frameworks
- Risk Management Process
  - Review the basic elements of a Risk Management process
- Scenario
  - Step through a scenario that demonstrates the Risk Management elements
How Do Organizations Use Risk Management Techniques?
- Liability Tool
  - Identify and manage liabilities
- Opportunity Tool
  - Identify areas of high risk that can lead companies to new opportunities
- Organization Tool
  - Understand how to organize and apply resources
  - A guide for maximizing results
- Compliance Tool
  - Demonstrate compliance
- Communications Tool
  - Communicate progress and risk positions to management and the functional project teams
What is a Risk?
- Different disciplines have different definitions (EPA, Nuclear, Medical)
- PMI Definition (PMBOK, Third Edition)
  - A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective
- COSO Enterprise Risk Management View (Committee of Sponsoring Organizations)
  - A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
- Risk is uncertainty
COSO Business Risk Framework (Committee of Sponsoring Organizations of the Treadway Commission)
- Objectives can be viewed in the context of four categories
  - Strategic
  - Operations
  - Reporting
  - Compliance
- Spans all levels of the organization
  - Enterprise-level
  - Division or subsidiary
  - Business unit processes
  - Subsidiary
- Usually paired with IT benchmarking standards
  - COBIT, ITIL
Project-Based Risk Management Framework
- Project risk management
- Key differences are
  - Objective setting is known as risk planning
  - Information and communications are assumed
  - Tailored more for a specific project
Risk Management Plan
- What is in a good plan?
  - State the objective and expectations of the risk management effort
  - Responsibility for decision events
  - Delegated authority for specific risk types
  - Processes for Risk Identification, Assessment, Mitigation/Control and Monitoring (flow charts)
  - Show links to other processes and plans (e.g. project plan, change management process, schedule)
  - Explain how risks will be communicated to management
    - Timeframe and dashboard
    - Emergency issues
    - Independent review
    - Reporting structure
Common Plan Errors
- Not making the plan practical/realistic for the project at hand
- Confusing the risk management plan with the project plan
- Lack of independent review/peer review
Risk Identification: Understanding the Project Requirements
- Collect actionable/quantifiable requirements
  - Business goals or requirements
  - Product or service functionality, schedule and budget
  - Service level or performance goals
- Sample of quantifiable requirements
  - Start of production date, process transactions within 10 seconds, availability of system is 99.999%, increase efficiency by x
- Unclear requirements, unclear risks
  - Unclear requirements are a risk
Risk Identification
- Known Risks
  - The obvious risks that jump out quickly at the beginning of every project
- Unknown Risks
  - Usually a result of inexperience in particular areas
- Unknowable Risks
  - Risks that can't be predicted even with the best information and experience available
Risk Identification
- Risks can come from many different sources
  - Products: configuration, technology, requirements, etc.
  - Procedures: development and operational processes, etc.
  - Business environment: cost, profit, regulations, competition, market fluctuations, etc.
  - Project: scope, schedule, resource availability, etc.
  - People: human error, skills, culture, blind spots, etc.
  - External: public opinion, economy, natural disasters, etc.
Risk Identification Process
- Cross-Functional Team
  - Populate a well-rounded team when identifying and assessing risks
- Methods for teasing out risk items
  - Brainstorming
  - Interviews/Questionnaires
  - Review of similar projects
  - Subject matter experts
  - External experienced consultants
  - Technical standards
  - Program-specific best practice guides, e.g. for IT: COBIT, ITIL, ISO 17799
  - Gap analysis, SWOT, cause and effect, fault tree, Hazard and Operability (HAZOP), business impact analysis techniques
  - Prototyping
Risk Identification Process (cont.)
- Capture each risk item using wording such as
  - Due to/As a result of <definitive cause>, a/an <uncertain event> may occur, which could lead to <some effect on program objective(s)>
- Document each item in a risk event list/database
  - Ensure a clear description of the consequence is included
  - Define the "so what"
Common Risk Identification Errors
- Lack of experience in a crucial subject area
- Not understanding what constitutes a risk; not listening with a risk management perspective
- Not understanding blind spots
- Not being prepared for a significant amount of information
- Over-focus on a particular risk
Risk Assessment Process
- Once risks are identified, each risk event needs to be assessed for
  - Impact to the project if the risk event occurs
    - Qualitative vs. quantitative assessments
  - Probability that the risk event will occur
    - Qualitative vs. quantitative assessments
- Initially let each team member assess their own risks
  - Likely result: a predominance of events characterized as high likelihood, high consequence
  - Everyone thinks their risk items are the most important, i.e. high consequence, high likelihood
- Assessments should then be made jointly by all the team members to gain agreement
- The assessment results will determine what resources are devoted to which tasks
Risk Assessment Process
- Risk index numbering establishes priorities
  - Enables the team to agree on the relative ranking of risk items
- Caution: don't let the debate divert the process
Common Assessment Errors
- Not breaking the problem or risk down into manageable pieces
- Not having enough information to fully assess the risk
- Not having the authority to make decisions
- Being overwhelmed; when in doubt, ask for help
Risk Response Strategies
- Response strategies for dealing with identified risks
  - Avoidance (Elimination): pursue a completely different approach (e.g. use another supplier)
  - Transfer: move the risk elsewhere (e.g. back to the customer, buy insurance)
  - Mitigation (Reduction): take steps to minimize the consequence and/or likelihood of the risk occurring (e.g. develop a secondary approach, train multiple personnel)
  - Acceptance: if it happens, it happens and we'll deal with it
- Strategy use
  - Multiple strategies can be used per risk event, and strategies may change with time
Risk Response Planning
- Develop a response plan to implement the strategy
  - What is to be done, what is the budget, what is the schedule
  - Develop a plan B
- Determine who is responsible for implementing the plan
  - Accountability
- Communicate
  - Inform management and the project team of the plan
Common Response Plan Errors
- Not clearly assigning accountability for individual plans
- Not having a plan B
- Creating a plan on half an assessment
- Not understanding residual risk
Risk Event Monitoring
- Continuous monitoring and proactively addressing developments are vital to a successful risk management process
- Review red items and upcoming trigger events at least weekly
- Track actual closure of risk items
  - Closure date, how/why closed, any special issues or circumstances
Risk Management Status Tracking
- Summary Matrix
  - A risk summary matrix of risk priorities is a quick-look approach to monitoring and communicating status
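The assessment, ranking, summary-matrix and weekly-review steps from the preceding slides, worked through as a small Python risk register. This is an added example, not material from the deck or from TEK Associates: the three-point likelihood/impact scale, the index thresholds for red/amber/green, the four strategy names and the five risk items (loosely modelled on the ACME scenario that follows, with arbitrary dates) are all constructed for illustration. Each item is stored in the "Due to <cause>, <event> may occur, which could lead to <effect>" form, and a half-finished assessment is rejected at entry rather than silently ranked.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# Assumed scales for this example; the deck only says an index number
# establishes priorities and that red items are reviewed weekly.
SCALE = {"low": 1, "medium": 2, "high": 3}
STRATEGIES = {"avoid", "transfer", "mitigate", "accept"}


@dataclass
class Risk:
    rid: str
    cause: str                      # <definitive cause>
    event: str                      # <uncertain event>
    effect: str                     # <effect on objective(s)>: the "so what"
    likelihood: str
    impact: str
    owner: str                      # who is accountable for the response plan
    strategy: str = "accept"
    trigger: Optional[date] = None  # date a trigger event is expected
    closed: Optional[date] = None   # closure date once the item is retired

    def __post_init__(self):
        # Refuse "a plan on half an assessment": both scores must be on the scale.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{self.rid}: {name} must be one of {sorted(SCALE)}, got {value!r}")
        if self.strategy not in STRATEGIES:
            raise ValueError(f"{self.rid}: unknown strategy {self.strategy!r}")

    def statement(self) -> str:
        return f"Due to {self.cause}, {self.event} may occur, which could lead to {self.effect}."

    def index(self) -> int:
        # Risk index = likelihood score x impact score (1..9 on this scale).
        return SCALE[self.likelihood] * SCALE[self.impact]

    def rating(self) -> str:
        i = self.index()
        return "red" if i >= 6 else "amber" if i >= 3 else "green"


def open_items(register):
    return [r for r in register if r.closed is None]


def rank(register):
    """Highest index first; ties broken by id so the ordering is stable."""
    return sorted(open_items(register), key=lambda r: (-r.index(), r.rid))


def summary_matrix(register):
    """Open-item counts per (likelihood, impact) cell: the quick-look matrix."""
    matrix = {lik: {imp: 0 for imp in SCALE} for lik in SCALE}
    for r in open_items(register):
        matrix[r.likelihood][r.impact] += 1
    return matrix


def weekly_review(register, today: Union[date, str], horizon_days: int = 7):
    """Red items plus any open item whose trigger falls within the horizon."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    limit = today + timedelta(days=horizon_days)
    return [r for r in rank(register)
            if r.rating() == "red"
            or (r.trigger is not None and today <= r.trigger <= limit)]


# Constructed register for illustration; not the deck's own build-up list.
REGISTER = [
    Risk("R1", "the supplier being new to on-line financial transactions",
         "the payment module missing its delivery date",
         "a delayed start of production and lost savings of $26K per day",
         "high", "high", "Engineering Manager", "mitigate", trigger=date(2007, 6, 4)),
    Risk("R2", "unclear requirements for direct deposit handling",
         "rework of the payment module after acceptance testing",
         "schedule slip and added supplier cost",
         "medium", "high", "Business Owner", "mitigate"),
    Risk("R3", "payment data being handled by a custom-built module",
         "an audit finding against the module design",
         "go-live blocked until the finding is resolved",
         "medium", "medium", "Security Officer", "transfer", trigger=date(2007, 7, 1)),
    Risk("R4", "staff turnover in the manual collections group",
         "loss of process knowledge before cut-over",
         "errors during the parallel run",
         "low", "medium", "Project Manager", "accept"),
    Risk("R5", "COTS vendor licensing terms",
         "a pricing change at renewal",
         "higher operating cost",
         "low", "low", "Finance", "accept", closed=date(2007, 5, 1)),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.rid} index={r.index()} {r.rating():5} {r.owner}: {r.statement()}")
    print(summary_matrix(REGISTER))
    print("review:", [r.rid for r in weekly_review(REGISTER, "2007-06-01")])
```

Closed items drop out of the ranking and the matrix but stay in the register with their closure date, so the "how/why closed" record survives; the weekly review pulls every red item regardless of trigger date, and amber or green items only when their trigger falls inside the review window.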
Risk Scenario
S1
- You work for the ACME car insurance company. ACME is a $1 billion public company that is implementing a new collection system to enable customers to review their bills and take credit card and direct deposit payments on-line. This system will replace an existing manual system that requires 250 people to manage. The cost of this system is $20 million, and it is expected to save the company $26K a day.
- This software system is a commercial off-the-shelf (COTS) system, with the exception of the on-line (credit card and direct deposit) payment module. The module is currently being developed by the software supplier. The supplier is new to the world of on-line financial transactions.
Monday Morning Team Meeting Status
Risk Identification Build-up List
S2
Monday Morning Team Meeting
Team Members: Project Manager, Engineering Manager, Business Owner, Security Officer, Finance
Initial Risk Impact Ranking
S3
Risk Management Status Tracking
S4
Monday Afternoon Weekly Executive Briefing
Risk Assessment Process
S5
Tuesday Afternoon
Risk Response Development and Implementation
S6
Wednesday Afternoon
Updated Risk Impact Ranking
S7
Wednesday Afternoon
Summary
- Apply some form of a risk management process to all your projects
- Every project has risks; if you listen for them, you can manage and communicate them appropriately
- Apply the KISS principle
- Use risk management as a tool that facilitates
  - Communications
  - Organization
  - Opportunity identification
  - Liability and compliance management
- Learn each time you use an RM process
  - It is a skill that can be learned and mastered with practice