CONTENTS LEARNING OUTCOMES... 2 INTRODUCTION... 3 RISK DEFINITION OVERVIEW... 3 RISK MANAGEMENT ROLES AND RESPONSIBILITIES... 3 RISK MANAGEMENT APPROACH... 4 RISK IDENTIFICATION... 4 RISK QUALIFICATION AND IDENTIFICATION... 4 RISK MITIGATION AND AVOIDANCE... 5 RISK MONITORING... 6 RISK REGISTER... 6
LEARNING OUTCOMES Training Opportunities Overview of project risk management Overview of roles and responsibilities Overview of DSA project risk assessment and identification Definition of mitigating, avoidance, and monitoring Discussion on how identified risks are qualified and monitored Overview of where and when risks are recorded throughout the project life cycles Knowledge Goals and Takeaways Understand project risk in a variety of project samples Comprehend who is involved in identifying and managing risk Know the difference between qualification, mitigation, and avoidance Know where risks are recorded and stored Page 2
INTRODUCTION The purpose of the Risk Management Plan is to establish the risk management framework for projects undertaken by the Department of Information Technology in the Division of Student Affairs (DSA IT). This document defines the procedures involved in identifying risks and the strategies to mitigate or avoid those risks. The tracking documents & templates used to manage finances on projects are provided by the DSA IT PMO. RISK DEFINITION OVERVIEW The DSA Project Management Office (DSA IT PMO) has established predefined risk level definitions for overall risk scores based on the Initial Risk and Complexity Assessment: Low Risk Project: Risk Score = 100 to 150 Medium Risk Project: Risk Score = 151 to 199 High Risk Project: Risk Score = 200 + Projects with a medium or high risk score are subject to project reclassification (activity, small large). The following project elements are managed on a continual basis in order to ensure proper iterative risk reporting. Project Schedule Project Cost Estimate Team/Resource Allocation RISK MANAGEMENT ROLES AND RESPONSIBILITIES The Project Manager is responsible for coordinating, managing, recording, and reporting risk assessment activities on the project. The project team, key stakeholders, Page 3
and project sponsor participate in risk assessment activities throughout the duration of the project. The project manager is responsible for distributing current risk information as defined in the Communications Management Plan. RISK MANAGEMENT APPROACH The Project Manager uses two tools to record project risks. 1. Initial Risk and Complexity Assessment (Stored in PowerSteering) 2. Project Risk Register (Stored in PowerSteering) Throughout the project life cycle all project managers and project teams for DSA IT use a process by which the project team identifies, scores, and ranks various risks. Risks are recorded and ranked in the Project Risk Register for both small and large projects. The most likely and highest impact risks are added to the project schedule to ensure that the assigned risk owners take the necessary steps to implement mitigation response at the appropriate time during the schedule. Risk owners will provide status updates on their assigned risks during project team meetings. Upon completion of the project, during the closing process, the project manager analyzes each risk as well as the risk management process. Based on this analysis, the project manager identifies any improvements that can be made to the risk management process for future projects. These improvements are captured as part of the project Lessons Learned document. RISK IDENTIFICATION Methods used for identifying risks are: 1. Review of historical information from similar projects 2. Dedicating time in project meetings to assess and identify risks. RISK QUALIFICATION AND IDENTIFICATION Page 4
Once risks are identified the probability and impact of each one is determined in order to allow the project manager to prioritize risk avoidance and mitigation strategies. Risks are listed and prioritized in the Project Risk Register. RISK MITIGATION AND AVOIDANCE Once risks have been qualified, the team determines how to address those risks which have the greatest potential, probability, and impact on the project. In addition to defining the severity, a risk strategy is determined for both preventative and corrective actions for each risk. This strategy includes reviewing the severity of the risk impact, the cost-effectiveness of possible actions or contingency plans, the project timeline, and the practicality of the potential response. Response strategies for risks that have a negative impact on the project include: Accepting the risk, with no investment of effort or cost. Transferring the risk to or sharing the risk with a third party who is better able to handle the risk. Avoiding the risk by funding or staffing efforts to reduce the probability the risk will become a threat to project success. Establishing contingency plans for significant risks that cannot be mitigated or otherwise resolved. These plans are executed only under certain predefined conditions and may require additional work that must be budgeted and planned. Not all project risks are negative. Response strategies for risks that have a positive impact on the project include: Exploiting the risk to make sure the condition or event that is favorable to the project happens. Sharing the risk with a third party. Enhancing the risk to increase the probability of occurrence and/or positive impact. Accepting the risk by doing nothing. Page 5
Establishing contingency plans to be executed under certain predefined conditions. All risk response strategies are included in the risk register. The project team is responsible for assigning one or more options to the risk. (Avoid, transfer, mitigate, and/or accept for negative risks; exploit, share, enhance, or accept for positive risks.) RISK MONITORING Risks on all projects are actively monitored. Highest ranking risks are added to project status reports and assigned risk owner. Triggers and aggravating conditions are documented in the Risk Register. RISK REGISTER Every small and large project must maintain a Risk Register in order to track risks and associated mitigation strategies. The Risk Register for DSA IT project is a log of all identified risks, their probability and impact to the project, the category they belong to, mitigation strategy, and when the risk will occur. The project Risk Register is a required project document. The Project Risk Register for all projects is located in the Risk module within PowerSteering. Page 6