e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

Risk Management Plan

1. Purpose
This document describes how we will perform the job of managing risks for e-Vote. It defines roles and responsibilities for participants in the risk processes, the risk management activities that will be carried out, the schedule and budget for risk management activities, and any tools and techniques that will be used.

2. Definitions

2.1. Risk management Risk management is the application of appropriate tools and procedures to maintain risk within acceptable limits. It consists of several sub-activities.

2.2. Risk assessment Is the process of examining a project and identifying areas of potential risk. The Risk Assessment is concerned with identifying, characterizing, prioritising and deciding whether to accept the exposure associated with each risk that threatens the projects ability to meet its objectives within schedule and budget.

2.3. Risk identification Can be facilitated with the help of a checklist of common risk areas for software projects, or by examining the contents of an organizational database of previously identified risks and mitigation strategies (both successful and unsuccessful).

2.4. Risk analysis Risk analysis involves examining how project outcomes might change with modification of risk input variables.

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 1 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

2.5. Risk prioritization Helps the project focus on its most severe risks by assessing the risk exposure.

2.6. Risk exposure Is the product of the probability of incurring a loss due to the risk and the potential magnitude of that loss. We usually estimate the probability from 0.1 (highly unlikely) to 1.0 (certain to happen), and the loss on a relative scale of 1 (no problem ) to 10 (total loss). Multiplying these factors together provide an estimation of the risk exposure due to each item, which can run from 0.1 through 10.

2.7. Risk avoidance The risk avoidance strategy is to abstain from high risk activities. The obvious disadvantage of this strategy is that it limits the activities performed with a consequent loss of the benefits resulting from these activities.

2.8. Risk control Is the process of managing risks to achieve the desired outcomes. 2.9. Risk reduction / risk mitigation Risk Reduction is concerned with developing and executing countermeasures, monitoring their execution and evaluating their effectiveness. Countermeasures and corrective actions shall be agreed upon, based on the assessed impact of the risk, the projects ability to accept the risk, and the feasibility of mitigating the risk.

2.10. Risk management planning Produces a plan for dealing with each significant risk, including mitigation approaches, owners, and timelines.

2.11. Risk resolution Is the execution of the plans for dealing with each risk.
e-VOTE/WP-1/D1.3/Final/13-12-2001 Page 2 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

2.12. Risk monitoring Involves tracking your progress toward resolving each risk item.

2.13. Risk The chance of damage, loss, injury or destruction.

2.14. Probability Probability is the likelihood of an event to occur.

2.15. Impact The cost or consequence of an undesirable event.

3. Roles and Responsibilities

3.1. Project Manager The Project Manager will assign a Risk Officer to the project, and identify this individual on the projects organisation chart. The Project Manager and other members of the Project Coordination team shall meet monthly to review the status of all risk mitigation efforts, review the exposure assessments for any new risk items, and redefine the project's Top Ten Risk List. 3.2. Risk Officer The Risk Officer has the following responsibilities and authority: coordinating risk identification and analysis activities maintaining the projects risk list notifying project management of new risk items reporting risk resolution status to management

The Risk Officer should normally not be the Project Manager.

e-VOTE/WP-1/D1.3/Final/13-12-2001 Page 3 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

3.3. Project Member Assigned a Risk The Risk Officer will assign each newly identified risk to a project member, who will assess the exposure and probability for the risk factor and report the results of that analysis back to the Risk Officer. Assigned project members are also responsible for performing the steps of the mitigation plan and reporting progress to the Risk Officer biweekly.

4. Risk Categories
Possible risks are classified according to the following list. This list can function as checklist for risk analysis. This list shall be used for filling the Risk Category Field in the document Risk Documentation Form. 4.1. Supplier Issues 1 2 3 4 Failure of the third party Failure by them to deliver satisfactorily Contractual issues Mismatch between the nature of the task and the procurement process

4.2. Organisational factors 1 2 3 4 5 6 Additional staff responsibilities alongside project work The project culture, or lack of it, within the Customer organisation Personnel and training issues Skill shortage Potential security implications Culture clashes between Customer and Supplier

4.3. Specialist issues 1 2 3 4 How well requirements can be specified To what extent the requirements can be met using currently available and understood facilities and approaches The extent to which a project involves innovative, difficult or complex processes and / or equipment The challenges and problems regarding quality, testing

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 4 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

The risks that the specified requirements will not be achievable in full, or that not all requirements will be correctly specified.

