Treasury Board of Canada Secretariat

ARCHIVED - A Strategy for Implementing Risk Management in the Federal Government




An Enhanced Framework for the Management of Information Technology Projects

Risk Management Implementation Strategy

October 31, 1997
Chief Information Officer Branch
Treasury Board of Canada Secretariat

Publication History

| Version | Release Date | Revisions |
|---|---|---|
| 0.1 | May 8, 1997 | Table of Contents only |
| 0.2 | May 19, 1997 | First Draft |
| 0.3 | June 11, 1997 | Second Draft |
| 0.4 | July 4, 1997 | Third Draft |
| 0.5 | October 31, 1997 | Fourth Draft |


1. Introduction

This section introduces the reader to the Risk Management component of the Enhanced Management Framework initiative within the federal government.

1.1 Background

The government is committed to delivering its programs and services more efficiently and effectively through the use of Information Technology (IT). Reviews of government IT projects conducted by the Treasury Board Secretariat (TBS), and the Auditor General (AG) have identified issues in the government's management and delivery of IT projects.

To address these issues and improve the management and delivery of IT projects, a TBS Project Management Office (PMO) was formed. The purpose of the PMO is to provide guidance such that government IT projects satisfy the requirements of the program functions or services they are designed to support, deliver all expected benefits, and are completed on time and within budget.

In May 1996 the PMO, in conjunction with other federal departments, published a document of guiding principles and best practices which addressed project management concerns experienced in the federal government. Referred to as the Enhanced Framework, this document set out a plan to develop improvements to the IT project management regimes currently found within departments.

Risk management was highlighted as an area requiring particular attention. Throughout the past year, the PMO has discovered that, in general, the practice of risk management has now evolved to a point where it is benefiting from all the essential elements including:

  • Principles;
  • A process;
  • Methods; and
  • Tools.

As a result, the groundwork has been laid for action in departments. Pilots have been conducted, assessments have been made, lessons have been learned, goals have been defined, priorities have been established and plans have been formulated for the government-wide implementation of an improved risk management regime for IT projects.

1.2 Purpose

The purpose of this document is to outline the strategy and plan to facilitate the implementation of risk management within IT projects across the federal government in support of the Enhanced Framework.

1.3 Benefits

Most people would agree that risk management, if done properly, could be beneficial to organizations. Who wouldn't want to identify potential problems early enough to make a difference in the ultimate quality of the product? Sound risk management regimes "help people avoid disasters, avoid rework, avoid overkill, and stimulate win-win situations on software projects" [Boehm 89].

State-of-the-art in risk management for IT projects is reflected in the work carried out by the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh in partnership with private and public sector organizations. The SEI has put in place a risk program that has for its mission to improve the management of risk in programs involving software-intensive systems.

The SEI risk program has the merit of being supported by industry and government as well as being focused on software-intensive IT projects, the main PMO concern. Some of the benefits resulting from implementing risk management include:

  • Preventing problems before they occur;
  • Improving product quality;
  • Enabling better use of resources; and
  • Promoting teamwork.

1.4 Relationship to Other Documents

This document is one of a series of documents that will be produced as part of the government-wide implementation of the Enhanced Framework. It updates the previous strategy document on risk management dated April 18, 1996 and embodies the recommendations and principles detailed in the Enhanced Management Framework document dated May 28, 1996. It also supports the policies of the federal government regarding the management and delivery of IT projects.

1.5 Audience

This document is intended for two distinct and important groups within the federal government IT community:

  • The departments that must manage and deliver IT projects; and
  • The agents such as PWGSC which must ensure that the acquisition vehicles used for IT goods and services embody the principles and enforce their implementation with the private sector suppliers.


2. Risk Management Implementation Overview

This section describes the goals and key elements supporting the implementation of risk management in the federal government. The applicability and adaptability of risk management practices are also outlined.

2.1 Goals

Strategically, the goal of applying risk management in government projects is to significantly improve the government's ability to deliver and manage IT projects.

