The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "PROC04 Risks review"

From EGIWiki
 
(8 intermediate revisions by 2 users not shown)
Line 21: Line 21:
|-
|-
| '''Related document'''<br>  
| '''Related document'''<br>  
| [https://documents.egi.eu/document/2595 https://documents.egi.eu/document/2595]<br>
|  
[https://documents.egi.eu/document/2595 https://documents.egi.eu/document/2595]
 
[https://wiki.egi.eu/wiki/EGI-Engage:Risk_Plan https://wiki.egi.eu/wiki/EGI-Engage:Risk_Plan]<br>  
 
|}
|}


Line 36: Line 40:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.


= Entities involved in the procedure =
 
The actors involved are the project team members who take part in the risk management process. All actors have clearly assigned roles and responsibilities, which are defined as follows:
 
== '''Quality and Risk Manager'''<br>  ==
 
Responsible for:<br>
 
*coordinating project risk management activity
*defining and keeping up to date risk management plan
*helping Work Package leaders in risk analysis and response
*performing risk registry reviews
*reporting to Project Management Board risk management status
 
== '''Technical Coordinator'''<br>  ==
 
Responsible for:
 
*coordinating with Work Package leaders implementation of risk response plan
*performing risk analysis and coordinating contingency planning tasks within the project
 
<br>
 
== '''Work Package leaders''' <br>  ==
 
Responsible for:
 
*identifying and defining new risks
*reviewing the status of identified risks during risk registry review
*implementing an appropriate risk response plan within their WP
*reporting on risk status and its occurrence to Quality and Risk Manager<br>
 
== '''Project Management Board'''  ==
 
Responsible for:

*approving the risk response for high- and extreme-level risks
*supporting the Technical Coordinator in performing risk analysis
 
= Timing =
 
This section describes when and how often the Risk Management Process will be performed during the project life cycle. The Risk Management Process timing is as follows:
 
#'''Continuously (whenever necessary)'''
#*Work Package Leaders are
#**applying risks response measures
#**reporting by email on risk occurrence to the Quality and Risk Manager
#**reporting by email on new risks identified to the Quality and Risk Manager
#'''On a monthly basis (whenever necessary)'''
#*Quality and Risk Manager is
#**reporting by email to PMB about risks occurrence and newly identified risks which require PMB attention.
#'''Every 3 months'''
#*Quality and Risk Manager is conducting risk registry review with Work Package leaders (through Activity Management Board), including:
#**identifying deprecated risks
#**reassessment of impact and probability of existing risks
#**reviewing of risk response
#**identification of new risks
#*Quality and Risk Manager is reporting during PMB meeting about the results of the review.


= Steps  =
= Steps  =


== '''Step 1 Risk identification'''  ==
{| class="wikitable"
 
'''Input: '''Expertise of actors involved
 
'''Output:''' Initial entry in risk registry
 
Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of the project objectives. It is used to identify possible sources of risks in addition to the events and circumstances that could affect the achievement of objectives. It also includes the identification of potential consequences.
 
'''Risks are identified:'''
 
#Periodically:&nbsp;
#*During Risk registry review through interviews and brainstorming conducted by Quality and Risk manager with Work Package leaders
#Continuously (whenever necessary):
#*Work Package leaders are expected to inform the Quality and Risk manager in case of identification of new risks or occurrence of a risk
 
<br> Each risk is supposed to be described in the following way:
 
*'''Risk number'''- (mandatory) unique risk identifier assigned by Quality and Risk Manager
*'''Risk description''' - (mandatory) short description of the risk
*'''Likelihood '''- (mandatory) Likelihood (probability) is the chance that something is going to happen
**Options: Unlikely, Possible, Likely, Almost Certain
*'''Impact '''- (mandatory) A consequence (impact) is the outcome of an event and has an effect on objectives
**Options: Minor/Moderate/Major/Catastrophic
*'''Risk level''' - (mandatory) The level of risk is its magnitude. It is estimated by considering and combining impact and likelihood. Likelihood is the chance that something might happen.
**Options: Low/Medium/High/Extreme (automatically calculated based on Risk likelihood and impact matrix)
*'''Consequences '''- (mandatory) description of the consequences the risk will have in case of occurrence
*'''Deliverables '''- Deliverables which might be impacted in case of occurrence
*'''KPIs ''' - Impacted KPIs
*'''WP1-WP6''' - (mandatory) Impacted WPs
*'''Treatment '''- (mandatory) description of possible actions to avoid or mitigate the risk
*'''Owner '''- (mandatory) A risk owner is the WP leader that has been given the authority to manage a particular risk and is accountable for doing so.
*'''Trend '''- (mandatory) Indication of risk trend comparing to the previous assessed risk status
**Options: Stable, Improving, Degrading, New, Deprecated
*'''Comment for PMB''' - additional comments for PMB after the Work Package leaders' periodic risk review (every 3 months)<br>
 
== '''Step 2 Risk analysis'''  ==
 
'''Input:''' entry in the Risk Registry
 
'''Output: '''Prioritized list of risks (list of risks that pose the greatest threats), risk trends
 
During the analysis, the risk level is evaluated by the Quality and Risk manager through interviews with the Work Package leaders and other relevant actors. The risk rating (level) is calculated according to the likelihood and impact matrix.
 
