Treasury Board of Canada Secretariat

ARCHIVED - A Strategy for Implementing Risk Management in the Federal Government


2. Risk Management Implementation Overview

This section describes the goals and key elements supporting the implementation of risk management in the federal government. The applicability and adaptability of risk management practices are also outlined.

2.1 Goals

Strategically, the goal of applying risk management in government projects is to significantly improve the government's ability to deliver and manage IT projects.

At the tactical or project level, the goals of risk management are to:

  • Proactively assess what could go wrong with a project;
  • Determine which risks are important to deal with; and
  • Implement strategies to deal with those risks.

2.2 Implementation Overview

The strategy for implementing an improved risk management regime builds upon a series of proven and related elements. These include:

  • A Continuous Risk Management approach promoted by the Software Engineering Institute;
  • A Guidebook that identifies and facilitates the use of risk management tools and techniques;
  • A detailed process to guide departmental improvement initiatives;
  • Improvement priorities;
  • Selected methods / tools / techniques;
  • A governance structure that facilitates the coordination of implementation initiatives;
  • A Lessons Learned database.

The following paragraphs summarize these various elements.

2.2.1 Continuous Risk Management

Continuous Risk Management is an approach to risk management promoted by the Software Engineering Institute and selected for use by the PMO. Continuous Risk Management is simply an area of emphasis of good project management. It is applied common sense. It should be a normal aspect of the project manager's daily work.

Continuous Risk Management is founded upon a set of principles that provide an effective approach to managing risk regardless of the specific methods and tools used. These principles are broken down into three types: core, sustaining and defining. These are described in related documentation discussed in the following section and are briefly summarized here.

The core principle is open communication, without which risk management simply cannot succeed. The defining principles focus on how the project sees risks and how ambitious it is about looking for and dealing with uncertainty. These principles foster the development of a shared view that clarifies the when, why and what of continuous risk management. The sustaining principles focus on how the project goes about its daily business of continuous risk management. If established early, adherence to these principles will assure that Continuous Risk Management becomes the way business is conducted.

The functions of Continuous Risk Management are based on the risk management paradigm promoted by the Software Engineering Institute. This paradigm illustrates a set of functions that are identified as continuous activities throughout the life cycle of a project. This paradigm is depicted in Figure 1 below.

Figure 1: SEI Risk Management Paradigm

The functions performed in Continuous Risk Management are described in Table 1.

Function      Description
------------  ------------------------------------------------------------------
Identify      Search for and locate risks before they become problems.
Analyze       Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks.
Plan          Translate risk information into decisions and mitigation actions (both present and future), and implement those actions.
Track         Monitor risk indicators and mitigation actions.
Control       Correct for deviations from the risk mitigation plans.
Communicate   Provide information and feedback, internal and external to the project, on the risk activities, current risks, and emerging risks.

Note: Communication happens throughout all the activities of risk management.

Table 1: Risk Management Functions

2.2.2 Continuous Risk Management Guidebook

The Guidebook, published by the Software Engineering Institute and available through them or the PMO, explains what Continuous Risk Management is, helps the reader understand the principles, functions, methods and tools, shows what it could look like when implemented in a project, and shows how a project could implement its own adaptation.

This guidebook is comprehensive and one of the best available on the market. It is an invaluable tool to any department implementing risk management.

However, it does not provide a cookie-cutter solution for all situations. There is no such solution. The Guidebook outlines a generic practice with a variety of commonly used methods and tools from which to choose. It is meant to be adapted to suit organizations and projects.

2.2.3 Improvement Process

The rollout of risk management improvement activities across the government will be guided and structured by the Software Engineering Institute's IDEAL(SM) Model, a brief summary of which is provided in Appendix 1.

Basically, the model outlines an approach for introducing change in an organization. It defines an improvement cycle consisting of five phases: initiating; diagnosing; establishing; acting; and leveraging or learning. Any major improvement typically requires several cycles.

2.2.4 Improvement Priorities

The priorities outlined here reflect the improvement plateaux defined for implementation of the Enhanced Framework. Reference Appendix 2 for more details.

