Risk Management Implementation Strategy
October 31, 1997
Chief Information Officer Branch
Treasury Board of Canada Secretariat
Version | Release Date | Revisions |
---|---|---|
0.1 | May 8, 1997 | Table of Contents only |
0.2 | May 19, 1997 | First Draft |
0.3 | June 11, 1997 | Second Draft |
0.4 | July 4, 1997 | Third Draft |
0.5 | October 31, 1997 | Fourth Draft |
This section introduces the reader to the Risk Management component of the Enhanced Management Framework initiative within the federal government.
The government is committed to delivering its programs and services more efficiently and effectively through the use of Information Technology (IT). Reviews of government IT projects conducted by the Treasury Board Secretariat (TBS), and the Auditor General (AG) have identified issues in the government's management and delivery of IT projects.
To address these issues and improve the management and delivery of IT projects, a TBS Project Management Office (PMO) was formed. The purpose of the PMO is to provide guidance such that government IT projects satisfy the requirements of the program functions or services they are designed to support, deliver all expected benefits, and are completed on time and within budget.
In May 1996 the PMO, in conjunction with other federal departments, published a document of guiding principles and best practices which addressed project management concerns experienced in the federal government. Referred to as the Enhanced Framework, this document set out a plan to develop improvements to the IT project management regimes currently found within departments.
Risk management was highlighted as an area requiring particular attention. Throughout the past year, the PMO has discovered that, in general, the practice of risk management has now evolved to a point where it is benefiting from all the essential elements including:
As a result, the groundwork has been laid for action in departments. Pilots have been conducted, assessments have been made, lessons have been learned, goals have been defined, priorities have been established and plans have been formulated for the government-wide implementation of an improved risk management regime for IT projects.
The purpose of this document is to outline the strategy and plan to facilitate the implementation of risk management within IT projects across the federal government in support of the Enhanced Framework.
Most people would agree that risk management, if done properly, could be beneficial to organizations. Who wouldn't want to identify potential problems early enough to make a difference in the ultimate quality of the product? Sound risk management regimes "help people avoid disasters, avoid rework, avoid overkill, and stimulate win-win situations on software projects" [Boehm 89].
The state of the art in risk management for IT projects is reflected in the work carried out by the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh in partnership with private and public sector organizations. The SEI has put in place a risk program whose mission is to improve the management of risk in programs involving software-intensive systems.
The SEI risk program has the merit of being supported by industry and government as well as being focused on software-intensive IT projects, the main PMO concern. Some of the benefits resulting from implementing risk management include:
This document is one of a series of documents that will be produced as part of the government-wide implementation of the Enhanced Framework. It updates the previous strategy document on risk management dated April 18, 1996 and embodies the recommendations and principles detailed in the Enhanced Management Framework document dated May 28, 1996. It also supports the policies of the federal government regarding the management and delivery of IT projects.
This document is intended for two distinct and important groups within the federal government IT community:
This section describes the goals and key elements supporting the implementation of risk management in the federal government. The applicability and adaptability of risk management practices are also outlined.
Strategically, the goal of applying risk management in government projects is to significantly improve the government's ability to deliver and manage IT projects.
At the tactical or project level, the goals of risk management are to:
The strategy for implementing an improved risk management regime builds upon a series of proven and related elements. These include:
The following paragraphs summarize these various elements.
Continuous Risk Management is an approach to risk management promoted by the Software Engineering Institute and selected for use by the PMO. Continuous Risk Management is simply an area of emphasis of good project management. It is applied common sense. It should be a normal aspect of the project manager's daily work.
Continuous Risk Management is founded upon a set of principles that provide an effective approach to managing risk regardless of the specific methods and tools used. These principles are broken down into three types: core, sustaining and defining. These are described in related documentation discussed in the following section and are briefly summarized here.
The core principle is open communication, without which risk management simply cannot succeed. The defining principles focus on how the project sees risks and how ambitious it is about looking for and dealing with uncertainty. These principles foster the development of a shared view that clarifies the when, why and what of continuous risk management. The sustaining principles focus on how the project goes about its daily business of continuous risk management. If established early, adherence to these principles will assure that Continuous Risk Management becomes the way business is conducted.
