ASSESSMENT TASK 1
ASSESSMENT TASK 1
Risk Management Plan
Project Overview
Assuming that your organization has been awarded contracts to undertake the following projects:
Project 1 - Website redevelopment and hosting and maintenance services for Destination: Australia
This project is for the technical upgrade of the Archives website Destination: Australia. In order to ensure the best value for money and optimal functionality (for the website and related exhibition interactive) going forward, it is necessary for the website to be transferred from a proprietary CMS to a commonly available CMS (including, but not limited to, an Open Source CMS).
The website will enable the National Archives of Australia to collect user contributed data about the photographic collection featured on the site. The interface must be modern, engaging and user-friendly, designed to meet the needs of people of all ages, and differing levels of computer and English literacy. The website must interact successfully with an exhibition interactive via an existing API. There is an option for hosting, maintenance and support services to be provided from contract execution until 31 December 2019.
Project 2 Re-development of Intranet
A redevelopment of the Clean Energy Regulator Staff Intranet into SharePoint 2013
Project 3 - Database for community engagement - Software as A Service Customer Relationship Management system (SAAS CRM)
The National Radioactive Waste Management Facility project is currently in Phase 2, best described as the technical assessment and continued community consultation phase. One site has been chosen to progress to this stage while other as yet unknown sites may also progress to this stage. The project team requires a database (Software as A Service Customer Relationship Management system (SAAS CRM) to effectively and confidentially manage large volumes of data, including names, addresses, opinions of community members and contact details. This will assist in ongoing community engagement.
The system must be fully operational (tried and tested) within two weeks of the commencement of the proposed contract. The project, and related community engagement, will be ongoing for years. Access to maintenance and advice will be desirable.
ASSESSMENT TASK 1
Risk Management Plan
ASSESSMENT INSTRUCTIONS
Your task is to create a comprehensive Program Risk Management Plan that covers the following:
Program Overview - This section defines the program vision, its business value, and projected outcome. It may include a summary of the program scope, dependencies and constraints. This introductory portion may also include success criteria for measuring program outcomes.
Schedule Management - A roadmap or work breakdown structure may be included in this section along with a description of how scheduling will be managed, updated, and monitored. Roles and responsibilities related to scheduling should be made clear.
Change Management - Provide a clear process for handling program changes, including who can submit change requests, how and where those requests will be tracked, and who can approve changes.
Communications Management - A detailed communications plan can help prevent project issues and ensure that information is distributed appropriately. Use this section to define the frequency and type of communication to be provided, who will be providing and receiving the communications, and other guidelines or expectations.
Cost Management - This section may include detailed information on program budget and expenditures as well as the parties responsible for managing costs, who can approve changes to the program budget, how project budgets will be measured and monitored, and guidelines for reporting. Funding and funding issues.
Procurement Management - Describe responsibilities related to procurement throughout a program lifecycle. Identify who is responsible for vendor relationships, dealing with contracts, purchasing, and other activities.
Project Scope Management - Will the project scope be defined in a scope statement, WBS, or another method? How will the scope be measured? Who is responsible for managing and approving the program scope? Address these questions as well as any guidelines related to the scope change process that were not identified in the change management section.
Risk Management - Describe how risks will be reported, monitored, and assessed, including how they can be submitted and who is responsible for dealing with them.
Staffing Management - This section lists program requirements for staffing, including specific resources and the timeframes in which they are needed, plus training. It describe+es how staff will be managed for the duration of the program.
Stakeholder Management - Use this section to identify stakeholders and strategies for managing them, including who is responsible for collecting and reporting stakeholder information.
Program Governance - Describe any governing groups, what authority they have, and their responsibilities within the program. You can include information on how often they will meet, how escalated decisions should be presented to and handled by the governing groups, how their decisions will be communicated, and when program reviews will occur.
As a basis the following template should be used and adapted as required. As you develop the plan, include reference to AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines and outline how the proposed risk management system meets the requirements of the standard. Insert this information into the plan where relevant.
