CDC UNIFIED PROCESS PRACTICES GUIDE

Transcription

1 Dcument Purpse The purpse f this dcument is t prvide guidance n the practice f Risk Management and t describe the practice verview, requirements, best practices, activities, and key terms related t these requirements. In additin, templates relevant t this practice are prvided at the end f this guide. Practice Overview Prject risk must be identified, managed, and addressed thrughut the prject in rder fr the prject t be successful. Risk management plays an imprtant rle in maintaining prject stability and efficiency thrughut the prject life cycle. It practively addresses ptential bstacles that may arise and hinder prject success and/r blck the prject team frm achieving its gals. Prject risk can be anything that threatens r limits the gals, bjectives, r deliverables f a prject. Prject risk is present in all prjects and may have ne r mre causes and, if it ccurs, ne r mre impacts. RISK VS. ISSUES There is ften cnfusin between Risk Management and Issue Management and hw the activities f each interface and interact with each ther. Accrding t the Prject Management Institute (PMI) Prject Management Bdy f Knwledge (PMBOK): A risk is an uncertain event r cnditin that, if it ccurs, has a psitive r negative impact n a prject s bjectives such as time, cst, scpe, quality, etc. An issue is a pint r matter in questin r in dispute, r a pint r matter that is nt settled and is under discussin r ver which there are ppsing views r disagreements. Often prject issues are first identified as a risk and thrugh the risk management planning prcess may already have a planned apprach t managing the issue. Prject risk management includes the prcesses fr cnducting risk management planning, identificatin, analysis, respnses, and mnitring and cntrl f a prject. The bjectives f prject risk management are t increase the prbability and impact f psitive events and decrease the prbability and impact f events adverse t prject bjectives. Prject issue management includes utilizing the utputs frm the prject risk management planning if the issue was identified as a risk during the risk planning prcesses. DEFINITION AND PURPOSE Risk management planning is the practice f deciding and dcumenting hw t cnduct risk management activities such as risk identificatin, analysis, respnse planning, and mnitring, cntrlling, and reprting. Nt all risks can be eliminated, but mitigatin and cntingency plans can be develped t lessen their impact if they ccur. Analysis f the risks may als identify unfreseen pprtunities that may be pursued t prvide additinal benefit. The purpse f cnducting risk management planning is t anticipate, identify, and address events that may impact prject success. The PMI PMBOK defines risk management planning as the prcess f deciding hw t apprach, plan, and execute risk management activities fr a prject. The actual practice f risk management planning identifies, analyzes, and develps strategies t manage, cntrl, and respnd t prject risk. The bjective f prject risk management is t increase the prbability and impact f events beneficial t the prject and t decrease the prbability and impact f negative events. PROCESS Prject risk management is an iterative prcess that begins in the early phases f a prject and is cnducted thrughut the prject life cycle. It is the practice f systematically thinking abut all pssible utcmes befre they happen and defining prcedures t accept, avid, r minimize the impact f risk n the prject. Types f risk that are cnsidered during this prcess are: Financial risk such as investments, funding, capital expenditure, etc. UP Versin: 11/30/06 Page 1 f 7

2 Legal risk such as lawsuits, change in law, etc. Gvernment/Plitical risk such as regulatry change, legislative change, plicy change, etc. Physical risk such as natural disasters, fire, accidents, death, etc. Intangible risk such as human resurces, knwledge, skill sets, relatinships, etc. Technical risk such as IT security, infrastructure, sftware, etc. Security risk such as facility, infrmatin, dcumentatin, etc. The Capital Planning and Investment Cntrl (CPIC) prcess fcuses specifically n the fllwing types f risk areas: Schedule Initial Csts Life-cycle Csts Technical Obslescence Feasibility Reliability f Systems Dependencies/Interperability Surety Cnsideratins Future Prcurements Prject Management Overall Prject Failure Organizatinal/Change Management Business Data/Infrmatin Technlgy Strategic Security Privacy Prject Resurces Effective risk management accmplishes: Identificatin f risk Evaluatin and priritizatin f identified risks Assignment f risk wners Develpment f risk respnse plans Tracking and reacting accrdingly Mnitring and cntrlling risks Prject teams shuld hld meetings t identify risk and t define an apprpriate strategy fr dealing with thse risks. These activities are dcumented and used in the develpment f a Risk Management Plan (RMP). The RMP describes the apprach and prcesses fr assessing and cntrlling risks in the prject. PMI PMBOK defines a RMP as a dcument that describes hw prject risk management will be structured and perfrmed n the prject. It is cntained in r is a subsidiary plan f the Prject Management Plan (PMP). During the creatin f the RMP a priritizatin prcess fllws the identificatin f risk whereby the risks with the greatest ptential impact are priritized first. COMPONENTS OF The RMP describes hw risk management activities will be perfrmed. It dcuments risks, hw risks were identified, analyzed, and priritized; hw the prject team will react t risk symptms and triggers; wh is respnsible fr managing which risks; hw risks will be tracked thrughut the prject lifecycle, and hw risks will be mitigated and/r what cntingency plans may be executed. The prcess f btaining the necessary infrmatin t prperly cmplete and execute the RMP is a fur part prcess that includes: Risk identificatin UP Versin: 11/30/06 Page 2 f 7

