Risk Management Strategy 1.0.0

Scope

This document provides the framework for managing all the necessary processes for tackling all risks and opportunities that could influence the project’s output, from the very initial phase (i.e. The Business Case). For this reason, this document should be part of the company’s standard policies and then updated with the project’s needs.

Further modifications and enhancements should be done only through a formal process (i.e. Learned Lessons).

Quality

The required processes manage different values and use diverse scales for measuring figures and times. Thereby each process shall unambiguously state every reference to be used either within the document or as its output.

Each process has to contain its tools for checking the expected results (e.g. follow on, check lists – duly signed by the accountable person)

Every person involved in one of the processes has to be registered. This includes the fully acceptance of the role and its responsibilities.

The content of this document has to be checked against any existing policy of all involved organizations.

Operational steps

The operational details for the main phases:

  1. Inception – establishing the guidelines at company/program level.
  2. Definition – issuing the Risk Governance Strategy.
    1. Receiving the full acceptance of the propositions stated in the above mentioned document.
    2. Adoption of specific tools (e.g. Monte Carlo software, MS Project etc)
    3. Setting the timing for each process (meetings and reporting).
    4. Staffing all the required roles.
    5. Planning policies in accordance with the forming schedules and plans.
    6. Finance aspects.
    7. Evaluation criteria (e.g. Finance, time and processes)
  3. Implementation:
    1. Verifying that the Risk Analysis (especially assumptions) is aligned with the guidelines.
    2. Obtaining the proactive participation of all stakeholders.
    3. Auditing the quality (adherence to the set standards) of the actual procedures.
    4. Producing “Contingency” plans that would allow the continuation of the project within the existing Business Case.
    5. Verifying that every registered risk’s values (e.g. impact, the likelihood etc.) are consistent.
    6. Check the alignment between the Issue and Risk registers (auditing the efficiency of the Risk Analysis).
  4. Handover – reporting on these topics
    1. Quality (Acceptance Criteria, unresolved issues)
    2. Technical (operational standards)
    3. Commercial (“Expected Benefits” as described in the Business Case)

RACI (who does what)

In order to maintain the necessary modularity, the RACI tables are split into the four phases. The indicated roles need to be better defined in each “real” situation.

Inception

Operation desc./Roles Owner Spr PM SME BA Stkhd
Reviewing the “standard” version of this document C A C C R C
Verifying that all necessary information is consisted with the company’s current standards. I A C I R I
Assessing the feasibility of the proposed modifications C A C C C C

Definition

Operation desc./Roles Owner Spr PM SME BA Stkhd
Reviewing the technical aspects (e.g. tools) I C A C R I
Reviewing the organizational matters (RACI, timing, meeting, resources) I C A I R C
Assessing the feasibility of the proposed settings (e.g. financial reserves, thresholds values – triage) C C A C R C

Implementation

Operation desc./Roles Owner Spr PM SME BA Stkhd
Preparing the Risk Management Plan(s) I C A C R C
Reviewing the processes (particular attention has to be spent on s/holder involvement) I C A I R C
Acting as required by plans/procedures I C A C R C

Hand over

Operation desc./Roles Owner Spr PM SME BA Stkhd
Collecting all references for auditing the existing version of the processes I C A C R C
Reviewing the processes in view of compiling the Learned Lessons I C A I R C
Acting as required by plans/procedures I C A C R C

Document structure

Distribution list

This kind of information can be considered highly important. Therefore, it is suggested to inform all the interested stakeholders as described in the “Communication Management Strategy”.

Registrar section

These are the key fields

Risk Analysis How the information that make possible to identify and prevent/limiting (increasing) the potential variations are collected and assessed.
Define the scale For money (1k to 10M) and time (to be used for calculating both proximity (when it could happen) and impact (delay).These values are not related with the Acceptance Criteria (e.g. system’s responding time).
Set thresholds’ values In essence the scale to be used for evaluating (from triage onward) the importance of the variation either in terms of volumes (budget/time) or priority.
Set reserves (financial) policies The total amount of money that needs to be available for covering the extra expenses due to the happening of the event. These have to be calculated in view of the possible timing (i.e. not all risks can happen in the very same time). Moreover, these sums are to be assessed in relation with existing contracts (e.g. outsourcing, insurers etc.)
Setting allowances Beside the Project’s allowance (either money or time or both). It is important to detail whether specific restrictions are to be set for stages.
Communications
  1. The Risk’s register set up needs to be agreed with stakeholders for any request of profiling the access to specific “sensitive” areas.
  2. Periodically “brainstorming” meeting is held for collecting information about the “depicted” scenario, and then checking its validity.
  3. Setting the rules for periodic meetings destined to evaluate issues, risks on the outputs of the “Impact Analysis”.
Tools and settings They cover the planning areas and estimations (e.g. Monte Carlo) in the latter, the correct and shared settings are essential for the meaningful results.
Roles and responsibilities The RACI’s tables are to be filled with real names as described in the Communications strategy (stakeholders).
Risk category The “standard” list has to be customized for the specific (foreseen) difficulties
Risk response categories These are the common strategies:

  1. Assumption – the risk (opportunity) is proactively accepted.
  2. Mitigation – some activities will be undertaken for alleviating the impact of the potential event
  3. Transference – finding other suppliers than the existing ones
  4. Avoidance – elimination of the risk’s root (changing the existing settings)

All these actions require a specific link to the existing/proposed (Contingency) plans.
Approved by Project Manager

Technical domains

Everything

Financial / Commercial domains

Everything

Notes