Professional Documents
Culture Documents
Project Name: Department: Project Manager: Date: California Statewide VINE Professional Services Stephen Adams November 19, 2007
INTRODUCTION.................................................................................................3 PURPOSE AND SCOPE.....................................................................................3 RISK MANAGEMENT PLANNING......................................................................4 RISK IDENTIFICATION.......................................................................................5 RISK ANALYSIS.................................................................................................6 RISK PLANNING.................................................................................................6 RISK MONITORING AND CONTROL.................................................................7 RISK MANAGEMENT ASSIGNMENTS..............................................................7 RISK CLASSIFICATION.....................................................................................8 REFERENCED DOCUMENTS..........................................................................11 DOCUMENT REVISION HISTORY....................................................................11
INTRODUCTION
The Appriss approach to risk management starts with a plan that defines the scope and process for the identification, assessment, and management of risks which could impact the implementation of the project. The objective of the Risk Management Plan is to define the strategy to manage projectrelated risks such that there is acceptable minimal impact on cost and schedule, as well as operational performance.
03/16/2012
Version 1.0
Individual Activities
Identify Risk
Analyze: Prioritize
Risk Statement
Individual Activities
Plan: Define Mitigation approach. Determine Mitigation plan
Track:
Control
LEGEND Decision
Decision
Status Reports
Activity Output
03/16/2012
Version 1.0
RISK IDENTIFICATION
A baseline set of risks will be created and entered into the project Risk Register. These baseline risks will be identified through the normal course of the project planning process. Risk statements will be written for each identified risk. Risk statements will be clear concise and contain only one risk condition and one or more consequences of that condition. All project stakeholders are responsible for identifying new risks. New risks identified during project related meetings shall be captured and added to the Risk Register within two working days of the meeting. It will be the responsibility of the Appriss Project Manager to make sure this is accomplished. Appriss brings ten years of experience to the project in implementing similar systems. This experience has provided Appriss with a unique insight to common operation and system risks. Some of the common risks are documented in the table below. This table is not intended to be an exhaustive list. Risk Area Project Scope and Complexity Potential Risk Scope is not understood Requirements not documented properly Requirements not agreed upon by customer Complexity not understood in terms of: o Technology o Adapters needed o Number of users o Business process Technology not proven Unreliable performance record of vendors Inexperience with the technologies to be used Vendor infrastructure is not sound Inadequate resources committed to the project Project team does not contain members that have experience with similar projects Resources pulled from project before completion Users not willing to make business process changes Customer does not make a strong
5 Version 1.0
Technology
Staffing
Culture
03/16/2012
Risk Management Plan Project Management commitment to project Organization changes within agency, removes key personnel Executive oversight committee is not actively engaged in project Project issues are not addressed Change is not controlled and project scope grows beyond original boundaries
RISK ANALYSIS
Appriss will use a qualitative approach to Risk Analysis. This methodology uses a risk level matrix based on probability and impact. This allows for an independent assessment of probability and consequence of risk. Each risk shall be evaluated to determine impact, probability of occurrence, and timeframe. Each risk shall be examined to determine its relationship to other risks identified. Initially, the identifier of the risk shall provide an estimate of these attributes. The Project Manager shall be responsible for further analyses and prioritization of the risks. The criteria for analyzing risks are established later in the Risk Classification section of this plan.
RISK PLANNING
Risk handling is the identification of a course of action or inaction selected for the purpose of effectively managing a given risk. All identified risks shall be handled. Specific handling methods should be selected after the probable impact on the project has been determined. The Appriss Project Manager will determine what action should be taken for each risk as it brought to his attention through weekly team meetings and database reports. The Appriss Project Manager shall determine whether to keep the risk, delegate responsibility, or transfer the risk responsibility up the project organization chain. The Project Manager, if necessary, may transfer a risk(s) to external organizations if that organization is best suited to handle the risk. Risk planning requires a decision to perform further research, accept the risk (document acceptance rationale in the Risk Register and close the risk), watch the risk attributes and status (define tracking requirements, document in the Risk Register, and assign a "watch" action), or mitigate the risk (create a Mitigation Plan, assign action items, and monitor the activities and risk). Mitigation activities shall be documented on the Risk Register or by creating a separate Mitigation Plan. A Mitigation Plan shall be written for any effort that requires re-allocation of project resources. The Project Manager shall determine when to use a Mitigation Plan.
