Risk Management Presentation Colorado gov

Document Sample
Risk Management Presentation Colorado gov Powered By Docstoc
					 An IT Procurement
from Cradle to Grave

Risk Assessment & Mitigation

           CCIT Presentation
           January 18, 2012
      By: RaLea Sluga – CCU Manager
   Using a fact scenario, we are following a
    procurement from the Cradle (planning) to the
    Grave (final performance evaluation).
   The four primary processes involved in a
    procurement are:
       Planning;
       Purchasing;
       Contract formation; and
       Contract Administration.
   Today’s discussion of Risk Assessment & Mitigation
    is part of the Planning Phase and continues our
    Break Out session from the October CCIT meeting.     2
Risk Management Plan (RMP)

   RMP is an overview of the entire risk process,
    including the identification of risks and plan to
    manage such risks over the entire life of the
   It is usually created during the Planning Phase.
   RMP sets forth the original plans and processes
    agreed to by the stakeholders. It is the “Map” for
    the project.
   RMP should be basic but thorough.

    How do you create the RMP?
   Planning meetings
      Analyze issues/ideas raised at the meetings

      Brainstorm

   Delphi technique
   For buy-in, include all stakeholders and
    required parties. See Step 9, Team members,
    from my previous presentation on Planning
    dated 10/19/11.

    Why is the RMP important?
   It   helps   to keep the team on track.
   It   helps   to create schedule/timeline.
   It   helps   to create scope of project.
   It   helps   in assessment of costs/budget.
        Ex. if you determine that your projects needs
         three FTEs for one year and you only have budget
         for one, you will need to address budget shortage

    Step 1 – Risk identification
   Uncertainty versus risk
   The State is risk averse, which is why we
    usually focus on what can go wrong - the
    outcomes that represent loss or damage .
   For the RMP, you should identify existing and
    potential threats, vulnerabilities, and other
    hazards (“risks”) that can compromise the
    performance of project set-up and overall
    Step 1 – Risk identification
   Do not conduct analysis in a vacuum!
    Apply the circumstances of the specific
    project environment (Ex. resources,
    funding, time).

    Step 1 – Risk identification
   Start by identifying reasons for outsourcing
    the project. Examples include:
       Reducing and controlling operating costs
       Gaining access to exceptional capabilities
       Resources are not available within the State
   Use historical information from previous
   Documentation review of prior project files.
   Risk log of all possible risks.
   Cause/effect diagram or system flow chart.         8
Step 1 – Risk identification cont.
   Risks can generally fall into 3 key categories:
      Financial

           Keeping costs within budget.
           Lack of funding.
       Time
           Keeping project implementation on schedule.
           Conflicts with other projects.
       Delivery
           Keeping contractor on task/meeting milestones.
           Meeting scope objectives.
    Step 2 – Qualitative Risk Analysis
    A qualitative risk analysis assesses the impact
     and likelihood of identified risks.
    Risks are ranked in order according to the
     potential effect they will have on the project.
    Consider the probability versus the impact of
     each risk.
       Probability is the chance that the risk will occur.
       Impact is the consequence if the risk occurs.

Step 2 – Qualitative Risk Analysis

Step 2 – Qualitative Risk Analysis
   Establish a risk category for each risk:
       High risk – Remove risk, consider ways to
        reduce impact or prepare a contingency
       Medium risk – Remove risk, consider
        ways to reduce impact or prepare a
        contingency plan.
       Low risk – Take no immediate action, but
        continue to monitor.
Step 3 – Quantitative Risk Analysis
   If your qualitative analysis is inconclusive or you
    have trouble determining which risks to address,
    proceed to quantitative analysis.
   Quantitative analysis attempts to assign
    independently objective monetary values to the
    components of the risk assessment and to the
    assessment of the potential loss.
       Analyzes numerically the probability of each risk and its
        consequence on project objects, as well as the extent of
        overall project risk.
   By attaching a numerical value to each risk, you can
    easily identify the risks requiring the most attention.
Step 3 – Quantitative Risk Analysis
   Although a qualitative risk analysis may be easier to
    do, a quantitative risk analysis offers advantages:
      More objectivity in assessment;

      More powerful selling tool to management;

      Offers direct projection of cost/benefit of proposal;

      Can be modified to fit specific needs/situations;

      Much less prone to disagreements during review;

      Analysis is often derived from facts versus opinion.

