Interoperability Montana

Risk Management Plan

RISK MANAGEMENT PLAN

Prepared by:

Northrop Grumman Corporation

IM Risk Management Plan v4 0.doc

11/29/2007
 Interoperability Montana

Risk Management Plan

Document Approval
And
Revision History

Date Document Document Revision Description Document Author

Version
9/4/07 1.0 Original Document NGC
10/22/07 4.0 Published Document NGC

Approval Approved Approver Role Approver

Date Version
10/22/07 4.0 Denny Espeland, Program Manager

IM Risk Management Plan v4 0.doc

11/29/2007
 Interoperability Montana

Risk Management Plan

Table of Contents

1 Executive Summary ................................................................................................................ 1

1.1 Purpose............................................................................................................................ 2
2 Risk Management Strategy ..................................................................................................... 2
2.1 Risk Identification........................................................................................................... 2
2.2 Risk Responsibilities....................................................................................................... 4
2.3 Risk Assessment ............................................................................................................. 4
2.4 Risk Response................................................................................................................. 6
2.5 Risk Mitigation ............................................................................................................... 6
2.6 Risk Contingency Planning............................................................................................. 7
2.7 Tracking and Reporting .................................................................................................. 8
2.8 Processes to Address Immediate Unforeseen Risks ....................................................... 8

IM Risk Management Plan v4 0.doc

11/29/2007
 Interoperability Montana

Risk Management Plan

1 Executive Summary
Risk is defined as an event that has a probability of occurring, and could have
either a positive or negative impact to a project should that risk occur. A risk may
have one or more causes and, if it occurs, one or more impacts. For example, a
cause may be requiring an environmental permit to do work, or having limited
personnel assigned to design the project. The risk event is that the permitting
agency may take longer than planned to issue a permit, or the assigned personnel
available and assigned may not be adequate for the activity. If either of these
uncertain events occurs, there may be an impact on the project cost, schedule or
performance. All projects assume some element of risk, and it’s through risk
management where tools and techniques are applied to monitor and track those
events that have the potential to impact the outcome of a project.
Risk management is an ongoing process that continues through the life of a
project. It includes processes for risk management planning, identification,
analysis, monitoring and control. Many of these processes are updated
throughout the project lifecycle as new risks can be identified at any time. It’s the
objective of risk management to decrease the probability and impact of events
adverse to the project. On the other hand, any event that could have a positive
impact should be exploited.
The identification of risk normally starts before the project is initiated, and the
number of risks increase as the project matures through the lifecycle. When a risk
is identified, it’s first assessed to ascertain the probability of occurring, the degree
of impact to the schedule, scope, cost, and quality, and then prioritized. Risk
events may impact only one or while others may impact the project in multiple
impact categories. The probability of occurrence, number of categories impacted
and the degree (high, medium, low) to which they impact the project will be the
basis for assigning the risk priority. All identifiable risks should be entered into a
risk register, and documented as a risk statement.
As part of documenting a risk, two other important items need to be addressed.
The first is mitigation steps that can be taken to lessen the probability of the event
occurring. The second is a contingency plan, or a series of activities that should
take place either prior to, or when the event occurs. Mitigation actions frequently
have a cost. Sometimes the cost of mitigating the risk can exceed the cost of
assuming the risk and incurring the consequences. It is important to evaluate the
probability and impact of each risk against the mitigation strategy cost before
deciding to implement a contingency plan. Contingency plans implemented prior
to the risk occurring are pre-emptive actions intended to reduce the impact or
remove the risk in its entirety. Contingency plans implemented after a risk occurs
can usually only lessen the impact.

IM Risk Management Plan v4 0.doc

11/29/2007
Page 1
 Interoperability Montana

Risk Management Plan

Identifying and documenting events that pose a risk to the outcome of a project is
just the first step. It is equally important to monitor all risks on a scheduled basis
by a risk management team, and reported on in the project status report.

1.1 Purpose

This plan documents the processes, tools and procedures that will be used to
manage and control those events that could have a negative impact on the
Interoperability Montana (IM) project. It’s the controlling document for
managing and controlling all project risks. This plan will address:

• Risk Identification
• Risk Assessment
• Risk Mitigation
• Risk Contingency Planning
• Risk Tracking and Reporting

Appendix A will present a sample of the risk register, with a Risk Statement Form
presented in Appendix B.

