Assignment #3: Risk Management Plan As a team develop a Risk Break Down Structure (RBS) and develop a detailed Risk Management Plan for ACME a large US accounting firm. In preparation for your risk ma







Risk Management Plan – ACME Accounting 

 

Table of Contents

Executive Summary

Purpose

Risk Management Strategy

Risk Identification

Risk Responsibilities

Risk Assessment

Risk Response Strategies

Risk Contingency Planning

Tracking & Reporting

References


Executive Summary

As a continuation of the Project Management Plan for ACME’s Software System Upgrade, the UCW Project Management team has compiled a Risk Management Plan. This plan establishes the strategy by which Software System Upgrade risks are determined and handled. The plan covers identifying, analyzing, managing, and assigning ownership of the project’s risks. Proven Risk Management techniques, including a Risk Breakdown Structure and Quantitative and Qualitative Analysis, have determined the project’s major risks to be:

  • System outage

  • Data migration gaps

  • New wave of Covid outbreak (staff’s health complications)

  • Management team decides to lower this project’s priority

  • Management team decides to reallocate funds to another project

  • Lack of training to use the new system

  • LA office staying behind schedule due to older version

  • Poor implementation of key milestones

Assessment has concluded that these risks may have a significant impact and likelihood of occurring and will require risk controls. These risk controls are part of the Risk Response Strategy and will include contingency plans as well as tracking and monitoring. These risks, along with all other identified risks and risks yet to be reported, will be included in the risk register. This document will be owned by Brent Vansickle of the UCW team, who will fulfill the role of Risk Management lead and will assign ownership of all significant risks and of others that arise afterwards. Change management and risk culture ensure trust in the risk management system, and regular review of the risk register with the project team will emphasize the ongoing requirement of a successful Risk Management Plan.


Purpose

Events or conditions that affect ACME’s Software System Upgrade Project either positively or negatively are called risks. The process of Risk Management includes identifying, assessing, responding to, monitoring, and reporting risks. Creating a Risk Management Plan outlines how this project’s risks will be identified, analyzed, and managed. The strategy will be integrated into the project plan and include how the risk management activities are to be performed, recorded, and monitored as the project advances through its lifecycle as well as determine the visibility of the risk management in action. The risk management plan includes templates and practices for recording and prioritizing risks (CDC, 2022).

The UCW Project Management Team has developed this Risk Management Plan during the Planning Phase of the Software System Upgrade project. This plan will be considered a modifiable document to be monitored and updated throughout the project to improve and adapt as required. Although this plan may involve many of ACME’s personnel, the intended audience of this document is the project team, project sponsor, and management (CDC, 2022).

Risk Management Strategy

Project Management involves coordinating teamwork; the Risk Management Strategy is no different. The UCW Project Management Team, along with the project team and project sponsors, will ensure that risks are actively identified, analyzed, and managed. This strategy encompasses the whole lifecycle of the project from planning to completion. Early identification of risks will allow for appropriate actions that minimize their impact and severity. The risk management practices and tools provided in this plan, along with other accepted standard practices, will serve as templates for sound strategy and decision making.

Risk Identification

Risk identification analyzes the project to identify sources of risk. The following page uses the Risk Breakdown Structure, which divides the project into 5 categories and further identifies their associated risks. There are many options to assist in risk identification; the important steps beyond this initial plan are the diligent reporting, trending, and tracking of known and new risks as the project is underway.

Risk Breakdown Structure (RBS) Overview

Project

  • Customer: Unauthorized access to confidential data; Lack of training; Non acceptance of delivered project; Unrealistic expectations; Use of non-standard technology

  • Project Management: Incomplete requirements; Poorly defined requirements; Poor implementation of key milestones; Mismanagement of project funds; Inaccurate budget estimates

  • Organizational: Ineffective communication with stakeholders; Organizational procurement obstacles; Mgmt team decides to reallocate funds; Mgmt team decides to lower priority; Loss of Data

  • External: Weather related risks; Software supplier discontinues X version of the software; Software supplier stops technical support; Change in system regulations; New wave of COVID outbreak; WWIII

  • Technical: L.A. office behind schedule due to older version; System outage; Data migration gaps; Poor training of personnel; Sensitive Information Leak


