Documente Academic
Documente Profesional
Documente Cultură
Risk management
Risk management ensures that an organization identifies and understands the risks to which it is exposed. Risk management also guarantees that the organization creates and implements an effective plan to prevent losses or reduce the impact if a loss occurs. A risk management plan includes strategies and techniques for recognizing and confronting these threats. Good risk management doesnt have to be expensive or time consuming; it may be as uncomplicated as answering these three questions: 1. What can go wrong? 2. What will we do, both to prevent the harm from occurring and in response to the harm or loss? 3. If something happens, how will we pay for it?
And it is a systematic process for the identification and evaluation of loss exposures faced by an organization or individual and for the selection and administration of the most appropriate
Avoidance Retention Loss prevention Loss reduction Transfer contractually Transfer through insurance
Risk management provides a clear and structured approach to identifying risks. Having a clear understanding of all risks allows an organization to measure and prioritize them and take the appropriate actions to reduce losses. Risk management has other benefits for an organization, including:
Saving resources: Time, assets, income, property and people are all valuable resources that can be saved if fewer claims occur. Protecting the reputation and public image of the organization. Preventing or reducing legal liability and increasing the stability of operations. Protecting people from harm. Protecting the environment. Enhancing the ability to prepare for various circumstances. Reducing liabilities. Assisting in clearly defining insurance needs.
An effective risk management practice does not eliminate risks. However, having an effective and operational risk management practice shows an insurer that your organization is committed to loss reduction or prevention. It makes your organization a better risk to insure.
Risk Management aims to facilitate the exchange of information and expertise across countries and across disciplines. Its purpose is
3
to generate ideas and promote good practice for those involved in the business of managing risk. All too often assessments of risk are crudely made and the consequences of getting things wrong can be serious, including lost opportunities, loss of business, loss of reputation and even life. This journal examines both the problems and potential solutions.
People are now more likely to sue. Taking the steps to reduce injuries could help in defending against a claim. Courts are often sympathetic to injured claimants and give them the benefit of the doubt. Organizations and individuals are held to very high standards of care. People are more aware of the level of service to expect, and the recourse they can take if they have been wronged. Organizations are being held liable for the actions of their employees/volunteers. Organizations are perceived as having a lot of assets and/or high insurance policy limits.
Objectives are more likely to be achieved; Damaging things will not happen or are less likely to happen; Beneficially things will be or are more likely to be achieved.
It is not a process for avoiding risk. The aim of risk management is not to eliminate risk, rather to manage the risks involved in all University activities to maximize opportunities and minimize adverse effects. Note: risk management is not the management of insurable risks. Insurance is an important way of transferring risk but most risks will be managed by other means. Good risk management provides upward assurance from business activities and administrative functions, from department to faculties, to the senior management team and ultimately to the governing body.
The potential benefits from risk management are: Supporting strategic and business planning; Supporting effective use of resources; Promoting continuous improvement; Fewer shocks and unwelcome surprises; Quick grasp of new opportunities; Enhancing communication between Schools and Departments; Reassuring stakeholders; Helping focus internal audit programmed
the biggest risk may be and therefore be able to manage the risk before it becomes a major problem.
These practices are based on three basic constructs for software risk management developed At the Software Engineering Institute (SEI): Risk Management Paradigm, Risk Taxonomy, Risk Clinic, and Risk Management Guidebooks. The three constructs and three practices will be discussed in subsequent sections. The complexity of software risk management cannot be understood nor appropriately addressed from the above methodological context alone. To capture the multifarious aspects of This complexity, we make use of hierarchical holographic modeling, where we consider two additional visions or dimensions: the temporal and human dimensions. Thus the three dimensions adopted in this paper to represent the holistic vision of software risk management are The temporal dimension, The methodological dimension And the human dimension.
The temporal dimension is decomposed into two sub-visions: 1. Macro vision represents the global perspective of the acquisition life cycle. 2. Micro vision represents the view of the project manager. The methodological dimension has already been introduced. The human dimension addresses the intellectual dimension of software acquisitionthe most Critical dimension, since software development is such an intellectual activity. Four aspects Are identified here: 1. Individual 2. Team
9
The last section shares the experience gained through the deployment of the above methodologies by SEI teams. Ample literature exists on the process of risk assessment and management. The majority of this literature, however, is devoted to theories and methodologies that have not been subjected to the ultimate test of practice. This paper presents comprehensive theories and processes developed at the SEI at Carnegie Mellon University that have been successfully deployed.
