Docstoc

risk-register

Document Sample
risk-register Powered By Docstoc
					12/13/2011 1:23 PM                                                                              Page 1 Document control   5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx




                                     Risk, Assumption and Issue
                                              Register


                                                             Version n
                                                            dd month y ear




                     Function                    Strategy        Solution    Offer   Contract
                     Sales Lead

                     HR Representativ e

                     Finance Representativ e

                     Legal Representativ e

                     Serv ice Line Manager

                     Technical Representativ e

                     Bid Manager

                     Other
12/13/2011 1:23 PM   Page 2 Document control   5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx
   12/13/2011 1:23 PM                                                                                                                                             Page 3 Contents   5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx




Introduction
This Risk, Assumptions and Issues Register is to be used on all contracts with review value greater than EUR 50k.

All risks, assumptions and issues must be recorded in this register and the bid/delivery manager is responsible for ensuring regular reviews of all open risks,
assumptions and issues and for adding new risks, assumptions and issues to the register as they are identified.

A Risk Management Tool will not do the job for you. A tool is only a mechanism to help you:

- It has no intelligence
- It will not manage risk for you

It is vital that everyone understands risk management and why it is important.

This Excel workbook contains the following sheets:

Guidelines & Definitions
This sheet contains a set of guidelines for filling out the rest of the workbook. It also contains definitions used throughout the workbook. These definitions
should not be changed as they will have an impact on the rest of the workbook.
Risk Summary ( input)

The Risk Summary forms part of the Executive Summary Memorandum which is mandatory for all bids opportunities to be reviewed by Country Management,
Regional Management or the Management Board. The majority of this sheet is filled in automatically when the Risk Log is populated.

Risk Log
This sheet must be used to record all bid and delivery risks.

Assumption Log

This sheet must be used to record all bid and delivery assumptions.

Issue Log

This sheet must be used to record all bid and delivery issues.

Charts and Analysis

This sheet is automatically generated to produce graphs showing the number of risks open and closed in each of the risk rating area (Red, Amber, Green) and
the number of issues open and closed by severity level.

Notes
1. Problem with Freeze Frames in some versions of Excel

There is a problem with versions of Excel earlier than Excel 2000 such that you will need to remove freeze frames to ensure that the drop down selection lists
work.

2. Stopping Printing of Selected Sheets

If you do not want to print out the Contents and Guidelines & Definitions sheets then you can do this by hiding the sheets. This is achieved by:
Going to the worksheet you want to hide
Select Format from the toolbar
Select hide from the drop down menu

You can select Format and then unhide at any time to get the sheets back.

Do not delete the Guidelines and Definitions sheet as this will result in unresolved references.
 12/13/2011 1:23 PM                                                    Page 4 Guidelines & Definitions                       5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx

Risk Summary input
Risk Rating and Probable Cost before Mitigation

The values in this section are filled in automatically from the Risk Log and shows the Risk Rating and probable cost before mitigation for area level 1 risks (see under
Risk Log for descriptions). The Sales, Delivery and Technology areas can be expanded (click on the + sign) to show the level 2 values. The Trend is also automatically
generated from the second set of values onwards.

It is possible to override the rating value by copying the appropriate cell from the Manual Override Indicator list:

      X
               Unacceptable. Must reduce risk via controls / or insurance techniques, or transfer risk
      O
               Undesirable. Must attempt to reduce / mitigate. Mitigation plan & impact analysis required
      √        Acceptable. Note and watch for possible escalation or aggregation. Normal activities of continuous improvement must still be applied
However:

1 You must also override the Global Status rating
2 By doing this you will lose the automatic calculation of these cells for the current phase unless you replace the formula. The formula is simply:

=Working!$F$n

where n is a value between 4 and 28 depending on the area (see below under Risk Log)

The Global Status can be replaced by summing the area level 1 cells and dividing by 6.

When you move onto the next phase the automatic calculation will be restored.
Mitigation Cost

The Mitigation Costs are filled in automatically from the Risk Log. The Sales, Delivery and Technology areas can be expanded (click on the + sign) to show the level 2
values.