Detailed Risk Breakdown Structure

| Risk Breakdown Structure Level 1 | Risk Breakdown Structure Level 2 | Risk Breakdown Structure Level 3 | Description |
|---|---|---|---|
| Project Risk | Technical Risk | Sensitive information leak | Leaking confidential data of the customers of ACME, such as their accounting information, would result in legal charges, especially when unauthorized parties access data. |
| | | Poor training of Personnel | Poor training of ACME staff in using the new system in their business practices would lead to customer dissatisfaction. |
| | | Data migration gaps | Migrating data to another system might lead to gaps, thus leading to loss of essential information that would be helpful to ACME's project. |
| | | System outage | System outages such as provider problems, server-specific problems, upgrades, and maintenance might affect the smooth functioning, thus leading to delays or loss of data. |
| | | L.A. office staying behind schedule due to older version | Using outdated technology would increase the risk of the project's failure. |
| | External Risk | WWIII | The ongoing Russian invasion of Ukraine could potentially lead to WWIII, thus affecting the management accounting practices of ACME. |
| | | The new wave of Covid outbreak | COVID-19 jeopardizes the health of ACME’s staff and might lead to complications. |
| | | Change in system regulations | Failing to recognize changes in the legal environment might lead to legal compliance issues. |
| | | Software supplier stops technical support | This would increase the risk of delays and delivery of poor-quality projects. |
| | | Software supplier discontinues X version of the software | This would increase the risk of poor outcomes. |
| | | Weather-related risks | Extreme weather conditions such as flooding, earthquakes, and hurricanes might interfere with the infrastructure of ACME. |
| | Organizational Risk | Loss of data | Losing essential customer data or project data would lead to legal charges or delays and poor-quality project outcomes, respectively. |
| | | The management team decides to lower this project's priority | Neglecting the project would ultimately lead to its failure because the necessary people and resources needed to make the project a success would not be appropriately allocated. |
| | | The management team decides to reallocate funds to another project | This would lead to ACME's project failure because financial support would be cut short, leading to a strain on resources. |
| | | Organizational procurement obstacles | Procurement obstacles such as having unclear requirements and specifications and enabling poor quality for reduced costs would risk the success of a project. |
| | | Ineffective communication with stakeholders | Porreca (2017) asserted that if project managers fail to communicate with the project's stakeholders, there would be a tremendous inconsistency in the expectation that would affect the project's outcome. Similarly, ineffective communication with ACME's project's stakeholders would cause dissatisfaction. |
| | Project Management Risk | Inaccurate budget estimates | According to Lucker (2019), when there is an underestimation or overestimation of a project's budget, the profit is also often overstated or understated respectively. Similarly, inaccurate budget estimates of the ACME project would lead to an inadequate allocation of resources, thus negatively influencing the project's productivity. |
| | | Mismanagement of project funds | An improper allocation of project funds through the unequal distribution of funds, overfunding certain aspects of the project, or allocating fewer funds to a project would ultimately lead to project failure. |
| | | Poor implementation of key milestones | Missing a milestone in a significant project could be detrimental to its success because there would be a poor transition to the next milestone. This would eventually lead to poor-quality projects or project failure. Hence, if ACME poorly implements vital milestones, the project is at risk of failing. |
| | | Poorly defined requirements | When a project's requirements are not defined upfront, or are incomplete or of poor quality, the risk of project failure increases. |
| | | Incomplete requirements | |
| | Customer Risk | Unrealistic expectations | Customers with unrealistic expectations would constantly make impossible or difficult requests beyond the parameters that ACME can offer. This would increase the risks of employee frustration and reduced productivity in the organization since such clients are often never satisfied. |
| | | Non acceptance of delivered project due to unmet quality standards | Poor quality of the final project or failure to meet the requirements and standards of customers would put at risk the relationship with, and loyalty of, their trusted clients and customers. |
| | | Lack of training to use the new system | Poor training of ACME staff in using the new system in their business practices would lead to undesirable results and shortcomings in serving customers and, consequently, customer dissatisfaction. |
| | | Unauthorized access to confidential data | When unauthorized parties access confidential data of the customers of ACME, such as their accounting information, this could result in legal charges, loss of credibility, a reduction in market share, and a bad reputation (Hau, 2003). |
| | | Use of non-standard technology | Non-standard technology or outdated technology could exacerbate current ACME compliance risks that the organization is unaware of, thus leading to regulatory and legal compliance risks (Ancell, 2021). |




Risk Responsibilities

Risk Management responsibility will be placed on the whole team: project managers, project team, sponsors, and individuals with direct influence on the success of risk controls. The significance, impact, likelihood, or scope of a risk will determine the authority level required for decision making: the higher these are, the higher the authority required. The UCW Team has identified team member Brent Vansickle as Risk Management Lead; he will champion the Risk Management Plan and the support it requires. Brent will maintain the risk register and review it as a standing agenda item during project team meetings. Although this plan assigns responsibilities to certain parties, Change Management techniques as well as controlling the visibility of risk management will empower all employees to have a personal and professional stake in the success of this project.

