Tài liệu Module 2: MSF Risk Management Model ppt

Module 2: MSF Risk Management Model iii Instructor Notes Module 2: MSF Risk Management Model This module provides students with an introduction to Microsoft Solutions Framework MSF risk

Information in this document is subject to change without notice The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended

to represent any real individual, company, product, or event, unless otherwise noted Complying with all applicable copyright laws is the responsibility of the user No part of this document may

be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation If, however, your only means of access is electronic, permission to print one copy is hereby granted

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property

 1999 Microsoft Corporation All rights reserved

Microsoft, MS-DOS, MS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries

The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted

Other product and company names mentioned herein may be the trademarks of their respective owners

MOC Project Advisor: Janet Wilson

MOC Project Lead: Sharon Salavaria

Program Manager/MSF Project Manager: Sharon Limbocker

Program Manager/Technical Consultant: Dolph Santello

Instructional Designer: Marilyn McCune (Independent)

Product Manager: Jim Wilson

Product Manager: Jerry Dyer

Graphic Artist: Andrea Heuston (Artitudes Layout & Design)

Editing Manger: Lynette Skinner

Editors: Marilyn McCune (Independent) and Wendy Cleary (S&T Onsite)

Production Support: Ed Casper (S&T Consulting)

Manufacturing Manager: Bo Galford

Lead Product Manager: Development Services: Elaine Nuerenberg

Lead Product Manager: Mary Larson

Group Product Manager: Robert Stewart

Module 2: MSF Risk Management Model iii

Instructor Notes Module 2: MSF Risk Management Model

This module provides students with an introduction to Microsoft Solutions Framework (MSF) risk management, including principles of successful risk management, MSF proactive risk management, risk management strategies, and in-depth information on the steps of the risk management process

The activity for this module is a brainstorming session, with the instructor capturing and writing down ideas as the class develops them Typically, people tend to think in terms of the consequences of risk This activity is intended to

demonstrate that fact as a way of generating discussion about condition and

consequence and facilitating understanding of the importance of both

The module concludes with an instructor-led question and answer review to

reinforce learning objectives

At the end of this module, students will be able to:

Recognize the characteristics of risk

Describe the value of proactive risk management

Explain each step of the MSF risk management process and how the process helps an organization manage risk

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module

Materials

To teach this module, you need the following materials:

Microsoft® PowerPoint® file 1639A_02.ppt

Module 2, “MSF Risk Management Model”

Flip chart or white board and pens for recording student responses during the planned activity

Preparation

To prepare for this module, you should:

Read all of the materials for this module

Review the instructor notes for the activity

Explore the MSF Web site at http://www.microsoft.com/msf

Presentation:

45 Minutes

Activity A:

15 Minutes

iv Module 2: MSF Risk Management Model

Instructions for Activity A: Understanding Risk

Description

This activity is designed to illustrate how most people automatically think of the consequences of risk—not the risk condition—when they talk about risk management It asks students to work together as if they were owners of a company planning to build a warehouse Their task is to deal with the risk of fire

The activity tries to approach the subject as neutrally as possible, but the assumption is that most students in your class will offer plans that deal with consequences as ways to handle the risk of fire

Your part of the activity is to lead the whole class in a brainstorming exercise to find ways to deal with the threat of fire It is important that you avoid saying anything about preventing a fire, because that will encourage students to think

of prevention instead of dealing with consequences You want to highlight the

fact that people instinctively perform reactive risk management, in which they

focus only on dealing with the consequences The goal of MSF risk management is to become proactive: to focus more on finding ways of prevention of the risk by eliminating the possible conditions

When you ask people how they will deal with the risk of fire, you will typically get suggestions such as installing a sprinkler system or setting up an escape route None of these things does anything to reduce the probability of fire or reduce the fire risk exposure to an acceptable level, which would be dealing with the risk condition Their suggestions address minimizing the impact of the fire, which is dealing with risk consequences

