1 UNIVERSIDADE FEDERAL DO RIO GRANDE DO SUL INSTITUTO DE INFORMÁTICA PROGRAMA DE PÓS-GRADUAÇÃO EM COMPUTAÇÃO JULIANO ARAUJO WICKBOLDT A Framework for Risk Assessment Based on Analysis of Historical Information of Workow Execution in IT Systems Thesis presented in partial fulllment of the requirements for the degree of Master of Computer Science Prof. Dr. Lisandro Zambenedetti Granville Advisor Porto Alegre, May 20
2 CIP CATALOGING-IN-PUBLICATION Wickboldt, Juliano Araujo A Framework for Risk Assessment Based on Analysis of Historical Information of Workow Execution in IT Systems / Juliano Araujo Wickboldt. Porto Alegre: PPGC da UFRGS, f.: il. Thesis (Master) Universidade Federal do Rio Grande do Sul. Programa de Pós-Graduação em Computação, Porto Alegre, BRRS, 20. Advisor: Lisandro Zambenedetti Granville.. Risk assessment. 2. Risk management. 3. Change management. 4. Project management. I. Granville, Lisandro Zambenedetti. II. Título. UNIVERSIDADE FEDERAL DO RIO GRANDE DO SUL Reitor: Prof. Carlos Alexandre Netto Pró-Reitor de Coordenação Acadêmica: Prof. Rui Vicente Oppermann Pró-Reitora de Pós-Graduação: Prof. Aldo Bolten Lucion Diretor do Instituto de Informática: Prof. Flávio Rech Wagner Coordenador do PPGC: Prof. Álvaro Freitas Moreira Bibliotecária-chefe do Instituto de Informática: Beatriz Regina Bastos Haro
3 If I have seen farther than others, it is because I have stood on the shoulders of giants. Sir Isaac Newton
4 ACKNOWLEDGMENTS First, I must express my sincere thanks to my parents and brother for the unconditional support and for being my example of courage and perseverance. If today I am taking one more step ahead, both professionally and personally, this is mostly due to the fact that they have always believed in my potential and encouraged me to move on. To my grandpa Araujo and grandma Carmen, I thank you for teaching me what really matters in life. As a child, when I used to take vacations and enjoyed them with my grandparents in Pelotas, I have learned little things like respect, honesty, and humility, which turned me into better person. I also thank my advisor Lisandro, who in spite of the distance, has always been incredibly available (i.e., on-line) when I most needed. Lisandro, be sure you have been an excellent professor and also a great friend. Today, I realize how lucky I was to fall almost accidentally into the Computer Networks Group at UFRGS. I could not forget also to thank my unocial pseudo-co-advisor Luciano, who has always placed much trust on me and was also a great partner in our journeys (deadlines, travels, embarrassing videos, etc.). To the "gang" from HP's project I thank you guys for your friendship, for your sense of humor, for the endless philosophical discussions (after all, why do we need to manage risks in a system with automated rollback support?), and for long nights of deadlines on campus (with the guards and the dogs). Particularly, to my great friend "Rubão", fellow in exploring Europe and Japan (with only one expression in Japanese, biru mutsu); to Weverton (aka Mocorongo) and Machado, my veterans who I bothered to learn something about change management; to my favorite undergrads, Luis (aka Nautilus), the renowned creator of the coee bot, Fabrício the last active supporter of Juventude, and Alan (aka Lollipop), only those who have already worked as an undergrad intern in a research project know how hard it is; to Ricardo and Bruno, who later joined the group, but fell into place as if we've already known each other for years; to our managers Cristiano and Lincoln, who always found a way to organize our mess (it was not an easy task, I can assure that). I thank the other members of our group, Flávio "Cockroach", Paulo "Priumo", Rafael SBZ, Clarissa (our brother), Raniery, Jeferson, and all the others, for the friendship and for the gigantic battles fought during events organized by this selective group of which I'm proud to be part of. I could write a funny story involving with each of these guys, but this dissertation would become a real book. Finally, I thank from the heart to my girlfriend Carolina, who has all these years being there for me, patiently, supporting me when things got tough. She is the only one to know how many days and nights were needed to reach this point. Carol, looking back and realizing that my growth as a person and as a professional is directly associated to the support you have being providing me, makes me want to stand by your side forever. Thank you!