These costs must be included in the financial forecast for the opportunity.

Bid Team View of Risk Rating and Probable Cost post Mitigation

The probable costs after mitigation and trend are filled in automatically from the Risk Log. The Risk Rating is filled in manually to reflect the team's view of the risk status
for all areas. The Sales, Delivery and Technology areas can be expanded (click on the + sign) to enter the level 2 ratings.

Key Risks

The top five risks from the Risk Log must be entered manually.
Key Assumptions
The top five assumptions from the Assumptions Log must be entered manually.

Strategy Checkpoint/ Solution Checkpoint/ Offer Checkpoint
 12/13/2011 1:23 PM                                                 Page 5 Guidelines & Definitions                     5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx

These three buttons are used for freezing the rating and cost values at the end of each Review phase so that a historic record of changes to the rating and costs can be
seen.

Risk Strategy

Any specific strategy for handling risks should be entered here. This section may point to a separate risk strategy document.
 12/13/2011 1:23 PM                                             Page 6 Guidelines & Definitions                5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx

RISK LOG
No.
A unique number used to identify the risk
Area
Area codes are used to group risks, assumptions and issues into related areas. Area Level 1 codes are used in the Rainbow Executive Summary Memorandum (RESM)
and map onto business functional groups.

An area code must be entered to ensure the correct values are summarised in the RESM sheet.

  Working
                      Area Level 1               Short Code                    Area Level 2
   Value
     4                   Sales                       SAL                           Sales
     5                                             CUSREL                 Customer Relationship
     6                                               BID                             Bid
     7                    HR                          HR                   Human Resources
     8                  Finance                      FIN                         Financial
     9                   Legal                       LEG                           Legal
    10                  Delivery                     DEL                          Delivery
    11                                               C&U                    Customer & Users
    12                                            SUP/PAR                   Suppliers, Partners
    13                                               ORG                       Organisation
    14                                              STAFF                     Staff and skills
    15                                             CONTS                      Contract Scope
    16                                                FR                 Functional Requirement
    17                                            NFR/SLA                      NFRs / SLAs
    18                                               EST                         Estimating
    19                                               PLA                          Planning
    20                                               DLV                       Deliverables
    21                                             TRANS                         Transition
    22                                             CONTM                  Contract Management
    23                                             DUEDIL                      Due Diligence
    24                                               ACC                        Acceptance
    25                Technology                    TECH                        Technology
    26                                            SOL&ARC                Solution and Architecture
    27                                            T&METH                    Tools and Methods
    28                                               ENV                        Environment
 12/13/2011 1:23 PM                                                   Page 7 Guidelines & Definitions                        5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx

Description

This is the description of the actual risk. This must be very precise and describe the basis for the risk. For example "Testing is a risk" is not acceptable as it is too vague
and does not explain the real reason why testing is a risk. A better description would be "Interface testing with a supplier's software is a risk as they may not be ready in
time so that we may have to produce extra software to test our interface".
Raised
Date on which the risk was identified
By
Initial of the person who raised the risk

Impact

When a risk has been identified an assessment of the significance of the risk needs to be carried out. Not all risks are of equal importance and one of the measures is
the potential impact which is the likely effect (typically cost) of a risk occurring.

Impact is typically expressed in financial terms (i.e. in terms of cost) but there are three key elements to consider in reaching the assessment:

- Commercial impact, for example cost and timescale
- Technical / delivery impact including performance requirements
- Delivery visibility - relationship with the Canon for current and future business and impact on suppliers’s image in the market place.

The impact used in this register is defined using five levels:


                             5                           Severe
                             4                            High
                             3                          Moderate
                             2                           Minor
                             1                           Trivial
 12/13/2011 1:23 PM                                                   Page 8 Guidelines & Definitions                        5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx

The following tables are provided for guidance in determining the potential impact of a risk. However, there are many factors that may influence the choice of impact
level e.g. the amount of contingency in the initial estimate or the previous track record with Canon.


