Analyze Risks

Identify and understand the risk in evolving the IT, creating a plan to manage that risk.

Introduction Activities Roles and Responsibilities Artifacts Additional Resources

- HS IT Estimate of the Situation Select Risk Analysis and Management Techniques Perform Risk Analysis Review Risk Analysis Develop Risk Mitigation Strategies Commit To Risk Management Plan - HS IT Risk Management Plan - Risk Analyst - Evolution Management Team - Technical Architecture Team - Other Key Stakeholders

Introduction

Identifying and managing threats to the success of the IT evolution are integral parts of the IT evolution planning and management activities. These activities establish the risk analysis and management processes, perform a thorough risk analysis, and define strategies to mitigate and manage these threats. An RMP is produced, establishing measurements to indicate the level of risk  and setting decreasing thresholds for acceptable risk over time. The plan defines actions to be taken to mitigate the risk. Stakeholders participate in and reach consensus on the risks and how they will be managed.

Top

Activities

Consolidated guidelines are available to perform the following key activities:

1. Select Risk Analysis and Management Techniques. The approach to understanding and addressing a risk depends on the types of risks that an organization faces (e.g., cost, schedule, quality, or technical risks). This activity selects  the appropriate techniques and how they will be used to qualify and manage the risks. At a minimum, establish the following:

   • Responsibilities of the Risk Analyst.
   • Method(s) for identifying of risks.
   • Method(s) for the measuring the probability, consequence, and priority of each risk.
   • Method(s) for grouping the risks. 
   • Method(s) for measuring and tracking the amount of risk over time. Typically a risk referent, a measure against which to determine an amount of acceptable risk, is established for individual as well as overall risk. The risk tolerated at any point in time should decrease as the IT evolution proceeds, i.e., the closer to the end of a plateau, the greater the chance of success, as determined by declining risk.
   
   

2. Perform Risk Analysis. Comprehensively characterize potential IT evolution risk items. Examine the goals in the EoS with respect to available alternatives, constraints, and organizational and evolution-related assets; identify what can go wrong. Examine unsatisfactory outcomes and their effect on the evolution goals. Group the identified risks into logical groups. Groupings for State HS Agency IT development include:

   • Business Process Risks. These are risks that the technology will cause a significant change in the business processes that are currently in place within the HS Agency, as well as change interactions with external users (e.g., citizen services delivered directly over the Web).
   • Communication Risks. These are risks that information will not be communicated to the appropriate stakeholder in time for that individual to perform a required task in either the development or use of the new technical solutions (e.g., training a user on a new user interface).
   • Coordination Risks. These are risks affecting the coordination of the individual projects within one or more plateaus. The consequences may be realized when the results of one IT project impact another project, such as acquiring a low quality product from a vendor. Coordination risks also can  appear when automated systems must interface with other State or Federal systems not under control of the Evolution Management Team.
   • Financial Risks. These are risks in the funding sources for individual projects or groups of projects. These risks can be due to uncertainties in either the Federal or State budgeting process.
   • Management Risks. These are risks that the management practices may contribute to uncertainty in the project outcomes, (e.g., inability to accurately estimate, track, or staff projects in a timely manner).
   • Technical or Technology Risks. These are risks that the technical product design or fabrication processes may not be adequate for the solution required (e.g., lack of a scalable design or adequate development tools. These risks could be inherited from organizations outside the HS Agency, such as inadequate quality of service from a State-wide network.
   • Other Risks. These are risks that do not fit in any established categories. If there are a large number of risks in this category, then create new categories.

   As risks are identified, analyze them independently to determine how likely they are to occur (probability) and the effect of a risk situation occurring (consequence).  As you estimate the probability and consequences show any uncertainties in the estimates.

   Because the HS Agency does not have unlimited resources, you should prioritize the risks to determine those that must be addressed first. You can use the total effect of the risk, its risk factor, to determine the priorities. The risk factor is based on the combined effect of the probability and consequence. ISO-risk contours or other techniques can be used to visualize the risks as a whole. The Additional resources section offers some suggested techniques.

   Record the results of the analysis in the RMP.

3. Review Risk Analysis. Identification and analysis of risk is subjective and should have broad independent review and input. This review provides an opportunity for stakeholders to add their perspective by commenting on the results of the risk identification, analysis, and evaluation activities.

   Perform the following when reviewing risk analysis:

   • Provide a draft Risk Management Plan to the stakeholders for individual review, showing the risks but not any mitigation actions.
   • Hold a stakeholder meeting to refine the risk list by incorporating additional risks and deleting risks based on the perspectives of the stakeholders. For example, the management team may have felt that a change to the business process would be a significant risk, but during this review, it was found that the users welcome the change.
   • Elicit input from the stakeholders on the strategies to manage the identified risks, either separate risks or combined. Stakeholders should reach an understanding on the identified risks and high-priority risk items and begin to brainstorm on possible mitigation strategies and their potential impact.
   • Update the draft RMP with the change rationale from the meeting minutes referenced.
   
   

4. Develop Risk Mitigation Strategies. For each group of risks, develop a risk mitigation strategy. This risk mitigation strategy documents the specific actions that will be taken to reduce high- and medium-priority risks within the risk group. Risk mitigation strategies may introduce new risks that may negatively affect other risks; investigate any new risks.

   In general, consider the following when defining risk mitigation strategies:

   • Can the strategy reduce risk to an acceptable level?
   • Will the strategy affect another risk, possibly making it worse?
   • What is the potential impact of new risks, if any, introduced by the strategy?
   • Does the strategy support Plateau or evolution goals and success criteria?
   • Are the tactics and means for implementing the strategy consistent with Plateau or evolution constraints?
   • Is the strategy cost-effective?

   Assign a responsible individual to each mitigation strategy, and predict the level of risk when the mitigation action is completed. Document the results of this activity in the draft RMP.

5. Commit to Risk Management Plan. Firm commitment is needed to pursue and deal with the threats to the IT Evolution Plan's success. This activity provides a mechanism for formally briefing all stakeholders on the contents of the RMP and soliciting their commitment. Make changes to the RMP based on this review. Place the RMP under change control to track any updates made as the IT evolution activities progress.

Top

Roles and Responsibilities

The key roles and their responsibilities are as follows:

• Risk Analyst. As a member of the Evolution Management Team, the Risk Analyst is responsible for facilitating the risk identification and documentation of risk items.
• IT Evolution Management Team. The Evolution Team members participate by aiding the Risk Analyst in identifying, estimating, or defining strategies for the risks.
• Technical Architecture Team. Members of this team provide insight into technical and technology-related (e.g., vendor-product) risks.
• Other Key Stakeholders. These individuals or groups will be affected by the risks or have insight that can contribute to understanding and managing the risks. They may include IT management, IT Project Managers, HS Program Management and the HS Agency Decision Makers, among others.

Top

Artifacts

The following information is used or produced by these activities. Templates, examples, and checklists for identifying and documenting items are available through the Additional Resources section at the end of this page.

• HS IT Estimate of the Situation. This is a major input to the Analyze Risks activities because it defines the context for the analysis and insight into feasible approaches to dealing with the risks (e.g., within constraints).
• HS IT Risk Management Plan. This is the major product of this activity, documenting a consensus on the most important risks to address and a shared commitment from the stakeholders to address them.

Top

Additional Resources

Items that can be used to perform these and other activities are consolidated in the Resources portion of the IT Planning and Management Guides. Resources specific to this activity are cataloged below.