5 AGRADECIMENTOS Primeiramente, devo meus sinceros agradecimentos aos meus pais e irmão pelo apoio incondicional e pelo exemplo de garra e perseverança que sempre foram para mim. Se hoje cumpro mais essa etapa com sucesso, tanto prossional quanto pessoal, isso se deve muito ao fato de eles sempre acreditarem no meu potencial e me incentivarem para seguir adiante. Ao vô Araujo e a vó Carmen, agradeço por me ensinarem os reais valores dessa vida. Desde criança, quando eu ainda tirava férias e as desfrutava com eles em Pelotas, aprendi pequenas coisas como respeito, honestidade e humildade, que me zeram ser hoje uma pessoa melhor. Agradeço também ao meu orientador Lisandro, que apesar da distância, sempre esteve incrivelmente disponível (i.e., on-line) nas horas que eu mais precisei. Lisandro, tenha certeza de que tu foste um excelente professor e também um ótimo amigo. Hoje percebo a sorte que tive ao cair de paraquedas no Grupo de Redes da UFRGS. Não poderia deixar de agradecer também ao meu pseudo-coorientador extraocial Luciano, que sempre me depositou muita conança e também foi um grande parceiro nas nossas empreitadas (deadlines, viagens, lmagens constrangedoras, etc.). À "cambada" do projeto da HP agradeço pelo companheirismo, bom humor, pelas intermináveis discussões losócas (anal, para que gerenciar riscos num sistema com rollback automático?) e pelas madrugadas de deadline no campus (nós, os guardas e os cachorros). Em especial, ao meu grande amigo "Rubão", companheiro desbravador da Europa e do Japão (conhecendo apenas uma expressão em japonês, biru mutso); ao Weverton (aka Mocorongo) e ao Machado, meus veteranos aos quais tanto incomodei até aprender alguma coisa sobre gerenciamento de mudanças; aos meus bolsistas preferidos, Luis (aka Nautilus) o ilustre criador do bot do café, Fabrício o último torcedor do Juventude em atividade, e o Alan (aka Pirulito), só quem já foi bolsista ou estagiário sabe o trabalho que dá; ao Ricardo e ao Bruno, que se juntaram mais tarde ao grupo, mas se encaixaram como se já nos conhecêssemos há anos; aos nossos gerentes Cristiano e Lincoln, que sempre deram um jeito de organizar essa nossa bagunça (e não foi nada fácil eu garanto). Agradeço ao restante dos membros do Grupo de Redes, Flávio "Barata", Paulo "Priumo", Rafael SBZ, Clarissa (é brother), Raniery, Jéferson e demais integrantes, pela amizade e pelas batalhas campais travadas nos eventos organizados por este seleto grupo do qual me orgulho de fazer parte. Gostaria de escrever apenas uma história divertida que vivi com cada um, mas esta dissertação viraria um livro. Por m, devo agradecer de todo o meu coração à minha namorada Carolina, que durante todos esses anos sempre esteve ao meu lado, pacientemente, me apoiando nos momentos mais difíceis. Só ela sabe quantas noites mal dormidas foram necessárias para chegar até este momento. Carol, olhar para trás e perceber que o meu crescimento como pessoa e como prossional está diretamente associado ao teu apoio, me faz desejar continuar ao teu lado para sempre. Muito obrigado!
6 CONTENTS LIST OF ABBREVIATIONS AND ACRONYMS LIST OF FIGURES LIST OF TABLES ABSTRACT RESUMO INTRODUCTION RELATED WORK Risk Management Framework by M_o_R Risk Management under IT Change Management Perspective Risk Management under IT Project Management Perspective 23 3 BACKGROUND IT Change Management According to ITIL Project Risk Management as Envisioned by PMBOK RISK ASSESSMENT FRAMEWORK Workow Information Model Log Records Information Model Risk Analyzer Framework Overview Similarity Calculation Probability Estimation Impact Estimation Risk Classication Risk Summarization EVALUATION Application to IT Change Management Failure Classication Request for Change Information Model Implementation Scenario and Results Application to IT Project Management IT Project Life Cycle Information Model Hypothetical Project Structure
7 5.2.3 Comprehensive Risk Reports CONCLUSION Main Contributions and Results Obtained Final Remarks and Future Work REFERENCES APPENDIX A PUBLISHED PAPER IM APPENDIX B PUBLISHED PAPER SBRC APPENDIX C PUBLISHED PAPER DSOM APPENDIX D PUBLISHED PAPER NOMS
8 LIST OF ABBREVIATIONS AND ACRONYMS AF AMN AR BN BPEL BsR BTO CAB CHAMPS CI CIM CMS COBIT CP CRUD CV DAO DML DMTF ET GLM HF HP IEEE IRM ISACA Failure Modeling Notation Absolute Relevance Bayesian Network Business Process Execution Language Business Relevance Business Technology Optimization Change Advisory Board Change Management with Planning and Scheduling Conguration Item Common Information Model Conguration Management System Control Objectives for Information and related Technologies Change Plan Create, Request, Update, and Delete Constraint Violation Data Access Object Denitive Media Library Distributed Management Task Force External Trigger Generalized Linear Model Human Failure Hewlett-Packard Institute of Electrical and Electronics Engineers Institute of Risk Management Information Systems Audit and Control Association
9 ISO IT ITIL IW M_o_R NA OASIS OGC PHP PMBOK PRM PMI RA RF RFC RM SD SNMP SQL TF WfMC XP International Organization for Standardization Information Technology Information Technology Infrastructure Library Inuential Workow Management of Risk No Action Advancing Open Standards for the Information Society Oce of Government Commerce PHP: Hypertext Processor Project Management Body of Knowledge Project Risk Management Project Management Institute Risk Anity Resource Failure Request for Change Remediation Service Disruption Simple Network Management Protocol Structured Query Language Time Failure Workow Management Coalition Extreme Programming
10 LIST OF FIGURES Figure 2.: Risk Management processes according to M_o_R (OGC, 2007a) 8 Figure 3.: Conceptual Architecture of a Change Management System Figure 3.2: Project Risk Management processes according to PMBOK (PMI, 2004) Figure 4.: Extension from the Workow Process Denition model Figure 4.2: Information Model to Represent Execution Traces of Workows. 33 Figure 4.3: Architecture of the Framework for Risk Assessment Figure 5.: Partial View of the Request for Change Information Model Figure 5.2: Service Disruption Example Figure 5.3: Change Plans for installation/conguration of development and production environments Figure 5.4: IT Project Life Cycle Information Model Figure 5.5: Comprehensive Risk Report in Project Hierarchy View Figure 5.6: Comprehensive Risk Report in Work Plan View
11 LIST OF TABLES Table 2.: Examples of Risk Probability Ranges Table 2.2: Examples of Risk Impact Ranges Table 4.: Classication ranges for probability and impact Table 4.2: Risks Classication Matrix Table 4.3: Risks Classication Grid Table 4.4: Tabular Risk Report Table 4.5: Summarized Risk Reports Table 5.: Risk Reports before the deployment of rst phase Table 5.2: Risk Reports before the deployment of second phase
12 ABSTRACT Products and services provided by modern organizations are usually designed, deployed, and supported by large-scale Information Technology (IT) infrastructures. In order to obtain the best performance out of provided products and services, it is essential that these organizations enforce rational practices for the management of resources that compose their infrastructures. For this purpose, in recent years a few standards and libraries of best practices for IT infrastructures and services management have been proposed. Among the most widely accepted proposals, in both academy and industry, is worth mentioning the Information Technology Infrastructure Library (ITIL). A common point in most of those standards and libraries is the explicit concern with the risks related to IT activities. Proactively dealing with adverse and favorable events that may arise during everyday operations might prevent, for example: delay on deployment of services, cost overrun in activities, predictable failures of handled resources, and, consequently waste of money. Although important, risk management in practice usually lacks in automation and standardization in IT environments. Generally, it is performed by stakeholders in interviews and brainstorms, which may be a very time/resource-consuming task and sometimes too imprecise to guide risk related decisions. Therefore, in this dissertation, a framework to support the automation of some key phases of risk management is proposed, aiming to make it simpler, faster, and more accurate. The proposed framework is targeted to workow-based IT management systems. The main approach is to learn from problems reported in the history of previously conducted workows in order to estimate risks for future executions. Furthermore, comprehensive and interactive risk reports are proposed aiming to ease the analysis of assessed risks by involved humans. The proposed framework had its applicability evaluated in two case studies both in IT related areas, namely: IT Change Management and IT Project Management. The results show how the framework is not only useful to speed up the risk assessment process, but also to assist the decision making of project managers and IT operators by organizing risk detailed information in a comprehensive way. In addition, the modular approach employed in the design of the proposed framework allows it to be generic enough to t in dierent contexts (changes and projects) and still customizable to adapt to more specic requirements. Keywords: Risk assessment, risk management, change management, project management.