   Impact                 Profit                         Cost                             Delivery                       Performance                     Reputation
               Total erosion of Profit    Very large increase in total cost   Very large delay to activity /   Major shortfall in any key       Politically sensitive or high
                                                                              delivery                         acceptance criteria / SLA. Major profile service offering that
                                                                                                               performance criteria not met     could have significant impact
      5
                                                                                                                                                on the image of the supplier
                                                                                                                                                if there are issues.

               Serious threat to          Large increase to total cost        Large delay to activity /        Significant shortfalls in more
      4        expected profit                                                delivery                         than two key acceptance
                                                                                                               criteria/SLA
               Significant reduction in   Significant increase in total cost Significant slip to activity /    Substantial shortfall in one or   Politically sensitive / high
               profit                                                        delivery                          two key acceptance criteria /     profile for the suppliers
      3                                                                                                        SLA. A single non-critical        business unit or for other
                                                                                                               performance criteria not met      work with the Canon Group
               Small effect on profit     Small increase in total cost        Small slip to activity /         Some shortfalls in one or two
      2                                                                       delivery                         non-key acceptance criteria/SLA

               Trivial effect on profit   Trivial increase in total cost      Negligible slip (but be          A few shortfalls in non-key       Little impact on Canon
      1
                                                                              aware)                           acceptance criteria / SLA

An alternate way of assessing the impact can be by a percentage reduction:

   Impact                 Profit                         Cost                             Delivery                       Performance
      5        85-100% loss of profit     >50% increase to cost base          >50% of total WP cost            > 50% shortfall
      4        50-84% loss of profit      30-50% increase to cost base        30-50% of total WP cost          30-49% shortfall
      3        21-49% loss of profit      10-29% increase to cost base        10-29% of total WP cost          10-29% shortfall
      2        5-20% loss of profit       5-9% increase to cost base          5-9% of total WP cost            3-9% shortfall
      1        < 4% loss of profit        >4% increase to cost base           <4% of total WP cost             < 3% shortfall

The highest impact value from the set of tables should be used as the overall impact value in the risk matrix.
 12/13/2011 1:23 PM                                                   Page 9 Guidelines & Definitions                       5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx
Probability (%)

The other measure used in determining the significance of a risk is the probability of the risk occurring. Probability can either be expressed as a percentage or a
description that reflects the likelihood of the risk occurring. Typical questions to assist with assessing probability include:

· What have been the risks in similar delivery/business propositions?
· How often have they occurred?
· What delivery risks have occurred in this area of business?
· How often have they occurred?
· How many people or assets will be affected?

When calculating the probability of a risk, it is important to avoid taking into account mechanisms being put in place to minimise the risk occurring or mitigating its effect.
The probability of a risk should be considered as the likelihood of occurrence if no special preventative action had been put in place.

A table is available below for guidance in determining the probability of a risk occurring.


 Probability
                      % Probability           Probability of Occurrence                 Description
   Rating
                                                                               Assume risk will occur –
      5                   >85%              Almost Certain
                                                                               include in costs / plans
      4                 50 - 85%            Very Likely                        More likely to happen than
                                                                               not
      3                 21 - 49%            Likely/Possible                    Fairly likely to occur
      2                  1 - 20%            Not very likely                    Low, but not impossible
                                                                               Could ignore, but leave on
      1                    <1%              Highly Unlikely/Improbable
                                                                               risk register
 12/13/2011 1:23 PM                                                      Page 10 Guidelines & Definitions                          5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx

Risk Rating

Once the estimated probability and overall impact of a risk has been estimated then a risk rating and a RAG (Red, Amber, Green) status is automatically calculated by
using the values in a Risk Assessment Matrix (RAM) (see table below) to determine the risk rating which is calculated over a scale of 1 to 25 which makes it possible to
get a view of:

· The most significant risks so effort can be concentrated on these
· An overall bid/contract risk profile

A risk with very little probability of occurring is unlikely to be of great significance to delivery, unless its impact is extremely severe. Similarly, a risk with little delivery
impact is unlikely to be of great significance to the delivery.

