Real-World Risk Assessment Examples

written by: Jean Scheid • edited by: Linda Richter • updated: 6/2/2011

The world of risk management is a necessary evil in project management. Without defining, analyzing, prioritizing, and controlling project risks, we'd have a lot of failed projects. To help us understand risk management, Jean Scheid looks at three real-world risk assessment examples.

Risky Business

Risk management, the process of identifying, analyzing, prioritizing, monitoring, and controlling risks in a project, is used abundantly in the project management world. Most of us think risk assessment is only needed in projects of a health or medical nature, where real lives are at stake. This simply isn't the case, and as we explore the following three risk assessment examples from the real world, you'll see how risk management is needed in almost any type of project.

1. Call Accounting Risk Assessment

This risk analysis example considered a process that Campton College wanted to implement: a new call accounting system that both administrators and medical students could use for billing, tuition, and dorm expense payments; in fact, every department of the medical school would use it. Their antiquated system was from the 1990s, and they felt it was time to move into the next generation.

In this risk assessment example, a team was first formed to determine which tech company could offer the best system without too much downtime for the current system. The company chosen was a widely known call accounting provider, TACS. The challenge was to find a better way to handle data collection, database improvements, and purging of information.

The risk assessment team was charged with looking at vulnerabilities, threats, and risks and coming up with ways to avoid or minimize risk to the already-valuable assets contained within the current system: the private and secure records, as well as the accessibility of online interactions, payment histories, and account information.

Campton College determined that over $2 million in assets (information) could be at risk, including data integrity, private information, access and downtime, passwords, and the liability costs to the college if private information were accessed.

Not comfortable trusting these assets to an immediate switchover, the team worked with TACS to find ways to mitigate risks, such as using compatible software interchanges like Microsoft and an encrypted repository.

Finally, the risk assessment team identified 14 risks, along with solutions to those risks that lowered a forecasted 249% risk they had previously determined to a mere 54.3% risk. By lowering the percentage of risk through secure processes, the college was able to introduce a newly updated system.
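The case above lists the ingredients of a quantitative assessment (valued assets, threats to them, countermeasures, and a risk figure before and after mitigation) without showing how such figures are produced. The following added example is not from the page or from PTA Technologies' case study; it uses a simple expected-loss model (probability × damage fraction × exposed asset value, an assumption of this example, not the method Campton College used) over constructed sample assets, threats, and countermeasures, ranks the threats, and reports which countermeasure buys the most risk reduction per dollar.

```python
from dataclasses import dataclass

# Constructed sample data for a call-accounting migration, loosely modelled on the
# case above. Every value is illustrative; none is a figure from the page or the case study.


@dataclass
class Asset:
    name: str
    value: float            # monetary value put on the asset, in dollars


@dataclass
class Threat:
    name: str
    probability: float      # chance the threat is realised over the period assessed (0..1)
    damage: float           # fraction of each exposed asset's value lost if it is (0..1)
    assets: tuple           # names of the assets the threat exposes


@dataclass
class Countermeasure:
    name: str
    cost: float             # one-off cost of putting the countermeasure in place
    reduction: dict         # threat name -> fraction by which it cuts that threat's probability


ASSETS = [
    Asset("student records", 1_200_000),
    Asset("payment history", 500_000),
    Asset("system availability", 300_000),
]

THREATS = [
    Threat("unauthorised access to records", 0.30, 0.80, ("student records", "payment history")),
    Threat("downtime during switchover", 0.60, 0.25, ("system availability",)),
    Threat("password compromise", 0.20, 0.50, ("student records",)),
]

COUNTERMEASURES = [
    Countermeasure("encrypted repository", 40_000, {"unauthorised access to records": 0.75}),
    Countermeasure("staged cutover with rollback", 15_000, {"downtime during switchover": 0.80}),
    Countermeasure("MFA for administrators", 10_000,
                   {"password compromise": 0.60, "unauthorised access to records": 0.20}),
]


def residual_scale(threat_name, countermeasures):
    """Fraction of a threat's original probability left once the countermeasures apply.
    Reductions are assumed independent, so they multiply rather than add."""
    scale = 1.0
    for cm in countermeasures:
        scale *= 1.0 - cm.reduction.get(threat_name, 0.0)
    return scale


def expected_loss(threat, assets_by_name, countermeasures=()):
    """Expected loss = probability x damage fraction x value of the exposed assets."""
    exposed = sum(assets_by_name[name].value for name in threat.assets)
    return threat.probability * residual_scale(threat.name, countermeasures) * threat.damage * exposed


def assess(assets, threats, countermeasures):
    """Rank threats by expected loss and report totals before and after mitigation."""
    by_name = {a.name: a for a in assets}
    before = {t.name: expected_loss(t, by_name) for t in threats}
    after = {t.name: expected_loss(t, by_name, countermeasures) for t in threats}
    return {
        "priority": sorted(before, key=before.get, reverse=True),
        "per_threat": {name: (before[name], after[name]) for name in before},
        "total_before": sum(before.values()),
        "total_after": sum(after.values()),
    }


def countermeasure_value(assets, threats, countermeasures):
    """Expected loss avoided per dollar spent, for each countermeasure applied on its own."""
    base = assess(assets, threats, [])["total_before"]
    return {cm.name: (base - assess(assets, threats, [cm])["total_after"]) / cm.cost
            for cm in countermeasures}


if __name__ == "__main__":
    report = assess(ASSETS, THREATS, COUNTERMEASURES)
    for name in report["priority"]:
        before, after = report["per_threat"][name]
        print(f"{name:35s} before ${before:>10,.0f}  after ${after:>10,.0f}")
    print(f"total expected loss: ${report['total_before']:,.0f} -> ${report['total_after']:,.0f}")
    for name, value in countermeasure_value(ASSETS, THREATS, COUNTERMEASURES).items():
        print(f"{name:35s} ${value:.2f} of risk avoided per $1 spent")
```

Prioritizing here is nothing more than sorting threats by expected loss, which is why the unauthorised-access threat tops the list even though its probability is lower than that of switchover downtime: it exposes far more asset value. The per-dollar figures show why a cheap control that touches several threats (MFA for administrators in the sample data) can outrank an expensive one that addresses a single large risk; the multiplicative residual scale assumes the countermeasures act independently, which is a modelling simplification a real assessment would have to justify.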

2. Passport Security Protocol

This risk assessment example was a joint effort between PPSLC, a Texas student loan provider, and Microsoft. The project at hand was to see whether PPSLC could use Passport Security, a web-hosted protocol that gives signed-in users access to many different merchants; here, the student loan website.

The central question was how severely online fraud, or attempts at fraud, would affect PPSLC's clients.

In this joint effort, both Microsoft engineers and PPSLC technicians examined the true cost of the damage if a student's private information were stolen, and the cost per student. They also included the company's liability if such fraud occurred and the students' (customers') trust in the system.

Once these risks and threats were defined, the joint teams worked together, and with Passport Security, to lower the risks through mitigation, software solutions, firewalls, and other online technology that would keep the student information safe and secure.

3. Networked Medical Devices

In our final risk assessment example, a Microsoft-based networked medical device that monitored patients throughout their hospital stay was examined to determine whether its risks outweighed its cost and whether the device would be practical to use.

The three largest risks here were the device's accessibility to all staff, its network capabilities, and patient confidentiality. The risk analysis team talked to hardware and software people in order to first identify all threats to patient confidentiality. This was considered the most important risk: how would the networked medical device be protected from hacks and potential attacks?

Next came the device's accessibility and authorized use. What were the risks if non-authorized personnel had access to the device, and in what ways would these situations be prevented? Last, the in-house network that accessed an outside server needed to be secure enough to meet hospital confidentiality requirements and regulations on patient information.

These risks and threats to the new device were tackled by teams that tested for defects, encryption protection, password safety, uptime and downtime, and the use of binary formats. They also looked at single-user stations and whether USB devices were used, and at how easily those could be infected.

Because the largest risk was patient confidentiality, countermeasures were designed around constant scanning for threats and ongoing upgrades and improvements. A plan was developed for online or server attacks, and accessibility was agreed upon through a management team that would oversee and sponsor the use of the medical device.

Why You Need Risk Assessments

In these real-life risk assessment examples, it was prudent for the stakeholders of these projects to insure against data and identity theft, as well as to introduce streamlined processes, accessibility, trust, and reliability.

Consider a project to find an in-house accounting system so that everyone who needed access could indeed access the system, while private and secure information was still protected. It wouldn't be prudent simply to choose a company to implement a system if you didn't know what the company was all about, its history with these types of systems, or its ability to understand the strict confidentiality needed.

In our student loan example, if the risk analysis team couldn't establish users' trust, the system wouldn't have been worth the money invested. In our networked medical device example, if real hacks and attacks were possible and non-authorized staff could gain access, the device could cause all sorts of damage, including liability for the hospital.

Whether your projects are large or small, as the project manager you must consider how to perform a risk analysis and how to use it. That includes identifying, prioritizing, and mitigating risks to ensure you have an acceptable outcome, or at least risks controlled to an acceptable level.

References

1. PTA Technologies - Networked Medical Device - http://www.ptatechnologies.com/Documents/MedicalDevice_ThreatAnalysis_CaseStudy.pdf
2. PTA Technologies - Call Accounting System - http://www.ptatechnologies.com/Documents/CallAccountingCaseStudy.pdf
3. PTA Technologies - Passport Security - http://www.ptatechnologies.com/Documents/PassportCaseStudyIntro.pdf