13 Um Framework para Estimativa de Riscos Baseado na Análise de Informações Históricas de Sistemas de TI RESUMO Produtos e serviços oferecidos pelas organizações modernas são geralmente projetados, implantados e mantidos por meio de infraestruturas de Tecnologia da Informação (TI) de grande escala. A m de obter o melhor desempenho dos produtos e serviços oferecidos, é essencial que essas organizações façam uso de práticas adequadas para o gerenciamento dos recursos que compõem as tais infraestruturas. Para esse m, foram propostos recentemente alguns padrões e bibliotecas de melhores práticas para o gerenciamento de infraestruturas e serviços de TI. Entre as mais amplamente aceitas, tanto da academia quanto na indústria, vale destacar o Information Technology Infrastructure Library (ITIL). Um ponto comum na maioria desses padrões e bibliotecas é a preocupação explícita com os riscos relacionados as atividades de TI. Lidar proativamente com eventos adversos e favoráveis que possam surgir durante as operações cotidianas pode evitar, por exemplo: atrasos na a implantação de serviços, extrapolação no custo de atividades, falhas previsíveis nos recursos manipulados, e consequentemente, desperdício de dinheiro. Apesar da sua importância, o gerenciamento de riscos em ambientes de TI, na prática, geralmente sofre pela falta de automação e padronização. Habitualmente, tal gerenciamento é realizado pelos participantes das atividades em entrevistas e brainstorms, o que geralmente acaba consumindo tempo/recursos de forma excessiva e sendo muito impreciso para guiar a tomada de decisão. Portanto, nesta dissertação, um framework para dar suporte a automação de algumas fases cruciais do gerenciamento de riscos é proposto com o objetivo de tornar tal gerenciamento mais simples, rápido e preciso. O framework proposto é direcionado para sistemas de gerenciamento baseados em workow. A ideia básica é aprender a partir de problemas relatados em workows executados no passado, a m de estimar os riscos para execuções futuras. Além disso, são propostos relatórios de risco compreensivos e interativos com o objetivo de facilitar a análise dos mesmos pelos humanos envolvidos. O framework proposto teve sua aplicabilidade avaliada em dois estudos de caso em áreas relacionadas à TI, a saber: Gerenciamento de Mudanças e Gerenciamento de Projetos de TI. Os resultados demonstram como o framework pode ser útil não apenas para acelerar o processo de estimativa de riscos, mas também para auxiliar a tomada de decisão dos gerentes de projetos e operadores de TI, ao organizar as informações relacionadas aos riscos de forma detalhada e ao mesmo tempo compreensiva. Além disso, a abordagem modular empregada na concepção do framework proposto permite que este seja genérico o suciente para ser utilizado em diferentes contextos (mudanças e projetos) e, ainda assim, personalizável para se adaptar às exigências mais especícas de cada contexto. Palavras-chave: Estimativa de Riscos, Gerenciamento de Riscos, Gerenciamento de Mudanças, Gerenciamento de Projetos.
