RiskManagementPlanTemplateandGuide.doc

Uploaded by: laozhun  Document ID: 4153761  Uploaded: 2023-04-07  Format: DOC  Pages: 30  Size: 358KB

Risk Management Plan (Template and Guide)
Version: 2.0
November 2003

TABLE OF CONTENTS

1 INTRODUCTION
1.1 Purpose
1.2 Objectives
1.3 Scope & Context
1.4 Guiding Principles
1.5 Reference Documents
2.0 RISK MANAGEMENT ORGANIZATION
2.1 Process Responsibility
2.1.1 PMO Risk and Issue Manager/RIM Team
2.1.2 Risk Originator
2.1.3 Risk Owner
2.1.4 Project Management Office (PMO)
2.1.5 Steering Committee
2.1.6 Independent Risk Auditors
3.0 RISK MANAGEMENT INFORMATION
3.1 Detail Risk Attributes
3.2 Risk Reference Model
4.0 RISK MANAGEMENT PROCESS
4.1 Risk Management Planning
4.2 Risk Management Execution
4.2.1 Risk Management Execution Process Steps
4.2.2 Risk Escalation Procedures
4.2.3 Risk and Issue Management (RIM) Team Meeting
4.2.4 Feedback and Reporting Processes
4.3 Risk Management Closeout
5.0 RISK MANAGEMENT TOOL
5.1 Accessing the Risk-Tracking Database
5.2 Using the Risk Input Form
5.2.1 Accessing the Risk Input Form
5.2.2 Creating a Risk
5.2.3 Viewing/Updating a Risk
5.2.4 Create New Action Items
5.2.5 Viewing/Updating an Action Items
5.3 Contact & Administrative Information
5.3.1 Program Risks Information
5.3.2 Risk-Tracking Database
6.0 PERFORMANCE MEASURES

TABLE OF TABLES

Table 1 PMO Risk and Issue Management Decision Authority based on severity
Table 2 Risk Data Elements
Table 3 SEI Software Risk Taxonomy
Table 4 Risk Assessment Severity Level Matrix
Table 5 Risk Response Strategies/Techniques
Table 6 - Standard Risk Notices and Reports

TABLE OF FIGURES

Figure 1 Risk profile of a typical modern project across its life cycle
Figure 2 Risk Management Organization
Figure 3a Risk Management Planning
Figure 3b Risk Management Execution
Figure 3c Risk Management Closeout
Figure 4 Risk Management Execution Process Steps
Figure 5 Risk Assignment Matrix

1 INTRODUCTION

1.1 Purpose

This Risk Management Plan (RMP) provides the Program a consistent method to manage risks to ensure success. Unlike issues, risks relate to events that could occur and may impact the Program's scope, schedule, budget, business performance, or change management objectives. Risks are measured in terms of their likelihood of occurrence and their impact, as they relate to the program. Risk is defined as any concern that could impact the ability of the Program to meet its scope, schedule, budget, change management, or business performance objectives. Risk management involves the process for identification, assessment, mitigation, and management of the Program's risks. It drives decisions that affect the development of the business capability and the management of the program. This RMP serves as a guide to all team members on managing program-wide and team level risks. The risk management process will enable the Program to create strategies to effectively address potential barriers to program success.

Note that throughout this template document sections marked with bold, italicized text that are demarked by leading and trailing right-brackets, , are directions to the author to revise the section.

1.2 Objectives

Successful management of the Program requires informed, proactive, and timely management of risks. The specific objectives of this program risk management plan and approach are listed below.

- Ensure critical risks impacting scope, schedule, budget, business performance, and/or change management are proactively identified, communicated, mitigated, and escalated in a timely manner.
- Facilitate attention to key risks impacting the program and individual teams.
- Produce meaningful information that allows program management to focus efforts on the "right" (e.g., high likelihood and high impact) risks with an effective coordination of effort.
- Ensure appropriate stakeholders are informed and, if applicable, participate in the mitigation.
- Record an audit trail of discussions and mitigation of program risks.

The goal of this Risk Management Plan is to proactively identify and address risks early in the Program and throughout the program lifecycle in order to avoid surprises. Refer to Figure 1 below, which illustrates that proactive risk management programs used today reduce and control risks better than in the past.