03/16/2012
Version 1.0
03/16/2012
Version 1.0
Risk Management Plan The following table describes the criteria for communicating and documenting risk Who Individual Members to Project Manager Responsibilities Any risk that impacts performance Any risk that impacts >10 percent of budget Any risk that exceeds schedule milestones Any risk that needs to be transferred to another team Mitigation activity status Any risk that impacts mission success Any risk that causes the project budget to be exceeded by more that 10 percent Any risk that may negatively impact Appriss or their customers Risk status
RISK CLASSIFICATION
Risk shall be analyzed qualitatively using impact, likelihood and timeframe classifications defined in this section. Impact is based on project success, resources, cost, and schedule. Likelihood is used to provide an order of magnitude based on quantitative data and qualitative experience. Impact Classification High Schedule Slip Slip of delivery beyond two month of milestone schedules. Cost Overrun - > 10 percent increase in budget allocation. Technical Loss of critical function or major objective. Political Bad press for TOHS, DIR, TDEx, or other entities
Significant Schedule Slip - > 1 month <2 month delivery from milestone schedules Cost Overrun - > 5 percent but < 10 percent increase to budget Technical -Major function objective not fully met. Political - Senior Management has concerns about project success or development progress Low Negligible
03/16/2012
Schedule Slip - > 2 weeks <1 month delivery from milestone schedules Cost Overrun - < 5 percent increase to budget Technical Some wanted or desired functions are not met. Schedule Slip - < 2 weeks delivery from milestone schedules
8 Version 1.0
Risk Management Plan Cost Overrun minor impact Technical Small impact to technical performance
Likelihood Classification High (>70% chance of occurrence) Occurrence is very likely and may not be controlled by following existing processes, procedures and plans. Significant (40% - 70% chance of occurrence) Occurrence is likely and may not be entirely controlled by following existing processes, procedures and plans. Low (20% - 39% chance of occurrence) Occurrence is unlikely and may not be entirely controlled by following existing processes, procedures and plans. Negligible (<20% chance of occurrence) Occurrence is very unlikely and is generally controlled by following existing processes, procedures and plans. Timeframe Classification Near - Action or mitigation needs to take place within the next 4 months Mid - Action or mitigation needs to take place between 2 months and 4 months Far - Action or mitigation needs to take place beyond 4 months Once risk items are entered they will be assigned an exposure grade red, yellow, or green based on the following combinations of impact/likelihood:
03/16/2012
Version 1.0
High
RED
Significant
YELLOW
Negligible
Low
Significant
High
Risk Classification Chart Green - Items classified as green are acceptable without further mitigation and will be routinely tracked. Yellow - Items classified as yellow may require mitigation. For these items, alternative dispositions will be identified and trade-offs conducted to determine the mitigation required. Red - Items classified as red are considered primary risk drivers. For these items, mitigation options will be developed. Red risks will be assessed for impact to budget reserves and will be tracked to closure.
03/16/2012
10
Version 1.0
Risk Management Plan Timeframe is used in conjunction with the Risk Classification Chart to determine priorities, establish when risks need to have actions taken, and how long risks may need to be watched or tracked before they no longer are a concern or can be closed. Each project review meeting will result in an update to the project Risk Register that will be sent to all project personnel.
REFERENCED DOCUMENTS
1. Risk Register 2. Mitigation Plan 3. Stoplight Status Report
Document Revision History Version 1.0 Date 4/30/07 Changes Original document Updated By C. Higginbotham
03/16/2012
11
Version 1.0