Once you have developed the Program Risk Management Plan create a report that will outline a leadership strategy to ensure that the plan is correctly implemented. The strategy and report must outline how you will:
manage the program in accordance with plans
review progress, analyse variance and initiate risk responses
ensure risks are assigned and monitored across the program at agreed intervals
assess issues for impact and remedial actions authorised
Note: Please write the answer for all highlighted Text.
Program Title: Risk Management Plan
Version: ______dd-mm-yyyy
Copy: Uncontrolled
The version number starts at one and increases by one for each release. It shows the release number and a revision letter if in draft. The original draft is 0.A and subsequent drafts are 0.B, 0.C etc. The first accepted and issued document is Version 1.0. Subsequent changes in draft form are 1.0A, 1.0B etc. The accepted and issued second version is 1.1 or 2.0, depending on the magnitude of the change.
Refer to the Program Management Fact Sheet: Document Control for more information.
DOCUMENT ACCEPTANCE and RELEASE NOTICE
This is <release/version> <n.n> of the <Program Title> Risk Management Plan.
The Risk Management Plan is a managed document. For identification of amendments each page contains a release number and a page number. Changes will only be issued as complete replacement. Recipients should remove superseded versions from circulation. This document is authorised for release once all signatures have been obtained.
PREPARED: DATE: ___/___/___
(for acceptance) (<name>, <Program Title>, Program Manager)
ACCEPTED: DATE: ___/___/___
(for release) (Program Sponsor, <name>) on behalf of the <Program Title> Steering Committee BUILD STATUS:
The most recent amendment first.
Version Date Author Reason Sections
<n.n> <dd mmm yyyy> <Name> <e.g. Initial Release> <All>
AMENDMENTS IN THIS RELEASE:
Section Title Section
Number Amendment Summary
<e.g. This is the first release of this document.>
DISTRIBUTION:
Copy No Version Issue Date Issued To
1 <n.n> <dd mmm yyyy> <Name, Title, Organisation>
2
Electronic
Executive Summary
The purpose of this document is to provide a management framework to ensure that levels of risk and uncertainty are properly managed for the remainder of the program. As risk management is an ongoing process over the life of a program, the Risk Register must be considered a snap shot of relevant risks at one point in time.
This document will achieve this by defining the following:
the process that will be/has been adopted by the Program to identify, analyse and evaluate risks during the remainder of the program; how risk mitigation strategies will be developed and deployed to reduce the likelihood and/or impact of risks; how often risks will be reviewed, the process for review and who will be involved; roles and responsibilities for risk management; how reporting on risk status, and changes to risk status, will be undertaken within the Program and to the Steering Committee;
a complete Risk Register containing all risks identified for the Program, their current gradings and the identified risk mitigation strategies to reduce the likelihood and seriousness of each risk.
Introduction
The purpose of risk management is to ensure levels of risk and uncertainty are identified and then properly managed in a structured way, so any potential threat to the delivery of outputs (level of resourcing, time, cost and quality) and the realisation of outcomes/benefits by the Business Owner(s) is appropriately managed to ensure the program is completed successfully.
The objectives of the risk management approach in the <Program Title> Program are to identify, assess and mitigate risks where possible and to continually monitor risks throughout the remainder of the program as other risks or threats emerge or a risks impact or likelihood changes.
As risk management is an ongoing process over the life of a program, this Risk Management Plan and Risk Register must be considered a snap shot of relevant risks at one point in time.
Where required, the process of risk identification, assessment and the development of countermeasures will involve consultation with the Steering Committee members, the <Program Title> Reference Group, other relevant stakeholders and Program team members.
Risk Assessment
Identification
Risk identification involves determining which risks or threats are likely to affect the program. It involves the identification of risks or threats that may lead to program outputs being delayed or reduced, outlays being advanced or increased and/or output quality (fitness for purpose) being reduced or compromised.
For most large/complex programs, a number of high level risks should have been identified during the program initiation stage these should be used as the basis for a more thorough analysis of the risks facing the program.