5. Risk Documentation

5.1. Risk List The risk factors identified and managed for this project will be accumulated in a Project Risk List [PRL], which is located in e-Vote Templates. (See Forms PROJECT RISK LIST [PRL]) The ten risk items that currently have the highest estimated risk exposure are referred to as the projects Top Ten Risk List.

5.2. Risk Data Items Information for each project risk will be stored in a Risk Documentation Form [RDF] The RDF is the primary form. Any team member can fill an RDF and send it by e-mail to the Project Manager. 5.3. Closing Risks A risk item can be considered closed when the planned mitigation actions have been completed and the estimated risk exposure of (probability X impact) is less than 2.

6. Activities

6.1. Activities Overview The Risk Management Team (PM, SM,TC) provide the foundation for Risk Management approach. TC acts as RO. A risk assessment will be performed every month throughout the life of the project, by PM, SM, TC. The potential impacts on the projects success, and how the results and recommended

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 5 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

contingencies to manage or mitigate the risks will be communicated to those interested/involved parties. Risk Reduction is continually performed throughout the life of the project. Risk Reduction is concerned with developing and executing corrective measures, monitoring corrections and evaluating their effectiveness. Corrective actions shall be agreed upon, based on the assessed impact of the risk, the projects ability to accept the risk, and the feasibility of mitigating the risk. A Project Risk Metric Model within e-Vote will be adopted, which can help the Project Manager assess the overall project risk level. Distinct risk reduction actions are suggested within the Model that can effectively lower the level of risk exposure for each type of risk that the project faces.

6.2. Risk Identification 6.2.1. Task The techniques that will be used to identify risk factors at the beginning of the project and on an on-going basis are: A formal risk assessment workshop, A brainstorming session, Interviews at the beginning of each life cycle phase,

or use of the RDF form available from the projects web site for submitting risk factors. Any consolidated lists of risk items that will be used to identify candidate risks for this project MUST update this paper. 6.2.2. Participants Any Team Member or participant can identify a risk and submit the relative document to the Project Manager.

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 6 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

6.3. Risk Analysis and Prioritisation Stage 1 Task Participants Project

The Risk Officer will assign each risk factor to an Risk Assigned individual project member, who will estimate the Member [RAPM] probability the risk could become a problem (scale of 0.1-1.0) and the impact if it does (either relative scale of 1-10, or units of dollars or schedule days, as indicated by the Risk Officer) The individual analysed risk factors are collected, Risk Officer [RO] reviewed, and adjusted if necessary. The list of risk factors is sorted by descending risk exposure (probability times impact). Preparation of Contingency Plan Risk Officer [RO] Description of estimation of such contingencies and communicating the information to the Project Manager or building those contingencies into the project schedule

6.4. Risk Management Planning Stage 1 Task The top ten risks are assigned to individual project members for development and execution of a Risk Mitigation Plan. Participants Risk Officer [RO]

Risk Assigned For each assigned risk factor, recommend actions Project Member that will reduce either the probability of the risk [RAPM] materializing into a problem, or the severity of the exposure if it does. Return the Risk Mitigation Plan to the Risk Officer. Risk Officer [RO] The Risk Mitigation Plans for the assigned risk items are collated into a single list. The completed Top Ten Risk List is created and made publicly available on the projects intranet web site.

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 7 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

6.5. Risk Resolution Stage 1 Task Each individual who is responsible for executing a risk mitigation plan carries out the mitigation activities. Participants Risk Assigned Project Member [RAPM]

6.6. Risk Monitoring Stage 1 Task Describe the methods and metrics for tracking the projects risk status over time, and the way risk status will be reported to management.> Participants Risk Officer [RO]

3 4

Risk Assigned The status and effectiveness of each mitigation Project Member action is reported to the Risk Officer every two [RAPM] weeks. Risk Officer [RO] The probability and impact for each risk item is reevaluated and modified if appropriate. Risk Officer [RO] If any new risk items have been identified, they are analyzed as were the items on the original risk list and added to the risk list. Risk Officer [RO] The Top Ten Risk List is regenerated based on the updated probability and impact for each remaining risk. Risk Officer [RO] Any risk factors for which mitigation actions are not being effectively carried out, or whose risk exposure is rising, may be escalated to an appropriate level of management for visibility and action.

6.7. Lessons Learned Stage 1 Task Participants A specific document is created by the PM when Risk Officer [RO] the risk is closed. The document shall be logged in Lessons Learned Log [LLL] (see template in section Forms) and shall contain information about mitigation of specific risks. The LLL and the Relative documents shall be stored in Web Site restricted area for further assessment.