Every risk should be re-assessed on a regular basis as both the probability of it occurring and its impact may change.

      Impact                                Probability
                        1          2            3            4            5
               1        1          2            3            4            5
               2        2          4            6            8            10
               3        3          6            9            12           15
               4        4          8           12            16           20
               5        5          10          15            20           25


                   Unacceptable. Must reduce risk via controls / or insurance techniques, or transfer risk
                   Undesirable. Must attempt to reduce / mitigate. Mitigation plan & impact analysis required
                   Acceptable. Note and watch for possible escalation or aggregation. Normal activities of continuous improvement must still be applied

Prioritisation of risks is essential so that effort can be focused on the most significant threats to the success of the delivery. The priority categories established in the risk
estimation process enable risks to be ranked accordingly. Where the risk evaluation indicates that some form of mitigation is required then a detailed plan of action is
required for each risk.

Minor risks identified from the Risk Matrix are likely to be the ones where the cost of the risk occurring is cheaper than the implementation of counter-measures.

Major risks will almost certainly require some form of alternative action to be planned; intermediate risks need to be considered each in there own right to ensure that the
most appropriate cost balance is achieved..
 12/13/2011 1:23 PM                                                   Page 11 Guidelines & Definitions                        5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx

Risk Exposure
Risk Exposure is the potential cost if a risk happens.

It is also possible that you may not be able to estimate a mitigation cost but you may want to identify a cost to be put in the financial forecast to reduce the severity of the
risk if it occurs.
Probable Cost

Probable cost is exposure times the probability of the risk occurring. E.g. if we estimated that a risk could cost 60,000 Euro but the probability of the risk actually
happening is only 20% then the Probable Cost will be 12,000 Euro (60,000*20%)

Mitigation Cost
This is the cost of any mitigation that can either reduce the impact or probability of a risk occurring or remove a risk entirely.

For each risk there is a balance between the cost to the delivery if the risk were to occur versus the cost of implementing counter-measures. These costs need to be
evaluated to determine what is acceptable for the delivery.

For each risk, alternative actions / strategies need to be considered. Risks can be mitigated by:
- Reduction or elimination - redesigning the solution and / or delivery approach can reduce risks.
- Transfer - risks can be re-assigned to the parties best able to control them or who can carry the risks at the lowest cost. Sharing, possibly through back-to-back
agreements with subcontractors can reduce risks.
- Avoidance- risks can be avoided by changing scope, design and /or technology, and in certain cases a submission of a non-compliant bid.
- Insurance - insurance is a particular form of risk transfer.
- Absorption / acceptance - risks that cannot (or cannot economically) be eliminated, transferred or avoided. However it is not always essential for one party alone to
bear all the absorbed risks.

Prevention measures reduce the probability of occurrence of an undesired risk while mitigation measures reduce the impact of an undesired risk.
Containment actions are normally preferable to contingency actions.

In all instances the option chosen must be made with full knowledge of the impact and in assessing potential mitigation strategies the additional costs of mitigation must
be balanced against the probability of a risk occurring. It must be remembered that the cost of mitigation is a definite cost, which will be incurred, whilst risk is by its
nature an uncertain cost that may or may not occur.

It is possible that there are mitigations that do not have a cost e.g. ensuring the use of a Project Manager experienced in the type of contract. This is still a risk that
needs to be recorded and handled

It is also possible that you may not be able to estimate a mitigation cost but you may want to identify a cost to be put in the financial forecast to reduce the severity of the
risk if it occurs.

ALL MITIGATION COSTS MUST BE PUT IN THE FINANCIAL FORECAST FOR THE CONTRACT
 12/13/2011 1:23 PM                                                   Page 12 Guidelines & Definitions                       5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx
Probable Cost Post Mitigation

This is the Probable Cost after a mitigation has been applied. If there is no mitigation then this will be the same as the Probable Cost. If there is a mitigation this value
will be zero if the mitigation removes all the risk but if there is still a reduced risk then the probable cost of this reduced risk should be put here.


