Tools and processes used to “fortify” your business by developing defenses ahead of time.
Alternate Data Centers
Contracting secondary locations will enable an organization to recover critical technologies if the primary technology infrastructure fails.
Alternate Suppliers
Seeking out and documenting contingency agreements with alternate suppliers for your organization’s critical inputs will allow you to continue normal activities in the event that one of your critical suppliers experiences an interruption or ceases to supply you for any reason.
Backup Power
Securing backup power will enable your core activities to continue as normal with minimal, if any, downtime or loss in productivity.
Change Management Processes
Initiating and controlling organizational, process, technology or resource adjustments with the end objective of ensuring an appropriate level of performance and availability throughout the transition.
Cross-Trained Personnel
Ensuring that multiple staff members can fulfill the duties of each critical job within your organization will remove any personnel single points of failure and enable regular activities to continue even if an employee is absent, unable to work or is no longer employed by the organization.
Data Backup
Replicating data at an alternate location and/or on alternate media will help protect against the loss of the primary data source and also simplify and expedite recovery efforts, thus minimizing downtime.
Fire Protection Systems
Developing working relationships with your local fire department and other first responders, as well as taking fire protective measures of your own (e.g., using fire-retardant file cabinets and ensuring that sprinkler systems work properly), will not only help protect personnel, information and facilities, but also minimize the effects of a fire on your core operational activities.
Insurance
Carrying appropriate insurance can help minimize financial complications resulting from major facility or equipment loss, an inability to deliver products or services, or an accident that injures one or more of your employees.
IT Security Measures
Taking appropriate measures to protect hardware, software, data storage, and communications technology (e.g., access controls and malware protections) will reduce downtime and organizational inefficiency.
Media Monitoring
Employing a media monitoring process can provide your organization with early warning regarding reputational issues, as well as other threats that could result in a near-term interruption.
Physical Security Controls
Keeping unauthorized persons out of restricted areas will reduce the potential for data loss or business process disruption due to vandalism, theft or other forms of sabotage.
Safety Stock
Storing an appropriate amount of finished product or raw materials in an off-site location will limit the impact of downtime resulting from a loss of the organization’s primary storage or production capabilities.
Risk & Insurance
This blog will prove to be very helpful to students and professionals alike. We will discuss the concepts of risk, risk assessment, and risk assessment procedures, techniques and methods. We will also discuss the different risk-reducing methods, including insurance procedures and the different types of insurance and insurance policies available to the general public.
Wednesday, June 29, 2011
Formal Risk Management Plan
The project development team's strategy to manage risk provides the project team with direction and basis for planning. The formal plan should be developed during the planning and scoping process and updated at subsequent project development phases. Since the agency and contractor team's ability to plan and build the facility affects the project's risks, industry can provide valuable insight into this area of consideration.
The plan is the road map that tells the agency and contractor team how to get from where the project is today to where the public wants it to be in the future. Since it is a map, it may be specific in some areas, such as the assignment of responsibilities for agency and contractor participants and definitions, and general in other areas to allow users to choose the most efficient way to proceed. The following is a sample risk management plan outline:
Introduction
Summary
Definitions
Organization
Risk management strategy and approach
Risk identification
Risk assessment and analysis
Risk planning
Risk allocation
Risk charter and risk monitoring
Risk management information system, documentation, and reports
Each risk plan should be documented, but the level of detail will vary with the unique attributes of each project. Red flag item lists, risk charters, and formal risk management plans provide flexibility in risk management documentation.
Risk Charters
The creation of a risk charter is a more formal identification of risks than the listing of red flag items. Typically, it is completed as part of a formal and rigorous risk management plan. The risk charter provides project managers with a list of significant risks and includes information about the cost and schedule impacts of these risks. It also supports the contingency resolution process described in Chapter 6 by tracking changes in the magnitude of potential cost and schedule risk impacts as the project progresses through the development process and the risks are resolved.
A risk charter is a document containing the results of a qualitative or quantitative risk analysis. It is similar to a list of red flag items, but typically contains more detailed information about the potential impact of the risks and the mitigation planning. The risk charter contains a list of identified risks, including description, category, and cause. It may contain measurements of magnitude such as the probability and impact of occurrence. It may also include proposed mitigation responses, "owners" of the risk, and current status. This method may be more effective than simply listing potential problem areas through red flagging because it integrates with the risk monitoring and control processes. The terms "risk charter" and "risk register" are synonymous in the highway industry.
A risk charter is used as a management tool to identify, communicate, monitor, and control risks. It provides assistance in setting appropriate contingencies and equitably allocating risks. As part of a comprehensive risk management plan, the risk charter can help control cost escalation. It is appropriate for large or complex projects that have significant uncertainty.
