Risk ManagementF


  • 7/31/2019 Risk ManagementF

    MEU

    Risk management

    Oday Manhal Hadadden

    What is risk management?

    Risk Management Strategy

    Risk is defined as being the threat that an event or action will adversely affect an organization's ability to achieve its objectives and to successfully execute its strategies. Risk Management is defined as the process by which risks are identified, evaluated and controlled.

    The Council recognizes it has a responsibility to manage both internal and external risks as a key component of good corporate governance and is committed to embedding risk management into the daily operations of the Council from the setting of objectives, to service and financial planning through to departmental processes. It believes that effective risk management will help the Council achieve its corporate objectives and provide better services.

    Risk management ensures that an organization identifies and understands the risks to which it is exposed. Risk management also guarantees that the organization creates and implements an effective plan to prevent losses or reduce the impact if a loss occurs.

    A risk management plan includes strategies and techniques for recognizing and confronting these threats. Good risk management doesn't have to be expensive or time consuming; it may be as uncomplicated as answering these three questions:

    1. What can go wrong?

    2. What will we do, both to prevent the harm from occurring and in response to the harm or loss?

    3. If something happens, how will we pay for it?

    It is also a systematic process for the identification and evaluation of loss exposures faced by an organization or individual and for the selection and administration of the most appropriate techniques for treating such exposures, including:

    Avoidance

    Retention

    Loss prevention

    Loss reduction

    Transfer contractually

    Transfer through insurance

    Risk management provides a clear and structured approach to identifying risks. Having a clear understanding of all risks allows an organization to measure and prioritize them and take the appropriate actions to reduce losses. Risk management has other benefits for an organization, including:

    Saving resources: Time, assets, income, property and people are all valuable resources that can be saved if fewer claims occur.

    Protecting the reputation and public image of the organization.

    Preventing or reducing legal liability and increasing the stability of operations.

    Protecting people from harm.

    Protecting the environment.

    Enhancing the ability to prepare for various circumstances.

    Reducing liabilities.

    Assisting in clearly defining insurance needs.

    An effective risk management practice does not eliminate risks. However, having an effective and operational risk management practice shows an insurer that your organization is committed to loss reduction or prevention. It makes your organization a better risk to insure.

    Risk Management aims to facilitate the exchange of information and expertise across countries and across disciplines. Its purpose is to generate ideas and promote good practice for those involved in the business of managing risk. All too often assessments of risk are crudely made and the consequences of getting things wrong can be serious, including lost opportunities, loss of business, loss of reputation and even life. This journal examines both the problems and potential solutions.

    Role of insurance in risk management

    Insurance is a valuable risk-financing tool. Few organizations have the reserves or funds necessary to take on the risk themselves and pay the total costs following a loss. Purchasing insurance, however, is not risk management. A thorough and thoughtful risk management plan is the commitment to prevent harm. Risk management also addresses many risks that are not insurable, including brand integrity, potential loss of tax-exempt status for volunteer groups, public goodwill and continuing donor support.

    Why manage your risk?

    An organization should have a risk management strategy because:

    People are now more likely to sue. Taking the steps to reduce injuries could help in defending against a claim.

    Courts are often sympathetic to injured claimants and give them the benefit of the doubt.

    Organizations and individuals are held to very high standards of care.

    People are more aware of the level of service to expect, and the recourse they can take if they have been wronged.

    Organizations are being held liable for the actions of their employees/volunteers.

    Organizations are perceived as having a lot of assets and/or high insurance policy limits.

    The Benefits of Risk Management:

    Risk management is a process which provides assurance that:

    Objectives are more likely to be achieved;

    Damaging things will not happen or are less likely to happen;

    Beneficial things will be or are more likely to be achieved.

    It is not a process for avoiding risk. The aim of risk management is not to eliminate risk, rather to manage the risks involved in all University activities to maximize opportunities and minimize adverse effects.

    Note: risk management is not the management of insurable risks. Insurance is an important way of transferring risk but most risks will be managed by other means.

    Good risk management provides upward assurance from business activities and administrative functions, from department to faculties, to the senior management team and ultimately to the governing body.

    The potential benefits from risk management are:

    Supporting strategic and business planning;

    Supporting effective use of resources;

    Promoting continuous improvement;

    Fewer shocks and unwelcome surprises;

    Quick grasp of new opportunities;

    Enhancing communication between Schools and Departments;

    Reassuring stakeholders;

    Helping focus internal audit programme.

    Risk Management Tools - Assessment:

    Risk management tools provide a way to assess risk and therefore manage ways to avoid these risks. They essentially provide a "what if?" sort of theme by applying the inherent possible risks in any given activity and then determining the best ways to avoid those risks and/or what actions can be taken if these risks do occur. Risk management tools usually take the form of software that takes in these probable risks and outcomes and then determines what needs to be done to avoid those risks. These tools are very helpful for any activity and in particular for businesses, as they can save them quite a bit of money by managing possible risks and outcomes to prevent them from ever occurring in the first place. In essence, by understanding the possible risks they can manage ways to avoid them. For example: if the business does not complete a contract by a certain date it loses so much money, and so it plots out ways to avoid this by making sure all aspects dealing with the contract, from employees to computer data, are completing their functions. That is just a tiny example and risk management tools go far beyond this simple function.

    Risk Management Tools - Avoiding Risk

    Risk management tools in business use a similar method by creating mathematical and statistical data to determine risk. Once the risk assessment is complete they can then manage every possible action that may cause the risk and then determine in which ways they can avoid it. This is useful not only in managing employees but also in managing products and all activities associated with your particular business. There are many software applications available that make full use of risk management tools and help keep your business, or whatever particular activity you may be involved in that can benefit, running smoothly.

    Risk Management Software Tools - Multiple Applications

    Risk management software tools provide a template with which to assess risk and then use the software to manage possible risk. This can be applied to many different activities including business, which uses the software to save money by being prepared for possible risks and understanding what causes them. This allows them to avoid that risk and therefore not lose money in the case of business. This can also be used for many different activities and is useful where there is an inherent risk in the activity, for instance in high rise construction work, laboratories, and others where there may be a high risk of danger. Even NASA uses risk management software tools to prevent possible risks and keep a safe work environment. Risk can also involve the loss of money for business practices. For this purpose you can assess with risk management software tools what possible risks may take place that will cause this loss of money and act accordingly to properly manage it and prevent it from happening again.

    Risk Management Software Tools - Economics and Beyond

    There have been many risk management software tools developed by major universities for any number of applications. Even a risk software tool developed for, say, a chemistry lab can in many cases still be used for other activities that may have nothing to do with chemistry because the basic formula still applies. By laying it all out in an easily understandable and readable format the individual is able to see every aspect of the risk management to determine possible causes and therefore fix them before they become a problem. By following this process you can also narrow down causes of risk if something is continuously becoming a problem and can then be traced back to one particular area to be managed. This could be anything from a failure in data and other software to an employee or particular group. Action can then be taken to fix the problem and manage the risk. Risk management tools may also use graphs and other visual media to display risk management in one quick glance so you can see where the biggest risk may be and therefore be able to manage the risk before it becomes a major problem.

    Risk Management Software Tools - Practicality

    Risk management software tools are available online to help in maintaining a practical business model, particularly where it applies to economics and business. First one must identify the possible risks, then determine how detrimental each risk may be to the business or activity, and then determine what actions must be taken to avoid that risk. Software provides a valuable method of filtering through this process efficiently and effectively while being able to maintain and see at a glance the risks and therefore be able to nip them in the bud and keep everything running smoothly. In business, if figures don't come in properly, it can then be determined why. The uses and practicality of risk management software tools are invaluable and can be applied to basically any activity to maintain and manage risk and allow things to run more smoothly.

    Software Risk Management

    The hierarchy of Software Risk Management (SRM) methodologies discussed in this paper addresses two classes of functions: software acquisition and software development. The basic methodological framework with which functions are managed is composed of the Software Acquisition-Capability Maturity Model (SA-CMM℠) and the Software Capability Maturity Model (SW-CMM℠) and their supporting practices and constructs. This framework for software risk management is supported by three groups of practices:

    1. Software Risk Evaluation (SRE)

    2. Continuous Risk Management (CRM)

    3. Team Risk Management (TRM)

    These practices are based on three basic constructs for software risk management developed at the Software Engineering Institute (SEI): Risk Management Paradigm, Risk Taxonomy, Risk Clinic, and Risk Management Guidebooks. The three constructs and three practices will be discussed in subsequent sections.

    The complexity of software risk management cannot be understood nor appropriately addressed from the above methodological context alone. To capture the multifarious aspects of this complexity, we make use of hierarchical holographic modeling, where we consider two additional visions or dimensions: the temporal and human dimensions. Thus the three dimensions adopted in this paper to represent the holistic vision of software risk management are the temporal dimension, the methodological dimension, and the human dimension.

    The temporal dimension is decomposed into two sub-visions:

    1. Macro vision represents the global perspective of the acquisition life cycle.

    2. Micro vision represents the view of the project manager.

    The methodological dimension has already been introduced.

    The human dimension addresses the intellectual dimension of software acquisition, the most critical dimension, since software development is such an intellectual activity. Four aspects are identified here:

    1. Individual

    2. Team

    3. Management

    4. Stakeholder (including customer and client)

    The last section shares the experience gained through the deployment of the above methodologies by SEI teams.

    Ample literature exists on the process of risk assessment and management. The majority of this literature, however, is devoted to theories and methodologies that have not been subjected to the ultimate test of practice. This paper presents comprehensive theories and processes developed at the SEI at Carnegie Mellon University that have been successfully deployed.

    The goal of SEI Risk Program is to enable engineers, managers, and other decision makers to identify, sufficiently early, the risks associated with software acquisition, development, integration, and deployment so that appropriate management and mitigation strategies can be developed on a timely basis. Time is critical and the goal is to act early before a source of risk evolves into a major crisis.

    In other words, being mainly reactive in risk mitigation and control rather than proactive in risk prevention and control is at the heart of good risk management.

    Furthermore, should the system fail regardless of all risk management efforts, then ensuring the safe failure (e.g., safe shutdown) of the system must be the mandate of the software risk manager.

    Clearly, the secret to effective risk management is the trade-off of mitigation cost against the potential adverse effects of avoided risk. In this context, the value of the methodologies and tools for software risk management is to buy smarter, manage more effectively and identify opportunities for continuous improvement, use available information and databases more efficiently, improve industry and raise the community's playing field, and review and evaluate the progress made on risk management.

    It is important to note that the developed software risk methodologies have three fundamentally different, albeit complementary, objectives:

    1. Risk prevention

    2. Risk mitigation and correction

    3. Ensuring safe system failure

    The following seven risk management principles are instrumental in the quest to achieve these three objectives:

    Shared product vision: sharing product vision based upon common purpose, shared ownership, and collective commitment; focusing on results.

    Teamwork: working cooperatively to achieve a common goal; pooling talent, skills, and knowledge.

    Global perspective: viewing software development within the context of the larger system-level definition, design, and development; recognizing both the potential value of opportunity and the potential impact of adverse effects, such as cost overrun, time delay, or failure to meet product specifications.

    Forward-looking view: thinking toward tomorrow, identifying uncertainties, anticipating potential outcomes; managing project resources and activities while anticipating uncertainties.

    Open communication: encouraging the free flow of information between all project levels; enabling formal, informal, and impromptu communication; using consensus-based process that values the individual voice (bringing unique knowledge and insight to identifying and managing risk).

    Integrated management: making risk management an integral and vital part of project management; adapting risk management methods and tools to a project's infrastructure and culture.

    Continuous process: maintaining constant vigilance; identifying and managing risks routinely throughout all phases of the project's life cycle.

    CMU/SEI-96-TR-012

    Risk is commonly defined as a measure of the probability and severity of adverse effects. Software technical risk can be defined as a measure of the probability and severity of adverse effects

    A Holistic Vision of Software Risk Management

    The complex process of software acquisition encompasses most, if not all, aspects associated with software risk management. Thus, it seems natural to focus on the entire life cycle of the software acquisition process in developing a holistic vision of risk management. Indeed, risk management of software engineering cannot be restricted to any subset or a single phase of the life cycle of software development. The following objectives of the overall methodological framework for software risk management apply to software-intensive systems:

    1. Improve the process of software acquisition in organizations.

    2. Improve software risk management methodology, technology, and practice in the acquisition process.

    3. Improve the access to, acquisition, repository, use, and integration of information and data for software acquisition in industry and government.

    4. In general, institutionalize risk management and decision support within the software acquisition community and make it an integral part of the community's practice.

    Temporal Dimension

    It is plausible to assert that the genesis of a formal acquisition process can be traced to the Statement of Needs and Requirements. In terms of risk management, the seeds of critical sources of risk are often sown at this seemingly benign stage. An example from urban development demonstrates this point. A mayor and the city council identify a need for a new housing development. Given the high cost of land due to its scarcity, the requirements for meeting these needs evolve into the construction of high rise apartments.

    At this stage, the risks that the new project might become a major slum and a magnet for crime and drug distribution are not considered.

    The goal of risk management is the prevention of such risks. The importance of the Needs and Requirements stage places this stage at the foundation of the holistic vision of software risk management depicted in Figure 2, which follows the introduction of all components of the hierarchical holographic model for software risk management.

    The total acquisition life cycle is presented in two separate yet overlapping visions. The micro vision primarily represents the view of the project manager. The macro vision represents the more global and broader perspective of the acquisition life cycle. It is worth noting that within each stage of the temporal domain, the human dimension (individual, team, manager, or stakeholder) has a different and unique role to play.

    Micro vision

    1. Specification

    2. Solicitation (including request for proposal and contractor selection)

    3. Design and development (including architecture)

    4. Systems integration (including deployment and maintenance)

    Macro vision

    1. Conceptual design

    2. Demonstration/validation

    3. Engineering, manufacturing, development, and production

    4. Maintenance and major upgrade (including termination)

    Team Risk Management (TRM)

    TRM extends risk management with team-oriented activities involving the customer and supplier (e.g., government and contractor), where both customer and supplier apply the methodologies together.

    TRM establishes an environment built on a set of processes, methods, and tools that enables the customer and supplier to work cooperatively, continuously managing risks throughout the life cycle of a software-dependent development program.

    It is built on a foundation of the seven principles of risk management discussed in the preface of this paper, and on the philosophy of cooperative teams.

    Guided by the seven principles, TRM further extends the SEI Risk Management paradigm by adding two functions: initiate and team. Each risk goes through these functions sequentially, but the activity occurs continuously, concurrently, and iteratively throughout the project life cycle (e.g., planning for one risk may identify another).

    The TRM Guidebook provides an effective instrument with which to familiarize the reader with the concepts, functions, processes, methods, and products of TRM.

    The guidebook accomplishes this through a description of the overall methodology, a road map for applying it within a project, and detailed descriptions of the processes and methods used to implement the functions of TRM. Figure 3 depicts the extension of the SEI Risk Management Paradigm by incorporating the TRM functions (initiate and team).

    Project Management: Risk Management

    In many projects, risks are identified and analyzed in a random, brainstorming fashion. This is often fatal to the success of the project, as unexpected risks arise, which have not been assessed or planned for and have to be dealt with on an emergency basis, rather than be prepared for and defended against in a planned, measured manner.

    10 Golden Rules of Project Risk Management:

    Rule 1: Make Risk Management Part of Your Project.

    Rule 2: Identify Risks Early in Your Project.

    Rule 3: Communicate About Risks.

    Rule 4: Consider Both Threats and Opportunities.

    Rule 5: Clarify Ownership Issues.

    Rule 6: Prioritize Risks.

    Rule 7: Analyze Risks.

    Rule 8: Plan and Implement Risk Responses.

    Rule 9: Register Project Risks.

    Rule 10: Track Risks and Associated Tasks.

    Risk Management Analysis:

    What is Risk Analysis?

    Risk analysis helps you identify and manage factors that could undermine the success of key business objectives or projects.

    Risk is made up of two things: the likelihood of something going wrong, and the negative consequences that will happen if it does.

    You carry out a risk analysis by first identifying the possible threats that you face, and by then assessing the likelihood of these threats occurring.

    Risk analysis can be as simple or as involved as you want, and it's useful in a variety of situations. However, if you want to do an in-depth analysis, you'll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, or other relevant reports.

    Risk management analysis is very helpful in examining the risks and following a well planned process to hedge the risk. At the same time, the effectiveness of the process and the financial factors related to the process are also discussed through this analysis.

    The business sector always faces some kind of risk. The risk management initiatives are becoming all the more important with the growing competition in the global market. In the highly competitive global market there is hardly any scope to afford any kind of loss. As a result of this, the concept of risk management has gained considerable importance over the passage of time.

    The risk management analysis is very important for proper application of the risk management policies. This analysis is necessary because the demand of the market and the trends are changing constantly and only proper analysis of risks can help the businesses to achieve the set targets.

    There are a number of risks that can be handled through the risk management analysis. Different factors are related to the process of risk management analysis. These are the following:

    Discovering the Risk: The first step of risk management analysis is to mark the areas where risk factors are related and causing major threats to the businesses or the organizations. These risks are of different types like financial risk, political risk, technical risk, risk related to the operations or reputation of the business and many more. People related to the business may provide some kinds of threats.

    Estimating the Risk Factor: It is the second step of risk management analysis and starts after the identification of the risk factors. In this step, the possible losses and their impacts on the business are decided. At the same time, necessary finances for the prevention or recovery process are also decided.

    Managing the Risk Factor: After the impacts of the risk are decided, the company can look for the proper ways of managing these risks. Once the strategies are set, the process starts working. One of the most important factors is to select such a strategy that can be economical and can provide effective services to the business. Risk management can be done through different processes. The existing assets of the particular company can be used or new resources can be developed for the purpose. It can be done through contingency planning or through business continuity planning.

    Regular Monitoring of the Applied Strategy: This is very necessary for the success of the risk management strategy because if the strategy does not work properly, it can be detected through the monitoring process and a new strategy can be applied.

    When to Use Risk Analysis?

    Risk analysis is useful in many situations, for example, when you're:

    Planning projects, to help you anticipate and neutralize problems, or assess, say, the impact of going over budget.

    Deciding whether or not to move forward with a project.

    Improving safety and managing potential risks in the workplace.

    Preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.

    Planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.

    How to Use Risk Analysis:

    To carry out a risk analysis, follow these steps:

    1. Identify Threats

    The first step in risk analysis is to identify the existing and possible threats that you might face. These can come from many different areas. For instance:

    Human - From illness, death, injury, or other loss of a key individual.

    Operational - From disruption to supplies and operations, loss of access to essential assets, or failures in distribution.

    Reputational - From loss of customer or employee confidence, or damage to reputation in the market.

    Procedural - From failures of accountability, internal systems and controls; or from fraud.

    Project - From going over budget, taking too long on key tasks, or experiencing issues with product or service quality.

    Financial - From business failure, stock market fluctuations, interest rate changes, or non-availability of funding.

    Technical - From advances in technology, or from technical failure.

    Natural - From weather, natural disasters, or disease.

    Political - From changes in tax, public opinion, government policy, or foreign influence.

    Structural - From dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

    Example - IT Reorganization Project

    Background

    Contoso, Inc. has initiated a project to reorganize its IT departments. Contoso's primary infrastructure is shifting to a distributed environment from a centralized one.

    Risk Identification

    Using sound risk management practices, Contoso conducted various risk identification discussions to come up with a master risks list. Two of those risks are listed in the following table.

    Table: Contoso IT Reorganization Risk ID 0001

    Risk ID: 0001
    Project ID: ITREORG010
    Root Cause: Process
    Business Effect: Cost, Performance
    Risk: Present service desk process inefficiencies could lead to increased cost to support current IT services.
    Situation: Field office support is not a coordinated effort with centralized help desk functions. Often field support professionals respond to and resolve incidents without those incidents being recorded and a knowledge base being populated.
    Consequence: Without a comprehensive, shared knowledge base of incidents, problems, and resolutions, redundant incident-management and problem-management activity will be performed throughout the support organization.
    Downstream Effect: Extended service outages as well as inadequate communications regarding status of resolutions will further alienate the customer from IT. This will enforce the view of IT as not being aligned with the needs of the business. The perceived value of the services provided by IT will be diminished.

    Table: Contoso IT Reorganization Risk ID 0002

    Risk ID: 0002
    Project ID: ITREORG010
    Root Cause: People, Process
    Business Effect: Cost, Performance
    Risk: Changes implemented by one IT group could negatively affect systems and services delivered by other IT groups.
    Situation: Although change management exists within some groups, a common formal change-management process does not exist across all IT groups. Additionally, some changes, when reviewed during the weekly status meeting, have not been properly assessed for impact to all groups.
    Consequence: Lack of commitment to a standard set of operational processes will lead to business units that fail to trust each other. Frustration between IT groups will occur as systems under the responsibility of one group will be affected by others.
    Downstream Effect: Service disruptions caused by failed changes will interrupt business functions. Additionally, failure to communicate planned downtime of mission-critical services to users and the help desk will result in reduced trust in IT. This will force the business to question the value of the current IT operations and to consider outsourcing IT functions.

    Risk Prioritization

    Once these risks were identified, the project team then focused on risk

    prioritization.

    Table: Contoso Prioritization of Risk ID 0001

    Project ID: ITREORG010

    Risk ID: 0001

    Root Cause: Process

    Business Effect: Cost, Performance

    Probability: 70%

    Impact (1-5): 5

    Exposure: 3.5

    Exposure Analysis: Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.


    Table: Contoso Prioritization of Risk ID 0002

    Project ID: ITREORG010

    Risk ID: 0002

    Root Cause: Process

    Business Effect: Cost, Performance

    Probability: 65%

    Impact (1-5): 5

    Exposure: 3.25

    Exposure Analysis: Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.

    Risk Planning and Tracking

    Risks ID 0001 and ID 0002 were identified as the top risks for the project. They were the only two risks with an exposure of 3.0 or greater. The project team then went

    through an exercise to devise mitigations, triggers, and contingencies as part of the

    risk planning and tracking step. Project team members were assigned responsibilities

    to continually monitor their risks for potential changes and action items.

    Table: Contoso Tracking of Risk ID 0001

    Project ID: ITREORG010

    Risk ID: 0001

    Root Cause: Process

    Business Effect: Cost, Performance

    Mitigation: Implement Microsoft Operations Framework (MOF) incident and problem management processes. Coordinate second-line and third-line support groups.

    Triggers: Continual incident resolution. Repeated problems occur. Uncoordinated and recurring changes. Poor average time to resolution.

    Contingencies: Allocation of excessive resources to accommodate resolution of reactive issues. Fund the costs of increased support activities and staff.


    Table: Contoso Tracking of Risk ID 0002

    Project ID: ITREORG010

    Risk ID: 0002

    Root Cause: Process

    Business Effect: Cost, Performance

    Mitigation: A standard formalized and communicated MOF-based change management process will be implemented across all IT groups.

    Triggers: Information gathered during project status meetings and operations management reviews (OMRs) regarding process and service outages indicate that this risk is currently being actualized at some level.

    Contingencies: Assign additional resources to reactive problem management. Communication to customers and end-users in a prompt, descriptive and meaningful manner can reduce the negative effect on customer satisfaction.

    These two risks became the top risks list for the Contoso IT reorganization project.

    These risks were discussed at each OMR and various project status meetings. The

    purpose of this discussion was to review the progress of mitigation steps, to

    determine whether triggers were being fulfilled in the environment, and to ensure

    that the probability and impact levels were still properly set. This discussion was vital

    to the project to determine if contingencies identified in the master risks list needed to be acted upon to avoid service disruptions where possible.

    Risk Exposure Analysis

    As the project progressed, various mitigation activities around MOF-based change

    management processes and incident and problem management processes began to

    reduce the probability of these risks occurring. The project team then modified the

    probability, which in turn also reduced the exposure of the risks as noted in the

    following table.

    Table: Contoso Exposure Analysis of Risk ID 0001

    Project ID: ITREORG010

    Risk ID: 0001

    Root Cause: Process

    Business Effect: Cost, Performance

    Modified Probability: 40%

    Impact (1-5): 5

    Modified Exposure: 2

    Modified Exposure Analysis: Probability has decreased due to the implementation of MOF-based incident and problem management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.

    Table: Contoso Exposure Analysis of Risk ID 0002

    Project ID: ITREORG010

    Risk ID: 0002

    Root Cause: Process

    Business Effect: Cost, Performance

    Modified Probability: 35%

    Impact (1-5): 5

    Modified Exposure: 1.75

    Modified Exposure Analysis: Probability has decreased due to the implementation of MOF-based change management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.
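
    The scoring used across the Contoso tables, as an added example that is not part of the original document. It assumes exposure is probability multiplied by impact, which matches the table values (70% x 5 = 3.5); the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

TOP_RISK_THRESHOLD = 3.0  # the case study's cut-off for the top risks list


@dataclass
class Risk:
    risk_id: str
    project_id: str
    impact: int            # 1-5 scale, as in the tables
    probability_pct: int   # current probability, in percent
    history: list = field(default_factory=list)  # earlier (probability, reason) pairs

    def __post_init__(self):
        if not 1 <= self.impact <= 5:
            raise ValueError("impact must be on the 1-5 scale")

    @property
    def exposure(self) -> float:
        # Assumed formula: probability x impact (integer percent avoids float drift).
        return self.probability_pct * self.impact / 100

    @property
    def original_exposure(self) -> float:
        # Exposure at first assessment, kept for historical purposes.
        first_pct = self.history[0][0] if self.history else self.probability_pct
        return first_pct * self.impact / 100

    def revise_probability(self, new_pct: int, reason: str) -> None:
        """Record a re-assessment; the earlier value is archived, not overwritten."""
        if not 0 <= new_pct <= 100:
            raise ValueError("probability must be between 0 and 100 percent")
        self.history.append((self.probability_pct, reason))
        self.probability_pct = new_pct


def top_risks(register, threshold=TOP_RISK_THRESHOLD):
    """Risks at or above the threshold, highest exposure first."""
    ranked = sorted(register, key=lambda r: r.exposure, reverse=True)
    return [r for r in ranked if r.exposure >= threshold]


def build_register():
    # Values taken from the Contoso prioritization tables.
    return [Risk("0001", "ITREORG010", impact=5, probability_pct=70),
            Risk("0002", "ITREORG010", impact=5, probability_pct=65)]


if __name__ == "__main__":
    register = build_register()
    print([(r.risk_id, r.exposure) for r in top_risks(register)])
    register[0].revise_probability(40, "MOF incident and problem management in place")
    register[1].revise_probability(35, "MOF change management in place")
    print([(r.risk_id, r.exposure, r.original_exposure) for r in register])
```

    After the two revisions neither risk meets the 3.0 threshold, while the original probabilities remain available in each risk's history.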

