Risk Management Plan - OSI Risk Management Plan Template

Risk Management Plan
Health and Human Services Agency, Office of Systems Integration

Revision History

REVISION/WORKSITE # | DATE OF RELEASE | OWNER | SUMMARY OF CHANGES
SID Docs #3164v4 | 06/23/2004 | SID - PMO | Initial Release
OSIAdmin 3283 | 08/29/2008 | OSI - PMO | Major revisions made. Incorporated tailoring guide information into this template

Remove template revision history and insert Project Risk Management Plan revision history.

Approvals

NAME | ROLE | DATE

Insert Project Approvals here.

Template Instructions: This template is color coded to differentiate between boilerplate language, instructions, sample language, and hyperlinks. In consideration of those reviewing a black and white hard copy of this document we have also differentiated these sections of the document using various fonts and styles. Details are described below. Please remove the template instructions when the document is finalized.

Standard boilerplate language has been developed for this management plan. This language is identified in black Arial font and will not be modified without the prior approval of the OSI Project Management Office (PMO). If the project has identified a business need to modify the standard boilerplate language, the request must be communicated to the PMO for review.

Instructions for using this template are provided in blue Times New Roman font and describe general information for completing this management plan. All blue text should be removed from the final version of this plan.

Sample language is identified in red italic Arial font. This language provides suggestions for completing specific sections. All red text should be replaced with project-specific information and the font color replaced with black text.

Hyperlinks are annotated in purple underlined Arial text and can be accessed by following the on-screen instructions. To return to the original document after accessing a hyperlink, click on the back arrow in your browser's toolbar. The “File Download” dialog box will open. Click on “Open” to return to this document.

Table of Contents

1. INTRODUCTION
   PURPOSE
   SCOPE
   REFERENCES
      Best Practices Website
      External References
      Project Risk Database (PRD)
   ACRONYMS
   DOCUMENT MAINTENANCE
2. PARTICIPANTS ROLES AND RESPONSIBILITIES
   OFFICE OF SYSTEMS INTEGRATION (OSI)
      Project Director
      Project Manager (PM)
      Risk Manager
      Risk Analyst
      Project Stakeholders and Vendors
3. PROJECT RISK MANAGEMENT
   RISK MANAGEMENT PROCESS
4. RISK MANAGEMENT TOOL PROJECT RISK DATABASE (PRD)
   RISK RADAR
   RISK CATEGORIZATION
      Risk Area
      Current Status
      Control
   RISK RATINGS
5. PROJECT CLOSEOUT
   RISK REVIEW
   LESSONS LEARNED
   ARCHIVE AND STORAGE
APPENDIX A: LIST OF SEI RISK TAXONOMY QUESTIONNAIRE TOPICS
APPENDIX B: PROJECT RISK DATABASE DATA ELEMENTS
APPENDIX C: RISK CANDIDATE IDENTIFICATION FORM
APPENDIX D: SOFTWARE INTEGRITY LEVEL SCHEME
APPENDIX E: MITIGATION STRATEGY & CONTINGENCY PLANNING MEASURES
APPENDIX F: SOFTWARE ENGINEERING INSTITUTE RISK TAXONOMY CATEGORIES
APPENDIX G: KEY TERMS

FIGURE 1: PROJECT RISK MANAGEMENT PARADIGM
FIGURE 2: RISK MANAGEMENT RESPONSIBILITIES AT A GLANCE

TABLE 1: CRITERIA FOR RISK IDENTIFICATION
TABLE 2: RISK IDENTIFICATION COMPONENTS
TABLE 3: CRITERIA FOR RISK IMPACT
TABLE 4: CRITERIA FOR RISK PROBABILITY
TABLE 5: CRITERIA FOR RISK TIMEFRAME
TABLE 6: GUIDE FOR DETERMINATION OF RISK EXPOSURE
TABLE 7: GUIDE FOR DETERMINATION OF RISK SEVERITY
TABLE 8: GUIDE FOR DETERMINATION OF RISK ESCALATION

1. INTRODUCTION

1.1 Purpose

The purpose of this Risk Management Plan (RMP) is to describe the methodology for identifying, tracking, mitigating, and ultimately retiring Project risks. This document defines the risk management roles and responsibilities of the Team.