Risk Assessment

Risks will be assessed based on their severity of impact, the likelihood of occurring, and controllability. The first model employs the Scenario Analysis, followed by the Failure Mode and Effects Analysis (FMEA). The resulting findings will identify the current high-risk items facing the Software System Upgrade Project. The highlighted items are risks the models have identified as more significant.


Qualitative Risk Analysis using Scenario Analysis

| Category | Risks | Probability of risk occurring | Possible Outcomes | Probability of each outcome |
|---|---|---|---|---|
| Technical | System outage | High | Elevated costs | High |
| | | | Delay in processes | High |
| | | | Business operations affected | Medium |
| | | | Loss in business revenues | Medium |
| | Data migration gaps | Medium | Loss of valuable information | High |
| | | | Business operations affected | High |
| | | | Loss in business revenues | High |
| | Personnel not properly trained | Low | Low level of performance | High |
| | L.A. office staying behind schedule due to older version | Medium | Delay in other key milestones | Medium |
| | | | Longer implementation period | Medium |
| | Sensitive information leak | Low | Damaged reputation | Medium |
| | | | Damage in business | Medium |
| External | New wave of Covid outbreak (staff’s health complications) | High | Delay in implementation period | Medium |
| | | | Need for extra employees | High |
| | | | Higher project costs | Medium |
| | Weather related risks (hurricanes, earthquakes, flooding) | Low | Loss in infrastructure | High |
| | | | Higher project costs | High |
| | WWIII | Medium | Interruption of project activities | High |
| | | | Loss in infrastructure | High |
| | | | Higher project costs | High |
| | Change in system regulations | Medium | Noncompliance | Medium |
| | | | Legal consequences | Medium |
| | Software supplier discontinues X version of software | Low | Inability to continue implementation | High |
| | Software supplier stops technical support | Low | Poor quality deliverables | Medium |
| Organizational | Management team decides to lower this project’s priority | Medium | Scarce human resources | High |
| | | | Scarce monetary resources | High |
| | Management team decides to reallocate funds to another project | Medium | Failure in implementation | High |
| | Organizational procurement obstacles | Medium | Delay in implementation period | High |
| | Loss of data | Low | Legal charges | Medium |
| | | | Delay in implementation | High |
| | | | Poor quality deliverables | Medium |
| | Ineffective communication with stakeholders | Low | Inconsistency in expectations | High |
| Project Management | Mismanagement of project funds | Low | Project failure | High |
| | | | Damaged reputation | High |
| | Inaccurate budget estimates | Medium | Need for additional funding | High |
| | | | Damaged client-provider relationship | Medium |
| | Poor implementation of key milestones | Medium | Delay in dependent tasks | Medium |
| | Poorly defined requirements | Low | Dissatisfied customer | Medium |
| | | | Poor quality deliverables | High |
| | Incomplete requirements | Low | Dissatisfied customer | Medium |
| | | | Project failure | Medium |
| Customer | Lack of training to use the new system | High | Dissatisfied customer | High |
| | | | Inefficient use of the new system | High |
| | Not acceptance of delivered project due to unmet quality standards | Low | Loss of a customer | Medium |
| | | | Damaged reputation | High |
| | | | Additional work | High |
| | Unrealistic expectations | Medium | Increase employee frustration | High |
| | | | Reduced productivity | High |
| | Unauthorized access to confidential data | Low | Loss of credibility | Medium |
| | | | Loss of market share | Medium |
| | Use of non-standard technology | Low | Noncompliance | Medium |


Quantitative Risk Analysis using Failure Mode and Effects Analysis (FMEA)

| Category | Failure | Severity | Likelihood | Detection | RPN |
|---|---|---|---|---|---|
| Technical Risk | Sensitive information leak | | | | 140 |
| | Poor training of Personnel | | | | 252 |
| | Data migration gaps | | | | 168 |
| | System outage | | | | 336 |
| | LA office staying behind schedule due to older version | | | | 315 |
| External Risk | WWIII | | | | 72 |
| | The new wave of Covid outbreak | | | | 140 |
| | Change in system regulations | | | | 147 |
| | Software supplier stops technical support | | | | 192 |
| | Software supplier discontinues X version of the software | | | | 168 |
| | Weather-related risks | | | | 84 |
| Organizational Risk | Loss of data | | | | 196 |
| | The management team decides to lower this project's priority | | | | 252 |
| | The management team decides to reallocate funds to another project | | | | 210 |
| | Organizational procurement obstacles | | | | 140 |
| | Ineffective communication with stakeholders | | | | 126 |
| Project Management | Inaccurate budget estimates | | | | 224 |
| | Mismanagement of project funds | | | | 144 |
| | Poor implementation of key milestones | | | | 245 |
| | Poorly defined requirements | | | | 168 |
| | Incomplete requirements | | | | 192 |
| Customer Risk | Unrealistic expectations | | | | 224 |
| | Non acceptance of delivered project due to unmet quality standards | | | | 252 |
| | Lack of training to use the new system | | | | 192 |
| | Unauthorized access to confidential data | | | | 168 |