At the tactical or project level, the goals of risk management are to:

  • Pro-actively assess what could go wrong with a project;
  • Determine which risks are important to deal with; and
  • Implement strategies to deal with those risks.

2.2 Implementation Overview

The strategy for implementing an improved risk management regime builds upon a series of proven and related elements. These include:

  • A Continuous Risk Management approach promoted by the Software Engineering Institute;
  • A Guidebook that identifies and facilitates the use of risk management tools and techniques;
  • A detailed process to guide departmental improvement initiatives;
  • Improvement priorities;
  • Selected methods / tools / techniques;
  • A governance structure that facilitates the coordination of implementation initiatives;
  • A Lessons Learned database.

The following paragraphs summarize these various elements.

2.2.1 Continuous Risk Management

Continuous Risk Management is an approach to risk management promoted by the Software Engineering Institute and selected for use by the PMO. Continuous Risk Management is simply an area of emphasis of good project management. It is applied common sense. It should be a normal aspect of the project manager's daily work.

Continuous Risk Management is founded upon a set of principles that provide an effective approach to managing risk regardless of the specific methods and tools used. These principles are broken down into three types: core, sustaining and defining. These are described in related documentation discussed in the following section and are briefly summarized here.

The core principle is open communication, without which risk management simply cannot succeed. The defining principles focus on how the project sees risks and how ambitious it is about looking for and dealing with uncertainty. These principles foster the development of a shared view that clarifies the when, why and what of continuous risk management. The sustaining principles focus on how the project goes about its daily business of continuous risk management. If established early, adherence to these principles will assure that Continuous Risk Management becomes the way business is conducted.

The functions of Continuous Risk Management are based on the risk management paradigm promoted by the Software Engineering Institute. This paradigm illustrates a set of functions that are identified as continuous activities throughout the life cycle of a project. This paradigm is depicted in Figure 1 below.

Figure 1: SEI Risk Management Paradigm


The functions performed in Continuous Risk Management are described in Table 1.

| Function | Description |
|---|---|
| Identify | Search for and locate risks before they become problems. |
| Analyze | Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks. |
| Plan | Translate risk information into decisions and mitigation actions (both present and future), and implement those actions. |
| Track | Monitor risk indicators and mitigation actions. |
| Control | Correct for deviations from the risk mitigation plans. |
| Communicate | Provide information and feedback, internal and external to the project, on the risk activities, current risks, and emerging risks. |

Note: Communication happens throughout all the activities of risk management.

Table 1: Risk Management Functions

2.2.2 Continuous Risk Management Guidebook

The Guidebook, published by the Software Engineering Institute and available through them or the PMO, explains what Continuous Risk Management is, helps the reader understand the principles, functions, methods and tools, shows what it could look like when implemented in a project, and shows how a project could implement its own adaptation.

This guidebook is comprehensive and one of the best available on the market. It is an invaluable tool to any department implementing risk management.

However, it does not provide a cookie-cutter solution for all situations. There is no such solution. The Guidebook outlines a generic practice with a variety of commonly used methods and tools from which to choose. It is meant to be adapted to suit organizations and projects.

2.2.3 Improvement Process

The rollout of risk management improvement activities across the government will be guided and structured by the Software Engineering Institute's IDEAL℠ Model, a brief summary of which is provided in Appendix 1.

Basically, the model outlines an approach for introducing change in an organization. It defines an improvement cycle consisting of 5 phases: initiating; diagnosing; establishing; acting; and leveraging or learning. Any major improvement typically requires several cycles.

2.2.4 Improvement Priorities

The priorities outlined here reflect the improvement plateaux defined for implementation of the Enhanced Framework. See Appendix 2 for more details.