3 Risk analysis Risk respnse planning Risk mnitring, cntrlling, and reprting CDC UNIFIED PROCESS Risk Identificatin Risk identificatin is an iterative prcess that is cnducted thrughut the entire prject life cycle. Any persn assciated with the prject shuld be encuraged t cntinually identify ptential prject risks. PMI PMBOK defines risk identificatin as the prcess f determining which risks might affect the prject and then dcumenting characteristics f thse risks. Frmal risk identificatin is perfrmed in the early part f the prject life cycle and may be dne as a risk identificatin meeting that might include the fllwing types f participants: Prject managers Prject team members Stakehlders Subject matter experts A risk s severity is perceived as it relates t threats t prject success, pprtunities, and impact n schedule, cst, scpe, quality, prductivity, etc. There are tw types f risk: knwn risk and unknwn risk. Knwn risk is risk that has been identified and can be analyzed. Examples f knw risk may include aspects f the prject envirnment such as pr prject management practices, lack f resurces, multiple prjects, external dependencies, etc. Identified risks need t be practively managed thrughut the prject life cycle by identifying wh wns the management f that risk and by utlining risk symptms, triggers, and cntingency plans that wuld prevent the risk frm ccurring r that wuld lessen the prject impact shuld it ccur. At times risks may simply be accepted by the prject if the reward fr taking that risk is in balance with the ptential cnsequences. Unknwn risk is risk that has nt yet been identified. Examples f unknwn risk may include unexpected legal changes, natural disasters, resurce lsses, etc. Unknwn risk cannt be managed practively and thus mst ften is addressed by allcating an acceptable level f general cntingency against the prject as a whle that is adequate enugh t manage a reasnable level f unknwn risk. Additinal advanced risk identificatin techniques exist utside the scpe f this dcument. These techniques can be further researched by the reader, if needed, and include techniques such as: Delphi Technique Rt Cause Analysis SWOT Analysis Cause-and-Effect Diagramming Influence Diagramming Flw Charting Brainstrming Interviewing Risk Analysis Risk analysis is primarily cncerned with priritizing and classifying risks and then determining which risks require the develpment f mitigatin strategies and/r cntingency plans. Risk analysis reflects the prject s tlerance fr risk and defines threshlds and tlerance levels in areas such as cst, schedule, staffing, resurces, quality, etc. that, if triggered, may require implementatin f defined cntingency plans. Risk analysis is nt a ne-time event, it is an iterative prcess that is perfrmed cntinuusly thrughut the life f the prject as new risks are identified and existing risks change. The PMI PMBOK identifies a number f appraches t risk analysis. Hwever, tw high-level types f risk analysis apply best t mst every prject type, they include: UP Versin: 11/30/06 Page 3 f 7

4 Qualitative Risk Analysis includes methds fr priritizing the identified risks fr further actin, such as Quantitative Risk Analysis r Risk Respnse Planning. It assesses the pririty f identified risks using their prbability f ccurring, the crrespnding impact n prject bjectives if the risks d ccur, as well as ther factrs such as the time frame and risk tlerance f the prject cnstraints f cst, schedule, scpe, and quality. Quantitative Risk Analysis is perfrmed n risks that have been priritized by the Qualitative Risk Analysis prcess as ptentially and substantially impacting the prject s cmpeting demands. It analyzes the effect f thse risk events and assigns a numerical rating t thse risks. When cmplete, it als presents a quantitative apprach t decisin making when uncertainty arises. The prbability f ccurrence fr each identified risk can be assessed as ne f the fllwing three categries and shuld be based n an assessment by the prject manager, with input frm the prject team. High Greater than 70% prbability f ccurrence Medium Between 30% and 70% prbability f ccurrence Lw Belw 30% prbability f ccurrence The impact f each identified risk can be assessed as ne f the fllwing three categries and shuld be based n an assessment by the prject manager, with input frm the prject team. High Risk that has the ptential t greatly impact prject cst, prject schedule r perfrmance Medium Risk that has the ptential t slightly impact prject cst, prject schedule r perfrmance Lw Risk that has relatively little impact n cst, schedule r perfrmance Based n the prbability and impact assessments f each risk, the prject manager may map the risks using red/green/yellw clr-cding. Green: LL (Lw Prbability, Lw Impact), LM (Lw Prbability, Medium H Impact), ML (Medium Prbability, Lw Impact) M Yellw: LH (Lw Prbability, High Impact), MM (Medium Prbability, Medium Impact), HL (High Prbability, Lw Impact) L Red: MH (Medium Prbability, High Impact), HM (High Prbability L M H Medium Impact), HH (High Prbability, High Impact) Prbability Additinal advanced risk analysis techniques exist utside the scpe f this dcument. These techniques can be further researched by the reader, if needed, and include techniques such as: Prcess Assessment Prbability and Impact Analysis Prbability Distributins Sensitivity Analysis Decisin Tree Analysis Mdeling and Simulatin Risk Respnse Planning Risk respnse planning includes the identificatin and assignment f ne r mre persns t take respnsibility fr each identified risk and defines the actins t be taken against that risk thrugh the develpment f measures and actin plans t respnd t risk shuld it ccur. PMI PMBOK defines Risk Respnse Planning as the prcess f develping ptins and actins t enhance pprtunities and t reduce threats t prject bjectives. Risk respnse actins may include: Mitigatin Risk mitigatin invlves taking early actin t prevent r reduce the likelihd f risk. Cntingency Cntingency plans define actins t be taken in respnse t identified risk triggers in hpes f reducing ptential prject impact frm identified risk. Transfer Risk transfer invlves shifting the respnsibility/wnership f the risk t anther party. This is typically dne by purchasing insurance against the type f risk. Impact UP Versin: 11/30/06 Page 4 f 7

