FSC Risk Management Process

By Jeanette Sanders, 2014-12-17 18:58

    Foundation Service Centre (FSC) Foundation Service Centre - Risk Management Process

    (Insert logo here)

    Foundation Service Centre

    Foundation Service Centre (FSC) - Risk Management Process

    Draft Document v1.0

Author: Matt Sealby

    Owner: Andy Kirby

    Client: YHGfL

    Document Number: 26

    Document Version: d1.0

    Document Date: 19/05/2006

    108174087.doc; Page 1; of 12; 17/12/2010;

Table of Contents

    1. Change Control Information
    1.1. Record of Changes
    2. Introduction
    2.1. Nature of Risk
    2.2. Scope
    2.3. Objectives
    2.4. Types of Risk
    2.4.1. Strategic Risk
    2.4.2. Programme / Project Risk
    2.4.3. Operational Risk
    3. Risk Management Process
    3.1. Risk Identification
    3.1.1. Categorisation of risks
    3.2. Risk Assessment
    3.3. Risk Evaluation
    3.4. Planning
    3.4.1. Strategies and Plans
    3.5. Management of Risks
    3.5.1. The Risk Manager
    3.5.2. Risk Management Implementation Plan
    3.5.3. Risk Reviews and Reporting
    3.5.4. The Risk Register
    3.5.5. Closing a Risk
    4. Roles and Responsibilities
    5. Customer Risk Management
    6. Appendices
    6.1. Appendix A - The Risk Management Process Flowchart

1. Change Control Information

1.1. Record of Changes

    Release No. | Revision Date | Summary of Changes | Changes Marked?
    d1.0        | 19/05/2006    | First draft        | No

2. Introduction

    Risk Management is used to identify, analyse, monitor and control risks to the successful outcome of the YHGfL objectives.

    The [Manager - decide who] has overall responsibility for risk management, including procedures that ensure that new risks are identified, captured and progressed, and that extant risks have owners and monitored action plans. A risk register containing details of the risks and plans for their ongoing management will be set up and maintained.

    Risk Management shall include all parties who have inputs to YHGfL, including YHGfL staff, LEA representatives and Supplier representatives.

2.1. Nature of Risk

    Risks are events which can occur at any time and which could adversely affect YHGfL’s objectives, i.e. increased costs, reduced quality of service and increasing numbers of Incidents.

    For individual risks there are opportunities to develop preventative strategies which reduce or eliminate the probability of the risk occurring, or which mitigate the impact of the risk should it occur. There are also opportunities to develop fallback strategies to be implemented should the risk occur. (Please refer to the FSC Service Continuity Plan [hyperlink/location].)

    Choosing to do nothing may be the best strategy in some instances. For example, if a mitigating action costs too much, it might be neither sensible nor cost-effective to deal with the risk.

2.2. Scope

    The Risk Management Framework covers YHGfL, the FSC and supported programmes and projects.

    Risk Management will increase awareness of risks across YHGfL and ensure that appropriate strategies are in place well in advance of any risks occurring, and that the reasons for the selection of particular strategies are understood.

    The process and the approach to Risk Management are described in detail below.

2.3. Objectives

The objectives of Risk Management are to ensure that:

    - All risks are identified and actions to counter or minimise them are put in place
    - Risk Management actions are organised as an effective management plan across all YHGfL activities
    - The overall risk to success diminishes progressively and rapidly
    - Should a risk become an issue, that it is managed in such a way as to minimise the impact on YHGfL
    - Prioritisation of individual risks is undertaken

2.4. Types of Risk

There are three broad types of risk:

    - Strategic
    - Programme / Project
    - Operational

    Where partners and / or suppliers are involved it's essential to have shared understanding of risks and agreed plans for managing them.

2.4.1. Strategic Risk

    This covers threats to the overall success of YHGfL, including its ability to deliver services to its Customers.

2.4.2. Programme / Project Risk

    This is the collection of threats to the management of the programme or project and hence to the achievement of the programme or project objectives within cost and time. These are usually dealt with at the Programme or Project level and it is likely that the Programme or Project Manager will manage these on a day-to-day basis. However, if there is a risk identified within a programme or project that has an impact outside of it, it must be escalated to the YHGfL risk register.