Risk Response Strategies

Risk Response strategies develop a plan to reduce or eliminate possible damage and develop contingency plans. The actions decided are agreed upon by the team and would include any specialist recommendations, expert judgment, established best practices, and predictive modeling. The Risk Assessment has identified major risks of the Software System Upgrade Project. Each major risk will be assigned to an owner to prevent it from being neglected or forgotten. The Risk Management Lead will require regular updates for the risk register.

There are four ways to approach a risk (CDC, 2022):

  • Avoid – eliminate the threat by eliminating the cause

  • Mitigate – Identify ways to reduce the probability or the impact of the risk

  • Accept – Nothing will be done

  • Transfer – Make another party responsible for the risk (buy insurance, outsourcing, etc.)

The risks that cannot be avoided must fall to one of the other 3 options. Risks like WWIII must be accepted or transferred with the purchase of insurance, while the risk of a COVID outbreak can be mitigated by following masking and social distancing practices. Offering employees health coverage and purchasing insurance with pandemic coverage can help with financial concerns related to an actual outbreak. Some risks may have layers of protection, and others like ‘Management team decides to lower this project’s priority’ or ‘Management team decides to reallocate funds to another project’ will have to be accepted if they occur. Regardless of the risk or course of action outlined, each major risk will be reviewed regularly in the risk register, analyzed, and, where possible, reduced in impact or probability.

Risk Contingency Planning

It is important to consider the risk appetite of the Software System Upgrade Project, which is low to moderate. Contingency planning involves implementing a ‘plan b’ or beyond. Contingency plans are not a part of the initial implementation plan and as such can only be initiated after a risk is recognized. This required flexibility should be identified early with appropriate risk monitoring, controlling, and reporting, ideally leading to limited surprises or interruptions to the Project Plan. Major risks like ‘system outages’ and ‘data migration gaps’ are likely candidates for contingency planning. Testing the software and hardware and running soft launches will act as mitigation steps for ‘system outages’, while access to other ACME office servers will act as a contingency plan while the outage is addressed. Regular data backups and relationship management with the developer and IT specialists will address concerns over data migration, while authorizing overtime and accessing the developer’s own specialists will act as contingency plans for the ‘data migration gaps.’ The Project Plan does include built-in time and budget buffers for unforeseen circumstances, allowing for temporary setbacks that do not severely impact the overall scope or goals of the Software System Upgrade.

Tracking & Reporting

Tracking and reporting are encompassed in both the risk management plan and change management initiatives. Risk culture is collaborative and will be supported by the UCW Team providing the tools and structure for reporting and tracking. Diligent monitoring of the daily activities of the project, as well as seeking feedback from the project team and software users, will lead to appropriate risk treatments that smoothly advance the project.

A risk register will be implemented as a key item of this Risk Management Plan. The register will be owned by the Risk Management Lead and reviewed at project team meetings; it includes:

  • details of all of the identified risks

  • description

  • category

  • probability of occurrence

  • severity and impact

  • responses

  • contingency plans

  • risk owner(s)

  • current status

References

Ancell, B. (2021). Top 5 Risks of Using Outdated Technology. Meridian. https://www.whymeridian.com/blog/top-5-risks-of-using-outdated-technology

CDC. (2022). CDC UP. Centers for Disease Control and Prevention. https://www2a.cdc.gov/cdcup/library/templates/default.htm

Hau, D. (2003). Unauthorized Access- Threats, Risk, and Control. https://www.giac.org/paper/gsec/3161/unauthorized-access-threats-risk-control/105264

Lucker, D. (2019). Five common budget mistakes and how to correct them. https://rsmus.com/what-we-do/industries/real-estate/construction/common-budget-mistakes-and-how-to-correct-them.html

Porreca, L. (2017). How Poor Communication can Have an Impact on Your Project. https://7dailyhabits.com/how-poor-communication-can-have-an-impact-on-your-project/