2 Risk Management Strategy

2.1 Risk Identification
A risk is any event that could prevent the project from progressing as planned, or
from successful completion. Risks can be identified from a number of different
sources. Some may be quite obvious and will be identified prior to project kick-
off. Others will be identified during the project lifecycle, and a risk can be
identified by anyone associated with the project. Some risk will be inherent to the
project itself, while others will be the result of external influences that are
completely outside the control of the project team.

The Interoperability Montana Project Directors (IMPD) have overall

responsibility for managing project risk. As the IM Project Manager, Mark
Adams has been assigned by Northrop Grumman as the person responsible for
administering risk management processes and activities for the IM project.

Throughout all phases of the project, a specific topic of discussion will be risk
identification. The intent is to instruct the project team in the need for risk
awareness, identification, documentation and communication.

Risk awareness requires that every project team member be aware of what
constitutes a risk to the project, and being sensitive to specific events or factors
that could potentially impact the project in a positive or negative way.
IM Risk Management Plan v4 0.doc
11/29/2007
Page 2
 Interoperability Montana

Risk Management Plan

Risk identification consists of determining which risks are likely to affect the
project and documenting the characteristics of each.

Risk communication involves bringing risk factors or events to the attention of the
project manager and project team.

The Northrop Grumman project manager will identify and document known risk
factors during creation of the Risk Register.

It is the Northrop Grumman project manager’s responsibility to assist the IMPD

and other stakeholders with risk identification, and to document the known and
potential risks in the Risk Register. Updates to the risk register will occur as risk
factors change. Risk management will be a topic of discussion during the monthly
project IMPD meeting.

The Northrop Grumman project team will discuss any new risk factors or events,
and these will be reviewed with the Northrop Grumman project manager.

The project manager will determine if any of the newly identified risk factors or
events warrant further evaluation. Those that do will undergo risk quantification
and risk response development, as appropriate, and the action item will be closed.

At any time during the project, any risk factors or events should be brought to the
attention of the Northrop Grumman project manager using Email or some other
form of written communication to document the item. The project manager is
responsible for logging the risk to the Risk Register. Notification of a new risk
should include the following Risk Register elements:

• Description of the risk factor or event, e.g. conflicting project or

operational initiatives that place demands on project resources, design
errors or omissions, weather, construction delays, etc.

• Probability that the event will occur. For example, a 50% chance that
the vendor will not have staff available to pour the cement.

• Schedule Impact. The number of hours, days, week, or months that a

risk factor could impact the schedule. As an example, the fires which
have resulted in level 3 restrictions are likely to delay installation of
the shelter and generator for 2 weeks.

• Scope Impact. The impact the risk will have on the envisioned
accomplishments of the project. Extreme weather conditions may
result in a reduction in the number of tower sites that can be
completed.

IM Risk Management Plan v4 0.doc

11/29/2007
Page 3
 Interoperability Montana

Risk Management Plan

• Quality Impact. A risk event may result in a reduction in the quality of

work or products that are developed. As an example, lack of funding
caused by construction cost overruns may result in the purchase of
only one cooling unit rather than the planned number of two

• Cost Impact. The impact the risk event, if it occurs is likely to have on
the project budget.

2.2 Risk Responsibilities

The responsibility for managing risk is shared amongst all the stakeholders of the
project. However, decision authority for selecting whether to proceed with
mitigation strategies and implement contingency actions, especially those that
have an associated cost or resource requirement rest with the IMPD. The
following tables details specific responsibilities for the different aspects of risk
management.

Risk Activity Responsibility

Risk Identification All project stakeholders
Risk Registry Project Manager
Risk Assessment All project stakeholders
Risk Statements Project Manager(s), IMTC
Risk Response Options Identification All project stakeholders
Risk Response Approval IMTC (recommendation) IMPD (approval)
Risk Contingency Planning Project Manager(s)
Risk Response Management Project Managers
Risk Reporting Project Manager

2.3 Risk Assessment

Risk assessment is the act of determining the probability that a risk will occur and the
impact that event would have, should it occur. This is basically a “cause and effect”
analysis. The “cause” is the event that might occur, while the “effect” is the potential
impact to a project, should the event occur.