One key focus of this first improvement cycle is to address the weaknesses associated with risk management: Risk Identification, Analysis, Planning, Tracking, Controlling and Communicating. In concrete terms, the priorities will consist of the following statements:

  • Projects should search for and locate risks within their projects before they become problems;
  • Projects should transform risk data into decision-making information. Evaluate impact, establish probability, identify the timeframe, as well as classify and prioritize risks;
  • Projects should translate risk information into decisions and mitigation actions (both present and future), and implement those actions;
  • Projects should monitor risk indicators and mitigation actions;
  • Projects should correct for deviations from risk mitigation plans; and
  • Projects should provide information and feedback internal and external to the project on the risk activities, current risks and emerging risks.

These functions should be applied in all new projects by March 1998.

2.2.5 Selected methods / tools / techniques

As indicated previously, the Continuous Risk Management Guidebook contains a large number of methods and tools, some of which are quite complex. To facilitate getting started, the following have been selected to initiate improvements.


| Activity | Method / tool / technique |
|---|---|
| Risk Identification | Taxonomy-Based Questionnaire and Interviews; Risk Information Sheets |
| Risk Analysis | Tri-level Attribute Evaluation; Taxonomy Classification; Comparative Risk Ranking and Top N |
| Risk Planning | Planning Decision Flowchart; Risk Information Sheets |
| Risk Monitoring | Tri-Level Attribute Evaluation; Risk Information Sheets |
| Risk Control | Cause and Effect Analysis; Risk Information Sheets |

Table 2: Selected methods / tools / techniques

All of these selected approaches are described in the Continuous Risk Management Guidebook, as are several others that may be preferred. Some departments have already used those identified above and therefore provide an opportunity to leverage lessons learned.

2.2.6 Governance Structure

There are two levels of activity in the implementation of Risk Management:

  • A strategic or government-wide level that will provide guidance. This component will be facilitated and supported by the PMO; and
  • A tactical level created and executed by departmental managers and practitioners, providing guidance to project managers.

Within these strategic and tactical levels, there are specific entities that will steer, facilitate or perform Risk improvement activities (see Figure 2).

At the strategic level, the first of these entities is the Enhanced Framework Steering Committee in which membership is drawn from the various departments. The CIO chairs this committee. Members will steer the Enhanced Framework and provide guidance regarding government priorities and issues such as Risk Management.

The Enhanced Framework Implementation Team is responsible for facilitating its implementation across the government and assisting departments with their respective improvements.

Throughout 1996-1997 a Risk Management Working Group helped develop the selected approach. For ongoing implementation, a Risk Management Special Interest Group will be created. Membership in this Special Interest Group will include those departments who are working on or have expressed interest in improving risk management practices in their departments/projects. This group will discuss their departments' strategies and plans and will share experiences and lessons learned, thereby facilitating departmental implementation efforts.

Figure 2: Governance Structure


At the tactical or departmental level, Risk Management improvement activities may be governed simply by the Head of IT, a Departmental Office of Primary Interest for Risk Management (e.g. an assigned individual or group) and Project Teams responsible for project delivery, including identifying, assessing and managing project risks.

2.2.7 Risk Management Lessons Learned Database

The PMO is in the process of implementing a risk management lessons learned database that is scheduled to be operational in the fall of 1997. The purpose of this database is to document what government departments have read, learned, tested and experienced in risk management as well as documenting successes and less-than successful experiments. A prototype should be available to the Risk Management Special Interest Group for review by December 1997.

2.3 Applicability

This document applies to all departments and agencies that are managing and delivering IT projects in support of their programs. PWGSC also must ensure that the acquisition vehicles used for IT goods and services support the risk management goals defined herein and enforce its implementation by the private sector suppliers.

2.4 Adaptability

Continuous Risk Management is not a one-size-fits-all approach. To be effective, tailoring is needed. Tailoring occurs when organizations adapt the Continuous Risk Management processes and select methods and tools which best fit with their project management practice and their organizational culture. Following the Continuous Risk Management principles is the key to successful tailoring.



3. Action Plan

This section focuses on the plan that will be implemented to improve risk management practices. The plan defines the activities that need to take place between now and March 1998.