14 4 INTRODUCTION Modern organizations that want to deliver high quality services to their internal and external customers often end up employing large-scale Information Technology (IT) infrastructures. As services are designed, deployed, maintained, and improved, these IT infrastructures become more complex in term of both management and scalability. In order to obtain the best performance out of the provided services, avoiding waste of resources, it is essential that organizations enforce rational practices for the management of their IT infrastructures. For this end, some best practices standards and libraries have been published, aiming at providing guidance for proper management of IT infrastructures and services. Two of the most widely recognized guides are the Information Technology Infrastructure Library (ITIL) (OGC, 200) proposed by the British Oce of Government Commerce (OGC) and the Control Objectives for Information and related Technologies (COBIT) (ISACA, 200) introduced by the North American Information Systems Audit and Control Association (ISACA). One key aspect about these guides of best practices is their concern on the necessity of managing the risks within organizations' IT activities. This is emphasized by the fact that both OGC and ISACA have published specic guides for corporative IT risk management, respectively, the Management of Risk (M_o_R) (OGC, 2007a) and the Risk IT (ISACA, 2009). According to M_o_R, to achieve their objectives organizations have to inevitably take a certain amount of risk. Thus, it is the role of Risk Management to help organizations to methodologically deal with the risks associated with their activities. Commonly, organizations face risks as uncertain future events or conditions that, if happen, might aect the accomplishment of business goals. These events that represent risk to the business should be identied and assessed in terms of probability of occurrence and possible impact to the business objectives. Although the literature recommends tackling risks as both negative (threats) and positive (opportunities) aspects, in practice, the negative side is far more considered, mainly in elds such as safety, construction, and health care. The actual result is that risk management becomes strongly focused on the prevention and mitigation of harm. This observation also holds in the investigations on risks associated to the design and operation of computational systems. Generally speaking, risk management is divided into four logically sequential and cyclic processes or phases (OGC, 2007a): Identication, Assessment, Response Planning, and Implementation. The rst process is focused in the denition of the context of risk management for the activity of the organization being analyzed and identication of possible threats and opportunities to the objectives of this activity. The risk assessment process takes place when the previously indentied risks are
15 5 evaluated in terms of probability of occurrence and associated impact (i.e., estimation of possible losses or earnings). Afterwards, based on prioritizations guided by risk assessment, preventive and reactive responses to risks are dened aiming to minimize threats and enhance opportunities. Finally, in the last phase, planned responses are implemented and risks are continuously monitored and controlled in order to evaluate the eectiveness of preventive actions and occasionally dispatching corrective ones. Along with all these processes, it is important that organizations adopt a common set of internal policies and strategies for risk management to be shared throughout their departments and teams. Some denitions such as tolerance thresholds, roles and responsibilities, scales for estimating probabilities and impact, tools for documenting, reporting, and communication of risks should be common on all organization's activities. In spite of all these best practices for IT infrastructures and services management, experience of practitioners shows that there is still little evidence that risk management is being applied eciently as a systematic and repeatable process. Some authors have investigated the actual benets and shortcomings of dierent approaches to risk management in real life environments (WYK; BOWEN; AKINTOYE, 2008; BAKKER; BOONSTRA; WORTMANN, 2009; KUTSCH; HALL, 200). These researches point out many issues found in companies' processes, such as: inadequate documentation about identied risks, making it more dicult to reuse the knowledge acquired; lack of tools for automation in order to assist in reporting, monitoring, and decision making about risks; quality of risk-related decisions is often too much dependent on the experience of stakeholders; and usually risk management processes involve an excessive number of people becoming a time/resource consuming task and sometimes being even counterproductive. One of the major problems in risk management is the lack of automation enforcement or system-assisted routines. Risk assessment, which is a key process where risks are evaluated in terms of probability and possible impact, for instance, is usually performed in interviews and meetings with stakeholders involved in each activity. In practice, there is little reuse of experiences that have been learned and documented in the past, then the accuracy of estimated values is subject to the empirical knowledge of the involved sta. Moreover, some critical activities, such as incident response, cannot wait for a committee to meet and deliberate about the risks in adopting one or another strategy to solve a problem, because of the immediacy that these activities require. Specially in the management of IT systems and services, where it is already possible to achieve high levels of automation in tasks like conguration, control, and logging, it is certainly possible to also automate procedures or create system-assisted solutions for risk management. In order to address these issues, in this master's dissertation it is introduced a framework to support the automation of some key phases of risk management, aiming to make it simpler, faster, and more accurate. The target is mainly in risk assessment for workow-based systems designed for the management of IT infrastructures and services. There are many types of IT management processes that can be modeled in the form of workows, such as: change management, project management, and incident management. The advantage of using workows lies in the fact that they dene a sequence of ne-grained activities to be executed in a given order, sequential or parallel, and the details of execution of these activities
16 6 (including adverse and favorable event reports) may be recorded to a log. The proposed approach to the problem encompasses the investigation of execution records of workows previously performed, trying to learn from events reported in the past, aiming to help in the design of better workows for future executions. Besides the proposed framework itself, some other contributions are outcome of this dissertation, as follows:. Firstly, the segregation of events that represent risks following risk classications that vary depending on the environment being analyzed is discussed. It is important to group events together in such a way that reects the concerns of each environment and assures that the results of automated risk assessment are meaningful to human managers; 2. Moreover, considering that workows used in IT management activities are constantly changing, a strategy to compute the similarity among these work- ows and to enable the reuse knowledge even if previous workows were slightly dierent is introduced; 3. Algorithms to allow automated estimation of probability and impact of events based on information retrieved from previously executed and documented workows are also proposed; 4. Finally, aiming to help in the decision making during risk response planning, comprehensive and interactive risk reports are presented. These reports are organized according to a widely used risk classication and, in addition, a strategy to summarize risk information in dierent level of details is proposed. In order to prove concept of the solution proposed in this dissertation, two IT related areas have been selected to be used as case studies, namely: IT Change Management and IT Project Management. The former provides general guidelines for consistently and safely conducting changes over IT infrastructures, from the early specication, planning, deployment, and nally evaluation and review (OGC, 2007b). On the other hand, IT Project Management is focused in the design phase of services aiming to ensure that a project meets its objectives avoiding waste of resources (OGC, 2007c; PMI, 2004). Both projects and changes can be organized in the form of workows and therefore may have their risks analyzed using the framework proposed in this thesis. The remainder of this dissertation is organized as follows. In Chapter 2 a review of the available literature on risk management specially related to IT Change Management and IT Project Management is presented. Afterwards, in Chapter 3, some background concepts that are fundamental to understand and motivate the proposal of the framework to automate risk assessment are presented. The conceptual framework itself, as well as algorithms used for impact and probability estimation and strategies for calculating similarity among workows and risk summarization are introduced in Chapter 4. In Chapter 5 a discussion about results obtained during evaluation of both case studies is presented. Finally, Chapter 6 discusses conclusions, nal remarks, and future work.
