Risk Management

Framework Element | Yes | No | Comment/Explanation

4. Principle: Project management decisions are based on risk management
4.1. Has an off-the-shelf product or a solution that performs similar functions and services been adapted to the department's needs rather than developing custom software?
4.2. Is the custom software development part of the overall project being delivered via a set of sub-projects each of which is less than 12 months in duration and costs less than $1 million?      
4.3. Does each sub-project team involved with custom software development consist of 10 or fewer people?      
4.4. Does the management approach being used ensure the co-ordination of all the individual sub-projects, ensure communication among the different sub-project teams, and address shared or horizontal issues?      
4.5. Does the project have scheduled checkpoints or "gates" when it will be reviewed and where management will decide on its future, and if necessary, take appropriate corrective action?
4.6. Have only the funds needed to reach the next gate been allocated to the project?      
4.7. Has the project and any related contracting been structured to avoid incurring major penalties due to the gating process?      
4.8. Is the contractor required to provide complete information on project performance and progress?      
4.9. Are scheduled reviews specified in the contract?      
4.10. Is an option to cancel the project at scheduled gates specified in the contract?      
4.11. Are the criteria upon which a project cancellation decision would be made specified in the contract?      
4.12. Have contingency plans for potential problems at these gates been developed in advance?      
4.13. Has a project risk assessment using either ASEC's S:PRIME or SEI's Software Risk Evaluation method been used to identify and quantify the risks?      
4.14. Are plans in place to manage the known risks?      
4.15. Are plans in place to review and update the risk assessment over the course of the project either when there is significant change or at pre-defined times during a long project?
4.16. Are SEI's Team Risk Management processes, methods and tools being used to systematically manage risks in software-dependent development aspects of the project?
4.17. Has SEI's Capability Maturity Model evaluation been applied to the organization involved in system development (either Crown or Contractor or both, as applicable)?      
4.18. Has project complexity been determined at the initiation of the project using Function Point Analysis (FPA)?      
4.19. Is the complexity of any changes also being determined using FPA?      
4.20. Has the project been structured such that each sub-project in the project is less than 1500 function points?
4.21. Have project risks been mitigated with a project implementation strategy such as RAD or RAAD that produces results in smaller implementable pieces (i.e., less than 1500 function points) - each piece designed to be completed in a relatively short time yet provide immediate benefit to the business process?
4.22. Is there a change management process in place to ensure that changes are analyzed quickly to determine their impact (risk, cost and time) and that this information is brought to the attention of the appropriate level of management as soon as possible?      
4.23. Do existing contracts define the change management process and provide for third party intervention to resolve any disputes over the cost to implement changes?      
4.24. Is a performance measurement tool based on the national standard, C/SPMS, being used to provide data to the (Crown) project manager on the time and money expended and on the work completed at frequent intervals?      
4.25. Have PWGSC procurement officers been involved early in the project planning so as to develop a procurement process that reduces delays, and to design a procurement plan that best aligns the contracting plan with the project plan?      
4.26. Are there oversight reviews by a senior steering committee planned at each gate?      
4.27. Is a management and technical review by an independent party, such as the Auditor General or a private sector consultant, planned at a key checkpoint or gate to identify any environmental changes, overrun of time and cost targets, or other problems?      
4.28. Are internal peer reviews (with other project and sub-project managers and others in the system development, maintenance and operations groups) regularly scheduled to allow the project manager to present performance and progress data, to discuss upcoming challenges, and to identify any horizontal issues?      
4.29. Are external peer reviews (with other departments or organizations) planned to provide different perspectives and bring a wide range of expertise to bear on project strategies, plans and issues?      
4.30. Are regular sessions held whereby project team members can review the continued relevance of the project, project performance and concerns about actual or potential problems in a non-incriminating way?      
4.31. Does the department's internal audit group have plans to review the performance of the project within the next year?      