This section describes the goals and key elements supporting the implementation of risk management in the federal government. The applicability and adaptability of risk management practices are also outlined.
Strategically, the goal of applying risk management in government projects is to significantly improve the government's ability to deliver and manage IT projects.
At the tactical or project level, the goals of risk management are to:
The strategy for implementing an improved risk management regime builds upon a series of proven and related elements. These include:
The following paragraphs summarize these various elements.
Continuous Risk Management is an approach to risk management promoted by the Software Engineering Institute and selected for use by the PMO. Continuous Risk Management is simply an area of emphasis of good project management. It is applied common sense. It should be a normal aspect of the project manager's daily work.
Continuous Risk Management is founded upon a set of principles that provide an effective approach to managing risk regardless of the specific methods and tools used. These principles are broken down into three types: core, sustaining and defining. These are described in related documentation discussed in the following section and are briefly summarized here.
The core principle is open communication, without which risk management simply cannot succeed. The defining principles focus on how the project sees risks and how ambitious it is about looking for and dealing with uncertainty. These principles foster the development of a shared view that clarifies the when, why and what of continuous risk management. The sustaining principles focus on how the project goes about its daily business of continuous risk management. If established early, adherence to these principles will assure that Continuous Risk Management becomes the way business is conducted.
The functions of Continuous Risk Management are based on the risk management paradigm promoted by the Software Engineering Institute. This paradigm illustrates a set of functions that are identified as continuous activities throughout the life cycle of a project. This paradigm is depicted in Figure 1 below.
Figure 1: SEI Risk Management Paradigm
The functions performed in Continuous Risk Management are described in Table 1.
Function | Description |
---|---|
Identify | Search for and locate risks before they become problems. |
Analyze | Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks. |
Plan | Translate risk information into decisions and mitigation actions (both present and future), and implement those actions. |
Track | Monitor risk indicators and mitigation actions. |
Control | Correct for deviations from the risk mitigation plans. |
Communicate | Provide information and feedback, internal and external to the project, on the risk activities, current risks, and emerging risks. Note: Communication happens throughout all the activities of risk management. |
Table 1: Risk Management Functions
The Guidebook, published by the Software Engineering Institute and available through them or the PMO, explains what Continuous Risk Management is, helps the reader understand the principles, functions, methods and tools, shows what it could look like when implemented in a project, and shows how a project could implement its own adaptation.
This guidebook is comprehensive and one of the best available on the market. It is an invaluable tool to any department implementing risk management.
However, it does not provide a cookie-cutter solution for all situations. There is no such solution. The Guidebook outlines a generic practice with a variety of commonly used methods and tools from which to choose. It is meant to be adapted to suit organizations and projects.
The rollout of risk management improvement activities across the government will be guided and structured by the Software Engineering Institute's IDEAL℠ Model, a brief summary of which is provided in Appendix 1.
Basically, the model outlines an approach for introducing change in an organization. It defines an improvement cycle consisting of five phases: initiating, diagnosing, establishing, acting, and leveraging or learning. Any major improvement typically requires several cycles.
The priorities outlined here reflect the improvement plateaux defined for implementation of the Enhanced Framework. See Appendix 2 for more details.
One key focus of this first improvement cycle is to address the weaknesses associated with risk management: Risk Identification, Analysis, Planning, Tracking, Controlling and Communicating. In concrete terms, the priorities will consist of the following statements:
These functions should be applied in all new projects by March 1998.
As indicated previously, the Continuous Risk Management Guidebook contains a large number of methods and tools, some of which are quite complex. To facilitate getting started, the following have been selected to initiate improvements.
Activity | Method / tool / technique |
---|---|
Risk Identification | |
Risk Analysis | |
Risk Planning | |
Risk Monitoring | |
Risk Control | |
Table 2: Selected methods / tools / techniques
All of these selected approaches are described in the Continuous Risk Management Guidebook, as are several others that may be preferred. Some departments have already used those identified above and therefore provide an opportunity to leverage lessons learned.
There are two levels of activity in the implementation of Risk Management:
Within these strategic and tactical levels, there are specific entities that will steer, facilitate or perform Risk improvement activities (see Figure 2).
At the strategic level, the first of these entities is the Enhanced Framework Steering Committee in which membership is drawn from the various departments. The CIO chairs this committee. Members will steer the Enhanced Framework and provide guidance regarding government priorities and issues such as Risk Management.
The Enhanced Framework Implementation Team is responsible for facilitating its implementation across the government and assisting departments with their respective improvements.
Throughout 1996-1997 a Risk Management Working Group helped develop the selected approach. For ongoing implementation, a Risk Management Special Interest Group will be created. Membership in this Special Interest Group will include those departments that are working on, or have expressed interest in, improving risk management practices in their departments/projects. This group will discuss their departments' strategies and plans and will share experiences and lessons learned, thereby facilitating departmental implementation efforts.
Figure 2: Governance Structure
At the tactical or departmental level, Risk Management improvement activities may be governed simply by the Head of IT, a Departmental Office of Primary Interest for Risk Management (e.g. an assigned individual or group) and Project Teams responsible for project delivery, including identifying, assessing and managing project risks.
The PMO is in the process of implementing a risk management lessons-learned database that is scheduled to be operational in the fall of 1997. The purpose of this database is to document what government departments have read, learned, tested and experienced in risk management, as well as to document successes and less-than-successful experiments. A prototype should be available to the Risk Management Special Interest Group for review by December 1997.
This document applies to all departments and agencies that are managing and delivering IT projects in support of their programs. PWGSC also must ensure that the acquisition vehicles used for IT goods and services support the risk management goals defined herein and enforce its implementation by the private sector suppliers.
Continuous Risk Management is not a one-size-fits-all approach. To be effective, tailoring is needed. Tailoring occurs when organizations adapt the Continuous Risk Management processes and select methods and tools which best fit with their project management practice and their organizational culture. Following the Continuous Risk Management principles is the key to successful tailoring.