3.1 Key Components

Key components for the implementation of Risk Management improvements have been identified and include:

  • Communications Program: Using various vehicles, introduce Heads of IT to the need for an improved Risk Management regime. Additional information is available in the document entitled "Communications Approach for the Implementation of the Enhanced Management Framework for IT Projects".
  • Constitute the Risk Management Special Interest Group: The PMO will build on the previous Working Group and refine and expand it to include active or interested departments.
  • Identify Volunteers: The PMO will continue to seek volunteer departments and projects to undertake pilots using the selected tools and techniques described in Section 2.2.5. Training in the selected tools and techniques will be provided.
  • Continuous Risk Management Training: Identify possible sources of comprehensive Risk Management training and sponsor the first course offering.
  • Assessments: Experiences with different tools and techniques will be assessed and lessons learned will be captured in the Lessons Learned database. The assessments will also provide input for direction setting and opportunities to leverage best practices already in place.
  • Improvement Agenda: Departments will be encouraged to staff an Office of Primary Interest for the introduction of Risk Management improvements. They will be encouraged to develop departmental strategies and plans for Risk Management. The PMO, the Special Interest Group and the Enhanced Framework Implementation Team will provide support. Government-wide Risk Management improvement activities will be highlighted by sharing ongoing and planned initiatives in departments.

3.2 Key Inputs

To carry out the activities above, the PMO needs various inputs in the form of people, funds, approvals and other resources. As a minimum, it is estimated that Risk Management implementation will require:

  • One PMO resource dedicated to the deliverables identified above;
  • 10% of PMO management time;
  • Each participating department to staff the Risk Management Working Group and a Risk Management OPI;
  • $50K for consulting support and miscellaneous requirements such as training, tools, and consultation with the SEI or other resources.

3.3 Key Stakeholders

The key stakeholders in implementing the strategy include:

  • Government Chief Information Officer (CIO): The CIO is the government-wide sponsor of Enhanced Framework implementation. He has ultimate responsibility for its government-wide implementation, including the Risk Management component;
  • Project Management Office: The PMO will support the CIO and provide guidance and assistance to departments regarding the implementation of improvement activities;
  • Departments: Departments will carry out most of the implementation activities. They will, in some instances, provide resources to support the development of the deliverables identified above. The improvements in departments will be leveraged through the Risk Management Special Interest Group and the Enhanced Framework Implementation Team;
  • PWGSC: The department will ensure that acquisition vehicles used for IT goods and services embody the principles and practices required for appropriate Risk Management. The department will enforce their implementation with private sector suppliers;
  • Internal Audit: Internal Audit in departments will measure Risk Management implementation status in projects. They will be in a position to provide guidance regarding future directions and priorities; and
  • Industry: Industry will support the various departments insofar as they have the requisite skills and are requested to do so. Suppliers will be expected to comply with Risk Management practices as required under the terms and conditions of their contracts.

3.4 Key Milestones

The key milestones for the implementation strategy currently include:

| Milestone | Date |
|---|---|
| 1. Communications Program | December 15, 1997 |
| 2. Reconstitute Working Group | November 15, 1997 |
| 3. Identify Pathfinder Volunteers | November 30, 1997 |
| 4. Continuous Risk Management Training | November 30, 1997 |
| 5. Assessments | December 31, 1997 |
| 6. Improvement Agenda | March 31, 1998 |

Table 3: Key Milestones

3.5 Key Assumptions

In the development of this strategy the following key assumptions were made:

  • Departments will be willing to use projects as opportunities to improve; and
  • Departments will be willing to fund improvement activities providing that they are contributing to their project objectives.

3.6 Risks

The following risks have been identified for the implementation of this strategy:

  • There is a risk that one of the above assumptions will prove to be incorrect. Although it is felt that this risk is rather unlikely for all departments, the PMO mitigation strategy will be to emphasize the need for a risk regime as part of any submission for funds;
  • There is a risk that departments will propose alternate pathfinder solutions. PMO will assess the merit of each of these solutions and will determine its applicability in the context of this improvement effort. Tools that clearly support the goals of the improvement effort will be accepted.