One of the most difficult things is ensuring that all major risks are identified. A useful way of identifying relevant risks is defining causal categories under which risks might be identified. For example, corporate risks, business risks, program risks and infrastructure risks. These can be broken down even further into categories such as environmental, economic, political, human, etc. Another way is to categorise in terms of risks external to the program and those that are internal.
See the Program Management Risk Identification Tool for some useful prompts in identifying program risks. The Australian Standard for Risk Management AS/NZS 4360: 2004 Appendix D refers to generic sources of risk.
The wording or articulation of each risk should follow a simple two-step approach:
Consider what might be a trigger event or threat (eg. poor quality materials causes costs to rise) several triggers may reveal the same inherent risk; then
Identify the risk - use a newspaper headline style statement short, sharp and snappy (eg. budget blow out) then describe the nature of the risk and the impact on the program if the risk is not mitigated or managed (eg. program delayed or abandoned, expenditure to date wasted, outcomes not realised, government embarrassed etc).
Use the Risk Register (see Appendix A) to document the results.
For large or complex programs it can be beneficial to use an outside facilitator to conduct a number of meetings or brainstorming sessions involving (as a minimum) the Program Manager, Program Team members, Steering Committee members and external key stakeholders. Preparation may include an environmental scan, seeking views of key stakeholders etc.
For a small program, the Program Manager may develop the Risk Register perhaps with input from the Program Sponsor/Senior Manager and colleagues, or a small group of key stakeholders.
It is very easy to identify a range of risks that are outside the program and are actually risks to the business area during output delivery, transition or once operational mode has been established. These are not program risks and should not be included in the Program Risk Register, but referred to the relevant Business Owner. It may be appropriate to submit an Issues Paper to the Steering Committee recommending formal acceptance by the relevant Business Owner for ongoing monitoring and management of specific risks.
See the Program Management Fact Sheet: Developing a Risk Management Plan and the Risk Identification Tool for more information on how to undertake risk identification.
In this section specify:
what risk identification process has been undertaken (ie. brainstorm, facilitated session, scan by Program Manager etc); any categories used to assist in the identification or relevant risks; when the risk identification process occurred; and who was involved.
Analysis and Evaluation
Once risks have been identified they must be analysed by determining how they might affect the success of the program. Generally the impact of a risk will realise one or any combination of the following consequences:
Program outcomes (benefits) are delayed or reduced;
Program output quality is reduced;
Timeframes are extended; Costs are increased.
Once analysed, risks should be evaluated to determine the likelihood of a risk or threat being realised and the seriousness, or impact, should the risk occur.
'Likelihood' is a qualitative measure of probability to express the strength of our belief that the threat will emerge (generally ranked as Low (L), Medium (M) or High (H)).
'Seriousness' is a qualitative measure of negative impact to convey the overall loss of value from a program if the threat emerges, based on the extent of the damage (generally ranked as Low (L), Medium (M), High (H) or Extreme).
From this risks will be graded as A, B, C, D or N according to the following matrix:
Likelihood Seriousness Low Medium High EXTREME
Low N D C A
Medium D C B A
High C B A A
The ratings for likelihood and seriousness determine a current grading for each risk that in turn provides a measure of the program risk exposure at the time of the evaluation.
In this section specify:
How the identified risks could potentially impact on the program in terms of the four categories of consequence (eg. x have potential to delay or reduce program outcomes/reduce output quality etc);
Summarise the distribution of risks according to the grading (number of A Grade risks, B Grade risks etc) List any A Grade risks.
Risk Mitigation
Mitigation of risks involves the identification of actions to reduce the likelihood that a threat will occur (preventative action) and/or reduce the impact of a threat that does occur (contingency action). This strategy also involves identifying the stage of the program when the action should be undertaken, either prior to the start of or during the program.
Risk mitigation strategies to reduce the chance that a risk will be realised and/or reduce the seriousness of a risk if it is realised have been developed. The following table is useful to determine how risks will be treated in terms of preparation and/or deployment of mitigation strategies during the life of the Program. Mitigation strategies are usually only prepared and/or deployed for Grades A through to C, however where an existing risk graded at D appears likely to be upgraded, mitigation strategies should be prepared.
