A risk is an uncertain event or condition that, if it occurs, will affect your IT system/project objectives (or targets, or goals) and may have a positive or a negative effect. There are usually far more things that are likely to go wrong with an IT system or project than are likely to go right, so risk management is generally the art of trying to prevent things going wrong.

For most IT systems we can identify at least four objectives:

1. Functionality: the characteristics or performance of the expected system
2. Quality: the level of excellence of the system deliverables
3. Schedule: the dates by which functionality has to be delivered
4. Cost: the budget under which the system has to be delivered

There may also be other objectives, such as:

5. Safety: The system may have to work within a safety regulatory framework, or, at minimum, must be safe to operate
6. Environmental: The system may need to work within an environmental regulatory framework, for example, in a power station or in a gas pipeline
7. Political: There may be a need for the system in avoidance of political embarrassment, e.g. a new passport control system to replace a discredited one.

A risk is any future event that would cause your costs or schedule to increase, or would result in reduced functionality or quality of the project deliverables, or would impact on any subsidiary deliverables you have identified.

The risk management process can be divided into six operational areas:

1. management planning
2. identification
3. assessment
4. quantification
5. response planning
6. monitoring & control

The job of a risk manager is to manage all these processes. Let's have a look at them in turn:

1. Risk Management Planning

A typical plan will define:

1.1. Activities that are to be carried out, including risk identification, assessment, documentation, customer response, tracking of responses and execution of responses
1.2. Roles and responsibilities
1.3. Timescales and work breakdown of who does what
1.4. Criteria to use when assessing risks, e.g. are we assessing based on cost to the project, or effect on timescales, or both
1.5. Reporting method
1.6. Review timescales

2. Risk Identification

The process of identifying what might go wrong with your project. Identifying risks is a matter of accessing information that is available to you as a corporate body.

Typically this uses:

2.1. Risk Databases: a collection of information derived from experience on previous projects.
2.2. Risk Checklists: a list of areas where you might expect problems to occur.
2.3. Information Gathering Techniques: getting information from a wide range of individuals using techniques including brainstorming, Delphi technique, and interviewing.
2.4. Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis: can identify risks in the client company which might impact on the system.
2.5. Specialized Techniques: such as cause-and-effect diagrams and various forms of flowcharts. These are often used when interviewing people with specialised knowledge of the proposed system's functions, e.g. engineers or accountants.

3. Assessment

This means estimating the severity of a risk in order that you can prioritise and deal with the severe risks first.

Risk severity is usually defined in 3 quantities:

3.1. Impact: the effect if it happens
3.2. Likelihood: the possibility of it happening
3.3. Precision: the degree to which the risk is understood

4. Risk Quantification

Risk quantification is the process of measuring the probability of a risk and its impact on project objectives. Unlike risk assessment, risk quantification aims to produce verifiable numerical values. Risk quantification typically uses techniques to:

4.1. Determine how risks will affect the costs and timescales of the project
4.2. Determine probabilities of finishing on time and budget
4.3. Make appropriate amendments to project plans depending on the risk factors quantified

5. Risk Response Planning

There are four ways in which you can respond to any risk:

5.1. Avoidance: Arranging the system (or the customer's business) so the risk is no longer relevant.
5.2. Acceptance: Acceptance means deciding to live with a risk, i.e. accepting it. (Note, if you do this, you MUST document your reasons)
5.3. Mitigation: taking positive action to reduce the severity of a risk either by reducing the likelihood that the risk will occur (risk abatement) or by reducing the impact that a risk will have when it occurs (sensitivity reduction).
5.4. Transfer: the process of transferring the effects of a risk (usually the financial effects) to another party, e.g. by outsourcing support

6. Risk Monitoring and Control

Risk monitoring and control is an on-going process which should last for the life of the project. Its chief requirements are:

6.1. An organized method of monitoring risks. Typically this is done as a part of regular project meetings
6.2. Individual ownership of risks. Each risk must have a person who will be responsible for keeping the information about that risk up to date, and ensuring that response actions are carried out.
6.3. A risk information system. A standardized reporting system is advisable to help remove subjective interpretations of risk severity. This is usually an on-line database accessible by everybody on the project.
6.4. Periodic risk reviews. Carried out at intervals throughout projects to determine if risks have changed
6.5. Independent risk analysis. External risk management contractors are often used to obtain an outside view and ensure the risks are being managed objectively.

Make sure you think about all of the above topics -before- you start any IT project, and you'll be well on the way to managing and controlling the risks. There will always be something in a project to trip you up, but with a decent risk management plan, you'll have the tools at hand to deal with it and minimise its impact in the long run.