One key focus of this first improvement cycle is to address the weaknesses associated with risk management: Risk Identification, Analysis, Planning, Tracking, Controlling and Communicating. In concrete terms, the priorities will consist of the following statements:

  • Projects should search for and locate risks within their projects before they become problems;
  • Projects should transform risk data into decision-making information: evaluate impact, establish probability, identify the timeframe, and classify and prioritize risks;
  • Projects should translate risk information into decisions and mitigation actions (both present and future), and implement those actions;
  • Projects should monitor risk indicators and mitigation actions;
  • Projects should correct for deviations from risk mitigation plans; and
  • Projects should provide information and feedback, internal and external to the project, on the risk activities, current risks and emerging risks.

These functions should be applied in all new projects by March 1998.

2.2.5 Selected methods / tools / techniques

As indicated previously, the Continuous Risk Management Guidebook contains a large number of methods and tools, some of which are quite complex. To facilitate getting started, the following have been selected to initiate improvements.

Activity              Method / tool / technique
--------------------  ---------------------------------------------
Risk Identification   Taxonomy-Based Questionnaire and Interviews
                      Risk Information Sheets
Risk Analysis         Tri-level Attribute Evaluation
                      Taxonomy Classification
                      Comparative Risk Ranking and Top N
Risk Planning         Planning Decision Flowchart
                      Risk Information Sheets
Risk Monitoring       Tri-level Attribute Evaluation
                      Risk Information Sheets
Risk Control          Cause and Effect Analysis
                      Risk Information Sheets

Table 2: Selected methods / tools / techniques

All of these selected approaches are described in the Continuous Risk Management Guidebook, as are several others that may be preferred. Some departments have already used those identified above and therefore provide an opportunity to leverage lessons learned.

2.2.6 Governance Structure

There are two levels of activity in the implementation of Risk Management:

  • A strategic or government-wide level that will provide guidance. This component will be facilitated and supported by the PMO; and
  • A tactical level created and executed by departmental managers and practitioners, providing guidance to project managers.

Within these strategic and tactical levels, there are specific entities that will steer, facilitate or perform Risk improvement activities (see Figure 2).

At the strategic level, the first of these entities is the Enhanced Framework Steering Committee, whose membership is drawn from the various departments. The CIO chairs this committee. Members will steer the Enhanced Framework and provide guidance regarding government priorities and issues such as Risk Management.

The Enhanced Framework Implementation Team is responsible for facilitating its implementation across the government and assisting departments with their respective improvements.

Throughout 1996-1997 a Risk Management Working Group helped develop the selected approach. For ongoing implementation, a Risk Management Special Interest Group will be created. Membership in this Special Interest Group will include those departments that are working on or have expressed interest in improving risk management practices in their departments/projects. This group will discuss their departments' strategies and plans and will share experiences and lessons learned, thereby facilitating departmental implementation efforts.

Figure 2: Governance Structure

At the tactical or departmental level, Risk Management improvement activities may be governed simply by the Head of IT, a Departmental Office of Primary Interest for Risk Management (e.g. an assigned individual or group) and Project Teams responsible for project delivery, including identifying, assessing and managing project risks.

2.2.7 Risk Management Lessons Learned Database

The PMO is in the process of implementing a risk management lessons learned database that is scheduled to be operational in the fall of 1997. The purpose of this database is to document what government departments have read, learned, tested and experienced in risk management, as well as documenting successes and less-than-successful experiments. A prototype should be available to the Risk Management Special Interest Group for review by December 1997.

2.3 Applicability

This document applies to all departments and agencies that are managing and delivering IT projects in support of their programs. PWGSC also must ensure that the acquisition vehicles used for IT goods and services support the risk management goals defined herein and enforce their implementation by private sector suppliers.

2.4 Adaptability

Continuous Risk Management is not a one-size-fits-all approach. To be effective, tailoring is needed. Tailoring occurs when organizations adapt the Continuous Risk Management processes and select methods and tools which best fit with their project management practice and their organizational culture. Following the Continuous Risk Management principles is the key to successful tailoring.