29047841-Risk-Management-Plan-03-25-2009

7/31/2019 29047841-Risk-Management-Plan-03-25-2009

http://slidepdf.com/reader/full/29047841-risk-management-plan-03-25-2009 1/18

2009 C‐IV

Procurement

Project

RISK MANAGEMENT

PLAN

This document sets out the procedures and processes whereby initial and ongoing risks will be identified,

categorized, quantified, controlled, and reported throughout the C‐IV Procurement Project.



11290 Pyrites Way, Suite 150, Rancho Cordova, CA 95670

C‐IV Procurement Project 2009

Blank Page





Revision History

RELEASE DATE

AUTHOR

SUMMARY OF CHANGE

3/25/2009 Leslie Johnson Initial Release





Blank Page





Table of Contents

1 Introduction ............................................................................................................................. 1 2 Risk

Management

Objective.................................................................................................... 2

3 Risk Management Process....................................................................................................... 3 3.1 RISK Process Flow............................................................................................................ 4

4 Risk Escalation ......................................................................................................................... 9 5 C‐IV Procurement Risk Management Forms ......................................................................... 10





Blank Page




11290 Pyrites Way, Suite 150, Rancho Cordova, CA 95670 1 | P a g e

1 Introduction

This document sets out the procedures and processes whereby initial and ongoing risks will be

identified, categorized, quantified, monitored, and reported.

It is

important

to

distinguish

between

issues

and

risks.

Issues

are

items

that

have

occurred

and

require resolution. Risks are uncertain events or conditions that, if they occur, have a positive

or negative effect on a project objective. Risk Management is a proactive look at identifying

possible events that could affect the project. If a risk is realized, it may become an issue and it

will be documented in the C ‐IV Procurement Project Issue Management Plan. Refer to

the

C ‐IV Procurement Project Issue Management Plan located in th e C‐IV Procurement

Library at http://www.c‐iv.org/ProcurementLibrary.shtml for more details.

The purpose of risk management is to:

1. Identify and

analyze

potential

threats

to

the

success

of

the

project;

2. Develop mitigation strategies and plans;

3. Mitigate or eliminate negative impacts on the project;

4. Ensure all Project Stakeholders are involved in risk management as appropriate; and

5. Develop contingency plans for risks where it is unlikely or uncertain that the mitigation

will be effective.

The C‐IV Procurement Management team is responsible for a continuous risk appraisal process

throughout the C‐IV Procurement Project lifecycle. During the initial phase of the Project, the

C‐IV

Procurement

Management

team

is

composed

of

the

C‐IV

Project

Director

and

the

C‐IV

Procurement Manager. During this phase, the activities will be focused on Project initiation and

acquiring the services of a Planning Consultant through a competitive procurement. Once a

Planning Consultant is contracted, the C‐IV Procurement Project will move into the next phase,

in which all activities will be focused on acquiring the services of a Maintenance and Operations

(M&O) contractor. At this point in the project, the C‐IV Procurement Management team will

include Planning Consultant staff.

This document will be reviewed at least annually and updated as needed. Currently, Project

Risk Meetings are held monthly.




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

2 | P a g e

2 Risk Management Objective

The objectives of Risk Management are:

1. To minimize threats to the C‐IV Procurement Project objectives;

2. To provide a systematic approach for:

• Identifying, categorizing, and assessing risks;

• Quantifying cost‐effective risk mitigation actions; and

• Monitoring and reporting progress in reducing risk.

The overall goal of the Risk Management strategy is to apply a proactive approach to reducing

exposure to events that threaten the accomplishment of the C‐IV Procurement Project’s

objectives by:

1. Incorporating routine business practices that minimize or avoid risks;

2. Ensuring risks are identified in a timely manner, should they occur;

3. Developing proactive and contingent responses to identified risks; and

4. Rapidly implementing risk responses.

Additionally, it is important not to attempt to document all possible risks and outcomes, as this

can often introduce improbable scenarios, which:

1. Create unnecessary

concern

and

confusion;

2. Shift focus away from the real or probable risks;

3. Dilute the pool of risks; leading to diminishing returns on effort, and

4. Reduce credibility for the risk mitigation process.




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

3 | P a g e

3 Risk Management Process

The Risk Management process is an interactive cycle that will be performed during regular

review meetings

throughout

the

C‐IV

Procurement

Project

lifecycle.