4. Concluding Remarks

4.1 Next Steps

The next steps include:

  • PMO must identify volunteer departments to implement pathfinder solutions; and
  • PMO must initiate communications with Heads of IT.

4.2 Conclusion

Risk management has been clearly identified as a deficient process in the AG and TBS reviews of projects in the government. It is a key theme of the Enhanced Framework and should be at the forefront of each department's improvement agenda. Some progress has been made in the area of risk management and the TBS is confident that this weakness will be completely addressed in the coming years through the implementation of the proposed pathfinder solutions.



Appendix 1:

IDEAL℠ Model Overview

The following paragraphs provide a general definition of each of the model's phases. The paragraphs that follow are an adaptation from the SEI Handbook IDEAL℠: A User's Guide for Software Process Improvement (CMU/SEI-96-HB-001).

It should be noted that, to keep the document to a manageable size, details of the SEI IDEAL℠ Model have not been repeated. A summary is provided below, but readers may want to obtain the documentation published on the WWW by SEI at their site http://www.sei.cmu.edu or through the PMO.

Figure 1: IDEAL Model


Initiating Phase: The Initiating phase of the IDEAL℠ model is the starting point. Here is where the initial improvement infrastructure is established, the roles and responsibilities for the infrastructure are initially defined, and initial resources are assigned. In this phase, a Continuous Process Improvement plan is created to guide the organization through the completion of the Initiating, Diagnosing and Establishing phases. Approval for the initiative is obtained along with a commitment of future resources for the job ahead. The general goals of the program are defined during the Initiating phase. They are established from the business needs of the organization and will be refined and made specific during the Establishing phase of IDEAL℠.

Two key components are typically established, a management steering group and a process group. Also during the Initiating phase, plans are made for communicating the start of the initiative, and it is suggested that organizational assessments be performed to determine the readiness of the organization for an improvement initiative.

Diagnosing Phase: The Diagnosing phase of the IDEAL℠ model starts the organization on the path of continuous process improvement. This phase lays the groundwork for the later phases. In this phase, the action plan is initiated in accordance with the organization's vision, strategic business plan, lessons learned from past improvement efforts, key business issues faced by the organization, and long-range goals. Appraisal activities are performed to establish a baseline of the organization's current state. The results and recommendations from appraisals and any other baseline activities will be reconciled with existing and/or planned improvement efforts for inclusion into the action plan.

Establishing Phase: During the Establishing phase, the issues that the organization has decided to address with its improvement activities are prioritized. Strategies for pursuing the solutions are also developed. The draft action plan will be completed in accordance with the organization's vision, strategic business plan, lessons learned from past improvement efforts, key business issues facing the organization, and long-range goals.

During the Establishing phase, measurable goals are developed from the general goals that were defined in the Initiating phase; these measurable goals will be included in the final version of the action plan. Metrics necessary to monitor progress are also defined, resources are committed and training provided for the technical working groups or process action teams. The action plan developed will guide the improvement activities as it addresses the prioritized findings and recommendations from the Diagnosing phase. Also during this phase, tactical action plan templates are created and made available for the process action teams to complete and follow.

Acting Phase: In the Acting phase of the IDEAL℠ model, solutions to address the areas for improvement discovered during the Diagnosing phase are created, piloted, and deployed throughout the organization. Plans will be developed to execute pilots to test and evaluate the new or improved processes. After successful piloting of the new processes and determining their readiness for organization-wide adoption, deployment, and institutionalization, plans to accomplish the rollout are then developed and executed.

Leveraging Phase: The objective of the Leveraging phase is to make the next pass through the IDEAL℠ model more effective. By this time, solutions have been developed, lessons have been learned, and metrics on performance and goal achievement have been collected. These artifacts are added to the process database that will become a source of information for personnel involved in the next pass through the model. Using this collected information, an evaluation of the strategy, methods and infrastructure used in the improvement program can be performed. By doing this, corrections or adjustments to the strategy, methods, or infrastructure can be made prior to the start of another process improvement cycle. Some questions that should be asked include: Has the infrastructure (management steering group, process group, process action teams, etc.) performance been appropriate? Have the methods employed by the process action teams in their solution development activities been satisfactory? Have the program communications activities been sufficient? Does the sponsorship need to be reaffirmed? Does another baseline activity need to be performed? The re-entry point into the IDEAL℠ model for the next cycle is highly dependent on the answers to questions such as these.