The functions of Continuous Risk Management are based on the risk management paradigm promoted by the Software Engineering Institute. This paradigm illustrates a set of functions that are identified as continuous activities throughout the life cycle of a project. This paradigm is depicted in Figure 1 below.
Figure 1: SEI Risk Management Paradigm
The functions performed in Continuous Risk Management are described in Table 1.
Function | Description |
---|---|
Identify | Search for and locate risks before they become problems. |
Analyze | Transform risk data into decision-making information. Evaluate impact, probability, and timeframe, classify risks, and prioritize risks. |
Plan | Translate risk information into decisions and mitigation actions (both present and future), and implement those actions. |
Track | Monitor risk indicators and mitigation actions. |
Control | Correct for deviations from the risk mitigation plans. |
Communicate | Provide information and feedback, internal and external to the project, on the risk activities, current risks, and emerging risks. Note: Communication happens throughout all the activities of risk management. |
Table 1: Risk Management Functions
The Guidebook, published by the Software Engineering Institute and available through them or the PMO, explains what Continuous Risk Management is, helps the reader understand the principles, functions, methods and tools, shows what it could look like when implemented in a project, and shows how a project could implement its own adaptation.
This guidebook is comprehensive and one of the best available on the market. It is an invaluable tool to any department implementing risk management.
However, it does not provide a cookie-cutter solution for all situations. There is no such solution. The Guidebook outlines a generic practice with a variety of commonly used methods and tools from which to choose. It is meant to be adapted to suit organizations and projects.
The rollout of risk management improvement activities across the government will be guided and structured by the Software Engineering Institute's IDEAL℠ Model, a brief summary of which is provided in Appendix 1.
Basically, the model outlines an approach for introducing change in an organization. It defines an improvement cycle consisting of 5 phases: initiating; diagnosing; establishing; acting; and leveraging or learning. Any major improvement typically requires several cycles.
The priorities outlined here reflect the improvement plateaux defined for implementation of the Enhanced Framework. See Appendix 2 for more details.
One key focus of this first improvement cycle is to address the weaknesses associated with risk management: Risk Identification, Analysis, Planning, Tracking, Controlling and Communicating. In concrete terms, the priorities will consist of the following statements:
These functions should be applied in all new projects by March 1998.
As indicated previously, the Continuous Risk Management Guidebook contains a large number of methods and tools, some of which are quite complex. To facilitate getting started, the following have been selected to initiate improvements.
Activity | Method / tool / technique |
---|---|
Risk Identification |
|
Risk Analysis |
|
Risk Planning |
|
Risk Monitoring |
|
Risk Control |
|
Table 2: Selected methods / tools / techniques
All of these selected approaches are described in the Continuous Risk Management Guidebook, as are several others that may be preferred. Some departments have already used those identified above and therefore provide an opportunity to leverage lessons learned.
There are two levels of activity in the implementation of Risk Management:
Within these strategic and tactical levels, there are specific entities that will steer, facilitate or perform Risk improvement activities (see Figure 2).
At the strategic level, the first of these entities is the Enhanced Framework Steering Committee in which membership is drawn from the various departments. The CIO chairs this committee. Members will steer the Enhanced Framework and provide guidance regarding government priorities and issues such as Risk Management.
The Enhanced Framework Implementation Team is responsible for facilitating its implementation across the government and assisting departments with their respective improvements.
Throughout 1996-1997 a Risk Management Working Group helped develop the selected approach. For ongoing implementation, a Risk Management Special Interest Group will be created. Membership in this Special Interest Group will include those departments who are working on or have expressed interest in improving risk management practices in their departments/projects. This group will discuss their department's strategies and plans and will share experiences and lessons learned, thereby facilitating departmental implementation efforts.
Figure 2: Governance Structure
At the tactical or departmental level, Risk Management improvement activities may be governed simply by the Head of IT, a Departmental Office of Primary Interest for Risk Management (e.g. an assigned individual or group) and Project Teams responsible for project delivery, including identifying, assessing and managing project risks.
The PMO is in the process of implementing a risk management lessons learned database that is scheduled to be operational in the fall of 1997. The purpose of this database is to document what government departments have read, learned, tested and experienced in risk management as well as documenting successes and less-than-successful experiments. A prototype should be available to the Risk Management Special Interest Group for review by December 1997.