New

risks

may

arise

from

a

variety of sources:

1. New risks previously missed or unforeseen;

2. New risks identified during project activities, such as:

• Meetings;

• Workgroup sessions; and

• Document reviews.

3. New risks arising from the investigation or mitigation of an existing risk.

The C‐IV Procurement Project Risk Management Plan is adapted from the Software Engineering

Institute (SEI) Risk Management approach:

1. Identify ‐ Risk identification is an ongoing process, which is monitored and updated

regularly. Risk identification provides opportunities, cues, and information that bring up

major risks before they adversely affect the C‐IV Procurement Project.

2. Track/Control ‐ Risk tracking and control follows the progress of the risk and its

probability, as well as the status of any mitigation/contingency strategies that have been

executed. When changes to the risk profile occur, the basic cycle of identify, analyze,

and plan will be repeated. Existing action plans may be modified to change the approach

if the

desired

effect

is

not

being

achieved.

3. An aly ze ‐ Risk analysis includes the determination of:

• Impact to cost, schedule, or resources;

• Probability of occurrence;

• Level of control;

• Exposure of potential risk item occurrence; and

• Priority of each risk.

4. Plan‐

Risk planning

consists

of

the

development

of

detailed

plans

for

either

mitigation

and/or contingency actions for a specific risk.

5. Implement ‐ Plan implementation is the act of executing the decisions made and

documented in the risk mitigation plans. A mitigation plan will be either tied to a trigger

event and executed upon occurrence of that event, or implemented immediately.

6. Report ‐ In an effort to provide visibility of risks and progress in mitigating them, both

verbal and written reports will be provided as needed, at least on a monthly basis.




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

4 | P a g e

3.1 RISK Process Flow

Manage Risks

1. Identify Risk

Risk or Issue?

2. Analyze Risk

3. DetermineApproach andCreate Risk

Mitigation Plan

4. Create RiskContingency Plan

Risk MitigationRequired?

5. Implement RiskMitigation Plan

IssueManagement

Issue

Risk

6. Monitor Risk

EscalationManagement

Risk ConditionTriggered?

Handle asIssue?

7. Implement RiskContingency Plan

IssueManagement

8. Close Risk

No

No

Yes

No

Yes

Yes

Step Responsible Action

1. Risk Originator Identify Risk

Any person associated with the C‐IV Procurement Project is expected to

identify and document potential risks. Any Project team member or

stakeholder may inform the C‐IV Procurement Manager or PMO of a

potential risk. Identified risks will be documented in meeting minutes

and/or submitted directly to the C‐IV Procurement Manager or PMO via e‐

mail using the C‐IV Procurement Risk Form (see attached Appendix A) .

Risks are then categorized according to the potential impact on the C‐IV

Procurement Project. Risks can be categorized as cost, schedule,

technology,

operations,

or

external.




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

5 | P a g e

2. C‐IV

Procurement

Manager

and/or PMO

Track an d Control

The risk are logged into the C ‐IV Procurement Risk Matrix and assigned a

status of Identified . During Phase 1, the C‐IV Procurement Manager will have responsibility for documenting and tracking risk identification activities and coordinating risk

analysis.

During Phase 2, the Project Management Office (PMO) support provided by

the Planning Consultant will have this responsibility.

3. C‐IV

Procurement

Manager

and/or PMO

Analyze Risk Similar and related risks are grouped prior to analyzing the probability,

impact, and

level

of

control

for

each

risk.

Risk Impact measures the effect that a risk will have on the project. Each

risk will be rated on its impact, if it does occur.

IMPACT RATING SCALE

Low (1) The risk does not represent a material impact on the project

budget, schedule, or quality.

