Difference between revisions of "EGI-Engage:Risk Plan"
Line 19: | Line 19: | ||
#*a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.<br> | #*a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.<br> | ||
#'''Risk analysis''' | #'''Risk analysis''' | ||
#*'''goal: '''assessing likelihood and consequences | #*'''goal: '''assessing likelihood and consequences, calculate risk level | ||
#*a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.<br> | #*a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.<br> | ||
#'''Risk | #'''Risk response ''' | ||
#**a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable. | #*'''goal: ''' | ||
#*a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable. | |||
#'''Risk monitor''' | #'''Risk monitor''' | ||
#*'''goal: '''assessing likelihood and consequences | |||
#*a process which goal is to review of existing Risk database conducted periodically <br> | #*a process which goal is to review of existing Risk database conducted periodically <br> | ||
Line 108: | Line 110: | ||
'''Input:''' risk entry in Risk registry | '''Input:''' risk entry in Risk registry | ||
'''Output: ''' | '''Output: '''prioritized list of risks (list of risks that pose the greatest threat), risk trends | ||
The level of likelihood and consequences for each risk is evaluated during the interviews with Work Package leaders performed by Quality manager. | The level of likelihood and consequences for each risk is evaluated during the interviews with Work Package leaders performed by Quality manager. | ||
Line 153: | Line 155: | ||
|} | |} | ||
= Risk | = Risk response = | ||
'''Input: '''Risk registry | |||
'''Output: ''' | |||
Identification fo risk owner who is responsible for given risk and its risk response. | |||
Risk response should be appropriate for the significance of the risk (risk level), cost-effective, realistic and agreed by inolved parites. <br> | |||
<br> | |||
<br> | <br> | ||
Line 164: | Line 172: | ||
|- | |- | ||
| '''Risk level'''<br> | | '''Risk level'''<br> | ||
| ''' | | '''Response'''<br> | ||
| '''PMB involvement'''<br> | | '''PMB involvement'''<br> | ||
|- | |- | ||
| Low<br> | | Low<br> | ||
| | | | ||
* | *'''Accept''' | ||
* | *Define recovery activities | ||
| Informed<br> | | Informed<br> | ||
Line 176: | Line 184: | ||
| Medium<br> | | Medium<br> | ||
| | | | ||
* | *'''Mitigate''' | ||
*Define | |||
**mitigation activities | |||
| Informed | | Informed | ||
Line 182: | Line 192: | ||
| High<br> | | High<br> | ||
| | | | ||
* | *'''Mitigate''' | ||
* | *Define | ||
**controls | |||
**mitigation activities | |||
**recovery activities | |||
| Consulted<br> | | Consulted<br> | ||
Line 189: | Line 202: | ||
| Extreme<br> | | Extreme<br> | ||
| | | | ||
* | *'''Avoid/mitigate''' | ||
* | *Define | ||
* | **controls | ||
**contingency plan | |||
**recovery activities | |||
**mitigation activities | |||
| Responsible<br> | | Responsible<br> |
Revision as of 10:32, 15 September 2015
This page is under construction. |
Help and support: quality@egi.eu
This page is proving rules regarding risk management within EGI-Engage project.
- Risk identification
- goal: determining which risk can affect the project and documenting it in Risk registry
- a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.
- Risk analysis
- goal: assessing likelihood and consequences, calculate risk level
- a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.
- Risk response
- goal:
- a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
- Risk monitor
- goal: assessing likelihood and consequences
- a process which goal is to review of existing Risk database conducted periodically
Roles and responsibilities
Quality and Risk Manager:
Risk Manager
Technical Coordinator:
Work Package leaders:
Risk management team members
Timing
Risk management process is daily responsibility of EGI-Engage Work Package leaders. Risks should be treated and identified on daily basis.
Periodically as part of the review process Project Management Board is involved to review status of risk management performed by Work Package leaders.
