Narasimhan Bhagavan (BN), Kompusys Consultants Inc.

“Risk Management in Today’s IT World”

  • 1.
      • Introduction game
      • What is Risk and Risk Management?
      • Identifying risks
      • Categorize risks - Extreme, High, Medium and Low
      • Risk-based requirement writing
      • Risk-based testing
      • Defects / bugs / issues in IT projects
      • Software vs. Review defects
      • Impact of identifying and resolving review defects
      • Intro to Disaster Risk Management & Green Risk Management
      • Q&A
    Kompusys Consultants
  • 2. Introduction Game
    Let’s play a game by introducing ourselves
      • Name
      • Area of specialization
  • 3. What is Risk?
    Risk is the probability that a particular threat will exploit a particular vulnerability of the system.
    Damage (consequences / impact, loss)
      – Direct loss: financial, environmental, market, etc.
      – Technical: impact on other projects / products or services
      – Loss of (faith of) clients, damage to corporate identity, like hacking
      – Legal, loss of license, due to regulatory lapses
      – Technical: detection and repair time, e.g. underground
      – Probability of use
      – Lost morale
    Probability of failure
      – Depends on the knowledge of development project and product (just before testing)
  • 4. Risk Management
      • Risk identification: The process of determining risks that could potentially prevent the project, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern to the stakeholders
      • Risk estimation: The likelihood of occurrence and consequences of each risk identified
      • Risk evaluation: Risks are evaluated against their risk thresholds and placed in priority order, using criteria determined by stakeholders. Contingency plans should be developed for all risks above their thresholds
  • 5. Risk Management (contd.)
      • Risk treatment: Involves the selection, planning, monitoring, and controlling of actions to decrease risk exposure
      • Risk mitigation: The process of elimination or reduction of the severity, frequency or magnitude of exposure to risks or minimization of the impact of a threat
      • Risk management: A continuous process for systematically addressing risk throughout the life-cycle of a project or service
      • Risk management plan: A plan that defines how the risk management activities are implemented and supported during a project. It is always PROACTIVE.
  • 6. Risk Management (contd.)
    Managing risks is of no value without understanding what risks to take and why!
    [Diagram labels: Risks, Threats, Consequence, Vulnerability]
  • 7. Identifying risks
    Catalysts to identify risk
      • Stakeholders – people on a project
      • Experience – lessons learnt
      • Location – country, industry
      • Funding
      • Technology
      • Environment
    Types of IT risks
      • Strategic – long-term opportunities
      • Regulatory – Changes by local government
      • Training – project / product
      • Operational – late shipment, incomplete project or obsolete process
      • Financial – not getting paid
      • Inherent – meetings, documentation, sign-off, etc.
  • 8. Categorize risks - Extreme, High, Medium and Low
    Risk = Probability * Impact
      • Simply put: How LIKELY it is to happen and how BAD it would be if it ever happened
      • Without uncertainty or damage, there is no risk
      • Every individual’s perspective of IMPACT is different
    The biggest single risk for any organization is that risk management doesn’t really work – leading to rising failed projects
  • 9. Categorize risks – Risk matrix – Extreme, High, Medium and Low

                      IMPACT ANALYSIS
                      Very high   High      Moderate   Low
      Most likely     EXTREME     EXTREME   HIGH       HIGH
      Likely          EXTREME     HIGH      HIGH       MEDIUM
      Less likely     HIGH        HIGH      MEDIUM     LOW
      Least likely    HIGH        MEDIUM    LOW        LOW
      Unlikely        MEDIUM      LOW       LOW        LOW

    Probability means Likelihood
    Impact Analysis is Consequence
  • 10. Traditional requirement
  • 11. Risk-based requirement writing
      • Requirements should be malleable – flexible till project / product end
      • Requirement changes, which create significant risk
      • It allows business analysts to decide what requirement additions are valid from a policy or development standpoint
      • Provides platform to negotiate with the customer
      • Encourages development teams to negotiate risk mitigation strategies with stakeholders
      • Helps to identify and resolve inconsistencies in requirements
      • Ensures consistency between the requirements, all policies, and the system’s functionality
      • Stakeholder involvement is key to this
  • 12. Risk-based requirement (contd.)
      • Offers developers and customers the opportunity to compromise on four variables (cost, time, scope, quality)
      • Customers are allowed to choose the desired values for three of these four variables, and the developers determine the value of the last variable
    Examples
      • Customer might state that they want “a high quality release” on May 1 for $x, and the developers can tell them which of the customer-prioritized requirements might make it into that release
      • Customer might state that they want a “high quality release” with specified features for $y, and the developers will determine when they can deliver the release.
  • 13. Risk-based testing (RBT)
    More testing will not result in stable deliveries
      • Traditional testing is finding the right bugs, whereas RBT involves deferring the right bugs, by employing right skills
      • Helps to find the right level of quality that can be delivered within a short schedule and limited skilled resources
      • Completely based on identifying business and technical requirements for an application
      • Demonstrated improvement in the project success factor
      • RBT allows QA teams to make informed decisions while setting a clear test exit criteria
  • 14. Risk-based testing (RBT)
    More testing will not result in stable deliveries
      • Industry specific – Healthcare, Insurance, Financial, Construction, Mining, …
      • Test according to the risk matrix with a 3rd dimension – SCENARIO; customer-focused
      • Schedule test for all risk-based requirements
      • Test all EXTREME / CRITICAL and HIGH risk items
      • Validate risk matrix with known situations
      • Test all medium risks during slack time or between cycles
      • Document medium and low untested risks during lessons learnt (project closure)
  • 15. RBT – Scenario
    Driver is driving a car
      • Loss of control – vehicle manufacturers
      • Meets with an accident – insurance
      • Either dies or is injured – health services
    Probability for losing control is greater than accident, which is greater than the impact
  • 16. RBT – Project Scenario
    Project Manager is driving the project
      • Unclear scope – sponsor
      • Several defects – test team
      • Kill project or delay – stakeholders
    Reversing this
    Probability for successful project delivery is greater when defects are fixed, which is greater when the risks are addressed earlier
  • 17. Defects / bugs / issues in IT projects
      • Defects are anomalies in the functionality
      • Incidence of risk occurrence – known defects
      • Considering the risk means considering the defects
      • The defects should be analyzed and classified
      • Action is REACTIVE
      • RBT focuses on detecting issues much earlier during planning
  • 18. Risks and review defects found
  • 19. Software vs review defects
    SOFTWARE DEFECTS
      • Traditionally found bugs or issues
      • Identified only during execution & monitoring phase
      • Logged and managed between cycles
      • Categorized with Severity & Priority
      • Rarely linked to risks
    REVIEW DEFECTS
      • Found while inspection or review of documents
      • Identified throughout the project lifecycle
      • Early detection starts from planning stage
      • Classified by Severity
      • Linked with risk
      • Proven to save substantial $s
  • 20. Impact of identifying and resolving review defects
    Addresses risks and saves money
    Advantages
      • Universal across all industries
      • Risk based approach
      • Cost is quite low to fix any defects / bugs
      • Most defects lead to clarification and close
      • Resource training is uniform and the turnaround cycles are quite aggressive
  • 21. Intro to Disaster Risk Management
    Involves 4Rs – Readiness, Response, Recovery & Reduction
      • Disaster risk reduction (DRR) is a systematic approach to identifying, assessing and reducing the risks of disaster
      • DRR if not acted upon quickly may turn out to be hazardous / critical
      • Helps build better infrastructure
      • DRR is an avoidance or delayed method
  • 22. Intro to Green Risk Management
    Greening IT infrastructure → reducing the risks of failure → lowers maintenance costs
      • Green Risk Management is highly proactive
      • Return on investment is sustainable
      • Better and faster infrastructure
      • Improved business results – Legacy IT migrations
      • Marketplace mandate – Current trends like Cloud computing
      • Environmental impacts are reduced
  • 25. Contact for future consultancy
    Narasimhan Bhagavan - CPRM, CIPM, MPM, MQM, CIA, CLA
    Principal Consultant
    Kompusys Consultants
    Phone: 647-248-1398
    eMail: Bhagavan.Narasimhan@Gmail.Com
    LinkedIn:
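
The risk matrix on slide 9 and the test-selection rules on slide 14, worked through as an added Python example (not part of the original slides). The register entries, the `hours` estimates and the slack-hours budget are constructed assumptions used to show how MEDIUM items end up either tested in slack time or documented as untested.

```python
# Added example: slide 9 matrix + slide 14 risk-based test selection.
LIKELIHOODS = ["Most likely", "Likely", "Less likely", "Least likely", "Unlikely"]
IMPACTS = ["Very high", "High", "Moderate", "Low"]
MATRIX = [  # rows follow LIKELIHOODS, columns follow IMPACTS (slide 9)
    ["EXTREME", "EXTREME", "HIGH", "HIGH"],
    ["EXTREME", "HIGH", "HIGH", "MEDIUM"],
    ["HIGH", "HIGH", "MEDIUM", "LOW"],
    ["HIGH", "MEDIUM", "LOW", "LOW"],
    ["MEDIUM", "LOW", "LOW", "LOW"],
]
ORDER = {"EXTREME": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def categorize(likelihood, impact):
    """Look up the category; an unknown label raises ValueError instead of
    silently defaulting to a low rating."""
    return MATRIX[LIKELIHOODS.index(likelihood)][IMPACTS.index(impact)]

def plan_tests(register, slack_hours):
    """Slide 14: test every EXTREME/HIGH item, test MEDIUM items while slack
    time lasts, and document untested MEDIUM/LOW items at project closure."""
    rated = sorted(((categorize(r["likelihood"], r["impact"]), r) for r in register),
                   key=lambda pair: ORDER[pair[0]])
    plan = {"test_now": [], "test_in_slack": [], "document_untested": []}
    for category, risk in rated:
        if category in ("EXTREME", "HIGH"):
            plan["test_now"].append(risk["id"])      # never budget-gated
        elif category == "MEDIUM" and risk["hours"] <= slack_hours:
            slack_hours -= risk["hours"]             # hours budget is an assumption
            plan["test_in_slack"].append(risk["id"])
        else:
            plan["document_untested"].append(risk["id"])
    return plan

# Constructed sample register (ids, ratings and hours are illustrative only).
REGISTER = [
    {"id": "R3-obsolete-process", "likelihood": "Likely", "impact": "Low", "hours": 6},
    {"id": "R1-unclear-scope", "likelihood": "Likely", "impact": "Very high", "hours": 16},
    {"id": "R5-doc-typo", "likelihood": "Unlikely", "impact": "Low", "hours": 2},
    {"id": "R2-regulatory-change", "likelihood": "Less likely", "impact": "High", "hours": 8},
    {"id": "R4-signoff-delay", "likelihood": "Less likely", "impact": "Moderate", "hours": 6},
]

if __name__ == "__main__":
    for bucket, ids in plan_tests(REGISTER, slack_hours=8).items():
        print(f"{bucket}: {ids}")
```

With 8 slack hours only one of the two MEDIUM items fits, so the other is carried into the lessons-learnt record rather than dropped.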