The goal of SEI Risk Program is to enable engineers, managers, and other decision makers to identify, sufficiently early, the risks associated with software acquisition, development, integration, and deployment so that appropriate management and mitigation strategies can be developed on a timely basis. Time is critical and the goal is to act early before a source of risk evolves into a major crisis. In other words, being mainly reactive in risk mitigation and control Rather than proactive in risk prevention and control is at the heart of good risk management. Furthermore, should the system fail regardless of all risk management efforts, then ensuring The safe failure (e.g., safe shutdown) of the system must be the mandate of the software risk Manager. Clearly, the secret to effective risk management is the trade-off of mitigation cost against the potential adverse effects of avoided risk. In this context, the value of the methodologies and tools for software risk management is to buy smarter, manage more effectively and identify opportunities for continuous improvement, use available information and databases more efficiently, improve industry and raise the communitys playing field, and review and Evaluate the progress made on risk management.
10
It is important to note that the developed software risk methodologies have three fundamentally different, albeit complementary, objectives: 1. Risk prevention 2. Risk mitigation and correction 3. Ensuring safe system failure The following seven risk management principles are instrumental in the quest to achieve these Three objectives: Shared product vision sharing product vision based upon common purpose, shared ownership, and Collective commitment focusing on results Teamwork working cooperatively to achieve a common goal pooling talent, skills, and knowledge Global perspective viewing software development within the context of the larger system-level Definition, design, and development recognizing both the potential value of opportunity and the potential impact Of adverse effects, such as cost overrun, time delay, or failure to meet Product specifications
11
Forward-looking view thinking toward tomorrow, identifying uncertainties, anticipating potential Outcomes Managing project resources and activities while anticipating uncertainties Open communication encouraging the free flow of information between all project levels enabling formal, informal, and impromptu communication using consensus-based process that values the individual voice (bringing Unique knowledge and insight to identifying and managing risk) Integrated management making risk management an integral and vital part of project management adapting risk management methods and tools to a projects infrastructure And culture4 CMU/SEI-96-TR-012 Continuous process maintaining constant vigilance Identifying and managing risks routinely throughout all phases of the projects Life cycle.
Risk is commonly defined as a measure of the probability and severity of adverse effects. Software technical risk can be defined as a measure of the probability and severity of adverse effects
12
inherent in the development of software that does not meet its intended functions and performance requirements.
The need to manage risk increases with system complexity. Figure 2 demonstrates this concept by indicating that as the complexity of the system increases, both technical and nontechnical (cost and schedule) risks increase. There is an increasing need for more systematic methods and tools to supplement individual knowledge, judgment, and experience. These human traits are often sufficient to address less complex risks. It is worth noting that many managers believe that they are managing risk in its multifaceted dimensions. The fact of the matter is that they are merely managing cost and schedule along with isolated cases of technical risk. The SEI Risk Program provides a structured process, supported by methods and tools, for Identifying, analyzing, and mitigating the uncertainties encountered in a specific software engineering effort. Many of the most serious issues encountered in system acquisition are the result of risks that either remain unrecognized and/or are ignored until they have already created serious consequences. This focus on risk management is important because structured Techniques, even quite simple ones, can be effective in identifying risk, and approaches, procedures, and techniques do exist for risk mitigation.
13
14
1. .Improve the process of software acquisition in organizations 2. Improve software risk management methodology, technology, and practice in the acquisition process 3. Improve the access to, acquisition, repository, use, and integration of .information and data for software acquisition in industry and government 4. In general, institutionalize risk management and decision support within the software acquisition community and make it an integral part of the communitys practice.
Temporal Dimension
It is plausible to assert that the genesis of a formal acquisition process can be traced to the Statement of Needs and Requirements. In terms of risk management, the seeds of critical sources of risk are often sown at this seemingly benign stage. An example from urban development demonstrates this point. A mayor and the city council identify a need for a new housing development. Given the high cost of land due to its scarcity, the requirements for meeting these needs evolve into the construction of high rise apartments. At this stage, the risks that the new project might become a major slum and a magnet for crime and drug distribution are not considered.
15
Micro vision
1. Specification 2. )Solicitation (including request for proposal and contractor selection 3. )Design and development (including architecture . 4. )Systems integration (including deployment and maintenance .
Macro vision
1. Conceptual design . 2. Demonstration/validation . 3. Engineering, manufacturing, development, and production . 4. )Maintenance and major upgrade (including termination
16
17
18
. 19
20
21
Regular Monitoring of the Applied Strategy: This is very necessary for the success of the risk management strategy because if the strategy does not work properly, it can be detected through the monitoring process and a new strategy can be applied.
When to Use Risk Analysis? Risk analysis is useful in many situations, for example, when you're: Planning projects, to help you anticipate and neutralize problems, or assess, say, the impact of going over budget. Deciding whether or not to move forward with a project. Improving safety and managing potential risks in the workplace. Preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters. Planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.
How to Use Risk Analysis: To carry out a risk analysis, follow these steps: 1. Identify Threats The first step in risk analysis is to identify the existing and possible threats that you might face. These can come from many different areas. For instance:
Human From illness, death, injury, or other loss of a key individual. Operational From disruption to supplies and operations, loss of access to essential assets, or failures in distribution. Reputational From loss of customer or employee confidence, or damage to reputation in the market. Procedural From failures of accountability, internal systems and controls; or from fraud.