Preventative/Mitigating Actions
This describes the actions to be taken to mitigate the risk. It is possible that there may be more than one mitigating action that can be taken. All possible mitigations
should be documented here.
Resp
This is the owner of the risk i.e. the person who is responsible for performing any actions required or who is responsible for tracking the risk.

Due
This is the date by when any actions are to be completed or may be the next checkpoint for this risk.
Status
This indicated whether the risk is still ongoing or has been closed I.e. is no longer a risk
Days Open /Date Closed
This either gives the date on which the risk was closed or is the number of days since the risk was first raised.
 12/13/2011 1:23 PM                                                  Page 13 Guidelines & Definitions                      5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx


ASSUMPTION LOG


This log is used to record every assumption made during a bid/contract and must include all assumptions as well as those relating to subcontractors.

It is vital that all assumptions are verified and officially documented as soon as they can be with the appropriate party as any assumption that proves not to be correct will
usually have some cost or timescale impact on delivery.

It is also important to remember that an assumption that proves not to be correct is very likely to be a risk. So all assumptions need to be regularly reviewed to either be
verified or considered as a risk in which case it should be transferred to the risk log.


No.

A unique number used to identify the assumption

Area

Area codes are used to group risks, assumptions and issues into related areas.


Target

Target is used to identify who the assumption is on/with

               int                         Supplier internal
               CAN                         Canon
               SUPP                        Partner/Subcontractor
Assumption

This is a description of the assumption being made.
Raised
Date on which the assumption was identified
By
Initial of the person who raised the assumption
Action Required if not true
This is a description of what the impact could be if an assumption proves not be true.
 12/13/2011 1:23 PM                                                  Page 14 Guidelines & Definitions                     5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx
Cost Impact if not true
This is the cost of any action we may need to do if the assumption proves not to be true.
Confirmed
This indicates whether an assumption has been verified.

It is important that all assumptions are verified as soon as they can be as any assumption that it not correct will usually have some impact on us. Remember that an
assumption that is not true can be a risk.

ISSUE LOG
No.
A unique number used to identify the issue
Area

Area codes are used to group risks, assumptions and issues into related areas.

Description

This is the description of the actual issue. This must be very precise and describe the basis for the issue.

Raised
Date on which the issue was identified
By
Initial of the person who raised the issue
Severity
This indicates the significance of the issue on a scale of 1 to 5:
                             5                           Severe
                             4                            High
                             3                          Moderate
                             2                           Minor
                             1                           Trivial
Actions/Solution
This describes the actions to be taken to resolve the issue. It is possible that there may be more than one action that can be taken. All possible actions should be
documented here.
 12/13/2011 1:23 PM                                                  Page 15 Guidelines & Definitions                     5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx
Resp
This is the owner of the issue i.e. the person who is responsible for performing any actions required or who is responsible for tracking the issue.

Due
This is the date by when any actions are to be completed or may be the next checkpoint for this issue.
Status
This indicated whether the issue is still ongoing or has been closed I.e. is no longer an issue.
Days Open /Date Closed
This either gives the date on which the issue was closed or is the number of days since the issue was first raised.

Charts and Analysis
This sheet is automatically generated to produce graphs showing the number of risks open and closed in each of the RAG ratings and the number of issues open and
closed by severity level.
12/13/2011 1:23 PM   Page 16 Guidelines & Definitions   5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx
12/13/2011 1:23 PM                                                                                                                                Page 17 Risk Summary (input)                                 5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx



