a risk map is an important tool in 21st century risk analysis practice · 2011. 3. 28. · 1(14) a...
TRANSCRIPT
1(14)
A risk map is an important tool in 21st century risk analysis practice
The so-called risk map is an especially
suitable risk identification tool for
todays activities, as it support dialogue
between parties and thus enables us to
be ready for new phenomena. This
package contains after a short
introduction a collection of risk maps
for a wide range of uses.
24.8.2010
Matti Vuori, [email protected] www.mattivuori.net
Contents
Modern risk analysis session 3
Traditional tools 4
Need for efficient dialogue 5
A risk map responds to the challenges 6
Benefits of a risk map 7
What things do the risk maps contain 9
To be fitted to context 10
Typical session 11
Sometimes we need to compromize 13
Examples 14
3(14)
Modern risk analysis session
• Typically risks are identified and analyzed in risk
analysis sessions.
• Those are meetings held in a conference room,
lasting a couple hours, that have a certain agenda or
script.
• The idea is to identify risks, assess their significance
and to think how we should act about them.
• Risk analysis belongs in mature management and
leading.
• The most critical phase in it is identification of risks,
because only identified risks can be managed and
avoided.
4(14)
Traditional tools
• In a session-based risk analysis, the following tools have traditionally been used to support identification of risks:
– Checklist
– Special analysis methods that study the structure or behavior of the target
– Creative methods that utilize for example brainstorming or keywords
• An ideal process uses all these in certain order –starting from more open methods to those that are more specifieds; from brainstorming to checklists.
• In real word we often need to compromize on this, because there is not that much time to spend on the analysis.
5(14)
Need for efficient dialogue
• A risk analysis is a good place to carry on dialogue
between different people and occupational groups as
we can create shared will, committment and
capability with it.
• In a changing world, each even a small signal of
forthcoming potholes is worth its weight in gold.
• Therefore, we need effective tools that:
– Give psychological room for everyone’s thoughts and
experiences.
– Give impulses for discussion.
– Do not lead our thoughts into the past, but the future!
6(14)
A risk map responds to the challenges
• Visual, mindmap-style
• Checklist of issues that contain meaning
• Opens the risk space, does not restrict,
but guides
• Each box is discussed, risks are
identified, documented and talked about
• This takes an hour or two in a project
risk analysis
• Many risk maps can be used in the
same analysis
• After that the analysis continues with for
example a more detailed checklist, wich
verifies that nothing essential has not
been noticed
7(14)
Benefits of a risk map 1/2
• Helps in creating structure to the target of analysis
• Presents the main elements of activity and areas of
vulnerability
• Opens up the possible space of risks
• Supports creative identification of risks
• Supports dialogue between parties
• Presents a shared object, via which risks are viewed
• A suitable abstraction level, which all occupcational
groups can use – not too technical or theoretical
8(14)
Benefits of a risk map 2/2
• Systematic, but flexible: it can be traversed one box at a
time, but the group can easily jump to the other side of
the map if the discussion should naturally lead there
• Easy to draft to various purposes
• It helps identify more risks than a detailed checklist, but
the participants also get a joy of discovering the issues
• BUT! A risk map still need a professiona
risk analysis process and session leader.
9(14)
What things do the risk maps contain
• Risk maps do not usually contain many direct
risks, but areas in which we can find risks
– Elements of the target’s concept
– Most important success factors
– Areas which we perceived to be important and
meaningfull
– Critical viewpoints, like mandatory requirements and
the customer’s viewpoint
– Area that are risky based on experiences
– …But also individual, very important risks
10(14)
To be fitted to context
• So, the things in a risk maps are such which
usually need to be planned and which need to
be discussed
– The risk map continues that process, now from the
viewpoint of risks
• But things depend somewhat on context, so the
maps should be tailored to each context (at
least if some maps are used on a regular basis
– like project level risk maps often are)
11(14)
Typical session 1/2
• For example, a software project’s risk analysis can happen
roughly like this, in a small group of people
1. Starting the session, description of goals, agenda and rules of
the session
2. Identification or risks using a project risk map
– ”Let’s now go through the risk map clockwise. Let’s start with
’customer needs and requirements’. Is there anything in the project
plan that might cause that the customer does not get what they
expect? Feel free to tell.”