Medium

(2)

The risk would disrupt project progress, extend the schedule,

or reduce

the

budget

over

the

short

term,

but

is

manageable.

High (3) The risk represents a significant negative impact on project

budget, schedule, or quality and threatens overall project

success.

Risk Probability is the likelihood that an event will actually occur. Each risk

will be rated on the probability of it occurring.

PROBABILITY RATING SCALE

Low

(1)

The

risk

is

unlikely

to

occur

or

will

probably

not

occur.

Medium

(2) The risk may occur or has a 50/50 chance of occurring.

High (3) The risk is almost certain or very likely to occur.




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

6 | P a g e

Level of Control is the influence that the C‐IV Procurement Project has

regarding the outcome of the risk.

LEVEL OF CONTROL SCALE

No Control (1) None of the Stakeholders can control the outcome of

the

risk.

Minimal

Control (2)

State or Federal Stakeholders have the authority to

control the outcome of the risk.

Moderate

Control (3)

The C‐IV Procurement Project Management team has

the authority to control the outcome of the risk.

High Control

(4)

The C‐IV Procurement Manager has the authority to

control the outcome of the risk.

Risk Exposure will measure the overall threat of risks by assuming a risk

factor.

A numeric

score

will

be

used

to

determine

a Low

exposure

(1

or

2),

Medium

exposure (3 or 4) or High exposure (6 or 9).

The risk exposure is computed using probability and level of control.

The following risk calculation expresses the overall risk exposure.

Determine Risk

Priority

Using the Risk Exposure Factor, the C‐IV Procurement Management Team

will then review the newly identified risk to establish its relative rank or

priority among existing risks. C‐IV Procurement Management Team may

adjust resource assignments, action plans, or other priorities to ensure the

risk is adequately addressed.

= Probability x Impact Risk Exposure

Factor Level of Control




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

7 | P a g e


Determine Approach

and

Create

Risk

Mitigation

Plan

This step involves developing actions to address individual risks, prioritizing

risk actions, and creating an integrated risk action plan.

Note: the C ‐IV Procurement Risk Matrix will be updated throughout the Risk

Mitigation lifecycle.

There are six responses to consider when formulating risk action plans.

1. Investigate. Risks that relate to a lack of knowledge may often be

resolved or managed most effectively by learning more before

proceeding.

2. Accept. This describes the risk factors that may directly affect the C‐IV

Procurement Project, but are outside of the sphere of influence of the

engagement, and therefore, can only be “accepted.” In addition,

acceptance of risks as a response may be based on the relative cost‐

effectiveness of any available response or solution. For example,

acceptance response could be created from a legislative or legal risk,

over which no control can be leveraged. The risk action plan will

include development of a documented rationale for accepting the risk

but not developing mitigation or contingency plans. It is prudent to

continue monitoring

such

risks

in

the

event

that

changes

occur

in

probability, impact, or level of control related to this risk.

3. Avoid. Risk avoidance prevents the Project from taking actions that

increase exposure too much to justify the benefit.

4. Assign. Assign‐based responses target the individual or entity best

placed to analyze and implement the response to the risk, based on

their expertise, experience, and suitability. This individual/entity

becomes the Risk Owner.

4. Risk Owner

5.

Mitigate. Mitigation (control)‐based responses are typically the most

common response. They identify an action that becomes part of the

domain working plans, and which are monitored and reported as part of

the regular performance analysis and progress reporting of the

engagement. Risk mitigation planning involves performing actions and

activities ahead of time either to prevent a risk from occurring

altogether, or to reduce the impact or consequences of its occurring.




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

8 | P a g e


6. Share. Share‐based responses identify and negotiate the sharing of risk

exposure with one or more involved parties. It is used to reduce impact

when the

risk

influence

is

seen

as

being

shared

between

these

parties.

The parties in question are generally the client, a third party supplier, a

business partner, or some combination of these. Like the Transfer

response, the Share response leaves the risk intact, but “shares” the

responsibility for actions and planning, and any consequences of risk

fulfillment. This option is the most complex to implement, as it requires

close communication and coordination with the involved parties.

