Background

Contoso, Inc. is in the process of installing a hardware and software monitoring application and has a limited availability window for production installation.

Risk Identification

Using sound risk management discipline, Contoso conducted various risk identification discussions to produce a master risks list. Two of those risks are listed in the following table.

Table: Contoso Application Installation Risk ID 0001

Project ID
ITMOM001

Risk ID
0001

Root Cause
Technology

Business Effect
Cost, Capability, Performance

Risk
Test environment may not be available for testing prior to implementation.

Situation
Hardware has been ordered for the test environment, but even with equipment available, the proper application environment (for example, Active Directory directory service and Microsoft Exchange Server 2007) may not be available or configured as it is in production.

Operational Consequence
Proper testing of monitoring specific applications in a lab environment may not be available. Unknown performance and security incidents could occur during production deployment. Architecture and design specifications cannot be validated or modified prior to production deployment.

Downstream Effect
Service outages could occur to mission-critical services. This would have a negative and unknown impact on business revenue. The perceived value of the services provided by IT will be diminished.

Table: Contoso Application Installation Risk ID 0002

Project ID
ITMOM001

Risk ID
0002

Root Cause
People

Business Effect
Cost, Capability

Risk
Project team personnel changes could affect release schedule.

Situation
Changes to personnel requirements or actual job changes.

Operational Consequence
Project schedule and release date is pushed back to an unknown time.

Downstream Effect
Could affect delivered functionality of monitoring solution in order to meet availability windows.

Risk Prioritization

Once these risks were identified, the project team then focused on risk prioritization.

Table: Contoso Prioritization of Risk ID 0001

Project ID
ITMOM001

Risk ID
0001

Root Cause
Technology

Business Effect
Cost, Capability, Performance

Exposure Analysis
Probability is based on best effort analysis of past hardware requisition experience. Impact measured by monetary means.

Probability
80%

Impact (1-5)
5

Exposure
4

Table: Contoso Prioritization of Risk ID 0002

Project ID
ITMOM001

Risk ID
0002

Root Cause
People

Business Effect
Cost, Capability

Exposure Analysis
Probability is based on best effort analysis of current business and IT environment. Impact could not be easily measured by monetary means. Impact was instead based on a 1-5 scale for the risk effect on project schedule.

Probability
20%

Impact (1-5)
5

Exposure
1

Risk Planning and Tracking

Risks ID 0001 and ID 0002 were identified as the top risks for the project. The project team then conducted an exercise to devise mitigations, triggers, and contingencies as part of the risk planning and tracking step. Project team members were assigned responsibilities to continually monitor the risks assigned to them for potential changes and action items.

Table: Contoso Tracking of Risk ID 0001

Project ID
ITMOM001

Risk ID
0001

Root Cause
Technology

Business Effect
Cost, Capability, Performance

Mitigation
Establish an additional external vendor relationship for temporary or permanent hardware acquisition suitable for lab environment. Utilize virtual machines within available hardware to simulate additional hardware.

Contingencies
Examine cost of delay to production implementation. Borrow equipment currently being utilized for other lower-priority purposes. Notify operations staff of significant change procedure to copy production environment to test environment.

Triggers
Frequent monitoring of requisition process shows arrival of hardware is still delayed.

-

Table: Contoso Tracking of Risk ID 0002

Project ID
ITMOM001

Risk ID
0002

Root Cause
People

Business Effect
Cost, Capability

Mitigation
Maintain regular communication with all project managers and project sponsors.

Contingencies
Aggressively train and go through knowledge transfer. Adjust deployment schedule as necessary.

Triggers
Personnel involved with project are replaced or Contoso financial situation greatly changes.

-

These two risks became the top risks list for the Contoso IT Operations Manager project. These risks were discussed at each OMR and various project status meetings. The purpose of this discussion was to discuss the progress of mitigation steps, to determine whether triggers were being fulfilled in the environment, and to ensure that the probability and impact levels were still properly set. This discussion was vital to the project to determine if contingencies identified in the master risks list needed to be acted upon to avoid service disruptions where possible.

Risk Exposure Analysis

As the project progressed, various mitigation activities began to change the probability of these risks. The relationship established with an external vendor provided the ability to obtain hardware within three days. However, the project team lost a key member due to shifting business priorities. The project team then modified the probability, which in turn also reduced the exposure of the risks as noted in the following table.

Table: Contoso Exposure Analysis of Risk ID 0001

Project ID
ITMOM001

Risk ID
0001

Root Cause
Technology

Business Effect
Cost, Capability, Performance

Modified Exposure Analysis
Probability has decreased due to new relationship with Vendor X. This will allow the rapid acquisition of necessary hardware, if needed. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.

Modified Probability
30%

Impact (1-5)
5

Modified Exposure
1.5

Table: Contoso Exposure Analysis of Risk ID 0002

Project ID
ITMOM001

Risk ID
0001

Root Cause
People

Business Effect
Cost, Capability

Modified Exposure Analysis
Probability has increased due to changes in project team membership. Original probability will be kept in the master risks list and risk knowledge base for historical purposes.

Modified Probability
70%

Impact (1-5)
5

Modified Exposure
3.5