7/31/2019 Risk ManagementF
MEU
Risk management
Oday Manhal Hadadden
What is risk management?
Risk Management Strategy
Risk is defined as being the threat that an event or action will adversely affect an organization's ability to achieve its objectives and to successfully execute its strategies. Risk Management is defined as the process by which risks are identified, evaluated and controlled.
The Council recognizes it has a responsibility to manage both internal and external risks as a key component of good corporate governance and is committed to embedding risk management into the daily operations of the Council from the setting of objectives, to service and financial planning through to departmental processes. It believes that effective risk management will help the Council achieve its corporate objectives and provide better services.
Risk management ensures that an organization identifies and understands the risks to which it is exposed. Risk management also guarantees that the organization creates and implements an effective plan to prevent losses or reduce the impact if a loss occurs.
A risk management plan includes strategies and techniques for recognizing and confronting these threats. Good risk management doesn't have to be expensive or time consuming; it may be as uncomplicated as answering these three questions:
1. What can go wrong?
2. What will we do, both to prevent the harm from occurring and in response to the harm or loss?
3. If something happens, how will we pay for it?
It is also a systematic process for the identification and evaluation of loss exposures faced by an organization or individual and for the selection and administration of the most appropriate techniques for treating such exposures, including:
Avoidance
Retention
Loss prevention
Loss reduction
Transfer contractually
Transfer through insurance
Risk management provides a clear and structured approach to identifying risks. Having a clear understanding of all risks allows an organization to measure and prioritize them and take the appropriate actions to reduce losses. Risk management has other benefits for an organization, including:
Saving resources: Time, assets, income, property and people are all valuable resources that can be saved if fewer claims occur.
Protecting the reputation and public image of the organization.
Preventing or reducing legal liability and increasing the stability of operations.
Protecting people from harm.
Protecting the environment.
Enhancing the ability to prepare for various circumstances.
Reducing liabilities.
Assisting in clearly defining insurance needs.
An effective risk management practice does not eliminate risks. However, having an effective and operational risk management practice shows an insurer that your organization is committed to loss reduction or prevention. It makes your organization a better risk to insure.
Risk Management aims to facilitate the exchange of information and expertise across countries and across disciplines. Its purpose is to generate ideas and promote good practice for those involved in the business of managing risk. All too often assessments of risk are crudely made and the consequences of getting things wrong can be serious, including lost opportunities, loss of business, loss of reputation and even life. This journal examines both the problems and potential solutions.
Role of insurance in risk management
Insurance is a valuable risk-financing tool. Few organizations have the reserves or funds necessary to take on the risk themselves and pay the total costs following a loss. Purchasing insurance, however, is not risk management. A thorough and thoughtful risk management plan is the commitment to prevent harm. Risk management also addresses many risks that are not insurable, including brand integrity, potential loss of tax-exempt status for volunteer groups, public goodwill and continuing donor support.
Why manage your risk?
An organization should have a risk management strategy because:
People are now more likely to sue. Taking the steps to reduce injuries could help in defending against a claim.
Courts are often sympathetic to injured claimants and give them the benefit of the doubt.
Organizations and individuals are held to very high standards of care.
People are more aware of the level of service to expect, and the recourse they can take if they have been wronged.
Organizations are being held liable for the actions of their employees/volunteers.
Organizations are perceived as having a lot of assets and/or high insurance policy limits.
The Benefits of Risk Management:
Risk management is a process which provides assurance that:
Objectives are more likely to be achieved;
Damaging things will not happen or are less likely to happen;
Beneficial things will be or are more likely to be achieved.
It is not a process for avoiding risk. The aim of risk management is not to eliminate risk, rather to manage the risks involved in all University activities to maximize opportunities and minimize adverse effects.
Note: risk management is not the management of insurable risks.
Insurance is an important way of transferring risk but most risks
will be managed by other means.
Good risk management provides upward assurance from business
activities and administrative functions, from department to
faculties, to the senior management team and ultimately to the
governing body.
The potential benefits from risk management are:
Supporting strategic and business planning;
Supporting effective use of resources;
Promoting continuous improvement;
Fewer shocks and unwelcome surprises;
Quick grasp of new opportunities;
Enhancing communication between Schools and Departments;
Reassuring stakeholders;
Helping focus internal audit programme.
Risk Management Tools Assessment:
Risk management tools provide a way to assess risk and therefore manage ways to avoid these risks. They essentially provide a "what if?" sort of theme by applying the inherent possible risks in any given activity and then determining the best ways to avoid those risks and/or what actions can be taken if these risks do occur. Risk management tools usually take the form of software that captures these probable risks and outcomes and then determines what needs to be done to avoid those risks. These tools are very helpful for any activity and in particular for businesses, as they can save them quite a bit of money by managing possible risks and outcomes to prevent them from ever occurring in the first place. In essence, by understanding the possible risks they can manage ways to avoid them. For example: If the business does not complete a contract by a certain date they lose so much money, and so they plot out ways to avoid this by making sure all aspects dealing with the contract, from employees to computer data, are completing their functions to avoid this. That is just a tiny example and risk management tools go far beyond this simple function.
Risk Management Tools Avoiding Risk
Risk management tools in business use a similar method by
creating mathematical and statistical data to determine risk. Once
the risk assessment is complete they can then manage every
possible action that may cause the risk and then determine in which
ways they can avoid it. This is useful not only in managing
employees but also in managing products and all activities
associated with your particular business. There are many software
applications available to fully utilize the application of risk
management tools available and help keep your business running
smoothly or for whatever particular activity you may be involved in
that can benefit.
Risk Management Software Tools
Multiple Applications
Risk management software tools provide a template with which to
assess risk and then use the software to manage possible risk. This
can be applied to many different activities including business which
uses the software to save money by being prepared for possible
risks and understanding what causes it. This allows them to avoid
that risk and therefore not lose money in the case of business. This
can also be used for many different activities and is useful where
there is an inherent risk in the activity, for instance in high rise
construction work, laboratories, and others where there may be a
high risk of danger. Even NASA uses risk management software tools to
prevent possible risks and keep a safe work environment. Risk can
also involve the loss of money for business practices. For this
purpose you can assess what possible risks may take place
with risk management software tools that will cause this loss of
money and act accordingly to properly manage it and prevent it
from happening again.
Risk Management Software Tools Economics and Beyond
There have been many risk management software
tools developed by major universities for any number of
applications. Even a risk software tool developed for, say a
chemistry lab, can in many cases still be used for other activities
that may have nothing to do with chemistry because the basic
formula still applies. By laying it all out in an easily understandable
and readable format the individual is able to see every aspect of the risk management to determine possible causes and therefore fix them before they become a problem. By following this process you can also narrow down causes of risk if something is continuously becoming a problem and can then be traced back to one particular area to be managed. This could be anything from a failure in data and other software to an employee or particular group. Action can then be taken to fix the problem and manage the risk. Risk management tools may also use graphs and other visual media to display risk management in one quick glance so you can see where the biggest risk may be and therefore be able to manage the risk before it becomes a major problem.
Risk Management Software Tools Practicality
Risk management software tools are available online to help in maintaining a practical business model, particularly where it applies to economics and business. First one must identify the possible risks, then determine how detrimental this risk may be to the business or activity, and then determine what actions must be taken to avoid that risk. Software provides a valuable method of filtering through this process efficiently and effectively while being able to maintain and see at a glance the risks and therefore be able to nip them in the bud and keep everything running smoothly. In business, if figures don't come in properly it can then be determined why. The uses and practicality of risk management software tools are invaluable and can be applied to basically any activity to maintain and manage risk and allow things to run more smoothly.
Software Risk Management
The hierarchy of Software Risk Management (SRM) methodologies discussed in this paper addresses two classes of functions: software acquisition and software development. The basic methodological framework with which functions are managed is composed of the Software Acquisition-Capability Maturity Model (SA-CMM℠) and the Software Capability Maturity Model (SW-CMM℠) and their supporting practices and constructs. This framework for software risk management is supported by three groups of practices:
1. Software Risk Evaluation (SRE)
2. Continuous Risk Management (CRM)
3. Team Risk Management (TRM)
These practices are based on three basic constructs for software risk management developed at the Software Engineering Institute (SEI): Risk Management Paradigm, Risk Taxonomy, Risk Clinic, and Risk Management Guidebooks. The three constructs and three practices will be discussed in subsequent sections.
The complexity of software risk management cannot be understood nor appropriately addressed from the above methodological context alone. To capture the multifarious aspects of this complexity, we make use of hierarchical holographic modeling, where we consider two additional visions or dimensions: the temporal and human dimensions. Thus the three dimensions adopted in this paper to represent the holistic vision of software risk management are
the temporal dimension,
the methodological dimension,
and the human dimension.
The temporal dimension is decomposed into two sub-visions:
1. Macro vision represents the global perspective of the acquisition life cycle.
2. Micro vision represents the view of the project manager.
The methodological dimension has already been introduced.
The human dimension addresses the intellectual dimension of software acquisition, the most critical dimension, since software development is such an intellectual activity. Four aspects are identified here:
1. Individual
2. Team
3. Management
4. Stakeholder (including customer and client)
The last section shares the experience gained through the deployment of the above methodologies by SEI teams.
Ample literature exists on the process of risk assessment and management. The majority of this literature, however, is devoted to theories and methodologies that have not been subjected to the ultimate test of practice. This paper presents comprehensive theories and processes developed at the SEI at Carnegie Mellon University that have been successfully deployed.
The goal of SEI Risk Program is to enable engineers, managers, and other decision makers to identify, sufficiently early, the risks associated with software acquisition, development, integration, and deployment so that appropriate management and mitigation strategies can be developed on a timely basis. Time is critical and the goal is to act early before a source of risk evolves into a major crisis.
In other words, being mainly reactive in risk mitigation and control rather than proactive in risk prevention and control is at the heart of good risk management.
Furthermore, should the system fail regardless of all risk management efforts, then ensuring the safe failure (e.g., safe shutdown) of the system must be the mandate of the software risk manager.
Clearly, the secret to effective risk management is the trade-off of mitigation cost against the potential adverse effects of avoided risk. In this context, the value of the methodologies and tools for software risk management is to buy smarter, manage more effectively and identify opportunities for continuous improvement, use available information and databases more efficiently, improve industry and raise the community's playing field, and review and evaluate the progress made on risk management.
It is important to note that the developed software risk methodologies have three fundamentally different, albeit complementary, objectives:
1. Risk prevention
2. Risk mitigation and correction
3. Ensuring safe system failure
The following seven risk management principles are instrumental in the quest to achieve these three objectives:
Shared product vision
  sharing product vision based upon common purpose, shared ownership, and collective commitment
  focusing on results
Teamwork
  working cooperatively to achieve a common goal
  pooling talent, skills, and knowledge
Global perspective
  viewing software development within the context of the larger system-level definition, design, and development
  recognizing both the potential value of opportunity and the potential impact of adverse effects, such as cost overrun, time delay, or failure to meet product specifications
Forward-looking view
  thinking toward tomorrow, identifying uncertainties, anticipating potential outcomes
  managing project resources and activities while anticipating uncertainties
Open communication
  encouraging the free flow of information between all project levels
  enabling formal, informal, and impromptu communication
  using consensus-based process that values the individual voice (bringing unique knowledge and insight to identifying and managing risk)
Integrated management
  making risk management an integral and vital part of project management
  adapting risk management methods and tools to a project's infrastructure and culture
Continuous process
  maintaining constant vigilance
  identifying and managing risks routinely throughout all phases of the project's life cycle
(CMU/SEI-96-TR-012)
Risk is commonly defined as a measure of the probability and severity of adverse effects. Software technical risk can be defined as a measure of the probability and severity of adverse effects
A Holistic Vision of Software Risk Management
The complex process of software acquisition encompasses most, if not all, aspects associated with software risk management. Thus, it seems natural to focus on the entire life cycle of the software acquisition process in developing a holistic vision of risk management. Indeed, risk management of software engineering cannot be restricted to any subset or a single phase of the life cycle of software development. The following objectives of the overall methodological framework for software risk management apply to software-intensive systems:
1. Improve the process of software acquisition in organizations.
2. Improve software risk management methodology, technology, and practice in the acquisition process.
3. Improve the access to, acquisition, repository, use, and integration of information and data for software acquisition in industry and government.
4. In general, institutionalize risk management and decision support within the software acquisition community and make it an integral part of the community's practice.
Temporal Dimension
It is plausible to assert that the genesis of a formal acquisition process
can be traced to the Statement of Needs and Requirements. In terms of
risk management, the seeds of critical sources of risk are often sown at
this seemingly benign stage. An example from urban development
demonstrates this point. A mayor and the city council identify a need for a
new housing development. Given the high cost of land due to its scarcity,
the requirements for meeting these needs evolve into the construction of
high rise apartments.
At this stage, the risks that the new project might become a major slum
and a magnet for crime and drug distribution are not considered.
The goal of risk management is the prevention of such risks. The importance of the Needs and Requirements stage places this stage at the foundation of the holistic vision of software risk management depicted in Figure 2, which follows the introduction of all components of the hierarchical holographic model for software risk management.
The total acquisition life cycle is presented in two separate yet overlapping visions. The micro vision primarily represents the view of the project manager.
The macro vision represents the more global and broader perspective of the acquisition life cycle. It is worth noting that within each stage of the temporal domain, the human dimension (individual, team, manager, or stakeholder) has a different and unique role to play.
Micro vision
1. Specification
2. Solicitation (including request for proposal and contractor selection)
3. Design and development (including architecture)
4. Systems integration (including deployment and maintenance)
Macro vision
1. Conceptual design
2. Demonstration/validation
3. Engineering, manufacturing, development, and production
4. Maintenance and major upgrade (including termination)
Team Risk Management (TRM)
TRM extends risk management with team-oriented activities involving the customer and supplier (e.g., government and contractor), where both customer and supplier apply the methodologies together.
TRM establishes an environment built on a set of processes, methods, and tools that enables the customer and supplier to work cooperatively, continuously managing risks throughout the life cycle of a software-dependent development program.
It is built on a foundation of the seven principles of risk management discussed in the preface of this paper, and on the philosophy of cooperative teams.
Guided by the seven principles, TRM further extends the SEI Risk Management paradigm by adding two functions: initiate and team. Each risk goes through these functions sequentially, but the activity occurs continuously, concurrently, and iteratively throughout the project life cycle (e.g., planning for one risk may identify another).
The TRM Guidebook provides an effective instrument with which to familiarize the reader with the concepts, functions, processes, methods, and products of TRM.
The guidebook accomplishes this through a description of the overall methodology, a road map for applying it within a project, and detailed descriptions of the processes and methods used to implement the functions of TRM. Figure 3 depicts the extension of the SEI Risk Management Paradigm by incorporating the TRM functions (initiate and team).
Project Management: Risk Management
In many projects, risks are identified and analyzed in a random,
brainstorming, fashion. This is often fatal to the success of the project, as
unexpected risks arise, which have not been assessed or planned for and
have to be dealt with on an emergency basis, rather than be prepared for
and defended against in a planned, measured, manner.
10 Golden Rules of Project Risk Management:
Rule 1: Make Risk Management Part of Your Project.
Rule 2: Identify Risks Early in Your Project.
Rule 3: Communicate About Risks.
Rule 4: Consider Both Threats and Opportunities.
Rule 5: Clarify Ownership Issues.
Rule 6: Prioritize Risks.
Rule 7: Analyze Risks.
Rule 8: Plan and Implement Risk Responses.
Rule 9: Register Project Risks.
Rule 10: Track Risks and Associated Tasks.
Risk Management Analysis:
What is Risk Analysis?
Risk analysis helps you identify and manage factors that could
undermine the success of key business objectives or projects.
Risk is made up of two things: the likelihood of something going
wrong, and the negative consequences that will happen if it does.
You carry out a risk analysis by first identifying the possible threats
that you face, and by then assessing the likelihood of these threats
occurring.
Risk analysis can be as simple or as involved as you want, and it's
useful in a variety of situations. However, if you want to do an in-
depth analysis, you'll need to draw on detailed information such as
project plans, financial data, security protocols, marketing
forecasts, or other relevant reports.
Risk management analysis is very helpful in examining the risks and following a well planned process to hedge the risk. At the same time, the effectiveness of the process and the financial factors related to the process are also discussed through this analysis.
The business sector always faces some kind of risk. The risk management initiatives are becoming all the more important with the growing competition in the global market. In the highly competitive global market there is hardly any scope to afford any kind of loss. As a result of this, the concept of risk management has gained considerable importance over the passage of time.
The risk management analysis is very important for proper application of the risk management policies. This analysis is necessary because the demand of the market and the trends are changing constantly and only proper analysis of risks can help the businesses to achieve the set targets.
There are a number of risks that can be handled through the risk management analysis. Different factors are related to the process of risk management analysis. These are the following:
Discovering the Risk: The first step of risk management analysis is to mark the areas where risk factors are related and causing major threats to the businesses or the organizations. These risks are of different types like financial risk, political risk, technical risk, risk related to the operations or reputation of the business and many more. People related to the business may provide some kinds of threats.
Estimating the Risk Factor: It is the second step of risk management analysis and starts after the identification of the risk factors. In this step, the possible losses and their impacts on the business are decided. At the same time, necessary finances for the prevention or recovery process are also decided.
Managing the Risk Factor: After the impacts of the risk are decided, the company can look for the proper ways of managing these risks. Once the strategies are set, the process starts working. One of the most important factors is to select such a strategy that can be economical and can provide effective services to the business. Risk management can be done through different processes. The existing assets of the particular company can be used or new resources can be developed for the purpose. It can be done through contingency planning or through business continuity planning.
Regular Monitoring of the Applied Strategy: This is very necessary for the success of the risk management strategy because if the strategy does not work properly, it can be detected through the monitoring process and a new strategy can be applied.
When to Use Risk Analysis?
Risk analysis is useful in many situations, for example, when you're:
Planning projects, to help you anticipate and neutralize
problems, or assess, say, the impact of going over budget.
Deciding whether or not to move forward with a project.
Improving safety and managing potential risks in the
workplace.
Preparing for events such as equipment or technology failure,
theft, staff sickness, or natural disasters.
Planning for changes in your environment, such as new
competitors coming into the market, or changes to
government policy.
How to Use Risk Analysis:
To carry out a risk analysis, follow these steps:
1. Identify Threats
The first step in risk analysis is to identify the existing and possible
threats that you might face. These can come from many different
areas. For instance:
Human: From illness, death, injury, or other loss of a key individual.
Operational: From disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
Reputational: From loss of customer or employee confidence, or damage to reputation in the market.
Procedural: From failures of accountability, internal systems and controls; or from fraud.
Project: From going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
Financial: From business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
Technical: From advances in technology, or from technical failure.
Natural: From weather, natural disasters, or disease.
Political: From changes in tax, public opinion, government policy, or foreign influence.
Structural: From dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.
Example - IT Reorganization Project
Background
Contoso, Inc. has initiated a project to reorganize its IT departments. Contoso's primary infrastructure is shifting to a
distributed environment from a centralized one.
Risk Identification
Using sound risk management practices, Contoso conducted various
risk identification discussions to come up with a master risks list.
Two of those risks are listed in the following table.
Table: Contoso IT Reorganization Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Risk: Present service desk process inefficiencies could lead to increased cost to support current IT services.
Situation: Field office support is not a coordinated effort with centralized help desk functions. Often field support professionals respond to and resolve incidents without those incidents being recorded and a knowledge base being populated.
Consequence: Without a comprehensive, shared knowledge base of incidents, problems, and resolutions, redundant incident management and problem management activity will be performed throughout the support organization.
Downstream Effect: Extended service outages as well as inadequate communications regarding status of resolutions will further alienate the customer from IT. This will enforce the view of IT as not being aligned with the needs of the business. The perceived value of the services provided by IT will be diminished.
Table: Contoso IT Reorganization Risk ID 0002
Project ID: ITREORG010
Risk ID: 0002
Root Cause: People, Process
Business Effect: Cost, Performance
Risk: Changes implemented by one IT group could negatively affect systems and services delivered by other IT groups.
Situation: Although change management exists within some groups, a common formal change management process does not exist across all IT groups. Additionally, some changes, when reviewed during the weekly status meeting, have not been properly assessed for impact to all groups.
Consequence: Lack of commitment to a standard set of operational processes will lead to business units that fail to trust each other. Frustration between IT groups will occur as systems under the responsibility of one group will be affected by others.
Downstream Effect: Service disruptions caused by failed changes will interrupt business functions. Additionally, failure to communicate planned downtime of mission-critical services to users and the help desk will result in reduced trust in IT. This will force the business to question the value of the current IT operations and to consider outsourcing IT functions.
Risk Prioritization
Once these risks were identified, the project team then focused on risk
prioritization.
Table: Contoso Prioritization of Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Probability: 70%
Impact (1-5): 5
Exposure: 3.5
Exposure Analysis: Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.
Table: Contoso Prioritization of Risk ID 0002
Project ID: ITREORG010
Risk ID: 0002
Root Cause: Process
Business Effect: Cost, Performance
Probability: 65%
Impact (1-5): 5
Exposure: 3.25
Exposure Analysis: Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.
Risk Planning and Tracking
Risks ID 0001 and ID 0002 were identified as the top risks for the project. They were the only two risks with an exposure of 3.0 or greater. The project team then went
through an exercise to devise mitigations, triggers, and contingencies as part of the
risk planning and tracking step. Project team members were assigned responsibilities
to continually monitor their risks for potential changes and action items.
Table: Contoso Tracking of Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Mitigation: Implement Microsoft Operations Framework (MOF) incident and problem management processes. Coordinate second-line and third-line support groups.
Contingencies: Allocation of excessive resources to accommodate resolution of reactive issues. Fund the costs of increased support activities and staff.
Triggers: Continual incident resolution. Repeated problems occur. Uncoordinated and recurring changes. Poor average time to resolution.
Table: Contoso Tracking of Risk ID 0002
Project ID: ITREORG010
Risk ID: 0002
Root Cause: Process
Business Effect: Cost, Performance
Mitigation: A standard formalized and communicated MOF-based change management process will be implemented across all IT groups.
Contingencies: Assign additional resources to reactive problem management. Communication to customers and end-users in a prompt, descriptive and meaningful manner can reduce the negative effect on customer satisfaction.
Triggers: Information gathered during project status meetings and operations management reviews (OMRs) regarding process and service outages indicate that this risk is currently being actualized at some level.
These two risks became the top risks list for the Contoso IT reorganization project.
These risks were discussed at each OMR and various project status meetings. The
purpose of this discussion was to discuss the progress of mitigation steps, to
determine whether triggers were being fulfilled in the environment, and to ensure
that the probability and impact levels were still properly set. This discussion was vital
to the project to determine if contingencies identified in the master risks list needed to be acted upon to avoid service disruptions where possible.
Risk Exposure Analysis
As the project progressed, various mitigation activities around MOF-based change
management processes and incident and problem management processes began to
reduce the probability of these risks occurring. The project team then modified the
probability, which in turn also reduced the exposure of the risks as noted in the
following table.
Table: Contoso Exposure Analysis of Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Modified Probability: 40%
Impact (1-5): 5
Modified Exposure: 2
Modified Exposure Analysis: Probability has decreased due to the implementation of MOF-based incident and problem management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.
Table: Contoso Exposure Analysis of Risk ID 0002
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Modified Probability: 35%
Impact (1-5): 5
Modified Exposure: 1.75
Modified Exposure Analysis: Probability has decreased due to the implementation of MOF-based change management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.
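The Contoso walk-through above (prioritize by exposure, track triggers at each review, lower the probability as mitigation takes hold while keeping the original figure) can be expressed as a small risk register. This is an added example, not part of the original document; it assumes exposure = probability x impact, which is inferred from the table values, and the third register entry and the shortened trigger wording for Risk ID 0002 are constructed for illustration.

```python
"""Risk register sketch for the Contoso example (added illustration)."""
from dataclasses import dataclass, field

TOP_RISK_THRESHOLD = 3.0  # page: the top risks had an exposure of 3.0 or greater


@dataclass
class Risk:
    risk_id: str
    statement: str
    probability_pct: int   # 0-100, best-effort estimate from past experience
    impact: int            # 1-5 scale for effect on potential service disruption
    triggers: tuple = ()
    history: list = field(default_factory=list)  # (old probability, reason) pairs

    def __post_init__(self):
        self._check_probability(self.probability_pct)
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.risk_id}: impact must be on the 1-5 scale")

    @staticmethod
    def _check_probability(pct):
        if not 0 <= pct <= 100:
            raise ValueError("probability must be between 0 and 100 percent")

    @property
    def exposure(self):
        # Assumption inferred from the table values: probability x impact.
        return self.probability_pct * self.impact / 100

    def revise_probability(self, new_pct, reason):
        """Change the estimate but keep the original for historical purposes."""
        self._check_probability(new_pct)
        self.history.append((self.probability_pct, reason))
        self.probability_pct = new_pct


def top_risks(register, threshold=TOP_RISK_THRESHOLD):
    """Risks at or above the threshold, highest exposure first."""
    ranked = sorted(register, key=lambda r: r.exposure, reverse=True)
    return [r for r in ranked if r.exposure >= threshold]


def review(register, observed, threshold=TOP_RISK_THRESHOLD):
    """One status-meeting pass: a fired trigger outranks the exposure score."""
    actions = {}
    for risk in register:
        if any(t in observed for t in risk.triggers):
            actions[risk.risk_id] = "act on contingency"
        elif risk.exposure >= threshold:
            actions[risk.risk_id] = "top risk: track mitigation"
        else:
            actions[risk.risk_id] = "monitor"
    return actions


def build_contoso_register():
    """Values for 0001 and 0002 come from the tables; the last entry is constructed."""
    return [
        Risk("0001", "Service desk process inefficiencies raise support cost",
             70, 5,
             ("Continual incident resolution", "Repeated problems occur",
              "Uncoordinated and recurring changes",
              "Poor average time to resolution")),
        Risk("0002", "Changes by one IT group affect other groups' services",
             65, 5,
             # Shortened paraphrase of the page's trigger text (constructed).
             ("Process and service outages reported at OMRs",)),
        # Constructed low-exposure entry to show the threshold filtering.
        Risk("EXAMPLE-LOW", "Constructed placeholder risk", 30, 3),
    ]


if __name__ == "__main__":
    register = build_contoso_register()
    print("Top risks:", [(r.risk_id, r.exposure) for r in top_risks(register)])
    register[0].revise_probability(40, "MOF incident/problem management in place")
    register[1].revise_probability(35, "MOF change management in place")
    print("After mitigation:", [(r.risk_id, r.exposure) for r in register])
    print("Review:", review(register, {"Repeated problems occur"}))
```

A risk whose exposure has dropped below the threshold still escalates when one of its triggers is observed, which is why the review step checks triggers before the score.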
References:
Chittister, Clyde & Haimes, Yacov. "Assessment and Management of Software Technical Risk." IEEE Transactions on Systems, Man, and Cybernetics 24, 2 (February 1994): 187-202.
Kirkpatrick, Robert J.; Walker, Julie; & Firth, Robert. "Software Development Risk Management: An SEI Appraisal." Software Engineering Institute Technical Review 2 (CMU/SEI-92-REV). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1992.
Higuera, Ronald P.; Dorofee, Audrey J.; Walker, Julie A.; & Williams, Ray C. Team Risk Management: A New Model for Customer-Supplier Relationships (CMU/SEI-94-SR-005, ADA283987). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1994.
Haimes, Yacov Y. "Hierarchical Holographic Modeling." IEEE Transactions on Systems, Man, and Cybernetics 11, 9 (September 1981): 606-617.