Revision as of 15:44, 9 September 2015

EGI-Engage project:	Main page	WP1(NA1)	WP3(JRA1)	WP5(SA1)	PMB	Deliverables and Milestones	Quality Plan	Risk Plan	Data Plan
	Roles and responsibilities	WP2(NA2)	WP4(JRA2)	WP6(SA2)	AMB	Software and services	Metrics	Project Office	Procedures

This page is under construction.

Help and support: quality@egi.eu

This page is proving rules regarding risk management within EGI-Engage project.

Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.
Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.
Risk treatment is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk identification

Risk analysis

Risk description

Each risk in Risk Management Database is described as follow:

Risk no - unique risk identifier
Risk - one sentence description of the risk
Risk level - (Low/Medium/High/Extreme) The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A consequence is the outcome of an event and has an effect on objectives. Likelihood is the chance that something might happen.

Likelihood - (Unlikely, Possible, Likely, Almost Certain) Likelihood is the chance that something might happen.

Consequences - (Minor/Moderate/Major/Catastrophic) A consequence is the outcome of an event and has an effect on objectives.
Treatment - (Protective, mitigation measures, recovery activities, controls) description of possible treatment of the risk
Impact - description of impact risk will have in case of occurance
Deliverables - Deliverables which might me impacted in case of occurance
KPIs
WP1-WP6 - Imapcted WPs
Owner - A risk owner is WP that has been given the authority to manage a particular risk and is accountable for doing so.
Trend - (Stable, Improving, Degrading) Indication of risk trend comparing to previous risk review period
Comment for PMB - additional comments for PMB after AMB review

Risk treatment

Low/Medium/High/Extreme

Make a Decision: once the above process is complete, if there are still some risks that are rated as High or Extreme, a decision has to be made as to whether the activity will go ahead. There will be occasions when the risks are higher than preferred but there may be nothing more that can be done to mitigate that risk ie. they are out of the control of the work unit but the activity must still be carried out. In such situations, monitoring the circumstances and regular review is essential.

Add other Controls: generally speaking, any risk that is rated as High or Extreme should have additional controls applied to it in order to reduce it to an acceptable level. What the appropriate additional controls might be, whether they can be afforded, what priority might be placed on them etc etc is something for the group to determine in consultation with the Head of the work unit who, ideally, should be a member of the group doing the analysis in the first place.

Processes

Risk review process

A review is an activity. Review activities are carried out in order to determine whether something is a suitable, adequate, and effective way of achieving established objectives.

In general, ISO 31000 expects you to review your risk management framework and your risk management process. It specifically expects you to review your risk management policy and plans as well as your risks, risk criteria, risk treatments, controls, residual risks, and risk assessment process.