Stage IV

Implement Risk
Management Processes
Week 1

3757G
Website Risk Management
 Introduction to the process for managing risks in
website development.
Discussion:
 Risk management is the process which is used to avoid, reduce
or control risks.
 There should be a balance between the cost of managing risk
and the benefits you expect from taking that risk. Note that risks
are acceptable as long as you have identified them and have a
plan to mitigate them.
 We need to be concerned about risk management at two points
for every website development project:
 when we initially consider a project being proposed for a customer,
 and as we run a project.

Stage IV, Semester 1, 2006 2


Website Risk Management
 The Website is increasingly critical to organisational
success, but corporate risk management programs
haven’t kept pace.
 Vast Opportunity Meeting Expanding Risk.
 What are the risks in Web Development?
For example…
 http://www.ipcubed.ca/articles/5webdevrisks.asp
 http://www.industryweek.com/CurrentArticles/asp/articles.asp?ArticleId=822
 http://www.7nights.com/asterisk/archives/the_risks_of_web_redesign.php

 You are encouraged to visit these links and read them,
as they help to establish the context of risk in the web
design process.

Website Risk Management
Main risks to websites
1. Quickly evolving technology
2. Immature standards
3. Insufficient support
4. Quality of external Web services
5. Security

Main risks to websites

1. Quickly evolving technology


The technology, tools, and servers
supporting Web services are still new and
evolving. In their current state, Web
services can only be used for non-
transactional call-and-response scenarios,
which severely limits the business value
companies can immediately gain.
Main risks to websites
2. Immature standards
Web services standards such as UDDI, WSDL,
and WSFL aren’t matured or finalised. Further,
the tools and servers you use to support your
Web services may be upgraded to support the
new standards. There is no guarantee that if you
implement a Web service today you won’t have
to modify it when the standards change.

Main risks to websites
3. Insufficient support
While virtually every big player in the server
software industry is providing initial support for
Web services, this trend may not continue.
Further, the support may not be sufficient to
build, deploy, and execute mission-critical Web
services.
 It is worth mentioning that the quality of service
offered by application server and integration
broker platforms will depend as much
on Web services standards and protocols as it
will on the maturity, scalability, and integrity of
the application server itself.
Main risks to websites
4. Quality of external Web services
The goal of Web services for many businesses will be
business-to-business integration (B2Bi), in which
systems and data are exposed to trading partners and/or
customers. It’s critical to identify the availability,
performance, and security of those external Web
services as potential risks.
 For example, foreseeably we will be using Web services
to create new products on the fly, dynamically, on a real-
time basis in a collaborative fashion with our trading
partners. In that scenario, it will be important to protect
the data that’s used to create or present these products.
Likewise, it will be important that the products will appear
as requested or promised to maintain good customer
service.
Main risks to websites
5. Security
Regardless of a company’s size or industry, security is a
primary factor for determining the adoption of Web
services. It poses the greatest risk for this technology
because secured interoperability holds the key to Web
services’ success in the long run.
 The key security requirements for the usage of Web
services are authentication, authorisation, data
protection, and non-repudiation. Be alert to potential
security loopholes in Web services since they are
vulnerable to a wide array of security threats like denial
of service and spoofing.
 Any implementation should not begin until the security
risks are considered, including the security policy and
existing solutions within the company.

Main risks to websites
Looking toward the future
The future holds a culmination of service-oriented
architecture visions, where applications will be nothing
but an orchestration of business processes. At that point,
companies will be able to buy Web services directly off
the shelf or get them from any Web services network.
 This future is quite far off, and reaching it will depend on
multiple criteria: the development of Web services
standards; the development of tools, services, and
servers that will enable the creation and execution of
Web services; and the development of vertical XML
standards.
 It may be that we are at least five to six years from
maturation, but we are moving in the right direction.

Website Risk Management
 Risk goes beyond the site – consider
also the server running the site.
 Security evaluation and security
assurance are important aspects of
trust in e-business.

Website Risk Management
 So what processes are required for
Risk Management?
 Let us examine what Risk Management is,
in more detail ...

Risk Management
Definition:
 Risk management is the activity
consisting of the cohesive collection of all
tasks that are primarily performed to lower
risks to acceptable levels.

Risk Management

Risk Management Activity, Tasks, and Work Products

Risk Management
Goals:
 The typical goals of risk management are to:
 Reduce risks to acceptable levels.
Objectives:
 The typical objectives of risk management
are to:
 Identify and understand the major risks.
 Avoid the risks that can be avoided.
 Mitigate the impact of risks that cannot be
avoided.
Risk Management
Examples:
 Typical examples of risk management include:
 Application Risk Management.
 Business Risk Management.
 Contact Center Risk Management.
 Data Center Risk Management.
 Reuse Center Management.
 Enterprise Risk Management.
 Program Risk Management.
 Project Risk Management.

Risk Management
Preconditions:
 Risk management typically may begin
when the following conditions hold:
 The application, business, center, or
endeavor is started.
 The application, business, center, or
endeavor team is:
 Initially staffed.
 Adequately trained in risk management.

Risk Management

Completion Criteria:
 Risk management is typically complete
when the following postconditions hold:
 The application, business, center, or
endeavor is retired or completed.

Risk Management
Tasks:
 Risk management typically involves the
following tasks in an iterative, incremental,
parallel, and time-boxed manner:
 Risk Management Planning
 Risk Identification
 Risk Analysis
 Risk Monitoring
 Risk Control

Risk Management
Environments:
 Risk management is typically performed
using the following environment(s) and
associated tools:
 Management Environment:
 Risk management tool

Risk Management
Work Products:
 Risk management typically results in the
production of all or part of the following
management work products:
 Risk Management Plan
 Risk Analysis
 Risk Monitoring Report

Refer diagram, slide 4

Risk Management
Phases:
 Risk management tasks are typically performed
during the following phases:
Phase: Relevant Tasks
Business Strategy: Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring
Business Optimization: Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring
Initiation: Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring
Construction: Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring
Delivery: Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring
Usage: Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring
Retirement: Risk Management Planning, Risk Identification, Risk Analysis, Risk Control, and Risk Monitoring

Risk Management
Guidelines:
 Risk management should be everyone’s business,
not just the responsibility of some manager or
technical leader.
 A repeatable risk management activity with well
defined tasks and work products is a major approach
to risk avoidance and mitigation.
 Risk management overlaps security engineering
because many important risks are security risks.
 It is typically better to avoid a risk than to mitigate its
damage once it has occurred.

…more

Risk Management
Guidelines:
 Risks can be divided into the
following categories:
 Business Risks
 Financial Risks
 Resource Risks
 Schedule Risks
 Technical Risks

…more

Risk Management
Guidelines:
 This activity is documented using the typical
configuration for large projects. It is intended to
be configured (i.e., instantiated, extended, and
tailored) to meet the needs of specific projects.
 The preconditions of this activity should be the
union of the preconditions of its constituent tasks.
 The completion criteria for this activity should be
the union of the postconditions of its constituent
tasks.

Risk Management Planning
identified above as the first task in Risk Management

Definition:
 Risk management planning is the risk management
task of planning the performance of the other risk
management tasks:
 Risk Identification
 Risk Analysis
 Risk Monitoring
 Risk Control

Risk Management Planning

Objectives:
 The typical objectives of risk management
planning are to:
 Determine the scope of the risk management activity (e.g.,
determine which of the potential risks may be relevant).
 Plan the other risk management plans.
 Develop the risk management plan.
 Communicate these plans to their stakeholders.

Risk Management Planning

Preconditions:
 Risk management planning can typically begin
when the following preconditions hold:
 The endeavor is started.
 The associated teams are initially staffed.
 At least one of these teams is adequately trained in risk
management planning.

Risk Management Planning

Completion Criteria:
 Risk management planning is typically
complete when the following postconditions
hold:
 The scope of risk management has been determined.
 The risk management plan has been produced and
approved by the customer organization.

Risk Management Planning

Steps:
 Risk management planning typically involves
members of the endeavor’s teams performing
the following steps in an iterative, incremental,
parallel, and timeboxed manner:
 Determine scope of the risk management activity.

Risk Management Planning

Techniques:
 Risk management planning can typically be
performed using the following techniques:
 Content and format standards
 Documentation templates
 Automatic documentation generation from a
database of document content

Risk Management Planning

Work Products:
 Risk management planning results in the
production of the following work products:
 Risk Management Plan (RMP)

Risk Management Planning

Guidelines
 Perform this task concurrently with the risk
identification and risk analysis tasks.

Risk Identification

Definition:
 Risk identification is the ongoing risk
management task of identifying the significant
risks to the success of an endeavor.

Risk Identification

Objectives:
 The typical objectives of risk identification are
to:
 Identify all significant risks associated with an
endeavor including their associated risk factors:
 Assets that are at risk
 Business processes that are at risk
 Threats to these assets and business processes
 Vulnerabilities to these threats

Risk Identification

Preconditions:
 Risk identification can typically begin when
the following preconditions hold:
 The endeavor is started.
 The associated teams are initially staffed.
 At least one of these teams is adequately trained in
risk identification.

Risk Identification

Completion Criteria:
 Risk identification is typically complete when the
following postconditions hold:
 All significant risks have been identified including the:
 Assets at risk.
 Business processes at risk.
 Threats to these assets and business processes.
 Vulnerabilities to these threats.
 All associated work products have been produced.

Risk Identification
Identify risk factors:
 Identify all assets that are at risk:
 Applications:
 Systems.
 Software.
 Components:
 Hardware components.
 Software components.
 Data components.
 Personnel components (a.k.a., wetware such as people who
operate the applications).
 Documentation components (a.k.a., paperware such as manuals
and administrative procedures).
 Facilities

…more

Risk Identification
Identify risk factors:
 Identify all assets that are at risk:
(continued)
 Supplies: paper forms, magnetic media, toner cartridges, etc.
 Money
 Intangibles:
 User and customer organization goodwill
 Organisation confidence
 Organisation reputation and image
 Identify all business processes at risk.
 Identify all threats to these assets:
 Harm can happen to the assets and business processes.
 Harm can happen to the owner of the assets and business
processes (e.g., through lack of income or use).
 Identify all vulnerabilities to these threats.

Risk Identification
Vulnerabilities:
[Diagram: vulnerabilities of hardware, software, data and expertise. Labels: Interruption, Interception, Modification, Fabrication; Denial of Service, Theft, Deletion, Loss.]
Risk Identification
Techniques:
 Risk identification can be performed using the
following techniques:
 Checklists of risks and their factors
 Brainstorming of risks and their factors
 Cross Functional Teams to provide multiple viewpoints
so that a comprehensive list of risks and their factors is
developed.
 Documentation Studies of risk identification literature
and previous risk management plans
 Incremental Development of the risks and their factors
 Interviews with stakeholders and domain experts
 Iteration of the identified risks and their factors
 Joint Application Development (JAD) of the risks and
their factors
 Parallel Development of the risks with other tasks and
other teams
 Re-use of previously identified risks
Risk Identification
Work Products:
 Risk identification typically results in the
production of all or part of the following work
products:
 An informal context diagram of potential risk factors.
 An informal list of unprioritised potential risks:
 Assets and business processes at risk
 Threats to these assets and business processes
 Vulnerabilities to these threats
 This information can also be stored in a risk
management database or directly documented in an
evolving risk management plan (RMP).

Risk Identification
Guidelines:
 Perform this task concurrently with the risk
analysis and risk documentation tasks.
 Security risks can be identified by the security
team.
 Consider all risks, both intentional (security
risks), accidental, and environmental.
 Risk identification involves both management and
technical expertise.

Risk Analysis
Definition:
 Risk analysis (a.k.a., risk assessment, risk
quantification) is the ongoing risk
management task of analysing the
identified risks to the endeavor.

Risk Analysis
Objectives:
 The typical objectives of risk analysis are to:
 Understand the identified risks.
 Analyze the identified risks
 Develop steps and techniques to:
 Avoid each significant risk.
 Mitigate each significant risk if it occurs.
 Monitor each significant risk.
 Assign responsibilities and resources to perform
risk avoidance, mitigation, and monitoring.
Risk Analysis
Preconditions:
 Risk analysis can typically begin when the
following preconditions hold:
 The endeavor is started.
 The associated teams are initially staffed.
 At least one of these teams is adequately trained
in risk analysis.
 Some potential risks have been identified.

Risk Analysis
Completion Criteria:
 Risk analysis is typically complete when the
following postconditions hold:
 All significant risks have been analysed.
 Steps and techniques have been determined to:
 Control each significant risk.
 Monitor each significant risk.
 All associated work products have been
produced.

Risk Analysis
Steps:
 Risk analysis typically involves members of the
endeavor’s teams performing the following steps in
an iterative, incremental, parallel, timeboxed, and
ongoing manner:
 Understand the identified risks:
 Assets at risk.
 Business processes at risk.
 Threats to these assets and business processes.
 Vulnerabilities to these threats.

…more

Risk Analysis
Steps:
 Analyze the identified risks:
 Analyze the threats to these assets and business processes.
 Analyze the vulnerabilities of the assets and business
processes to these threats.
 Estimate the risks’ probabilities of occurrence.
 Estimate the potential impact of each risk to the success of the
endeavor.
 Thereby estimate the importance and priority of each risk.
 Categorize the risks.
 Develop specific actions and techniques to:
 Control each significant risk.
 Monitor each significant risk.
 Assign responsibilities and resources to perform risk
avoidance, mitigation, and monitoring.

Risk Analysis
Techniques:
 Risk analysis can typically be performed using the
following techniques:
 Categorisation of risks, threats, and vulnerabilities
 Cost/Benefit Analysis to determine cost-effectiveness of
risk avoidance/mitigation/and monitoring steps and
techniques
 Cross Functional Teams to provide multiple viewpoints so
that a comprehensive analysis of risks and their factors is
performed
 Documentation Studies of risk analysis literature and
previous risk management plans
 Gap Analysis to determine gap between current risk
management measures and needed risk management
measures
…more

Risk Analysis
 Techniques (continued)
 Incremental Development of the risk analysis work product
 Interviews with stakeholders and domain experts
 Iteration of the risk analysis work product
 Joint Application Development (JAD) of the risk analyses
 Parallel Development of the risk analysis with other tasks,
teams, and work products
 Pareto Analysis to determine the most important risks and
risk factors
 Reuse of previous risk analyses
 Threat trees
 Threat categorization

Risk Analysis
Work Products:
 Risk analysis typically results in the production of all or part of
the following work products:
 Updated list of risks:
 Assets at risk.
 Business processes at risk.
 Threats to these assets and business processes.
 Vulnerabilities to these threats.
 Risk Table:
 Risk Name
 Risk Description
 Asset or Business Process Threatened
 Threats to these assets and business processes.
 Vulnerabilities to these threats (e.g., high/medium/low).
 Estimated risk impact (a.k.a., loss magnitude) (e.g., high/medium/low).
 Estimated risk (i.e., loss, probability of occurrence) probability (e.g.,
high/medium/low).
 Risk prioritization (e.g., high/medium/low).
…more
Risk Analysis
Work products (continued):
 Risk avoidance actions and techniques.
 Risk mitigation actions and techniques.
 Risk monitoring actions and techniques.
 Associated responsibilities and resources.
 This information can also be stored in a risk management
database or directly documented in an evolving Risk
Management Plan (RMP).

Risk Analysis
Guidelines:
 Perform this task concurrently with the risk identification task.
 If this task is performed concurrently with the risk documentation task, then there
do not need to be any separate work products.
 Security risks can be analyzed by the security team.
 The importance of a risk equals the product of the
(probability of the threat to the asset or business process occurring)
times
(the vulnerability of the asset or the business process to the threat)
times
(the impact of the threat if it occurs).
 Many assets are hard to value, especially in monetary units.
 Probability of occurrence is often difficult to estimate due to changing
circumstances.
 It is typically better to use high/medium/low instead of strict numerical
values.
 Risks should be organized appropriately (e.g., first by priority,
alphabetical within priority, associated with work breakdown schedule).
 Ensure accountability by assigning responsibilities.
…more
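
The scoring and ordering guidelines on this slide, worked through as an added example (not part of the original slides): a small risk table that multiplies the three high/medium/low ratings, orders risks by priority and then name, and applies the Pareto analysis listed under techniques. The 1/2/3 weights, the priority cut-offs, the 80% share and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: ordinal weights for the high/medium/low ratings; the slides give no numbers.
LEVELS = {"low": 1, "medium": 2, "high": 3}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # Business, Financial, Resource, Schedule or Technical
    asset: str          # asset or business process threatened
    threat: str
    probability: str    # probability that the threat occurs
    vulnerability: str  # vulnerability of the asset to the threat
    impact: str         # loss magnitude if the threat occurs

    def importance(self) -> int:
        """Product of the three rated factors, from 1 to 27."""
        score = 1
        for field in ("probability", "vulnerability", "impact"):
            rating = getattr(self, field).strip().lower()
            if rating not in LEVELS:
                raise ValueError(f"{self.name}: {field} must be high/medium/low, got {rating!r}")
            score *= LEVELS[rating]
        return score

    def priority(self) -> str:
        """Map the product back to high/medium/low (cut-offs are assumptions)."""
        score = self.importance()
        if score >= 12:
            return "high"
        if score >= 4:
            return "medium"
        return "low"


def risk_table(risks):
    """Order by priority first, then alphabetically by name within a priority."""
    return sorted(risks, key=lambda r: (PRIORITY_ORDER[r.priority()], r.name.lower()))


def pareto_set(risks, share=0.8):
    """Smallest group of top-scoring risks covering `share` of total importance."""
    ranked = sorted(risks, key=lambda r: (-r.importance(), r.name.lower()))
    total = sum(r.importance() for r in ranked)
    chosen, running = [], 0
    for risk in ranked:
        if running >= share * total:
            break
        chosen.append(risk)
        running += risk.importance()
    return chosen


# Constructed sample register; the risk names reuse items mentioned on the slides.
REGISTER = [
    Risk("Denial of service", "Technical", "External Web service",
         "Service made unavailable", "medium", "high", "high"),
    Risk("Spoofing", "Technical", "Trading-partner data",
         "Forged caller identity", "low", "medium", "high"),
    Risk("Requirements scope creep", "Business", "Project delivery",
         "Uncontrolled change requests", "high", "medium", "medium"),
    Risk("Inadequately trained staff", "Resource", "Development process",
         "Skills gap", "medium", "medium", "low"),
    Risk("Standards change", "Technical", "Deployed Web service",
         "Revised Web services standard", "high", "high", "low"),
]

if __name__ == "__main__":
    for r in risk_table(REGISTER):
        print(f"{r.priority():<6} {r.importance():>2}  {r.category:<9} {r.name}")
    print("Pareto set:", [r.name for r in pareto_set(REGISTER)])
```

Because the product compresses three ordinal ratings into one number, two risks with the same score can differ sharply in impact, so the table keeps the individual ratings alongside the priority.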
Risk Analysis
Guidelines (Continued):
 Risks can be divided into the following categories:
 Business Risks:
 Requirements Scope Creep
 Changing Market Pressures
 Loss of Market Share
 Bad Public Relations
 Loss of Life or Property
 Litigation
 Financial Risks:
 Cost Overrun
 Inadequate Cost Estimates
 Resource Risks:
 Inadequate Staffing
 Inadequately Trained Staff
 Inadequate Staff Productivity
 Inadequate Development Tools

…more
Risk Analysis
Guidelines (Continued):
 Risk categories (continued):
 Schedule Risks:
 Unrealistic Schedule
 Inadequate Schedule Estimates
 Upgrades to COTS components and tools not available when promised
(vaporware)
 Excessive Time To Market
 Technical Risks:
 The application will not provide all required functionality.
 The application’s transactions will not be auditable.
 The application will not adequately support internationalization.
 The application will not provide personalization.
 The application will contain excessive defects.
 The application’s outputs will be inadequately accurate or precise.

Risk Monitoring
Definition:
 Risk monitoring is the ongoing risk
management task of monitoring the success
and status of the other risk management
tasks.

Risk Monitoring
Objectives:
 The typical objectives of risk monitoring are
to determine if:
 Any aspect of the risk analysis has changed and
therefore should be repeated.
 Any undesirable event defining a risk has actually
occurred.
 The other risk tasks are being performed
effectively and efficiently.

Risk Monitoring
Preconditions:
 Risk monitoring can typically begin when the
following preconditions hold:
 The endeavor is started.
 The associated teams are initially staffed.
 At least one of these teams is adequately trained
in risk identification.
 At least some risks have been identified,
analyzed, and documented.

Risk Monitoring
Completion Criteria:
 Risk monitoring is typically complete when
the following postconditions hold:
 The endeavor is completed so that no more risks
exist to be monitored.

Risk Monitoring
Steps:
 Risk monitoring typically involves members
of the endeavor’s teams performing the
following steps in an iterative, incremental,
parallel, time-boxed, and ongoing manner:
 Determine if any risks have changed.
 Determine if risk control actions and techniques
are effective.

Risk Monitoring
Techniques:
 Risk monitoring can typically be performed using
the following techniques:
 Assessment of current situation
 Auditing of current situation
 Cross Functional Teams to provide multiple viewpoints so
that all aspects of risk management can be monitored
 Inspecting of current development or usage tasks
 Interviews with stakeholders, domain experts, and
members of the development and operations organizations
 Incremental Development of the risk monitoring report
 Iteration of the risk monitoring report
 Observation of current development or usage tasks
 Parallel Development of the risk monitoring with other tasks
 Reviewing of current development situation

Risk Monitoring

Work Products:
 Risk monitoring typically results in the
production of all or part of the following work
products:
 Risk Monitoring Report

Risk Control

Definition:
 Risk control is the ongoing risk management
task of taking steps that help ensure that
significant risks to the endeavor are
controlled.

Risk Control

Objectives:
 The typical objectives of risk control are to
(where appropriate and practical):
 Accept tolerable risks.
 Avoid the occurrence of significant risks to the
endeavor.
 Mitigate the impact of significant risks to the
endeavor that occur.
 Transfer significant risks to other parties.

Risk Control
Preconditions:
 Risk control can typically begin when the
following preconditions hold:
 The endeavor is started.
 The associated teams are initially staffed.
 At least one of these teams is adequately trained
in risk control.
 Some potential risks have been identified and
analysed.
 Actions and techniques to control the risks have
been identified.
Risk Control
Completion Criteria:
 Risk control is typically complete when the
following postconditions hold:
 The endeavor is completed so that no risks
remain to be controlled.

Risk Control
Steps:
 Risk control typically involves members of the
endeavor’s teams performing the following steps in
an iterative, incremental, parallel, timeboxed, and
ongoing manner:
 Identify subset of risks to address.
 Perform risk control actions identified during the risk
analysis task.
 Document specific risk control actions taken including
associated information (e.g., schedule, responsible party,
time, cost and other resources used).
 Iterate and repeat as necessary

Risk Control
Techniques:
 Risk control can typically be performed
using the following techniques:
 Risk Acceptance
 Risk Avoidance
 Risk Mitigation
 Risk Transfer

Risk Control

Work Products:
 Risk control typically results in the
production of all or part of the following
work products:
 No specific reporting, Risk Monitoring Report
covers this.