=== Risk likelihood descriptors  ===
 
The following table contains the risk likelihood descriptors:
 
{| width="768" cellspacing="1" cellpadding="1" border="1"
|-
| style="background-color: grey;" | '''Rating'''<br>
| style="background-color: grey;" | '''Description'''<br>
| style="background-color: grey;" | '''Likelihood of occurrence<br>'''
|-
| 1
| Unlikely
| Not expected, but there's a slight possibility it may occur at some time.
|-
| 2<br>
| Possible
| The event may occur at some time.
|-
| 3<br>
| Likely
| There is a strong possibility the event will occur
|-
| 4<br>
| Almost Certain
| Very likely. The event is expected to occur in most circumstances
|}
 
=== Risk impact descriptors  ===
 
The following table contains the risk impact descriptors:
 
{| width="763" cellspacing="1" cellpadding="1" border="1"
|-
| style="background-color: grey;" | '''Rating<br>'''
| style="background-color: grey;" | '''Description'''<br>
| style="background-color: grey;" | '''Project Objectives impact'''<br>
|-
| 1
| Minor
|
*Any risks which will have just a light impact on the project, still these must be addressed in time.
*Degradation of deliverable quality barely noticeable.

|-
| 2<br>
| Moderate
|
*Risks which will cause some problems, but nothing too significant. Reduction of deliverable quality requires approval.

|-
| 3<br>
| Major
|
*Risks which can significantly jeopardize some aspects of the project, but which will not compromise the success of the whole project.
*Reduction of deliverable quality unacceptable

|-
| 4<br>
| Catastrophic
|
*A risk that can be detrimental for the whole project

|}
 
<br>
 
=== Risk likelihood and impact matrix (risk level)  ===


The risk likelihood and impact matrix is a grid for mapping likelihood of each risk occurrence and its impact to the project objectives in case the risk occurs. Risks are prioritized according to their potential consequences on the project objectives.


{| width="200" cellspacing="1" cellpadding="1" border="1"
|-
| style="background-color: grey;" rowspan="2" | '''Likelihood'''
| style="background-color: grey;" colspan="5" | '''Impact'''
|-
| style="background-color: lightgrey;" | '''Minor'''
| style="background-color: lightgrey;" | '''Moderate'''
| style="background-color: lightgrey;" | '''Major'''
| style="background-color: lightgrey;" | '''Catastrophic'''
|-
| style="background-color: lightgrey;" | '''Unlikely'''
| style="background-color: green;" | Low
| style="background-color: green;" | Low
| style="background-color: yellow;" | Medium
| style="background-color: yellow;" | Medium
|-
| style="background-color: lightgrey;" | '''Possible'''
| style="background-color: green;" | Low
| style="background-color: yellow;" | Medium
| style="background-color: orange;" | High
| style="background-color: orange;" | High
|-
| style="background-color: lightgrey;" | '''Likely'''
| style="background-color: yellow;" | Medium
| style="background-color: orange;" | High
| style="background-color: orange;" | High
| style="background-color: red;" | Extreme
|-
| style="background-color: lightgrey;" | '''Almost Certain'''
| style="background-color: yellow;" | Medium
| style="background-color: orange;" | High
| style="background-color: red;" | Extreme
| style="background-color: red;" | Extreme
|}
|}


== '''Step 3 Risk response&nbsp;'''  ==
<br>
 
'''Input: '''Risk registry
 
'''Output: '''Risk response plan for each risk
 
Within this process the risk owner, who is responsible for a given risk and its risk response, must be identified by the Quality and Risk manager and the Technical Coordinator. The risk response should be appropriate for the significance of the risk (risk level), cost-effective, realistic and agreed by the impacted Work Package leaders, the Technical Coordinator and, for high and extreme level risks, also by the PMB during the periodic risk registry review (every 3 months). For each risk impact level the following table presents a suggested response, to be properly defined:
 
<br>  
 
The following table presents, for each risk level, the expected response to be defined and the involvement of Risk management team members.<br>
 