If the majority of answers are consequence related (which is what you are hoping for), then take the opportunity to talk about dealing with risk conditions,

and discuss what warehouse owners might do to prevent a fire or to reduce the

exposure to an acceptable level

If you have students who are already thinking in terms of risk, congratulate them, and make sure that they clearly understand the distinction between dealing with conditions and consequences

Estimated time to complete this activity: 15 minutes

Objective

Following is the learning objective for this activity:

• In an instructor-led brainstorming session, given a scenario to work from, students will be able to distinguish between risk condition and risk consequence

Module 2: MSF Risk Management Model v

Module Strategy

Use the following strategy to present this module:

Introduction to Risk This section provides an introduction to risk and MSF proactive risk management At the end of this section, students will be able to distinguish between conditions of risk and risk consequence, and explain the five principles of proactive risk management Early in this section, students will participate in an activity, “Understanding Risk.”

Topics in this section include:

• Qualifying Risk This topic defines risk and characteristics of risk and provides examples

of risk source and risk impact You should make two key points here to emphasize the important components of the MSF approach to proactive risk management

First, make certain that students understand that risk really is a fact of everyday life, whether someone is involved in working on a technology project or driving an automobile The point is that you cannot avoid or overlook risk, because it is an inherent part of life

The second point is that risk is neither intrinsically good nor bad Nor should it be feared Furthermore, risk taking is essential to progress

• Principles of Successful Risk Management

This topic describes some of the underlying principles of successful risk

management; the examples are not exhaustive, such as: continual risk assessment, risk-based decision making, implementation of a structure for dealing with risk, breadth of team analysis of risk, and treating risk

as a positive

• MSF Proactive Risk Management The MSF approach to risk management emphasizes creating an environment in which on an ongoing basis the team proactively examines what can go wrong, makes proactive choices about which risks need to be addressed, and then addresses them

The team will carry risks forward and deal with them until they are resolved or until they turn into issues and are handled as such

Proactive risk management means that the project team has a visible, measurable, and repeatable process for managing risks

Preventing risk is the transition point between reactive and proactive approaches Prevention occurs in the planning stages of a project, when actions can be taken to preclude risks from occurring

To reach the higher levels of proactive risk management, the team must

be willing to take risks This means not fearing risk, but rather viewing it

as a means to create the right type of opportunity To do so, the team must be able to evaluate the risks (and opportunities) unemotionally and then take actions that will address the causes of these risks, not just their symptoms

vi Module 2: MSF Risk Management Model

• Risk Management Strategies This topic introduces three ways that a project team can mitigate a risk, including risk reduction, risk transference, and risk avoidance

In all three approaches, action must be undertaken ahead of time to be effective In other words, the approach must be proactive rather than reactive, although some of the examples used can appear to be both proactive and reactive For example, fire insurance would be one way to minimize the impact of a fire in a warehouse Buying the insurance is a proactive move But the benefit of having the insurance is realized only

in the event of a fire, which is reactive

Steps of the MSF Risk Management Process This topic introduces the five-step MSF risk management process by which

a team can mitigate risks, including identifying the risk, analyzing the risk, planning for the risk, tracking the risk and controlling the risk This ongoing process should be part of all project management

Topics in this section include:

• Risk Assessment Document This topic presents the function and minimum contents of the risk assessment document

Module 2: MSF Risk Management Model vii

Background on Risk

Identifying Risk

Identifying risk is the first step in a five-step process When the team identifies

a risk, a risk statement is written to ensure that the team understands the risk Risk identification is an ongoing part of the risk management process

Guidelines for Identifying Risks

Use a collaborative approach It takes an entire team watching for potential

problems to do an effective job of identifying risk Identifying risk gives the project team the opportunity and the information that it needs to bring risk factors to the surface Because risk identification involves all key team players, it also reveals for the team the assumptions and viewpoints held by those players

Seek potential problems from many different sources If the entire team is

involved in identifying risk, chances are greater that different sources will

be examined for risk However, best practice is to examine as many potential sources as possible

Approach risk positively A fundamental aspect of risk identification is that

it should be treated as a positive action, not a negative one When the process of identifying risks is perceived negatively, team members have no incentive to bring possible risks to the attention of the rest of the team By adopting the idea that risk identification is positive, team members have an incentive to identify risks before they pose problems

Examine risks from two directions

• Potential issues and likely consequences For example, you know that there are no fire extinguishers in the building What are the likely consequences of that?