Grade Possible Action
A Mitigation actions, to reduce the likelihood and seriousness, to be identified and implemented as soon as the program commences as a priority.
B Mitigation actions, to reduce the likelihood and seriousness, to be identified and appropriate actions implemented during program execution.
C Mitigation actions, to reduce the likelihood and seriousness, to be identified and costed for possible action if funds permit.
D To be noted; no action is needed unless grading increases over time.
N To be noted; no action is needed unless grading increases over time.
In this section specify:
The proportion of risk mitigation actions that are preventative (eg. 30%);
The proportion of risk mitigation actions that are contingency (eg. 70%);
Key stakeholders nominated as responsible for undertaking specific risk mitigation actions;
Any major budgetary implications
For any identified A Grade risks specify:
What type of mitigation action is proposed (preventative or contingency);
Who is responsible for undertaking the proposed action; and
Any cost implications for the program Budget.
Risk Monitoring
Risk Management is an iterative process that should be built into the management processes for any program. It must be closely linked with Issues Management, as untreated issues may become significant risks. If prevention strategies are being effective, some of the Grade A and B Risks should be able to be downgraded fairly soon into the program.
In this section specify
How frequently a review of the Risk and Issues Registers will be undertaken (eg. fortnightly, monthly);
Who will be involved in the review of the Risk and Issues Registers (eg. the Program team);
How often risks will be monitored to ensure that appropriate action is taken should the likelihood, or impact, of identified risks change and to ensure that any emerging risks are appropriately dealt with (eg. monthly);
If the Risk Register will be maintained as a separate document or as part of the Risk Management Plan;
How often the Steering Committee or Program Sponsor/Senior Manager will be provided with an updated Risk Register for consideration; and
How often Risk status will be reported in the Program Status Reports to the Steering Committee/Program Sponsor/Senior Manager (usually only Grade A and B risks).
Roles and Responsibilities
Steering Committee
Ultimate responsibility for ensuring appropriate risk management processes are applied rests with the Program Sponsor and Program Steering
Committee, and they should be involved in the initial risk identification and analysis process. The Risk Management Plan and the Risk Register should provide the Program Sponsor and Program Steering Committee with clear statements of the program risks and the proposed risk management strategies to enable ongoing management and regular review.
The Steering Committee will review the Grade A and B program risks on a <specify frequency, eg. monthly> basis via updated information provided in the Program Status Reports and provide advice and direction to the Program Manager. The Steering Committee will also be provided with an updated Risk Register for consideration, as required, when additional threats emerge or the likelihood or potential impact of a previously identified risk changes.
Program Manager
The Program Manager will be responsible for:
Development and implementation of a Program Risk Management Plan;
Organisation of regular risk management sessions so that risks can be reviewed and new risks identified;
Assessment of identified risks and developing strategies to manage those risks for each phase of the program, as they are identified;
Ensure that risks given an A grading are closely monitored; and
Providing regular Status Reports to the Steering Committee noting any A Grade risks and specifying any changes to the risks identified during each phase of the program and the strategies adopted to manage them.
In large or complex programs, the Program Manager may choose to assign risk management activities to a separate Risk Manager, but they should still retain responsibility. It should be noted that large programs are a risk in themselves, and the need for the Program Manager to reassign this integral aspect of program management may be an indication that the program should be re-scoped, or divided into several subprograms overseen by a Program Director.
Program Team
All members of the Program Team will be responsible for assisting the Program Manager in the risk management process. This includes the identification, analysis and evaluation of risks and continual monitoring throughout the program life cycle.