The charter organizes risks that can impact cost estimates and project delivery. A risk charter is typically based on either a qualitative or quantitative assessment of risk, rather than simple engineering judgment. The identified risks are listed with relevant information for quantifying, controlling, and monitoring. The risk charter may include relevant information such as the following:
Risk description
Status
Date identified
Project phase
Functional assignment
Risk trigger
Probability of occurrence (percent)
Impact ($ or days)
Response actions
Responsibility (task manager)
Two examples of risk charters are in Appendix D. The first example, from Caltrans, is a spreadsheet that forms the basis of the agency's risk management plan. The spreadsheet contains columns for identification, analysis, response strategy, and monitoring and control. The second example is from an FTA report on risk assessment, which uses the term risk register synonymously with risk charter. The FTA risk register contains more quantitative risk assessment information than the Caltrans example, but the goal of the documentation is similar. FTA adds issues such as correlation among dependent components, type of distribution used to model the risk, and expected value of the risks.
Red Flag Item Lists
A red flag item list is created at the earliest stages of project development and maintained as a checklist during project development. It is perhaps the simplest form of risk identification and risk management. Not all projects will require a comprehensive and quantitative risk management process. A red flag item list can be used in a streamlined qualitative risk management process.
A red flag item list is a technique to identify risks and focus attention on critical items that can impact the project's cost and schedule. Issues and items that can potentially impact project cost or schedule in a significant way are identified in a list, or red flagged, and the list is kept current as the project progresses through development and construction management. By listing items that can potentially impact a project's cost or schedule and by keeping the list current, the project team has a better perspective for setting proper contingencies and controlling risk. Occasionally, items considered risky are mentioned in planning but soon forgotten. The red flag item list facilitates communication among planners, engineers, and construction managers about these items. By maintaining a running list, these items will not disappear from consideration and then later cause problems.
Caltrans has developed a sample list of risks in its Project Risk Management Handbook. While this sample list can be used to create a list of red flag items for a project, it is quite comprehensive and any single project's list of red flag items should not include all of these elements. The next section discusses risk charters, which are a more formalized and typically more quantitative extension of a red flag list.
Risk Planning Documentation
Each risk plan should be documented, but the level of detail will vary with the unique attributes of each project. Large projects or projects with high levels of uncertainty will benefit from detailed and formal risk management plans that record all aspects of risk identification, risk assessment, risk analysis, risk planning, risk allocation, and risk information systems, documentation, and reports. Projects that are smaller or contain minimal uncertainties may require only the documentation of a red flag item list that can be updated at critical milestones throughout the project development and construction.
Risk Planning
Risk planning involves the thoughtful development, implementation, and monitoring of appropriate risk response strategies. The DOE's Office of Engineering and Construction Management defines risk planning as the detailed formulation of a plan of action for the management of risk.(4) It is the process to do the following:
Develop and document an organized, comprehensive, and interactive risk management strategy.
Determine the methods to be used to execute a risk management strategy.
Plan for adequate resources.
Risk planning is iterative and includes describing and scheduling the activities and processes to assess (identify and analyze), mitigate, monitor, and document the risk associated with a project. For large projects or projects with a high degree of uncertainty, the result should be a formal risk management plan.
Planning begins by developing and documenting a risk management strategy. Early efforts establish the purpose and objective, assign responsibilities for specific areas, identify additional technical expertise needed, describe the assessment process and areas to consider, delineate procedures for consideration of mitigation and allocation options, dictate the reporting and documentation needs, and establish report requirements and monitoring metrics. This planning should also address evaluation of the capabilities of potential sources as well as early industry involvement.
Risk Response Options
Risk identification, assessment, and analysis exercises form the basis for sound risk response options. A series of risk response actions can help agencies and their industry partners avoid or mitigate the identified risks. Wideman, in the Project Management Institute standard Project and Program Risk Management: A Guide to Managing Risks and Opportunities, states that a risk may be the following:
Unrecognized, unmanaged, or ignored (by default).
Recognized, but no action taken (absorbed by a matter of policy).
Avoided (by taking appropriate steps).
Reduced (by an alternative approach).
Transferred (to others through contract or insurance).
Retained and absorbed (by prudent allowances).
Handled by a combination of the above.
The above categorization of risk response options helps formalize risk management planning. The Caltrans Project Risk Management Handbook suggests a subset of strategies from the categorization defined by Wideman above.(6) The Caltrans handbook states that the project development team must identify which strategy is best for each risk and then design specific actions to implement that strategy. The strategies and actions in the handbook include the following:
Avoidance: The team changes the project plan to eliminate the risk or to protect the project objectives from its impact. The team might achieve this by changing scope, adding time, or adding resources (thus relaxing the so-called triple constraint).
Transference: The team transfers the financial impact of risk by contracting out some aspect of the work. Transference reduces the risk only if the contractor is more capable of taking steps to reduce the risk and does so. (This strategy is discussed in depth in Chapter.
Mitigation: The team seeks to reduce the probability or consequences of a risk event to an acceptable threshold. It accomplishes this via many different means that are specific to the project and the risk. Mitigation steps, although costly and time consuming, may still be preferable to going forward with the unmitigated risk.
Acceptance: The project manager and team decide to accept certain risks. They do not change the project plan to deal with a risk or identify any response strategy other than agreeing to address the risk if it occurs.
Given a clear understanding of the risks, their magnitude, and the options for response, an understanding of project risk will emerge. This understanding will include where, when, and to what extent exposure will be anticipated. The understanding will allow for thoughtful risk planning.