Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

EGI-Engage:Risk Plan

From EGIWiki
Revision as of 13:42, 15 October 2015 by Krakow (talk | contribs)
Jump to navigation Jump to search
EGI-Engage project: Main page WP1(NA1) WP3(JRA1) WP5(SA1) PMB Deliverables and Milestones Quality Plan Risk Plan Data Plan
Roles and
responsibilities 		WP2(NA2) WP4(JRA2) WP6(SA2) AMB Software and services Metrics Project Office Procedures



Help and support: quality@egi.eu

This page is proving rules regarding risk management within EGI-Engage project.

Following definitions are used in EGI-Engage Risk management process:

  1. Risk: a risk is defined as an uncertain event or condition that if it occurs, has a negative (threads) or positive (opportunities) effect on a Project's Objectives. (Source: PMBOK) In EGI-Engage risk management process the scope has been limited to threads.
  2. Risk Registry: a database of identified risks with recorded their analysis and response planning as well risk occurrence with history of treatment.


Risk process.png


  1. Risk identification
    • goal: determining which risk can affect the project and documenting it in Risk registry
    • a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.
  2. Risk analysis
    • goal: assessing likelihood and impact , calculate risk level
    • a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.
  3. Risk response 
    • goal: defining risk response plan for each risk
    • a process of developing options and actions to reduce threats to project objectives
  4. Risk control
    • goal: improve efficiency of risk approach through continuously monitoring and adjustment 
    • a process of implementing risk response plan, tracking identified risks, performing risk reviews

Roles and responsibilities

Risk management team is formed from project team members who take part in risk management process. Team members have clearly assigned roles and responsibilities, which are defined as follow:

Quality and Risk Manager

Responsible for:

  • coordinating project risk management activity
  • defining and keeping up to date risk management plan
  • helping Work Package leaders in risk analysis and response
  • performing risk registry reviews
  • reporting to Project Management Board risk management status

Technical Coordinator

Responsible for:

  • coordinating with Work Package leaders implementation of risk response plan
  • performing risk analysis and coordinating contingency planning tasks within the project

Work Package leaders

Responsible for:

  • identifying and defining new risks
  • reviewing identified risks during risk registry review
  • implementing risk response plan
  • reporting on risk status and its occurrence

Project Management Board

Responsible for:

  • approving risk response for risks level high and extreme
  • supporting Technical Coordinator

Timing

This section describes when and how often the risk management processes will be performed during the project life cycle. Risk management process timing is as follow:

  • On daily basis (whenever necessary)
    • Work Package Leaders are
      • applying risks response
      • reporting on risk occurrence
      • reporting on new risks identified
  • On monthly basis
    • Quality and Risk Manager is
      • reporting to PMB risk occurrences and newly identified risks which require PMB attention.
  • Every 3 months
    • Quality and Risk Manager is conducting risk registry review with Work Package leaders, including:
      • identifying deprecated risks
      • reassessment of impact and probability of existing risks
      • reviewing of risk response
      • identification of new risks
    • Quality and Risk Manager is reporting to PMB outcome of the review.



Risk entry

Each risk is described as follow:

  • Risk no - unique risk identifier
  • Risk - one sentence description of the risk
  • Likelihood - (Unlikely, Possible, Likely, Almost Certain) Likelihood (probability) is the chance that something might happen.
  • Impact - (Minor/Moderate/Major/Catastrophic) A consequence (impact) is the outcome of an event and has an effect on objectives.
  • Risk level - (Low/Medium/High/Extreme) The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A consequence is the outcome of an event and has an effect on objectives. Likelihood is the chance that something might happen. (based on Risk likelihood and consequences matrix)
  • Consequences - description of impact risk will have in case of occurrence
  • Deliverables - Deliverables which might me impacted in case of occurrence
  • KPIs - Impacted KPIs
  • Objective - Impacted Objective
  • WP1-WP6 - Impacted WPs
  • Treatment - (accept, mitigate, avoid) description of possible treatment of the risk
  • Owner - A risk owner is WP that has been given the authority to manage a particular risk and is accountable for doing so.
  • Trend - (Stable, Improving, Degrading, New, Deprecated) Indication of risk trend comparing to previous risk review period
  • Comment for PMB - additional comments for PMB after AMB review


Risk identification

Input: Work Package leaders expertise 

Output: Initial Risk entry in Risk registry

Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization’s objectives. It is used to identify possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of potential consequences.

