IT Strategy plan
Managing Capital Investments at the Indian Health Service
A “How-To” Guide to Risk Management
February 2013
Office of Information Technology (OIT) Division of Information Resource Management
Albuquerque, New Mexico
ACKNOWLEDGEMENT
The Indian Health Service gratefully acknowledges the assistance of the National
Institutes of Health, Office of the Deputy Chief Information Officer, in the
preparation of this document.
Document Change History
Version Number Release Date Summary of Changes
1.0 July 14, 2006 Initial release
2.0 February 14, 2013 Updated document to be consistent with the Department of Health and Human Services Project and Portfolio Management tool and added questions to assist in the risk assessment.
Contents
PURPOSE
THE BASICS
  What Is Risk?
  What Is Risk Management?
  How Do You Manage Risk?
DRAFT A RISK MANAGEMENT PLAN
ASSESS YOUR RISK
TRACK AND REPORT PROGRESS
  Executing Risk Management Activities
  Reporting Risk Management Progress
  Reevaluating Project Risk
  Conducting Lessons Learned Sessions
  Documenting Lessons Learned Activities
RISK MANAGEMENT ROLES AND RESPONSIBILITIES
APPENDIX A. RISK MANAGEMENT PLAN TEMPLATE
APPENDIX B. CONDUCTING AN OPEN AND COMPREHENSIVE RISK REVIEW
APPENDIX C. SAMPLE RISK INVENTORY AND ASSESSMENT
Figures
Figure 1. Overview of Risk Management
Figure 2. The Risk Management Process
A “How-To” Guide to Risk Management
PURPOSE
This guide is intended to be used by project managers and project team members
to manage the risks associated with their projects.[1] The purpose of this guide is to
provide a basic, easy, step-wise method for managing the risks associated with a
project; a method that is consistent with federal and Indian Health Service (IHS)
requirements. A Guide to the Project Management Body of Knowledge (PMBOK
Guide), ANSI/PMI 99-001-2008 published by the Project Management Institute
can provide a more comprehensive reference guide.
All information technology projects have risk. Risk management provides a
means to identify the potential problems before they occur. Activities addressing
these problems are planned and executed, as needed, across the life of the project
to mitigate adverse impacts on achieving the project’s objectives. The purpose of
Risk Management is to proactively identify and manage potential problems that
may occur during a project’s implementation lifecycle. Risk management is a
continuous process that will occur throughout the project lifecycle. Effective risk
management includes early and aggressive risk identification through the
collaboration of relevant project stakeholders.
The output of this process is a risk management approach to be used as part of the
overall project management process.
This process describes the following four activities and the steps involved in these
activities:
Identify and analyze risks early and determine their relative importance.
Provide a tracking system to document, monitor, and update risks
systematically.
Manage risks by handling them appropriately.
Make timely and appropriate decisions based on risk assessment and
monitoring.
This guide first presents the basics of risk management, defining the terms and
then providing a step-by-step approach to managing risks, following the steps
shown in Figure 1.
[1] OMB uses the term “investment” to incorporate the projects, programs, systems, etc., that
fall under the purview of the Capital Planning and Investment Control (CPIC) process. Because
this guide supports the CPIC process, this document uses the term “project” as synonymous
with the term “investment.”
Figure 1. Overview of Risk Management
Appendix A contains a template for a draft risk management plan. Appendix B
tells how to conduct a comprehensive risk review and Appendix C contains an
example of a comprehensive risk review.
THE BASICS
What Is Risk?
A risk is an uncertain event or condition that, if it occurs, has a positive or
negative effect on a project objective, such as time, cost, scope, or quality. A risk
may have one or more causes and one or more impacts.[2] For reasons of
simplicity, we are only considering risks with negative outcomes. A risk is any
factor that has the potential to interfere with the successful completion of the
project. Risks are not events that have already occurred, but events that might
occur and that have the potential to adversely impact the project in some way.
What Is Risk Management?
Risk management is an organized method of identifying, prioritizing, and
measuring the impact of project risks and developing, selecting, and managing
options for handling those risks—not necessarily to eliminate them entirely, but to
minimize their impact on the project.
Managing project risk is a key component of good project management. Risks
that are managed are minimized. Understanding and communicating risks help
manage the expectations of senior management and other stakeholders. One such
stakeholder, the Office of Management and Budget (OMB), requires a formal risk
management plan for major projects and has in the past required annual reporting
of risks and risk mitigation progress before approving requested project funding.[3]
[2] A Guide to the Project Management Body of Knowledge, Fourth Edition (PMBOK Guide),
ANSI/PMI 99-001-2008, Project Management Institute, Inc., Newtown Square, PA, 2008.
[3] OMB does not specify a risk management plan format or content, but the previous reporting
requirements of the Exhibit 300 imply obvious plan elements. These elements are also selection
elements in the ProSight tool.
[Figure 1 diagram: Step 1: Draft a Risk Management Plan (see Appendix A) → Step 2: Assess Your Risk (see Appendices B & C) → Step 3: Track and Report Progress (see Appendix D)]
How Do You Manage Risk?
The appropriate level of risk management for any project depends on many
factors (e.g., size, complexity, life-cycle phase, and stability) and determining that
level requires candid management judgment. For example, a stable,
straightforward application using established technology in the maintenance phase
of its life cycle needs a far less extensive risk management program than a large,
complex agency-wide system just beginning the development phase.
No one risk management approach is appropriate for all projects. Managers of
smaller projects can profitably use elements of these risk management guidelines
without the administrative burden of reporting risks to OMB. Those subject to
OMB or HHS oversight must satisfy OMB requirements: risk status and
mitigation must be well documented so that oversight bodies can be assured that
the project manager is managing risks well enough that project success is probable.
DRAFT A RISK MANAGEMENT PLAN
The risk management planning process begins with the selection of a risk
management process model. One such model is shown in Figure 2. The risk
management process model in Figure 2 is straightforward, and its elements are
readily adaptable to the range of projects at IHS. The first four activities of the
risk management process model depicted in the figure, designated as the planning
phase and presented in the top row, specify the actions required to complete
Step 2 of Figure 1, Assess Your Risk. The last three activities of the risk
management process model, designated as the execution phase and presented in
the bottom row of the figure, specify the actions required to complete Step 3 of
Figure 1, Track and Report Progress.
To draft a plan for your project, you will have to consider what level of detail is
required to identify risks, what methods are appropriate for evaluating the risks,
who will be responsible for developing strategies to manage the risks, and how
risk management actions will be developed, monitored, and reported. The level of
funding, impact, or complexity of a project will determine how fully and detailed
the risks are identified, managed, and tracked.
When completed, the risk management plan for your project should be dated and
published. It should be made available to all project personnel, oversight and audit
personnel, project sponsors, and other interested stakeholders.
A template for a risk management plan is presented in Appendix A.
Figure 2. The Risk Management Process
ASSESS YOUR RISK
The planning phase of the risk management process model provides an
assessment of project risks, including understanding the nature, likelihood, and
potential impact of risk. It has four discrete elements:
Identify risks. The risks inherent in your project should be identified in two
ways: (1) as a continuous, ongoing part of project management, so that risks
are managed as they arise; and (2) through a periodic, independent,
comprehensive assessment of potential risks, to assure that potential new risks
are fully identified and managed.
As discussed in Appendix B, OMB has identified 19 risk categories that
provide a minimum set of risk areas to be considered by the project risk
assessment team:
1) Schedule
2) Initial cost
3) Life-cycle cost
4) Technical obsolescence
5) Feasibility
6) Reliability of systems
7) Dependencies and interoperability
8) Surety (asset protections)
9) Risk of creating a monopoly
10) Capability of agency to manage the investment
11) Overall risk of investment failure
12) Organizational and change management
13) Business
14) Data/information
15) Technology
16) Strategic
17) Security
18) Privacy
19) Project resources
Evaluate risks. Once the risks have been identified, the Project Team will
analyze those risks by determining how they might impede the overall
success of the project if they occur. Each risk should be rated in terms of
(1) the likelihood that the risk will occur and (2) its potential impact on the
project if it does occur. This rating can be expressed as high, medium, or
low for both probability of occurrence and for the potential impact. Then,
a level of magnitude can be computed by assigning a numerical score to
each risk by multiplying the numerical score of the risk’s likelihood of
occurrence by its potential impact score. By formally evaluating the risks
in this way, the project team can determine how each risk should be
managed, depending on its magnitude. Risks with a high magnitude
should receive greater management attention than those with a low
magnitude.
Risks with a high magnitude represent those risks that are deemed to pose
the greatest threat to program success and accomplishment, i.e., the high-
risk items. These items are typically reviewed at all internal program
status reviews. Once a high magnitude risk is sufficiently mitigated that it
can be closed out, it is reduced in priority and moved to an appropriate
spot on the watch list. Caution must be exercised when closing out any
risk from the high magnitude list. Closure does not mean file and forget. A
closed risk may resurface and should continue to be observed, tracked, and
documented.
After quantifying each high magnitude risk, the risks should be prioritized
from the most to least important. This allows the team to focus on the
most important risks first.
The Risk Assessment process should begin with the project team;
however, all project stakeholders should have input. During regularly
scheduled risk reviews, the project team will reassess risks previously
identified, as well as newly identified risks.
Develop risk management strategy. The most appropriate strategy for
managing each risk should be determined. If a negative risk can be
avoided (e.g., by changing the project plan), transferred (e.g., through
the use of a firm fixed-price contract), or accepted (e.g., because there is no
other suitable response strategy), it need no longer be part of the ongoing
risk management strategy, although it should be identified and the action
taken on it documented. The remaining risk management strategy for a
negative risk should be to develop a mitigation strategy, which is what you
do to try to keep the risk from occurring in the first place. For a positive
risk (i.e., an opportunity), the risk management strategy may include
exploiting it by ensuring that the opportunity will definitely happen;
sharing or transferring it to another organization that can best take
advantage of it; or enhancing it by increasing the probability of the
opportunity occurring. Regardless of whether the risk is positive or
negative, if it is of medium or high magnitude, you should also develop
a risk management strategy or contingency plan, which is what you plan to
do if the risk occurs.
The risk management strategy is expressed in a short statement that
describes the approach to managing the risk. For a risk with a high
magnitude, a specific risk owner may be assigned to manage the risk and
its mitigation activities. For negative risks that cannot be mitigated or
which are too expensive to mitigate, a risk response or contingency plan
should be developed and documented in the risk log. The risk management
strategy, along with any related work, e.g., controls, should be agreed to
via consensus techniques.
Acceptable risk management options are:
Accept – Accept the risk when there are no viable options to mitigate
or avoid the risk, or where the management or avoidance of the risk is
not economically practical. In situations where nothing can
realistically be done to prevent a risk from happening, the project risks
should have a higher degree of scrutiny so that the probability or
impact of occurrence is minimized. The Project Sponsor will formally
accept the potential impact of this risk on the project. There may be
contingency plans or reserves developed for these types of risks. A
contingency plan is a pre-defined action that can be implemented in
the event that a previously identified risk occurs, in order to diminish
impact on the project (i.e., “What should the team do if…?”).
Manage – Reduce the expected impact associated with the risk through
mitigation and contingency techniques. Mitigation is a preventative
action, e.g., controls, that is performed to reduce the probability of
the occurrence, increase the visibility of the risk, or reduce the
seriousness of the impact should the risk occur (i.e., “What should the
team do now to minimize or prevent the risk and to minimize its
impact?”). There is usually a cost associated with a risk mitigation
approach. The estimated cost of such mitigation should be identified
and documented in the Risk Log. Contingency outlines a “plan of
action” to take if the risk occurs and becomes an event to be dealt
with.
Avoid – Eliminate the impact of the risk upon the project by formally
transferring this risk to another party. This is usually accomplished
through some form of contractual agreement.
Identify risk management activities. The project manager, or risk owner if
one is assigned, should develop an approach and action plan to implement
the risk management strategy.
A guide for conducting an open and comprehensive risk review is presented in
Appendix B and an example of a comprehensive Risk Log is contained in
Appendix C.
TRACK AND REPORT PROGRESS
The execution phase of the risk management process model provides a periodic
review of the status of risk management activities. Tracking and reporting
progress on the actions taken to manage the risks includes both monitoring the
progress toward mitigating the risk and periodically reassessing risk.
Executing Risk Management Activities
Overall execution of the risk management strategy and the corresponding
management activities is managed by the risk owner. Risk management status is
tracked against the planned risk management activities developed for each risk.
HHS uses a commercial software package, currently Primavera ProSight, as its
portfolio management tool (PMT) to track information technology investments
that are subject to HHS review. The PMT provides forms to use for reporting
project risks, their levels of magnitude, and their risk management strategies.
Reporting Risk Management Progress
Risk owners regularly report on their progress in implementing the risk
management strategies and the current status of the risk management activities.
These reports are presented to the other members of the project team at a level of
detail commensurate with the risk magnitude and in the format prescribed by the
project manager.
Progress may also be reported regularly to senior management outside the project
team if appropriate.
Examples of reporting measures to be used can include:
Number of risks identified, managed, tracked, and controlled.
Monitoring the indicators that will trigger thresholds.
Risk exposure and changes to the risk exposure for each assessed risk (as a
summary percentage of management reserve).
Change activity for the risk (e.g., processes, schedule, funding).
Occurrence of unanticipated risks.
Risk categorization volatility.
Comparison of estimated versus actual risk management effort and impact.
Earned value management metrics can be used as “risk triggers” to predict when
cost and schedule risks are likely to occur or whether they are sufficiently under
control. Most projects are required to use earned-value management to track and
report on cost and schedule performance. HHS has developed a three-tiered
definition of projects that are required to report cost and schedule variances.
Reevaluating Project Risk
A comprehensive review and assessment should occur frequently, as determined
by the Project Manager, but at least once per year. Reviews can be timed to
provide current comprehensive information to assist the project manager with
preparing reports, and as a minimum, for the annual IHS or HHS business case
review and prioritization process.
During the reevaluation process, it may be determined that some risks that were
identified in past evaluations, or as part of the ongoing risk identification process,
have been successfully mitigated. These risks should still be listed on the risk
inventory, with an annotation that no action is necessary because the risk has been
successfully mitigated. This demonstrates that the risk was identified and
managed at some time as part of the risk identification and assessment process.
Conducting Lessons Learned Sessions
The lessons learned activity involves determining the causes of variances in
performance, the reason behind corrective actions chosen, and project activities
that worked well and those that did not. Lessons learned should be documented as
part of the historical record for the current project and as a “best practice”
reference for future projects. The lessons learned review should be conducted
following completion of each major lifecycle phase. At a minimum, projects
perform a lessons learned review at the end of each phase and at project
completion.
A lesson learned session serves as a valuable phase closure activity. The session
provides an opportunity for public praise and recognition for project team
members, allows the team to acknowledge what worked well, and offers an
opportunity to discuss ways to improve processes and procedures.
Participants of a lessons learned session are typically the Project Manager and
project team. It may also include the customer and/or external stakeholders as
appropriate. Some typical questions to answer include the following:
In this process or sub process, what did we do well? What could we have
changed?
Did the delivered product meet the specified requirements and goals of the
project?
Was the customer satisfied with the end product?
Did the project stay within scope?
Were cost budgets met?
Was the schedule met?
Were risks identified and mitigated?
Were problems or issues resolved in a timely and adequate manner?
Did all of the components of the project management methodology work?
If not, which ones did not, and why?
What could be done to improve the process?
Documenting Lessons Learned Activities
Lessons learned are captured and documented to be housed with other project
files and closure documentation. At a minimum, projects should perform a lessons
learned review at the end of each major lifecycle phase and at project completion.
RISK MANAGEMENT ROLES AND RESPONSIBILITIES
The project manager is responsible for overseeing, monitoring, and assigning all
risk management activities, among other project management responsibilities.
The risk owner is responsible for overall execution of the risk management
strategy and the corresponding risk management activities, including the
following:
Proposing a strategy for mitigating the assigned risk and getting the
strategy approved by the project team and project manager.
Developing an approach and action plan to execute the management
strategy.
Tracking and reporting on the progress in mitigating the risk.
APPENDIX A. RISK MANAGEMENT PLAN TEMPLATE
This appendix contains an annotated outline of a risk management plan adaptable
to individual projects.[4] Use the outline headings for your risk management plan
and follow the guidance under the headings:
Red italicized text describes what should be in each section of the risk
management plan.
Black text may be used in your plan as is, or with minor modification.
Blue underlined text indicates that you “fill in the blank.”
[4] Risks should be managed for all projects, regardless of size, and the processes for doing so
should be documented. Smaller projects may require a lesser degree of risk management than do
larger projects.
Project Name
Risk Management Plan
Version 1.0 DATE
Organizational Unit
Location
UPDATE HISTORY
Version Date Nature of Change Comment
1.0 Date Initial Draft
TABLE OF CONTENTS
I. Purpose
II. Background
  A. Organizational Mission
  B. Project Description
III. The Project Name Risk Management Process
  A. Planning Phase
  B. Execution Phase
IV. Risk Management Roles and Responsibilities
  A. Project Manager
  B. Risk Owner
I. PURPOSE
To introduce the plan, provide a short statement of the purpose, such as the
following:
The purpose of this risk management plan is to provide a framework for
managing the risks that could hinder the success of Project Name. This risk
management plan provides guidelines for identifying, analyzing, documenting,
mitigating, and monitoring events that might adversely affect the project.
Specifically, this plan provides procedures that
serve as a basis for identifying, documenting, analyzing, and prioritizing
risks associated with the project and for developing management strategies
to handle those risks, and
enable Indian Health Service (IHS), Area Office, and Organization Unit
executives and the project team to monitor the health of the project
throughout its life cycle.
All information technology projects have risk. Risk management provides a
means to identify the potential problems before they occur. Activities addressing
these problems are planned and executed, as needed, across the life of the project
to mitigate adverse impacts on achieving the project’s objectives. To ensure the
lowest possible risk in the performance of project efforts, the established goals for
this Risk Management Plan are to:
Identify and analyze risks early and determine their relative importance.
Provide a tracking system to document, monitor, and update risks
systematically.
Manage risks, if necessary, by handling them appropriately.
Make timely and appropriate decisions based on risk assessment and
monitoring.
II. BACKGROUND
If the risk management plan is a component of the project management plan, this
section may be omitted as it is superfluous. If the risk management plan is a
stand-alone document, include a Background Section to place the plan in its
context.
A. Organizational Mission
In this section, describe the mission of the organization or operating unit. The
mission of the organization or operating unit can probably be extracted from the
IHS website and should be edited to focus on that part of the mission that is most
relevant to the project’s scope and objectives. The description of the mission
should be no more than one page.
The Indian Health Service (IHS), an agency within the Department of Health and
Human Services, is responsible for providing federal health services to American
Indians and Alaska Natives. The provision of health services to members of
federally-recognized tribes grew out of the special government-to-government
relationship between the federal government and Indian tribes. This relationship,
established in 1787, is based on Article I, Section 8 of the Constitution, and has
been given form and substance by numerous treaties, laws, Supreme Court
decisions, and Executive Orders. The IHS is the principal federal health care
provider and health advocate for Indian people and its goal is to assure that
comprehensive, culturally acceptable personal and public health services are
available and accessible to American Indian and Alaska Native people. The IHS
currently provides health services to approximately 2 million American Indians
and Alaska Natives who belong to more than 566 federally recognized tribes in 35
states.
Describe the mission of the organizational unit that is or will be using the system.
This description should put the system in its proper context and should be about
one page.
B. Project Name Description
Describe the project’s purpose, history, scope, concept of operations, future
plans, and life-cycle phase. This should be about one or two pages.
III. THE PROJECT NAME RISK MANAGEMENT PROCESS
Select a risk management model to be followed. Several are available, including
one from the Software Engineering Institute of Carnegie Mellon University.
Describe the model and show it graphically.
Figure 1 depicts the process used to manage risks associated with Project Name.
As the figure shows, the process has two phases: a planning phase, and an
execution phase. Risk management activities are conducted in an overall
atmosphere of regular and open communication within the project team and
among stakeholders and users.
Figure 1. Project Name Risk Management Process
[Diagram: Planning Phase – Identify Risks → Evaluate Risks → Develop Risk Management Strategy → Identify Risk Management Activities; Execution Phase – Execute Risk Management Activities → Track and Report on Progress → Review and Reevaluate Risks Periodically; both phases framed by Regular and Open Communication]
A. Planning Phase
The planning phase of the risk management process has four steps:
Identify risks
Evaluate risks
Develop risk management strategy
Identify risk management activities
Figure 2 highlights the four steps in the planning phase.
Figure 2. Project Name Risk Management Process—Planning Phase
[Diagram: Planning Phase highlighted – Step 1 Identify Risks → Step 2 Evaluate Risks → Step 3 Develop Risk Management Strategy → Step 4 Identify Risk Management Activities; Execution Phase shown for context – Execute Risk Management Activities → Track and Report on Progress → Review and Reevaluate Risks Periodically]
1. IDENTIFY RISKS
Define risks and describe the process for identifying risks. The following is an
example.
Risk identification involves recognizing the critical events that, if they occurred,
would prevent the project from achieving its objectives. These events may be
related to technological or process uncertainty, cultural resistance to change, lack
of progress, failure to achieve critical metrics, or many other factors.
The first step in preparing for risk management is to determine risk sources and
categories. Sources are both internal and external to the project. Internal risks are
assumed to be capable of being mitigated by the project manager and team.
External risks are usually assumed to be outside the control of the project
manager and team and will usually need to be elevated to a higher level of
management for action or a contingency plan may need to be developed in the
event the risk occurs. Due to the dynamic nature of most projects, risk sources can
change over the life of the project and will need to be reviewed periodically.
One key factor in recognizing and communicating risk is to state it properly. Best
practice is to define specific risks in cause-and-effect statements. State your intent
to do so and give a few examples of risk statements that are relevant to the project
and its current life-cycle phase. Here are two examples:
“If data supporting the legacy system are not accurate and
complete, then successful transition to the new system will be
jeopardized.”
“If the acquisition process does not include detailed selection
criteria and an evaluation plan, then the selection may not be the
‘best value’ for IHS, and it will not be legally defensible.”
Describe both continuous and periodic, comprehensive processes for identifying
risks. First, introduce the subject.
Throughout the project’s life cycle, risks will be identified in two ways:
(1) they will be part of a continuous, ongoing part of project management
so that risks are identified and managed as risks arise; and (2) there will be
an annual independent, comprehensive assessment of potential risks to
assure that potential new risks are fully identified and managed.
Risk sources identify common areas where risks may originate. The following are
considered when developing the source lists:
Changing uncertain requirements
Change in business need
Organizational change
Unprecedented efforts – estimates unavailable
Infeasible design
Unavailable technology
Unrealistic schedule estimates or allocation
Inadequate staffing, skills, or tool resources
Cost or funding issues
Uncertain or inadequate new subcontractor capability
Uncertain or inadequate new vendor capability
Other risks outside of the realm of technology.
a. Continuous Risk Identification
Because continuous methods of identifying risk are the first line of defense for a
project or program, the project team must maintain an atmosphere of open,
candid communication.
Continuous risk identification procedures may vary considerably, from one in
which any project team member or stakeholder can formally identify a perceived
risk by sending the project manager an e-mail, to procedures involving formal
risk identification documentation and a risk committee to evaluate and accept
them. Determine the most appropriate level of continuous risk identification for
your project and describe it in a few paragraphs. A smooth-running project in its
steady-state phase will require a lesser degree of continuous risk identification
than a complex, mission-critical project just beginning the development phase.
Use your own judgment to define the best risk identification procedures for your
project.
b. Periodic, Comprehensive Risk Identification
In addition to continuous methods of assessing risk, a comprehensive risk
assessment should be a regular part of the project’s risk management process. At
least annually (and more often if necessary, such as at a significant project
milestone), the project team should conduct a comprehensive review of project
risks. For example, the review could correlate with the agency budget process
and the review and prioritization of agency business cases. Review Appendix B,
“Conducting an Open and Comprehensive Risk Review” of this document to
determine the appropriate level and schedule for your project. Then describe the
chosen approach in a few paragraphs.
2. EVALUATE RISKS
Introduce risk evaluation.
During the risk evaluation process, the project team will assess all suggested risks,
assign each to a risk owner, and enter the risk into the risk tracking process.
a. Risk Rating Method
Describe the method to be used to rate the risks. The following paragraphs
describe a two-stage method: first assess the probability that the risk will
occur and the impact if it does, then calculate the risk magnitude. Risk
Magnitude (= Probability of Occurrence × Impact) is the measure used by the
portfolio management tool (PMT) that HHS and IHS use to evaluate and track
investments that require HHS review. A scoring scheme of High = 3, Medium = 2,
Low = 1 is used for both factors.
Risk evaluation is an assessment of the magnitude of the identified risks. The
Project Name team will measure risk magnitude by combining the estimated
probability that the risk will occur with the risk’s potential impact. Risks of
greater magnitude receive more management attention than risks of lesser
magnitude.
Table 1 provides the ratings and guidelines for the estimated probability that the
risk situation will occur. Table 2 provides the ratings and guidelines for
estimating the degree of impact on the project if the risk is not mitigated.
Table 1. Probability of Occurrence
Probability Rating Guideline
Low 1 Below 30% probability of occurrence
Medium 2 Between 30% and 70% probability of occurrence
High 3 Greater than 70% probability of occurrence
Table 2. Degree of Impact
Impact Rating Guideline
Low 1 Will have minor impact on system development or operation
Medium 2 Will likely cause delay in one or more functions required to develop or operate the system
High 3 Will likely cause a significant delay and/or stoppage in system development or operation
The magnitude for each risk is then calculated by multiplying its rating for degree
of impact by its probability of occurrence rating:
Risk Magnitude = Probability × Impact.
Because each rating is 1, 2, or 3, the only magnitudes that can occur are 1, 2, 3,
4, 6, and 9. Table 3 shows the guidelines used to determine the risk magnitude
band for each risk.
Table 3. Risk Magnitude
Magnitude Rating Guideline
Low 1 or 2 Low likelihood of the risk moderately impacting one or more factors.
Medium 3 or 4 Medium likelihood of the risk moderately impacting one or more factors.
High 6 or 9 High likelihood of the risk severely affecting one or more factors. May have a high potential of causing program stoppage.
b. Actions for Different Risk Magnitude Ratings
Different risk magnitude ratings may require the project manager and the risk
owner to apply different risk management actions, such as the following:
Notifying senior management of project risk. A risk with a probability of
occurrence of High = 3 and potential impact on the program of High = 3,
resulting in a risk magnitude of High = 9 might be required to be reported
as soon as possible to senior management officials (the project sponsor
and the IHS Chief Information Officer (CIO), for example).
Assigning a risk owner. A risk with a medium or high magnitude (risk
magnitude = 3, 4, 6, or 9) might have a risk owner assigned and have risk
management activities developed for it. Risks with a lower risk magnitude
might be handled in a less intensive manner.
Developing a risk management strategy and plan. A risk with a low
magnitude (risk magnitude = 1 or 2) might be tracked by the project
manager but not have an assigned risk owner or risk management
activities.
Appropriate risk management action depends on risk magnitude, the nature and
complexity of the project itself, and good management judgment.
Determine the appropriate level of risk tracking for your project and describe it
in a few paragraphs.
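As an added worked example (not part of the IHS guide), the following Python script implements the two-stage rating method of Tables 1 to 3 and the handling rules just described, and runs them over a small constructed risk register. The thresholds (30%/70%), the 1/2/3 scores, the magnitude bands and the actions are taken from the text; the function names, the Risk record, the probability values and the sample risk statements are my own assumptions for illustration.

```python
# Added example, not part of the IHS guide: Tables 1-3 rating method plus the
# section III.A.2.b handling rules, applied to a constructed sample register.
from dataclasses import dataclass

# Table 1 / Table 2 ratings: Low = 1, Medium = 2, High = 3
RATING = {"Low": 1, "Medium": 2, "High": 3}


def probability_rating(p):
    """Map an estimated probability (0.0-1.0) to the Table 1 rating:
    below 30% -> 1, 30% through 70% -> 2, above 70% -> 3."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p < 0.30:
        return 1
    if p <= 0.70:
        return 2
    return 3


def magnitude(prob_rating, impact_rating):
    """Risk Magnitude = Probability rating x Impact rating."""
    for r in (prob_rating, impact_rating):
        if r not in (1, 2, 3):
            raise ValueError(f"rating must be 1, 2 or 3: {r}")
    return prob_rating * impact_rating


def magnitude_band(m):
    """Table 3 bands. Only 1, 2, 3, 4, 6 and 9 can arise from a 3x3 product;
    anything else indicates a data-entry error, so it is rejected."""
    if m in (1, 2):
        return "Low"
    if m in (3, 4):
        return "Medium"
    if m in (6, 9):
        return "High"
    raise ValueError(f"{m} is not a product of two ratings in 1..3")


def handling(m):
    """Actions per section III.A.2.b (plus the contingency-plan rule for
    medium/high risks in section III.A.3). Returns (band, actions)."""
    band = magnitude_band(m)
    actions = []
    if band == "Low":
        actions.append("track on the risk inventory by the project manager; "
                       "no risk owner or activities required")
    else:
        actions.append("assign a risk owner and develop risk management activities")
        actions.append("develop a risk response/contingency plan")
    if m == 9:  # High probability and High impact
        actions.append("report as soon as possible to the project sponsor and IHS CIO")
    return band, actions


@dataclass
class Risk:
    statement: str      # "If ..., then ..." risk statement
    probability: float  # estimated probability of occurrence, 0.0-1.0
    impact: str         # "Low", "Medium" or "High" per Table 2


def triage(register):
    """Score every risk and return rows sorted highest magnitude first:
    (statement, magnitude, band, actions)."""
    rows = []
    for risk in register:
        m = magnitude(probability_rating(risk.probability), RATING[risk.impact])
        band, actions = handling(m)
        rows.append((risk.statement, m, band, actions))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample register (illustrative values, not from the guide).
SAMPLE_REGISTER = [
    Risk("If data supporting the legacy system are not accurate and complete, "
         "then transition to the new system will be jeopardized.", 0.75, "High"),
    Risk("If the acquisition process lacks detailed selection criteria, then "
         "the selection may not be best value and may not be legally defensible.",
         0.40, "Medium"),
    Risk("If user training is not available in time, then go-live will slip.",
         0.20, "Low"),
]

if __name__ == "__main__":
    for statement, m, band, actions in triage(SAMPLE_REGISTER):
        print(f"[{band:6}] magnitude {m}: {statement}")
        for action in actions:
            print(f"           - {action}")
```

Running the script lists the register sorted by magnitude, with the CIO notification attached only to the High/High entry (magnitude 9). The band function deliberately rejects 5, 7 and 8: those values cannot come out of the 3×3 matrix, so their appearance in a register means a rating was entered incorrectly rather than that a new band is needed.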
3. DEVELOP RISK MANAGEMENT STRATEGY
The most appropriate strategy for managing each risk should be determined. If a
negative risk can be avoided (e.g., by changing the project plan), transferred
(e.g., through the use of a firm fixed-price contract), or accepted (e.g., because
there is no other suitable response strategy), it need no longer be part of the
ongoing risk management strategy, although the risk should remain identified
and the action taken should be documented. For the remaining negative risks, the
strategy is mitigation: what you do to try to keep the risk from occurring in the
first place.
For a positive risk (i.e., an opportunity), the risk management strategy may
include exploiting it by ensuring that the opportunity will definitely happen;
sharing or transferring it to another organization that can best take advantage of
it; or enhancing it by increasing the probability of the opportunity occurring.
Regardless of whether the risk is positive or negative, if it is a risk that is being
managed and is of medium or of high magnitude, you should also develop a risk
response or contingency plan, which is what you plan to do if the risk occurs. The
risk management strategy is expressed in a short statement that describes the
approach to managing the risk. For a risk with a high magnitude, a specific risk
owner may be assigned to manage the risk and its management activities. For
negative risks that cannot be mitigated or which are too expensive to mitigate, a
risk response or contingency plan should be developed.
Give one or two examples that are relevant to your project. An example follows:
It is the responsibility of the risk owner to develop an appropriate risk
mitigation or other risk management strategy and to get it approved by the Project
Name team.
The risk management strategy is a short statement that describes the approach to
managing the risk. For example, the statement below describes a mitigation
strategy for a system interface risk:
“The organization will acquire an independent validation and
verification (IV&V) contractor to assist with developing interface
test requirements and an integrated test plan, and it will perform
interface testing before acceptance.”
The statement below is an example of a mitigation strategy for the risk of
declining system effectiveness from the perspective of users:
“Continuous assessment of program usability and effectiveness
will be maintained through open communication and regular user
group meetings. Users will participate in annual program risk
assessment exercises.”
Management strategies may be even more concise. Here’s an example of a
security risk mitigation statement:
“The project manager will implement the security protocols
provided by IHS and NIST.”
There are approaches to risk management other than mitigation that may be
appropriate. Any of these approaches could be the risk management strategy, and
the choice should be documented in the risk management plan:
Changing the project plan to eliminate the risk altogether
Transferring the risk impact to a third party
Accepting that there is no cost-effective approach to mitigation and that
contingency planning will be the best way to manage the risk. Active
acceptance may involve the creation of contingency plans and passive
acceptance may leave actions to be determined as needed. A decision to
accept a risk must be communicated to stakeholders.
4. IDENTIFY RISK MANAGEMENT ACTIVITIES
Describe how you plan to have risk management actions developed by the risk
owner (or whomever else might be assigned responsibility for developing the
plans), and how risk management activities are approved, tracked and reported.
A variety of approaches are possible depending on the complexity and life-cycle
phase of the project and the complexity of the risk management strategy. For
example, for simple risk management strategies, a list of actions with due dates
and responsibilities may suffice. Or, for complex or high-magnitude risks, a
detailed plan for risk management might be needed. Using Microsoft Project as a
tool to help manage the risk management activities may be appropriate.
Determine the best approach for your project and describe it in a few paragraphs.
Say something like the following.
Once the risk management strategy is approved by the project team, the risk
owner will develop an approach and propose actions to execute the risk
management strategy. The proposed actions are defined in a work plan, unless a
more detailed approach is directed by the project manager.
With the help of the project manager, appropriate members of the team and others
as necessary, the risk management actions will be assigned to specific individuals
and formalized.
The risk owner tracks and reports on progress toward risk management at
predetermined risk review sessions conducted by the project team—at least
monthly.
B. Execution Phase
Figure 3 highlights the execution phase of the risk management process. This
phase has three steps:
Execute risk management activities
Track and report on progress
Review and reevaluate risks periodically
Figure 3. Project Name Risk Management Process—Execution Phase
The figure shows the four planning-phase steps (Step 1, Identify Risks; Step 2,
Evaluate Risks; Step 3, Develop Risk Management Strategy; Step 4, Identify Risk
Management Activities) feeding the three execution-phase steps: Execute Risk
Management Activities; Track and Report on Progress; Review and Reevaluate
Risks Periodically.
1. EXECUTE RISK MANAGEMENT ACTIVITIES
Describe responsibilities for execution of the risk management activities in a few
paragraphs. Say something like the following.
Those responsible for executing the risk management activities will execute them
in accordance with the plans managed by the risk owners.
The risk owner maintains responsibility for overall execution of the risk
management strategy and the corresponding risk management activities.
2. TRACK AND REPORT ON PROGRESS
Describe how information on risks and risk management planned activities will
be tracked. Begin by stating something like the following.
Performance and progress on mitigating the risks are tracked against the risk
management activities. Progress against the risk management plan is available for
review by the project manager and designated members of the project team at any
time.
Then, describe the reporting schedules and venues for reporting by the risk
owners. Many reporting options are possible depending on the nature of the
project and the severity of the risk. Low-severity risks on stable operating systems
may be reviewed by the project team at a regularly scheduled meeting at least
once each quarter. For complex or high-magnitude risks or for risks associated
with a large, complex, and mission-critical project, more frequent reporting is
warranted. In some cases, it may be appropriate to hold a weekly or monthly ad
hoc project risk meeting that is attended by stakeholders and senior managers, as
well as team members.
In all situations, information on risks, their risk management strategies, risk
management activities, and progress toward mitigation should be available to
appropriate staff and managers.
Progress toward mitigating risks will be reported annually to senior Area
Office/Organization Unit and IHS management and to OMB through the CPIC
process and the OMB Exhibit 300.
If you plan to report high risks to senior management as soon as they are
identified, as discussed in the Evaluate Risks section (III. A. 2. b), include this
reporting requirement here as well. The following is an example.
The IHS CIO will be notified and briefed whenever a high-magnitude risk is
identified.
3. REVIEW AND REEVALUATE RISKS PERIODICALLY
Describe plans for periodic review and reevaluation of risks. It should be done at
least annually but should also be performed at significant project milestones, such
as after selection of a system integrator or at completion of end-to-end testing.
Describe what is appropriate for your project. The following is an example.
The project team, led by the project manager, will assist with a periodic
comprehensive review of the risk posture of the Investments. This review will
take place at least once each year in preparation for the annual business case
review and prioritization by the IHS Information Technology Investment Review
Board (ITIRB).
During the reevaluation process, it may be determined that some risks that were
identified in past evaluations, or as part of the ongoing risk identification process,
have been successfully mitigated. These risks will still be listed on the risk
inventory, with an annotation that no further action is necessary because the risk
has been successfully mitigated. This demonstrates that the risk was identified and
managed as part of the risk identification and assessment process.
IV. RISK MANAGEMENT ROLES AND RESPONSIBILITIES
Describe the risk management roles and responsibilities for your project. Include
at least the project manager and the risk owner. Review and cite the roles and
responsibilities sections for the CPIC program contained in Capital Planning and
Investment Control Policy and Guidelines issued by the Office of the CIO. Say
something like the following.
The project manager and the risk owner have specific risk management
responsibilities for project risk management.
A. Project Name Project Manager
The project manager is responsible for overseeing, monitoring, and assigning all
risk management activities.
The project manager will schedule a periodic independent review of program
risks at least once each year. This review will cover the perspectives of all
program stakeholders. It will result in identified risks, risk ratings, and suggested
risk management strategies.
B. Risk Owner
The risk owner has the following responsibilities:
Propose a strategy for mitigating the assigned risk and get the strategy
approved by the team and project manager
Develop an approach and action plan to execute the risk management
strategy
With the help of the project manager, assign responsibility for completion
of the action plan steps
Track and report on progress in mitigating the risk
APPROVALS:
Jonas Salk, Project Investment Manager
Date
Howard Hays, Chief Information Officer (Acting)
Date
Samuel Mudd, Project Sponsor
Date
APPENDIX B. CONDUCTING AN OPEN AND
COMPREHENSIVE RISK REVIEW
Risk management includes assessment of risk, development and execution of risk
management strategies, and monitoring of progress. This appendix provides
guidance on how to conduct a risk assessment.
Risk assessment involves identifying and understanding the potential risks during
project development and implementation: the events that, if they occurred, would
prevent the project from achieving its cost, schedule, or performance objectives.
These events may be related to technological or process uncertainty, cultural
resistance to change, lack of progress, failure to achieve critical metrics, or many
other factors.
One effective way of assessing risk is through a periodic, open and
comprehensive risk review. 5
The risk review team normally consists of a leader
and one or two team members. The team convenes representatives from the
project staff, users, and stakeholders in an environment of open communication.
The risk review must be comprehensive so that the full spectrum of risks from all
sources is considered. During a risk review, the risk assessment team must ask the
right questions and ask the right people, as shown in Figure B-1.
Figure B-1. Two Elements of Effective Risk Assessment: ask the right
QUESTIONS, and ask the right PEOPLE.
Ask the Right Questions
Risks that are managed are minimized. Understanding and communicating project
risks help manage the expectations of senior management and other stakeholders.
One such stakeholder, OMB, may ask for the formal risk management plan and
annual reporting of project risks and risk management progress before approving
requested project funding.
OMB’s risk management reporting requirements for large projects are useful for
managing risk in projects of all sizes because they contain a broad,
comprehensive set of risk categories that are useful to project managers as a
starting point for defining their project risks.
5 Two important ways of identifying risk are continuous risk identification, which requires an
open and honest exchange of ideas as part of daily project management, and comprehensive risk
identification, which entails a periodic assessment of risk on a project-wide basis. For additional
information on these types of risk identification, see Appendix A, Section III.A.1, Identify Risks.
OMB has identified 19 risk categories, presented in Figure B-2, that provide a
minimum set of risk areas to be considered by the project risk assessment team.
Figure B-2. OMB’s 19 Risk Categories
Risk Categories for All Investments
1) Schedule
2) Initial cost
3) Life-cycle cost
4) Technical obsolescence
5) Feasibility
6) Reliability of systems
7) Dependencies and interoperability
8) Surety (asset protections)
9) Risk of creating a monopoly
10) Capability of agency to manage the investment
11) Overall risk of investment failure
Risk Categories for IT Investments
12) Organizational and change management
13) Business
14) Data/information
15) Technology
16) Strategic
17) Security
18) Privacy
19) Project resources
The figure separates the risks into two categories: (1) those for all investments
and (2) those for IT investments. There are similarities between those in the first
set of risk categories and those in the second. It is helpful to consider the risks
grouped according to their overall management-related area. Reordering the risk
categories into related risk areas, as shown in Figure B-3, makes them more user
friendly and more meaningful to technical personnel, functional users, and senior
management.
Figure B-3. Restructured OMB Risk Categories
Business Impact
16—Strategic
13—Business
5—Feasibility
9—Risk of creating a monopoly
Resource Availability
19—Project resources
1—Schedule
2—Initial cost
3—Life-cycle cost
Management and Oversight
10—Capability of agency to manage the investment
12—Organization and change management
7—Dependencies and interoperability
Technical Issues
4—Technical obsolescence
15—Technology
6—Reliability of systems
14—Data/information
Security
17—Security
8—Surety
18—Privacy
Summary of Risk
11—Overall risk of investment failure
The order in which these risks are assessed does not matter in principle. However,
the risk assessment team identifies risks more effectively if the assessment starts
with the areas that are broadest in scope. The risk assessment leader should start
the assessment with Business Impact, the highest-level and least technical of the
risk areas, and then address the other areas in order: Resource Availability,
Management and Oversight, Technical Issues, and finally Security, the narrowest
and most specialized area. The risk assessment leader should address the
Summary of Risk last. Table B-1 lists the order in which the risks should be
addressed and provides some examples of topics that may be considered while
assessing risk in each risk category.
Table B-1. Order for Addressing Risks and Considerations
(Columns: Risk area; Risk category; Considerations; Sample Questions)

Risk area: Business Impact

Risk category 16—Strategic
Considerations:
Risk associated with strategic/government-wide goals, top management support and communication, consistency with strategic plans, high-level visibility with outside stakeholders such as OMB or Congress, and other political impacts.
Risk that the proposed alternative fails to result in the achievement of those goals or in making contributions to them.
Risk that strategic goals and objectives, including PMA goals or HHS priorities, may change.
Risk that the objectives of the project are not clearly linked to program needs, to the agency’s overall strategies, and to government-wide policies and standards.
Risk that the initiative is not based on clearly understood needs or opportunities and is inconsistent with the overall strategies and architectures used by the agency and the federal government (i.e., Federal Enterprise Architecture).
Sample questions:
Does this project support a governmentwide initiative?
Does this project support the strategic goal(s) of HHS or of the OPDIVs?
Have stakeholders (e.g., OPDIVs) been engaged?
Do stakeholders have buy-in with scope and requirements?

Risk category 13—Business
Considerations:
Risk associated with the validity of the business case for the project, the completeness and validity of the specified functional requirements, and the need for reengineering subject business processes.
Risk that the business goals of the program or initiative will not be achieved.
Risk that the program effectiveness targeted by the project will not be achieved.
Sample questions:
Is the business need and project scope well-defined?
Have the planned improvements/benefits to business operations or customer results been documented?
Have operational performance measures been identified and signed off by the sponsor and (OPDIVs) major stakeholders?
Has an Operational Analysis been performed at least annually?
Have any shortcomings been identified?

Risk category 5—Feasibility
Considerations:
Risk associated with the feasibility of the requirements from a technical and performance point of view and the organization’s familiarity with the project life-cycle method used within the organization or as implemented by others.
Risk of insufficient ability to successfully develop and implement the project within defined technical, scope, cost, and schedule parameters to successfully meet the performance goals.
Sample questions:
Is the proposed technology involved feasible?
Has an alternatives analysis been performed; is it less than 3 years old?
Does/did the alternatives analysis examine use of other technologies (e.g., different COTS products and/or different hosting solutions: Cloud Computing/private cloud)?
Is the proposed solution feasible?
Is the solution as simple as possible?

Risk category 9—Risk of creating a monopoly
Considerations:
Risk associated with the over-reliance on a particular vendor or on proprietary or specialty software that would limit project expansion or flexibility.
Sample questions:
Does the technology/vendor selected trigger a risk that the Department/OPDIV will be locked into a specific set of vendors and their products?

Risk area: Resource Availability

Risk category 19—Project resources
Considerations:
Risk associated with the stability and adequacy of project staff and project budget for today and the future. Include resources that might be available from contractors.
Risk that the availability of people, funds, schedule, and tools that are the necessary ingredients for successfully implementing the project will be inadequate (if any are inadequate, including the qualifications of the people, there is risk).
Risk that appropriate training will not be available in a timely fashion.
Sample questions:
Do the COTS vendors have an established reputation of delivering quality product on time?
Are the contractors qualified for this type of work; do they have an established track record?
Are requirements/scope, cost and schedule well defined?
Are necessary algorithms or workflows well understood?
Do the contract vehicles provide cost controls; are they appropriate to the product and/or service to be provided?
Has the project management team worked with the business owners/stakeholders to identify capabilities or components that might need to be rescheduled or delayed in the event that budget cuts affect the ability to authorize and execute tasks as planned?

Risk category 1—Schedule
Considerations:
Risk associated with the stability, reality, and validity of the time estimated and allocated for the development, deployment, and operation of the system. Include the cost or impact of not meeting the schedule.
Two risk areas bearing on schedule risk are (1) the risk that the schedule estimates and objectives are not realistic and (2) the risk that program execution will fall short of the schedule objectives.
Sample questions:
Does the project have an Integrated Master Schedule?
Is there a high level of confidence in the schedule for the project?
Does the schedule address all of the EPLC documentation in addition to the functional deliverables?
If processes and procedures are being affected, is delivering training and developing the related documentation included in the schedule?

Risk category 2—Initial cost
Considerations:
Risk associated with the adequacy, completeness, accuracy, and validity of the initial funding estimates, the supporting information that justifies those initial funding estimates, and their relationship to longer term funding needs.
Sample questions:
Is there a high level of confidence in the estimates for the project?
Is the project scope sufficiently defined to identify size/scale/complexity of the project effort?
Are the estimates based on two or more reliable estimating techniques?
Have management and oversight requirements, such as workflow/status reporting, been identified?
Are the requirements well understood and well developed?
Are security requirements well established?
Do security requirements include audit logging and regular analysis of audit logs?
In addition to the functionality and security requirements, have all of the “ility” requirements been identified (i.e., reliability, availability, maintainability, usability, supportability, etc.)?

Risk category 3—Life-cycle cost
Considerations:
Risk associated with the adequacy, completeness, accuracy, and validity of life-cycle cost estimates, the supporting information that justifies those life-cycle funding estimates, and the likely stability of longer term availability of funds. This includes the impact of errors in the cost estimating technique(s) used (given that the technical requirements were properly defined).
Life-cycle costs include planning, development, operations, and retirement costs.
Sample questions:
If this project is going to be followed by additional functionality
Is there a good understanding of the projects/enhancements that are needed?
Has the additional functionality been considered in the design?
Is the system solution designed to be maintainable?
Is the design and acquisition structured so the solution is not a proprietary solution that can only be supported by one vendor/competitor?
Are training and maintenance costs considered in the life-cycle cost analysis?
Will the planned solution/system be supportable and maintainable?
What is the plan for maintaining the system once it is deployed?
Is there funding to maintain this system?

Risk area: Management and Oversight

Risk category 10—Capability of agency to manage the investment
Considerations:
Risk associated with the experience of the project manager and staff in the development or operation of systems with similar complexity and/or size, the application domain, and the functional business processes involved.
Risk associated with the existence of an experienced project management team, appropriate project management structures, executive management support, governance, clear and defined responsibilities, as well as demonstrated experience in managing the development or operation of projects of similar complexity and/or size, the application domain, and the functional business processes involved. Also relates to the degree to which program plans and strategies exist and are realistic and consistent.
Sample questions:
Does the project have a PM with experience in this type and/or size of project?
Does the PM have certification and/or appropriate training?
Does the project have team members with appropriate experience to manage, track progress and ensure quality deliverables (e.g., PM, EPLC or technical expertise appropriate to type of project)?
Are good project management, acquisition management, requirements management, etc., controls in place?
Are there adequate tools for planning and managing the project?

Risk category 12—Organization and change management
Considerations:
Risk associated with the willingness and ability of the organization/agency to accept the cultural, proce
s s ,
a n
d
p ro
c e
d u
ra l c h
a n
g e
s r
e q
u ir
e d
b y t
h e
p ro
je c t.
I n
c lu
d e
th e
e
x is
te n c e
o r
a d
e q
u a
c y o
f th
e c
h a
n g
e m
a n
a g
e m
e n
t p
la n
, c o
m m
u n
ic a
ti o
n s p
la n
, a
n d
u s e
r tr
a in
in g
p la
n .
R is
k a
s s o
c ia
te d
w it h
b y p
a s s in
g ,
la c k o
f u s e
, im
p ro
p e
r u
s e
, o
r a
d h
e re
n c e
t o
n e
w s
y s te
m s a
n d
p ro
c e
s s e
s d
u e
t o
o rg
a n
iz a
ti o
n a
l s tr
u c tu
re a
n d
c u
lt u
re ;
in a
d e
q u
a te
t ra
in in
g .
Is o
rg a
n iz
a ti o
n a
l c h
a n
g e
r e
q u
ir e
d ?
Is r
e e
n g
in e
e ri
n g
/ re
o rg
a n
iz in
g o
f b
u s in
e s s p
ro c e
s s e s o
r w
o rk
fl o
w s
re q
u ir
e d
?
Is t
h e
re a
d e
q u
a te
b a
c k in
g b
y s
p o
n s o
rs a
n d
k e
y s
ta k e
h o ld
e rs
?
A re
p la
n n
e d
c h
a n
g e
s w
e ll
c o m
m u
n ic
a te
d ?
Is t
ra in
in g
f o
r n
e w
s y s te
m a
s w
e ll
a s n
e w
p ro
c e
s s e
s p
la n n
e d
?
7 —
D e
p e
n d
e n
c ie
s a
n d
in te
ro p
e ra
b ili
ty
R is
k a
s s o
c ia
te d
w it h
t h
e d
e p e
n d
e n
c e
o f
th e
p ro
je c t
o n
d a
ta
fr o
m o
th e
r s y s te
m s a
n d
p ro
c e
s s e
s (
e x is
ti n
g a
n d
p la
n n
e d
) (e
x is
ti n
g o
r in
d e
v e
lo p
m e
n t)
w it h
in t
h e
A g
e n
c y a
n d
a c ro
s s t
h e
F
e d
e ra
l G
o v e
rn m
e n
t (e
.g .
te c h
n ic
a l in
te rf
a c e
s , s c h
e d
u le
d
e p
e n
d e
n c ie
s ).
R is
k a
s s o
c ia
te d
w it h
t h
e r
e q
u ir
e m
e n
t fo
r th
e p
ro je
c t
to o
p e
ra te
in
c o
n c e
rt w
it h
o th
e r
p ro
g ra
m s .
In c lu
d e
re la
te d
s c h
e d
u le
a n
d
fu n
d in
g c
o n
c e
rn s .
R is
k i s i n c re
a s e
d i f
th e
s u c c e s s o
f a
p ro
je c t
is d
ir e
c tl y l in
k e
d t
o
th e
s u
c c e s s /
im p
le m
e n
ta ti o
n o
r o
n -g
o in
g m
a in
te n
a n
c e
o f
o th
e r
s y s te
m s .
A re
t h
e i n
te rn
a l a
n d
e x te
rn a
l in
te rf
a c e s i d
e n
ti fi e
d a
n d
w e
ll u
n d
e rs
to o
d ?
A re
d e
p e
n d
e n
c ie
s a
n d
i n
te ro
p e
ra b
ili ty
r e
q u
ir e
m e
n ts
w e
ll d
e fi n
e d
?
Is t
h e
re a
n I
n te
rf a
c e
C o
n tr
o l D
o c u
m e
n t
(I C
D )
fo r
e a
c h
i n
te rf
a c e
/c o
n n
e c ti o
n
b e
tw e
e n
c o
m m
u n
ic a
ti n
g s
y s te
m s t
h a
t s p
e c if ie
s t
h e
d a
ta , fo
rm a
t,
c o
m m
u n
ic a
ti o
n s p
ro to
c o
l, p
e ri
o d
ic it y ,
e x p
e c te
d v
o lu
m e
s , e
tc ?
A re
t h
e re
s ig
n e
d S
e rv
ic e
L e
v e
l A
g re
e m
e n
ts (
S L
A s )
o r
M e
m o
ra n
d a
o f
U n
d e
rs ta
n d
in g
( M
O U
s )
th a
t a
d d
re s s r
e lia
b ili
ty ,
a v a
ila b
ili ty
, s e
c u
ri ty
d a
ta
in te
g ri
ty ,
e tc
?
B -8
T a b le
B -1
. O
rd e r
fo r
A d d re
s s in
g R
is k s a
n d C
o n s id
e ra
ti o n s
R is
k a
re a
R is
k c
a te
g o
ry C
o n
s id
e ra
ti o
n s
S a
m p
le Q
u e
s ti o
n s
T e
c h
n ic
a l
Is s u
e s
4 —
T e
c h
n ic
a l
o b
s o
le s c e
n c e
R is
k a
s s o
c ia
te d
w it h
t h
e l ik
e lih
o o
d o
f th
e t
e c h
n o
lo g
y b
e c o m
in g
o
b s o
le te
b e
c a
u s e
o f
c h
a n
g in
g t
e c h
n o
lo g
y o
r re
q u
ir e
m e
n ts
. In
c lu
d e
te c h
n o
lo g
y s
u p
p o
rt f
ro m
t h
e e
x is
ti n
g s
u p
p lie
r a
n d
a
b ili
ty o
f in
-h o
u s e
s ta
ff t
o m
a n
a g
e s
u p
p o
rt .
R is
k t
h a
t s tr
a te
g ie
s f
o r
a v o
id in
g t
h e
u s e
o f
o u
td a
te d
t e
c h
n ic
a l
re s o
u rc
e s o
v e
r th
e s
y s te
m l if e
a re
n o
t p
la n
n e
d f
o r
a n
d
im p
le m
e n
te d
. A
p la
n f
o r
re g
u la
r te
c h
n o
lo g
y u
p g
ra d
e o
r re
fr e
s h
i s o
n e
w a
y t
o a
v o
id o
b s o
le s c e
n c e
b y e
n s u
ri n
g t
h e
u s e
o
f a
d v a
n c e
d v
e rs
io n
s o
f e
q u
ip m
e n
t o
r s o
ft w
a re
w h
e n
t h
e y
b e
c o
m e
a v a
ila b
le .
Is t
h e
t e
c h
n o
lo g
y “
a g
in g
” a
n d
i n
d a
n g
e r
o f
o b
s o le
s c e
n c e
?
Is t
h e
re a
d a
n g
e r
th a
t th
e d
e v e
lo p
m e
n t
la n
g u
a g
e o
r o
th e
r C
O T
S p
ro d
u c ts
a
re s
o o
ld t
h a
t it w
o u
ld b
e d
if fi c u
lt t
o g
e t
a n
d /o
r m
a in
ta in
a q
u a
lif ie
d t
e a
m
fo r
th e
p ro
je c t
a s w
e ll
a s t
h e
a n
ti c ip
a te
d l if e
c y c le
o f
th e
s y s te
m ?
If t
h is
p ro
je c t
p ro
v id
e s a
n u
p g
ra d
e o
r re
p la
c e
m e
n t
to a
n e
x is
ti n
g s
y s te
m ,
a re
t h
e re
p la
n s f
o r
re ti re
m e
n t
a n
d d
is p
o s it io
n o
f th
e c
u rr
e n
t s y s te
m /s
o lu
ti o
n ?
1 5
— T
e c h
n o
lo g
y R
is k a
s s o
c ia
te d
w it h
t h
e e
x is
ti n
g o
r c h
o s e
n s
o ft
w a
re ,
h a
rd w
a re
, a
n d
n e
tw o
rk r
e lia
b ili
ty ,
m a
in ta
in a
b ili
ty ,
a n
d s
e c u
ri ty
. In
c lu
d e
te c h
n o
lo g
y d
o c u
m e
n ta
ti o
n ,
te s ta
b ili
ty ,
a n
d
a p
p ro
p ri
a te
n e
s s f
o r
th e
f u
n c ti o
n a
l n
e e
d i n
th e
e x is
ti n
g o
r fu
tu re
e
n v ir
o n
m e
n t.
R is
k a
s s o
c ia
te d
w it h
i m
m a
tu ri
ty o
f c o
m m
e rc
ia lly
a v a
ila b
le
te c h
n o
lo g
y .
R is
k o
f te
c h
n ic
a l p
ro b
le m
s /f
a ilu
re s w
it h
a p
p lic
a ti o
n s a
n d
t h
e ir
a
b ili
ty t
o p
ro v id
e p
la n
n e
d a
n d
d e
s ir
e d
t e
c h
n ic
a l fu
n c ti o
n a
lit y .
T
e c h
n ic
a l ri s k a
d d
re s s e s t
h e p
o s s ib
ili ty
t h
a t
th e
a p
p lic
a ti o n
o f
s o
ft w
a re
e n
g in
e e
ri n
g t
h e
o ri
e s ,
p ri
n c ip
le s ,
a n
d t
e c h
n iq
u e
s w
ill
fa il
to y
ie ld
t h
e a
p p
ro p
ri a
te s
o ft
w a
re p
ro d
u c t.
T e
c h
n ic
a l ri s k i s
c o
m p
ri s e
d o
f th
e u
n d
e rl
y in
g t
e c h
n o
lo g
ic a l fa
c to
rs t
h a
t m
a y
c a
u s e
t h
e f
in a
l p
ro d
u c t
to b
e o
v e
rl y e
x p
e n
s iv
e ,
d e
liv e
re d
l a
te o
r o
th e
rw is
e u
n a
c c e
p ta
b le
t o t
h e
c u
s to
m e
r.
Is t
h e
t e
c h
n o
lo g
y b
le e
d in
g e
d g
e ?
Is t
h e
t e
c h
n o
lo g
y c
o n
s id
e re
d m
a tu
re e
n o
u g
h t
o b
e r
e lia
b le
?
A re
t h
e re
m u
lt ip
le v
e n
d o
rs t
h a
t a
re a
b le
t o
p ro
v id
e t
h e
s u
p p
o rt
/s e
rv ic
e s
n e
e d
e d
o n
t h
is t
e c h
n o
lo g
y ?
D o
t h
e t
e a
m m
e m
b e
rs h
a v e
a p
p ro
p ri
a te
e x p
e rt
is e
?
Is t
h e
t e
c h
n o
lo g
y m
a tu
re e
n o
u g
h ?
6 —
R e
lia b
ili ty
o f
s y s te
m s
R is
k a
s s o
c ia
te d
w it h
t h
e d
e fi n
e d
r e
s p
o n
s e
t im
e a
n d
th
ro u
g h
p u
t re
q u
ir e
m e
n ts
a s n
e e
d e
d a
n d
e x p
e c te
d .
In c lu
d e
s y s te
m c
o n
ti n
g e
n c y p
la n
s ,
c o
n ti n
u it y o
f o
p e
ra ti o
n s p
la n
s ,
d is
a s te
r re
c o
v e
ry p
la n
s a
n d
te s ts
o f
th o
s e
p la
n s .
R is
k o
f in
a b ili
ty o
f th
e s
y s te
m t
o p
ro v id
e p
la n
n e
d a
n d
d e
s ir
e d
fu
n c ti o
n a
lit y .
D o
e s t
h e
p ro
p o
s e
d s
o lu
ti o
n p
ro v id
e a
s u
ff ic
ie n
tl y r
o b
u s t a
n d
/o r
re d
u n
d a
n t
s o
lu ti o
n t
h a
t s y s te
m a
n d
d a
ta a
v a
ila b
ili ty
r e
q u
ir e
m e
n ts
a re
m e
t?
A re
p h
y s ic
a l a
n d
I T
s e
c u
ri ty
m e
a s u
re s s
u ff
ic ie
n t
to e
n s u
re t
h e
s e
c u
ri ty
o f
th e
I T
s y s te
m a
n d
t h
e i n
te g
ri ty
o f
th e
d a
ta ?
B -9
T a b le
B -1
. O
rd e r
fo r
A d d re
s s in
g R
is k s a
n d C
o n s id
e ra
ti o n s
R is
k a
re a
R is
k c
a te
g o
ry C
o n
s id
e ra
ti o
n s
S a
m p
le Q
u e
s ti o
n s
T e
c h
n ic
a l
Is s u
e s
1 4
— D
a ta
/ in
fo rm
a ti o
n R
is k a
s s o
c ia
te d
w it h
t h
e c
la ri ty
, c o
m p
le te
n e
s s ,
v a
lid it y ,
s o
u rc
e s ,
a n
d f
e a
s ib
ili ty
o f
d a
ta r
e q
u ir
e m
e n
ts .
In c lu
d e
d a
ta
in te
rf a
c e
a n
d d
a ta
c o
n v e
rs io
n c
o m
p le
x it ie
s .
In c lu
d e
d a
ta
c o
lle c ti o
n ,
s to
ra g
e ,
in te
g ri
ty , a
n d
a v a
ila b
ili ty
.
R is
k a
s s o
c ia
te d
w it h
t h
e l o s s /m
is u
s e
o f
d a
ta o
r in
fo rm
a ti o
n ,
ri s k o
f in
c re
a s e
d b
u rd
e n
o n
c it iz
e n
s a
n d
b u
s in
e s s e
s d
u e
t o
d
a ta
c o
lle c ti o
n r
e q
u ir
e m
e n
ts i f
th e
a s s o c ia
te d
b u
s in
e s s
p ro
c e
s s e
s o
r th
e p
ro je
c t
re q
u ir
e a
c c e
s s t
o d
a ta
f ro
m o
th e
r s o
u rc
e s (
fe d
e ra
l, s
ta te
a n
d /o
r lo
c a
l a
g e
n c ie
s ).
H a
s a
P ri
v a
c y I
m p
a c t A
s s e
s s m
e n
t (P
IA )
b e
e n
p e
rf o
rm e
d o
r re
v is
it e
d i n
t h
e
la s t
2 y
e a
rs ?
If a
n y P
e rs
o n
a lly
I d
e n
ti fi a
b le
I n
fo rm
a ti o
n (
P II
) is
c o
lle c te
d , h
a s t
h e
n e
e d
f o
r th
a t
in fo
rm a
ti o
n b
e e
n e
s ta
b lis
h e
d ?
H a
v e
t h
e r
e q
u ir
e m
e n
ts f
o r
th e
a n
a ly
s is
, re
p o
rt in
g a
n d
o r
o th
e r
u s e
o f
th is
d
a ta
b e
e n
w e
ll e
s ta
b lis
h e
d ?
If m
u lt ip
le s
o u
rc e
s o
f P
II a
re c
o m
b in
e d
, h
a s t
h a
t b
e e
n a
n n
o u
n c e
d i n
a
S y s te
m o
f R
e c o
rd s N
o ti c e
( S
O R
N )?
A re
p ro
c e
s s e
s a
n d
s e c u
ri ty
c o
n tr
o ls
i n
p la
c e
t o
e n
s u
re a
u th
o ri
z e
d u
s e
rs
h a
v e
a n
e e
d f
o r
a c c e
s s t
o t
h e
s y s te
m /d
a ta
a n
d t
h a
t th
e u
s e
rs a
re g
ra n
te d
o
n ly
t h
e (
ro le
-b a
s e
d )
a c c e
s s t h
e y n
e e
d ?
A re
t h
e re
c o
n tr
o ls
i n
p la
c e
t o p
re v e
n t
u n
a u
th o
ri z e
d a
c c e
s s /v
ie w
in g
, c o
m b
in a
ti o
n ,
a n
d /o
r a
n a
ly s is
o f
th e
P II
?
A re
d a
ta b
e in
g s
u p
p lie
d b
y t
ru s te
d s
o u
rc e
s ?
Is t
h e
re a
w a
y t
o c
h e
c k t
h e
i n
te g
ri ty
a n
d /o
r v a
lid it y o
f th
e d
a ta
? A
re
in te
rf a
c e s a
n d
d a
ta f
e e
d s /p
u lls
w e
ll d
e fi n
e d
?
Is t
h e
re a
d a
ta m
ig ra
ti o
n p
la n
f o
r tr
a n
s it io
n o
f d
a ta
f ro
m l e
g a
c y t
o
re p
la c e
m e
n t
s y s te
m (s
)?
Is t
h e
re a
n a
p p
ro v e
d r
e c o
rd s m
a n
a g
e m
e n
t p
la n
?
B -1
0
T a b le
B -1
. O
rd e r
fo r
A d d re
s s in
g R
is k s a
n d C
o n s id
e ra
ti o n s
R is
k a
re a
R is
k c
a te
g o
ry C
o n
s id
e ra
ti o
n s
S a
m p
le Q
u e
s ti o
n s
S e
c u
ri ty
1
7 —
S e
c u
ri ty
R is
k a
s s o
c ia
te d
w it h
t h
e s
e c u
ri ty
/v u
ln e
ra b
ili ty
o f
s y s te
m s ,
w e
b s it e
s ,
in fo
rm a
ti o
n a
n d
n e
tw o
rk s ;
ri s k o
f in
tr u
s io
n s a
n d
c o
n n
e c ti v it y t
o o
th e
r (v
u ln
e ra
b le
) s y s te
m s
R is
k a
s s o
c ia
te d
w it h
t h
e m
is u
s e
( c ri
m in
a l/ fr
a u
d u
le n
t) o
f in
fo rm
a ti o
n
R is
k a
s s o
c ia
te d
w it h
t h
e v
a lid
it y a
n d
e ff
e c ti v e
n e
s s o
f th
e
o rg
a n
iz a
ti o
n s
e c u
ri ty
p la
n ,
th e
p la
n ’s
c o
m p
lia n
c e
w it h
N IS
T
re q
u ir
e m
e n
ts ,
a s s o
c ia
te d
p la
n s t
o c
e rt
if y a
n d
a c c re
d it t
h e
I T
s y s te
m p
ri o
r to
i m
p le
m e
n ta
ti o
n ,
a n
d t
h e
o rg
a n
iz a
ti o
n ’s
a b
ili ty
to
i m
p le
m e
n t
th e
p la
n .
[N o
te :
T h
is r
is k c
a te
g o
ry m
u s t
in c lu
d e
i n
t h
e r
is k d
e s c ri p
ti o
n
th e
l e
v e
l o
f ri s k (
h ig
h ,
m e
d iu
m ,
o r
lo w
) a
n d
w h
a t
a s p
e c t
o f
s e
c u
ri ty
d e
te rm
in e
s t
h e
l e
v e
l o
f ri
s k ,
e .g
. n
e e
d f
o r
c o
n fi d
e n
ti a
lit y o
f in
fo rm
a ti o
n a
s s o
c ia
te d
w it h
t h
e
p ro
je c t/
s y s te
m ,
a v a
ila b
ili ty
o f
th e
i n
fo rm
a ti o
n o
r s y s te
m ,
o r
re lia
b ili
ty o
f th
e i n fo
rm a
ti o
n o
r s y s te
m .]
A re
p h
y s ic
a l s e c u
ri ty
c o
n tr
o ls
i n
p la
c e
?
A re
a d
e q
u a
te p
e rs
o n
n e
l c h
e c k s i n
p la
c e
?
Is t
h e
re r
o le
-b a
s e
d a
c c e
s s c
o n
tr o
l a
n d
s e
p a
ra ti o
n o
f re
s p o
n s ib
ili ti e s t
o
e n
s u
re a
d e
q u
a te
i n
fo rm
a ti o
n s
e c u
ri ty
c o
n tr
o ls
a re
i n
p la
c e
?
D o
t h
e C
O T
S p
ro d
u c ts
p ro
v id
e t
o o
ls t
h a
t s u
p p
o rt
F IS
M A
r e
q u
ir e
m e
n ts
?
D o
e s /w
ill t
h e
s y s te
m h
a v e
c u
rr e
n t
C e
rt if ic
a ti o
n a
n d
A c c re
d it a
ti o
n (
C &
A )
a n
d /o
r A
u th
o ri
ty T
o O
p e
ra te
( A
T O
)?
A re
i n
te rf
a c in
g s
y s te
m s s
u b
je c t
to s
e c u
ri ty
c h
e c k s a
n d
a c c e
s s c
o n
tr o
ls ?
8 —
S u
re ty
(a s s e
t p
ro te
c ti o
n )
R is
k a
s s o
c ia
te d
w it h
t h
e i m
p a
c t
o f
lo s s ,
d a
m a
g e
, o
r th
e ft
a n
d
th e
a d
e q
u a
c y o
f p
h y s ic
a l p
ro te
c ti o
n ,
c o
n ti n
u it y o
f o
p e
ra ti o n
s ,
a n
d d
is a
s te
r re
c o
v e
ry p
la n
s ,
a n
d o
p e
ra ti o
n s f
o r
th e
s y s te
m .
R is
k a
s s o
c ia
te d
w it h
t h
e n
a tu
re ,
v a
lu e
, a
n d
s e
c u
ri ty
o f
p h
y s ic
a l
a s s e
ts (
g o
v e
rn m
e n
t o
r c o
n tr
a c to
r o
w n
e d
) a
n d
t h
e c
o n
ti n
g e
n c y
p la
n s t
o p
ro te
c t
th e
p ro
je c t
in t
h e
e v e
n t
o f
a s s e
t lo
s s o
r fa
ilu re
.
A re
t h
e re
a d
e q
u a
te c
h e
c k s /c
o n
tr o
ls t
o e
n s u
re d
a ta
i n
te g
ri ty
a n
d a
p p
ro p
ri a
te l e
v e
l o
f a
c c e
s s c
o n
tr o
l?
A re
t h
e s
e le
c te
d s
y s te
m s /t
e c h
n o
lo g
ie s r
e lia
b le
?
A re
p ro
c e
s s e
s i n
p la
c e
t o
e n s u
re t
ra n
s fe
r o f
d a
ta i s r
e lia
b le
, a
n d
t o
e n
s u
re
th a
t tr
a n
s m
it te
d /t
ra n
s fe
rr e
d d
a ta
r e
a c h
e s o
n ly
t h
e i n
te n
d e
d r
e c ip
ie n
t s y s te
m (s
)?
1 8
— P
ri v a
c y
R is
k a
s s o
c ia
te d
w it h
t h
e v
u ln
e ra
b ili
ty o
f th
e c
o lle
c ti o
n ,
u s e ,
s to
ra g
e ,
tr a
n s m
is s io
n ,
a n
d d
is p
o s a
l o f
p e
rs o
n a
lly i d
e n
ti fi a b
le
o r
p ro
p ri
e ta
ry i n
fo rm
a ti o
n .
R is
k a
s s o
c ia
te d
w it h
t h
e c
o m
p lia
n c e
w it h
t h
e P
ri v a
c y A
c t a
n d
th
e p
ri v a
c y i m
p a
c t
a s s e
s s m
e n
t. I
n c lu
d e
th e
e ff
e c ti v e
n e
s s a
n d
c o
s t
o f
th e
p ro
je c t’ s d
o c u
m e
n te
d s
ta n
d a
rd s f
o r
s u
b m
is s io
n a
n d
u
s e
o f
p e
rs o
n a l in
fo rm
a ti o
n .
H a
s a
P ri
v a
c y I
m p
a c t A
s s e
s s m
e n
t (P
IA )
b e
e n
p e
rf o
rm e
d ?
If t
h is
i s a
p ro
je c t
re la
te d
t o
a l e
g a
c y s
y s te
m ,
h a
s t
h e
P IA
b e
e n
r e
v is
it e
d i n
th
e l a
s t
2 y
e a
rs ?
D o
e s /w
ill t
h e
s y s te
m c
o n
ta in
P e
rs o
n a
lly I
d e
n ti fi a
b le
I n
fo rm
a ti o
n (
P II
) o
f th
e
g e
n e
ra l p
u b
lic o
r o f
e m
p lo
y e
e s ?
B -1
1
T a b le
B -1
. O
rd e r
fo r
A d d re
s s in
g R
is k s a
n d C
o n s id
e ra
ti o n s
R is
k a
re a
R is
k c
a te
g o
ry C
o n
s id
e ra
ti o
n s
S a
m p
le Q
u e
s ti o
n s
S u
m m
a ry
o f
R is
k 1
1 —
O v e
ra ll
ri s k o
f in
v e
s tm
e n
t fa
ilu re
R is
k a
s s o
c ia
te d
w it h
a n
y r
is k s ,
in c lu
d in
g o
th e
r ri
s k s n
o t
a lr
e a
d y d
is c u
s s e
d ,
th a
t h
a v e t
h e
g re
a te
s t
p o
te n
ti a
l fo
r c a u
s in
g
s y s te
m f
a ilu
re o
r th
a t
h a
v e
a n
e g
a ti v e
i m
p a
c t
re s u
lt in
g f
ro m
th
e o
c c u
rr e
n c e
o f
o n
e o
r m
o re
i d
e n
ti fi e
d o
r u
n id
e n
ti fi e
d r
is k s ,
le a
d in
g t
o c
a ta
s tr
o p
h ic
r e
s u
lt s f
o r
th e
p ro
je c t.
It
r e
fe rs
t o
t h
e
a g
g re
g a
ti o
n o
f id
e n
ti fi e
d r
is k s a
s s o c ia
te d
w it h
t h is
i n it ia
ti v e
a n
d
th e
l ik
e lih
o o
d (
p ro
b a
b ili
ty a
n d
i m
p a
c t)
t h
a t
o n
e o
r m
o re
o
c c u
rr e
n c e
s o
f ri
s k w
ill c
a u
s e
t h
is i n it ia
ti v e
t o
f a
il.
It a
ls o
in
c lu
d e s t
h e
r is
k t
h a
t u
n id
e n
ti fi e
d a
c ti v it ie
s o
c c u
r th
a t
le a
d t
o
th e
p ro
je c t
b e
c o
m in
g o
b s o
le te
. In
c lu
d e
t h
e e
ff e
c ti v e
n e
s s a
n d
u
s e
o f
th e
r is
k m
a n
a g
e m
e n
t p
la n
.
Is t
h e
re a
b u
s in
e s s n
e e
d f
o r
th is
p ro
je c t?
D o
e s t
h e
p ro
d u
c t/
s y s te
m s
u p
p o
rt t
h e
b u
s in
e s s g
o a
ls a
n d o
b je
c ti v e
s ?
I s
th is
p ro
je c t
a b
u s in
e s s p
ri o
ri ty
?
H a
s t
h e
s p
o n
s o
r/ b
u s in
e s s o
w n
e r
b e
e n
i d
e n
ti fi e
d ?
D o
e s t
h e
s p
o n
s o
r/ b
u s in
e s s o
w n
e r
h is
/h e
r re
c o
g n
iz e
r o
le a
n d
re
s p
o n
s ib
ili ti e s w
it h
t h
e p
ro je
c t?
Is t
h e
re s
u ff
ic ie
n t
s u
p p
o rt
f o
r c o
m p
le ti n
g t
h is
e ff
o rt
a n
d b
a c k in
g t
o g
e t
a llo
c a
ti o
n o
f fu
n d
s ?
A re
t h
e re
p o
lit ic
a l is
s u
e s t
h a
t m
ig h
t a
ff e c t
th e
d ir
e c ti o
n a
n d
/o r
p ri
o ri
ty o
f th
is e
ff o
rt ?
A re
t h
e r
e q
u ir
e m
e n
ts w
e ll
u n
d e
rs to
o d
a n
d w
e ll
m a
n a
g e
d ?
Is t
h e
d e
s ig
n w
e ll
d o
c u
m e
n te
d ?
Is t
h e
t e
s t
p la
n w
e ll-
d o
c u
m e
n te
d ?
D o
t h
e t
e s ts
m a
p t
o t
h e
r e
q u
ir e
m e
n ts
?
Is t
h e
re a
s o
u n
d i m
p le
m e
n ta
ti o
n p
la n
?
Is t
h e
re a
s o
u n
d t
ra in
in g
p la
n ?
A re
t h
e re
a d
e q
u a
te t
o o
ls f
o r
e x e
c u
ti n
g t
h e
p ro
je c t,
f o
r re
q u
ir e
m e
n ts
a
n a
ly s is
a n
d m
a n
a g
e m
e n
t, d
e s ig
n ,
d e
v e
lo p
m e
n t,
t e
s t,
im
p le
m e
n ta
ti o
n /d
e p
lo y m
e n
t?
D o
t e
a m
m e
m b
e rs
h a
v e
a d
e q
u a
te t
ra in
in g
t o
u s e
t h
e t
o o
ls a
n d
p e
rf o
rm
th e
ir j o
b /r
o le
?
A re
r o
le s a
n d
r e
s p
o n
s ib
ili ti e
s w
it h
in t
h e
p ro
je c t
te a
m c
le a
r?
Is t
h e
re a
t ra
in in
g p
la n
?
D o
k e
y i n
d iv
id u
a ls
h a
v e
b a
c k u
p /s
h a
d o
w p
e rs
o n
n e
l?
Is t
h e
re a
n y s
u c c e
s s io
n p
la n n
in g
?
Ask the Right People
WHOM TO ASK
Whose opinion of project risk is the best to solicit? The answer is anyone who has
a stake in the project’s success. No one group of people is best for every project
or every life-cycle phase of a single project. The appropriate people include
individuals selected from this list:
Project or investment management
Project staff
Organization or operating unit security officer
Organization or operating unit and/or IHS chief enterprise architect
Agency support staff such as the budget officer and the contracting officer
Contractor management
Contractor staff
Users or potential users
Senior functional management and senior technical management
Other members of the Integrated Project Team (IPT)
Other stakeholders that have an interest in the success of the project and a
perspective about risk.
Do not exclude people because they are not supporters of the project or because
you think you already understand their opinions. These may be the most
important people to include. Getting potential real or perceived risks out in the
open early is often the best way to manage or mitigate them.
It is best to gather opinions of risk in an open forum so all players can hear and
learn from the ideas of others. For this reason, a facilitated workshop is
recommended.
DON’T ATTEMPT TOO MUCH
While a group is gathered to identify and evaluate project risk, it may be tempting
to try to cover too much ground—for example, to also develop risk management
strategies and discuss risk management action steps. These are best postponed
until a later meeting or until the risk owner is ready to discuss them. A more
limited agenda works best. Suggestions for an agenda are listed below:
Describe the purpose of risk management and the risk management model.
Introduce the risk categories.
Address each risk category. You may not have a risk in every category;
however, every category should be reviewed. State each risk as a cause-
and-effect statement.
When all risks have been identified, consider them in their entirety. Then
evaluate each risk—one at a time—for its potential impact on the project
and the likelihood of occurrence as described in your risk management
plan.
If time permits, consider risk management strategies for the most serious risks. If
appropriate, assign risks to risk owners as described in the risk management plan.
A sample risk inventory and assessment, the results of conducting an open and
comprehensive risk review, is presented in Appendix C.
APPENDIX C. SAMPLE RISK INVENTORY AND
ASSESSMENT
This Appendix provides a sample risk inventory and assessment.
When entered into the HHS Project and Portfolio Management Tool, Oracle
Primavera ProSight, a unique identifier for each risk will be assigned by
the tool.
Within a risk category, there can be more than one risk (see risk category 4,
Technical Obsolescence, for example).
C -2
In fr
a re
d T
er o si
s D
et ec
ti o n
S y st
em (
IT D
S )
R is
k I
n v en
to ry
a n
d A
ss es
sm en
t
A s
o f
F eb
ru a ry
1 4 , 2 0 1
3
R is
k N
a m
e D
a te
Id
e n
ti fi
e d
R is
k C
a te
g o
ry D
e s c ri
p ti
o n
P ro
b a
b il
it y
o f
O c c u
rr e n
c e
Im p
a c t
R is
k
M a
g n
it u
d e
R is
k O
w n
e r
M it
ig a
ti o
n P
la n
D a
te a
n d
S ta
tu s
S ch
e d u le
d a ta
1 0 J
a n
2 0 1 3
1 )
S ch
e d u le
If t
h e p
ro je
ct m
a n a g e r
d o e s
n o t
h a v e t
h e a
p p ro
p ri a te
in
fo rm
a ti o n t
o t
ra ck
a ct
u a l
p ro
g re
ss a
g a in
st p
la n n e d
m ile
st o n e s,
t h e n t
h e p
ro je
ct
m a y f
a ll
b e h in
d s
ch e d u le
.
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
S ch
e d u le
i ss
u e s
in v o lv
in g s
y st
e m
m
o d if ic
a ti o n a
re m
a n a g e d t
h ro
u g h
re g u la
r w
e e k ly
t e a m
m e e ti n g s.
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
In it ia
l co
st
d a ta
1 0 J
a n
2 0 1 3
2 )
In it ia
l C o st
s If
t h e i n it ia
l co
st e
st im
a te
i s
n o t
a cc
u ra
te , th
e n t
h e l if e cy
cl e c
o st
s a n d f
u tu
re e
st im
a te
s w
ill n
o t
b e
a cc
u ra
te .
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
G S A p
u rc
h a se
.
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
1 6 J
a n
2 0 1 3 :
P u rc
h a se
co
m p le
te d .
L if e -c
y cl
e c
o st
d a ta
1 0 J
a n
2 0 1 3
3 )
L if e -c
y cl
e C
o st
s If
l if e -c
y cl
e c
o st
s a re
e st
im a te
d
in co
rr e ct
ly , th
e n p
ro je
ct m
a y
n o t
b e c
o m
p le
te d w
it h in
t h e
sp e ci
fi e d b
u d g e t.
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
C O
T S p
ro d u ct
; G
S A p
u rc
h a se
.
S y st
e m
i s
p ri m
a ri ly
i n t
h e s
te a d y -
st a te
p h a se
o f
it s
lif e c
y cl
e a
n d
D M
E c
o st
s a re
r e la
ti v e ly
l o w
. T h o se
r e q u e st
in g e
n h a n ce
m e n ts
p a rt
ic ip
a te
i n f
u n d in
g j u st
if ic
a ti o n s.
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
M a in
te n a n ce
co
st s
1 0 J
a n
2 0 1 3
4 )
T e ch
n ic
a l
o b so
le sc
e n ce
If t
h e I
n v e st
m e n t
re lie
s o n
te ch
n o lo
g y t
h a t
is n
o t
o p e n o
r w
id e ly
s u p p o rt
e d , th
e n t
h e
m a in
te n a n ce
m a y b
e co
m e c
o st
- p ro
h ib
it iv
e .
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
A u to
-r e fr
e sh
w it h c
o n tr
a ct
o r.
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
O ra
cl e
m ig
ra ti o n
1 0 J
a n
2 0 1 3
4 )
T e ch
n ic
a l
o b so
le sc
e n ce
If t
h e s
ta n d a rd
O ra
cl e m
ig ra
ti o n
p a th
i s
n o t
fo llo
w e d , th
e s
y st
e m
co
u ld
b e co
m e t
e ch
n o lo
g ic
a lly
o b so
le te
, m
o re
e x p e n si
v e t
o
m a in
ta in
, a n d /o
r lo
se
fu n ct
io n a lit
y .
L o w
L o w
1 N
o n e r
e q u ir e d
T h e O
ra cl
e c
o n tr
a ct
o r
a tt
e n d s
w e e k ly
I T D
S te
a m
m e e ti n g s
a n d
re p o rt
s o n O
ra cl
e t
e ch
n o lo
g y
ch a n g e i ss
u e s.
P ro
je ct
p e rs
o n n e l
h a v e e
x te
n si
v e e
x p e ri e n ce
w it h t
h e
O ra
cl e p
ro d u ct
s.
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
C -3
In fr
a re
d T
er o si
s D
et ec
ti o n
S y st
em (
IT D
S )
R is
k I
n v en
to ry
a n
d A
ss es
sm en
t
A s
o f
F eb
ru a ry
1 4 , 2 0 1
3
R is
k N
a m
e D
a te
Id
e n
ti fi
e d
R is
k C
a te
g o
ry D
e s c ri
p ti
o n
P ro
b a
b il
it y
o f
O c c u
rr e n
c e
Im p
a c t
R is
k
M a
g n
it u
d e
R is
k O
w n
e r
M it
ig a
ti o
n P
la n
D a
te a
n d
S ta
tu s
D e si
g n
co m
p le
x it y
1 0 J
a n
2 0 1 3
5 )
F e a si
b ili
ty If
t h e i m
p le
m e n ta
ti o n o
f th
e
d e si
g n i s
d if fi cu
lt o
r im
p o ss
ib le
to
t e st
, th
e p
ro je
ct m
a y b
e
a cc
e p te
d w
h e n i t
d o e s
n o t
m e e t
u se
r- d e fi n e d f
u n ct
io n a l
re q u ir e m
e n ts
.
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
C O
T S p
ro d u ct
; G
S A p
u rc
h a se
. 1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
S y st
e m
re
st o ra
ti o n
1 0 J
a n
2 0 1 3
6 )
R e lia
b ili
ty o
f sy
st e m
s If
t h e s
ta ff h
a s
lim it e d e
x p e rt
is e
w it h t
e ch
n o lo
g y ,
th e n t
h e a
b ili
ty
to q
u ic
k ly
r e st
o re
a n d r
e p a ir
sy st
e m
s co
u ld
b e i m
p a ct
e d .
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
C O
T S p
ro d u ct
; m
e e ts
b u si
n e ss
n e e d .
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
S o ft
w a re
/ h a rd
w a re
re
lia b ili
ty
1 0 J
a n
2 0 1 3
6 )
R e lia
b ili
ty o
f sy
st e m
s If
t h e s
o ft
w a re
p la
ce s
u n e x p e ct
e d s
tr e ss
o n t
h e
h a rd
w a re
a n d o
th e r
in fr
a st
ru ct
u re
, th
e s
y st
e m
m a y
fa il.
L o w
L o w
1 N
o n e r
e q u ir e d
T h e s
o ft
w a re
, h a rd
w a re
, a n d
in fr
a st
ru ct
u re
h a v e p
ro v e n t
h e ir
a b ili
ty t
o s
u p p o rt
t h e s
y st
e m
. T h e
sy st
e m
h a s
a c
o n ti n u it y o
f o p e ra
ti o n s
p la
n a n d a
d is
a st
e r
re co
v e ry
s it e . S y st
e m
r e lia
b ili
ty h
a s
n o t
b e e n a
n i ss
u e .
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
S h a re
d s
y st
e m
1 0 J
a n
2 0 1 3
6 )
R e lia
b ili
ty o
f sy
st e m
s If
a c
h a n g e i s
m a d e i n t
h e
h a rd
w a re
o r
so ft
w a re
t o
a cc
o m
m o d a te
o th
e r
w o rk
w
it h o u t
e v a lu
a ti n g i ts
i m
p a ct
o n
a ll
sy st
e m
s, I
T D
S m
a y f
a il.
M e d iu
m L o w
2 N
o n e r
e q u ir e d
S y st
e m
i s
p ri m
a ri ly
i n t
h e s
te a d y -
st a te
p h a se
o f
it s
lif e c
y cl
e a
n d
h a rd
w a re
a n d s
o ft
w a re
c h a n g e s
a re
c o o rd
in a te
d a
m o n g a
ff e ct
e d
p a rt
ie s.
R is
k i s
co n ti n u o u s
a n d w
ill
b e r
e g u la
rl y m
o n it o re
d .
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
P la
n n e d
in te
ro p e ra
ti o n
1 0 J
a n
2 0 1 3
7 )
D e p e n d e n ci
e s/
in
te ro
p e ra
b ili
ty If
t h e i n te
rn a l a n d e
x te
rn a l
sy st
e m
d e p e n d e n ci
e s
a n d a
b ili
ty
to i n te
ro p e ra
te a
re n
o t
a d e q u a te
ly p
la n n e d f
o r,
t h e
sy st
e m
m a y n
o t
b e a
s e ff
e ct
iv e
a n d c
o st
s co
u ld
i n cr
e a se
.
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
N o d
e p e n d e n ci
e s
a n d
in te
ro p e ra
b ili
ty r
is k s
h a v e b
e e n
id e n ti fi e d . IT
D S
is a
s ta
n d -a
lo n e
a p p lic
a ti o n .
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
A ss
e t
p ro
te ct
io n
1 0 J
a n
2 0 1 3
8 )
S u re
ty
If t
h e f
ix e d , in
te lle
ct u a l, a
n d
h u m
a n a
ss e ts
a re
n o t
p ro
te ct
e d
a d e q u a te
ly f
ro m
h a rm
, th
e n t
h e
in v e st
m e n t
m a y b
e i m
p a ct
e d .
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
C -4
In fr
a re
d T
er o si
s D
et ec
ti o n
S y st
em (
IT D
S )
R is
k I
n v en
to ry
a n
d A
ss es
sm en
t
A s
o f
F eb
ru a ry
1 4 , 2 0 1
3
R is
k N
a m
e D
a te
Id
e n
ti fi
e d
R is
k C
a te
g o
ry D
e s c ri
p ti
o n
P ro
b a
b il
it y
o f
O c c u
rr e n
c e
Im p
a c t
R is
k
M a
g n
it u
d e
R is
k O
w n
e r
M it
ig a
ti o
n P
la n
D a
te a
n d
S ta
tu s
M o n o p o ly
a v o id
a n ce
1 0 J
a n
2 0 1 3
9 )
R is
k o
f C re
a ti n g
a M
o n o p o ly
If t
h e i n v e st
m e n t
re lie
s o n o
n e
o r
tw o v
e n d o rs
, th
e n t
h e r
is k o
f cr
e a ti n g a
m o n o p o ly
i n cr
e a si
n g
a n d i n n o v a ti o n m
a y b
e s
ti fl e d .
L o w
L o w
1 N
o n e r
e q u ir e d .
R is
k i s
m in
im a l.
IH S u
se s
fu ll
a n d o
p e n
co m
p e ti ti o n . S o m
e c
o n tr
a ct
s, b
y
th e n
a tu
re o
f th
e t
e ch
n o lo
g y , a re
d e p e n d e n t
o n a
p a rt
ic u la
r co
m p a n y –
i. e ., C
is co
R o u te
rs , M
C I
b a ck
b o n e .
1 0 J
a n 2
0 1 3 :
R is
k i n it ia
lly
id e n ti fi e d .
P ro
je ct
m
a n a g e m
e n t
sk ill
s
1 0 J
a n
2 0 1 3
1 0 )
C a p a b ili
ty o
f A g e n cy
t o M
a n a g e
th e I
n v e st
m e n t
If p
ro je
ct m
a n a g e rs
a re
n o t
su ff ic
ie n tl y s
k ill
e d i n p
ro je
ct
m a n a g e m
e n t, s
o ft
w a re
d e v e lo
p m
e n t, s
o ft
w a re
m
a n a g e m
e n t, o
r th
e
d e v e lo
p m
e n t
p ro
ce ss
, th
e
p ro
je ct
c o u ld
f a il.
M e d iu
m M
e d iu
m 4
L a u ra
L e e H
o p e
3 0 1 -4
4 3 -1
2 3 4
P ro
je ct
m a n a g e r
is a
n e
x p e ri e n ce
d
fe d e ra
Risk Owner / Mitigation Plan: ...l manager. Project manager is taking project management training and will be certified by December 2013.
Date and Status: 10 Jan 2013: Risk initially identified. 14 Feb 2013: Project manager is taking project management courses as scheduled. Expected certification by December 2013. Continue monitoring.

Risk Name: Project monitoring
Date Identified: 10 Jan 2013
Risk Category: 11) Overall project failure
Description: If inadequate attention is paid to monitoring cost, schedule, and performance goals, then the investment may be impacted.
Probability of Occurrence: Low
Impact: High
Risk Magnitude: 3
Risk Owner / Mitigation Plan: Capt. Mark Twain will monitor EVM variances monthly. COTS product; planned use similar to previous use.
Date and Status: 10 Jan 2013: Risk initially identified. 14 Feb 2013: Project schedule variance is -3.37%. Project cost variance is -4.05%. Continue monitoring.

Risk Name: Stakeholder support
Date Identified: 10 Jan 2013
Risk Category: 12) Org/Change Management
Description: If the stakeholders do not support the investment or major organizational changes occur, the investment may not meet performance goals.
Probability of Occurrence: Low
Impact: Low
Risk Magnitude: 1
Risk Owner / Mitigation Plan: None required. Risk is minimal. The program conducts regular performance reviews with management and key users.
Date and Status: 10 Jan 2013: Risk initially identified.

Risk Name: Sponsor support
Date Identified: 10 Jan 2013
Risk Category: 13) Business
Description: If the investment does not have active project sponsor support, then resources, funding, schedule, and management support could be impacted.
Probability of Occurrence: Low
Impact: Low
Risk Magnitude: 1
Risk Owner / Mitigation Plan: None required. Risk is minimal. The investment manager meets regularly with key business managers and the CIO's office.
Date and Status: 10 Jan 2013: Risk initially identified.
C-5

Infrared Terosis Detection System (ITDS) Risk Inventory and Assessment
As of February 14, 2013

Risk Name | Date Identified | Risk Category | Description | Probability of Occurrence | Impact | Risk Magnitude | Risk Owner | Mitigation Plan | Date and Status
Risk Name: Poorly defined field names
Date Identified: 10 Jan 2013
Risk Category: 13) Business
Description: If the end user is unable to easily understand the field name semantics, data may become inconsistent.
Probability of Occurrence: Medium
Impact: Medium
Risk Magnitude: 4
Risk Owner: Flossie Bobbsie 505-248-1234
Mitigation Plan: Critical data elements for ITDS are being defined and will be converted into Common Data Elements (CDEs). The CDEs created for ITDS will be added to the Infrared Terosis Standards Repository (ITSR) as they are finalized. The estimated completion date is December 29, 2013. CDEs from other IHS context areas will be reused where appropriate. Meetings will be held with key staff members for IHS entities that manage protocols to develop a core set of CDEs that will accommodate the processing of protocols and related documents. The estimated completion date is December 29, 2013.
Date and Status: 10 Jan 2013: Risk initially identified. 14 Feb 2013: First meeting is scheduled for 1 April 2013.

Risk Name: Data loss
Date Identified: 10 Jan 2013
Risk Category: 14) Data/Info
Description: If the investment incurs data loss, then dependent systems could be compromised.
Probability of Occurrence: Low
Impact: Low
Risk Magnitude: 1
Risk Owner / Mitigation Plan: None required. Risk is minimal. Regular monitoring of data.
Date and Status: 10 Jan 2013: Risk initially identified.

Risk Name: Data requirements
Date Identified: 10 Jan 2013
Risk Category: 14) Data/Info
Description: If data requirements are unclear to data suppliers, data collected may be inconsistent, incomplete, and inaccurate. (See risk "Poorly Defined Field Names" 13—Business.)
Probability of Occurrence: Medium
Impact: Medium
Risk Magnitude: 4
Risk Owner: Flossie Bobbsie 505-248-1234
Mitigation Plan: Train data suppliers. When the severity of adverse events for Vioxx was identified, 26 prevention trials were underway. It took four staff members more than a week to gather the necessary data to expeditiously notify investigators and participants, stop the trials, and stop the drug shipments.
Date and Status: 10 Jan 2013: Risk initially identified. 14 Feb 2013: Orientation meeting scheduled for data suppliers on 1 April 2013. Continue monitoring.
Risk Name: Bleeding edge
Date Identified: 10 Jan 2013
Risk Category: 15) Technology
Description: If the investment is developed with new performance-enhancing technology, then the investment may incur additional training, testing, and implementation activities.
Probability of Occurrence: Low
Impact: Low
Risk Magnitude: 1
Risk Owner / Mitigation Plan: None required. Risk is minimal. Tested and commonly used applications/COTS products are used to meet requirements where possible. Staff has access to training in new technology. The investment has built the risk of any new technology into cost and schedule projections.
Date and Status: 10 Jan 2013: Risk initially identified.

Risk Name: Strategic direction
Date Identified: 10 Jan 2013
Risk Category: 16) Strategic
Description: If changes in HHS IT goals or federal health architecture mandates occur, the investment will be impacted.
Probability of Occurrence: Low
Impact: Low
Risk Magnitude: 1
Risk Owner / Mitigation Plan: None required. Risk is minimal. The investment manager continually monitors upcoming HHS and HHS IT initiatives for impact on the program.
Date and Status: 10 Jan 2013: Risk initially identified.

Risk Name: Data response
Date Identified: 10 Jan 2013
Risk Category: 16) Strategic
Description: If ITDS is not able to provide the data to quickly respond to congressional inquiries, it may lose stakeholder support.
Probability of Occurrence: Low
Impact: Low
Risk Magnitude: 1
Risk Owner / Mitigation Plan: None required. Risk is minimal. System is primarily in the steady-state phase of its lifecycle. Risk is continuous and will be regularly monitored.
Date and Status: 10 Jan 2013: Risk initially identified.

Risk Name: User access
Date Identified: 10 Jan 2013
Risk Category: 17) Security
Description: If user access is not well maintained, unauthorized users may have access to sensitive data. ITDS contains patient data and prognostic data. The need for confidentiality of the information in ITDS makes the risk level high.
Probability of Occurrence: H = 2
Impact: Low
Risk Magnitude: 2
Risk Owner: Laura Lee Hope 301-443-1234
Mitigation Plan: Classification of users is being reviewed currently and will be finalized by March 1, 2014.
Date and Status: 10 Jan 2013: Risk initially identified.
Risk Name: Super users
Date Identified: 10 Jan 2013
Risk Category: 17) Security
Description: If too many users have access to the system as super users, sensitive data may become accidentally corrupted. The need for the availability of accurate, comprehensive information makes the risk level medium.
Probability of Occurrence: Medium
Impact: Medium
Risk Magnitude: 4
Risk Owner: Laura Lee Hope 301-443-1234
Mitigation Plan: Classification of users is being reviewed currently and will be finalized by March 1, 2014.
Date and Status: 10 Jan 2013: Risk initially identified. 17 Jan 2013: No risk occurrence. Continue monitoring. 24 Jan 2013: No risk occurrence. Continue monitoring. 31 Jan 2013: No risk occurrence. Continue monitoring. 7 Feb 2013: No risk occurrence. Continue monitoring. 14 Feb: No risk occurrence. Continue monitoring.

Risk Name: System integrity
Date Identified: 10 Jan 2013
Risk Category: 17) Security
Description: If the Information Security considerations have not been adequately addressed, then confidentiality, availability, and integrity of the systems could be impacted.
Probability of Occurrence: Medium
Impact: High
Risk Magnitude: 6
Risk Owner / Mitigation Plan: Capt. Mark Twain will discuss C&A with the ISSO. The investment is closely monitored for NIST 800-53 compliance. HHS is implementing specific security training in FY2013 for those employees and contractors with significant security responsibilities.
Date and Status: 10 Jan 2013: Risk initially identified. 17 Jan 2013: Training on schedule. Continue monitoring. 24 Jan 2013: Training on schedule. Continue monitoring. 31 Jan 2013: Training on schedule. Continue monitoring. 7 Feb 2013: Training on schedule. Continue monitoring. 14 Feb: Training on schedule. Continue monitoring.
Risk Name: Privacy
Date Identified: 10 Jan 2013
Risk Category: 18) Privacy
Description: If the privacy issues have not been addressed, then patient information, employee information, and other sensitive information may be compromised.
Probability of Occurrence: Medium
Impact: High
Risk Magnitude: 6
Risk Owner / Mitigation Plan: Capt. Mark Twain will discuss PIA with the IHS Privacy Officer. Make employees and contractors aware of proper use of systems and privacy protection. Implement and maintain adequate controls to protect privacy as mandated in NIST 800-66 and 800-53. An IHS HIPAA privacy officer conducts an awareness program. HIPAA officer conducts awareness program. Investment conducts annual privacy impact assessment.
Date and Status: 10 Jan 2013: Risk initially identified. 17 Jan 2013: Training on schedule. Continue monitoring. 24 Jan 2013: Training on schedule. Continue monitoring. 31 Jan 2013: Training on schedule. Continue monitoring. 7 Feb 2013: Training on schedule. Continue monitoring. 14 Feb: Training on schedule. Continue monitoring.

Risk Name: Staff expertise
Date Identified: 10 Jan 2013
Risk Category: 19) Project Resources
Description: If staff members do not have the right expertise, maintenance activities may be delayed and costs may increase.
Probability of Occurrence: Low
Impact: Medium
Risk Magnitude: 2
Risk Owner / Mitigation Plan: None required. Staff has demonstrated appropriate capability, although depth in experience is lacking.
Date and Status: 10 Jan 2013: Risk initially identified.

Risk Name: Staff turnover
Date Identified: 10 Jan 2013
Risk Category: 19) Project Resources
Description: If there is major staff turnover (either government or contractor staff), maintenance activities may be delayed as replacement personnel are oriented and educated.
Probability of Occurrence: Low
Impact: Medium
Risk Magnitude: 2
Risk Owner / Mitigation Plan: None required. Staff has undergone major turnover in the past year, and training and project orientation have proven adequate for transition. New staff qualifications are carefully reviewed for appropriate expertise.
Date and Status: 10 Jan 2013: Risk initially identified. 25 Jan 2012: Risk has been mitigated.