5 Avidance Risk avidance invlves changing the prject t eliminate the threat frm identified risk. Acceptance Risk acceptance simply invlves acknwledging the risk as part f the prject and accepting the cnsequences f its ccurrence. An example f this is plitical r legislative risk that is ut f the cntrl f the prject team. Fr the mst part, prject risk respnse planning will cnsist f defining risk threshlds, identifying risk triggers, and then planning a mitigatin strategy and develping cntingency plans. A risk trigger is an event r events that activate the executin f a particular actin, usually assciated with mitigatin strategy r executin f cntingency plans. Risk threshlds define the bundaries f fluctuatin allwed frm expected levels t thse defined as triggers. Mitigatin strategies identify actins that may minimize r eliminate prject risks befre it ccurs. A risk may have several mitigatin activities that attempt t balance the prbability and severity f the risk ccurrence with the cst-effectiveness f the mitigatin strategy. Risk triggers shuld be identified that indicate when the mitigatin strategy is n lnger effective and cntingency plans shuld be executed. Risk tracking and cntrl fllws the prgress f the prbability f risk ccurrence and, if necessary, identifies when risk symptms escalate t a pint requiring implementatin f cntingency plans. By mnitring risk, plans can be adjusted t deal with prject change that may alter risk levels. If a risk prbability/impact drps and/r the risk actually ccurs, the risk may be a candidate fr retirement r clsure. If the risk des ccur, defined cntingency plans minimize the risk s effect n prject deliverables. Risk Mnitring and Cntrlling, and Reprting The Prject Manager is ultimately respnsible fr managing risks and shuld regularly review and update the status f each identified risk and ensure that risks are under cntrl. Risk mnitring and cntrl is the prcess f identifying, analyzing, and planning fr risk, keeping track f identified risks, and reanalyzing existing risks, mnitring risk symptms and triggers, and reviewing the executin f risk respnses strategies while evaluating their effectiveness. Risk reprting is the prcess f regularly reviewing and prviding status abut identified risk. Prject wrk shuld be cntinuusly mnitred fr updates and changes, this practice shuld als include the review and update f risk. When reprting r reviewing prject prgress, risk management status shuld be included. Develping the Risk Management Plan A RMP is the fundatin dcument fr early identificatin f ptential prject prblems. A gd RMP is nt necessarily lengthy. A RMP can be very shrt and still have great value r can simply be incrprated int the Prject Management Plan. The cntent f the RMP will vary depending upn the cmplexity f the prject. The size f and time invested t develp a RMP shuld be balanced with the size and cmplexity f the prject. Large, mre cmplex prjects justify a significant effrt in develping a cmprehensive RMP. The infrmatin dcumented within the RMP identifies risk reductin techniques, develped cntingency plans, and describes the prcess that will be used t identify, analyze, and manage risks thrughut the prject life cycle. Either directly r by reference t ther dcuments, the RMP shuld address the fllwing: Risk Management Prcedures Summarize hw risk management activities will be perfrmed during the prject. Prcess Summarize the steps necessary fr respnding t prject risk. Risk Identificatin Summarize the apprach that will be used t identify risk and the risks identified during that prcess. Amng ther things, risks identified shuld include technical, plitical, and managerial aspects f the prject that may impact areas such as schedule, cst, UP Versin: 11/30/06 Page 5 f 7