This document applies to all departments and agencies that are managing and delivering IT projects in support of their programs. PWGSC also must ensure that the acquisition vehicles used for IT goods and services support the risk management goals defined herein and enforce its implementation by the private sector suppliers.
Continuous Risk Management is not a one-size-fits-all approach. To be effective, tailoring is needed. Tailoring occurs when organizations adapt the Continuous Risk Management processes and select methods and tools which best fit with their project management practice and their organizational culture. Following the Continuous Risk Management principles is the key to successful tailoring.
This section focuses on the plan that will be implemented to improve risk management practices. The plan defines the activities that need to take place between now and March 1998.
Key components for the implementation of Risk Management improvements have been identified and include:
To carry out the activities above, the PMO needs various inputs in the form of people, funds, approvals and other resources. As a minimum, it is estimated that Risk Management implementation will require:
The key stakeholders in implementing the strategy include:
The key milestones for the implementation strategy currently include:
Milestone | Date |
---|---|
1. Communications Program | December 15, 1997 |
2. Reconstitute Working Group | November 15, 1997 |
3. Identify Pathfinder Volunteers | November 30, 1997 |
4. Continuous Risk Management Training | November 30, 1997 |
5. Assessments | December 31, 1997 |
6. Improvement Agenda | March 31, 1998 |
Table 3: Key Milestones
In the development of this strategy the following key assumptions were made:
The following risks have been identified for the implementation of this strategy:
The next steps include:
Risk management has been clearly identified as a deficient process in the AG and TBS reviews of projects in the government. It is a key theme of the Enhanced Framework and should be at the forefront of each department's improvement agenda. Some progress has been made in the area of risk management and the TBS is confident that this weakness will be completely addressed in the coming years through the implementation of the proposed pathfinder solutions.
The following paragraphs provide a general definition of each of the model's phases. The paragraphs that follow are an adaptation from the SEI Handbook IDEAL℠: A User's Guide for Software Process Improvement (CMU/SEI-96-HB-001).
It should be noted that, to keep the document to a manageable size, details of the SEI IDEAL℠ Model have not been repeated. A summary is provided below, but readers may want to obtain the documentation found on the WWW by SEI at their site http://www.sei.cmu.edu or through the PMO.
Figure 1: IDEAL Model
Initiating Phase: The Initiating phase of the IDEAL℠ model is the starting point. Here is where the initial improvement infrastructure is established, the roles and responsibilities for the infrastructure are initially defined, and initial resources are assigned. In this phase, a Continuous Process Improvement plan is created to guide the organization through the completion of the Initiating, Diagnosing and Establishing phases. Approval for the initiative is obtained along with a commitment of future resources for the job ahead. The general goals of the program are defined during the Initiating phase. They are established from the business needs of the organization and will be refined and made specific during the Establishing phase of IDEAL℠.
Two key components are typically established, a management steering group and a process group. Also during the Initiating phase, plans are made for communicating the start of the initiative, and it is suggested that organizational assessments be performed to determine the readiness of the organization for an improvement initiative.
Diagnosing Phase: The Diagnosing phase of the IDEAL℠ model starts the organization on the path of continuous process improvement. This phase lays the groundwork for the later phases. In this phase, the action plan is initiated in accordance with the organization's vision, strategic business plan, lessons learned from past improvement efforts, key business issues faced by the organization, and long-range goals. Appraisal activities are performed to establish a baseline of the organization's current state. The results and recommendations from appraisals and any other baseline activities will be reconciled with existing and/or planned improvement efforts for inclusion into the action plan.
Establishing Phase: During the Establishing phase, the issues that the organization has decided to address with its improvement activities are prioritized. Strategies for pursuing the solutions are also developed. The draft action plan will be completed in accordance with the organization's vision, strategic business plan, lessons learned from past improvement efforts, key business issues facing the organization, and long-range goals.
During the Establishing phase, measurable goals are developed from the general goals that were defined in the Initiating phase; these measurable goals will be included in the final version of the action plan. Metrics necessary to monitor progress are also defined, resources are committed and training provided for the technical working groups or process action teams. The action plan developed will guide the improvement activities as it addresses the prioritized findings and recommendations from the Diagnosing phase. Also during this phase, tactical action plan templates are created and made available for the process action teams to complete and follow.