Figure 1 Risk profile of a typical modern project across its life cycle
Reprinted from Software Project Management, A Unified Framework, by Walker Royce (Addison Wesley: 1998), p. 229.

1.3 Scope & Context

The plan consists of the process and timing for identifying and managing risks, the mitigation actions required, and the organizational responsibility for monitoring and managing the risks throughout the entire lifecycle (Initiation, Acquisition and Implementation). The Risk Reference Model and a tracking database, explained in detail below, serve as tools to support the RMP.

Risk management starts at the very beginning of the project (Initiation Phase per the EI Toolkit) with initial planning and assessing. Risks identified early should be addressed immediately. Risks and potential risk areas are monitored and managed throughout the remainder of the project. The scope of the Risk Management Plan (RMP) is not limited to those risks identified early. Rather, all areas should be monitored throughout. Risk management is carried out at all levels within the program: program, team, and sub-team. The risk management process ensures that risks are mitigated at the appropriate level and communicated as appropriate. While this plan provides guidance on managing all levels of risks, the primary focus is on risks at the program level, assuming that similar processes are in effect within the individual teams and sub-teams that comprise the program. While risks must be identified and effective mitigations tailored for each project, there are standard risk factors, standard assessment criteria to identify and evaluate risks, and standard mitigation approaches that have been defined for software engineering projects in general, and enterprise application implementation projects specifically. These risk factors, assessment criteria, and mitigation approaches are referred to as a Risk Reference Model. This Risk Management Plan must ensure that both individual risks and risks that are common to the class of application of the Program are identified and mitigated. Risk management is an integral part of overall project planning and management. Effective project planning and management requires effective identification and assessment of risks and determining what mitigating actions are required. Managing the effective completion of mitigation actions should be integrated with overall project tasks and assignments. Risk management also works in concert with issue management. The key difference between issue management and risk management is the element of uncertainty inherent in risks. Uncertain events that could impact the Program should be identified and managed through this RMP. Note that risks could lead to identification of issues and issues could drive identification or resolution of risks.

In addition to addressing identified risks through this risk management process, it is expected that the project planning process will also include quantitative risk assessment processes to validate project schedule and budget estimates. These techniques, including Monte Carlo simulation and decision tree analysis, are beyond the scope of this document.

1.4 Guiding Principles

In order to be successful, the principles listed below guide the use and implementation of the overall Risk Management Process that is described in detail in section 3.0 of this document.

- Decisions will not be revisited once made (unless substantively new facts become available).
- Escalation of risks follows the defined process identified below.
- A single owner is assigned responsibility for a risk even if several people work to mitigate it.
- Work and communicate progress on most severe risks first.
- Set realistic due dates and then work to meet the dates.
- Mitigate risks at the appropriate level (i.e., program, team, sub-team).
- Responsible team leads determine and agree on the risk severity level.
- Document the planned risk mitigation history and actual mitigation of a risk. This documentation serves as a key input to root cause analysis, key learning, metrics, and risk analysis.
- For high impact, unanticipated risks, a 24-hour decision turnaround may be required or as determined by the PMs. In such cases, available applicable team members will make the decision.

1.5 Reference Documents

This Risk Management Plan builds on general project and risk management references including:

- A Guide to the Project Management Body of Knowledge (PMBOK Guide) 2000 Edition (Project Management Institute, 2000)
- Assessment and Control of Software Risks, Capers Jones (Prentice Hall, 1994)
- Chaos Report and other publications, Standish Group
- Managing Risk, Methods for Software Systems Development, Elaine M. Hall (Addison Wesley, 1998)
- Project & Program Risk Management, A Guide to Managing Project Risks & Opportunities, R. Max Wideman, Editor (Project Management Institute, 1992)
- Software Engineering Risk Management, Dale Walter Karolak (IEEE, 1996)
- Software Project Management, A Unified Framework, Walker Royce (Addison Wesley, 1998)

2.0 RISK MANAGEMENT ORGANIZATION

We should/could insert a generic one that we recommend here.

The following figure depicts the organization involved in risk management. Roles and responsibilities are delineated in the subsequent sections.