2.4.3. Operational Risk

    This covers ongoing risk to service delivery, which could include anything from major disaster to minor technical breakdown. Nominated risk owners manage these risks on a day-to-day basis.

3. Risk Management Process

    The Risk Management process comprises five main steps. These are performed as an ongoing activity.

    - Identification and documentation of potential risks
    - Assessment of risks
    - Evaluation of risks
    - Planning. This includes the preparation and implementation of risk prevention, mitigation and fallback strategies
    - Management of risks, including monitoring, reviewing and closing risks

    These steps are part of an iterative process and are described more fully in the sections below.

3.1. Risk Identification

    The risks that might impact upon YHGfL may be identified via the various reports and meetings, which occur as part of normal Service Management activities. All parties within YHGfL are responsible for the identification and management of risk, and experience drawn from previous projects should be applied. Specific techniques such as brainstorming may also be used.

    Risks can be found in any area of YHGfL activities and at any point in the lifetime of projects that it is involved with.

    At the end of this process, there should be a list of most or all of the risks currently facing YHGfL or likely to face it in the near future.

3.1.1. Categorisation of risks

    Assigning risks to a category can be useful in deciding the appropriate areas within YHGfL for the ownership and management of risks. Categorisation should be flexible and should match the requirements of YHGfL. Categories may include some or all of the following:

    Category | Description
    Infrastructure | Relating to computer networks, and power supply systems.
    Economic | Relating to economic factors such as interest rates, exchange rates, inflation.
    Legal & Regulatory | Relating to regulatory legislation (e.g. RIPA).
    Political | Relating to possible political constraints.
    Financial | Relating to the availability of finance or the allocation of financial resources.
    Fraud or theft | Relating to unproductive loss of resources.
    Policy | Relating to the appropriateness and quality of policy decisions.
    Reputation | Relating to the reputation of YHGfL and consequential effects.
    Technology | Relating to the use of technology.
    Cultural | Relating to the ability to make a cultural change within YHGfL.
    Governance | Relating to programme or project procedures and controls.
    Benefits Management | Relating to the achievement of benefits.
    Resource Management | Relating to the availability of people, skills and accommodation.
    Customer Relationships | Relating to external partners and customers.

    It is essential that the captured risks be matched, wherever possible, against the activities being undertaken to deliver services. This allows meaningful impact assessments to be performed and assists in improving the accuracy of assessments.

3.2. Risk Assessment

    Not all risks should be treated equally. When a risk has been identified, it must be assessed to determine:

    - Its possible causes
    - The probability of it occurring and expected outcomes
    - The impact should it occur
    - Its relationship to other risks and its ability to set off a ‘chain-reaction’ of other issues. For example, losing a member of a development team can lead to a chain reaction including work delays and cost overruns

    Risks are firstly assessed based on the probability that they will occur and the impact should they occur. The assessment relies upon the expert judgement of YHGfL staff and past experience from similar projects.

The Probability of a risk occurring is expressed as:

    Likelihood Rating | Likelihood Description
    High (H) | Risk is more likely to occur than not: 50%-80% probability
    Medium (M) | The risk may occur: 20%-50% probability
    Low (L) | The risk is unlikely to occur: Less than 20% probability

    If the risk is assessed as having a probability of greater than 80%, then it should be treated as a certainty and not a risk, added to the Service Plan and the appropriate action taken.

The Impact of a risk should it occur is expressed as:

    Impact Rating | Impact Description
    High (H) | Significant timescale, cost or performance / SLA difficulties
    Medium (M) | Affects target timescales, costs or performance / SLAs
    Low (L) | Minimal impact

    The overall risk rating or risk severity is determined by combining the probability with the impact, as shown below.

    Overall Risk Rating (Severity)

                  | Probability
    Impact        | Low | Medium | High
    Low           | 3   | 3      | 2
    Medium        | 3   | 2      | 1
    High          | 2   | 1      | 1

    - For severity 1 risks a mitigation strategy and fallback / contingency plan are required.
    - For severity 2 risks a mitigation strategy is required.
    - For severity 3 risks a monthly review of the risk is required.

