
Risk management: Defining the threat and developing the framework

In part 2 of his series on risk management, contributor George Sifri outlines the steps his company took to define threats and opportunities and rate their possible impacts. Find out how you can prepare your company to handle risk.

A successful strategy for managing IT project risks must be built on a solid foundation of corporate understanding, commitment, and support. To establish that framework, a risk management strategy must begin with a three-part effort:
  • Establish a risk glossary for a consistent understanding of terminology.
  • Set up processes for identifying, analyzing, planning, monitoring, and controlling risks.
  • Identify the tools and techniques that would support the framework.

Defining risk terminology
For my company, the first step was to define and document what we meant by risk and the processes associated with risk management. It was a time-consuming step because the exercise of defining terminology triggered an inordinate amount of political and emotional sentiment. Nevertheless, we could not move ahead without it. The early understanding and agreement on terminology was a key building block needed for sending consistent messages across the organization concerning our risk management program.

Risk management: The series
This is the second of three articles dealing with the real-world implementation of a risk management program. In the first installment, Builder.com contributor George Sifri looked at how his company, with 45,000 employees around the globe, identified the need for a risk management program.
Up next: Lessons learned through implementing a risk management strategy.


We wanted to adopt a proactive approach to risk management so that we could deal with risks before they became problems. In addition, we wanted to convey the message that we should also pursue opportunities. Thus, the definition of a risk had to cover three areas: an event in the future, a potential threat, or a potential opportunity. The definition that we adopted was as follows:

Every risk consists of three components:
  • An event
  • A probability of occurrence
  • An impact

We defined a risk event as a discrete possible future occurrence that may affect the project for better or worse. It could be a wanted event, an opportunity with a potential positive impact, or an unwanted event or threat with a potential negative outcome. We wanted to answer the question: What could happen, good or bad, to my project?

We defined the probability as the likelihood that the event will happen. We could express it as a numerical value between 0 (impossible) and 1.0 (certain to happen). We could also express it as a qualitative rating such as high, medium, or low. Frequently, we used quantitative and qualitative ratings interchangeably.

We defined the impact as the consequence of the risk, if it occurred. We could express it as a qualitative rating such as high, medium, or low. We could also express it as a numerical measure between 0 (not serious) and 1.0 (catastrophic).
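The definition above, worked through as a small risk register. This is an added example, not the author's or the company's tooling: it accepts the numeric (0 to 1.0) and qualitative (high/medium/low) ratings the article says were used interchangeably, keeps the threat/opportunity distinction, and ranks items for response planning. The high/medium/low-to-number mapping and the exposure formula (probability times impact) are this example's assumptions; the article defines neither.

```python
from dataclasses import dataclass

# Assumed mapping for qualitative ratings; the article gives none.
QUALITATIVE = {"low": 0.25, "medium": 0.5, "high": 0.75}


def to_score(value):
    """Normalise a rating (number in [0, 1] or high/medium/low) to a float."""
    if isinstance(value, str):
        key = value.strip().lower()
        if key not in QUALITATIVE:
            raise ValueError(f"unknown rating: {value!r}")
        return QUALITATIVE[key]
    score = float(value)
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"rating out of range: {value!r}")
    return score


@dataclass
class RiskEvent:
    """A risk per the article: an event, a probability, and an impact."""
    event: str
    probability: object          # 0..1 or "high"/"medium"/"low"
    impact: object               # 0..1 or "high"/"medium"/"low"
    opportunity: bool = False    # True for a wanted event, False for a threat

    def exposure(self):
        """Signed exposure (assumed formula): negative for threats,
        positive for opportunities."""
        value = to_score(self.probability) * to_score(self.impact)
        return value if self.opportunity else -value


def rank_register(register):
    """Largest magnitude first: the items most in need of a response plan
    (threat reduction or opportunity enhancement) come out on top."""
    return sorted(register, key=lambda r: abs(r.exposure()), reverse=True)


# Constructed sample register, not the company's real data.
SAMPLE = [
    RiskEvent("Key supplier misses delivery", "high", 0.8),
    RiskEvent("New process cuts approval time", 0.4, "medium", opportunity=True),
    RiskEvent("Office move delays server rack", "low", "low"),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE):
        print(f"{r.exposure():+.3f}  {r.event}")
```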

Raising awareness
Once we defined the terminology, we began a campaign throughout the organization to raise the general level of awareness of the Risk Management Program. This was part of our strategy to manage the cultural change required in the organization and foster the involvement and commitment at an early stage. The campaign consisted of articles in our in-house bulletin, and formal and informal presentations to individuals and groups. In addition, we built a Web site that contained the latest versions of the relevant documents, discussion forums, latest news, useful links, contact information, etc. This was an extremely time-consuming activity that we had originally underestimated.

Building the risk management processes
Once we had achieved considerable progress on establishing the terminology, we started developing our risk management processes in cooperation with the external consultant, who offered several models for risk management that we could customize. This enabled us to develop a flexible framework that was tailored to our needs and saved us a considerable amount of time and effort.

Our risk management framework consisted of the following processes:
  • Risk management planning: Deciding how to approach and plan the risk management activities for a project
  • Risk identification: Determining which risks might affect the project and documenting their characteristics
  • Risk analysis: Examining the risks in detail to determine the extent of the risks, how they relate to each other, and which are most relevant
  • Risk response planning: Developing procedures and techniques to enhance opportunities and reduce threats to the project’s objectives
  • Risk monitoring and control: Monitoring residual risks, identifying new risks, executing risk reduction plans, and evaluating their effectiveness throughout the project life cycle
  • Risk documentation and communication: Documenting and communicating risk information to facilitate the decision-making process

We had to compile information on the risk tools and techniques that we could use in our framework. The external consultant helped us to catalog these tools and techniques in our risk management handbook. For each tool and technique, we included a brief description, when it is applicable, its inputs and outputs, the process, resource requirements, and known issues.

Piloting the risk management framework
Because my company has 45,000 employees across the globe, we decided to test the framework by piloting it in different areas of the business. Selecting the appropriate pilots was critical to the success of our project. We needed to identify pilots that represented typical projects such as building an infrastructure, upgrading a system, implementing a new process, acquiring a company, moving premises, or developing software.

The next challenge was how to measure the success of each pilot:
  • How could we prove that the framework was successful in identifying unforeseen risks?
  • How effective was the framework in enhancing productivity?

We worked with the external consultant on identifying metrics that enabled us to assess the effectiveness of the framework. For example, in the case of software development projects, we used the metrics defined in IEEE Standard Dictionary of Measures to Produce Reliable Software to assess the effectiveness of the process.

Obtaining feedback from the participants, who completed a questionnaire after the piloting exercise, was one of the major objectives of the piloting phase.

The marketing campaign
We used the successful pilots in our internal marketing campaign. We asked the individuals who were involved in these pilots to share their experiences with others. We used presentations, workshops, an in-house bulletin, and more.

One of our biggest challenges was managing users’ expectations. They expected immediate benefits. We had to keep reminding them that the most valuable benefits were long-term ones.

Training
We knew that training was essential for the success of the framework. We had designed several training courses on general project management, and we fully integrated risk management training into these courses. We also provided specialized workshops on the various risk management tools and techniques. On these training courses, we used real projects that the company had performed. This approach enabled us to assess the effectiveness of the framework in predicting unforeseen risks and enhancing the decision-making process.

Do you practice risk management?
Have you implemented a risk management program in your organization? Join the discussion below to tell us about your experiences or send us an e-mail.
