Background
Contoso, Inc. has initiated a project to reorganize its
IT departments. Contoso's primary infrastructure is shifting to a
distributed environment from a centralized one.
Risk Identification
Using sound risk management practices, Contoso
conducted various risk identification discussions to come up with a
master risks list. Two of those risks are listed in the following
tables.
Table: Contoso IT Reorganization Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Risk: Present service desk process inefficiencies could lead to increased cost to support current IT services.
Situation: Field office support is not a coordinated effort with centralized help desk functions. Often field support professionals respond to and resolve incidents without those incidents being recorded and a knowledge base being populated.
Consequence: Without a comprehensive, shared knowledge base of incidents, problems, and resolutions, redundant incident-management and problem-management activity will be performed throughout the support organization.
Downstream Effect: Extended service outages as well as inadequate communications regarding status of resolutions will further alienate the customer from IT. This will reinforce the view of IT as not being aligned with the needs of the business. The perceived value of the services provided by IT will be diminished.
Table: Contoso IT Reorganization Risk ID 0002
Project ID: ITREORG010
Risk ID: 0002
Root Cause: People, Process
Business Effect: Cost, Performance
Risk: Changes implemented by one IT group could negatively affect systems and services delivered by other IT groups.
Situation: Although change management exists within some groups, a common formal change-management process does not exist across all IT groups. Additionally, some changes, when reviewed during the weekly status meeting, have not been properly assessed for impact to all groups.
Consequence: Lack of commitment to a standard set of operational processes will lead to business units that fail to trust each other. Frustration between IT groups will occur as systems under the responsibility of one group will be affected by others.
Downstream Effect: Service disruptions caused by failed changes will interrupt business functions. Additionally, failure to communicate planned downtime of mission-critical services to users and the help desk will result in reduced trust in IT. This will force the business to question the value of the current IT operations and to consider outsourcing IT functions.
Risk Prioritization
Once these risks were identified, the project team then
focused on risk prioritization.
Table: Contoso Prioritization of Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Exposure Analysis: Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.
Probability: 70%
Impact (1-5): 5
Exposure: 3.5
Table: Contoso Prioritization of Risk ID 0002
Project ID: ITREORG010
Risk ID: 0002
Root Cause: Process
Business Effect: Cost, Performance
Exposure Analysis: Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.
Probability: 65%
Impact (1-5): 5
Exposure: 3.25
Risk Planning and Tracking
Risk IDs 0001 and 0002 were identified as the top
risks for the project. They were the only two risks with an
exposure of 3.0 or greater. The project team then went through an
exercise to devise mitigations, triggers, and contingencies as part
of the risk planning and tracking step. Project team members were
assigned responsibilities to continually monitor their risks for
potential changes and action items.
Table: Contoso Tracking of Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Mitigation: Implement Microsoft Operations Framework (MOF) incident and problem management processes. Coordinate second-line and third-line support groups.
Contingencies: Allocation of excessive resources to accommodate resolution of reactive issues. Fund the costs of increased support activities and staff.
Triggers: Continual incident resolution. Repeated problems occur. Uncoordinated and recurring changes. Poor average time to resolution.
Table: Contoso Tracking of Risk ID 0002
Project ID: ITREORG010
Risk ID: 0002
Root Cause: Process
Business Effect: Cost, Performance
Mitigation: A standard formalized and communicated MOF-based change management process will be implemented across all IT groups.
Contingencies: Assign additional resources to reactive problem management. Communication to customers and end-users in a prompt, descriptive and meaningful manner can reduce the negative effect on customer satisfaction.
Triggers: Information gathered during project status meetings and operations management reviews (OMRs) regarding process and service outages indicate that this risk is currently being actualized at some level.
These two risks became the top risks list for the
Contoso IT reorganization project. These risks were discussed at
each OMR and various project status meetings. The purpose of this
discussion was to review the progress of mitigation steps, to
determine whether triggers were being fulfilled in the environment,
and to ensure that the probability and impact levels were still
properly set. This discussion was vital to the project to determine
if contingencies identified in the master risks list needed to be
acted upon to avoid service disruptions where possible.
Risk Exposure Analysis
As the project progressed, various mitigation
activities around MOF-based change management processes and
incident and problem management processes began to reduce the
probability of these risks occurring. The project team then
modified the probability, which in turn also reduced the exposure
of the risks as noted in the following tables.
Table: Contoso Exposure Analysis of Risk ID 0001
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Modified Exposure Analysis: Probability has decreased due to the implementation of MOF-based incident and problem management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.
Modified Probability: 40%
Impact (1-5): 5
Modified Exposure: 2
Table: Contoso Exposure Analysis of Risk ID 0002
Project ID: ITREORG010
Risk ID: 0001
Root Cause: Process
Business Effect: Cost, Performance
Modified Exposure Analysis: Probability has decreased due to the implementation of MOF-based change management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.
Modified Probability: 35%
Impact (1-5): 5
Modified Exposure: 1.75