RiskManagementPlanTemplateandGuide

1、risk management plan (template and guide)version: 2.0november 2003risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 1 of 31table of contentssectionpage1introduction.31.1purpose.31.2objectives.31.3scope & context.41.4guiding principles.51.5

2、reference documents.62.0risk management organization.72.1process responsibility.72.1.1pmo risk and issue manager/rim team .82.1.2risk originator .82.1.3risk owner.82.1.4project management office (pmo).92.1.5steering committee.92.1.6independent risk auditors.103.0risk management information .113.1det

3、ail risk attributes.113.2risk reference model.164.0risk management process.184.1risk management planning.184.2risk management execution.184.2.1risk management execution process steps.194.2.2risk escalation procedures.264.2.3risk and issue management (rim) team meeting .264.2.4feedback and reporting

4、processes.274.3risk management closeout.285.0risk management tool.295.1accessing the risk-tracking database.295.2using the risk input form.295.2.1accessing the risk input form.295.2.2creating a risk .295.2.3viewing/updating a risk .295.2.4create new action items.295.2.5viewing/updating an action ite

5、ms.295.3contact & administrative information.295.3.1program risks information.295.3.2risk-tracking database.296.0performance measures .30risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 2 of 31table of tablestablepagetable 1 pmo risk and

6、issue management decision authority based on severity.9table 2 risk data elements.11table 3 sei software risk taxonomy .16table 4 risk assessment severity level matrix.21table 5 risk response strategies/techniques .22table 6 - standard risk notices and reports.27table of figuresfigurepagefigure 1 ri

7、sk profile of a typical modern project across its life cycle.4figure 2 risk management organization.7figure 3a risk management planning.7figure 3b risk management execution.7figure 3c risk management closeout.7figure 4 risk management execution process steps.19figure 5 risk assignment matrix.24risk

8、management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 3 of 311introduction1.1purpose this risk management plan (rmp) provides the program a consistent method to manage risks to ensure success. unlike issues, risks relate to events that could occur

9、and may impact the programs scope, schedule, budget, business performance, or change management objectives. risks are measured in terms of their likelihood of occurrence and their impact, as they relate to the program. risk is defined as any concern that could impact the ability of the program to me

10、et its scope, schedule, budget, change management, or business performance objectives. risk management involves the process for identification, assessment, mitigation, and management of the programs risks. it drives decisions that affect the development of the business capability and the management

11、of the program. this rmp serves as a guide to all team members on managing program-wide and team level risks. the risk management process will enable the program to create strategies to effectively address potential barriers to program success.note that throughout this template document sections mar

12、ked with bold, italicized text that are demarked by leading and trailing right-brackets, , are directions to the author to revise the section.1.2objectivessuccessful management of the program requires informed, proactive, and timely management of risks. the specific objectives of this program risk m

13、anagement plan and approach are listed below.ensure critical risks impacting scope, schedule, budget, business performance, and/or change management are proactively identified, communicated, mitigated, and escalated in a timely manner.facilitate attention to key risks impacting the program and indiv

14、idual teams.produce meaningful information that allows program management to focus efforts on the “right” (e.g., high likelihood and high impact) risks with an effective coordination of effort.ensure appropriate stakeholders are informed and, if applicable, participate in the mitigation.record an au

15、dit trail of discussions and mitigation of program risks.the goal of this risk management plan is to proactively identify and address risks early in the program and throughout the program lifecycle in order to avoid surprises. refer to figure -1 below which illustrates that proactive risk management

16、 programs used today reduce and control risks better than in the past. risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 4 of 31 figure 1 risk profile of a typical modern project across its life cycle reprinted from software project manage

17、ment, a unified framework, by walker royce (addison wesley: 1998), p. 229.1.3scope & contextthe plan consists of the process and timing for identifying and managing risks, mitigation actions required and organizational responsible for monitoring and managing the risks throughout the entire lifecycle

18、 (initiation, acquisition and implementation). the risk reference model and a tracking database, explained in detail below, serve as tools to support the rmp.risk management starts at the very beginning of the project (initiation phase per the ei toolkit) with initial planning and assessing. risks i

19、dentified early should be addressed immediately. risks and potential risk areas are monitored and managed throughout the remainder of the project. scope of the risk management plan (rmp) is not limited to those risks identified early. rather, all areas should be monitored throughout. risk management