17 7 2 RELATED WORK Risk management is a cross-discipline that is investigated and employed in several dierent elds. Risk assessment principles, for example, may be valuable for guiding nancial investments (FROOT; SCHARFSTEIN; STEIN, 993), health care decisions (DANAEI et al., 2005), and strategies of insurance companies (KLÜPPEL- BERG; KOSTADINOVA, 2008). The literature provides many denitions of what risk is and how it should be managed. For example, Holton (HOLTON, 2003) explains that risk denotes an uncertain event that will aect elements, and may occur in some present or future process. Chicken and Posner (CHICKEN; POSNER, 998) have conducted a wide research on how people deal with risks across many dierent areas, including: nancial, medical, industry, projects, transport, and sports. In their book named The Philosophy of Risk, the authors dene that risks should be assessed as a composition of two factors: (i) probability of occurrence of a possibly negative event and (ii) how the object of analysis is aected by this event. This denition seems to be commonsense among the majority of risk management guides and frameworks, especially in regards to corporative risk management. Nowadays, there are at least four main frameworks and standards for risk management that are well recognized and employed by organizations of any kind. Two of them have been already cited in this dissertation; they are the Management of Risk (M_o_R) from OGC (OGC, 2007a) and the Risk IT from ICASA (ISACA, 2009). Both of them are targeted to risk management for organizations' IT processes. Another two more general purpose standards are worth mentioning, the Risk Management Standard introduced by The Institute of Risk Management (IRM)(IRM, 2002) and the recently released ISO 3000:2009 Risk management Principles and Guidelines presented by the International Organization for Standardization (ISO) (ISO, 2009). The basic denitions of how risk management should be properly conducted are quite similar throughout the mentioned frameworks and standards. In this dissertation, the M_o_R framework was selected to serve as guide for the theoretical study since it is well connected to ITIL, which in turn is widely employed by organizations in order to rationally arrange IT infrastructures and services. Therefore, in this chapter, in a rst moment, the risk management framework as dened in M_o_R is detailed. Subsequently, some of the most relevant related work lying on the two areas chosen for the case studies i.e., IT Change Management and IT Project Management are presented.
18 8 2. Risk Management Framework by M_o_R The OGC has published the Management of Risk (M_o_R) framework aiming to help organizations taking decisions in regards to the risks that might aect the performance of any of their activities. This framework is based on four core concepts as depicted in Figure 2.: M_o_R Principles, M_o_R Approach, M_o_R Processes, and M_o_R Embed and Review. Management of Risk Principles Embed and Review Risk Register Implement Issue Log Plan Communicate Identify Risk Management Policy Assess Risk Management Strategy Risk Management Process Guide Figure 2.: Risk Management processes according to M_o_R (OGC, 2007a) M_o_R Principles: it is important that organizations dene principles for risk management as high level directions and guidelines to be applicable for all activities and to enforce the management of risk as a common practice. Examples of principles that should be dened are: organizational context and objectives, stakeholder involvement, roles and responsibilities, early warning indicators, risk reporting, and support structure. M_o_R Approach: the aforementioned principles have to be customized to be adopted in such a way that suits the activities of each organization. Basically, the dened approaches provide the basis on which risk management practices can be developed. In order to communicate these practices and the way they have to be implemented, ve main documents have to be released (represented by ve outer arrows in Figure 2.): Risk Management Policy: describes how risk management will be implemented throughout the organization or in each specic department;
19 9 Risk Management Process Guide: denes a sequence of steps to be followed in order to identify, measure, and treat risks associated with a given activity; Risk Management Strategy: species risk management procedures and parameters for each particular organizational activity. This includes denition of ranges for estimating probabilities and impacts, budgeting or allocation of man-hours for risk management, specic tools and techniques to be employed, and response categories (e.g., reduction, removal, transfer, retention, and share). Tables 2. and 2.2 present examples of possible ranges that may be used to estimate probabilities and impacts in risk management; Table 2.: Examples of Risk Probability Ranges Probability Statistical Likelihood Numerical Time Periods Range Criteria Equivalents Very High > 75% Almost certainly Less than Likely to occur once will occur chance in 0 2 within three months High 5 75% More likely to Less than Likely to occur once occur than not chance in 0 3 within one year Medium 26 50% Fairly likely to Less than Likely to occur once occur chance in 0 4 within ten years Low 6 25% Unlikely to occur Less than Unlikely to occur chance in 0 5 within ten years Very Low 0 5% Extremely unlikely One chance Unlikely to occur in 0 6 within fty years Table 2.2: Examples of Risk Impact Ranges Impact Range Cost Time Requirements Very High > 750k > 25 days Major shortfall in any of the critical requirements High 500k 750k 20 days 25 days Shortfall in any of the critical requirements Medium 250k 500k 0 days 20 days Shortfall in multiple requirements Low 50k 250k 5 days 0 days Shortfall in ancillary requirements Very Low < 50k < 5 days Minor shortfall in ancillary requirements Risk Register: organizes risk related information across all risk management processes of a given organizational activity. It is the purpose of the Risk Register to capture and maintain information about identied threats and opportunities, results of risk assessment, and all kind of information to enable risk response planning and subsequent control of risks; Issue Logs: maintain in a structured manner information regarding the identied issues that have actually occurred and might require response actions. These logs have to be coordinated with the Risk Register and usually will
20 20 describe risks that have been assessed as possible events and turned into real events. M_o_R Processes: as mentioned before in this dissertation, risk management according to the M_o_R framework is divided into four logically sequential and cyclic processes. These processes describe activities, inputs, and outputs responsible for ensuring that risks are identied, assessed, and controlled in each organizational activity. Also, it is important to communicate risk related information and decisions among involved personnel. The four processes and the communication activity are presented in the center of Figure 2. by four rounding arrows plus the Communicate circle: Identify: in a rst moment of this process one should collect information about the context of the activity. This includes, for example, understanding the main objectives, scope limitations, and primary assumptions made. Afterwards, the target is to identify the risks that might either reduce the likelihood of the organization reaching its objectives or enhance performance an organizational activity; Assess: the main objective of this process is to assess the threats and opportunities previously identied and estimate their associated probabilities and impacts. In real life, this is usually performed by humans involved in the activity (e.g., managers, operators, developers, testers) with no proper support of any automated method or tool; therefore the quality of risk assessment is subject to the experience of responsible personnel. More specic evaluations are recommended only for the most risky events. These evaluations might be obtained through experiments, simulations, or analytical models, which are commonly expensive and time consuming tasks to perform; Plan: this process is focused on the planning of specic management responses for the threats and opportunities previously identied and assessed. Plans developed are ideally intended to remove or attenuate likeliness and eects of threats and to enhance possible gains or earning from opportunities. Responses for threats are usually classied in reduction, removal, transfer, retention, and share, while classications of responses for opportunities are realization, enhancement, and exploitation; Implement: in this process planned risk response actions are implemented in order to guarantee that risks will are eectively dealt in a proactive way. Besides, monitoring procedures have to be started aiming to watch for possible risk events to materialize and also to evaluate eciency of preventive actions in practice. Corrective actions might have to be triggered in the case responses do not meet expectations; Communicate: in fact, communication does not take place before or after any of the aforementioned processes. It is indeed an activity that is carried out all the time when performing risk management. Communication plays a key role in risk management since it enforces the participation and engagement of sta across the organization. Eective communication allows easy identication of new threats and opportunities and may also change already identied and assessed risks.