1.2 Scope

The scope of this document pertains to the Project and its internal and external risks. The risk management methodology identified in this document will be primarily used by and is to be used during the entire Project. The Vendor's risk management methodology will be provided as a contractual deliverable and will develop a separate Risk Management Plan. The Vendor will be responsible for managing their project risk and reporting to Project Managers.

1.3 References

1.3.1 Best Practices Website

For guidance on the Office of Systems Integration (OSI) risk management methodology refer to the OSI Best Practices website (BPWeb) ().

1.3.2 External References

PMBOK Guide, 3rd Edition, Section 11 - Project Risk Management
Office of the Chief Information Officer Information Technology Project Oversight Framework - Section 5: Risk Management and Escalation Procedures
IEEE Standard 1012-1998: IEEE Standard for Software Verification and Validation

1.3.3 Project Risk Database (PRD)

Refer to the Risk Radar Database located at . If the project is not using Risk Radar, indicate the name and location of the Project Risk Database the Project is employing. Update the document as appropriate to reflect the name of the PRD.

1.4 Acronyms

List only acronyms that are applicable to this document.

BPWeb   OSI Best Practices Website
CHHSA   California Health and Human Services Agency
IEEE    Institute of Electrical and Electronics Engineers
IPOC    Independent Project Oversight Contractor
MTSII   Management Tracking System II
OCIO    Office of the Chief Information Officer
OSI     Office of Systems Integration
PMI     Project Management Institute
PMO     Project Management Office
PRD     Project Risk Database
RMP     Risk Management Plan
SEI     Software Engineering Institute

1.5 Document Maintenance

This document will be reviewed annually and updated as needed, as the project proceeds through each phase of the system development life cycle. If the document is written in an older format, the document should be revised into the latest OSI template format at the next annual review.

This document contains a revision history log. When changes occur, the document's revision history log will reflect an updated version number as well as the date, the owner making the change, and change description will be recorded in the revision history log of the document.

2. PARTICIPANTS ROLES AND RESPONSIBILITIES

This section describes the roles and responsibilities of the staff with regard to the Risk Management Plan. Note that these are roles, not positions or titles. One person may fulfill more than one role. Avoid listing specific names as this will lead to frequent maintenance updates to the plan.

There are various staff resources and stakeholders involved in managing project risks. In some cases, one individual may perform multiple roles in the process.

2.1 Office of Systems Integration (OSI)

2.1.1 Project Director

The Project Director is involved in monitoring risk action effectiveness and participating in risk escalation. The Project Director also has the responsibility to communicate to certain project stakeholders, on an as-needed basis.

2.1.2 Project Manager (PM)

The role of the Project Manager is to write and approve the Project Risk Management Plan, define the Risk Management process, participate in the Risk Management process, and take ownership of risk mitigation planning and execution.

2.1.3 Risk Manager

The Risk Manager is responsible for leading the risk management effort, sponsoring risk identification activities, facilitating communication throughout the execution of the risk management process, and ensuring the PRD is maintained and the statuses assigned to risks and risk activities are current. The Risk Manager is responsible for providing the Project Manager with recommendations and statuses on risk actions.

2.1.4 Risk Analyst

The Risk Analyst's role is to evaluate risks, maintain the Risk Management database, and facilitate communication throughout the execution of the process.

2.1.5 Project Stakeholders and Vendors

The role of Project stakeholders and vendors is to participate in the Risk Management process by providing candidate risk input, and supporting risk mitigation planning and execution activities.

3. PROJECT RISK MANAGEMENT

3.1 Risk Management Process

The Project Risk Management Paradigm, depicted in Figure 1, summarizes the Risk Management process for the Project. This paradigm portrays the high-level process steps of the Risk Management process, which are:

Step 1 Identify
Step 2 Analyze
Step 3 Plan
Step 4 Implement
Step 5 Track and Control
Continuous Process Communicate

Figure 1: Project Risk Management Paradigm

Communication is an essential part of the Risk Management and occurs at every step of the process among the stakeholders and contractors.

A key component of the Risk Management Process is the Risk Management Database (RMD). team will use this database as a repository for Project risk information. The proposed Risk Management Database field descriptions in Table XXX identify and describe the proposed data elements to be incorporated into the RMD. Risk Manager is responsible for maintaining the RMD. Figure 2 depicts the Risk Management Process flow.

