Background

Contoso, Inc. has initiated a project to reorganize its IT departments. Contoso's primary infrastructure is shifting to a distributed environment from a centralized one.

Risk Identification

Using sound risk management practices, Contoso conducted various risk identification discussions to come up with a master risks list. Two of those risks are listed in the following table.

Table: Contoso IT Reorganization Risk ID 0001

Project ID
ITREORG010

Risk ID
0001

Root Cause
Process

Business Effect
Cost, Performance

Risk
Present service desk process inefficiencies could lead to increased cost to support current IT services.

Situation
Field office support is not a coordinated effort with centralized help desk functions. Often field support professionals respond to and resolve incidents without those incidents being recorded and a knowledge base being populated.

Consequence
Without a comprehensive, shared knowledge base of incidents, problems, and resolutions, redundant incident-management and problem-management activity will be performed throughout the support organization.

Downstream Effect
Extended service outages as well as inadequate communications regarding status of resolutions will further alienate the customer from IT. This will enforce the view of IT as not being aligned with the needs of the business. The perceived value of the services provided by IT will be diminished.

Table: Contoso IT Reorganization Risk ID 0002

Project ID
ITREORG010

Risk ID
0002

Root Cause
People, Process

Business Effect
Cost, Performance

Risk
Changes implemented by one IT group could negatively affect systems and services delivered by other IT groups.

Situation
Although change management exists within some groups, a common formal change-management process does not exist across all IT groups. Additionally, some changes, when reviewed during the weekly status meeting, have not been properly assessed for impact to all groups.

Consequence
Lack of commitment to a standard set of operational processes will lead to business units that fail to trust each other. Frustration between IT groups will occur as systems under the responsibility of one group will be affected by others.

Downstream Effect
Service disruptions caused by failed changes will interrupt business functions. Additionally, failure to communicate planned downtime of mission-critical services to users and the help desk will result in reduced trust in IT. This will force the business to question the value of the current IT operations and to consider outsourcing IT functions.

Risk Prioritization

Once these risks were identified, the project team then focused on risk prioritization.

Table: Contoso Prioritization of Risk ID 0001

Project ID
ITREORG010

Risk ID
0001

Root Cause
Process

Business Effect
Cost, Performance

Exposure Analysis
Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.

Probability
70%

Impact (1-5)
5

Exposure
3.5

Table: Contoso Prioritization of Risk ID 0002

Project ID
ITREORG010

Risk ID
0002

Root Cause
Process

Business Effect
Cost, Performance

Exposure Analysis
Probability is based on best effort analysis of past experience. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on potential service disruption.

Probability
65%

Impact (1-5)
5

Exposure
3.25

Risk Planning and Tracking

Risks ID 0001 and ID 0002 were identified as the top risks for the project. They were the only two risks with an exposure of 3.0 or greater. The project team then went through an exercise to devise mitigations, triggers, and contingencies as part of the risk planning and tracking step. Project team members were assigned responsibilities to continually monitor their risks for potential changes and action items.

Table: Contoso Tracking of Risk ID 0001

Project ID
ITREORG010

Risk ID
0001

Root Cause
Process

Business Effect
Cost, Performance

Mitigation
Implement Microsoft Operations Framework (MOF) incident and problem management processes. Coordinate second-line and third-line support groups.

Contingencies
Allocation of excessive resources to accommodate resolution of reactive issues. Fund the costs of increased support activities and staff.

Triggers
Continual incident resolution. Repeated problems occur. Uncoordinated and recurring changes. Poor average time to resolution.

-

Table: Contoso Tracking of Risk ID 0002

Project ID
ITREORG010

Risk ID
0002

Root Cause
Process

Business Effect
Cost, Performance

Mitigation
A standard formalized and communicated MOF-based change management process will be implemented across all IT groups.

Contingencies
Assign additional resources to reactive problem management. Communication to customers and end-users in a prompt, descriptive and meaningful manner can reduce the negative effect on customer satisfaction.

Triggers
Information gathered during project status meetings and operations management reviews (OMRs) regarding process and service outages indicate that this risk is currently being actualized at some level.

-

These two risks became the top risks list for the Contoso IT reorganization project. These risks were discussed at each OMR and various project status meetings. The purpose of this discussion was to discuss the progress of mitigation steps, to determine whether triggers were being fulfilled in the environment, and to ensure that the probability and impact levels were still properly set. This discussion was vital to the project to determine if contingencies identified in the master risks list needed to be acted upon to avoid service disruptions where possible.

Risk Exposure Analysis

As the project progressed, various mitigation activities around MOF-based change management processes and incident and problem management processes began to reduce the probability of these risks occurring. The project team then modified the probability, which in turn also reduced the exposure of the risks as noted in the following table.

Table: Contoso Exposure Analysis of Risk ID 0001

Project ID
ITREORG010

Risk ID
0001

Root Cause
Process

Business Effect
Cost, Performance

Modified Exposure Analysis
Probability has decreased due to the implementation of MOF-based incident and problem management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.

Modified Probability
40%

Impact (1-5)
5

Modified Exposure
2

Table: Contoso Exposure Analysis of Risk ID 0002

Project ID
ITREORG010

Risk ID
0001

Root Cause
Process

Business Effect
Cost, Performance

Modified Exposure Analysis
Probability has decreased due to the implementation of MOF-based change management processes. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.

Modified Probability
35%

Impact (1-5)
5

Modified Exposure
1.75