Definition of Business, Program, Project or Component Objectives
The project involves the installation of an automated double door at Royal North Shore Hospital (RNSH) by Stanley Security Solutions, Australia.
The project has been defined by incorporating the responses of internal and external stakeholders, such as hospital administration, project team members and the project manager, medical professionals, security experts, and end-users.
The basis for risk identification and analysis in the case of RNSH is defined by the project factors, the stakeholders involved, and the requirements associated with the project.
Risk Management Standard
AS/NZS ISO 31000: 2009 is the risk management standard and framework that will be followed in this project.
This standard is preferred over others because it covers the definition of risks and uncertainties and provides eleven principles for risk management that may be applied across the enterprise. These principles include creating and protecting value, being an integral part of the organization, being part of the decision-making process, explicitly addressing uncertainty, being systematic and timely, taking a tailored approach, basing identification and analysis on the current approach, transparency, taking human and cultural factors into account, being dynamic and responsive to change, and continuously improving the organization (Financegov, 2010).
Risk Context
Risk context for the project is developed on the basis of the information collection methods, such as interviews, brainstorming, domain analysis, and observation carried out with the internal and external stakeholders.
An example of the risk context for the current project is illustrated below.
Definition
Risk context includes the description of the organizational environment, attitude of the personnel impacting the risk, and the behaviour towards the risks that are identified.
Risk Attitude
Risk Averse: Security Risks, Schedule/Budget Overrun, Legal Risks, Quality Risks, Ethical Risks, Environmental Risks
Risk Seeking: Operational Risks, Communication Risks, Resource Risks, Market Risks
Risk Neutral: Investment Risks, Technical Risks
Project
The project involves the installation of an automated double door at RNSH, and the Project Manager shall take responsibility and accountability for the risks (Apm, 2018).
Programme
The acceptable level of risk shall be identified as the level at which a risk does not cause severe damage to the project or the organization and may be transferred to other parties; Technical Risks, such as the failure of a tool, are an example.
Portfolio
The risk management activities will cover identification, assessment, treatment, monitoring, control, and closure.
Risk Events & Categories
Risk Register 1
The risk register has been prepared for the RNSH project.
| Identification Number | Risk Category | Risk Source | Risk Event | Description of Effect/Consequences | Existing Controls | Risk Owner | Analysis of Consequence (Major, High, Moderate, Minor, Low) | Likelihood or Level (Very High, High, Moderate, Low, Very Low) | Proposed Treatment | Analysis | Responsibility | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Information | Network, People, Data Sets | Security Violation | Compromise of the information properties, such as confidentiality, integrity, and availability | Access controls | Security Expert | Major | High | Risk Avoidance & Mitigation | Risk review and inspection | Security Expert | Active |
| 2 | Finance | Project changes, resource inefficiencies | Budget Overrun | Poor customer satisfaction level, deterioration of the organization reputation in the market, employee disengagement | Project reviews and audits | Project Manager | High | Low | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 3 | Project | Project changes, resource inefficiencies | Schedule Overrun | Poor customer satisfaction level, deterioration of the organization reputation in the market, employee disengagement | Project reviews and audits | Project Manager | High | Low | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 4 | Legal | Project Resources | Non-adherence to legal norms | Legal punishments and obligations for the organization | Project reviews and audits | Legal Inspector | Major | Very Low | Risk Avoidance | Risk review and inspection | Legal Inspector | Active |
| 5 | Quality | Project Resources | Non-adherence to quality standards | Poor customer satisfaction level, deterioration of the organization reputation in the market | Project reviews and audits | Quality Manager | Major | Low | Risk Avoidance | Risk review and inspection | Quality Manager | Active |
| 6 | Ethics | Project Resources | Non-adherence to ethical principles | Poor customer satisfaction level, deterioration of the organization reputation in the market | Project reviews and audits | Project Leader | Major | Low | Risk Avoidance | Risk review and inspection | Project Leader | Active |
| 7 | Environmental | Nature | Environmental hazards | Delay in project deliveries, data loss and leakage, health and safety issues | Fire alarms, earthquake resistant architecture | HR Manager | Major | Low | Risk Avoidance | Risk review and inspection | HR Manager | Active |
| 8 | Resource | Organizational/project policies, senior management | Drop in productivity or scarcity of resources | Inability to meet the project deadlines, poor reputation of the organization in the market | Employee assessment programs | Project Manager | High | Moderate | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 9 | Resource | Poor training of the resources | Operational Errors | Major re-work causing enhancement of costs and schedule | Employee assessment programs | Project Manager | Moderate | High | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 10 | Organization | Organizational Environment | Health & Safety Issues | Temporary or permanent injuries | First aid in the organization, non-slippery floors | HR Manager | Major | Low | Risk Avoidance | Risk review and inspection | HR Manager | Active |
| 11 | Project | Project policies and resources | Ineffective Communication | Confusions for the employees | Daily team meetings | Project Manager | Moderate | Moderate | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 12 | Market | Market trends, customers | Market Fluctuations | Increased changes in the project causing re-work for the team members | Market analytics using automated data analytics tools | Market Analyst | High | High | Risk Avoidance and Mitigation | Risk review and inspection | Market Analyst | Active |
| 13 | Technological | Technical tools | Technical Failures | Disruption of the project continuity | Availability of alternate tools | Technical Expert | Moderate | Moderate | Risk Transfer | Risk review and inspection | Technical Expert | Active |
Risk Register 2
The risk register below has been developed for a mobile application project delivered for a client.
| Identification Number | Risk Category | Risk Source | Risk Event | Description of Effect/Consequences | Existing Controls | Risk Owner | Analysis of Consequence (Major, High, Moderate, Minor, Low) | Likelihood or Level (Very High, High, Moderate, Low, Very Low) | Proposed Treatment | Analysis | Responsibility | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Information | Network, People, Data Sets | Security Violation | Compromise of the information properties, such as confidentiality, integrity, and availability | Access controls | Security Expert | Major | High | Risk Avoidance & Mitigation | Risk review and inspection | Security Expert | Active |
| 2 | Mobile Application | Project Requirements, Project Resources | Design Errors | Poor Customer Satisfaction Level | Responsive Web Design Principles, Design Overview | System Designer | High | Moderate | Risk Avoidance | Risk review and inspection | System Designer | Active |
| 3 | Mobile Application | Application Code & Design | Performance Lags | Poor Customer Satisfaction Level | Performance Testing | Performance Tester, Application Developer | Very High | Moderate | Risk Avoidance | Risk review and inspection | Performance Tester | Active |
| 4 | Technological | Technical tools | Technical Failures | Disruption of the project continuity | Availability of alternate tools | Technical Expert | Moderate | Moderate | Risk Transfer | Risk review and inspection | Technical Expert | Active |
| 5 | Finance | Project changes, resource inefficiencies | Budget Overrun | Poor customer satisfaction level, deterioration of the organization reputation in the market, employee disengagement | Project reviews and audits | Project Manager | High | Low | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 6 | Project | Project changes, resource inefficiencies | Schedule Overrun | Poor customer satisfaction level, deterioration of the organization reputation in the market, employee disengagement | Project reviews and audits | Project Manager | High | Low | Risk Avoidance | Risk review and inspection | Project Manager | Active |
Methods of Risk Identification
Three different methods of risk identification are listed and described below.
- SWOT Analysis: This is a qualitative analysis technique that identifies the strengths, weaknesses, opportunities, and threats associated with a particular project. The information used for the technique is collected from various project sources and external resources; the strengths and opportunities may be used to ensure better performance and avoid the risks, while the weaknesses and threats are assessed to develop strategies to prevent and avoid them.
- Decision Trees: These are the graphical structures that are developed in a tree-like architecture wherein the probable events and the respective causes are represented. The risks may be identified in terms of the possible outcomes of every action associated with a project.
- Probability & Impact Matrix: A matrix of probability of the events and the possible consequences of the events is formed to identify the risks associated with a project and to develop the priorities for the same (Bock & Truck, 2011).
Analysis of Risk Events
The risk events for the RNSH project are depicted in the risk register in the previous sections. The analysis has been done on the basis of the SWOT analysis technique.
The following information gathering techniques were used to understand the existing controls and analyse the risks.
- Interviews: The internal and external stakeholders associated with the project were identified and interviewed. These stakeholders included the internal staff members of RNSH, medical authorities, regulatory bodies, supplier groups, etc. A list of interview questions was prepared for each of these entities and the interviews were conducted. The responses provided by these entities were recorded through automated analytics tools (Cagliano, Grimaldi & Rafele, 2014).
- Domain Analysis: The domain of the organization is healthcare and the domain of the project is security. These two domains were analysed to understand the existing controls available to the organization to deal with risk situations.
- Brainstorming Sessions: Brainstorming sessions were held in groups with the different entities to come up with unexplored ideas and determine the controls available to the organization.
Documentation of Risk Evaluation
Risk Evaluation was carried out in the project after the determination and identification of the project risks and assessing the same on the basis of the consequences and probability of every risk.
The consequences of the risks in the risk register were marked with the values as Major, High, Moderate, Minor, or Low. Similarly, the likelihood of the risks was marked as Very High, High, Moderate, Low, or Very Low.
Each of these ratings was assigned a numerical score, and a risk score was calculated for every risk as consequence x likelihood (Carvalho & Rabechini Junior, 2014).
| Consequence | Likelihood | Score |
|---|---|---|
| Major | Very High | 5 |
| High | High | 4 |
| Moderate | Moderate | 3 |
| Minor | Low | 2 |
| Low | Very Low | 1 |
| Identification Number | Risk Category | Risk Source | Risk Event | Analysis of Consequence (Major, High, Moderate, Minor, Low) | Impact Score | Likelihood or Level (Very High, High, Moderate, Low, Very Low) | Likelihood Score | Risk Score |
|---|---|---|---|---|---|---|---|---|
| 1 | Information | Network, People, Data Sets | Security Violation | Major | 5 | High | 4 | 20 |
| 2 | Finance | Project changes, resource inefficiencies | Budget Overrun | High | 4 | Low | 2 | 8 |
| 3 | Project | Project changes, resource inefficiencies | Schedule Overrun | High | 4 | Low | 2 | 8 |
| 4 | Legal | Project Resources | Non-adherence to legal norms | Major | 5 | Very Low | 1 | 5 |
| 5 | Quality | Project Resources | Non-adherence to quality standards | Major | 5 | Low | 2 | 10 |
| 6 | Ethics | Project Resources | Non-adherence to ethical principles | Major | 5 | Low | 2 | 10 |
| 7 | Environmental | Nature | Environmental hazards | Major | 5 | Low | 2 | 10 |
| 8 | Resource | Organizational/project policies, senior management | Drop in productivity or scarcity of resources | High | 4 | Moderate | 3 | 12 |
| 9 | Resource | Poor training of the resources | Operational Errors | Moderate | 3 | High | 4 | 12 |
| 10 | Organization | Organizational Environment | Health & Safety Issues | Major | 5 | Low | 2 | 10 |
| 11 | Project | Project policies and resources | Ineffective Communication | Moderate | 3 | Moderate | 3 | 9 |
| 12 | Market | Market trends, customers | Market Fluctuations | High | 4 | High | 4 | 16 |
| 13 | Technological | Technical tools | Technical Failures | Moderate | 3 | Moderate | 3 | 9 |
Agreement of Priorities for Treatment
The priority for risk treatment is determined on the basis of the risk score that is identified above. The risks with higher score are given higher priority and vice versa.
| Identification Number | Risk Category | Risk Source | Risk Event | Impact Score | Likelihood Score | Risk Score | Evaluated Priority for the Risk |
|---|---|---|---|---|---|---|---|
| 1 | Information | Network, People, Data Sets | Security Violation | 5 | 4 | 20 | 1 |
| 2 | Finance | Project changes, resource inefficiencies | Budget Overrun | 4 | 2 | 8 | 6 |
| 3 | Project | Project changes, resource inefficiencies | Schedule Overrun | 4 | 2 | 8 | 6 |
| 4 | Legal | Project Resources | Non-adherence to legal norms | 5 | 1 | 5 | 7 |
| 5 | Quality | Project Resources | Non-adherence to quality standards | 5 | 2 | 10 | 4 |
| 6 | Ethics | Project Resources | Non-adherence to ethical principles | 5 | 2 | 10 | 4 |
| 7 | Environmental | Nature | Environmental hazards | 5 | 2 | 10 | 4 |
| 8 | Resource | Organizational/project policies, senior management | Drop in productivity or scarcity of resources | 4 | 3 | 12 | 3 |
| 9 | Resource | Poor training of the resources | Operational Errors | 3 | 4 | 12 | 3 |
| 10 | Organization | Organizational Environment | Health & Safety Issues | 5 | 2 | 10 | 4 |
| 11 | Project | Project policies and resources | Ineffective Communication | 3 | 3 | 9 | 5 |
| 12 | Market | Market trends, customers | Market Fluctuations | 4 | 4 | 16 | 2 |
| 13 | Technological | Technical tools | Technical Failures | 3 | 3 | 9 | 5 |
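The scoring rule from the Documentation of Risk Evaluation section and the priority rule from the section above, carried through in code. This is an added example, not part of the original report: it maps the report's consequence and likelihood ratings to the tabulated 1-5 scores, multiplies them, and assigns priorities by dense ranking (equal scores share a rank, which is how the report's priority column is filled). The register rows are copied from the RNSH register; the function and class names are this example's own.

```python
"""Risk scoring and prioritisation for a risk register.

Added example, not code from the original report. It reproduces the
report's rule: consequence and likelihood ratings map to 1-5, the risk
score is consequence score x likelihood score, and priority is assigned
by dense ranking of the score (equal scores share a rank).
"""
from dataclasses import dataclass

# Rating scales exactly as tabulated in the report.
CONSEQUENCE_SCORE = {"Major": 5, "High": 4, "Moderate": 3, "Minor": 2, "Low": 1}
LIKELIHOOD_SCORE = {"Very High": 5, "High": 4, "Moderate": 3, "Low": 2, "Very Low": 1}


@dataclass
class RiskEntry:
    risk_id: int
    event: str
    consequence: str
    likelihood: str

    def score(self) -> int:
        """Risk score = consequence score x likelihood score.

        A rating outside the report's scale (e.g. a 'Very High'
        consequence, which the consequence scale does not define) raises
        KeyError instead of silently scoring the risk as zero.
        """
        return CONSEQUENCE_SCORE[self.consequence] * LIKELIHOOD_SCORE[self.likelihood]


def scores(register):
    """{risk_id: risk score} for every entry in the register."""
    return {r.risk_id: r.score() for r in register}


def prioritise(register):
    """{risk_id: priority} by dense ranking: the highest score gets
    priority 1 and risks with equal scores share the same priority."""
    distinct = sorted({r.score() for r in register}, reverse=True)
    rank = {s: i + 1 for i, s in enumerate(distinct)}
    return {r.risk_id: rank[r.score()] for r in register}


def treatment_order(register):
    """Risk ids in the order they should be treated: highest score first,
    ties broken by identification number."""
    return [r.risk_id for r in sorted(register, key=lambda r: (-r.score(), r.risk_id))]


# Rows copied from the RNSH register: (identification number, event, consequence, likelihood).
RNSH_REGISTER = [
    RiskEntry(1, "Security Violation", "Major", "High"),
    RiskEntry(2, "Budget Overrun", "High", "Low"),
    RiskEntry(3, "Schedule Overrun", "High", "Low"),
    RiskEntry(4, "Non-adherence to legal norms", "Major", "Very Low"),
    RiskEntry(5, "Non-adherence to quality standards", "Major", "Low"),
    RiskEntry(6, "Non-adherence to ethical principles", "Major", "Low"),
    RiskEntry(7, "Environmental hazards", "Major", "Low"),
    RiskEntry(8, "Drop in productivity or scarcity of resources", "High", "Moderate"),
    RiskEntry(9, "Operational Errors", "Moderate", "High"),
    RiskEntry(10, "Health & Safety Issues", "Major", "Low"),
    RiskEntry(11, "Ineffective Communication", "Moderate", "Moderate"),
    RiskEntry(12, "Market Fluctuations", "High", "High"),
    RiskEntry(13, "Technical Failures", "Moderate", "Moderate"),
]

if __name__ == "__main__":
    priority = prioritise(RNSH_REGISTER)
    for r in sorted(RNSH_REGISTER, key=lambda r: (priority[r.risk_id], r.risk_id)):
        print(f"{r.risk_id:>2}  {r.event:<48} score={r.score():>2}  priority={priority[r.risk_id]}")
```

Running the script lists the security violation (score 20) at priority 1 and market fluctuations (16) at priority 2, matching the report's table; the KeyError on an out-of-scale rating is deliberate, so that a register row like the "Very High" consequence in Risk Register 2 is flagged rather than scored silently.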
Options for Risk Treatment
There are five possible treatment options that may be applied on the risks.
- Risk Avoidance (Negative Consequences/Threats): The treatment strategy is applied by using and implementing the control so that the risk situation does not occur. This treatment option is used for the risks that may have negative outcomes and consequences.
- Pursuing Opportunities (Positive Consequences): There may be certain risks that may provide enhanced opportunities to the project if they occur. In such cases, the respective opportunity shall be pursued and explored.
- Minimising/Risk Mitigation: The likelihood or consequence of the risks can be controlled by using preventive and detective measures (Pimchangthong & Boonjing, 2017).
- Sharing/Transferring the Risk: The risk responsibility may be transferred to another party where a specific tool or component is owned by a third party.
- Risk Acceptance: The risks that may be neutral and may cause no damage may be accepted.
Risks such as the security risks associated with the project have been mapped to the treatment strategy of risk avoidance and risk mitigation. The risks may be avoided through the use and application of multi-factor authentication, advanced identity and access control, advanced network security tools, and so on. However, certain risks may occur in spite of the implementation of all of these controls. Such events may be controlled with minimising and mitigation techniques such as data backups and encryption of the information sets (Sanchez, Robert, Bourgault & Pellerin, 2009).
Similarly, the risks that may not have any impact may be accepted in the project.
Scenarios for Risk Acceptance
There may be certain scenarios wherein the risks may be accepted.
For example, in investment projects there are certain investments that are subject to the risk of market alterations but will neither provide any profit nor cause any loss. Such risks may be accepted by the project team. Similarly, there may be situations wherein cosmetic defects are present in a website or a mobile application that have no impact on the customer satisfaction level. Such risks will be accepted and the resolution may be provided in the next builds (Hilson, 2012).
Risk Analysis Techniques
Risk Treatment Plan
Scenario 1
Risk Details
| Identification Number | Risk Category | Risk Source | Risk Event | Description of Effect/Consequences | Existing Controls | Risk Owner | Analysis of Consequence (Major, High, Moderate, Minor, Low) | Likelihood or Level (Very High, High, Moderate, Low, Very Low) | Proposed Treatment | Analysis | Responsibility | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Information | Network, People, Data Sets | Security Violation | Compromise of the information properties, such as confidentiality, integrity, and availability | Access controls | Security Expert | Major | High | Risk Avoidance & Mitigation | Risk review and inspection | Security Expert | Active |
Recommended Risk Treatment/Response Strategy
Risk Avoidance and Mitigation
Steps for Risk Treatment
The following steps shall be followed for treating the risk.
- The possible security events that may come up shall be listed.
- The security events shall be mapped to the avoidance and mitigation strategy as shown below.
  - Malware Attacks: Anti-malware tools
  - Denial of Service Attacks: Denial of Service protection tools
  - Network eavesdropping and man-in-the-middle attacks: Intrusion Detection & Prevention tools
  - Data Breaches & Leakage: Access control, multi-factor authentication, data encryption and backups (Govan & Damnjanovic, 2016)
- The other security controls that shall be implemented are device security, firewalls, and anti-phishing tools.
- The security controls shall be implemented.
Monitoring & Control
The controls and treatment strategies that are mapped with the risk shall be monitored and controlled by carrying out the weekly reviews and audits on the risk status.
Communication & Reporting
There shall be a formal risk report prepared every week on the risk status and activities. The risk shall be marked as closed when all of the activities are accomplished.
Scenario 2
| Identification Number | Risk Category | Risk Source | Risk Event | Description of Effect/Consequences | Existing Controls | Risk Owner | Analysis of Consequence (Major, High, Moderate, Minor, Low) | Likelihood or Level (Very High, High, Moderate, Low, Very Low) | Proposed Treatment | Analysis | Responsibility | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Finance | Project changes, resource inefficiencies | Budget Overrun | Poor customer satisfaction level, deterioration of the organization reputation in the market, employee disengagement | Project reviews and audits | Project Manager | High | Low | Risk Avoidance | Risk review and inspection | Project Manager | Active |
Recommended Risk Treatment/Response Strategy
Risk Avoidance
Steps for Risk Treatment
The following steps shall be followed for treating the risk.
- The possible events that may lead to a budget overrun shall be listed.
- The events shall be mapped to the avoidance measures as shown below.
  - Increased number of project changes: Change planning, execution, and management
  - Drop in resource productivity: Resource training and assessment programs
  - Communication issues: Enhanced communication guidelines
- The budget estimated for the project shall also be analysed in terms of the funds allocated to every activity.
- A gap analysis shall be carried out regularly to find out the cost variance, if any.
Monitoring & Control
The controls and treatment strategies that are mapped with the risk shall be monitored and controlled by carrying out the weekly reviews and audits on the risk status.
Communication & Reporting
There shall be a formal risk report prepared every week on the risk status and activities. The risk shall be marked as closed when all of the activities are accomplished.
Monitoring of Treatment Actions
In the absence of a detailed risk treatment plan, the risks shall be monitored by evaluating the strategies in daily team meetings.
The resources responsible for treating the risks shall communicate the plan of action during the meeting. A senior leader or manager must monitor and inspect the entire activity, and reviews shall be carried out at frequent intervals (Raz, Shenhar & Dvir, 2011).
Extension of Qualitative Risk Analysis to Quantitative Analysis
Qualitative risk analysis methods are extended to quantitative analysis when the former do not succeed in controlling the risks. Quantitative analysis strategies such as the Project Evaluation & Review Technique (PERT) and Monte Carlo Simulation are in place for this purpose.
Monte Carlo Simulation is used to develop cost contingency and schedule contingency. A probability factor, a target value, and low/high estimates are assigned for every milestone. PERT is used to find three durations for each scheduled activity: the most pessimistic, most probable, and most optimistic values of the schedule.
Task 2: Monitor & Control Project Risks
Up-to-date with Risks
There is a daily meeting that is carried out among the project team members to discuss the issues present in a project, conflicts among the resources, project progress, and risk areas.
Monitoring of Treatment Actions
The risks identified and assessed by every group or individual are discussed and communicated to all. The status of the risks identified previously and being handled by the project team members is also communicated to the resources. The likelihood and consequences of the identified risks keep changing on the basis of the project variables and factors.
The minutes of meeting from one such daily meeting discussing the active project risks are included below.
Minutes of Meeting
Meeting Date
12th May 2018
Meeting Duration & Time
Start Time: 9:00 AM
End Time: 9:45 AM
Duration: 45 Minutes
Updated Risk Register
| Identification Number | Risk Category | Risk Source | Risk Event | Description of Effect/Consequences | Existing Controls | Risk Owner | Analysis of Consequence (Major, High, Moderate, Minor, Low) | Likelihood or Level (Very High, High, Moderate, Low, Very Low) | Proposed Treatment | Analysis | Responsibility | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Information | Network, People, Data Sets | Security Violation | Compromise of the information properties, such as confidentiality, integrity, and availability | Access controls | Security Expert | Major | High | Risk Avoidance & Mitigation | Risk review and inspection | Security Expert | Active |
| 2 | Finance | Project changes, resource inefficiencies | Budget Overrun | Poor customer satisfaction level, deterioration of the organization reputation in the market, employee disengagement | Project reviews and audits | Project Manager | High | Low | Risk Avoidance | Risk review and inspection | Project Manager | Closed |
| 3 | Project | Project changes, resource inefficiencies | Schedule Overrun | Poor customer satisfaction level, deterioration of the organization reputation in the market, employee disengagement | Project reviews and audits | Project Manager | High | Low | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 4 | Legal | Project Resources | Non-adherence to legal norms | Legal punishments and obligations for the organization | Project reviews and audits | Legal Inspector | Major | Very Low | Risk Avoidance | Risk review and inspection | Legal Inspector | Active |
| 5 | Quality | Project Resources | Non-adherence to quality standards | Poor customer satisfaction level, deterioration of the organization reputation in the market | Project reviews and audits | Quality Manager | Major | Low | Risk Avoidance | Risk review and inspection | Quality Manager | Active |
| 6 | Ethics | Project Resources | Non-adherence to ethical principles | Poor customer satisfaction level, deterioration of the organization reputation in the market | Project reviews and audits | Project Leader | Major | Low | Risk Avoidance | Risk review and inspection | Project Leader | Closed |
| 7 | Environmental | Nature | Environmental hazards | Delay in project deliveries, data loss and leakage, health and safety issues | Fire alarms, earthquake resistant architecture | HR Manager | Major | Low | Risk Avoidance | Risk review and inspection | HR Manager | Active |
| 8 | Resource | Organizational/project policies, senior management | Drop in productivity or scarcity of resources | Inability to meet the project deadlines, poor reputation of the organization in the market | Employee assessment programs | Project Manager | High | Moderate | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 9 | Resource | Poor training of the resources | Operational Errors | Major re-work causing enhancement of costs and schedule | Employee assessment programs | Project Manager | Moderate | High | Risk Avoidance | Risk review and inspection | Project Manager | Closed |
| 10 | Organization | Organizational Environment | Health & Safety Issues | Temporary or permanent injuries | First aid in the organization, non-slippery floors | HR Manager | Major | Low | Risk Avoidance | Risk review and inspection | HR Manager | Closed |
| 11 | Project | Project policies and resources | Ineffective Communication | Confusions for the employees | Daily team meetings | Project Manager | Moderate | Moderate | Risk Avoidance | Risk review and inspection | Project Manager | Active |
| 12 | Market | Market trends, customers | Market Fluctuations | Increased changes in the project causing re-work for the team members | Market analytics using automated data analytics tools | Market Analyst | High | High | Risk Avoidance and Mitigation | Risk review and inspection | Market Analyst | Closed |
| 13 | Technological | Technical tools | Technical Failures | Disruption of the project continuity | Availability of alternate tools | Technical Expert | Moderate | Moderate | Risk Transfer | Risk review and inspection | Technical Expert | Closed |
Highest Priority Risk
Security Risks & Attacks
Treatment Strategy for the Risk
- The possible security events that may come up shall be listed.
- The security events shall be mapped to the avoidance and mitigation strategy as shown below.
  - Malware Attacks: Anti-malware tools
  - Denial of Service Attacks: Denial of Service protection tools
  - Network eavesdropping and man-in-the-middle attacks: Intrusion Detection & Prevention tools
  - Data Breaches & Leakage: Access control, multi-factor authentication, data encryption and backups
- The other security controls that shall be implemented are device security, firewalls, and anti-phishing tools.
- The security controls shall be implemented.
Resource Responsible
Security Expert
Review of Risk Register & Risk Management Plan
The risk register and risk management plan are updated weekly. A weekly meeting is facilitated by the Project Manager and includes internal as well as external stakeholders.
The comments from all the resources are gathered and the risk register along with the management plan is accordingly updated.
Example of a Risk Managed
Name of the Risk
Financial Risk – Budget Overrun
Original Treatment Strategy
Risk Avoidance
Factors that Occurred after Original Strategy
There were massive changes in the original project requirements that came up after the original strategy as risk avoidance was determined to control and treat the risk.
The change was approved by the Project Sponsor and it could not be carried out without an extra share of budget (Lombard, 2008).
Reflection
The alternate strategy was then utilized to treat the risk as it included the mitigation measures along with the avoidance measures. The budget for the pending activities was re-designed and there was a tolerance of 10% variation in the budget that was acceptable.
It allowed the project team to carry out the change that was requested by the client along with the regular project activities without causing any alteration to the overall project budget.
Risk identified after the Project was commenced
The risk detected in the project after it commenced was an access control issue. The risk could not be detected earlier because the infrastructure at the client side was modified at the last moment. The potential impact of the risk would be a compromise of the security of the client's organization and the associated data and information sets.
The risk could be treated after the completion of the project because the end-product delivered to the customer was flexible and scalable. The project team went to the client site and fixed the issue using automated access control measures.
Quantitative Risk Analysis
Task 3: Assess Risk Management Outcomes
Review Project Outcomes
The project outcomes were reviewed on the basis of the critical success factors of the project.
Project Review
The following Key Performance Indicators (KPIs) and critical success factors were used to review the project, its success, and the success of the implementation of risk treatment strategy.
- Cost Variance: Earned Value Management (EVM) was used to determine the gaps present between the estimated and actual values of the project costs. The difference between the two was calculated and there was negligible variance observed indicating project success.
- Schedule Variance: Earned Value Management (EVM) was used to determine the gaps present between the estimated and actual values of the project schedule. The difference between the two was calculated and there was negligible variance observed indicating project success.
- 360-degree Feedback: There was feedback collected from every project entity, such as the project sponsor, supplier groups, end users, partners, internal resources, and management. The feedback provided was mostly positive and there were a few areas of improvements detected. This was also an indication of success (Kwan & Leung, 2011).
- Net Present Value (NPV): The difference between the cash inflows and outflows was used to calculate the NPV, which was found to be positive, indicating project success.
- Internal Rate of Return (IRR): The difference between the cash inflows and outflows was used to calculate the IRR, which was found to be 18%, indicating project success.
Lessons Learned
Many lessons were learned over the project timeline.
From the risk management perspective, the lessons concerned the risk management methodology and the phases that should be used. A project needs a defined risk management plan in order to deal with the risks that may arise during the project life cycle. The phases that must be included and described in such a plan are risk identification, risk assessment, risk evaluation, risk treatment, risk monitoring and risk closure. Risks should be identified, assessed and evaluated using techniques such as SWOT analysis, information gathering, PERT and others. A risk register should be maintained, recording for each risk its name, description, impact, likelihood, responsible resource, status, risk score and priority.
There are five possible treatment strategies that may be applied:
- Avoidance (negative consequences/threats): a control is implemented so that the risk situation does not occur. This option is used for risks with negative outcomes.
- Pursuing the opportunity: certain risks may provide enhanced opportunities to the project if they occur. In such cases the opportunity should be pursued and explored.
- Reduction: the likelihood or consequence of a risk is controlled using preventive and detective measures.
- Transfer: responsibility for a risk is transferred to another party, for example where a specific tool or component is owned by a third party.
- Acceptance: risks that are neutral and would cause no damage may be accepted.
Identification & Documentation of Risk-Management Issues
The possible risk management issues are identified and documented during the project closure stage.
In the closure stage a final review and assessment is carried out for every project activity, together with a reflection on the project activities, the performance of the resources, and the lessons acquired. The possible risk management issues are identified on the basis of the final risk review report. Any risks left untreated or pending at closure should be assessed to understand the gaps they represent.
The results are then documented in a formal report.
Future Improvements
The risk management process is subject to improvement, as newer technical tools that can support it are continually being developed.
Customer expectations, organizational policies, and quality and legal standards are also changing rapidly. All of these factors create opportunities to improve the risk management process applied to future projects.
A continuous improvement plan should be developed for this purpose, comprising the steps identify, plan, act and review: the possible areas for improvement are identified in the first stage, the execution plan is determined in the second, and the actions to be taken and the review process are then listed.
Some of the possible improvements concern the use of technology in the risk management process, such as automated reporting and communication tools and project management and organization tools. The review, inspection and audit cycles can also be improved in terms of their frequency: more reviews should be carried out, and surprise audits should be executed to detect flaws and errors in the process.
The risk register should be updated weekly, and it should be shared only through secure communication methods, such as an access-controlled SharePoint location, so that the security and privacy of the information and data sets are maintained.
References
Apm. (2018). Risk context | APM.
Bock, K., & Truck, S. (2011). Assessing Uncertainty and Risk in Public Sector Investment Projects. Technology and Investment, 2(2), 105-123. doi: 10.4236/ti.2011.22011
Cagliano, A., Grimaldi, S., & Rafele, C. (2014). Choosing project risk management techniques. A theoretical framework. Journal of Risk Research, 18(2), 232-248. doi: 10.1080/13669877.2014.896398
Carvalho, M., & Rabechini Junior, R. (2014). Impact of risk management on project performance: the importance of soft skills. International Journal of Production Research, 53(2), 321-340. doi: 10.1080/00207543.2014.919423
Financegov. (2010). AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.
Govan, P., & Damnjanovic, I. (2016). The Resource-Based View on Project Risk Management. Journal of Construction Engineering and Management, 142(9), 04016034. doi: 10.1061/(asce)co.1943-7862.0001136
Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management, 20(3), 235-240. doi: 10.1016/s0263-7863(01)00074-6
Kwan, T., & Leung, H. (2011). A Risk Management Methodology for Project Risk Dependencies. IEEE Transactions on Software Engineering, 37(5), 635-648. doi: 10.1109/tse.2010.108
Lombard, P. (2008). Project scheduling and cost control: Planning, monitoring and controlling the baseline. Project Management Journal, 39(2), 115. doi: 10.1002/pmj.20049
Pimchangthong, D., & Boonjing, V. (2017). Effects of Risk Management Practice on the Success of IT Project. Procedia Engineering, 182, 579-586. doi: 10.1016/j.proeng.2017.03.158
Raz, T., Shenhar, A., & Dvir, D. (2002). Risk management, project success, and technological uncertainty. R&D Management, 32(2), 101-109. doi: 10.1111/1467-9310.00243
Sanchez, H., Robert, B., Bourgault, M., & Pellerin, R. (2009). Risk management applied to projects, programs, and portfolios. International Journal of Managing Projects in Business, 2(1), 14-35. doi: 10.1108/17538370910930491