written by: Jean Scheid
• edited by: Linda Richter
• updated: 6/2/2011
The world of risk management is a necessary evil in project management. Without defining, analyzing, prioritizing, and controlling project risks, we’d have a lot of failed projects. To help us understand risk management, Jean Scheid looks at three real-world risk assessment examples.
Risk management, or the process of identifying, analyzing, prioritizing, monitoring, and controlling risks in a project, is used widely in the project management world. Many of us think risk assessment is only needed in projects of a health or medical nature, in which real lives are at stake. This simply isn’t the case, and as we explore the following three risk assessment examples from the real world, you’ll see how risk management is needed in almost any type of project.
1. Call Accounting Risk Assessment
This risk analysis example considered a process that Campton College wanted to implement: a new call accounting system that both administrators and medical students could use for billing, tuition, and dorm expense payments, and that in fact every department of the medical school could use. Their antiquated system was from the 1990s, and they felt it was time to move into the next generation.
In this risk assessment example, first a team was formed to determine which tech company could offer the best system without too much down time for the current system. The company chosen was a widely known call accounting provider – TACS. The challenge was to find a better way for data collection, database improvements, and purging information.
Campton College was able to determine that over $2 million in assets (information) could be at risk, including data integrity, private information, access and down time, passwords, and liability costs to the college if private information was accessed.
Not happy with trusting these assets to a switchover right away, the team was able to work with TACS to find ways to mitigate risks such as using compatible software interchanges like Microsoft and an encrypted repository.
Finally, the risk assessment team was able to identify 14 risks, with solutions to those risks that lowered the forecasted 249% risk they had previously determined to a mere 54.3% risk. By lowering the percentage of risk through secure processes, the college was able to introduce a newly updated system.
2. Passport Security Protocol
A joint effort was used in this risk assessment example that included PPSLC, a Texas student loan provider, and Microsoft. The project at hand was to see if PPSLC could utilize Passport Security, which is a web-hosted protocol that gives users who are signed in access to many different merchants—here, the student loan merchant website.
In this joint effort, both Microsoft engineers and PPSLC techs examined the true cost of damages if a student’s private information was stolen, and what that amount would be per student. They also included the company’s liability if such fraud occurred and student (customer) trust in the system.
Once these risks or threats were defined, the joint teams worked together and also aligned with Passport Security to lower risks through mitigation, software solutions, firewalls, and other technological online advances that would indeed keep the student information safe and secure.
3. Networked Medical Devices
In our final risk assessment example, a Microsoft-based network medical device that monitored patients throughout their stay at a hospital was looked at to see if the risks outweighed the cost of the device as well as if the device would be practical for use.
The three largest risks here were the device's accessibility to all staff, network capabilities, and patient confidentiality. The risk analysis team talked to hardware and software people in order to first identify all threats to patient confidentiality. This was considered to be the most important risk; how would the network medical device be protected from hacks and potential attacks?
Next came the device's accessibility as well as authorized use. What were the risks if non-authorized personnel had access to the device and in what ways would these situations be prevented? Last, the in-house network that accessed an outside server needed to be secure enough to face the challenge of hospital confidentiality and regulation rules on patient information.
These risks and threats to the new device were tackled via teams that tested defects, encryption protection, password safety, up and down times, and the use of binary formats. They also looked at single user stations and if USB devices were utilized—and how easily they could be infected.
Because the largest risk was patient confidentiality, countermeasures were designed to constantly scan for threats and to upgrade and improve protection against them. A plan was developed for online or server attacks, and accessibility was agreed upon via a management team that would oversee and sponsor the use of the medical device.
Why You Need Risk Assessments
In these real-life risk assessment examples, it was prudent for the stakeholders of these projects to ensure against data and identity theft as well as introduce streamlined processes, accessibility, trust, and reliability.
Consider if your project was to find an in-house accounting system so that everyone who needed access could indeed access the system, while also protecting private and secure information. It wouldn’t be prudent to just choose a company to implement a system if you didn’t know what the company was all about, its history with these types of systems, or its ability to understand the strict confidentiality needed.
In our student loan example, if the risk analysis team couldn’t prove trust to users, the cost of the system wouldn’t have been worth the money invested. In our networked medical device example, if real hacks and attacks were possible and the ability for non-authorized staff to have access was a problem, the device could cause all sorts of damage, including liability for the hospital.
Whether your projects are large or small, as the project manager, you must consider how to perform a risk analysis and use it. That includes identifying, prioritizing, and mitigating risks to ensure you have an acceptable outcome—or controlled risks that are acceptable.
PTA Technologies - Networked Medical Device - http://www.ptatechnologies.com/Documents/MedicalDevice_ThreatAnalysis_CaseStudy.pdf
PTA Technologies - Call Accounting System - http://www.ptatechnologies.com/Documents/CallAccountingCaseStudy.pdf
PTA Technologies - Passport Security - http://www.ptatechnologies.com/Documents/PassportCaseStudyIntro.pdf