20、 is carried out at all levels within the program: program, team, and sub team. the risk management process ensures that risks are mitigated at the appropriate level and communicated as appropriate. while this plan provides guidance on managing all levels of risks, the primary focus is on risks at th

21、e program level; assuming that similar processes are in effect within the individual teams and sub-teams that comprise the program. risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 5 of 31while risks must be identified and effective mitig

22、ations tailored for each project, there are standard risk factors, standard assessment criteria to identify and evaluate risks, and standard mitigation approaches that have been defined for software engineering projects in general, and enterprise application implementation projects specifically. the

23、se risk factors, assessment criteria, and mitigation approaches are referred to as a risk reference model. this risk management plan must ensure that both individual risks and risks that are common to the class of application of the program are both identified and mitigated. risk management is an in

24、tegral part of overall project planning and management. effective project planning and management requires effective identification and assessment of risks and determining what mitigating actions are required. managing the effective completion of mitigation actions should be integrated with overall

25、project tasks and assignments. risk management also works in concert with issue management. the key difference between issue management and risk management is the element of uncertainty inherent in risks. uncertain events that could impact the program should be identified and managed through this rm

26、p. note that risks could lead to identification of issues and issues could drive identification or resolution of risks.in addition to addressing identified risks through this risk management process, it is expected that the project planning process will also include quantitative risk assessment proc

27、esses to validate project schedule and budget estimates. these techniques, including monte carlo simulation and decision tree analysis, are beyond the scope of this document. 1.4guiding principlesin order to be successful, the principles listed below guide the use and implementation of the overall r

28、isk management process that is described in detail in section 3.0 of this document. decisions will not be revisited once made (unless substantively new facts become available).escalation of risks follows the defined process identified below. a single owner is assigned responsibility for a risk even

29、if several people work to mitigate it.work and communicate progress on most severe risks first.set realistic due dates and then work to meet the dates.mitigate risks at the appropriate level (i.e., program, team, sub-team).responsible team leads determine and agree on the risk severity level.documen

30、t the planned risk mitigation history and actual mitigation of a risk. this documentation serves as a key input to root cause analysis, key learning, metrics, and risk analysis.for high impact, unanticipated risks, a 24-hour decision turnaround may be required or as determined by the pms. in such ca

31、ses, available applicable team members will make the decision.risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 6 of 311.5reference documentsthis risk management plan builds on general project and risk management references including:a gui

32、de to the project management body of knowledge (pmbok guide) 2000 edition (project management institute, 2000)assessment and control of software risks, capers jones (prentice hall, 1994)chaos report and other publications, standish groupmanaging risk, methods for software systems development, elaine

33、 m. hall (addison wesley, 1998)project & program risk management, a guide to managing project risks & opportunities, r. max wideman, editor (project management institute, 1992)software engineering risk management, dale walter karolak (ieee, 1996)software project management, a unified framework, walk

34、er royce (addison wesley, 1998)risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 7 of 312.0risk management organizationthe following figure depicts the organization involved in risk management. roles and responsibilities are delineated in

35、the subsequent sections.figure 2 risk management organization2.1process responsibilitythe program management office (pmo) risk and issue manager is responsible for the risk management plan, its effective implementation throughout the program, trends and metric analysis, and training program personne

36、l on risk management. the risk and issue manager is also responsible for selecting risk tracking software, for identifying whether the program warrants an independent risk assessment, and for identifying any risk reference model to use as a basis for assessing program risks or identifying candidate

37、mitigation approaches. an overview of the risk management process is depicted in figure 3a, 3b, and 3c. key roles and responsibilities are then defined in the following subsections. a risk management checklist which supports the process and below and the appropriate signoffs is also included in the

38、ei toolkit.figure 3a risk management planningfigure 3b risk management executionfigure 3c risk management closeoutidentify risk reference modeldetermine need for independent risk assessmentselect risk tracking softwareidentify risksassess risksmitigate risksmanageriskscloseriskstransition any open r

39、isksproduce final risk metricsharvest results into reference modelwe should/ could insert a generic one that we recommend here.risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 8 of 312.1.1pmo risk and issue manager/rim teamthe pmo risk an

40、d issue manager has overall facilitative responsibility for the risk management process. the rim team is comprised of the risk and issue manager and the risk and issue management staff. specific responsibilities include the following activities.develop the risk mitigation plan by customizing this te