Risk are identified:

  1. Periodically: 
    • During Risk registry review through interviews and brainstorming with Work Package leaders
  2. On daily basis:
    • For all newly identified risks EGI Engage risk entry template should be filled in (Part Risk Description)
    • Sent the document to Quality Manager (quality@egi.eu)

Risk analysis

Input: risk entry in Risk registry

Output: prioritized list of risks (list of risks that pose the greatest threat), risk trends 

The level of likelihood and impact for each risk is evaluated during the interviews with Work Package leaders performed by Quality manager. 

Risk rating (level) is calculated according to Likelihood and impact matrix:

Risk likelihood and impact matrix (risk level)

The matrix is a grid for mapping the impact and likelihood of each risk occurrence and its impact to the project objectives if that risk occurs. Risks are prioritized according to their potential implications on project objectives.

Likelihood Impact
Minor Moderate Major Catastrophic
Unlikely Low Low Medium Medium
Possible Low Medium High High
Likely Medium High High Extreme
Almost Certain Medium High Extreme Extreme

Risk response 

Input: Risk registry

Output: Risk response plan for each risk

Within this process risk owner, who is responsible for given risk and its risk response, must be identified. Risk response should be appropriate for the significance of the risk (risk level), cost-effective, realistic and agreed by involved parties.

Following response activities are foreseen:

  • Accept
  • Mitigate
  • Avoid


Following response activities are foreseen:

  • Mitigation activities: activities designed to minimize the severity of the event once it has occurred.
  • Recovery activities: activities serve to bring back disrupted systems and infrastructure.
  • Contingency plan: process-level documents describe what an organization can do in the aftermath of a disruptive event; they are usually triggered based on input from the emergency management team.
  • Controls: additional controls applied in order to reduce it to an acceptable level.


Following table presents for each Risk level expected response to be defined and involvement of Risk management team members.

Risk Impact
 Response
Minor
  • Accept
  • Define
    • recovery activities
Moderate
  • Mitigate
  • Define
    • mitigation activities
Major
  • Mitigate
  • Define
    • controls
    • mitigation activities
    • recovery activities
Catastrophic
  • Avoid/mitigate
  • Define
    • controls
    • contingency plan
    • recovery activities
    • mitigation activities


Risk level
 Involvement
Quality manager
 Technical Coordinator Work Package leader
 PMB
Low
 Informed Informed

Accountable

Active engagement

Informed
Medium
 Consulted Consulted

Accountable

Active engagement

Informed
High
 Consulted Active engagement

Accountable

Active engagement

Informed

Consulted

Extreme
 Responsible Active engagement

Accountable

Active engagement

Active engagement


Risk control

Input: Risk registry

Output: Improved efficiency of risk approach

Risk control is a process which goal is to improve efficiency of risk approach through continuously monitoring and adjustment. It  is implementing risk response plan, tracking identified risks, performing risk reviews.

Activities

  1. Periodically - every 3 months (AMB and PMB):
    • performing Risk registry review through interviews and brainstorming with Work Package leaders. Outcome is reported by Quality manager to PMB.
  2. On daily basis (Work Package Leavers):
    • implementation of risk response plan
    • tracking identified risks
    • report on risk occurrence to Quality manager
Retrieved from "https://wiki.egi.eu/w/index.php?title=EGI-Engage:Risk_Plan&oldid=84184"