Risk Management by Integrity, Availability and Confidentiality

This solution has a dependency on the following solutions, and these need to be installed first:

• RAG Status

This solution has an overlap with the following solutions, so these must NOT be installed:

• ROAM Risks
• Risk Management by Impact and Probability

Summary

The purpose of this solution is to allow TargetProcess users to easily track and rank risks using three key scoring categories - Integrity, Availability, and Confidentiality.  Mitigating Risk Actions can be logged against each Risk, allowing you to track selected courses of resolving risks.  Risk Managers, Product Managers/Owners, Release Train Engineers, and Agile Teams use the provided views to Identify and manage risks - At the start of a project, or throughout via key agile ceremonies.

Key Features

Risk Register

A Risk Register view is provided for logging and managing a backlog of Risks.

Each Risk has a Category, Risk Score, and RAG field.

• Category provides a way to organize Risks via common groupings
• Risk Score & RAG (Red, Amber, Green), facilitates priority and indicates the status of the Risk. They are calculated using the related Impact & Probability ratings for the three metrics (Integrity, Availability, Confidentiality).

Clicking on the ID or double clicking on the title reveals the Risk Detailed View where these parameters and additional information can be seen and provided.  The Risk Detailed View highlights a color coded Categorization & Scoring section reflecting the RAG status.  This screen allows the user to enter or update the Availability, Confidentiality, or Integrity Impact and Probability scores, as well as view or log mitigating Risk Actions.

Risk Detailed View

Risk Actions

Mitigating Risk Actions can be related to a Risk via clicking the '+' icon in the Risk Detailed View where users are prompted for both Name and Category.

Risk Actions can also be added and managed via the Risk Register View upon expanding the associated Risk.

Risk Action Detailed View

Clicking Add & Open when adding Risk Actions brings you to the Risk Action Detailed View.  Post Action Impact & Probability ratings can be specified here for the three categories and used to calculate a Post Action Risk Score.  Risk Reduction is also calculated and based on the difference of the highest Post Action Risk Score from the Risk Score carried over from the Risk.

Risk Action Detail

Risk Dashboard

The Risk Dashboard offers a collective view of Risk based measures in different contexts.

• Risk Register - backlog of risks with current state
• Risk Scores by Category - grouping of all risks by business category and visual representation of RAG
• Cumulated Risk - metric showing all open risks, completed risks, and the total risks recorded
• Risk Reduction Rate - percentage of risk reduction over the last ninety days
• Bar chart using the ROAM model with counts by RAG status
• Average cycle time
• Risk by RAG - pie chart displaying risks grouped by RAG status

Customization

The following fields are included and can be customized.  Further details on creating and modifying metrics can be found in the Metrics page.

• Category, currently set to Architecture, Budget, Business, DevOps/Operational, Infrastructure, Programmatic, Quality and Process, Resource, Schedule, Security, Supplier, and Technology.
• Risk Score - the largest value of Impact x Probability for Availability, Confidentiality, or Integrity.
• Post Action Risk Score - as above, but calculated using the Risk Action's scores.
• Availability/Confidentiality/Integrity Score - Impact x Probability for the appropriate category, calculated for Risks.
• Post Action Availability/Confidentiality/Integrity Score - as above, but calculated using the Risk Action's scores.
• Risk RAG - Sets the RAG by measuring the Risk Score.  A Risk Score of 1-4 is Green, 5-10 is Amber, and greater than 10 is Red.
• Risk Reduction for Risk Action - determines how much the Risk is mitigated by the Risk Action.