Defense Logistics Information Service

Defense Logistics Information Service

Risk Management Plan (RMP)

Seven Domains of a Typical IT Infrastructure

• User Domain
• Workstation Domain
• LAN Domain
• LAN-to-WAN Domain
• WAN Domain
• Remote Access Domain
• System/Application Domain

"The process involved with identifying, analyzing, and responding to risk. It includes maximizing the results of positive risks and minimizing the consequences of negative events"

By: Sean Rowe

David McKee

Troy Jones

" It's not "if" it's "when!"

Risk Breakdown Structure

Probability and Impact Matrix

Why do we Manage Risk?

• Lists categories and subcateogories where risks may arise

Define Probability Scale & Impact Scale

Probability Scale

Impact Scale

Likelihood of Occurrence

Likelihood Class

Consequence

Extreme =

Fatal damage is expected

High =

Severe damage or potential damage

• Project problems can be reduced as much as 90% by using risk analysis
• Postitives - More information is available during planning.

Improved probability of success/ optimum project.

• Negatives: Belief that all risks are avoidable.

Project can be cut short because of risk level.

Moderate =

Lost time or some potential down time, small risk

<0.01% chance

0.01 -0.1% chance

0.1-1% chance

1 - 10% chance

>10% chance

Not Likely (NL) =

Low (L) =

Moderate (M) =

High (H) =

Expected (E) =

Low =

Small risk or little damage

Negligible =

No concern

Probability and Impact Plots

Identify Risks

How Do we Manage Risk?

Tools & Techniques

• Document Reviews
• Information Gathering Techniques
• Checklist Analysis
• Diagramming Techniques
• SWOT Analysis
• Expert Judgement

Use the six risk mangement processes:

• Plan Risk Management
• Identify Risk
• Perform Qualitative Risk Analysis
• Perform Quantitative Risk Analysis
• Plan Risk Responses
• Monitor and Control Risks

Inputs

Outputs

• Rate each risk on scales then plot on matrix
• Develop mitigation technique for risks above tolerence

• Risk management Plan
• Activity Cost Estimates
• Scope Baseline
• Stakeholder Register
• Cost Management Plan
• Quality Management Plan
• Project Documents
• Enterprise Enviromental Factors
• Organizational Process Assets

Risk Register

Perform Quantitative Risk Analysis

Tools & Techniques

Inputs

Plan Risk Management

Information Gathering Techniques

• Data gathering and representation technique

• Quantitative risk analysis and modeling

• Expert Judgement

Risk Register

Risk Management Plan

Cost Management Plan

Schedule Management Plan

Organizational Process Assets

Tools & Techniques

Outputs

Planning Meetings and Analysis

Risk Register Updates

Outputs

• Brainstorming
• Delphi Technique
• Interviewing
• Root cause identification
• Strengths, weaknesses, opportunities, and threats (SWOT) analysis

• Project Scope Statement
• Cost Management Plan
• Schedule Management Plan
• Enterprose Enviroment Factors
• Organizational Process Assets

Plan Risk Responses

Inputs

Risk Management Plan

Outputs

Tools & Techniques

Inputs

Risk Register

Risk Management Plan

Risk Register Updates

Risk-related Contract Decisions

Project Management Plan Updates

• Strategies for negative risks or threats
• Strategies for positive risks or opportunities
• Contingent response strategy
• Expert Judgement

Diagramming Techniques

Testing

Time

Project Prioritization

What is Risk Management

Product Delivered

Late

Computer Incident Response Team Plan

Types of Incidents to the organization:

Materials

Personnel

Bad Specs

• Methodology - Approach, tools & data
• Roles & Responsibilities
• Budgeting - Resources to be put into risk management
• Timing - When and how often
• Risk Categories - Risk Breakdown Structure (RBS)
• Definitions - Risk probabilities and impact

Insufficient

Resources

DoS Attack- Prevents system or network from providing a service

Effect

Potential Causes

Malware- Malicious software (viruses, worms, mobile code and Trojan horses

Unauthorized Access- Person who gains access to resources even though it may be accidental

Inappropriate Usage- Users violate internal policies and could result in lost of money to the organization

Strategies

Risk Register

• List of
• Identified risks
• Potential responses
• Root causes

Updated risk categories

What is a Risk Management Plan

Positive Risk ( Opportunities)

• Exploit
• Share
• Enhance
• Acceptance

Negative Risks ( or Threats)

• Avoid
• Transfer
• Mitigate
• Acceptance

• Probability and Impact Matrix
• Stakeholder tolerances
• Reporting formats
• Tracking

Perform Qualitative Risk Analysis

Monitor and Control Risks

Inputs

Tools & Techniques

Outputs

• Risk probability and impact statement
• Probability and impact matrix
• Risk data quality assessment
• Risk categorization
• Risk urgency assessment
• Expert Judgement

Inputs

• Risk reassessment
• Risk audits
• Variance and trend analysis
• Technical performance measurement
• Reserve analysis
• Status meetings

Risk Register

Risk Management Plan

Project Scope Statement

Organizational Process Assets

Risk Register Updates

Organizational Process Assets

Change Request

Project Management Updates

Project Document Updates

Outputs

Risk Register Updates

Risk Register

Project Management Plan

Work Performance Information

Performance Reports