Invitation to tender N EMSA/OP/11/2016 for Provision of testing and quality assurance services for EMSA maritime applications Question 01 (07/07/2016-08 h59): Questions and Answers In order to assess this
CRM: customer relationship management: o revolucionário marketing de relacionamento com o cliente Download: CRM: customer relationship management: o revolucionário marketing de relacionamento com o cliente
QUESTÕES QUE COBRAM O CONHECIMENTO DOS CONECTIVOS: 1 UFPR 77 - Which alternative can replace thus (line 5) in the text without changing the meaning? -) nevertheless -) though -) consequently -) despite
Inovando sistemas com arquiteturas elásticas Renato Bognar Principal System Engineer 1 Agenda Quais são os desafios de construir ua aplicação? Quais os pontos de atenção? Vai construir Apps móveis? Desfazendo
Appendix V Risk Management Plan Template Version 2 March 7, 2005 This page is intentionally left blank. Version 2 March 7, 2005 Title Page Document Control Panel Table of Contents List of Acronyms Definitions
Guidelines for a risk management methodology for product design Viviane Vasconcellos Ferreira Federal University of Santa Catarina email@example.com André Ogliari Federal University of Santa Catarina
Grandparents 2: Well grandma, there is an easier way to do it http://coerll.utexas.edu/brazilpod/cob/lesson.php?p=16 Conversa Brasileira Grandparents 2: Well grandma, there is Ruth s recipe has to be in
ArcHC_3D research case studies (FCT:PTDC/AUR/66476/2006) Casos de estudo do projecto ArcHC_3D (FCT:PTDC/AUR/66476/2006) 1 Casa de Valflores - Loures 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Capela de S. Frutuoso
Expert Reader 1000 Chapter 5 by Elen Fernandes 5- A Dog Barbara wants a dog. She lives alone, so she thinks a dog can be a very nice friend. She decides to go to a pet shop. Barbara sees the animals at
Project Risk Management Study Notes PMI, PMP, CAPM, PMBOK, PM Network and the PMI Registered Education Provider logo are registered marks of the Project Management Institute, Inc. Points to Note Risk Management
SYSTEMS AND SOFTWARE REQUIREMENTS SPECIFICATION (SSRS) TEMPLATE Version A.4, January 2014 FOREWORD This document was written to provide software development projects with a template for generating a System
PROJECT RISK MANAGEMENT DEFINITION OF A RISK OR RISK EVENT: A discrete occurrence that may affect the project for good or bad. DEFINITION OF A PROBLEM OR UNCERTAINTY: An uncommon state of nature, characterized
Root Cause Analysis Concepts and Best Practices for IT Problem Managers By Mark Hall, Apollo RCA Instructor & Investigator A version of this article was featured in the April 2010 issue of Industrial Engineer
HP Change Configuration and Release Management (CCRM) Solution HP Service Manager, HP Release Control, and HP Universal CMDB For the Windows Operating System Software Version: 9.30 Concept Guide Document
Evaluating Workow and Process Automation in Wide-Area Software Development D. E. Perry A. Porter? Software Production Research Dept Computer Science Dept Bell Laboratories University of Maryland Murray
Previews of TDWI course books are provided as an opportunity to see the quality of our material and help you to select the courses that best fit your needs. The previews can not be printed. TDWI strives
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
CAPACITY AND AVAILABILITY MANAGEMENT A Project Management Process Area at Maturity Level 3 Purpose The purpose of Capacity and Availability Management (CAM) is to plan and monitor the effective provision
White Paper Change Management: A CA IT Service Management Process Map Peter Doherty Senior Consultant, Technical Service, CA, Inc. Peter Waterhouse Director, Business Service Optimization, CA Inc. June
ISO, CMMI and PMBOK Risk Management: a Comparative Analysis Cristine Martins Gomes de Gusmão Federal University of Pernambuco / Informatics Center Hermano Perrelli de Moura Federal University of Pernambuco
UNIVERSIDADE FEDERAL DE SANTA CATARINA CENTRO DE COMUNICAÇÃO E EXPRESSÃO PÓS-GRADUAÇÃO EM INGLÊS: ESTUDOS LINGUÍSTICOS E LITERÁRIOS GUIDELINES AND FORMAT SPECIFICATIONS FOR PROPOSALS, THESES, AND DISSERTATIONS
THINK SUCCESS MAKE IT HAPPEN ANNA NOT MISSING HER ENGLISH CLASS myclass AN ENGLISH COURSE THAT FITS YOUR LIFE Porquê myclass Why myclass? A importância do Inglês é fundamental tanto na construção da sua
Available online at www.sciencedirect.com ScienceDirect Procedia Technology 9 (2013 ) 505 510 CENTERIS 2013 - Conference on ENTERprise Information Systems / PRojMAN 2013 - International Conference on Project
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
Artigo Original Revista Brasileira de Física Médica.2011;5(1):57-62. Reproducibility of radiant energy measurements inside light scattering liquids Reprodutibilidade de medidas de energia radiante dentro
UNIVERSIDADE FEDERAL DO RIO GRANDE DO SUL INSTITUTO DE INFORMÁTICA PROGRAMA DE PÓS-GRADUAÇÃO EM COMPUTAÇÃO JULIANO ARAUJO WICKBOLDT Flexible and Integrated Resource Management for IaaS Cloud Environments
CPM -100: Principles of Project Management Lesson E: Risk and Procurement Management Presented by Sam Lane firstname.lastname@example.org Ph: 703-883-7149 Presented at the IPM 2002 Fall Conference Prepared by the Washington,
Introduction: ITIL Version 3 and the ITIL Process Map V3 IT Process Maps www.it-processmaps.com IT Process Know-How out of a Box IT Process Maps GbR, 2009-2 - Contents HISTORY OF ITIL... 4 The Beginnings...