{| class="wikitable"
|-
| style="background-color: grey;" | '''Risk Impact level'''<br>
| style="background-color: grey;" | '''Response'''
|-
| style="background-color: grey;" | '''Minor'''<br>
|
*'''Accept'''
*Define recovery activities
*Monitor and review
 
|-
| style="background-color: grey;" | '''Moderate'''<br>
|
*'''Avoid or Mitigate'''
*Define and implement mitigation activities
*Managed by monitoring or response procedures
 
|-
| style="background-color: grey;" | '''Major<br>'''
|
*'''Avoid or Mitigate '''
*Define and implement
**controls
**mitigation activities
**recovery activities
*requires Project Management Board attention and definition of management responsibility
 
|-
| style="background-color: grey;" | '''Catastrophic'''<br>
|
*'''Avoid or Mitigate'''
*Define and implement
**controls
**contingency plan
**recovery activities
**mitigation activities
*Must be managed by Project Management Board with a detailed treatment plan.
 
|}
 
For each risk level the following table presents a suggested involvement of the actors:
 
{| class="wikitable"
|-
| rowspan="2" style="background-color: grey;" | '''Risk level'''<br>
| colspan="3" style="background-color: grey;" | '''Involvement'''
|-
| '''Technical Coordinator'''
| '''Work Package leader'''<br>
| '''PMB '''<br>
|-
| style="background-color: grey;" | '''Low'''<br>
| Informed
| Active engagement
| Informed<br>
|-
| style="background-color: grey;" | '''Medium'''<br>
| Consulted
| Active engagement
| Informed
|-
| style="background-color: grey;" | '''High'''<br>
| Active engagement
| Active engagement
| Consulted
|-
| style="background-color: grey;" | '''Extreme'''<br>
| Active engagement
| Active engagement
| Active engagement<br>
|}
 
<br>
 
== '''Step 4 Risk control'''  ==
 
'''Input:''' Risk registry<br>
 
'''Output:''' Improved success of risk approach
 
Risk control is a process to improve the efficiency of risk management through continuous monitoring and adjustment. It consists of implementing the risk response plan, tracking identified risks and performing risk reviews.<br> The main activities planned as part of risk control are:<br>
 
#'''Continuously (whenever necessary)'''
#*Work Package Leaders are
#**applying risks response
#**reporting on risk occurrence
#**reporting on new risks identified
#'''On a monthly basis'''
#*Quality and Risk Manager is
#**reporting to PMB risk occurrences and newly identified risks which require PMB attention.
#'''Every 3 months'''
#*Quality and Risk Manager is conducting the risk registry review with Work Package leaders, including:
#**identification of deprecated risks
#**reassessment of impact and probability of existing risks
#**review of risk response
#**identification of new risks
#*Quality and Risk Manager is reporting to PMB the results of the review.


= Revision History  =
= Revision History  =
Line 363: Line 104:
|-
|-
! Version  
! Version  
! Authors
! Reviewer
! Date  
! Date  
! Comments
! Comments
|-
|-
| <br>  
| <br> 1.0
| <br>  
| <br> T. Ferrari
| <br>  
| <br> 30-10-2016
| <br>
| <br> No change applied
|}
|}


<br>
<br>

Latest revision as of 22:54, 30 October 2016





Title: Risks review
Link: https://wiki.egi.eu/wiki/PROC04_Risks_review
Owner: Quality Manager
Status: Approved
Approval date: 28 Oct 2015
Related document:

https://documents.egi.eu/document/2595

https://wiki.egi.eu/wiki/EGI-Engage:Risk_Plan


Overview

The goal of this procedure is to identify risks and plan a proper response to prevent risk occurrence.

Definitions

Please refer to the EGI Glossary for the definitions of the terms used in this procedure.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Timing

Risk review takes place every 6 months starting from October 2015

Steps

Step 1
Responsible: QM
Action: Organize face-to-face meetings with all WP leaders

Step 2
Responsible: WP leaders
Action: With QM, review risks assigned to WP:

  • identifying deprecated risks
  • reassessment of impact and probability of existing risks
  • reviewing of risk response
  • identification of new risks

Step 3
Responsible: Technical Coordinator (TC)
Action: Approve/reject/suggest changes in Risk registry

Step 4
Responsible: QM
Action: Inform WP leader about outcome of TC review

Step 5
Responsible: QM
Action: Circulate final version of risk registry to AMB and PMB

Step 6
Responsible: QM
Action: If no comments were provided by AMB and PMB: circulate final version of risk registry to CB


Revision History

Version: 1.0
Reviewer: T. Ferrari
Date: 30-10-2016
Comments: No change applied