– The findings are added to the risk list but not yet analyzed any
further. Causes are discussed shortly, but not analyzed in more
detail.
3. An option: Going through another risk list that deals with an
essential theme of the project
12(14)
Typical session 2/2
4. An assuring round with a detailed project risk checklist – this
part is fast, as most of the issues have been talked about
already!
5. Going through the risk list, assessing the magnitude of risks,
preliminary planning of actions and appointing more detailed
planning to someone
13(14)
Sometimes we need to compromize
• It is not always possible to follow the state of art, for example
when there is not sufficient time resources
• Then we need to remember that it is better to do at least
something usefull than do nothing
• The risk map can be used as a tool in just as short
sessions as you like – unlike other tools that always take
some minimum time – and you can also skip using other
tools in the session if time does not allow
14(14)
Examples
• The following pages have risk maps for many
different purposes, mostly for the needs of ICT
organizations
– Ranging from company level analysis to user
interfaces and testing
– The maps are in alphabetical order
– Note: The finnish version of this collection is currently
somewhat larger
• During the 1990’s, risk maps were crafted in Risk
management for SMEs programme, which has manyt
other usefull stuff available besides the risk maps,
see http://http://www.pk-rh.fi/en-1
4.5.2005 1
Administration risk map
Administration
risks
ProcessesInformation
systems
Management
Roles and
responsibilities
Co-operation
with business
Personnel
management
Infrastructure
(premises, ICT...)
Personnel Internal
services
Competence,
development
Growing and
renewing Information
risks
Service providers
Something
else? What is
special and
new in this
activity?
17.10.2007 1
Company risk map
Risks of
company
Business idea,
vision and
strategy
Values and
policies
Management
Products and
services
Customer
satisfaction and
quality
Market and
competition
Marketing and
visibilityBranch,
community
Infrastructure
(premises, ICT...)
Economy and
capitals
Personnel Key customers
Competencies,
development
Growing and
renewing
Technology
Something
else? What is
special and
new in this
company?
17.10.2007 1
Consulting and training risk map
Competence
Customer satisfaction
Development,
renewal
Business
ChangesServices
Key person
Consulting and
training risks
Substance
Consulting
Training
Management
Experienced quality •
EffectivenessCustomer need
Image
Profile
Marketing • Demand • Pricing
Methods
Something
else? What is
special and
new in this
activity?
11.10.2007 1
Development process change risk map
Professional
competence
Capability in
process areas
with current
process
Demonstration
of success
Culture and
rules
Management
support
Managing
changeProcess requirements,
incl. trust
Shared sense
of urgency to
change
Something
else? What is
special and
new in this
process and
company?
Risks in
changing dev
process
Organization’s
ability to change
Infrastructure
Stakeholders’
view
Linked processes
(super, next, sub)
Product requirements
and product risks
20.3.2008 1
Distributed project risk map
Shared vision Co-operation
readiness
Ground rules
and processes
Project
management
Co-ordination
of teams
Product and
technology
competence
Communication,
discussion
Compatible
tools
Risks of a
distributed
project
Integration
Note! This map
includes
mainly only
issues relevant
to distributed
activity
Culture • Ways of thinking • History
Monitoring • Control
• Steering
Something
else? What is
special and
new in this
project?
Networks
Robustness
• Performance
Transparency,
views to teams
11.10.2007 1
Information system acquisition risk map
Commitment
Target of
development
Subcontractor
Maintenance
Taking into use
Planning and
design methods
Influences on
activities
Future
Information
system
acquisition risks
Own testing and
acceptance
Project management
Contracts
S/w development
done by the
subcontractor
Technology
Costs
Something
else? What is
special and
new in this
project?Reliability Compatibility
Interest groups,
users
Information
security and
other threats
(Separate analysis)
17.10.2007 1
Marketing and sales risk map
Marketing and
sales risks
Services and
products
Markets and
target groups
Strategy and
vision
Positioning
Brand
Management
Processes and
methodsResources
Media and PR
Sales channels
Design
management
Something
else? What is
special and
new in this
activity?