Appendix 2:

Enhanced Framework Implementation Plateaux

At first view, implementation of the Enhanced Framework may appear to be complex and somewhat daunting. It is also apparent that in these times of shrinking resources and multiple priorities departments cannot do everything at once. Consequently a strategy has been defined that allows departments to approach its implementation in a step-wise manner.

Figure 2: Departmental Improvement Targets


Plateau 0 provides departments with the opportunity to implement the project solutions immediately and to plan the strategy, tactics and implementation approach for the next three plateaus. These project solutions include Risk Management. This approach allows departments to implement those solutions that will immediately increase the likelihood for success within specific projects.

Organizations cannot be improved overnight. These improvements require time, dedication and perseverance. Plateaus 1-3 address the larger organizational processes that must exist for projects to be consistently successful over the longer term. The implementation of both the people and process solutions, together with improvements to the key process areas identified, does not occur only once. Rather, this process is cyclical in nature, with improvements planned, implemented, reviewed and then improved upon again.

Departmental Improvement Plateaux

These Departmental Improvement Plateaux do not dictate the approach that will be used by departments to improve but rather focus on the concrete steps towards the ultimate goal of significantly improving the government's ability to deliver and manage IT projects. Developed independently from any methodology or improvement model, this path reflects the initial Enhanced Framework findings and the priorities of government departments.

Plateau 0: Project Solutions and Improvement Plans

This first plateau is designed to ensure that departments immediately gain value from the implementation of specific project solutions related to the Governance Structure of a project. These include defining a clear and explicit business case; the procurement strategy; the project charter; the gating and review process; and the project planning and control mechanisms; and conducting a risk assessment.

The second objective of plateau 0 is to ensure that departments plan for the next three plateaus. Without a plan, together with resource estimates, it is unlikely that departments will make the improvement gains as identified in the Enhanced Framework. It is expected that departments will have implemented the project solutions and created the plans for implementation of the next three plateaus by March of 1998.

Plateau 1: Project Planning

This plateau addresses the initial phase of any project namely project planning, project tracking, and oversight and subcontract management. The processes are aimed at linking the project objectives to the organizational goals and answering the fundamental questions of planning: what, who, by whom, when, how and how much. The objective of this plateau is to achieve proper planning for projects in government departments and to establish adequate visibility into actual progress, thus allowing management to take effective action when the project deviates from plan. It is also in Plateau 1 that initial actions are taken to develop project managers and establish the tools to support them and the project. Departments are to have implemented these improvements by March of 1999.

Plateau 2: Product Planning

Plateau 2 seeks to establish, at a departmental level, the controls and processes to be followed that will ensure:

  • changes to requirements follow a clearly defined effective change management process;
  • product integrity is maintained throughout the life of the project; and
  • quality of the product is acceptable within defined parameters.

Actions continue to be taken to ensure the implementation of process solutions and the development of the Project Management cadre.

Plateau 3: Organizational Effectiveness

The third Plateau deals with making the processes and practices established in Plateaus 0-2 the way that government departments do business for all their projects. The objective of this Plateau is to ensure that the best processes implemented in one project within a department are carried through to the other projects within the organization. Organization-wide issues such as the training of personnel and the documentation of processes are also addressed at this level.

Plateau 4: Continuous Improvement

The final Plateau deals with continually improving the organizational effectiveness of departments when managing and delivering projects (e.g. do projects faster and better). This Plateau includes quantitative techniques to measure and improve processes.

This path for improvement will guide Enhanced Framework implementation by establishing clear priorities, objectives and time frames.