• Potential consequences and likely causes For example, you know that you may have a fire in your warehouse What are the likely causes of fire?

Guidelines for Creating a Risk Document

At a minimum, a risk document should contain the following information:

Risk statements The result of analyzed risk is a risk statement A risk cannot

be managed effectively until it has been clearly stated Risk statements

should clearly and simply state the condition of the risk and the

consequences of the risk For example:

• Condition Flammable liquids are stored in the warehouse

• Consequence The warehouse might catch fire

Risk probability Describes the likelihood that the risk will occur

Risk severity Defines the impact of the risk

viii Module 2: MSF Risk Management Model

Risk exposure Quantifies the overall threat

Mitigation plans Describes the effort to prevent or minimize the risk

Contingency plans and triggers Describes what to do if the risk occurs and

to make decisions about risk

Risk analysis enables the team to quantify risk priorities Teams can decide which risk to focus time and energy on Analyzing risk involves:

Risk probability The likelihood that the problem will occur

Risk impact The amount of damage that will result if the problem occurs

Risk exposure Compares and prioritizes risk

Assessing Risk Probability

Risk probability tries to determine the likelihood that what you think might happen will in fact happen The only complicating issue is the need to find a common way of measuring probability so that you can compare different risk factors

One way to compare risk factors is to assign a measurable value to represent the likelihood of risk MSF risk management recommends using numeric scales, such as 3, 2, and 1, because the overall exposure of the risk must be calculated, and it is easier to do that with numbers Although this is the recommended approach, you can use any scale that you want (such as colors or levels, such as high, medium, or low), as long as you use the same one across the project

If you use a numeric scale, keep in mind that it is easy to agree about probability on a scale of 1 to 3, but it is not so easy to explain the distinction between 17 and 18, for example, on a scale of 1 to 20

Assessing Risk Impact

Assessing risk impact means assessing the severity or magnitude of loss if the risk occurs Assessing risk impact also requires assigning a measurable value to represent the impact of the risk

Unlike risk probability, you can sometimes quantify risk impact, for example

by using a dollar value In such a case it is easy to multiply that value to calculate risk exposure

MSF recommends a simple scale of measurement used consistently, because you will multiply this figure by the probability figure to calculate exposure Ultimately, the important thing when assessing risk impact is that you pick a scale, stick with it, and avoid mixing scales

Note

Module 2: MSF Risk Management Model ix

Calculating Risk Exposure

Calculating risk exposure means quantifying the overall threat constituted by each risk The risk exposure calculation is why consistency in scales is so important Risk exposure is an artificial way of quantifying the overall threat of

a risk It has meaning only within the context of the project and by comparison with other risks

Risk exposure is arrived at by the simple mathematical formula of multiplying the number that you have arrived at for risk probability by the number that you have determined for impact:

Probability x impact = exposure The risk exposure calculation makes it clear why it is so important that project teams use simple, consistent ways of measuring probability and impact

Risk Planning

The third step in the risk management process is risk planning: planning what

to do about risk factors that have been identified and analyzed A team should only make plans for the risk factors that have consequences that the team cannot accept

Devising Risk Plans

A risk plan should address:

How to prevent the risk, if that is possible

How to minimize it ahead of time, if prevention is not possible

What to do if prevention and minimization do not work, and the risk occurs

as a result

There are five key considerations for determining which risk factors to plan against:

Research Does the team know enough about the risk?