[Figure 2: Risk Management Process (flowchart). Labels from the figure:]

Functions:
   Identify: Search and locate risks BEFORE they materialize
   Analyze: Process risk data into decision-making information
   Plan: Translate risk information into decisions and actions (mitigations)
   Implement: Execute decisions and mitigation action plans
   Track/Control: Monitor risk indicators and mitigation actions; correct for deviations from planned risk actions
   Communicate: Information and feedback throughout all risk management functions and project organizations

Process steps:
   Identify: 1-1 Identify Candidate Risks; 1-2 Provide Candidate Risk Inputs to RM; 1-3 Review Candidate Risks; 1-4 Record Identified Risks in Project Risk Database (PRD)
   Analyze: 2-1 Determine Risk Classification; 2-2 Determine Risk Impact; 2-3 Determine Risk Probability; 2-4 Determine Risk Timeframe; 2-5 Determine Risk Exposure; 2-6 Determine Risk Severity; 2-7 Develop Recommended Mitigations/Contingencies; 2-8 Review Risks
   Plan: 3-1 Assign Risk Owner; 3-2 Develop Mitigations/Contingencies; 3-3 Develop Measurements; 3-4 Review Mitigations & Measurements; 3-5 Approve Mitigation & Measurements; 3-6 Develop Mitigation/Contingency Action Plans; 3-7 Update PRD
   Implement: 4-1 Execute Mitigation/Contingency Action Plans; 4-2 Update PRD
   Track/Control: 5-1 Oversee Action Plan Execution; 5-2 Track Action Plan & Provide Feedback; 5-3 Re-Assess Risks; 5-4 Report Risk Status; 5-5 Maintain PRD; 5-6 Escalation of Project Risk; 5-7 Risk Retirement

Participants: Risk Manager/Risk Analyst; Project Director &/or Designee; Stakeholders, Vendors & Project Team; Risk Owners; Project Sponsor
Risk status values: Identified, Confirmed, Assigned, Approved, Planned, Mitigated, Retired

Step 1 Identify

The objective of Step 1 Identify is to search and find risks before they become problems using risk identification. Risk identification involves a process where concerns about a project are transformed into identified risks. Identified risks can be described and measured. A detailed discussion of the identification process is provided in the sub-paragraphs below.

1-1 Identify and Collect Candidate Risks

Through the use of risk identification methods and the application of industry standards (e.g., OCIO, IEEE, PMI), the Risk Manager and Risk Analyst search for and identify potential issues and concerns which could impact the overall success of the project. Methods to identify risks may include: monitoring project activities, examining artifacts and documentation, observing, interviewing, polling, surveying, brainstorming, participating in discussions and meetings, conducting focus sessions, and applying the OCIO Oversight guidelines. These potential issues and concerns result in candidate risks.

Risk identification methods will collect candidate risk inputs from the Project participants. Project participants include the Project team, stakeholders, vendors, and the Project team.

1-2 Identify and Provide Candidate Risk Input to the Risk Manager/Risk Analyst

The Project participants, including the project team, stakeholders, and vendors, are key sources for identifying issues and concerns and submitting these as candidate risks to input to the Risk Management process. The Project participants voluntarily submit candidate risks to the Risk Manager/Risk Analyst as input to Step 1-3.

The methods used by the Project participants to submit candidate risks to the Risk Manager include, but are not limited to, the following: verbal, email, or written communication.

Project participants may submit candidate risks to the Risk Manager using the Risk Candidate Identification Form provided in Appendix B, ensuring the key risk identification components identified in Table 2 are captured. While this form will be the primary tool used for this process, any communication method is acceptable. If this form is not used for submission, the Risk Manager/Risk Analyst will enter the risk data directly into Risk Radar and provide a copy of the data entered to the originator for verification.

1-3 Review Candidate Risks

This step involves collecting candidate risk input from Project participants and reviewing these candidate risks. Candidate risks that can be described and measured become “identified risks”. The Risk Manager/Risk Analyst will work with risk originators and the Project Director and/or designee to achieve consensus on deciding whether or not candidate risks become identified risks.

Reviewing candidate risks includes defining the risk and capturing appropriate information about the candidate risk to support risk analysis in Step 2 Analyze. “Defining the risk” involves understanding the definition of a risk (see Appendix G: Key Terms), and applying the Criteria for Risk Identification provided in Table 1 as a guide.

Table 1: Criteria for Risk Identification

1. Is it a risk? Is the concern a risk? A risk is a potential event that would have an impact on the success of the project if
