
Difference between revisions of "EGI-Engage:Risk Plan"

 
(18 intermediate revisions by the same user not shown)
Line 4: Line 4:


'''Help and support:''' quality@egi.eu  
'''Help and support:''' quality@egi.eu  
'''Risk registry:''' https://documents.egi.eu/document/2795 (access restricted to AMB, CB and PMB)


This page is proving rules regarding risk management within EGI-Engage project.  
This page is proving rules regarding risk management within EGI-Engage project.  
Line 10: Line 12:


#'''Risk:''' a risk is defined as an uncertain event or condition that if it occurs, has a negative (threads) or positive (opportunities) effect on a Project's Objectives. (Source: PMBOK) In EGI-Engage the risk management process has been limited to threads.  
#'''Risk:''' a risk is defined as an uncertain event or condition that if it occurs, has a negative (threads) or positive (opportunities) effect on a Project's Objectives. (Source: PMBOK) In EGI-Engage the risk management process has been limited to threads.  
#'''Risk Registry:''' a database of identified risks with the associated analysis and response planning as well the estimation of risk occurrence and the history of their treatment.  
#'''Risk Registry:''' a database of identified risks with the associated analysis and response planning as well the estimation of risk occurrence and the history of their treatment.


<br> [[Image:Risk process.png|center|500px|Risk process.png]]  
<br> [[Image:Risk process.png|center|500px|Risk process.png]]  
Line 17: Line 19:


#'''Risk identification'''  
#'''Risk identification'''  
#*'''goal:'''determining which risks can affect the project and documenting it in the Risk registry
#*'''goal:'''determining which risks can affect the project and documenting it in the Risk registry  
#*a process that is used to find, recognize, and describe the risks that could affect (prevent or undermine) the achievements of objectives.
#*a process that is used to find, recognize, and describe the risks that could affect (prevent or undermine) the achievements of objectives.  
#'''Risk analysis'''  
#'''Risk analysis'''  
#*'''goal: '''assessing likelihood and impact , evaluate the risk level
#*'''goal: '''assessing likelihood and impact , evaluate the risk level  
#*a process that is used to understand the nature, sources, and causes of the risks that have been identified and to estimate their level. It will also study impact and consequences and examine the controls (an activity that prevents or detects issues to mitigate risks) that currently exist.
#*a process that is used to understand the nature, sources, and causes of the risks that have been identified and to estimate their level. It will also study impact and consequences and examine the controls (an activity that prevents or detects issues to mitigate risks) that currently exist.  
#'''Risk response&nbsp;'''  
#'''Risk response&nbsp;'''  
#*'''goal: '''defining the actions to be taken in order to avoid the risks or to minimize their impact (risk response plan) for each risk
#*'''goal: '''defining the actions to be taken in order to avoid the risks or to minimize their impact (risk response plan) for each risk  
#*a process of developing options and actions to reduce threats to project objectives  
#*a process of developing options and actions to reduce threats to project objectives  
#'''Risk control'''  
#'''Risk control'''  
Line 29: Line 31:
#*a process for implementing the risk response plan, tracking identified risks, performing risk status review
#*a process for implementing the risk response plan, tracking identified risks, performing risk status review


<br>
Procedure of Risk risk is written under [https://wiki.egi.eu/wiki/PROC04_Risks_review https://wiki.egi.eu/wiki/PROC04_Risks_review ]


= Risk identification  =
<br>


'''Input: '''Expertise of actors involved ;  
== '''Risk identification'''  ==
 
'''Input: '''Expertise of actors involved&nbsp;;  


'''Output:''' Initial entry in risk registry  
'''Output:''' Initial entry in risk registry  


Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of the project objectives. It is used to identify possible sources of risks in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of potential consequences.
Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of the project objectives. It is used to identify possible sources of risks in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of potential consequences.  


'''Risk are identified:'''  
'''Risk are identified:'''  


#Periodically:&nbsp;  
#Periodically:&nbsp;  
#*During Risk registry review through interviews and brainstorming conducted by Quality and Risk manager with Work Package leaders
#*During Risk registry review through interviews and brainstorming conducted by Quality and Risk manager with Work Package leaders  
#Continuously (whenever necessary):
#Continuously (whenever necessary):  
#*Work Package leaders are expected to inform the Quality and Risk manager in case of identification of new risks or occurrence of a risk
#*Work Package leaders are expected to inform the Quality and Risk manager in case of identification of new risks or occurrence of a risk


<br> Each risk is supposed to be described in following way:


 
*'''Risk number'''- (mandatory) unique risk identifier assigned by Quality and Risk Manager  
 
*'''Risk description''' - (mandatory) short description of the risk  
Each risk is supposed to be described in following way:
 
*'''Risk number'''- (mandatory) unique risk identifier assigned by Quality and Risk Manager
*'''Risk description''' - (mandatory) short description of the risk
*'''Likelihood '''- (mandatory) Likelihood (probability) is the chance that something is going to happen  
*'''Likelihood '''- (mandatory) Likelihood (probability) is the chance that something is going to happen  
**Options: Unlikely, Possible, Likely, Almost Certain
**Options: Unlikely, Possible, Likely, Almost Certain  
*'''Impact '''- (mandatory) A consequence (impact) is the outcome of an event and has an effect on objectives  
*'''Impact '''- (mandatory) A consequence (impact) is the outcome of an event and has an effect on objectives  
**Options: Minor/Moderate/Major/Catastrophic
**Options: Minor/Moderate/Major/Catastrophic  
*'''Risk level''' - (mandatory) The level of risk is its magnitude. It is estimated by considering and combining impact and likelihood. Likelihood is the chance that something might happen.  
*'''Risk level''' - (mandatory) The level of risk is its magnitude. It is estimated by considering and combining impact and likelihood. Likelihood is the chance that something might happen.  
**Options: Low/Medium/High/Extreme (automatically calculated based on Risk likelihood and impact matrix)
**Options: Low/Medium/High/Extreme (automatically calculated based on Risk likelihood and impact matrix)  
*'''Consequences '''- (mandatory) description of the consequences the risk will have in case of occurrence
*'''Consequences '''- (mandatory) description of the consequences the risk will have in case of occurrence  
*'''Deliverables '''- Deliverables which might be impacted in case of occurrence
*'''Deliverables '''- Deliverables which might be impacted in case of occurrence  
*'''KPIs ''' - Impacted KPIs  
*'''KPIs ''' - Impacted KPIs  
*'''Objective ''' - Impacted Objective
*'''WP1-WP6''' - (mandatory) Impacted WPs  
*'''WP1-WP6''' - (mandatory) Impacted WPs  
*'''Treatment '''- (mandatory) description of possible actions to avoid or mitigate the risk
*'''Treatment '''- (mandatory) description of possible actions to avoid or mitigate the risk  
*'''Owner '''- (mandatory) A risk owner is the WP leader that has been given the authority to manage a particular risk and is accountable for doing so.
*'''Owner '''- (mandatory) A risk owner is the WP leader that has been given the authority to manage a particular risk and is accountable for doing so.  
*'''Trend '''- (mandatory) Indication of risk trend comparing to the previous assessed risk status  
*'''Trend '''- (mandatory) Indication of risk trend comparing to the previous assessed risk status  
**Options: Stable, Improving, Degrading, New, Deprecated
**Options: Stable, Improving, Degrading, New, Deprecated  
*'''Comment for PMB''' - additional comments for PMB after Work Package leaders periodic rick review (every 3 months)
*'''Comment for PMB''' - additional comments for PMB after Work Package leaders periodic rick review (every 3 months)<br>


<br>
== '''Risk analysis''' ==
 
= Risk analysis  =


'''Input:''' entry in the Risk Registry  
'''Input:''' entry in the Risk Registry  
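Review bot: the added sentence "Procedure of Risk risk is written under ..." repeats the word "risk" and never names the procedure; reword it, for example "The risk review procedure is described at https://wiki.egi.eu/wiki/PROC04_Risks_review". In the same hunk, the "Comment for PMB" field still reads "periodic rick review (every 3 months)", which misspells "risk".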
Line 83: Line 84:
The following table contains the risk likelihood descriptors:  
The following table contains the risk likelihood descriptors:  


{| width="768" height="376" cellspacing="1" cellpadding="1" border="1"
{| width="768" cellspacing="1" cellpadding="1" border="1"
|-
|-
| style="background-color: grey;" | Rating<br>  
| style="background-color: grey;" | '''Rating'''<br>  
| style="background-color: grey;" | Description<br>  
| style="background-color: grey;" | '''Description'''<br>  
| style="background-color: grey;" | Likelihood of occurrence<br>
| style="background-color: grey;" | '''Likelihood of occurrence<br>'''
|-
|-
| 1  
| 1  
Line 110: Line 111:
The following table contains the risk likelihood descriptors:  
The following table contains the risk likelihood descriptors:  


{| width="763" height="746" cellspacing="1" cellpadding="1" border="1"
{| width="763" cellspacing="1" cellpadding="1" border="1"
|-
|-
| style="background-color: grey;" | Rating<br>  
| style="background-color: grey;" | '''Rating<br>'''
| style="background-color: grey;" | Description<br>  
| style="background-color: grey;" | '''Description'''<br>  
| style="background-color: grey;" | Project Objectives impact<br>
| style="background-color: grey;" | '''Project Objectives impact'''<br>
|-
|-
| 1  
| 1  
| Minor  
| Minor  
| * Any risks which will have just a light impact on the project, still these must be addressed in time.  
|  
*Any risks which will have just a light impact on the project, still these must be addressed in time.  
*Degradation of deliverable quality barely noticeable.
*Degradation of deliverable quality barely noticeable.


Line 124: Line 126:
| 2<br>  
| 2<br>  
| Moderate  
| Moderate  
| * Risks which will cause some problems, but nothing too significant. Reduction of deliverable quality requires approval.
|  
*Risks which will cause some problems, but nothing too significant. Reduction of deliverable quality requires approval.
 
|-
|-
| 3<br>  
| 3<br>  
| Major  
| Major  
| * Risks which can significantly jeopardize some aspects of the project, but which will not compromise the success of the whole project.  
|  
*Risks which can significantly jeopardize some aspects of the project, but which will not compromise the success of the whole project.  
*Reduction of deliverable quality unacceptable
*Reduction of deliverable quality unacceptable


Line 134: Line 139:
| 4<br>  
| 4<br>  
| Catastrophic  
| Catastrophic  
| A risk that can be detrimental for the whole project
|  
*A risk that can be detrimental for the whole project
 
|}
|}


Line 145: Line 152:
{| width="200" cellspacing="1" cellpadding="1" border="1"
{| width="200" cellspacing="1" cellpadding="1" border="1"
|-
|-
| style="background-color: grey;" rowspan="2" | '''Likelihood'''  
| rowspan="2" style="background-color: grey;" | '''Likelihood'''  
| style="background-color: grey;" colspan="5" | '''Impact'''
| colspan="5" style="background-color: grey;" | '''Impact'''
|-
|-
| style="background-color: lightgrey;" | '''Minor'''  
| style="background-color: lightgrey;" | '''Minor'''  
Line 178: Line 185:
|}
|}


= Risk response&nbsp;  =
== '''Risk response&nbsp;''' ==


'''Input: '''Risk registry  
'''Input: '''Risk registry  
Line 184: Line 191:
'''Output: '''Risk response plan for each risk  
'''Output: '''Risk response plan for each risk  


Within this process risk owner, who is responsible for given risk and its risk response, must be identified. Risk response should be appropriate for the significance of the risk (risk level), cost-effective, realistic and agreed by involved parties. <br>
Within this process the risk owner, who is responsible for given risk and its risk response, must be identified by Quality and Risk manager and Technical Coordinator. Risk response should be appropriate for the significance of the risk (risk level), cost-effective, realistic and agreed by impacted Work Packages leaders, Technical Coordinator and for high and extreme level risks also by PMB during periodic rick registry review (every 3 months). For each risk impact level the following table presents a suggested response, to be properly defined:  
 
Following response activities are foreseen:
 
*Accept
*Mitigate
*Avoid
 
<br>
 
Following response activities are foreseen:
 
*'''Mitigation activities''': activities designed to minimize the severity of the event once it has occurred.
*'''Recovery activities''': activities serve to bring back disrupted systems and infrastructure.  
*'''Contingency plan:''' process-level documents describe what an organization can do in the aftermath of a disruptive event; they are usually triggered based on input from the emergency management team.
*'''Controls:''' additional controls applied in order to reduce it to an acceptable level.<br>


<br>  
<br>  
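Review bot: the rewritten Risk response paragraph says high and extreme risks are agreed by PMB "during periodic rick registry review (every 3 months)", while the Risk control and Timing lists in this same revision schedule the registry review "Every 6 months". Settle on one interval, use it in all three places, and correct "rick" to "risk".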
Line 207: Line 199:
{| class="wikitable"
{| class="wikitable"
|-
|-
| '''Risk Impact'''<br>  
| style="background-color: grey;" | '''Risk Impact level'''<br>  
| '''Response'''
| style="background-color: grey;" | '''Response'''
|-
|-
| Minor<br>  
| style="background-color: grey;" | '''Minor'''<br>  
|  
|  
*'''Accept'''  
*'''Accept'''  
*Define  
*Define recovery activities
**recovery activities
*Monitor and review


|-
|-
| Moderate<br>  
| style="background-color: grey;" | '''Moderate'''<br>  
|  
|  
*'''Mitigate'''  
*'''Avoid or Mitigate'''  
*Define  
*Define and implement mitigation activities
**mitigation activities
*Managed by monitoring or response procedures


|-
|-
| Major<br>  
| style="background-color: grey;" | '''Major<br>'''
|  
|  
*'''Mitigate'''  
*'''Avoid or Mitigate '''  
*Define  
*Define and implement
**controls  
**controls  
**mitigation activities  
**mitigation activities  
**recovery activities
**recovery activities  
*requires Project Management Board attention and definition of management responsibility


|-
|-
| Catastrophic<br>  
| style="background-color: grey;" | '''Catastrophic'''<br>  
|  
|  
*'''Avoid/mitigate'''  
*'''Avoid or Mitigate'''  
*Define  
*Define and implement
**controls  
**controls  
**contingency plan  
**contingency plan  
**recovery activities  
**recovery activities  
**mitigation activities
**mitigation activities  
*Must be managed by Project Management Board with a detailed treatment plan.


|}
|}


<br>
For each risk level the following table presents a suggested involvement of the actors:


{| class="wikitable"
{| class="wikitable"
|-
|-
| rowspan="2" | '''Risk level'''<br>  
| style="background-color: grey;" rowspan="2" | '''Risk level'''<br>  
| colspan="4" | '''Involvement'''
| style="background-color: grey;" colspan="3" | '''Involvement'''
|-
|-
| '''Quality manager'''<br>
| '''Technical Coordinator'''  
| '''Technical Coordinator'''  
| '''Work Package leader'''<br>  
| '''Work Package leader'''<br>  
| '''PMB '''<br>
| '''PMB '''<br>
|-
|-
| Low<br>  
| style="background-color: grey;" | '''Low'''<br>  
| Informed  
| Informed  
| Informed
| Active engagement  
|
Accountable<br>
 
Active engagement  
 
| Informed<br>
| Informed<br>
|-
|-
| Medium<br>  
| style="background-color: grey;" | '''Medium'''<br>  
| Consulted  
| Consulted  
| Consulted
| Active engagement  
|
Accountable<br>
 
Active engagement  
 
| Informed
| Informed
|-
|-
| High<br>  
| style="background-color: grey;" | '''High'''<br>  
| Consulted
| Active engagement
| Active engagement  
| Active engagement  
|  
| Consulted
Accountable<br>
 
Active engagement
 
|
Informed<br>
 
Consulted  
 
|-
|-
| Extreme<br>  
| style="background-color: grey;" | '''Extreme'''<br>  
| Responsible
| Active engagement
| Active engagement  
| Active engagement  
|
Accountable<br>
Active engagement
| Active engagement<br>
| Active engagement<br>
|}
|}
Line 303: Line 272:
<br>  
<br>  


= Risk control  =
== '''Risk control''' ==


'''Input:''' Risk registry<br>  
'''Input:''' Risk registry<br>  


'''Output:''' Improved efficiency of risk approach  
'''Output:''' Improved success of risk approach  


Risk control is a process which goal is to improve efficiency of risk approach through continuously monitoring and adjustment. It&nbsp; is implementing risk response plan, tracking identified risks, performing risk reviews.  
Risk control is a process to improve efficiency of the risk management through continuously monitoring and adjustment. It implements risk response plan, tracking identified risks, performing risk reviews.<br> The main activities planned as part of risk control are:<br>


Activities
#'''Continuously (whenever necessary)'''
#*Work Package Leaders are
#**applying risks response
#**reporting on risk occurrence
#**reporting on new risks identified
#'''On a monthly basis'''
#*Quality and Risk Manager is
#**reporting to PMB risk occurrences and newly identified risks which require PMB attention.
#'''Every 6 months'''
#*Quality and Risk Manager is conducting the risk registry review with Work Package leaders, including:
#**identification of deprecated risks
#**reassessment of impact and probability of existing risks
#**review of risk response
#**identification of new risks
#*Quality and Risk Manager is reporting to PMB the results of the review.


#Periodically - every 3 months (AMB and PMB):
= Roles =
#*performing Risk registry review through interviews and brainstorming with Work Package leaders. Outcome is reported by Quality manager to PMB.
#On daily basis (Work Package Leavers):
#*implementation of risk response plan
#*tracking identified risks
#*report on risk occurrence to Quality manager<br>
 
== Roles and responsibilities  ==


Involved actors are project team members who take part in risk management process. All actors have clearly assigned roles and responsibilities, which are defined as follow:  
Involved actors are project team members who take part in risk management process. All actors have clearly assigned roles and responsibilities, which are defined as follow:  


=== '''Quality and Risk Manager'''<br>  ===
== '''Quality and Risk Manager'''<br>  ==


Responsible for:<br>  
Responsible for:<br>  


*coordinating project risk management activity  
*coordinating project risk management activity  
*defining and keeping up to date risk management plan
*defining and keeping up to date risk management plan  
*helping Work Package leaders in risk analysis and response  
*helping Work Package leaders in risk analysis and response  
*performing risk registry reviews  
*performing risk registry reviews  
*reporting to Project Management Board risk management status  
*reporting to Project Management Board risk management status


=== '''Technical Coordinator'''<br>  ===
== '''Technical Coordinator'''<br>  ==


Responsible for:  
Responsible for:  


*coordinating with Work Package leaders implementation of risk response plan
*coordinating with Work Package leaders implementation of risk response plan  
*performing risk analysis and coordinating contingency planning tasks within the project  
*performing risk analysis and coordinating contingency planning tasks within the project
 
<br>


=== '''Work Package leaders''' <br>  ===
== '''Work Package leaders''' <br>  ==


Responsible for:  
Responsible for:  


*identifying and defining new risks<br>
*identifying and defining new risks  
*reviewing identified risks during risk registry review
*reviewing the status of identified risks during risk registry review  
*implementing risk response plan  
*implementing an appropriate risk response plan within their WP
*reporting on risk status and its occurrence
*reporting on risk status and its occurrence to Quality and Risk Manager<br>


=== '''Project Management Board'''  ===
== '''Project Management Board'''  ==


Responsible for:  
Responsible for:  


*approving risk response for risks level high and extreme
*approving risk response for risks level high and extreme  
*supporting Technical Coordinator
*supporting Technical Coordinator in performing risk analysis


== Timing  ==
= Timing  =
 
This section describes when and how often the risk management processes will be performed during the project life cycle. 
Risk management process timing is as follow:
 
* On daily basis (whenever necessary)
**Work Package Leaders are
***applying risks response
***reporting on risk occurrence
***reporting on new risks identified
*On monthly basis
**Quality and Risk Manager is
***reporting to PMB risk occurrences and newly identified risks which require PMB attention.
*Every 3 months
**Quality and Risk Manager is conducting risk registry review with Work Package leaders, including:
***identifying deprecated risks
***reassessment of impact and probability of existing risks
***reviewing of risk response
***identification of new risks
**Quality and Risk Manager is reporting to PMB outcome of the review.


This section describes when and how often the Risk Management Process will be performed during the project life cycle. The Risk Management Process timing is as follow:


#'''Continuously (whenever necessary)'''
#*Work Package Leaders are
#**applying risks response measures
#**reporting by email on risk occurrence to the Quality and Risk Manager
#**reporting by email on new risks identified to the Quality and Risk Manager
#'''On a monthly basis (whenever necessary)'''
#*Quality and Risk Manager is
#**reporting by email to PMB about risks occurrence and newly identified risks which require PMB attention.
#'''Every 6 months'''
#*Quality and Risk Manager is conducting risk registry review with Work Package leaders (through Activity Management Board), including:
#**identifying deprecated risks
#**reassessment of impact and probability of existing risks
#**reviewing of risk response
#**identification of new risks
#*Quality and Risk Manager is reporting during PMB meeting about the results of the review.


<br>


[[Category:EGI-Engage]]
[[Category:EGI-Engage]]
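Review bot: the schedule list now appears twice in the new revision, under Risk control and again under Timing, and the two copies differ: "On a monthly basis" versus "On a monthly basis (whenever necessary)", and only the Timing copy mentions reporting by email and the Activity Management Board. Keep one authoritative list and have the other section refer to it, so the two cannot drift apart.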

Latest revision as of 12:00, 12 October 2016




Help and support: quality@egi.eu

Risk registry: https://documents.egi.eu/document/2795 (access restricted to AMB, CB and PMB)

This page provides the rules for risk management within the EGI-Engage project.

The following definitions are used in the EGI-Engage risk management process:

  1. Risk: a risk is defined as an uncertain event or condition that, if it occurs, has a negative (threats) or positive (opportunities) effect on a project's objectives. (Source: PMBOK) In EGI-Engage the risk management process has been limited to threats.
  2. Risk Registry: a database of identified risks with the associated analysis and response planning, as well as the estimation of risk occurrence and the history of their treatment.


Risk process.png


  1. Risk identification
    • goal: determining which risks can affect the project and documenting them in the Risk registry
    • a process that is used to find, recognize, and describe the risks that could affect (prevent or undermine) the achievements of objectives.
  2. Risk analysis
    • goal: assessing likelihood and impact, and evaluating the risk level
    • a process that is used to understand the nature, sources, and causes of the risks that have been identified and to estimate their level. It will also study impact and consequences and examine the controls (an activity that prevents or detects issues to mitigate risks) that currently exist.
  3. Risk response 
    • goal: defining the actions to be taken in order to avoid the risks or to minimize their impact (risk response plan) for each risk
    • a process of developing options and actions to reduce threats to project objectives
  4. Risk control
    • goal: improve success of risk management activities through continuous monitoring and adjustment
    • a process for implementing the risk response plan, tracking identified risks, performing risk status review


The risk review procedure is described at https://wiki.egi.eu/wiki/PROC04_Risks_review


Risk identification

Input: Expertise of actors involved

Output: Initial entry in risk registry

Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of the project objectives. It is used to identify possible sources of risks in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of potential consequences.

Risks are identified:

  1. Periodically: 
    • During Risk registry review through interviews and brainstorming conducted by Quality and Risk manager with Work Package leaders
  2. Continuously (whenever necessary):
    • Work Package leaders are expected to inform the Quality and Risk manager in case of identification of new risks or occurrence of a risk


Each risk is to be described in the following way:

  • Risk number - (mandatory) unique risk identifier assigned by the Quality and Risk Manager
  • Risk description - (mandatory) short description of the risk
  • Likelihood - (mandatory) Likelihood (probability) is the chance that something is going to happen
    • Options: Unlikely, Possible, Likely, Almost Certain
  • Impact - (mandatory) A consequence (impact) is the outcome of an event and has an effect on objectives
    • Options: Minor/Moderate/Major/Catastrophic
  • Risk level - (mandatory) The level of risk is its magnitude. It is estimated by considering and combining impact and likelihood. Likelihood is the chance that something might happen.
    • Options: Low/Medium/High/Extreme (automatically calculated based on Risk likelihood and impact matrix)
  • Consequences - (mandatory) description of the consequences the risk will have in case of occurrence
  • Deliverables - Deliverables which might be impacted in case of occurrence
  • KPIs - Impacted KPIs
  • WP1-WP6 - (mandatory) Impacted WPs
  • Treatment - (mandatory) description of possible actions to avoid or mitigate the risk
  • Owner - (mandatory) A risk owner is the WP leader that has been given the authority to manage a particular risk and is accountable for doing so.
  • Trend - (mandatory) Indication of the risk trend compared to the previously assessed risk status
    • Options: Stable, Improving, Degrading, New, Deprecated
  • Comment for PMB - additional comments for PMB after the Work Package leaders' periodic risk review (every 3 months)

Risk analysis

Input: entry in the Risk Registry

Output: Prioritized list of risks (list of risks that pose the greatest threats), risk trends

During the analysis the risk level is evaluated by the Quality and Risk manager through interviews with the Work Package leaders and other relevant actors. The risk rating (level) is calculated according to the likelihood and impact matrix.

Risk likelihood descriptors

The following table contains the risk likelihood descriptors:

| Rating | Description | Likelihood of occurrence |
|---|---|---|
| 1 | Unlikely | Not expected, but there's a slight possibility it may occur at some time. |
| 2 | Possible | The event may occur at some time. |
| 3 | Likely | There is a strong possibility the event will occur. |
| 4 | Almost Certain | Very likely. The event is expected to occur in most circumstances. |

Risk impact descriptors

The following table contains the risk impact descriptors:

| Rating | Description | Project Objectives impact |
|---|---|---|
| 1 | Minor | Any risks which will have just a light impact on the project; these must still be addressed in time. Degradation of deliverable quality barely noticeable. |
| 2 | Moderate | Risks which will cause some problems, but nothing too significant. Reduction of deliverable quality requires approval. |
| 3 | Major | Risks which can significantly jeopardize some aspects of the project, but which will not compromise the success of the whole project. Reduction of deliverable quality unacceptable. |
| 4 | Catastrophic | A risk that can be detrimental for the whole project. |


Risk likelihood and impact matrix (risk level)

The risk likelihood and impact matrix is a grid for mapping likelihood of each risk occurrence and its impact to the project objectives in case the risk occurs. Risks are prioritized according to their potential consequences on the project objectives.

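| Likelihood | Impact: Minor | Impact: Moderate | Impact: Major | Impact: Catastrophic |
|---|---|---|---|---|
| Unlikely | Low | Low | Medium | Medium |
| Possible | Low | Medium | High | High |
| Likely | Medium | High | High | Extreme |
| Almost Certain | Medium | High | Extreme | Extreme |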

Risk response 

Input: Risk registry

Output: Risk response plan for each risk

Within this process the risk owner, who is responsible for the given risk and its response, must be identified by the Quality and Risk manager and the Technical Coordinator. The risk response should be appropriate for the significance of the risk (risk level), cost-effective, realistic, and agreed by the impacted Work Package leaders, the Technical Coordinator and, for high and extreme level risks, also by the PMB during the periodic risk registry review (every 3 months). For each risk impact level the following table presents a suggested response, to be properly defined:


The following table presents, for each risk level, the expected response to be defined and the involvement of risk management team members.

| Risk impact level | Response |
|---|---|
| Minor | Accept. Define recovery activities. Monitor and review. |
| Moderate | Avoid or Mitigate. Define and implement mitigation activities. Managed by monitoring or response procedures. |
| Major | Avoid or Mitigate. Define and implement: controls, mitigation activities, recovery activities. Requires Project Management Board attention and definition of management responsibility. |
| Catastrophic | Avoid or Mitigate. Define and implement: controls, contingency plan, recovery activities, mitigation activities. Must be managed by Project Management Board with a detailed treatment plan. |

For each risk level the following table presents a suggested involvement of the actors:

| Risk level | Technical Coordinator | Work Package leader | PMB |
|---|---|---|---|
| Low | Informed | Active engagement | Informed |
| Medium | Consulted | Active engagement | Informed |
| High | Active engagement | Active engagement | Consulted |
| Extreme | Active engagement | Active engagement | Active engagement |


Risk control

Input: Risk registry

Output: Improved success of risk approach

Risk control is a process to improve the efficiency of risk management through continuous monitoring and adjustment. It implements the risk response plan, tracks identified risks and performs risk reviews.
The main activities planned as part of risk control are:

  1. Continuously (whenever necessary)
    • Work Package Leaders are
      • applying risk response
      • reporting on risk occurrence
      • reporting on new risks identified
  2. On a monthly basis
    • Quality and Risk Manager is
      • reporting to PMB risk occurrences and newly identified risks which require PMB attention.
  3. Every 6 months
    • Quality and Risk Manager is conducting the risk registry review with Work Package leaders, including:
      • identification of deprecated risks
      • reassessment of impact and probability of existing risks
      • review of risk response
      • identification of new risks
    • Quality and Risk Manager is reporting to PMB the results of the review.

Roles

Involved actors are project team members who take part in the risk management process. All actors have clearly assigned roles and responsibilities, which are defined as follows:

Quality and Risk Manager

Responsible for:

  • coordinating project risk management activity
  • defining and keeping up to date risk management plan
  • helping Work Package leaders in risk analysis and response
  • performing risk registry reviews
  • reporting to Project Management Board risk management status

Technical Coordinator

Responsible for:

  • coordinating with Work Package leaders implementation of risk response plan
  • performing risk analysis and coordinating contingency planning tasks within the project


Work Package leaders

Responsible for:

  • identifying and defining new risks
  • reviewing the status of identified risks during risk registry review
  • implementing an appropriate risk response plan within their WP
  • reporting on risk status and its occurrence to Quality and Risk Manager

Project Management Board

Responsible for:

  • approving risk response for risks of level high and extreme
  • supporting Technical Coordinator in performing risk analysis

Timing

This section describes when and how often the Risk Management Process will be performed during the project life cycle. The Risk Management Process timing is as follows:

  1. Continuously (whenever necessary)
    • Work Package Leaders are
      • applying risk response measures
      • reporting by email on risk occurrence to the Quality and Risk Manager
      • reporting by email on new risks identified to the Quality and Risk Manager
  2. On a monthly basis (whenever necessary)
    • Quality and Risk Manager is
      • reporting by email to PMB about risk occurrences and newly identified risks which require PMB attention.
  3. Every 6 months
    • Quality and Risk Manager is conducting risk registry review with Work Package leaders (through Activity Management Board), including:
      • identifying deprecated risks
      • reassessment of impact and probability of existing risks
      • reviewing of risk response
      • identification of new risks
    • Quality and Risk Manager is reporting during PMB meeting about the results of the review.