Acceptance Can the team live with the risk consequences?

Avoidance Can the risk be avoided?

If your team cannot live with the consequences of a risk and cannot avoid it, it may be necessary to mitigate the risk or develop a contingency plan for it

Mitigation Can the probability of the risk be reduced?

Contingency Can the impact of the risk be reduced?

x Module 2: MSF Risk Management Model

Planning Risk Mitigation

The essence of mitigation is doing something ahead of time to try to keep the risk from occurring

There are a number of ways that a project team can mitigate risk

Use targeted mitigation Proactive means that the team focuses on the root

causes rather than the symptoms of risk It is likely that any chance for mitigation will be found at or close to the root causes Trying to fix the symptom will leave the risk unmitigated, which means that it will probably recur

Focus team energy only on high-exposure risks Most projects have far too

many risk factors for any project team to handle Teams should pick only those risk factors that must be handled and focus energy on them

Address the conditions of risk to reduce the probability For example, if the

risk is that employees smoking in the warehouse may cause a fire, then the issue of the employees smoking inside needs to be addressed By having them smoke outside, you may dramatically reduce the probability of fire

Address the consequences of risk to minimize the impact For example, to

minimize the impact of a warehouse fire, insurance can be purchased, which would make the risk less severe and reduce its exposure

Planning Risk Contingency

Risk contingency planning is what you do for all risk factors identified as high priority by the team—including those that you have tried to mitigate—so that you know what to do if the problem occurs despite all your efforts If the team needs to react, it is a planned reaction

A project team must know when to execute a plan This is where contingency

triggers come in Contingency triggers are sets of parameters that determine

when a contingency plan should go into effect:

Point-in-time triggers Point-in-time triggers generally are the latest date by

which something has to happen

Threshold triggers Threshold triggers focus on things that can be counted

or measured

Risk Tracking

Tracking, the fourth step in the risk management process is the guardian

function of the proactive risk management process

Tracking risks requires teams to

Treat risk tracking as an ongoing exercise throughout the project life cycle

Track the risks for any changes in condition or consequence

Include risk reviews with regular project reviews

Measure the effect of the mitigation plans

Find their own mechanisms for changing risk status and effectively judging progress

Monitor the contingency triggers

Module 2: MSF Risk Management Model xi

The Top-Ten List As a Tracking Tool

One of the reasons why risk prioritization is so important is that project teams cannot possibly focus on a large number of risks at one time A top-ten list, top-five list, or any tracking tool that a team chooses, is merely a way of prioritizing risk factors and keeping the team focused on a limited number of major issues

A top-ten list only works if the team reviews it regularly

Controlling Risk

The final step in the risk management process is controlling risk During this step, the project team uses the results of the risk management process to retire a successfully mitigated risk, correct for variations from plans, respond to contingency triggers, or improve the risk management process

Controlling risk helps integrate risk management into overall project management and is an important part of making certain that the team does not relegate risk management to a background activity Controlling risk requires the team to:

Adapt to changes in risk priority Over the course of the project, the

probability or impact of a risk may change, causing its overall exposure to change Reacting to these changes is part of controlling risks

React to variations from the plan Execution of a mitigation or contingency

plan may not go exactly as expected Reacting to these variations is part of controlling risks

Respond to triggering events Part of controlling risks is deciding whether

the conditions necessary for starting risk contingency plans have occurred For example, whether the point in time has occurred or the threshold has been reached

Assess the risk management process During the process of managing risk,

the process itself must be assessed for its efficiency and effectiveness Any necessary adjustments can then be made

Retiring Risks

Retiring a risk means removing the risk from the active risk management

process Risks are retired because:

The risk has occurred

The risk has been resolved

Retiring a risk allows the team to focus on risks that require management How

a risk is retired is an organizational issue and depends on the process and tool put in place One approach may be to create a risk archive as a repository for use and reference by future projects Another approach may be simply to remove the risks without maintaining a record of them

Note