A Componentware Methodology based on Process Patterns Klaus Bergner, Andreas Rausch Marc Sihling, Alexander Vilbig Institut fur Informatik Technische Universitat Munchen D-80290 Munchen http://www4.informatik.tu-muenchen.de
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
ITIL Event Management in the Cloud An AWS Cloud Adoption Framework Addendum July 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational
03 infra TI Ambiente de Armazenamento Principais componentes de Hosts e Armazenamento; Tipos de conectividade PCI, IDE/ATA, SCSI etc.; Componentes de um drive de disco; Desempenho de drives de disco; Sistemas
Integrating Project and Integrating Project and By Reg Lo with contributions from Michael Robinson. 1 Introduction Project has become a well recognized management discipline within IT. is also becoming
Business Process Management and its results in a Blinds Manufacturing Company Eduarda Espindola email@example.com Luiz Henrique Dias Alves firstname.lastname@example.org Universidade Federal
JISTEM - Journal of Information Systems and Technology Management Revista de Gestão da Tecnologia e Sistemas de Informação Vol. 10, No. 3, Sept/Dec., 2013 pp.597-620 ISSN online: 1807-1775 DOI: 10.4301/S1807-17752013000300008
PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE: Project Name Project Management Plan Document Information Document Title Version Author Owner Project Management Plan Amendment History
ITIL v3 Service transition glossary Term Assembly Assessment Asset management Asset register Attribute Audit Authority matrix Back out Best practice British Standards Institution (BSI) Build Build environment
iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 1.1 Overview 4 1.2 Context 4 1.3 Purpose 8 1.4 Usage 8 2 Management
Requirements and Recommendations for the Realization of a Configuration Management Database Thomas Schaaf 1, Boran Gögetap 2 1 MNM Team, Ludwig Maximilians University, Munich, Germany Thomas.Schaaf@mnm-team.org
ITIL by Test-king Number: ITIL-F Passing Score: 800 Time Limit: 120 min File Version: 15.0 Sections 1. Service Management as a practice 2. The Service Lifecycle 3. Generic concepts and definitions 4. Key
MZ:2012:04r NADABAS Report from a short term mission to the National Statistical Institute of Mozambique, Maputo Mozambique 16-27 April 2012 within the frame work of the AGREEMENT ON CONSULTING ON INSTITUTIONAL
Risk Management Model in ITIL Sarah Vila-Real Vilarinho Friday, June 29, 2012 ITIL is considered a framework of best practice guidance for IT Service Management and it is widely used in the business world.
Evaluating project manager performance: a case study Veridiana Rotondaro Pereira, Marly Monteiro de Carvalho University of São Paulo e-mail: email@example.com; firstname.lastname@example.org Abstract: A project
QUALITY KNOWLEDGE INTEGRATION: A BRAZILIAN COMPARISON ANALYSIS Úrsula Maruyama email@example.com CEFET/RJ, Departamento de Ensino e Administração (DEPEA) Av. Maracanã 229, Maracanã CEP 20.271-110
What is a life cycle model? Framework under which a software product is going to be developed. Defines the phases that the product under development will go through. Identifies activities involved in each
Network Management Slide Set 3 1 Learning Objectives Understand what is required to manage the day today operation of networks Be familiar with the network management organization Understand configuration
03 infra TI RAID MTBF; RAID Protection; Mirroring and Parity; RAID levels; write penalty Por que RAID? Redundant Array Inexpensive Disks x Redudant Array Independent Disks Performance limitation of disk
Service quality management solutions To support your business objectives Implement a unified approach to service quality management. Highlights Deliver high-quality software applications that meet functional
white paper Applying ITIL v3 Best Practices to improve IT processes Rocket bluezone.rocketsoftware.com Applying ITIL v. 3 Best Practices to Improve IT Processes A White Paper by Rocket Software Version
MCSD Azure Solutions Architect [Ativar Portugal] Microsoft - Percursos Com certificação Nível: Avançado Duração: 78h Sobre o curso A GALILEU integrou na sua oferta formativa, o Percurso de Formação e Certificação
Observing Data Quality Service Level Agreements: Inspection, Monitoring and Tracking WHITE PAPER SAS White Paper Table of Contents Introduction.... 1 DQ SLAs.... 2 Dimensions of Data Quality.... 3 Accuracy...
OpenStax-CNX module: m31434 1 A Glossary of Project Management Terms Merrie Barron, PMP, CSM Andrew R. Barron This work is produced by OpenStax-CNX and licensed under the Creative Commons Attribution License
White Paper from Global Process Innovation by Jim Boots Fourteen Metrics for a BPM Program This white paper presents 14 metrics which may be useful for monitoring progress on a BPM program or initiative.