                                                                                                      RISK MANAGEMENT SUMMARY
Risk Summary
              Date                                                                                                                              Manual Override Indicator
                           Strategy                  Solution                          Offer                      Contract                            X
                            Rating          Rating              Cost          Rating           Cost      Rating              Cost                     O             Strategy Checkpoint
                                                                                                                                                      √
                                                                                                                                                                    Solution Checkpoint
                                     Risk Rating and Probable Cost before Mitigation (Euro K)
Sales                          0               0                 0
                                                                                                                                                                      Offer Checkpoint
Human Resources                0               0                 0
Financial                      0               0                 0                                                                              Risk Strategy
Legal                          0               0                 0
Delivery                       0               0                 0
Technology                     0               0                 0
GLOBAL STATUS/
                               0               0
WEIGHTED RISK                                                    0


            Risk Trend                        ►


                                                       Mitigation Cost (Euro K)
Sales                                                            0
Human Resources                                                  0
Financial                                                        0
Legal                                                            0
Delivery                                                         0
Technology                                                       0
Total Mitigation Cost                                            0


                           Bid Team View of Risk Rating and Probable Cost post Mitigation (Euro K)
Sales                                                            0
Human Resources                                                  0
Financial                                                        0
Legal                                                            0
Delivery                                                         0
Technology                                                       0
GLOBAL STATUS/
WEIGHTED RISK                                                    0

            Risk Trend


Key Risks

                         Probable Cost
                                          Mitigation     Probable Cost
                             before                                                                                                                                                             Mitigation
            Risk Area                       Cost         post Mitigation                                   Description
                           Mitigation
                                          (Euro K)          (Euro K)
                            (Euro K)




Key Assumptions
                                                                                                                                      Cost
                                                                                                                                    Impact if
            Risk Area       Target                                                Description                                                                                    Action Required if not True
                                                                                                                                    not True
                                                                                                                                    (Euro K)
 12/13/2011 1:23 PM                                                                                                                            Page 18 Risk Log                                                                5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx



                                                                                                                                                                             Probable
                                                                                                                                          Risk
                                                                                                                                                    Probable   Mitigation    Cost Post                                                                       Days Open / Date
No.      Area                         Description                        Raised      By     Impact      Probability (%)   Risk Rating   Exposure                                          Preventative/Mitigating Actions   Resp       Due         Status
                                                                                                                                                   Cost (Euro) Cost (Euro)   Mitigation                                                                          Closed
                                                                                                                                         (Euro)
                                                                                                                                                                              (Euro)
R001
                 Insert new rows above this line (drag down columns H, J and Q from previous row to get formula)


 2     <= Next Risk Number
12/13/2011 1:23 PM                                              Page 19 Assumption Log                            5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx


                                                                                                                               Cost Impact if not
 No.      Area       Target                    Assumption        Raised       By         Action Required if not true                              Confirmed
                                                                                                                                  true (Euro)

 A001
                              Insert new rows above this line

  2      <= Next Assumption Number
12/13/2011 1:23 PM                                                                                      Page 20 Issue Log                         5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx



                                                                                                                                                                              Days Open/
No.     Area                        Description                         Raised       By      Severity                       Actions/Solution   Resp       Due       Status
                                                                                                                                                                              Date Closed

I001
               Insert new rows above this line (drag down column K from previous row to get formula)


2      <= Next Issue Number
12/13/2011 1:23 PM                                                     Page 21 Charts & Analysis                                  5987a8d6-28e2-4f94-8d78-656855675ca9.xlsx




                                    Risks by Rating                                                              Issues by Severity

                     20                                                                               20
        Risk Count




                                                                                        Issue Count
                                                              Open
                     10                                                                                                                              Open
                                                              Closed                                  10
                                                                                                                                                     Closed




                      0
                              Red       Amber         Green                                            0
                                                                                                           5       4         3          2   1
                                        Rating
                                         Level                                                                         Severity Level




                          Rating      Open       Closed                                                        Severity          Open       Closed
                           Red         0            0                                                             5               0            0
                          Amber        0            0                                                             4               0            0
                          Green        0            0                                                             3               0            0
                                                                                                                  2               0            0
                                                                                                                  1               0            0

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:10
posted:12/13/2011
language:English
pages:21