The priority of each risk is documented in the Risk Register.

    The frequency of overall risk rating on the above matrix can be increased or reduced according to YHGfL requirements. For example it could be decided that only risks assessed as being High probability and High impact should have an overall severity rating of 1.

3.3. Risk Evaluation

    Rank each risk according to its potential impact on YHGfL and then assess each risk to determine its level of acceptability. A potential problem becomes a more critical risk for one or both of two reasons:

    1. The problem is more likely to occur than other problems. For example, feature creep is more likely to cause problems in a development project than a faulty compiler.
    2. The problem will cause more disruption than other problems if it does occur. For example, losing email messages is generally more critical than slow email.

    At the end of the evaluation the following should be documented in the risk register:

    - The outcome of the risk assessment and evaluation process for each risk added
    - The risks that require active, or more active, management
    - For each risk, the amount of disruption to YHGfL should it occur

3.4. Planning

    Risk management plans help reduce, contain, and control risks in a cost-effective and efficient manner. Planning and resources should be concentrated on the most critical risks. Each strategy to manage risk should also have a contingency plan in the event the original strategy does not work.

    Typically there are four types of strategy adopted in the reduction of risk. These may be deployed in any combination.

    Transfer | to a third party (e.g. Supplier)
    Avoid | In situations where the risk is largely with a Customer for example, it is possible to avoid it
    Mitigate | reducing impact and / or probability by, for example:
        - redefine scope or requirements
        - modify plans to break dependencies or introduce contingency
        - re-negotiate performance criteria
        - limit through contract
        - introduce additional activities or expertise
        - remove unreliable supplier
        - insure
    Absorb | accept the risk

    For each risk, the strategy must be decided, an owner identified and the necessary actions agreed and then put into effect. It is important to ensure that the full cost of risk reduction measures is understood and included in any financial planning. This cost must be compared to the estimated risk value and a judgement made on the merits of trying to avoid the risk's impact.

    When a viable risk reduction strategy is agreed and the plans and budgets have been adjusted, the probability and impact figures may be reduced accordingly. However, where a 3rd party is involved and the risk is to be transferred or avoided, its acceptance by the 3rd party should not be assumed. Until the 3rd party has accepted the risk, the impact of the risk to YHGfL should not be reduced.

3.4.1. Strategies and Plans

    When risks have been assessed and evaluated, the risk owner shall develop plans to contain and manage them. Several approaches are possible:

    - It may be possible to modify the affected activity in order to eliminate or reduce the risk while maintaining the objectives. This possibility is always to be favoured and should be examined rigorously for Priority 1 and 2 risks.
    - Where the risk is irreducible, it may be possible either to modify the requirement or subject the activity to closer monitoring and control.
    - Where risks remain, an acceptable balance should be sought between the effect on cost and schedule on the one hand, and YHGfL objectives on the other. To achieve this, it may be necessary to reallocate resources between tasks or consider the use of alternative techniques and strategies.
    - For Priority 2 and 3 risks, provided that the risk or the proposed corrective action does not imply failure to maintain service levels, then awareness of the risk and closer monitoring may be adequate.

    Once confirmed, the prevention, mitigation and fallback strategies for each risk, together with the trigger criteria for the fallback strategy, shall be documented in the risk register. The YHGfL Management Team should incorporate preventative and mitigation actions in the service plans.

3.5. Management of Risks

    As risks change through time the Risk Register must be continually monitored, reviewed, and updated. New risks may be identified as more information becomes available. Existing risks may be eliminated through the effectiveness of the risk management actions or be updated as new information becomes available. Risk owners are responsible for monitoring their own risks between reviews.

3.5.1. The Risk Manager

    It is the responsibility of the YHGfL Risk Manager to manage and coordinate all risk management activities. The Risk Manager's objectives are to:

    - Reduce the total risk ownership of YHGfL.
    - Monitor risk exposure and report on it as required.