5. Risk Owner Create Risk Contingency Plan

Risk contingency

planning

involves

creating

one

or

more

fallback

plans

that

can be activated in case efforts to prevent the adverse event fail.

Contingency plans are necessary for all risks, including those that have

mitigation plans. They address what to do if the risk occurs and how to

minimize its impact.

Triggers are established for the contingency plan based on the type of risk or

the type of impact that may be encountered.

Triggers are indicators that tell the C‐IV Project a certain condition is about to

occur, or

has

occurred,

and,

therefore,

it

is

time

to

put

the

contingency

plan

into effect.

If the risk is to have a Mitigation Plan, continue with Step 5; otherwise,

proceed to Step 6.

6. Risk Owner Implement Risk Plan

When the trigger event occurs or is imminent, the Risk Owner will initiate the

mitigation plan and notify the C‐IV Procurement Manager and/or PMO of the

plan execution. The Risk Owner will notify all parties identified in the

mitigation/contingency plan

and

ensure

all

activities

are

coordinated.

The

Risk

Owner will also take the specific measurements to determine the effectiveness

of the activities. If it appears the activities are not producing the desired

effective, the Risk Owner will propose changes to address the deficiencies.




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

9 | P a g e


7. Risk Owner,

C‐

IV

Procurement

Manager

and/or PMO

Report

The Risk Owner will inform the C‐IV Procurement Manager or PMO of risk

status updates as needed. The C‐IV Procurement Manager or PMO will

provide risk activity status and effectiveness reports to the C‐IV Procurement

Project Management team during monthly C‐IV Procurement Project Risk

Management Meeting.

8. C‐IV

Procurement

Manager

and/or PMO

Risk Closure

Where risks are determined not to be valid or have been removed through the

implementation of a mitigation plan/contingency plan, the risk is closed.

Consensus at

the

risk

meeting

must

be

achieved

before

a risk

is

closed.

4 Risk Escalation

The C‐IV Procurement Manager will be responsible for risk escalation. If consensus regarding a

risk cannot be reached within the C‐IV Procurement Management team, the risk will be

escalated to the next higher authoritative level for resolution. The Risk escalation process and

procedures mirror the Issue Tracking and Escalation Process as detailed in the C‐IV

Procurement Project Issue Management Plan. The C‐IV Procurement Project Issue Management

Plan can be access through the C‐IV Procurement Library located at:

http://www.c‐iv.org/ProcurementLibrary.shtml




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

10

| P a g e

5 C‐IV Procurement Risk Management Forms

The C‐IV Procurement Project will use the C‐IV Procurement Project Risk Management Form

(see Attachment

1)

and

C‐IV

Procurement

Project

Risk

Log

(see

sample

below).

Until Planning Consultant services are acquired, risk documentation will be stored on a

restricted drive on the C‐IV Project local area network (LAN) and the C‐IV Procurement Manager

will be responsible for risk tracking and control.

Following acquisition of Planning Consultant services, risk documentation will be stored on the

Planning Consultant’s Project local area network (LAN), and the Project Management Office

(PMO) will be responsible for risk tracking and control.

C‐IV Procurement Project Risk Log

ID Risk Name Risk Status Risk Category

Date

Raised

Risk

Originator Risk Description Owner Priority

Notes

(Date‐ Update, Analysis or Resolution)

Date Risk

Closed




11290 Pyrites

Way,

Suite

150,

Rancho

Cordova,

CA

95670

11

| P a g e

RISK MANAGEMENT PLAN

ATTACHMENT 1

RISK MANAGEMENT FORM




C‐IV Procurement Projec

Risk Management

FormRisk Name

Issue Status Opened Assigned Deferred Escalated Closed

Date Raised

Risk Originator Name &

Contact Information

Risk Category Cost/Budget Schedule Resources Strategic Direction Process

Technology External

Risk Trigger Event Description

Risk Owner

Risk Mitigation Plan

Contingency Plan

Project Use Only

Date Received

Risk ID

29047841-Risk-Management-Plan-03-25-2009

Documents