6 CDC UNIFIED PROCESS functinality, perfrmance, reliability, availability, resurces, etc. Fr C&A infrmatin security risk requirements refer t Fr NIST risk requirements refer t SP lcated at Risk Analysis Summarize the prbability f risk ccurrence and assess the likelihd f the risk ccurring. Summarize the ptential impact f the risk n the prject s bjectives. Based n the prbability and impact assessments fr each risk, map the risks using red/green/yellw clr-cding. Qualitative Risk Analysis Summarize the prbability f ccurrence fr each identified risk based n an assessment by the prject manager, with input frm the prject team. Quantitative Risk Analysis Summarize the prbability and impact assessments f each risk, the prject manager may map the risks using red/green/yellw clr-cding. Respnse Summarize the techniques and actins that will be taken t respnd t identified risks. Priritize risk based n identified qualitative and quantitative characteristics. Define risk threshlds and assign versight respnsibility f the risk t team members. Identify the risk symptms and triggers and then dcument mitigatin and cntingency plans, risk transfer, avidance, and/r acceptance strategies. Risk Mnitring, Cntrlling, and Reprting Summarize hw risk will be mnitred and reprted thrughut the prject s life. Tls and Practices Summarize any tls that will be used t lg and track risk and risk status updates, where the tls are lcated, where infrmatin will be stred, etc. Summarize prcesses defined specifically fr the purpse f risk management such as hw risk will be evaluated, measured, reprted n, etc. Best Practices The fllwing best practices are recmmended fr Prject Risk Management: Identify Early Identify ptential prject risks as early in the prject life cycle as pssible. Dcument these initially identified risks in the prject charter and clearly cmmunicate their ptential cnsequences t prject spnsrs and stakehlders. Identify Cntinuusly Cntinually identify and reevaluate prject risk. When new risk is identified cmmunicate updates as needed. Analyze Analyze the ptential impact f identified prject risk. Repeat this analysis prcess thrughut the prject life cycle, make updates, and cmmunicate changes as needed. Repriritize As risks are cntinually analyzed thrughut the prject life cycle, repriritize risks as ptential prject impact adjusts t changing prject events. Define and Plan - Define risk threshlds and triggers, mitigatin strategies, and cntingency plans. The greater prbability f ccurrence and/r impact n prject gals, the mre detailed this infrmatin shuld be. Cmmunicate Cmmunicate regularly regarding risk status and changes in the level r verall prject risk. Slicit feedback frm prject team members and stakehlders regarding knwn risk and the prspects f unknwn risk. Stre the risk management lg in a lcatin accessible t the prject team s that, if necessary, anyne can btain updates at any time. Update Update the risk management lg n a regular basis, bth infrmally and frmally. Educate Educate the entire prject team and stakehlders n risk management and encurage them t actively identify, cmmunicate, and mitigate risk. Practice Activities Fr sftware develpment prjects the fllwing practice activities are apprpriate: Identify Identify prject risk. Evaluate/Analyze Analyze identified risks and evaluate ptential impact n prject gals. Priritize Priritize risks based n prbability f ccurrence and ptential impact n prject gals. UP Versin: 11/30/06 Page 6 f 7

7 Plan Develp risk mitigatin strategies and cntingency plans. Dcument risk symptms and triggers used t identify when implementatin f planned risk actin shuld be executed. Track/Mnitr Track risk using sme frm f risk management lg. Cntinuusly mnitr risk status as the prject prgresses and reprt status f change. React When apprpriate react t escalating risk by executing mitigatin strategies r executing cntingency plans. Clse When risk is n lnger a reasnable threat, r the risk has ccurred and is nw an issue, that particular risk may be clsed in the risk management lg. Practice Attributes This sectin prvides a list f practice attributes t help prject teams determine when and hw develpment f a Prject Risk Management Plan impacts a prject. Practice Owner Criteria Estimated Level f Effrt Prerequisites Practice Dependencies Practice Timing in Prject Life Cycle Templates/Tls Additinal Infrmatin CDC UP Prject Office NCPHI All prjects regardless f type r size shuld have sme type f dcument utlining hw prject risk will be managed and tracked. On small prjects the RMP culd be cntained within a sectin f the Prject Management Plan. Mderate N/A N/A Develping a Prject Risk Management Plan is an activity that takes place early in the prject life cycle with updates and refinements made thrughut the prject life cycle as necessary. Risk Management Plan Template Risk Lg Template Risk Management Checklist N/A Key Terms Fllw the link belw t fr definitins f prject management terms and acrnyms used in this dcument. Related Templates/Tls Belw is a list f template(s) related t this practice. Fllw the link belw t dwnlad the dcument(s). Risk Management Plan Template Risk Lg Template Risk Management Checklist UP Versin: 11/30/06 Page 7 f 7