Figure 2 Risk Management Organization

2.1 Process Responsibility

The Program Management Office (PMO) Risk and Issue Manager is responsible for the Risk Management Plan, its effective implementation throughout the Program, trends and metric analysis, and training Program personnel on risk management. The Risk and Issue Manager is also responsible for selecting risk tracking software, for identifying whether the Program warrants an independent risk assessment, and for identifying any risk reference model to use as a basis for assessing Program risks or identifying candidate mitigation approaches. An overview of the risk management process is depicted in Figures 3a, 3b, and 3c. Key roles and responsibilities are then defined in the following subsections. A Risk Management Checklist, which supports the process below and the appropriate signoffs, is also included in the EI Toolkit.

Figure 3a Risk Management Planning: Identify Risk Reference Model; Determine need for Independent Risk Assessment; Select Risk Tracking Software

Figure 3b Risk Management Execution: Identify Risks; Assess Risks; Mitigate Risks; Manage Risks; Close Risks

Figure 3c Risk Management Closeout: Transition any Open Risks; Produce final risk metrics; Harvest results into Reference Model

2.1.1 PMO Risk and Issue Manager/RIM Team

The PMO Risk and Issue Manager has overall facilitative responsibility for the risk management process. The RIM Team is comprised of the Risk and Issue Manager and the Risk and Issue Management Staff. Specific responsibilities include the following activities.

- Develop the Risk Mitigation Plan by customizing this template.
- Select Risk Tracking tool.
- Identify Risk Reference Model if applicable for the application class.
- Assist in determining need for independent risk assessment, support sourcing if required.
- Maintain the Risk Management Plan in line with configuration management procedures.
- Plan and coordinate RIM meetings.
- Plan and manage RIM training.
- Generate risk reports, including trends and metric analysis, for risk meetings and ad-hoc requests.
- Clarify, consolidate and document risks.
- Maintain and monitor data in the risk-tracking tool.
- Establish initial priority, owner, and target due date.
- Monitor the status of risk mitigation.
- Communicate status to risk originators and risk owners.
- Escalate communication if expected mitigation action deadlines are not met.
- Execute the risk closure process.
- Work with the Risk and Issue Management team to facilitate risk mitigation.

2.1.2 Risk Originator

The Risk Originator is any person in the Program who identifies a Program risk. Specific responsibilities include the following activities.

- Identify any significant risk to the Program.
- Complete "Create Risk" form.
- Present new risks at Risk and Issue Management (RIM) team meetings.
- Verify that the risk is eventually mitigated.

2.1.3 Risk Owner

The Risk Owner is the person to whom the RIM team assigns primary responsibility for mitigating the risk. This assignment is based on the type of risk and should be assigned to the team member who is empowered to assure this risk is mitigated. This will typically be a team lead and/or their respective co-lead. Program sponsors, directors and/or managers may also need to be aligned with a risk to assure adequate support. The Risk Owner has the following responsibilities:

- Assess the risk and create a risk mitigation plan that meets RIM team approval.
- Update risk information in risk database as described below.
- Mitigate risk per the risk mitigation plan.
- Recommend risk closure to RIM team.
- Present risk status at RIM team meetings as required.

2.1.4 Project Management Office (PMO)

The Project Management Office (PMO) has the authority to approve the risk mitigation proposed by the Risk Owner. This authority varies by the severity of the risk, as noted in Table 1 below. Additionally, the PMO members are notified of risk mitigation, as noted in Table 1 below. It is anticipated that the majority of risk mitigation will take place at the project team level.

Table 1 PMO Risk and Issue Management Decision Authority based on severity

                   | Risk Mitigation Approval Required | Risk/Issue Notification Required
Steering Committee | Very High                         | High
PM                 | High/Medium                       | Low
Deputy PM          |                                   |
Team Leads         | Low/Very Low                      | N/A

Specific responsibilities include the following.

- Accountable for ensuring timely mitigation of risks and escalating risks to the Steering Committee for support as needed.
- Champion mitigation implementation.
- Review status, severity, ownership, and completeness of risks.
- Determine risks to be returned to the appropriate project teams.
