Risk Assessment Process

 

Risk Assessment Process:

 

 

Once the Indiana Office of Technology (IOT) and the Office of Management and Budget (OMB) provide approval to move forward with a large-scale Information Technology (IT) project and the accompanying Project Portfolio Risk Management (PPRM) activities, the Large Project Delivery (LPD) team begins the Risk Assessment process. This process is part of the second level of the PPRM framework lifecycle, “Enhanced Project Selection, Solutions, and Preparation.”

The Risk Assessment process is conducted for each large-scale IT project to help identify levels of heightened project risk in various project focus areas and to identify the appropriate Risk Management Approach.

The sections below provide additional details on the Risk Profile Analysis and the Risk Management Approach activities that are part of the overall Risk Assessment process.


 

 

Risk Profile Analysis:

 

 

The key component of the Risk Assessment process is the Risk Profile Analysis document that consists of a list of consistent questions and associated multiple-choice answers to capture objective risk measurements within both non-technical and technical risk categories. The LPD team created the Risk Profile Analysis document based on experience, expertise, and research from previous large-scale IT projects at the State of Indiana (SOI) and throughout the public and private sectors. The following steps highlight the use of this document as part of the Risk Assessment process:

  1. The LPD team sends the Risk Profile Analysis document to the agency project team.
  2. The agency project team completes the Risk Profile Analysis document and returns it to the LPD team.
  3. The LPD team reviews the document results to assess the overall project risk landscape and the risk within each focus area. 
  4. Members of the agency project team and LPD team meet to discuss the results to help drive a better understanding of the project risk.
  5. The LPD team identifies the appropriate Risk Management Approach for the project and communicates that to the agency project team. 

Risk Management Approach options are further elaborated below.


 

Risk Management Approach:

 

Based on the results of the Risk Profile Analysis described above, the LPD team identifies a right-sized Risk Management Approach to be leveraged throughout the project.  Importantly, there are various levels and scopes of activities both between, and within, the Risk Management Approach options to help drive the appropriate risk management effort and cost reflective of the project risk landscape. The Risk Management Approach options are defined below:

 

Approach: Independent Verification and Validation (IV&V)

Project Criteria: Very large, highly complex, and very risky projects. Federal reporting from independent project oversight services required.

Service Provider: External vendor not otherwise associated with the project. Only vendors on the SOI IV&V list are eligible to provide these services.

Activities: Attend meetings, review deliverables, and monitor project activities. Identify current and future risks, actionable recommendations, and timing that risks could worsen without corrective action.

Deliverables: “Just in time” feedback to project team. Monthly status reports using required PPRM format and timing. Monthly briefings with project leadership team.

Approach: Independent Project Assurance (PA)

Project Criteria: Project size, complexity, and risk levels require oversight but not to the level of IV&V services described above. Federal reporting from independent project oversight services NOT required.

Service Provider: Member of the SOI Large Project Delivery Team. Allocation dependent on level of risk identified during the Risk Profile Analysis.

Activities: Attend meetings, review deliverables, and monitor project activities. Identify current and future risks, actionable recommendations, and timing that risks could worsen without corrective action.

Deliverables: “Just in time” feedback to project team. Monthly status reports using required PPRM format and timing. Monthly briefings with project leadership team.

Approach: Risk Consulting

Project Criteria: Project size, complexity, and risk levels do NOT require IV&V or PA services but would benefit from risk consulting. Federal reporting from independent project oversight services NOT required.

Service Provider: Member of the SOI Large Project Delivery Team. Allocation dependent on level of risk identified during the Risk Profile Analysis.

Activities: Attend meetings, review deliverables, and monitor project activities. Identify current and future risks, actionable recommendations, and timing that risks could worsen without corrective action.

Deliverables: “Just in time” feedback to project team.

Approach: No Additional Risk Management Services

Project Criteria: Project size, complexity, and risk levels do NOT require additional risk management services.

Service Provider: N/A

Activities: N/A

Deliverables: N/A

 

 
