
Understanding Risk and Risk Management
John Cvetko CISSP, CISA
Principal Consultant
TEK Associates, LLC
Email cvet55@comcast.net
Phone 503 799 2242

Overview
Risk and Risk Frameworks
Perspectives of risk frameworks

Risk Management Process
Review the basic elements of a Risk Management process

Scenario
Step through a scenario that demonstrates the Risk Management elements

How Do Organizations Use Risk Management Techniques?

Liability Tool
Identify and manage liabilities

Opportunity Tool
Identify areas of high risk that can lead companies to new
opportunities

Organization Tool
Understand how to organize and apply resources
A guide for maximizing results

Compliance Tool
Demonstrate compliance

Communications Tool
Communicate progress and risk positions to management and the
functional project teams

What is a Risk?
Different disciplines have different definitions (EPA, Nuclear, Medical)

PMI Definition (PMBOK, Third Edition)
A risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective

COSO Enterprise Risk Management View (Committee of Sponsoring Organizations)
"...a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Risk is Uncertainty

COSO Business Risk Framework
Committee of Sponsoring Organizations for the Treadway Commission

Objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance

Spans all levels of the organization:
Enterprise-level
Division or subsidiary
Business unit processes
Subsidiary

Usually paired with IT benchmarking standards: COBIT, ITIL

Project Based Risk Management Framework
Project risk management
Key differences are:
Objective setting is known as risk planning
Information and Communications are assumed
Tailored more for a specific project

[Figure: risk management process cycle: Risk Management Planning, Risk Identification, Risk Assessment, Risk Response Planning and Control, Risk Monitoring]

Risk Management Plan
What is in a good plan?
State objective and expectations of the risk management effort.
Responsibility for decision events
Delegated authority for specific risk types
Processes for Risk Identification, Assessment, Mitigation/Control and Monitoring (flow charts).
Show links to other processes and plans (e.g. project plan, change management process, schedule).
Explain how risks will be communicated to management
Timeframe and Dashboard
Emergency issues

Independent Review
Reporting structure

Common Plan Errors


Not making the plan practical/realistic for the
project at hand.
Confuse risk management plan with the project
plan.
Lack of independent review/peer review.

Risk Identification:
Understanding the Project Requirements
Collect actionable/quantifiable requirements
Business goals or requirements
Product or service functionality, schedule and budget
Service level or performance goals

Sample of quantifiable requirements
Start of production date, process transactions within 10 seconds, availability of system is 99.999%, increase efficiency by x%.

Unclear Requirements = Unclear Risks
Unclear requirements are a risk

Risk Identification
Known Risks
These are the obvious risks that jump out quickly at the
beginning of every project.

Unknown Risks
Are usually a result of inexperience in particular areas

Unknowable Risks
Are risks that can't be predicted even with the best information and experience available.

Risk Identification
Risks can come from many different sources:
Products: configuration, technology, requirements, etc.
Procedures: development and operational processes, etc.
People: human error, skills, culture, blind spots, etc.
Project: scope, schedule, resource availability, etc.
Business environment: cost, profit, regulations, competition, market fluctuations, etc.
External: public opinion, economy, natural disasters, etc.

Risk Identification Process
Cross Functional Team
Populate a well-rounded team when identifying and assessing risks

Methods for teasing out risk items
Brainstorming
Interviews/Questionnaires
Review of similar projects
Subject matter experts
External experienced consultants
Technical Standards
Program-specific Best Practice Guides, e.g., for IT: COBIT, ITIL, ISO 17799
GAP analysis, SWOT, Cause and Effect, Fault Tree, Hazard and Operability (HAZOP), business impact analysis techniques
Prototyping

Risk Identification Process (cont)
Capture each risk item using wording such as:
Due to/As a result of <definitive cause>, a/an <uncertain event> may occur, which could lead to <some effect on program objective(s)>

Document each item in a risk event list/database
Ensure a clear description of the consequence is included
Define the "so what"

Common Risk Identification Errors
Lack of experience in a crucial subject area
Not understanding what constitutes a risk; not listening with a risk management perspective
Not understanding blind spots
Not prepared for a significant amount of information
Over-focus on a particular risk

Risk Assessment Process
Once risks are identified, each risk event needs to be assessed for:
Impact to the project if the risk event occurs (qualitative vs. quantitative assessments)
Probability that the risk event will occur (qualitative vs. quantitative assessments)

Initially let each team member assess their own risks
Likely result:
A predominance of events characterized as high likelihood, high consequence
Everyone thinks their risk items are the most important, i.e. high consequence, high likelihood

Assessments should then be made jointly by all the team members to gain agreement
The assessment results will impact what resources are devoted to which tasks

Risk Assessment Process
Risk index numbering establishes priorities
Enables the team to agree on the relative ranking of risk items
Caution: don't let the debate divert the process

Risk Ranking
[Figure: Risk Ranking matrix of Impact (High/Medium/Low) against Probability (High/Medium/Low); each cell carries an Exposure index from 1 to 4]

Common Assessment Errors
Not breaking the problem or risk down to manageable pieces.
Not having enough information to fully assess the risk
Not having the authority to make decisions
Being overwhelmed; when in doubt, ask for help.

Risk Response Strategies
Response strategies for dealing with identified risks
Avoidance (Elimination): pursue a completely different approach (e.g. use another supplier)
Transfer: move risk elsewhere (e.g. back to the customer, buy insurance)
Mitigation (Reduction): take steps to minimize the consequence and/or likelihood of the risk occurring (e.g. develop secondary approach, train multiple personnel)
Acceptance: if it happens, it happens and we'll deal with it

Strategy use
Multiple strategies can be used per risk event and strategies may change with time

Risk Response Planning
Develop a response plan to implement the strategy
What is to be done, what is the budget, what is the schedule
Develop a plan B

Determine who is responsible for implementing the plan
Accountability

Communicate
Inform management and project team of the plan

Common Response Plan Errors


Not clearly assigning accountability for individual
plans.
Not having a plan B
Creating a plan on half an assessment.
Not understanding residual risk


Risk Event Monitoring
Continuous monitoring and proactively addressing developments are vital to a successful risk management process
Review Red items and upcoming trigger events at least weekly
Track actual closure of risk items
Closure date, how/why closed, any special issues or circumstances

Risk Management Status Tracking
Summary Matrix
A risk summary matrix of risk priorities is a quick-look approach to monitoring and communicating status
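The risk statement template, the Impact x Probability exposure index and the summary-matrix status view from the preceding slides, worked as a small risk register in Python. This is an added example, not code from the deck: the exposure-index mapping and the Red/Yellow/Green tiers are assumptions, since the extracted slides show only that the matrix cells are numbered 1 to 4, and the register entries are constructed from the ACME scenario.

```python
from collections import Counter
from dataclasses import dataclass
LEVELS = {"High": 3, "Medium": 2, "Low": 1}
# ASSUMPTION: exposure index per Impact x Probability cell (1 = highest priority).
# The deck numbers the cells 1..4, but the extracted slide does not show which cell
# carries which number, so the mapping below (by summed level) is ours.
EXPOSURE = {6: 1, 5: 2, 4: 3}          # High/High -> 1, High/Medium -> 2, mixed -> 3, rest -> 4
COLOR = {1: "Red", 2: "Red", 3: "Yellow", 4: "Green"}   # ASSUMPTION: briefing colours
def exposure_index(impact: str, probability: str) -> int:
    return EXPOSURE.get(LEVELS[impact] + LEVELS[probability], 4)

@dataclass
class RiskEvent:
    cause: str          # <definitive cause>
    event: str          # <uncertain event>
    effect: str         # <some effect on program objective(s)>
    area: str           # functional area that owns the item
    impact: str         # High / Medium / Low
    probability: str    # High / Medium / Low

    def statement(self) -> str:
        # The deck's wording template for capturing a risk item.
        return f"Due to {self.cause}, {self.event} may occur, which could lead to {self.effect}"

    @property
    def exposure(self) -> int:
        return exposure_index(self.impact, self.probability)

def rank(register: list) -> list:
    """Order the register by exposure index (1 first); ties keep list order."""
    return sorted(register, key=lambda r: r.exposure)

def summary_matrix(register: list) -> dict:
    """Count events per functional area and colour: the summary-matrix quick look."""
    counts = Counter((r.area, COLOR[r.exposure]) for r in register)
    return {area: {c: counts[(area, c)] for c in ("Red", "Yellow", "Green")}
            for area in sorted({r.area for r in register})}

# Constructed sample register drawn from the ACME scenario (values are illustrative).
REGISTER = [
    RiskEvent("the supplier being new to on-line financial transactions",
              "a defect in the payment module", "exposure of customer card data",
              "Engineering", "High", "High"),
    RiskEvent("the 250-person manual process being retired at cut-over",
              "a payment-processing outage", "loss of about $26k of collections per day",
              "Operations", "High", "Medium"),
    RiskEvent("the 99.999% availability target not being in the supplier contract",
              "a dispute over acceptance", "a schedule slip", "Financial", "Medium", "Low"),
]
```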

Risk Scenario

S1

You work for the ACME car insurance company. ACME is a $1 billion public company that is implementing a new collection system to enable customers to review their bills and take credit card and direct deposit payments on-line. This system will replace an existing manual system that requires 250 people to manage. The cost of this system is $20 million and it is expected to save the company $26k a day.

This software system is a commercial off the shelf (COTS) system with the exception of the on-line (credit card and direct deposit) payment module. The module is currently being developed by the software supplier. The supplier is new to the world of on-line financial transactions.

Monday Morning Team Meeting: Status

Risk Identification Build-up List

S2

Monday Morning Team Meeting
Team Members:
Project Manager
Engineering Manager
Business Owner
Security Officer
Finance

Initial Risk Impact Ranking

S3

Risk Management Status Tracking

S4

Monday Afternoon Weekly Executive Briefing

[Figure: bar chart "# of Events in Category, By Functional Area": counts (0 to 7) of Red, Yellow and Green risk events for Engineering, Operations, Purchasing, Material Control, Financial, Product Support and Sales]

Risk Assessment Process

S5

Tuesday Afternoon

Risk Response Development and Implementation

S6

Wednesday Afternoon

Updated Risk Impact Ranking

S7

Wednesday Afternoon

Summary
Apply some form of a risk management process to all your projects
Every project has risks: if you listen for them you can manage and communicate them appropriately

Apply the KISS principle

Use risk management as a tool that facilitates:
Communications
Organization
Opportunity identification
Liability and Compliance Management

Learn each time you use an RM process
It is a skill that can be learned and mastered with practice