22
Project From going over budget, taking too long on key tasks, or experiencing issues with product or service quality. Financial From business failure, stock market fluctuations, interest rate changes, or non-availability of funding. Technical From advances in technology, or from technical failure. Natural From weather, natural disasters, or disease. Political From changes in tax, public opinion, government policy, or foreign influence. Structural From dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.
Example - IT Reorganization Project Background Contoso, Inc. has initiated a project to reorganize its IT departments. Contoso's primary infrastructure is shifting to a distributed environment from a centralized one. Risk Identification Using sound risk management practices, Contoso conducted various risk identification discussions to come up with a master risks list. Two of those risks are listed in the following table. Table: Contoso IT Reorganization Risk ID 0001
23
Project ID ITREORG010
Risk ID 0001
Risk Present service desk process inefficiencies could lead to increased cost to support current IT services.
Situation Field office support is not a coordinated effort with centralized help desk functions. Often field support professionals respond to and resolve incidents without those incidents being recorded and a knowledge base being populated.
Consequence Without a comprehensive, shared knowledge base of incidents, problems, and resolutions, redundant incidentmanagement and problemmanagement activity will be performed throughout the support organization.
Downstream Effect Extended service outages as well as inadequate communications regarding status of resolutions will further alienate the customer from IT. This will enforce the view of IT as not being aligned with the needs of the business. The perceived value of the services provided by IT will be diminished.
Project ID ITREORG010 Risk Changes implemented by one IT group could negatively affect systems and services delivered by other IT groups.
Risk ID 0002 Situation Although change management exists within some groups, a common formal changemanagement process does not exist across all IT groups. Additionally, some changes, when reviewed during the weekly status meeting, have not
Root Cause People, Process Consequence Lack of commitment to a standard set of operational processes will lead to business units that fail to trust each other. Frustration between IT groups will occur as systems under the responsibility of one group will be affected by others
Business Effect Cost, Performance Downstream Effect Service disruptions caused by failed changes will interrupt business functions. Additionally, failure to communicate planned downtime of mission-critical services to users and the help desk will result in reduced trust in IT.
24
This will force the business to question the value of the current IT operations and to consider outsourcing IT functions.
Risk Prioritization
Once these risks were identified, the project team then focused on risk prioritization. Table: Contoso Prioritization of Risk ID 0001
Project ID ITREORG010
Risk ID 0001
Exposure Analysis Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.
25
Project ID ITREORG010 Exposure Analysis Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.
Project ID ITREORG010
Mitigation Implement Microsoft Operations Framework (MOF) incident and problem management processes. Coordinate secondline and third-line support groups.
Risk ID 0001 Contingencies Allocation of excessive resources to accommodate resolution of reactive issues. Fund the costs of increased support activities and staff.
Root Cause Process Triggers Continual incident resolution. Repeated problems occur. Uncoordinated and recurring changes. Poor average time to resolution.
26
Project ID ITREORG010 Mitigation A standard formalized and communicated MOF-based change management process will be implemented across all IT groups.
Risk ID 0002 Contingencies Assign additional resources to reactive problem management. Communication to customers and end-users in a prompt, descriptive and meaningful manner can reduce the negative effect on customer satisfaction.
Root Cause Process Triggers Information gathered during project status meetings and operations management reviews (OMRs) regarding process and service outages indicate that this risk is currently being actualized at some level.
------
These two risks became the top risks list for the Contoso IT reorganization project. These risks were discussed at each OMR and various project status meetings. The purpose of this discussion was to discuss the progress of mitigation steps, to determine whether triggers were being fulfilled in the environment, and to ensure that the probability and impact levels were still properly set. This discussion was vital to the project to determine if contingencies identified in the master risks list needed to be acted upon to avoid service disruptions where possible. Risk Exposure Analysis As the project progressed, various mitigation activities around MOF-based change management processes and incident and problem management processes began to reduce the probability of these risks occurring. The project team then modified the probability, which in turn also reduced the exposure of the risks as noted in the following table. Table: Contoso Exposure Analysis of Risk ID 0001 27
Project ID ITREORG010
Modified Exposure Analysis Probability has decreased due to the implementation of MOF-based incident and problem management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.
Project ID ITREORG010 Modified Exposure Analysis Probability has decreased due to the implementation of MOF-based change management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.
28
References:
. .
Management of Software Technical Risk, IEEE Transactions on Systems, Man, and Cybernetics 24, 2 (February 1994): 187-202
Software Development Risk Management: An SEI Appraisal, Software Engineering Institute Technical Review 92 (CMU/SEI-92-REV). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1992
C. Team Risk Management: A New Model for Customer-Supplier Relationships (CMU/SEI-94-SR-005, ADA283987). Pittsburgh, Pa.: Software Engineering Institute, Carnegie Mellon University, 1994
Transactions on Systems, Man, and Cybernetics 11, 9 (September 1981): 606.617 ..1991
29
30