Assessment of a risk involves two factors. First is the probability which is the measure of
certainty that an event, or risk, will occur. This can be measured in a number of ways,
but for the IM project will be assigned a probability percentage for 1% to 100%. A risk
with no probability of occurring will obviously pose no threat, while a risk of 100%
means the risk event has occurred.

The second factor is estimate of the impact on the project. This can be a somewhat
subjective assessment, but should be quantified whenever possible. The estimated cost,
the duration of the potential delay, the changes in scope and the reduction in quality are
IM Risk Management Plan v4 0.doc
11/29/2007
Page 4
 Interoperability Montana

Risk Management Plan

in most cases factors that can be estimated and documented in the risk statement and then
measured using the standard project management tools (i.e. project plan, budget,
statements of work). Rather than detailed impact estimates the Risk Register contains
three ratings for impact; High, Medium and Low. This makes it easier to compare one
risk to another and assign priorities. For each of the impact categories the impact is
assessed as follows:

• Cost – This impact is usually estimated as a dollar amount that has a direct
impact to the project. However, cost is sometimes estimated and reported as
simply additional resources, equipment, etc. This is true whenever these
additional resources will not result in a direct financial impact to the project
due to the fact the resources are loaned or volunteer, the equipment is
currently idle and there is no cost of use, or there are other types of donations
that won’t impact the project budget. Regardless of whether there is a direct
cost, the additional resources should be documented in the risk statement as
part of the mitigation cost.

• Scope – Whenever there is the potential that the final product will not be
completed as originally envisioned there is a scope impact. Scope impact
could be measured as a reduction of the number of tower sites, elimination of
trunking for a site, or not providing a back-up power source.

• Schedule – It is very important to estimate the schedule impact of a risk event

as this often results is the basis for elevating the other impact categories.
Schedule delays frequently result in cost increases and may result in a
reduction of scope or quality. Schedule delays may or may not impact the
critical path of the project and an associated push out of the final end date. As
an example, a road wash-out for a tower site might delay completion of that
site for 3 weeks, but if another site is scheduled to complete after delayed site,
the 3 week delay won’t impact the final end date.

• Quality – Quality is frequently overlooked as an impact category and too often

a reduction in quality is the preferred choice for mitigation of a risk. “Short
cuts” and “low cost replacements” are ways of reducing cost impacts. If not
documented appropriately and approved by the project sponsor, mitigation
strategies that rely upon a reduction in quality can result in significant
disappointment by the stakeholders.
Most risks will be assigned one category, but some might be assigned more than one, or
all.

IM Risk Management Plan v4 0.doc

11/29/2007
Page 5
 Interoperability Montana

Risk Management Plan

2.4 Risk Response

For each identified risk, a response must be identified. It is the responsibility of the IMPD
to select a risk response for each risk. The IMPD will need the best possible assessment
of the risk and description of the response options in order to select the right response for
each risk. The probability of the risk event occurring and the impacts will be the basis for
determining the degree to which the actions to mitigate the risk should be taken. One way
of evaluating mitigation strategies is to multiply the risk cost times the probability of
occurrence. Mitigation strategies that cost less than risk probability calculation should be
given serious consideration. The possible response options are:

• Avoidance – Change the project to avoid the risk. Change scope, objectives,
etc.

• Transference – Shift the impact of a risk to a third party (like a subcontractor).

It does not eliminate it, it simply shifts responsibility.

• Mitigation – Take steps to reduce the probability and/or impact of a risk.

Taking early action, close monitoring, more testing, etc.

• Acceptance – Simply accept that this is a risk. When choosing acceptance as a

response the IMPD is stating that given the probability of occurring and the
associated impact to the project that results, they are not going to take any
actions and will accept the cost, schedule, scope, and quality impacts if the
risk event occurs.

• Deferred – A determination of how to address this risk will be addressed at a

later time.

The results of the risk assessment process are documented in each Risk Statement and
summarized in the Risk Register which will be reported on a monthly basis.

