Risk Analysis Matrix
Risk analysis is the process of identifying and evaluating risk
factors, present or anticipated, and determining both the probability
and the impact of identified risk factors. Risk analysis is a preliminary
step in establishing a risk management strategy, which is intended
to increase the probability that the application development project
produces the desired outcome while minimizing risk factors. It communicates
both preventive and corrective actions for each of the identified
risk factors, particularly those with a medium to high rating level.
Some of the factors considered in the risk analysis for each system
are identified in the Risk Analysis Matrix, shown below. Each factor
in the matrix is rated according to its potential adverse impact
as High (H), Medium (M), Low (L), or Not Applicable (NA).
Note: Information for this section was adapted from the publication "Quality
Assurance Review Guide for Major Information Resources Projects",
version 1.0, November 1996, published by the Department of Information
Resources, Office of the State Auditor, Austin, Texas.

Customer: General Risk Factors

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Integration with Current Statewide Information Resource (IR) Strategies | Project does not support any statewide IR strategies | Project indirectly or partially supports statewide IR strategies | Project directly supports statewide IR strategies |
| Customer's IR Experience | Customer has little experience with automated systems | Customer has some experience with automated systems | Customer has extensive experience with automated systems |
| Customer's Work Methods | Project will directly alter work methods | Project will alter parts or have slight effect on work methods | Project will have little or no effect on work methods |

Customer: Management Risk Factors

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Customer's Standard Business Procedures | No policies or standards in place | Policies and standards in place but not followed completely | Policies and standards in place and are followed completely |
| Upper Management Project Support | No support for project or project involvement | Mission issues unresolved or in process of being defined or approved | Committed to success of project |
| Middle Management Project Support | Little or no support for project | Some support for project | Committed to success of project |
| Managerial Staffing and Stability | Management is rapidly changing or not clearly defined | Some management change is expected | Little or no change in management is expected |
| Project Management's Experience with Similar Projects | No experience with projects of this type or projects in general | Moderate experience or experience with different type projects | Very experienced with similar projects |

Customer: Project Management Risk Factors

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Expected Effect of System on Customer Service | No improvements in service | Minor improvements to customer service | Major improvement to customer service |
| Customer's Definition of Project Requirements and Scope | Rapidly changing size or scope; requirements not defined and not signed off by users | Requirements defined but changes to baseline expected; requirements may not have been distributed to all employees | Requirements well-established, baseline defined, user acceptance high, and few or no changes |

Customer: Funding, Cost, and Time-Line Risk Factor

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Funding Sources | Funds not allocated | Some funds allocated | Funds allocated |
| Budget Size | Insufficient budget available to complete project as defined | Questions remain concerning budget | Sufficient funds available to complete project as currently defined |

End User: Participation Risk Factors

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| End User Perceived Benefits | Do not perceive benefits as measurable | Some questions remain about benefits | Benefits well-defined and measurable |
| End User Training Requirements | Requirements have not been defined or have not been addressed | User training needs have been considered; training or training plan is in development | End user training needs considered; training or training plan in place and in process |
| End User Acceptance | End users have not accepted any of the concepts or design details of the system | End users have accepted most of the concepts and details of the system and process is in place for user approvals | End users have accepted all concepts and details of the system and process in place for user approvals |
| End User Experience on Similar Projects | Users have no previous experience with similar projects | Users have experience with similar projects | Users highly experienced in similar projects |
| Involvement of End Users with System Design and Testing | Minimal or no user involvement with development team or little user input into process | Play minor roles with development team or have moderate impact on system development | Highly involved with development team, provide significant input and have significant ownership of system |

CIS: Project Management Risk Factors

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Project Leader Experience | Project leader has no experience with this type of project or is new to management | Project leader has moderate experience or has experience with different types of projects | Project leader is very experienced with similar types of projects |
| Project Timeline | Project has schedule delays that threaten success of project | Project is within schedule, minor delays on some parts or deliverables | Project is within reasonable schedule, following work plan with no delays |
| Change Control Management | No change control process being used | Change control process in place but not being followed completely | Formal change control process in place, followed, and effective |
| Development Methodology | No formal project development methodology being used, either commercial or in-house system | Project development methodology established, but not followed or ineffective | Project development methodology in place, established, effective, and followed by staff |

CIS: Project Team Risk Factors - Personnel

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Experience of Staff | Staff has little or no experience with projects of this type | Project staff has some experience with projects of this type | Project staff is highly experienced with projects of this type |
| Consultant/CIS Personnel Mix | Complete reliance on contractor or consultant staff with no CIS staff being trained in new system | A small percentage of agency staff or some CIS personnel being trained on new system | A balanced mix of CIS and contractor staff with agency personnel capable of taking over new system; or not applicable |
| Available Personnel Resources | Staff is not immediately available and/or requires training for project | Project staff is available but requires project orientation or minor training | Project staff is available |

CIS: Project Team Risk Factors - Experience/Training

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Expertise with Hardware | Technology is new, little or no staff experience | Technology similar to existing systems, and some staff experience | Mature technology, current staff experience, high experience ratio |
| Experience with Software | No experience with software and/or software not available | Software available but not being used to full potential, or in process of being implemented and training needed | Software available and staff are experienced in use of tools |
| Technical Training of Staff | Training not readily available, or no training plan in place | Training for some disciplines not available, but training is planned and is available | Training plan in place and training is ongoing |

CIS: Technology Risk Factors - System Implementation

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Complexity of Requirements | Project is very complex with multiple requirements from many different users; requirements are complex and hard to define | Project is fairly complex with some requirements more easily defined; several user groups will be aiding in the design | Requirements are few and easily defined; few users to provide input |
| System Integration/Interfaces | Extensive integration of systems, or exchange of information or interfaces are a major part of project | Some integration or interfaces required and/or of some importance to project | Little or no integration or interfaces required |
| Fit with Customer's existing IR infrastructure | Introduces new technologies | Limited use of new technologies | Uses proven technology that integrates well |
| Quality/Timeline Control | Time line likely to adversely affect quality and completeness | Has critical time line, but little to no impact on quality | Time lines are not critical |

CIS: Technology Risk Factors - System Operation

| Risk Factor | HIGH RISK | MEDIUM RISK | LOW RISK |
|---|---|---|---|
| Open Systems | Proprietary system with little or no communication with other technologies possible | System capable of communicating with other technologies on a limited basis | Completely open platform, capable of communicating with multiple technologies |
| Vendor Support | Vendor provides little or no support for hardware/software, and only at high cost with poor response times | Vendor provides adequate support for hardware/software at contracted price with reasonable response times | Vendor provides complete support for hardware/software at reasonable or contracted price and within contracted response times |
| Maturity of Solution | In operation less than one year or over 5 years old | In operation from 1-3 years | In operation 3-5 years |
| Security | No security measures in place, backup of data and hardware lacking, disaster recovery not considered | Some security measures in place, backups of data and hardware being done, disaster recovery considered, but procedures lacking or not followed | All areas following security guidelines, data and hardware completely backed up, disaster recovery system in place, and procedures are easily followed |
| Multiple Vendors/Major Contractors | No clear delineation between vendor responsibility, contractors in conflict with one another, no clear prime contractor | Prime contractor delineated, vendor responsibilities defined, but conflict between vendors/contractors | Prime contractor in place and responsible for successfully implementing project, no conflict between vendors and dispute resolution policy established |