Vivek Shrivastava Speaker Introduction Vivek Shrivastava Experienced in numerous aspects of IT during a 15 year career (Dev, QA, Bus Analysis, Project Management, Process Improvement, Service Management,
Abstract Number: 002-0427 Critical Issues about the Theory Of Constraints Thinking Process A Theoretical and Practical Approach Second World Conference on POM and 15th Annual POM Conference, Cancun, Mexico,
OpenStax-CNX module: m14619 1 Software development process Trung Hung VO This work is produced by OpenStax-CNX and licensed under the Creative Commons Attribution License 2.0 Abstract A software development
Pvt. Ltd. Capacity Management Policy, Process & Procedures Document Client: Pvt. Ltd. Date : 03/04/2011 Version : 0.6 GENERAL Description Purpose Applicable to Supersedes This document establishes a Capacity
MCSA Office 365 [Ativar Portugal] Microsoft - Percursos Com certificação Nível: Avançado Duração: 41h Sobre o curso A GALILEU integrou na sua oferta formativa o Percurso de Formação e Certificação MCSA
Risk Mitigation, Monitoring and Management Plan Introduction Scope and intent of RMMM activities The goal of the risk mitigation, monitoring and management plan is to identify as many potential risks as
Questions? Assignment Why is proper project management important? What is goal of domain analysis? What is the difference between functional and non- functional requirements? Why is it important for requirements
The ITIL Foundation Examination Sample Paper A, version 4.2 Multiple Choice Instructions 1. All 40 questions should be attempted. 2. All answers are to be marked on the answer grid provided. 3. You have
Document: EB 2008/94/R.4 Agenda: 5 Date: 6 August 2008 Distribution: Public Original: English E IFAD Policy on Enterprise Risk Management Executive Board Ninety-fourth Session Rome, 10-11 September 2008
Evaluating Building Systems Based on Production Process Management and Lean Construction Concepts EVALUATING BUILDING SYSTEMS BASED ON PRODUCTION PROCESS MANAGEMENT AND LEAN CONSTRUCTION CONCEPTS Alberto
HYBRID INTELLIGENT SUITE FOR DECISION SUPPORT IN SUGARCANE HARVEST FLÁVIO ROSENDO DA SILVA OLIVEIRA 1 DIOGO FERREIRA PACHECO 2 FERNANDO BUARQUE DE LIMA NETO 3 ABSTRACT: This paper presents a hybrid approach
SUITABILITY OF RELATIVE HUMIDITY AS AN ESTIMATOR OF LEAF WETNESS DURATION PAULO C. SENTELHAS 1, ANNA DALLA MARTA 2, SIMONE ORLANDINI 2, EDUARDO A. SANTOS 3, TERRY J. GILLESPIE 3, MARK L. GLEASON 4 1 Departamento
Risk management in scientific research: a proposal guided in Project Management Book of Knowledge and Failure Mode and Effects Analysis Pollyana Notargiacomo Mustaro Graduate Program in Electrical Engineering
TECHNOLOGY BRIEF: PROBLEM MANAGEMENT Problem : A CA Service Process Map MARCH 2009 Randal Locke DIRECTOR, TECHNICAL SALES ITIL SERVICE MANAGER Table of Contents Executive Summary 1 SECTION 1: CHALLENGE
TechExcel ITIL Process Guide Sample Project for Incident Management, Management, and Problem Management. Certified Incident Management Red Arrows indicate that the transition is done automatically using
Integration of Risk Management into Strategic Planning: A New Comprehensive Approach Isabela Ribeiro Damaso Maia 1 George Montgomery Machado Chaves 2 2016 Enterprise Risk Management Symposium April 2016
EFTWeb: a working model proposal to support Education, Learning and Training Luís Gouveia a e Joaquim Borges Gouveia b e Francisco Restivo b firstname.lastname@example.org, email@example.com, firstname.lastname@example.org a Associate
s Risk Management Model In ITIL Sarah Vila-Real Vilarinho Dissertation for the Degree of Master of Information Systems and Computer Engineering President: Supervisor: Member: Jury Prof. Dr. Joaquim Armando
Certification Protocol For Certifica Minas Café - UTZ Certified Certification Protocol Version 1.1, February 2014 www.utzcertified.org Copies of this document are available for free in electronic format
RISK MANAGEMENT IN CITIZEN ORIENTED INNOVATIVE SOFTWARE DEVELOPMENT PROJECTS ABSTRACT Emanuel Herteliu 1 Mihai Liviu Despa 2 This paper tackles the subject of risk management in the specific context of
Tutorial on Service Level Management in e- Infrastructures State of the Art and Future Challenges The FedSMProject Thomas Schaaf & Owen Appleton Contents IntroducCon Background: why ITSM in e- Infrastructure?
Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of
Risk Management Motivations When we looked at project selection we just took into account financial data In the scope management document we emphasized the importance of making our goals achievable, i.e.
ITIL Essentials Study Guide Introduction Service Support Functions: Service Desk Incident Management Problem Management Change Management Configuration Management Release Management Service Delivery Functions:
A Maturity Model for Implementing ITIL v3 Rúben Filipe de Sousa Pereira Dissertação para obtenção do Grau de Mestre em Engenharia Informática e Computadores Presidente: Orientador: Vogais: Júri Professor
Security Characterisation and Integrity Assurance for Software Components and Component-Based Systems Jun Han and Yuliang Zheng Peninsula School of Computing and Information Technology Monash University,
ITIL A guide to service asset and configuration management The goal of service asset and configuration management The goals of configuration management are to: Support many of the ITIL processes by providing
ECSS-M-ST-80C Space project management Risk management ECSS Secretariat ESA-ESTEC Requirements & Standards Division Noordwijk, The Netherlands Foreword This Standard is one of the series of ECSS Standards