Definitions
Risk
- iso 31000: a risk is defined as the effect of uncertainty on objectives
- PMBok: a risk is an uncertain event or condition that if it occurs, has a positive or negative effect on a Project's Objectives
Risk Registry (Access restricted)
- database of identified risks with recorded their analysis and response planning
Each risk in Risk Registry is described as follow:
- Risk no - unique risk identifier
- Risk - one sentence description of the risk
- Risk level - (Low/Medium/High/Extreme) The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A consequence is the outcome of an event and has an effect on objectives. Likelihood is the chance that something might happen.
- Likelihood - (Unlikely, Possible, Likely, Almost Certain) Likelihood (probability) is the chance that something might happen.
- Consequences - (Minor/Moderate/Major/Catastrophic) A consequence (impact) is the outcome of an event and has an effect on objectives.
- Treatment - (Protective, mitigation measures, recovery activities, controls) description of possible treatment of the risk
- Impact - description of impact risk will have in case of occurrence
- Deliverables - Deliverables which might me impacted in case of occurrence
- KPIs - Impacted KPIs
- Objective - Impacted Objective
- WP1-WP6 - Impacted WPs
- Owner - A risk owner is WP that has been given the authority to manage a particular risk and is accountable for doing so.
- Trend - (Stable, Improving, Degrading, New, Deprecated) Indication of risk trend comparing to previous risk review period
- Comment for PMB - additional comments for PMB after AMB review
Risk identification
Input: Work Package leaders expertise
Output: Initial Risk entry in Risk registry
Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization’s objectives. It is used to identify possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of potential consequences.
Risk are identified:
- Periodicaly:
- During Risk registry review through interviews and brainstorming with Work Package leaders
- During Risk registry review through interviews and brainstorming with Work Package leaders
- On daily basis:
- For all newly identified risks EGI Engage risk entry template should be filled in (Part Risk Description)
- Sent the document to Quality Manager (quality@egi.eu)
Risk analysis
Input: risk entry in Risk registry
Output: prioritized list of risks (list of risks that pose the greatest threat), risk trends
The level of likelihood and consequences for each risk is evaluated during the interviews with Work Package leaders performed by Quality manager.
Risk rating (level) is calculated according to Likelihood and consequences matrix:
Risk likelihood and consequences matrix (risk level)
The matrix is a grid for mapping the consequences and likelihood of each risk occurrence and its impact to the project objectives if that risk occurs. Risks are prioritized according to their potential implications on project objectives.
Likelihood | Consequences | ||||
Minor | Moderate | Major | Catastrophic | ||
Unlikely | Low | Low | Medium | High | |
Possible | Low | Medium | High | High | |
Likely | Medium | High | High | Extreme | |
Almost Certain | High | High | Extreme | Extreme |
Risk response
Input: Risk registry
Output:
Identification fo risk owner who is responsible for given risk and its risk response.
Risk response should be appropriate for the significance of the risk (risk level), cost-effective, realistic and agreed by inolved parites.
Risk level |
Response |
PMB involvement |
Low |
|
Informed |
Medium |
|
Informed |
High |
|
Consulted |
Extreme |
|
Responsible |
Protective measures: (activities designed to reduce the chances of a disruptive event occurring - likelihood)
Mitigation measures: (activities designed to minimize the severity of the event once it has occurred.)
Recovery activities: (activities serve to bring back disrupted systems and infrastructure.)
Contingency plans: (process-level documents describe what an organization can do in the aftermath of a disruptive event; they are usually triggered based on input from the emergency management team.)
Controls: (additional controls applied to it in order to reduce it to an acceptable level. What the appropriate additional controls might be, whether they can be afforded.)
Risk monitor
Input:
Output:
Risk review process
A review is an activity. Review activities are carried out in order to determine whether something is a suitable, adequate, and effective way of achieving established objectives.
In general, ISO 31000 expects you to review your risk management framework and your risk management process. It specifically expects you to review your risk management policy and plans as well as your risks, risk criteria, risk treatments, controls, residual risks, and risk assessment process.