7. Schedule for Risk Management Activities

Description

Activity

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 8 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

Risk Identification Risk List

A risk workshop will be held on approximately <TBD>. The prioritized risk list will be completed and made available to the project team by approximately <TBD>.

Risk Management The Risk Management Plan, with mitigation, avoidance, or Plan prevention strategies for the top ten risk items, will be completed by approximately <TBD>. Risk Review The Risk Management Plan and initial Top Ten Risk List will be reviewed and approved by the Project Manager on approximately <date>. The status of risk management activities and mitigation success will be revisited as part of the gate exit criteria for each life cycle phase. The risk management plan will be updated at that time.

Risk Tracking

8. Risk Management Budget

The [contract] does not provide special person/hours for risk management. The cost of risk management is charged to the project person/hours in general.

9. Risk Management Tools

10. Plans
All following plans refer to an individual risk. Guidelines on the content of this plan are. Risk Idetification Actions Roles Timelines Conclusions - Estimations

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 9 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

10.1. Risk Mitigation plan

10.2. Risk Contingency Plan

10.3. Risk Management Plan

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 10 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

11. Forms

11.1. Lessons Learned Log [LLL] Lessons Learned Log (Use to summarise any Lessons Learned during the Management. This will be updated by the Project Manager during the Management Stage and notified to the Project Board at the End Stage Assessment Meeting. A Lessons Learned Report will be produced using this Log as its basis in the CP Process, and authorised by the Project Board at the Project Closure Meeting) Programme:IST Project:e-Vote Author: Date: LLL Ref: Version:

Reference

Lessons Learned & Reference

Date & Location

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 11 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

11.2. PROJECT RISK LIST [PRL] PROJECT RISK LIST (Risks of the project are logged from RDFs by order of Risk Factor. The 10 First are faced as most important). PROGRAMME/PROJECT: IST/e-Vote AUTHOR DATE UPDATED DOC CODE PRL

CLASSIFICATION: Int.

ORDER

Risk ID1

RISK DESCRIPTION

Risk Assigned Member

PROB ABILI TY (a)

IMPACT (b)

Risk Exposure (a x b)

1 2 3 4 5 6 7 8 9 10

Risk ID is transferred to document RDF (Risk Documentation Form) Page 12 of 14

e-VOTE/WP-1/D1.3/Final/13-12-2001

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

11.3. Risk Documentation Form [RDF] Risk Documentation Form (Primary document where a risk is registered. A summary of RDFs is written to the Risk List and obtains a Risk ID) PROGRAMME/PROJECT: IST/e-Vote AUTHOR Organisation DOC CODE RDF Risk ID: <Sequence Number> CLASSIFICATION Int.

Risk Category

Report Date: <Date this risk report was last updated>

Description: <Describe each risk in the form condition consequence. >

Probability: <Whats the likelihood of this risk becoming a problem? >

Impact: <Whats the damage if the risk does become a problem? >

Risk Exposure: <Multiply Probability times Loss to estimate the risk exposure. >

First Indicator: <Describe the earliest indicator or trigger condition that might indicate that the risk is turning into a problem. > Improvement Approaches: <State one or more approaches to control, avoid, minimize, or otherwise limit the risk. Limitation approaches may reduce the probability or the impact. > Date Started: <State the date the Improvement plan implementation was begun. > Date to Complete: <State a date by which the improvement plan is to be implemented. > Owner: <Assign each risk improvement action to an individual for resolution. >

Current Status: <Describe the status and effectiveness of the risk limitation actions as of the date of this report. > Contingency Plan: <Describe the actions that will be taken to deal with the situation if this risk factor actually becomes a problem. > Trigger for Contingency Plan: <State the conditions under which the contingency plan will begin to be implemented. >

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 13 of 14

e-VOTE: An Internet-based Electronic Voting System

IST-2000-29518

11.4. Risk Mitigation Log Risk Mitigation Log (Log document where all risks are registered. A summary of the mitigation Strategy for every risk is stated in the appropriate column. The cost of event in person Hours PROGRAMME/PROJECT: IST/e-Vote AUTHOR Organisation DOC CODE RML

CLASSIFICATION Int.

ID

Risk event

Risk exposure

Mitigation Strategy

e-VOTE/WP-1/D1.3/Final/13-12-2001

Page 14 of 14