Hello
This is one of my specialised subjects, as I am an IT
manager/contractor and I have worked as a Risk Manager on several
projects. Most of the following is from personal experience, or taken
from Davion Systems: The Project Risk Management Website, a site
I've found very useful in my own work. (links later)
Introduction
____________
A risk is an uncertain event or condition that, if it occurs, will
affect your IT system/project objectives (or targets, or goals) and
may have a positive or a negative effect. There are usually far more
things that are likely to go wrong with an IT system or project than
are likely to go right, so risk management is generally the art of
trying to prevent things going wrong.
For most IT systems we can identify at least four objectives:
- Functionality: the characteristics or performance of the expected
system
- Quality: the level of excellence of the system deliverables
- Schedule: the dates by which functionality has to be delivered
- Cost: the budget under which the system has to be delivered
There may also be other objectives, such as:
- Safety: the system will have to work within a safety regulatory
framework, or, at minimum, must be safe to operate
- Environmental: again, the system may have to work within a
regulatory framework, for example in a power station or on a gas
pipeline
- Political: there may be a need for the system in order to avoid
political embarrassment, for example
A risk is any future event that would cause your costs or schedule to
increase, would result in reduced functionality or quality of the
project deliverables, or would impact on any subsidiary deliverables
you have identified.
The risk management process can be divided into six operational areas:
- management planning
- identification
- assessment
- quantification
- response planning
- monitoring & control
The job of a risk manager is to manage all these processes. Let's have
a look at them in turn:
..o0o..
Risk Management Planning
_________________________
A typical plan will define:
1. Activities that are to be carried out, including risk
identification, assessment, documentation, customer response, tracking
of responses and execution of responses (see later for definitions)
2. Roles and responsibilities
3. Timescales and work breakdown of who does what
4. Criteria to use when assessing risks, e.g. are we assessing based on
cost to the project, or effect on timescales, or both
5. Reporting method
6. Review timescales
..o0o..
Risk Identification
____________________
The process of identifying what might go wrong with your project.
Identifying risks is a matter of accessing information that is
available to you as a corporate body.
Typically this uses:
- Risk Databases: a collection of information derived from experience
on previous projects.
- Risk Checklists: a list of areas where you might expect problems to
occur.
- Information Gathering Techniques: getting information from a wide
range of individuals using techniques including brainstorming, the
Delphi technique, and interviewing.
- Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis: can
identify risks in the client company which might impact on the
system.
- Specialised Techniques: such as cause-and-effect diagrams and
various forms of flowcharts. These are often used when interviewing
people with specialised knowledge of the proposed system's functions,
e.g. engineers or accountants.
..o0o..
Assessment
___________
This means estimating the severity of a risk in order that you can
prioritise and deal with the severe risks first.
Risk severity is usually defined in three quantities:
Impact: the effect if it happens
Likelihood: the probability of it happening
Precision: the degree to which the risk is understood
..o0o..
Risk Quantification
__________________
Risk quantification is the process of measuring the probability of a
risk and its impact on project objectives. Unlike risk assessment,
risk quantification aims to produce verifiable numerical values.
Risk quantification typically uses techniques to:
1. Determine how risks will affect the costs and timescales of the
project
2. Determine probabilities of finishing on time and budget
3. Make appropriate amendments to project plans depending on the risk
factors quantified
..o0o..
Risk Response Planning
______________________
There are four ways in which you can respond to any risk:
- Avoidance: arranging the system (or the customer's business) so the
risk is no longer relevant.
- Acceptance: deciding to live with a risk, i.e. accepting it. (Note:
if you do this, you MUST document your reasons.)
- Mitigation: taking positive action to reduce the severity of a risk,
either by reducing the likelihood that the risk will occur (risk
abatement) or by reducing the impact that a risk will have when it
occurs (sensitivity reduction).
- Transfer: transferring the effects of a risk (usually the financial
effects) to another party, e.g. by outsourcing support.
..o0o..
Risk Monitoring and Control
__________________________
Risk monitoring and control is an on-going process which should last
for the life of the project. Its chief requirements are:
1. An organized method of monitoring risks. Typically this is done as
a part of regular project meetings.
2. Individual ownership of risks. Each risk must have a person who
will be responsible for keeping the information about that risk up to
date, and ensuring that response actions are carried out.
3. A risk information system. A standardized reporting system is
advisable to help remove subjective interpretations of risk severity.
This is usually an on-line database accessible by everybody on the
project.
In addition, projects may want to consider additional monitoring and
control activities such as:
4. Periodic risk reviews. Carried out at intervals throughout projects
to determine if risks have changed.
5. Independent risk analysis. External risk management contractors
are often used to obtain an outside view and ensure the risks are
being managed objectively.
..o0o..
So those are the main management processes, and a Risk Manager will be
expected to be competent in them all. So far this has all come from
my own personal experience as an IT manager and Risk manager, but you
asked for links and articles.
Here are some areas that a Risk Manager would be expected to be
competent in.
Monte Carlo technique
"Monte Carlo simulation is a technique for predicting the outcome of a
project, particularly in terms of budget and schedule, by 'running'
the project on a computer. By predicting the outcome in advance you
can ensure that your budgets and schedules are realistic."
(http://www.davion.com/monte_carlo1.htm )
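As an added illustration of the quantification steps above (how risks affect cost and timescale, and the probability of finishing on time and on budget) and of the Monte Carlo technique just quoted, here is a small simulation over a constructed risk register. This is example code written for this answer, not taken from the original post or from Davion's site; the risks, likelihoods, impacts, baseline budget and deadline are all invented figures.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float      # probability the risk occurs during the project (0..1)
    cost_impact: float     # extra cost if it does occur
    schedule_impact: int   # extra working days if it does occur

# Constructed risk register for a hypothetical project; all figures are invented.
RISK_REGISTER = [
    Risk("key developer leaves", 0.20, 30_000, 25),
    Risk("hardware delivered late", 0.35, 5_000, 15),
    Risk("late requirements change", 0.50, 20_000, 20),
    Risk("test environment unavailable", 0.25, 8_000, 10),
]
BASELINE_COST = 250_000   # plan cost if no risk occurs
BASELINE_DAYS = 120       # plan duration if no risk occurs

def run_once(risks, rng, base_cost=BASELINE_COST, base_days=BASELINE_DAYS):
    """'Run' the project once: each risk fires independently with its likelihood."""
    cost, days = base_cost, base_days
    for r in risks:
        if rng.random() < r.likelihood:
            cost += r.cost_impact
            days += r.schedule_impact
    return cost, days

def simulate(risks, budget, deadline_days, runs=20_000, seed=1):
    """Estimate the chance of finishing within budget and deadline, plus P80 figures."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    outcomes = [run_once(risks, rng) for _ in range(runs)]
    costs = sorted(c for c, _ in outcomes)
    days = sorted(d for _, d in outcomes)
    return {
        "p_on_budget": sum(c <= budget for c in costs) / runs,
        "p_on_time": sum(d <= deadline_days for d in days) / runs,
        # mean cost; should approach baseline + sum(likelihood * cost_impact)
        "expected_cost": sum(costs) / runs,
        # 80% of simulated runs came in at or under these values
        "cost_p80": costs[int(0.8 * runs)],
        "days_p80": days[int(0.8 * runs)],
    }

if __name__ == "__main__":
    # Baseline budget and deadline with no contingency: how often do we hit them?
    for key, value in simulate(RISK_REGISTER, BASELINE_COST, BASELINE_DAYS).items():
        print(f"{key}: {value}")
```

The gap between cost_p80 and BASELINE_COST is the contingency you would need to be 80% confident of staying within budget, which is the kind of "realistic budget" the quoted text refers to.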
The development of Risk Checklists
"Risk checklists are specific to a particular business or industry,
and must be developed for risk identification purposes by each
organization. However, in general terms, all checklists should cover
the same territory:"
( http://www.davion.com/checklists.htm )
Impact Analysis
"The impact of a risk is a numerical rating of the effect that the
risk would have on the project, should it occur. (Impact is sometimes
known as consequence)."
( http://www.davion.com/impact.htm )
Likelihood / Probability Analysis
"The likelihood of a risk is a numerical rating of the extent to which
the effects of the risk are likely to occur"
(http://www.davion.com/likelihood.htm )
"The probability of an event is defined, for risk management purposes,
as the probability of that event occurring in the absence of any
actions to forestall it."
(http://www.davion.com/probability_scales.htm )
Precision Analysis
"Precision defines the extent of your current knowledge about a risk."
(http://www.davion.com/precision.htm )
There are also several computerised techniques for Risk Analysis.
There's a good overview of one of them, "Crystal Ball 2000", here:
Risk Analysis Overview
( http://www.decisioneering.com/risk-analysis-print.html )
The UK Government developed a Risk analysis and Management system
specifically to manage IT risks. There's a very good overview, which
covers some specific areas such as hardware risks that I haven't
already covered in this answer. Read about it here:
Applying Risk Analysis Methods to University Systems
( http://www.lmcp.jussieu.fr/eunis/html3/congres/EUNIS97/papers/022701.html )
IT risk analysis has evolved from techniques used in engineering, and
you can see one of the engineering models of risk analysis as used in
an oil field situation here:
Risk Analysis Overview / Methodology
( http://www.oilfield-risk.com/webPages/RiskAnalysis0.htm )
..o0o..
Here are some current job descriptions advertised for IT Risk Managers
on Jobserve
( http://www.jobserve.com )
"Required to undertake thorough review of current risk and performance
systems that cover both business and IT functions - including:
business planning, finance, assets, service agreements, IT systems,
audit and CRM. Must have strong experience in risk analysis techniques
and performance management to help integrate these disciplines into
broader business planning. Will need to have a hands on approach to
Variance analysis and be able to communicate and implement changes
required for the risk and performance systems. A Change management
background may be suitable, but more likely a track record in business
risk and management consultancy"
"The role will involve risk identification, assessment and reporting,
identification of emerging risk areas and new regulatory requirements
and working with the business to ensure systems and controls are
capable of coping with requirements. You will contribute to design and
implementation of group wide risk control framework, report key risks
and influence the business to deliver solutions. It is mandatory to
have at least 2 years recent and relevant experience within the risk
division in a financial organisation. Experience with project
management would be advantageous."
As you can see, a Risk Manager is expected to have a range of
competencies, covering planning, change management, analysis,
reporting and people skills to cope with interviewing a wide variety
of individuals across a project/system. It is a high-profile role on a
project, and demands a disciplined, professional approach, but I
personally have found it to be rewarding, especially when a foreseen
risk that you have identified crops up during a project, and you have
a plan in hand to deal with it and eliminate it.
Hope that all helps. If you need clarification on anything, just ask.
willie-ga
Google searches used
"IT Risk management" competencies
"IT Risk management" overview
"Risk Analysis" overview