Sample Risk Management Plan - Part 5: Corrective Action and Monitoring
Published: November 16, 2011
Updated: November 22, 2011
Section 5: Corrective Action and Monitoring
Corrective action and monitoring provide an organization with a structure to determine when risk conditions are approaching trigger levels and when corrective actions to mitigate risk are necessary.
Risk Monitoring typically involves members of the endeavor’s teams performing the following steps in an iterative, incremental, parallel … and ongoing manner:
- determine risks have changed
- identify the risk controls being used
- determine the effectiveness of actions and techniques
- develop or adjust the risk management plan
(Open Process Framework 2009)
5.1 Type of Corrective Risk Management
A project such as the A&D High Tech Internet Store Project could greatly benefit from an analysis of Strengths, Weaknesses, Opportunities, and Threats (SWOT). However, this form of analysis should be performed earlier in the project, so the benefits at this stage may be minimal.
Due to the amount of time remaining before the project deadline and because strategic decisions have already been made, a different form of corrective risk management is called for. In this instance, self-assessment will be the method of corrective risk management employed.
Project stakeholders, including representatives from Geneva, will periodically meet to assess the outstanding risks and corrective measures. For the project to succeed, Geneva must take on the role of a business partner, as opposed to a time and materials contractor, and participate honestly in these assessments.
5.2 Corrective Plan
“The purpose of the Corrective Action Plan … is to establish a risk management operational ‘standard’ for approving and directing the implementation of remedial actions to risks to” (Virginia Commonwealth University, 2005) the successful completion of the A&D High Tech Internet Store Application Project.
The Corrective Action Plan is used … to document a written statement that represents a standard of due care towards the retirement of a risk condition. The Corrective Action Plan details the procedures to be taken and the time-frames to correct deficiency conditions identified by the Risk Statements associated with a specific issue or Unit. (Virginia Commonwealth University, 2005).
The RBS and Risk Matrix will be the sources of input for identifying the corrective actions that the Corrective Action Plan defines. The project manager, team members, and stakeholders “participate in a structured process that is designed to identify, prioritize, document, analyze and re-mediate any reasonably anticipated threats” (Virginia Commonwealth University, 2005).
The outcome of the Corrective Action Plan is expected to:
- Document the rationale or actions that are planned to ensure that actions cited by the Risk Matrix are going to be initiated and as a “consequence to the ‘action(s)’ any risk situation is mitigated or re-mediated as part of the due diligence process and demonstrated good faith effort” (Virginia Commonwealth University, 2005)
- Define the time necessary to complete the mitigation process
The Corrective Action Plan is initiated by the project manager and is submitted to the CIO for:
- Approval or rejection of recommendations
- Approval or disapproval of resources
- Determination of the organization’s willingness to “assume the risk and ‘retire’ the plan without further action” (Virginia Commonwealth University, 2005).
5.3 Corrective Action for Risks
Two of the three major risks to this project relate to missing the Christmas deadline. The deadline itself is a risk and the contract with Geneva is closely related. As of May 26, Geneva had not identified specific resources for the project, which may indicate an opinion on the contractor’s part that the project is not a high priority. Geneva may experience an internal conflict over resources.
The answer to this dilemma is not easy, but in essence, the project management team must include "conflict over resources during the life of the project" as a major potential risk and plan for it accordingly by securing agreements and then monitoring the situation continuously. If a dispute does arise, there is a role here for the project champion and/or the client to ensure that the allocated resources are not taken away. (Williams, 2009).
The remaining major risk is that problems may be encountered while developing the interface to the ERP system. Effective corrective actions to mitigate this risk entail beginning development of the interface early so that either the interface is complete in time to be integrated with the application or JD Edwards may be contracted for assistance. Negotiations with JD Edwards should begin immediately so they may be brought into the project if a trigger condition is reached.
Corrective actions for the intermediate risks are identified in the Risk Matrix. The minor risks should be assumed and dropped from the corrective action plan without further consideration. The effects of the minor risks would be minimal and could easily be absorbed if those risk conditions come to pass.
A&D High Tech has taken on some technology initiatives in the past that have proved to be successful despite the inherent risks involved with the development. An Enterprise Resource Planning (ERP) system implemented in 1999 reduced customer callbacks from 30 percent to less than one percent, according to Jeffery (2007). The success was preceded by concerns that system maintenance may become problematic after the consultants hired to perform the system customization left.
The success of the ERP system led to a series of initiatives to improve systems in “handling the supply chain, payment process, customer relationship management (CRM), and order management” (Jeffery, 2007, p. 2). These ventures into high tech projects indicate that A&D High Tech has a fair organizational tolerance for risk.
Departments within A&D also demonstrate a high tolerance for risk. Specifically, the sales department demonstrates this tolerance through the pressure from the VP of sales to begin the project, and the IT department demonstrates it through the lack of pressure it placed on Geneva to identify resources for the Internet store project prior to May.
The two greatest risks to project success are missing the holiday deadline and the contract with Geneva. These two risks are directly related, and the contract with Geneva influences the overall outcome. The mitigation strategy to offset the issues with the Geneva contract should include strict configuration management and change control. Configuration management would ensure that each module of developed software meets the requirements for development, and change control will help avoid scope creep.
A&D High Tech and the organizational departments that are the major players in the project demonstrate a relatively high tolerance for risk, but the relationship with Geneva must be closely monitored and the contract risk mitigated for there to be any chance of meeting the deadline.
Jeffery, M. (2007). A & D high tech (A): Managing projects for success. Project Risk Assessment and Control (pp. 1–16). New York, NY: McGraw-Hill.
Open Process Framework (2009). Risk monitoring. Available from http://www.opfro.org
Virginia Commonwealth University (2005). Correction action plan standard. Information Security Risk Management Program Standards.
Williams, C. J. (2009). Project management: Risk management. Available from http://www.projectsmart.co.uk/project-management-risk-management.html