In order to do this the Risk Manager must:

    - Ensure that the Risk Register is set up and maintained
    - Ensure that risk management actions are integrated into YHGfL service planning, including finances
    - Ensure that risk owners are managing their allocated risks effectively
    - Ensure that processes are in place to capture new risks

    - Authorise risk closure

    The Risk Manager does not set the impact or probability, but may assign an overall severity based on these values.

    Where there is a dispute over impact, probability or overall severity, the Risk Manager should log this dispute and escalate to the YHGfL Management Team.

3.5.2. Risk Management Implementation Plan

The Risk Management Implementation Plan must contain:

    - A definition of the process by which risks are identified, submitted, assessed, evaluated, planned and managed throughout their lifetime
    - A list of the YHGfL risk owners
    - An overview of the workshops or meetings to be undertaken in support of risk management
    - A list of standard risk management documents / templates to be used and where they are located
    - Details of any training required in support of risk management
    - Details of how risk management will be launched within YHGfL
    - A plan for the collection of existing risks
    - The risk register
    - An overall status summary of the risk facing YHGfL. This can be expressed in any number of ways, including Red, Amber, Green (RAG rating), or High, Medium, Low.

It should also provide:

    - The structure of the risk register (this is particularly important if a nested structure is adopted, with parts of the risk register being decomposed for close management)
    - Details of tools and techniques to be used in support of the risk management process
    - Details of the review and reporting cycle

3.5.3. Risk Reviews and Reporting

    The Risk Manager will issue a monthly risk report to the YHGfL Management Team.

    The Risk Review Board will meet monthly to review the risk report and the risk register, and recommend any additional action to be taken in support of individual risks, or changes to actions currently being taken.

    As part of the risk assessment and evaluation phases, the Risk Manager will circulate risks identified as being severity 1 to the YHGfL Management Team.

3.5.4. The Risk Register

    The Risk Register lists all the identified risks, the results of their analysis and evaluation, and information on managing them. Information on the status of the risk is also included.

    New risks should be added to the Risk Register as soon as they are identified.

    The risk register includes some or all of the following fields for each risk:

    Field Name | Notes
    Risk ID | A unique reference within the register.
    Date Raised | The date the risk was raised.
    Date Last Reviewed | The last time the risk was reviewed.
    Date Closed | The date the risk was closed.
    Risk Title | The title of the risk.
    Revision Number | A number denoting the version of the risk. This number will be incremented each time action tracking information is added to the risk.
    Risk Description | The description of the risk.
    Impact Description | Description of the impact the risk's occurrence may have.
    Possible Causes | Provide a brief list of the possible causes of the risk.
    Associated Risks | Refer to any other risks to which the risk is linked.
    Owner (individual) | The named individual responsible for managing an individual risk for YHGfL or for monitoring a risk which is owned by another organisation. The named individual must be appropriately empowered to manage the risk effectively.
    Probability Rating | The probability of the risk occurring; High, Medium or Low.
    Impact Rating | The impact of the risk should it occur; High, Medium or Low.
    Overall Risk (Severity) Rating | The overall severity of the risk based upon its probability and impact scores.
    Trigger Event | The event that will trigger the risk and turn it into an issue.
    Mitigating Action or Risk Management Strategy | Summary of the strategy to reduce probability or impact of risk.
        - If a risk is to be transferred - to whom?
        - If a risk is to be avoided - how?
        - If a risk is to be mitigated - how?
        - If a risk is to be absorbed - why?
    Fallback or Contingency Plans | Strategies to be adopted if the planned mitigating actions fail or cannot be executed.
    Status | 'Open' or 'Closed' (Closed risks are retained for audit purposes).
    Action Tracking Review Notes | Current status, current assessment, actions completed, results achieved, actions in hand, actions planned.
    Risk Category | The category of the risk within the register.

3.5.5. Closing a Risk

    Risks are cleared when the risk owner recommends closure of a risk and the YHGfL Management Team is satisfied that the circumstances of the risk no longer apply.

    Closed risks will be identified as closed for one month, and then will be removed from the main Risk Register and archived.

4. Roles and Responsibilities
