Treasury Board of Canada Secretariat
Symbol of the Government of Canada
Skip to content   Skip to institutional links

Common menu bar links

Breadcrumb Trail

Home  > Chief Information Officer Branch  > IT Project Review and Oversight  > Enhanced Management Framework

Institutional links

Chief Information Officer Branch

IT Project Review and Oversight

Enhanced Management Framework

Versions


ARCHIVED - A Guide to Effective Business Continuity in Support of the Year 2000 Challenge


Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Appendix O  -  "Plan" Detailed Procedures

Process Overview

The "plan" step is divided into separate but related types of planning documents: Risk Action Plans, Contingency Plans, and Business Continuity Preparedness Documents. The following table provides steps to develop risk action plans for the identified risks. Sample Tables of Contents are provided for the other plans.

Table O-1: Detailed Risk Planning Steps
Risk Planning Steps Description Responsibility
1. Conduct a Risk Planning Workshop. Identify key stakeholders from the Year 2000 Project in order to conduct a workshop intended to develop risk action plans for mitigating the identified risks. Year 2000 Project Manager
2. Select Risks Answer "Who's risk is it?"

Review the risks identified in Risk Information Sheets (RIS) to determine their validity and to determine whether the Year 2000 PO is responsible for managing each risk.

Using the Responsibility Decision flowchart (CRM Guidebook, Chapter 6, Part 2), for each risk, determine:

 Year 2000 Project Manager
  a. Does the Year 2000 PO have the responsibility to deal with this risk?
  • YES – The Year 2000 PO will Keep the responsibility for this risk. Go to the next step (#3) to determine the Approach for dealing with the risk;
  • NO – Go to the next question step #1-b);
  
  b. Does the functional organization have the responsibility to deal with this risk?
  • YES – Then the Year 2000 PO must Delegate the responsibility to the appropriate organization. Determine who is best suited to deal with the risk and then have them follow similar activities as in step #3 (determine the approach for dealing with the risk), or facilitate the process for them. The Year 2000 PO must still track the activities for this risk since it is still a risk which can have a negative impact on the Year 2000 Project;
  • NOTransfer the responsibility to another organization (e.g. Treasury Board) and have them follow similar activities as in step #3 (determine the approach for dealing with the risk), or facilitate the process for them. The Year 2000 PO must still track activities for this risk since it is still a risk which can have a negative impact on the Year 2000 Project.
  
3. Analyze the Risks and Decide an Approach for Managing the Risks. Answer "What can be done about it?"

For each risk that the Year 2000 PO is responsible for (or other organization as in step #1 - b) determine whether the risk is well understood, then determine the appropriate approach for managing the risk.

Using the Approach Decision flowchart (CRM Guidebook, Chapter 6, Part 2), for each risk, determine:

 Year 2000 Project Manager
  a. Does the Year 2000 PO understand the risk and is the risk clearly documented in the Risk Information Sheet?
  • YES – Go to the next question step #3-b);
  • NO – Conduct more research on the risk and go back to step #2 (Select risk);
  
  b. Can the Year 2000 PO accept this risk without doing anything to manage or control its probability and impact (this is validating the "response" on the Risk Information Sheet)?:
  • YES – No further action is required. The Year 2000 Project will Accept (or assume) any impact associated with the materialization of the risk;
  • NO – Go to the next question step #3-c);
  
  c. Can the Year 2000 PO do anything with regards to this risk? Does the Year 2000 PO need to act on this risk?
  • YES – Then the Year 2000 PO needs to develop Mitigation (or avoidance) strategies to be implemented before the risk materializes in order to minimize or completely avoid the probability of the risk materializing as well as minimizing its impact. Go to the next step # 4 (Generate Action Plans).
  • NO – Then the Year 2000 PO needs to develop Watch (or Control) strategies for managing the risk when it materializes in order to minimize the impact. Go to the next step # 4 (Generate Action Plans).
  
4. Generate Action Plans Answer "How much and what should be done?"

For each risk that the Year 2000 PO is responsible for, and for which a "Mitigation (avoid)" or "Watch (control)" approach for managing the risk is required (resulting from step 3-c), develop various strategies to deal with the risks. This can be accomplished using a brainstorming technique.

Once various alternative strategies have been clearly identified, choose the best strategy (or combination thereof) which minimizes the probability of occurrence as well as minimizes the negative impact of the risk. The selected strategy must then be elaborated by developing a risk action plan for each risk.

The risk action plan is a series of action items that will direct a Year 2000 PO or departmental resource in implementing the mitigation strategy.

The risk action plan is to be attached to the Risk Information Sheet.

 Year 2000 Project Manager
5. Assign Year 2000 PO Risk Owner For each risk that requires a risk action plan (those for the Year 2000 PO as well as those delegated to the department or transferred to another organization such as TBS), assign a risk owner. This person will be responsible for tracking and reporting status on each risk and associated activities (such as the development of risk action plans). Year 2000 Project Manager
6. Ensure Risk Action Plans are Developed For each risk that was delegated to the department or transferred to another organization, the Year 2000 PO must ensure that risk action plans are being developed for risks requiring avoidance or control.

The Year 2000 PO must still track activities for this risk since it is still a risk which can have negative impacts on the Year 2000 Project.

 Risk Owners
7. Implement Action Plans For each risk action plan that was developed and for which there was a risk mitigation (or avoidance) strategy required, each risk owner responsible for a risk must implement the risk action items on the Risk Information Sheet by the target implementation date.

The implementation activities will be tracked and monitored for problems with the implementation.

 Risk Owners

Note: The responsibility currently assigned to the Year 2000 Project Manager can be delegated to other members of the organization including audit.



Date Modified: 2003-12-16
 
Return to Top of Page
 Top of Page
Important Notices