Acting Phase: In the Acting phase of the IDEAL℠ model, solutions to address the areas for improvement discovered during the Diagnosing phase are created, piloted, and deployed throughout the organization. Plans will be developed to execute pilots to test and evaluate the new or improved processes. After successful piloting of the new processes and determining their readiness for organization-wide adoption, deployment, and institutionalization, plans to accomplish the rollout are then developed and executed.
Leveraging Phase: The objective of the Leveraging phase is to make the next pass through the IDEAL℠ model more effective. By this time, solutions have been developed, lessons have been learned, and metrics on performance and goal achievement have been collected. These artifacts are added to the process database that will become a source of information for personnel involved in the next pass through the model. Using this collected information, an evaluation of the strategy, methods and infrastructure used in the improvement program can be performed. By doing this, corrections or adjustments to the strategy, methods, or infrastructure can be made prior to the start of another process improvement cycle. Some questions that should be asked include: Has the infrastructure (management steering group, process group, process action teams, etc.) performance been appropriate? Have the methods employed by the process action teams in their solution development activities been satisfactory? Have the program communications activities been sufficient? Does the sponsorship need to be reaffirmed? Does another baseline activity need to be performed? The re-entry point into the IDEAL℠ model for the next cycle is highly dependent on the answers to questions such as these.
Figure 2: Departmental Improvement Targets
Plateau 0 provides departments with the opportunity to implement the project solutions immediately and to plan the strategy, tactics and implementation approach for the next three plateaus. These project solutions include Risk Management. This approach allows departments to implement those solutions that will immediately increase the likelihood for success within specific projects.
Organizations cannot be improved overnight. These improvements require time, dedication and perseverance. Plateaus 1-3 address the larger organizational processes that must exist for projects to be consistently successful over the longer term. The implementation of both the people and process solutions, together with improvements to the key process areas identified, does not occur only once. Rather, this process is cyclical in nature, with improvements planned, implemented, reviewed and then improved upon again.
These Departmental Improvement Plateaux do not dictate the approach that will be used by departments to improve but rather focus on the concrete steps towards the ultimate goal of significantly improving the government's ability to deliver and manage IT projects. Developed independently from any methodology or improvement model, this path reflects the initial Enhanced Framework findings and the priorities of government departments.
This first plateau is designed to ensure that departments immediately gain value from the implementation of specific project solutions related to the Governance Structure of a project. These include defining a clear and explicit business case, the procurement strategy, the project charter, the gating and review process, and the project planning and control mechanisms, and conducting a risk assessment.
The second objective of plateau 0 is to ensure that departments plan for the next three plateaus. Without a plan, together with resource estimates, it is unlikely that departments will make the improvement gains as identified in the Enhanced Framework. It is expected that departments will have implemented the project solutions and created the plans for implementation of the next three plateaus by March of 1998.
This plateau addresses the initial phase of any project, namely project planning, project tracking, and oversight and subcontract management. The processes are aimed at linking the project objectives to the organizational goals and answering the fundamental questions of planning: what, who, by whom, when, how and how much. The objective of this plateau is to achieve proper planning for projects in government departments and to establish adequate visibility into actual progress, thus allowing management to take effective action when the project deviates from plan. It is also in Plateau 1 that initial actions are taken to develop project managers and establish the tools to support them and the project. Departments are to have implemented these improvements by March of 1999.
Plateau 2 seeks to establish, at a departmental level, the controls and processes to be followed that will ensure:
Actions continue to be taken to ensure the implementation of process solutions and the development of the Project Management cadre.
The third Plateau deals with making the processes and practices established in Plateaus 0-2 the way that government departments do business for all their projects. The objective of this Plateau is to ensure that the best processes implemented in one project within a department are carried through to the other projects within the organization. Organization-wide issues such as the training of personnel and the documentation of processes are also addressed at this level.
The final Plateau deals with continually improving the organizational effectiveness of departments when managing and delivering projects (e.g. do projects faster and better). This Plateau includes quantitative techniques to measure and improve processes.
This path for improvement will guide Enhanced Framework implementation by establishing clear priorities, objectives and time frames.