2.5 Risk Mitigation

Risk mitigation involves two steps:

• Identifying the various activities, or steps, to reduce the probability and/or

impact of an adverse risk.

• Creation of a Contingency Plan to deal with the risk should it occur.

Taking early steps to reduce the probability of an adverse risk occurring may be more
effective and less costly than repairing the damage after a risk has occurred. However,
some risk mitigation options may simply be too costly in time or money to consider.

IM Risk Management Plan v4 0.doc

11/29/2007
Page 6
 Interoperability Montana

Risk Management Plan

Mitigation activities should be documented in the Risk Register, and reviewed on a

regular basis. They include:

• Identification of potential failure points for each risk mitigation solution.

• For each failure point, document the event that would raise a “flag” indicating
that the event or factor has occurred or reached a critical condition.

• For each failure point, provide alternatives for correcting the failure.

2.6 Risk Contingency Planning

Contingency planning is the act of preparing a plan, or a series of activities, should an
adverse risk occur. Having a contingency plan in place forces the project team to think in
advance as to a course of action if a risk event takes place.

• Identify the contingency plan tasks (or steps) that can be performed to
implement the mitigation strategy.

• Identify the necessary resources such as money, equipment and labor.

• Develop a contingency plan schedule. Since the date the plan will be
implemented is unknown, this schedule will be in the format of day 1, day 2,
day 3, etc., rather than containing specific start and end dates.

• Define emergency notification and escalation procedures, if appropriate.

• Develop contingency plan training materials, if appropriate.

• Review and update contingency plans if necessary.

• Publish the plan(s) and distribute the plan(s) to management and those directly
involved in executing the plan(s).

Contingency may also be reflected in the project budget, as a line item to cover
unexpected expenses. The amount to budget for contingency may be limited to just the
high probability risks. This is normally determined by estimating the cost if a risk
occurs, and multiplying it by the probability. For example, assume a risk is estimated to
result in an additional cost of $50,000, and the probability of occurring is 80%. The
amount that should be included in the budget for this one item is $40,000.

Associated with a contingency plan, are start triggers and stop triggers. A start trigger is
an event that would activate the contingency plan, while a stop trigger is the criteria to
resume normal operations. Both should be identified in the Risk Register.

IM Risk Management Plan v4 0.doc

11/29/2007
Page 7
 Interoperability Montana

Risk Management Plan

2.7 Tracking and Reporting

As project activities are conducted and completed, risk factors and events will be
monitored to determine if in fact trigger events have occurred that would indicate the risk
is now a reality.

Based on trigger events that have been documented during the risk analysis and
mitigation processes, the IMPD, or Northrop Grumman project managers will have the
authority to enact contingency plans as deemed appropriate. Day to day risk mitigation
activities will be enacted and directed by the project managers. Large scale mitigation
strategies will be initiated by the IMPD.

Contingency plans that once approved and initiated will be added to the project work plan
and be tracked and reported along with all of the other project activities.

Risk management is an ongoing activity that will continue throughout the life of the
project. This process includes continued activities of risk identification, risk assessment,
planning for newly identified risks, monitoring trigger conditions and contingency plans,
and risk reporting on a regular basis. Project status reporting contains a section on risk
management, where new risks are presented along with any status changes of existing
risks. Some risk attributes, such as probability and impact, could change during the life
of a project and this should be reported as well.

2.8 Processes to Address Immediate Unforeseen Risks

The individual identifying the risk will immediately notify the IMPD and Northrop
Grumman project managers. The individual notified will assess the risk situation.

If required, the IMPD and Northrop Grumman project managers will identify a mitigating
strategy, and assign resources as necessary.

The project risk manager will document the risk factor and the mitigating strategy.
.

IM Risk Management Plan v4 0.doc

11/29/2007
Page 8
 Interoperability Montana

Risk Management Plan

Appendix A - Sample Risk Register

IM Risk Management Plan v4 0.doc

11/29/2007
Page 1
 Interoperability Montana

Risk Management Plan

Appendix B - Sample Risk Statement Form

IM Risk Management Plan v4 0.doc

11/29/2007
Page 1