Risk Assessment Process:
Once the Indiana Office of Technology (IOT) and the Office of Management and Budget (OMB) provide approval to move forward with a large-scale Information Technology (IT) project and the accompanying Project Risk Management (PRM) framework, the Project Risk Management (PRM) team begins the Risk Assessment process. This process is part of the second level of the PRM framework lifecycle, “Enhanced Project Selection, Solutions, and Preparation.”
The Risk Assessment process is conducted for each large-scale IT project to help identify levels of heighted project risk in various project focus areas and to identify the appropriate Risk Management Approach.
The sections below provide additional details on the Risk Profile Analysis and the Risk Management Approach activities that are part of the overall Risk Assessment process.
Risk Profile Analysis:
The key component of the Risk Assessment process is the Risk Profile Analysis document that consists of a list of consistent questions and an associated scale of multiple-choice answers to capture objective risk measurements within both non-technical and technical risk categories. The PRM team created the Risk Profile Analysis document based on experience, expertise, and research from previous large-scale IT projects at the State of Indiana (SOI) and throughout the public and private sectors. The following steps highlight the use of this document as part of the Risk Assessment process:
- The PRM team sends the Risk Profile Analysis document to the agency project team with only the "Instructions" and "Risk Questions and Scores" tabs visible and available.
- The agency project team completes the "Risk Questions and Scores" tab of the Risk Profile Analysis document and returns to the PRM team.
- The PRM team meets internally to review the results and assess the overall project risk landscape. During this meeting, the PRM team:
- Completes the "PRM Team Recommendation" tab explaining:
- Overall Risk Result
- Overall Risk Details which includes details of high-risk categories and individual questions.
- Risk Services Recommendation
- Oversight Focus Areas
- Next Steps
- Completes the "PRM Team Recommendation" tab explaining:
- The PRM team schedules a meeting with the agency project team to discuss the results to help drive a better understanding of the project risk. During this meeting:
- The "Risk Analysis Results" tab (which can be seen below) is reviewed. This diagram depicts the scoring of each risk focus area and shows where the highest risks exist for the project.
- The “PRM Team Comments” tab is reviewed which provides a high-level assessment of the findings of each risk focus area.
- The “PRM Team Recommendation” tab is reviewed which identifies the appropriate Risk Management Approach for the project.
Each Risk Management Approach is defined in the section below.
Risk Management Approach:
Based on the results of the Risk Profile Analysis described above, the PRM team identifies a right-sized Risk Management Approach to be leveraged throughout the project. Importantly, there are various levels and scopes of activities both between, and within, the Risk Management Approach options to help drive the appropriate risk management effort and cost reflective of the project risk landscape. The Risk Management Approach options are defined below:
Approach | Project Criteria | Service Provider | Activities | Deliverables |
Independent Verification and Validation (IV&V) | Very large, highly complex, and very risky projects. Federal reporting from independent project oversight services required. | External vendor not otherwise associated with the project. Only vendors on the SOI IV&V list are eligible to provide these services. | Attend meetings, review deliverables, and monitor project activities. Identity current and future risks, actionable recommendations, and timing that risks could worsen without corrective action. | “Just in time” feedback to project team. Monthly status reports using required PRM format and timing. Monthly briefings with project leadership team. |
Independent Project Assurance (PA) | Project size, complexity, and risk levels require oversight but not to the level of IV&V services described above. Federal reporting from independent project oversight services NOT required. | Member of the SOI PRM Team. Allocation dependent on level of risk identified during the Risk Profile Analysis. | Attend meetings, review deliverables, and monitor project activities. Identity current and future risks, actionable recommendations, and timing that risks could worsen without corrective action. | “Just in time” feedback to project team. Monthly status reports using required PRM format and timing. Monthly briefings with project leadership team. |
Risk Consulting | Project size, complexity, and risk levels do NOT require IV&V or PA services but would benefit from risk consulting. Federal reporting from independent project oversight services NOT required. | Member of the SOI PRM Team. Allocation dependent on level of risk identified during the Risk Profile Analysis. | Attend meetings, review deliverables, and monitor project activities. Identity current and future risks, actionable recommendations, and timing that risks could worsen without corrective action. | “Just in time” feedback to project team. |
No Additional Risk Management Services | Project size, complexity, and risk levels do NOT require additional risk management services. | N/A | N/A | N/A |