
The Risk Management Structure

Week 03- Session 03


IT Risk Management and Audit
Outline
• Risk Management Planning
• Risk Environment
• Identify Risks
• Perform Qualitative Analysis
• Perform Quantitative Analysis
Learning Outcome
• LO1: Describe the fundamental concept of
IT Risk Management and Auditing, and
know their various frameworks and techniques.
• LO2: Describe the characteristics of various
techniques of IT Risk Management and
Auditing and understand how each of them
works.
Outline
• Risk Management Planning
• Risk Environment
• Identify Risks
• Perform Qualitative Analysis
• Perform Quantitative Analysis
Risk Management Planning
• Risk—present in some form and to some degree
in most human activity—is characterized by the
following principles:
– Risk is usually (at least) partially unknown.
– Risk changes with time.
– Risk is manageable in the sense that the application
of human action may change its form and degree of
effect.
Risk Management Planning
• The purpose of risk management planning is simply to
compel project managers to devote organized, purposeful
thought to project risk management and to provide
organizational infrastructure to aid them as they attempt to
– Determine which risks are worth an investment of time
and energy
– Isolate and optimize risk
– Eliminate negative risk and enhance positive risk where
possible and practical
– Develop alternative courses of action
Risk Management Planning
• The purpose of risk management planning is simply to
compel project managers to devote organized, purposeful
thought to project risk management and to provide
organizational infrastructure to aid them as they attempt to
– Establish time and money reserves to cover threats
that cannot be mitigated
– Ensure that organizational and project cultural risk
boundaries are not breached
Risk Management Planning
Risk Management Planning
• As an integral part of normal project planning and
management, risk planning is sensibly done and repeated
and should occur at regular intervals. Some of the more
obvious times for evaluating the risk management plan
include
– In preparation for major decision points and changes
– In preparation for and immediately following evaluations
– As significant unplanned change occurs that influences the
project
Risk Management Planning
• Most major projects are guided by a series of plans
that provide the rationale and intended processes
through which projects will be executed.
– A risk management plan is recommended as part of this
suite of guiding documents. Such a plan would publish the
results or the latest status of the risk management
planning process
Risk Management Planning
• Compared to some other plans, risk planning has not
been developed as much in terms of content and
format, which allows project managers some latitude
to establish documents that suit their situation. One
approach to the content of a risk management plan is
illustrated in Table 3.1.
Risk Management Planning
Outline
• Risk Management Planning
• Risk Environment
• Identify Risks
• Perform Qualitative Analysis
• Perform Quantitative Analysis
Risk Environment
• In every project, there is a risk environment. There are
threats that must be faced and opportunities that may
present themselves, and there are myriad different ways
to deal with them.
• Risk management planning is the effort, organizationally,
to draw together the risk policies, practices, and
procedures of the organization into a cohesive whole that
will address the nature of risk peculiar to the project.
Risk Environment
• According to the Project Management Institute, the inputs
to risk management planning are the scope statement, the cost,
schedule and communications management plans, organizational
process assets, and environmental factors.
• The process assets can be reduced to the organizational
risk management policy, stakeholder risk tolerances, and
a template for the organization’s risk management plan.
In many organizations, these conventions simply do not
exist.
• They are essential to risk management success.
Risk Environment
• Not only must the environment for the producing organization be
considered, the client organization and their environment must also
be taken into account. Their risk culture may, in some situations,
supersede that of the producing organization.
• The levels of depth and detail and their effect on the project risk
management effort should be communicated in the organizational
risk management policies.
• In some organizations, such policies are scant, if they exist at all. Risk
management policies will offer insight into the amount of
information and risk reporting that is required on projects, as well as
general guidance on risk qualification, quantification, and response
development.
Risk Environment
• Stakeholder risk tolerances are a vital input because
different members of the customer, project, and
management teams may have different perspectives
on what constitutes “acceptable” risk.
• This is rarely preordained or predetermined.
• Project managers must gather this information by
vigorously pursuing the key stakeholders to identify
what they are and are not willing to accept.
Risk Environment
• In some organizations, risk management is sufficiently
well entrenched that there are standard forms and
formats for risk management plans.
• This is more common in organizations where there is a
project management office (PMO) or project support
office (PSO).
• These formats encourage consistency and knowledge
transfer as risk management history is
Outline
• Risk Management Planning
• Risk Environment
• Identify Risks
• Perform Qualitative Analysis
• Perform Quantitative Analysis
Identify Risks
Identify Risks
• A critical step in the risk management process, risk
identification is an organized, thorough approach to
finding real risks associated with a project.
• It is not, however, a process of inventing highly
improbable scenarios in an effort to cover every
conceivable possibility.
• Risks cannot be assessed or managed until realistic
possibilities are identified and described in an
understandable way.
Identify Risks
• The tools and techniques that are applied in risk
identification are as varied as the projects they
serve.
• However, some groups of tool and technique
types are most commonly applied. According to
PMI®, they include documentation reviews,
information-gathering techniques (including
SWOT analysis), checklists, assumptions analysis,
and diagramming techniques.
Outline
• Risk Management Planning
• Risk Environment
• Identify Risks
• Perform Qualitative Analysis
• Perform Quantitative Analysis
Perform Qualitative Analysis
• The identification process produces a well-
documented description of project risks.
• As analysis begins, it helps to organize and
stratify the identified risks.
• By using the information for conducting risk
identification plus the outputs from risk
identification, it’s possible to begin a basic
analysis of the risks identified.
Baselining Risk
• Risk exists only in relation to the two absolute states of
uncertainty: total uncertainty (usually expressed as 0 percent
probability) and total certainty (usually expressed as 100
percent probability).
• Risk will always fall somewhere within this range. Risk
qualification is a first, best effort to sort risk in relation to its
probabilities and impacts.
• The process is simplified significantly by defining the total
failure and total success so that the full range of possibilities
can be understood.
Baselining Risk
• Defining one or both of the performance
measurement baselines (cost and schedule)
helps set a benchmark on the curves (see Figure
3.3).
Rating Schemes and Definitions
• The degree of risk assigned in a given situation
reflects the personality of the risk analyst.
Twenty people can look at the same situation,
and each would come up with a different risk
value.
• Consequently, a risk-rating scheme built against
an agreed-to set of criteria helps minimize
discrepancies.
Rating Schemes and Definitions
Rating Schemes and Definitions
Assumptions Testing
• During risk identification, assumptions are
identified and validated.
• During qualification, assumptions are tested.
Such testing is performed not to establish the
validity of the assumption; presumably, that has
already been done.
Assumptions Testing
• Rather, the assumption tests evaluate stability and
consequences.
– Stability—This is the evaluation of the potential for
change in a given assumption. Some assumptions, by
their very nature, will change; they will not remain
stable. This assessment should be used to determine
the degree of stability for a given assumption.
– Consequences—This is the evaluation of the potential
impact to the project if the assumption proves invalid.
Risk Modeling
• The technique consists of constructing a set of questions
that, when answered candidly, will provide a metric value as
to the overall risk and opportunity associated with a project.
• The questions should span the organization’s experiences
and concerns and should reflect the organization’s risk
tolerances.
• Because this involves a clear understanding of what risk
tolerances exist within an organization, it is prudent to
develop rating schemes prior to attempting to build an
organizational risk model.
Risk Modeling
Risk Modeling
Using Analogies
• Analogy comparison is an attempt to learn from
other projects or situations and is used for many
actions, such as cost estimating and scheduling.
• It is important to distinguish between analogous
projects and projects with analogous risks.
Conducting Data Quality Assessments
• Data quality assessments need to be done at
some point during this process to ensure that
the sources of data are sufficiently valid to
warrant inclusion of the data in the process.
– Bad data quality means weak qualification;
– good data quality improves the chances that the
risk qualification will be valid.
Risk Categorization
• In the PMBOK® Guide (2013), the risk breakdown
structure is identified as a categorization tool.
• Other tools, such as the affinity diagram or the work
breakdown structure, can also serve as structures
against which to sort project risks. Sorting and
categorizing risks during risk qualification can provide
a sense of which areas of risk are driving the greatest
concern and which (by sheer volume) warrant greater
attention.
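An added example, not from the deck, of the qualitative steps above: a risk-rating scheme built on agreed-to probability and impact criteria, applied to a small risk register and then sorted by risk breakdown structure (RBS) category. The band limits, level thresholds, category names and register entries are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed rating scheme (not from the deck): agreed criteria that map an
# estimated probability and a cost impact onto 1..5 scores, then P x I bands.
PROBABILITY_BANDS = [(0.10, 1), (0.30, 2), (0.50, 3), (0.70, 4), (1.00, 5)]
IMPACT_BANDS = [(10_000, 1), (50_000, 2), (200_000, 3), (1_000_000, 4),
                (float("inf"), 5)]                  # (upper bound in USD, score)
LEVELS = [(4, "low"), (12, "medium"), (25, "high")]  # (upper bound on P x I, label)

@dataclass
class Risk:
    name: str
    category: str        # RBS category the risk is sorted under
    probability: float   # 0..1, as estimated during identification
    impact: float        # cost impact in USD if the risk occurs

def band_score(value, bands):
    """Score a value against ordered (upper bound, score) criteria."""
    for upper, score in bands:
        if value <= upper:
            return score
    raise ValueError(f"{value} is outside the rating scheme")

def rate(risk):
    """Return (probability score, impact score, P x I score, level label)."""
    p = band_score(risk.probability, PROBABILITY_BANDS)
    i = band_score(risk.impact, IMPACT_BANDS)
    score = p * i
    level = next(label for upper, label in LEVELS if score <= upper)
    return p, i, score, level

def categorize(risks):
    """Group rated risks by RBS category, highest P x I first, so the
    categories driving the most concern stand out."""
    grouped = {}
    for r in risks:
        _, _, score, level = rate(r)
        grouped.setdefault(r.category, []).append((r.name, score, level))
    for items in grouped.values():
        items.sort(key=lambda item: item[1], reverse=True)
    return grouped

# Constructed register for illustration.
REGISTER = [
    Risk("key supplier delivers late", "external", 0.30, 200_000),
    Risk("unpatched platform exploited", "technical", 0.65, 600_000),
    Risk("test environment unavailable", "technical", 0.20, 30_000),
    Risk("scope change from sponsor", "organizational", 0.45, 120_000),
]

if __name__ == "__main__":
    for category, items in categorize(REGISTER).items():
        print(category, items)
```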
Risk Categorization
Outline
• Risk Management Planning
• Risk Environment
• Identify Risks
• Perform Qualitative Analysis
• Perform Quantitative Analysis
Perform Quantitative Analysis
• Quantitative risk analysis is the effort to examine risk
and assign hard metric values to both the project risk
as a whole and to the most significant risks (as
established through risk qualification).
• Project managers conduct risk quantification to
establish the odds of achieving project goals, to justify
contingency reserves, to validate targets associated
with the triple constraint, and to conduct in-depth
“what-if” analyses.
Experts Interview
• The interviews provide the basis for taking qualitative
information and transforming it into quantitative risk
estimates.
• Nearly all risk analysis techniques require some expert
judgment.
• The expert interview technique is relatively simple.
– Basically, it consists of identifying appropriate experts and
then methodically questioning them about risks in their
areas of expertise as related to the project.
Experts Interview
• The technique can be used with individuals or groups
of experts.
• The process normally obtains information on risk
associated with all three facets of the classic triple
constraint: schedule, cost, and performance.
• In addition, the process may identify risks associated
with other environmental and organizational
considerations.
Expected Monetary Value (EMV)
• Expected monetary value is a statistical concept
that takes into account the probability and
impact of risks by multiplying those values
together to generate a numeric value to be
applied in risk decision making
Decision Tree Analysis
• Decision trees are classic project risk tools that
provide a wealth of information in an easy-to-
interpret format. They are particularly helpful in
risk quantification as they provide information
on the options, the probabilities of events
associated with those options, the expected
value of those options, and the potential
impacts of all possible outcomes.
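An added example, not from the deck, that works the EMV and decision tree slides together: a small tree evaluator that rolls probability-weighted impacts up through chance nodes and picks the response with the best expected monetary value net of its cost. The supplier risk, the three response options and every probability and cost figure are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed example (not from the deck): choose a response to one project
# risk by comparing the expected monetary value (EMV) of each option.

@dataclass
class Outcome:                 # leaf: a fixed monetary result (negative = loss)
    label: str
    value: float

@dataclass
class Chance:                  # chance node: (probability, subtree) branches
    label: str
    branches: List[Tuple[float, "Node"]]

@dataclass
class Decision:                # decision node: (option label, option cost, subtree)
    label: str
    options: List[Tuple[str, float, "Node"]]

Node = Union[Outcome, Chance, Decision]

def emv(node: Node) -> float:
    """EMV of a subtree: a leaf returns its value, a chance node the
    probability-weighted sum, a decision node its best option net of cost."""
    if isinstance(node, Outcome):
        return node.value
    if isinstance(node, Chance):
        if abs(sum(p for p, _ in node.branches) - 1.0) > 1e-9:
            raise ValueError(f"probabilities at '{node.label}' must sum to 1")
        return sum(p * emv(sub) for p, sub in node.branches)
    return max(emv(sub) - cost for _, cost, sub in node.options)

def option_values(decision: Decision) -> dict:
    """EMV of every option at a decision node, so the ranking is visible."""
    return {name: emv(sub) - cost for name, cost, sub in decision.options}

def best_option(decision: Decision) -> str:
    values = option_values(decision)
    return max(values, key=values.get)

# Constructed risk: a key supplier delivers late, costing 200,000 if it happens.
late, on_time = Outcome("late", -200_000.0), Outcome("on time", 0.0)
RESPONSE = Decision("respond to supplier risk", [
    ("accept", 0.0, Chance("accept", [(0.3, late), (0.7, on_time)])),
    ("mitigate: second source", 30_000.0,
     Chance("mitigate", [(0.1, late), (0.9, on_time)])),
    ("transfer: insure, 50k deductible", 45_000.0,
     Chance("transfer", [(0.3, Outcome("late, insured", -50_000.0)), (0.7, on_time)])),
])

if __name__ == "__main__":
    for name, value in option_values(RESPONSE).items():
        print(f"{name:35s} EMV = {value:>12,.0f}")
    print("best option:", best_option(RESPONSE))
```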
Program Evaluation and Review Technique
• The program evaluation and review technique
takes the network analyses (briefly mentioned
under risk identification) a step further by
embedding multi-data-point duration estimates
to establish risk values for schedules.
Sensitivity Analysis
• Sensitivity analysis examines risk from a one-at-
a-time perspective. In a sensitivity analysis,
individual variables are modified one by one to
assess their relative impact on the project’s
outcomes. Sensitivity analyses are normally
conducted in the context of a risk simulation.
Simulations
• Both cost and schedule risks can be evaluated
using risk simulation tools, the most popular of
which is the Monte Carlo analysis.
• These tools provide ranges of possible
outcomes and the likelihood of achieving these
outcomes.
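An added example, not from the deck, that ties the PERT, sensitivity analysis and simulation slides together: three-point duration estimates for a serial path give the analytic PERT expectation, a Monte Carlo run over the same estimates gives the range of outcomes and the likelihood of meeting a target, and a one-at-a-time swing ranks which task drives schedule risk. The task names and their estimates are constructed; the simulation draws from a triangular distribution, which is one common choice and not the only one.

```python
import random

# Constructed three-point estimates (optimistic, most likely, pessimistic) in
# working days for a serial path of tasks; not taken from the deck.
TASKS = {
    "requirements": (5, 8, 15),
    "build": (10, 15, 30),
    "security test": (3, 5, 12),
    "deploy": (1, 2, 4),
}

def pert_estimate(o, m, p):
    """PERT expected duration (o + 4m + p) / 6 and standard deviation (p - o) / 6."""
    return (o + 4 * m + p) / 6, (p - o) / 6

def pert_path(tasks):
    """Analytic expected duration and sigma of the whole path (variances add)."""
    estimates = [pert_estimate(*est) for est in tasks.values()]
    return sum(e for e, _ in estimates), sum(s * s for _, s in estimates) ** 0.5

def simulate(tasks, runs=20_000, seed=7):
    """Monte Carlo: draw each task from a triangular distribution over its
    three-point estimate and sum along the path; returns one total per run."""
    rng = random.Random(seed)
    return [sum(rng.triangular(o, p, m) for o, m, p in tasks.values())
            for _ in range(runs)]

def probability_within(samples, target):
    """Likelihood of finishing by 'target' days, read straight from the sample."""
    return sum(1 for s in samples if s <= target) / len(samples)

def percentile(samples, q):
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def sensitivity(tasks):
    """One-at-a-time swing: move a single task between its optimistic and
    pessimistic value with every other task held at its PERT mean; the size
    of the swing ranks which task the schedule is most sensitive to."""
    means = {name: pert_estimate(*est)[0] for name, est in tasks.items()}
    base = sum(means.values())
    swings = {name: (base - means[name] + p) - (base - means[name] + o)
              for name, (o, m, p) in tasks.items()}
    return dict(sorted(swings.items(), key=lambda kv: kv[1], reverse=True))

if __name__ == "__main__":
    mean, sigma = pert_path(TASKS)
    runs = simulate(TASKS)
    print(f"PERT path: {mean:.1f} days, sigma {sigma:.1f}")
    print(f"P(finish <= {mean:.1f} d) = {probability_within(runs, mean):.2f}, "
          f"P80 = {percentile(runs, 0.8):.1f} d")
    for task, swing in sensitivity(TASKS).items():
        print(f"{task:15s} swing {swing:4.1f} d")
```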
Thank You
