Project and risk management policy outline
1. Risk rating of projects
■ Rating structure
■ Classification criteria
2. Minimum requirements per project
■ Components of the project business case
■ Requirements per project type
3. Project governance and involvement of the risk function
■ Project types requiring the involvement of the risk function
■ Stages and nature of involvement of the risk function
1. Initial stage (before kick-off)
2. Project life: monitoring and risk update
3. Project closure
TABLE 17.3 Stage of involvement of the risk function – summary
Initial stage (before kick-off)
■ Risk identification and assessment: workshop facilitation, for important and critical projects
■ Mitigation and monitoring plans: assurance that plans exist to address the risks identified, according to their materiality
Project life: monitoring and risk update
■ Regular project reporting, both for operational risks and for project risks
■ Quarterly/six-monthly updates of the risk identification and assessment workshop with the risk team and the project team, for important and critical projects
Project closure
■ Debriefing, evaluation of project deliverables, the risks materialized and avoided, lessons learnt, for all projects
RISING OPERATIONAL RISKS
RISK RATING FOR PROJECTS
Context
In project management, like any other involvement of the risk function in business activities, effective resource allocation requires a risk-based approach. The risk function's level of involvement will depend on the size and criticality of the project.

The approach described below is drawn from experience in financial organizations where it has been necessary to find ways to develop a risk-based approach that defines the level of collaboration between the risk function and project managers. Different stages of involvement, and different levels of information exchange, are defined between the risk team and the project teams according to the complexity and size of the project at stake. Smaller organizations, or those in early stages of operational risk management, will adopt simple project-rating scales and fewer involvement requirements, while more mature or larger organizations might require more detailed project ratings and a closer collaboration between the risk function and the project team for critical projects.
Risk Rating for Projects
In its simple version (Figure 17.1), the project rating would include only a handful of criteria: total budget, process, people and assets impacted. The highest rating of any of the criteria defines the overall rating of the project. The budget of a project is a proxy of its size and of the organization's financial commitment to the project. Figure 17.1 presents ratings relative to EBIT (earnings before interest and tax), scalable to the size of the firm. In practice, however, most employees would be unable to give either the turnover or the EBIT of their firm off the top of their heads and would use absolute budget values, expressed in currency units.

| Project rating | Budget (e.g. in % of EBIT) | Impacting a critical process of the organization? | % of organization's people or assets impacted |
|---|---|---|---|
| Critical | >30% | Y | >50% |
| Important | <30%, >10% | N | <50%, >20% |
| Moderate | <10%, >2% | N | <20%, >5% |
| Modest | <2% | N | <5% |

FIGURE 17.1 Project rating – simple scoring version

Project Risk Management
The second rating element relates to impacts on a critical process of the firm (Yes/No), from a continuity or a strategic perspective. European banking regulation, for instance, requires all systemically important financial institutions to identify all critical processes and ensure their continuity, even in the event of severe incidents. Therefore, a project is rated critical if it impacts the continuity of one of these processes.

Finally, the percentages of assets or of people impacted by a project reflect the project's complexity and its overall impact and influence – and therefore the potential risks. This is not necessarily captured in the financial budget alone. For instance, consider the digitalization of documents: when a firm decides to go paperless, the change will affect nearly 100% of the staff and a large portion of its assets, even though the cost of the project may not be as large as some physical assets. An office move is another example of a complex project.
Some firms include three additional elements to achieve a slightly more comprehensive approach for risk evaluation:
■ Customers: proportion of customers affected by the project.
■ Regulatory impact: regulatory components and their criticality.
■ Reputation: whether the project is likely to impact the image of the firm externally, through media coverage.
The risk function is involved in projects that are ranked critical or important. Involvement of the risk function includes participation in the first phases of project scoping and budgeting and at each important step of the project life cycle. In particular, the second line of defense actively supports the project team and the business during the initial identification and assessment of the operational risks generated or amplified by the project execution.

Larger or more mature organizations would use more sophisticated scoring systems to rank the risk level of their projects. Table 17.4 presents a real example of such a scoring system, although adapted to suit both IT and non-IT project types.
PROJECT RISK IDENTIFICATION AND ASSESSMENT
Project risk identification and assessment should closely follow the same RCSA methodology as other operational risk assessment exercises, with the risk assessment unit being the project and its impact on business-as-usual operations. The case study illustrates the aggregated results of such a risk assessment for several projects in a tier 2 insurance company.
TABLE 17.4 Project rating – sophisticated scoring version