41、mplate.select risk tracking tool.identify risk reference model if applicable for the application class.assist in determining need for independent risk assessment, support sourcing if required.maintain the risk management plan in line with configuration management procedures.plan and coordinate rim m

42、eetings.plan and manage rim training.generate risk reports, including trends and metric analysis, for risk meetings and ad-hoc requests.clarify, consolidate and document risks.maintain and monitor data in the risk-tracking tool.establish initial priority, owner, and target due date.monitor the statu

43、s of risk mitigation.communicate status to risk originators and risk owners.escalate communication if expected mitigation action deadlines are not met.execute the risk closure process.work with the risk and issue management team to facilitate risk mitigation.2.1.2risk originatorthe risk originator i

44、s any person in the program who identifies a program risk. specific responsibilities include the following activities.identify any significant risk to the program.complete “create risk” form.present new risks at risk and issue management (rim) team meetings. verify that the risk is eventually mitiga

45、ted.2.1.3risk ownerthe risk owner is the person to whom the rim team assigns primary responsibility for mitigating the risk. this assignment is based on the type of risk and should be assigned to the team member who is empowered to assure this risk is mitigated. this will typically be a team lead an

46、d/or their respective co-lead. program sponsors, directors and/or managers may also need to be aligned with a risk to assure adequate support. the risk owner has the following responsibilities:assess the risk and create a risk mitigation plan that meets rim team approval.risk management plan (templa

47、te and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 9 of 31update risk information in risk database as described below. mitigate risk per the risk mitigation plan.recommend risk closure to rim team.present risk status at rim team meetings as required2.1.4project manage

48、ment office (pmo)the project management office (pmo) has the authority to approve the risk mitigation proposed by the risk owner. this authority varies by the severity of the risk, as noted in table 1 below. additionally, the pmo members are notified of risk mitigation, as noted in table 1 below. it

49、 is anticipated that the majority of risk mitigation will take place at the project team level. table 1 pmo risk and issue management decision authority based on severityrisk/issue management level risk mitigation approval required risk/issue notification requiredsteering committeevery highhighpmhig

50、h/mediumlowdeputy pmteam leadslow/very lown/aspecific responsibilities include the following.accountable for ensuring timely mitigation of risks and escalating risks to the steering committee for support as needed. champion mitigation implementation.review status, severity, ownership, and completene

51、ss of risks.determine risks to be returned to the appropriate project teams.establish severity of risks and define target dates.establish ownership of risk and confirm target dates.identify risks for escalation to the steering committee.work with project teams, subject matter experts, and the risk a

52、nd issue manager to facilitate solutions to risks.2.1.5steering committeethe steering committee has overall responsibility for ensuring the risk management plan is executed fully. specific responsibilities include the following activities.approve the mitigation of very high severity level risks.supp

53、ort mitigation implementation.risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 10 of 31assist in cross-organization and controversial risk mitigation to include determining the involvement of senior management and other organizational res

54、ources.optionally include the use of independent auditors if project complexity and staff availability / capability warrant the use of 3rd party risk identification.a third party should be engaged if:project resources have inadequate experience with the type or size of project;project resources have

55、 inadequate capacity to complete a risk assessment;there is inadequate objectivity in identifying or assessing risks across different business units or development organizations;benefits of using a third party to conduct an independent risk audit include:access to a risk reference model a set of ris

56、k factors and effective mitigation plans that have been relevant for similar projects;trained skills in conducting structured interviews to identify and assess risks;effective change management skills to drive the project team to execute mitigation plans.2.1.6independent risk auditorsthe independent

57、 auditor is responsible for identifying program risks based on conducting objective review of project documents and interviewing key project personnel. the independent auditor should have proven experience in assessing similar class projects in size, scope, and process domain. the independent audito

58、r should have a specific risk reference model that they can provide to the program. specific responsibilities include the following activities.conduct interviews with key project personnel including stakeholders, steering committee, process owners, project managers, and team leads.review project doc

59、uments including charter, project plans, organizational roles and responsibilities, testing, training, and change management strategy, architectural design and blueprint documents as they exist, etc.identify and assess program risks and capture risk scorecard and mitigation approach / actions.commun

60、icate risk report to project managers and sponsors.risk management plan (template and guide) ei toolkitphase: implementationdoc version: 2.0november 11, 2003page 11 of 313.0risk management informationto effectively manage risks standard information must be captured about each identified risk. this s