17.10.2007 1
Open Source integration and utilization risk map
Business
models
Community and
infrastructureFuture
Maintainability
Licenses
Product
managementCustomers and
contracts
Open Source
risks
Fulfillment of
requirements
Information
security
Architecture and
replaceability
Policies and OSS-
awareness
Product
development
process
Quality
Something
else? What is
special and
new in this
activity?
7.9.2007 1
Outsourcing risk map
Own personnel Schedule
Subcontractor’s
business
Quality
Reduction of own
competence
Choice of
partner
Information
security Dependability
Outsourcing
risks Future
Contracts
Monitoring of
subcontractor
Process
development
Costs
Differences in
culture and
ways of
thinking
Subcontractor’s
competence
Something
else? What is
special and
new in this
outsourcing?
17.10.2007 1
Process risk map
Competence
Process risks
Co-operation
Deviations
Time
Ownership
Tools, technical
resources
Monitoring
Inputs
Key persons
Time requirements
Timing
Speed
Information exchange
Errors
Deviations in flow
Exceptional situations
and conditions
Something
else? What is
special and
new in this
activity?
11.10.2007 1
Product concept risk map
Product concept
risks
Value promise
Desirability
Affordability
Functionality
Dependability
Safety
Information
security
Misuse
Compatibility Transfer from
old
User
satisfaction
Cultural
compatibility
Conditions, environment
Long term
Product development
Competitions
Technology
Purpose
Something
else? What is
special and
new in this
product?
11.10.2007 1
Project risk map
Customer
needs and
requirements
Schedule
Technical risksTeam
Competence
Quality
Strategic risks
Product
liability –end
users Budget
Something
else? What is
special and
new in this
project?
Project risks
Information
security and
IPRs
11.10.2007 1
Software acquisition risk map
Needs of
interest groups
Schedule
Technical risks
Change process
Costs
Quality
Compatibility
Changes
Software
acquisition
risks
Information security
Software supplier
Old information, files,
databases
Project co-operation
Acceptance
Something
else? What is
special and
new in this
project?
11.10.2007 1
Software business risk map
Compliance with
requirements
Compatibility
Product technology
Developers
Know-how
Quality
Strategic risks
Product liability –
end users
Product family
Software
business risks
Information security
and IPRs
Innovation
Sales
Competitors
Services
Clients’ satisfaction
Market
Key customersContracts
User’s technologySomething
else? What is
special and
new in this
business?
11.10.2007 1
Software increment risk map
Match with
visionIntegrity of the
product
ArchitectureTime
Validation,
verification,
testingStatus of
product,
stability
Changing of
conceptResources
What the
changes break
Risk of
increment
Remember the
issues of the
project risk
map
Something
else? What is
special and
new in this
project?
11.10.2007 1
Software production risk map
Client’s
requirements for
subcontractors
Projects
Product technology
Personnel
Competence
Quality
Strategic risks
Product liability –
end users
Costs
Software
production
risks
Information
security and IPRs
Premises
Order book
Capacity
Contracts
IT-infrastructure
Client
satisfaction
Something
else? What is
special and
new in this
unit?
17.10.2007 1
Technology strategy risk map
Technology strategy
risks
Company
changes
Business
strategy
Reliability of
information
Technology
changes
Marketing
Products and
platforms Competitors
Value net
Competence
Resources
Commitment
and co-
operation
Technology
management
External factors
Renewing
Organizing
Customers
Branch
Something
else? What is
special and
new in this
company?
11.10.2007
1
Testing project risk map
Quality
ResourcesInitial
information
Monitoring
Business
Information
technology,
communications
Methods
Something else?
What is new and
special in this
activity?
Testing project
risks
Improvement
Management
Undestanding
of the field /
business
Client satisfaction
Schedule
Key persons
Product under
test
17.10.2007 1
Testing service business risk map
Testing service
business risks
Key clients Business and
markets
Services
Maintenance of
competitive
advantages
Product
understanding
Personnel
Development and
renewalCompetence
Methods and
test tools
ICT
infrastructure
Information
risksManagement of
technology
Something
else? What is
special and
new in this
business?