Understanding Risk and Risk Management - PowerPoint PPT Presentation

1
Understanding Risk and Risk Management
  • John Cvetko, CISSP, CISA
  • Principal Consultant
  • TEK Associates, LLC
  • Email: cvet55_at_comcast.net
  • Phone: 503 799 2242

2
Overview
  • Risk and Risk Frameworks
  • Perspectives of risk frameworks
  • Risk Management Process
  • Review the basic elements of a Risk Management
    process
  • Scenario
  • Step through a scenario that demonstrates the Risk
    Management elements

3
How Do Organizations Use Risk Management
Techniques?
  • Liability Tool
  • Identify and manage liabilities
  • Opportunity Tool
  • Identify areas of high risk that can lead
    companies to new opportunities
  • Organization Tool
  • Understand how to organize and apply resources
  • A guide for maximizing results
  • Compliance Tool
  • Demonstrate compliance
  • Communications Tool
  • Communicate progress and risk positions to
    management and the functional project teams

4
What is a Risk?
  • Different disciplines have different definitions
    (EPA, Nuclear, Medical)
  • PMI Definition (PMBOK, Third Edition)
  • A risk is an uncertain event or condition that,
    if it occurs, has a positive or negative effect
    on at least one project objective
  • COSO Enterprise Risk Management View
  • (Committee of Sponsoring Organizations )
  • a process, effected by an entity's board of
    directors, management and other personnel,
    applied in a strategy setting and across the
    enterprise, designed to identify potential events
    that may affect the entity, and manage risks to
    be within its risk appetite, to provide
    reasonable assurance regarding the achievement of
    entity objectives.
  • Risk is Uncertainty

5
COSO Business Risk Framework (Committee of
Sponsoring Organizations for the Treadway
Commission)
  • Objectives can be viewed in the context of
    four categories
  • Strategic
  • Operations
  • Reporting
  • Compliance
  • Spans all levels of the organization
  • Enterprise-level
  • Division or subsidiary
  • Business unit processes
  • Subsidiary
  • Usually paired with IT benchmarking standards
  • COBIT, ITIL

6
Project Based Risk Management Framework
  • Project risk management
  • Key differences are
  • Objective setting is known as risk planning
  • Information and Communications are assumed
  • Tailored more for a specific project

7
Risk Management Plan
  • What is in a good plan?
  • State objective and expectations of the risk
    management effort.
  • Responsibility for decision events
  • Delegated authority for specific risk types
  • Processes for Risk Identification, Assessment,
    Mitigation/Control and Monitoring. (Flow Charts).
  • Show links to other processes and plans (e.g.,
    project plan, change management process,
    schedule)
  • Explain how risks will be communicated to
    management
  • Timeframe and Dashboard
  • Emergency issues
  • Independent Review
  • Reporting structure

8
Common Plan Errors
  • Not making the plan practical/realistic for the
    project at hand.
  • Confuse risk management plan with the project
    plan.
  • Lack of independent review/peer review.

9
Risk Identification: Understanding the Project
Requirements
  • Collect actionable/quantifiable requirements
  • Business goals or requirements
  • Product or service functionality, schedule and
    budget
  • Service level or performance goals
  • Sample of quantifiable requirements
  • Start of production date, process transactions
    within 10 seconds, availability of system is
    99.999%, increase efficiency by x.
  • Unclear Requirements = Unclear Risks
  • Unclear requirements are a risk

10
Risk Identification
  • Known Risks
  • These are the obvious risks that jump out quickly
    at the beginning of every project.
  • Unknown Risks
  • Are usually a result of inexperience in
    particular areas
  • Unknowable Risks
  • Are risks that can't be predicted even with the
    best information and experience available.

11
Risk Identification
  • Risks can come from many different sources
  • Products
  • configuration, technology, requirements, etc.
  • Procedures
  • development and operational processes, etc.
  • Business environment
  • cost, profit, regulations, competition, market
    fluctuations, etc.
  • Project
  • scope, schedule, resource availability, etc.
  • People
  • human error, skills, culture, blind spots, etc.
  • External
  • public opinion, economy, natural disasters etc.

12
Risk Identification Process
  • Cross Functional Team
  • Populate a well rounded team when identifying and
    assessing risks
  • Methods for teasing out risk items
  • Brainstorming
  • Interviews/Questionnaires
  • Review of similar projects
  • Subject matter experts
  • External experienced consultants
  • Technical Standards
  • Program specific Best Practice Guides, e.g., IT:
    COBIT, ITIL, ISO 17799
  • GAP analysis, SWOT, Cause and Effect, Fault Tree,
    Hazard and Operability (HAZOP), business impact
    analysis techniques
  • Prototyping

13
Risk Identification Process (cont)
  • Capture each risk item using wording such as
  • Due to / As a result of <definitive cause>, a/an
    <uncertain event> may occur, which could lead to
    <some effect on program objective(s)>
  • Document each item in a risk event list/database
  • Ensure a clear description of the consequence is
    included
  • Define the "so what"

14
Common Risk Identification Errors
  • Lack of experience in a crucial subject area
  • Not understanding what constitutes a risk; not
    listening with a risk management perspective
  • Not understanding blind spots
  • Not prepared for a significant amount of
    information
  • Over focus on a particular risk

15
Risk Assessment Process
  • Once risks are identified, each risk event needs
    to be assessed for
  • Impact to the project if the risk event occurs
  • Qualitative vs. Quantitative Assessments
  • Probability that the risk event will occur
  • Qualitative vs. Quantitative Assessments
  • Initially let each team member assess their own
    risks
  • Likely result
  • A predominance of events characterized as high
    likelihood, high consequence
  • Everyone thinks their risk items are the most
    important, i.e. high consequence, high likelihood
  • Assessments should then be made jointly by all
    the team members to gain agreement
  • The assessment results will impact what resources
    are devoted to which tasks

16
Risk Assessment Process
  • Risk index numbering establishes priorities
  • Enables the team to agree on the relative ranking
    of risk items
  • Caution: don't let the debate divert the process

17
Common Assessment Errors
  • Not breaking the problem or risk down to
    manageable pieces.
  • Not having enough information to fully assess the
    risk
  • Not having the authority to make decisions
  • Being overwhelmed: when in doubt, ask for help.

18
Risk Response Strategies
  • Response strategies for dealing with identified
    risks
  • Avoidance (Elimination)
  • pursue a completely different approach (e.g. use
    another supplier)
  • Transfer
  • move risk elsewhere (e.g. back to the customer,
    buy insurance.)
  • Mitigation (Reduction)
  • take steps to minimize the consequence and/or
    likelihood of the risk occurring (e.g. develop
    secondary approach, train multiple personnel)
  • Acceptance
  • if it happens, it happens and we'll deal with
    it
  • Strategy use
  • Multiple strategies can be used per risk event
    and strategies may change with time

19
Risk Response Planning
  • Develop a response plan to implement the strategy
  • What is to be done, what is the budget, what is
    the schedule
  • Develop a plan B
  • Determine who is responsible for implementing the
    plan
  • Accountability
  • Communicate
  • Inform management and project team of the plan

20
Common Response Plan Errors
  • Not clearly assigning accountability for
    individual plans.
  • Not having a plan B
  • Creating a plan on half an assessment.
  • Not understanding residual risk

21
Risk Event Monitoring
  • Continuous monitoring and proactively addressing
    developments are vital to a successful risk
    management process
  • Review Red items and upcoming trigger events at
    least weekly
  • Track actual closure of risk items
  • Closure date, how/why closed, any special issues
    or circumstances

22
Risk Management Status Tracking
  • Summary Matrix
  • A risk summary matrix of risk priorities is a
    quick-look approach to monitoring and
    communicating status
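The slides describe the risk wording template (slide 13), the risk index numbering used to agree a relative ranking (slides 15 and 16), and the summary matrix used for status tracking (slide 22) but do not show them computed. The following Python is an added worked example, not code from the presentation or its author: it builds a small risk register for the ACME scenario and derives the index, the Red/Amber/Green status, the ranking and the matrix from it. The 1-5 likelihood and impact scales, the Red/Amber/Green thresholds, and the four register entries are all constructed assumptions for illustration; only the 26k-dollars-a-day savings figure comes from the scenario.

```python
from dataclasses import dataclass
from typing import List

# Qualitative 1-5 scales. The slides contrast qualitative and quantitative
# assessment but fix no scale; these five-step scales are an assumption.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Red/Amber/Green thresholds on the likelihood x impact index (assumed values).
RED_THRESHOLD = 15
AMBER_THRESHOLD = 8


@dataclass
class RiskEvent:
    rid: str
    cause: str        # the "definitive cause" of the slide 13 template
    event: str        # the "uncertain event"
    effect: str       # the "effect on program objective(s)"
    likelihood: str   # a key of LIKELIHOOD
    impact: str       # a key of IMPACT
    owner: str        # who is accountable for the response plan (slide 19)

    def statement(self) -> str:
        """Risk wording in the slide 13 form: cause -> event -> effect."""
        return (f"Due to {self.cause}, {self.event} may occur, "
                f"which could lead to {self.effect}.")

    def index(self) -> int:
        """Risk index number: likelihood score times impact score."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rag_status(index: int) -> str:
    """Map an index to the Red/Amber/Green status used for weekly review."""
    if index >= RED_THRESHOLD:
        return "Red"
    if index >= AMBER_THRESHOLD:
        return "Amber"
    return "Green"


def rank_risks(register: List[RiskEvent]) -> List[RiskEvent]:
    """Order by descending index; ties broken by id so the ranking is stable."""
    return sorted(register, key=lambda r: (-r.index(), r.rid))


def summary_matrix(register: List[RiskEvent]) -> List[List[int]]:
    """5x5 count grid: row 0 is impact 5 (top), column 0 is likelihood 1."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[5 - IMPACT[r.impact]][LIKELIHOOD[r.likelihood] - 1] += 1
    return grid


def render_matrix(grid: List[List[int]]) -> str:
    """Text rendering of the summary matrix for a status report."""
    lines = ["impact\\likelihood  1  2  3  4  5"]
    for row_idx, row in enumerate(grid):
        impact_score = 5 - row_idx
        lines.append(f"{impact_score:>17}  " + "  ".join(str(c) for c in row))
    return "\n".join(lines)


def delay_exposure(probability: float, days_late: int, daily_saving: int = 26_000) -> float:
    """Quantitative counterpart: expected savings forgone if go-live slips.
    The 26k-dollars-a-day saving is the scenario's figure; probability and
    days late are the assessor's inputs."""
    return probability * days_late * daily_saving


# Constructed risk register for the ACME scenario (sample data, not from the slides).
ACME_REGISTER = [
    RiskEvent("R1", "the supplier being new to on-line financial transactions",
              "the payment module going live with security defects",
              "exposure of customer card data and a halted rollout",
              "likely", "severe", "Security Officer"),
    RiskEvent("R2", "the payment module still being under development",
              "late delivery of the module",
              "each day of delay forgoing the expected daily savings",
              "possible", "major", "Project Manager"),
    RiskEvent("R3", "the 250-person manual process being wound down before cutover",
              "loss of the staff who know the manual fallback",
              "no fallback if the new system is unavailable",
              "possible", "moderate", "Business Owner"),
    RiskEvent("R4", "an unstated availability requirement",
              "the COTS system failing to meet the expected service level",
              "customers being unable to pay on-line",
              "unlikely", "moderate", "Engineering Manager"),
]


if __name__ == "__main__":
    for r in rank_risks(ACME_REGISTER):
        print(f"{r.rid} index={r.index():>2} {rag_status(r.index())}: {r.statement()}")
    print(render_matrix(summary_matrix(ACME_REGISTER)))
    print(f"Expected savings lost from a 30-day slip at 30%: ${delay_exposure(0.3, 30):,.0f}")
```

The index is deliberately a plain product so the team can argue about the two inputs rather than the formula; the matrix then shows at a glance how many items sit in the top-right corner that the weekly Red-item review (slide 21) should be looking at.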

23
Risk Scenario
S1
  • You work for the ACME car insurance company. ACME
    is a 1 billion dollar public company that is
    implementing a new collection system to enable
    customers to review their bills and take credit
    card and direct deposit payments on-line. This
    system will replace an existing manual system
    that requires 250 people to manage. The cost of
    this system is 20 million dollars and is
    expected to save the company 26k dollars a day.
  • This software system is a commercial off the
    shelf (COTS) system with the exception of the
    on-line (credit card and direct deposit) payment
    module. The module is currently being developed
    by the software supplier. The supplier is new to
    the world of on-line financial transactions.

Monday Morning Team Meeting Status
24
Risk Identification Build-up List
S2
Monday Morning Team Meeting
Team Members: Project Manager, Engineering
Manager, Business Owner, Security Officer, Finance
25
Initial Risk Impact Ranking
S3
26
Risk Management Status Tracking
S4
Monday Afternoon Weekly Executive Briefing
27
Risk Assessment Process
S5
Tuesday Afternoon
28
Risk Response Development and Implementation
S6
Wednesday Afternoon
29
Updated Risk Impact Ranking
S7
Wednesday Afternoon
30
Summary
  • Apply some form of a risk management process to
    all your projects
  • Every project has risks; if you listen for them,
    you can manage and communicate them appropriately
  • Apply the KISS principle
  • Use risk management as a tool that facilitates
  • Communications
  • Organization
  • Opportunity identification
  • Liability and Compliance Management
  • Learn each time you use an RM process
  • It is a skill that can be learned and mastered
    with practice