     Step 3 – Quantitative Risk Analysis

i.       Determine value of asset at risk.
             Tangible assets – Use cost, research
              replacement cost.
             Intangible assets -
               Cost Approach - measures asset’s fair market
                value including depreciation due to physical
                use, functional obsolescence, and economic
                obsolescence (replacement cost). Does not
                directly consider economic benefits that can
                be achieved or the time period over which
                they might continue.                           15
     Step 3 – Quantitative Risk Analysis

i.    Determine value of asset at risk cont.
             Intangible assets -
               Income Approach – Focuses on the income-
                producing capability of the asset. The value
                is measured by the present value of the net
                economic benefit over the life of the asset.
                When economic conditions are not favorable,
                the income approach leads to a relative low
                valuation of assets.

      Step 3 – Quantitative Risk Analysis

ii.    Estimate the Annualized Rate of
       Occurrence (ARO) for the risk.
         This is the estimated frequency a loss will
          occur within a year and is determined on
          an annual basis.
              For example, a loss occurring once in 10 years
               has an ARO of 0.1; a loss occurring 10 times in
               a year has an ARO of 10.

       Step 3 – Quantitative Risk Analysis
iii.     Determine the countermeasures required to
         overcome the risk; determine cost.
iv.      Determine the Exposure Factor (EF), which
         is the likelihood of a loss that can be caused
         by the risk.
           It ranges from 0 to 100%.
v.       Determine the Single Loss Expectancy (SLE)
         which is the Asset Value x Exposure Factor
          For example, 1,000,000 x 20% EF = $200,000
      Step 3 – Quantitative Risk Analysis

vi.       Determine the Annualized Loss
          Expectancy (ALE) for the risk, which is
          the Single Loss Expectancy x
          Annualized Rate of Occurrence.
           Industry surveys and studies may also be
            used to determine ALE.

   Step 3 – Quantitative Risk Analysis

vii.       Conduct a safeguard cost/benefit
            The ALE prior to implementing the
             countermeasure minus the ALE after
             implementing the countermeasures minus
             the annual cost of the safeguard = the
             benefit to the State from the safeguard.

      Step 3 – Quantitative Risk Analysis

viii.   Using the ALE (vi above) and the
        safeguard cost/benefit in (vii above),
        determine the return on investment
        using Internal Rate of Return (IRR).
        The easiest way to calculate IRR is to use
         the IRR function in Microsoft Excel.
ix.     Finally, present the results for review.

Step 4 – Plan Risk Responses
   After you have identified risks and
    determined which risks require a
    response, you should develop options
    and determine actions to enhance
    opportunities and reduce threats to the
    project’s objections.
   There are 4 main ways to respond to a
     Step 4 – Plan Risk Responses
1.    Avoidance
       Change the Project to eliminate the risk.

2.    Transference
       Shift the consequence and management

        responsibility of a risk to another party.
3.    Mitigation
       Take early action to reduce the chances of a risk

        occurring or at least reduce the impact the risk will
        have on the project when it occurs.

     Step 4 – Plan Risk Responses
4.    Acceptance
         Make no changes.
         Active acceptance monitors the risk and develop a
          contingency plan in a case a risk occurs.
         Passive acceptance requires you to wait and deal with risks
          as they occur.

     Step 5 – Monitor and Control Risks
   Risk monitoring and control is the process of tracking
    identified risks, monitoring residual risks and
    identifying new risks, ensuring execution of risk plans
    and evaluating their effectiveness in reducing risk.
   While monitoring risks, you may need to choose an
    alternative strategy, implement a contingency plan,
    take corrective action or re-plan the project.
   Create a tracking list of all risks including
    prevention/contingency plans for each risk.

Risk Management Tips
   Establish a risk filter, which are 10-12 clear
    questions that can be used by procurement
    personnel to quickly and consistently identify
    those procurements that require more in-
    depth risk attention.
   Know and understand the risks that impact
    your agency objectives. Communicate those
    with vendors.
   Be proactive!
    Office of the State Controller
    Central Contracts Unit
    633 17th Street, Suite 1500
    Denver, Colorado 80202
•   RaLea Sluga, Central Contracts Unit Manager
    (303) 866-2127

•   Barbara Sohnen, Contract Specialist
    (303) 866-2862

•   Clark Bolser, Contract Specialist
    (303) 866-4759

Shared By:
ihuang pingba ihuang pingba http://