RISK REGISTER (As at DD/MM/YYYY)
Rating for Likelihood and Seriousness for each risk L Rated as Low E Rated as Extreme (Used for Seriousness only)
M Rated as Medium NA Not Assessed
H Rated as High
Grade: Combined effect of Likelihood/Seriousness Seriousness Likelihood low medium high EXTREME
low N D C A
medium D C B A
high C B A A
Recommended actions for grades of risk
Grade Risk mitigation actions
A Mitigation actions, to reduce the likelihood and seriousness, to be identified and implemented as soon as the program commences as a priority.
B Mitigation actions, to reduce the likelihood and seriousness, to be identified and appropriate actions implemented during program execution.
C Mitigation actions, to reduce the likelihood and seriousness, to be identified and costed for possible action if funds permit.
D To be noted - no action is needed unless grading increases over time.
N To be noted - no action is needed unless grading increases over time.
Change to Grade since last assessment NEW New risk Grading decreased
No change to Grade Grading increased
548640175260BSBPMG6
32
Manage pro
gram risk
BSBPMG6
32
Manage pro
gram risk
Id Description of Risk
Impact on
Program
(Identification of consequences) L
S
G
Change Date of
Review Mitigation Actions
(Preventative or
Contingency) Individual/ Group responsible for mitigation action(s) Cost Timeline for mitigation action(s) WBS
<n> <A newspaper headline style statement. Also identify relevant triggers that may cause the risk to be realised.> <Describe the nature of the risk and the impact on the program if the risk is not mitigated or managed> <Change in Grade since last review> <Date of
last
review> <Specify planned mitigation strategies:
Preventative (implement immediately);
Contingency (implement if/when risk occurs).> <Specify who is responsible for undertaking each mitigation action(s)> <Specify timeframe for mitigation action(s) to be completed by>
<n
+
1>
882396112776BSBPMG632
Manage program risk
BSBPMG632
Manage program risk
Central Australian Institute of Technology Pty Ltd | CRICOS: 03217C |TOID: 22302
Risk Management Strategy Review
ASSESSMENT INSTRUCTIONS
This assessment task requires you to populate a risk register for the program as outlined in Task 1. Using the information from the register:
Determine program residual risk.
Develop a management strategy for each residual risk identified.
Review and analyse program risk outcomes from the available information
Summarise the lessons learnt in such a way that they may be applied to future programs.
Compile a management report to outline each of the above points.
Note: Use the risk register template attached as a basis for this assessment task and add a minimum of 10 risks. The risks may be identified through stakeholder engagement and this engagement may be role played.
Management Report:
Please include the below points in the report:
Determine program residual risk.
Develop a management strategy for each residual risk identified.
Review and analyse program risk outcomes from the available information
Summarise the lessons learnt in such a way that they may be applied to future programs
Id Description of Risk
Impact on
Program
(Identification of consequences) L
S
G
Change Date of
Review Mitigation Actions
(Preventative or
Contingency) Individual/ Group responsible for mitigation action(s) Cost Timeline for mitigation action(s) WBS
<n> <A newspaper headline style statement. Also identify relevant triggers that may cause the risk to be realised.> <Describe the nature of the risk and the impact on the program if the risk is not mitigated or
managed> <Change in Grade since last review> <Date of
last
review> <Specify planned mitigation strategies:
Preventative (implement immediately);
Contingency (implement if/when risk occurs).> <Specify who is responsible for undertaking each mitigation action(s)> <Specify timeframe for mitigation action(s) to be completed by>
Version: 1.0 Page 24 of 34
Created: April 2021 Last Reviewed: April 2021
Version: 1.0 Page 25 of 34
Created: April 2021 Last Reviewed: April 2021
ASSESSMENT TASK 3 WRITTEN/ORAL QUESTIONS
Question 1
What is risk according to ISO 31000?
Question 2
What is the purpose of risk management?
Question 3
How do organisational ethics affect risk management strategies?
Question 4
What are the 11 risk management principles within AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines.
Question 5
What is a residual risk?
Question 6
Why are risks analysed and documented?
Question 7
What are the focuses of risk identification?
Question 8
Outline possible response strategies to program risks identified as threats.
Question 9
Outline possible response strategies to program risks identified as opportunities.
